
Reverse Engineering the Tesla Battery Management System to increase Power Available

Conference: Black Hat USA 2020

2020-08-05

Summary

The presentation covers reverse engineering of Tesla's Battery Management System (BMS) and other Electronic Control Units (ECUs), and what firmware modification of those modules can and cannot achieve. The speaker also describes the practical limits and risks of such modifications.
  • Tesla's BMS and ECUs can be reverse engineered from firmware extracted from a rooted vehicle
  • The BMS firmware can be modified
  • Access controls on the CAN bus are limited
  • Firmware modification is difficult, can brick the vehicle, and may yield only a limited gain in vehicle performance
The speaker describes releasing the electronic parking brake actuators on a Tesla by disconnecting their leads and applying 12 V at the correct polarity. They also mention that someone reverse engineered the entire Autopilot 2 system and installed it in an Autopilot 1 vehicle.

Abstract

Tesla released the dual motor performance Model S in late 2014. At that time the vehicle came with "insane mode" acceleration and an advertised 0-60 time of 3.2 seconds. Later, in July of 2015, Tesla announced "Ludicrous mode" that cut the 0-60 time down to 2.8 seconds. This upgrade was offered as a hardware and firmware change to the existing fleet of P85D vehicles and was offered for new purchases as well. Since then, Tesla has released the P90D and P100D that also have incremental performance improvements. What made the P85D upgrade unique was how the process offered a unique insight into how the vehicle's Battery Management System (BMS) handles power requests from the front and rear drive units of the car.

I was able to reverse engineer this upgrade process by examining the CAN bus messages, CAN bus UDS routines, and various firmware files that can be extracted from any rooted Tesla Model S or X. I also decrypted and decompiled Python source code used for diagnostics to determine that the process involved removing the battery pack and replacing the fuse and high voltage contactors with units that could handle higher amperage levels, as well as modifying the current sensing high voltage "shunt" inside the battery pack so that it would properly respond to the higher amperage.

I then performed this process on an actual donor P85D. I then modified the firmware of the Battery Management System and the appropriate files on the security gateway to accept the modified battery pack, bricking the car in the process and forcing me to pay to have it towed to another state so I could troubleshoot. I came to understand that the BMS is the deciding module that allows the drive units to have only as much power as the BMS allows.
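The abstract refers to examining CAN bus UDS routines. The following is an added example, not code from the talk, from Tesla, or from any Tesla diagnostic tooling: it encodes a generic ISO 14229 RoutineControl request (service 0x31), wraps it in an ISO-TP single frame for classical 8-byte CAN, and parses both the positive (0x71) and negative (0x7F) responses an ECU can return. The CAN arbitration IDs, the routine identifier 0x0203, and the 0xAA pad byte are placeholders chosen for illustration and are not Tesla's real values.

```python
"""Generic UDS RoutineControl over ISO-TP single frames (ISO 14229 / ISO 15765-2).

Added example. Service IDs, sub-functions and NRC values follow the public
standards; the CAN IDs and routine identifier below are assumptions for
illustration only, not Tesla's actual message IDs or routines.
"""
from dataclasses import dataclass
from typing import Optional

SID_ROUTINE_CONTROL = 0x31
SID_NEGATIVE_RESPONSE = 0x7F
POSITIVE_RESPONSE_OFFSET = 0x40   # positive response SID = request SID + 0x40

# RoutineControl sub-functions
START_ROUTINE = 0x01
STOP_ROUTINE = 0x02
REQUEST_ROUTINE_RESULTS = 0x03

# A few common negative response codes (NRCs)
NRC_NAMES = {
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
    0x7F: "serviceNotSupportedInActiveSession",
}

# Placeholder arbitration IDs (assumption: classic OBD-style tester/ECU pair)
TESTER_CAN_ID = 0x7E0
ECU_CAN_ID = 0x7E8
PAD_BYTE = 0xAA  # pad value is a convention choice; ECUs differ


def build_routine_control(sub_function: int, routine_id: int, record: bytes = b"") -> bytes:
    """UDS payload: SID, sub-function, 16-bit routine identifier, optional option record."""
    if not 0 <= routine_id <= 0xFFFF:
        raise ValueError("routine identifier must fit in 16 bits")
    if sub_function not in (START_ROUTINE, STOP_ROUTINE, REQUEST_ROUTINE_RESULTS):
        raise ValueError("unknown RoutineControl sub-function")
    return bytes([SID_ROUTINE_CONTROL, sub_function]) + routine_id.to_bytes(2, "big") + record


def isotp_single_frame(payload: bytes) -> bytes:
    """Wrap up to 7 payload bytes in an ISO-TP single frame (PCI type 0, length in low nibble)."""
    if len(payload) > 7:
        raise ValueError("payload too long for a single frame; multi-frame transport needed")
    frame = bytes([0x00 | len(payload)]) + payload
    return frame.ljust(8, bytes([PAD_BYTE]))


def isotp_unpack_single_frame(frame: bytes) -> bytes:
    """Extract the payload from a single frame; reject first/consecutive/flow-control frames."""
    if not frame:
        raise ValueError("empty CAN frame")
    pci_type, length = frame[0] >> 4, frame[0] & 0x0F
    if pci_type != 0:
        raise ValueError(f"not a single frame (PCI type {pci_type})")
    if length == 0 or length > 7 or 1 + length > len(frame):
        raise ValueError("invalid single-frame length")
    return frame[1:1 + length]


@dataclass
class RoutineResponse:
    positive: bool
    sub_function: Optional[int]
    routine_id: Optional[int]
    status_record: bytes
    nrc: Optional[int]
    nrc_name: Optional[str]


def parse_routine_control_response(payload: bytes) -> RoutineResponse:
    """Decode either 0x71 <sub> <rid_hi> <rid_lo> [status...] or 0x7F 0x31 <nrc>."""
    if not payload:
        raise ValueError("empty UDS payload")
    sid = payload[0]
    if sid == SID_NEGATIVE_RESPONSE:
        if len(payload) < 3:
            raise ValueError("truncated negative response")
        rejected_sid, nrc = payload[1], payload[2]
        if rejected_sid != SID_ROUTINE_CONTROL:
            raise ValueError(f"negative response for a different service 0x{rejected_sid:02X}")
        return RoutineResponse(False, None, None, b"", nrc, NRC_NAMES.get(nrc, "unknown"))
    if sid != SID_ROUTINE_CONTROL + POSITIVE_RESPONSE_OFFSET:
        raise ValueError(f"unexpected SID 0x{sid:02X}")
    if len(payload) < 4:
        raise ValueError("truncated positive response")
    sub_function = payload[1] & 0x7F          # drop suppressPosRspMsgIndication bit
    routine_id = int.from_bytes(payload[2:4], "big")
    return RoutineResponse(True, sub_function, routine_id, payload[4:], None, None)


def demo() -> RoutineResponse:
    """Round-trip one constructed request and parse a constructed securityAccessDenied reply."""
    request = isotp_single_frame(build_routine_control(START_ROUTINE, 0x0203))
    assert isotp_unpack_single_frame(request) == bytes([0x31, 0x01, 0x02, 0x03])
    # Constructed ECU reply: routine refused because no SecurityAccess (0x27) unlock was done.
    reply_frame = isotp_single_frame(bytes([SID_NEGATIVE_RESPONSE, SID_ROUTINE_CONTROL, 0x33]))
    return parse_routine_control_response(isotp_unpack_single_frame(reply_frame))


if __name__ == "__main__":
    print(demo())
```

The negative response path is the one worth watching when probing an ECU: an NRC of 0x33 (securityAccessDenied) or 0x7F (serviceNotSupportedInActiveSession) means the routine exists but is gated behind a SecurityAccess unlock or a diagnostic session change, which is exactly the kind of limited access control the summary refers to. Requests longer than 7 bytes need ISO-TP multi-frame transport with flow control, which this example deliberately rejects rather than silently truncating.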
