Tesla Hacking to FreedomEV! - Jasper Nuyens [FOSDEM 2019]

The FreedomEV project wants to enable full consumer control over the electric vehicle future.

The principle is to enable maximum functionality while still preserving the existing software. You still want to be able to bring in your car for service, and you don’t want to conflict with the manufacturer’s business model. It must be easy to install, but also easy to disable.

FreedomEV is started by running a bash script. For this to work, the car must have a persistent location from which we can run something as the root user. From there on, everything runs in a chroot on a USB stick. It is based on Ubuntu because that was already available for Tegra.

Configuration is done through a web interface with nginx as the server and php-fpm for scripting. Functionality is provided by “FreedomEV apps”. An enabled app is activated when the stick is booted and deactivated when it goes down. There are directories for things that have to be done periodically (a simple kind of cron). Unless it is marked as hidden, an enable/disable toggle is added automatically to the FreedomEV web interface when the app is present on the USB stick.
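The app lifecycle described above, as an added example rather than FreedomEV's own code: the directory layout, the marker file names and the `fev_*` functions are assumptions made for illustration. Because such a loader runs as root, this version also skips symlinks and world-writable scripts, a check the talk summary does not mention.

```shell
#!/bin/sh
# Hypothetical layout (an assumption, not FreedomEV's real tree):
#   $root/apps/<name>/enabled      marker file: app is switched on
#   $root/apps/<name>/hidden       marker file: no toggle in the web UI
#   $root/apps/<name>/start, stop  scripts run at stick boot / shutdown
#   $root/apps/<name>/periodic/    scripts run on every timer tick

# Everything here runs as root, so refuse scripts any user could rewrite.
fev_safe() {
    [ -f "$1" ] && [ -x "$1" ] && [ ! -L "$1" ] &&
        [ -z "$(find "$1" -prune -perm -002)" ]
}

# Print the apps that get an enable/disable toggle: every app not marked hidden.
fev_toggles() {
    for app in "$1"/apps/*/; do
        [ -d "$app" ] || continue
        [ -e "${app}hidden" ] || basename "$app"
    done
}

# Run one phase (start, stop or periodic) for every enabled app.
# Prints "<app>:<script>" for each script that ran successfully.
fev_run() {
    root=$1
    phase=$2
    for app in "$root"/apps/*/; do
        [ -e "${app}enabled" ] || continue
        name=$(basename "$app")
        if [ "$phase" = periodic ]; then
            set -- "${app}periodic"/*
        else
            set -- "${app}$phase"
        fi
        for s in "$@"; do
            fev_safe "$s" || continue
            if "$s" >/dev/null 2>&1; then
                echo "$name:$(basename "$s")"
            fi
        done
    done
}
```

A hidden app still runs when it is enabled; hiding only removes its toggle from the list that `fev_toggles` produces.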

The Tesla Instrument Cluster is behind the steering wheel. It has a fixed IP address, an SSH key was leaked, and it is connected over Ethernet to the rest of the car. The console display is based on a quad-core Tegra. It runs a Qt-based web browser. Communication is handled by a separate microcontroller that provides BT/Wifi/LTE and runs a Buildroot filesystem. Autopilot 2.0 is a separate CPU. It has a Buildroot-based system and runs on an Nvidia PX2.

To get root you first need to get on the Ethernet. It uses a Fakra connector, which you can make yourself or buy online. You need a security dongle to be able to access it (through a key exchange). FreedomEV allows you to disable that, because it’s a risk for theft. But that still doesn’t get you root.

Getting root through the internet might be possible as well, but it’s very well secured. In general, Tesla is good at fixing security issues when they are found. Remember that getting root makes it easier to steal the car or to fake mileage etc. Tesla has a bug bounty program (as opposed to other vendors who will sue security researchers).

There are rumours that in the future Tesla will make it possible to give root to owners. But FreedomEV wants to be a motivator for manufacturers to allow this kind of thing. For now, you can ask a Tesla Service Technician, because they have root. As a last resort, you can solder off the eMMC and reflash it.

Jasper is not certain to what extent Tesla endorses this kind of hacking.