Tesla Hacking to FreedomEV!
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
Title |
| |
Subtitle |
| |
Title of Series | ||
Number of Parts | 561 | |
Author | ||
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/44548 (DOI) | |
Publisher | ||
Release Date | ||
Language |
Content Metadata
Subject Area | ||
Genre | ||
Abstract |
|
00:00
Hacker (term)SoftwareProjective planeGoodness of fitComputer animation
01:11
Hacker (term)Open sourceSoftwareInterface (computing)Directory serviceFreewareSystem programmingTuring testInterior (topology)Pay televisionData modelComputer networkPlanningRange (statistics)Workstation <Musikinstrument>Food energyRootRegular graphIntegrated development environmentPoint (geometry)Function (mathematics)Endliche ModelltheorieControl flowMaxima and minimaControl flowEndliche ModelltheorieMetrePay televisionBitSymbol tableSoftware testingCore dumpGroup actionAnalogyCuboidTouch typingMultiplication signWave packetFreewareInformation privacySoftwareInformation technology consultingRow (database)Physical systemOvalMobile WebPlanningLevel (video gaming)Projective planeAliasingMassGame controllerOpen sourceFacebookHacker (term)Reduction of orderFood energyKey (cryptography)InternetworkingProcess (computing)Goodness of fitSinc functionComputer animation
08:42
RootScripting languageReliefSystem programmingDecision theoryFile systemFingerprintGradientInterface (computing)Web browserInformation securityTotal S.A.Function (mathematics)Fiber bundleData storage deviceInformation privacyUniform resource locatorEntire functionAsynchronous Transfer ModeRight angleProcess (computing)Distribution (mathematics)SoftwareDecision theoryBitForcing (mathematics)Business modelService (economics)Axiom of choiceScripting languageUser interfaceRootTrailOpen sourceMultiplication signFunctional (mathematics)Physical systemElectronic program guideSource codeGradientPower (physics)Projective planeCodeAdditionConnected spaceGoodness of fitBand matrixFile systemDynamic random-access memoryLaptopOverhead (computing)Data managementRevision controlEndliche ModelltheorieFiber bundleCASE <Informatik>Installation artInternetworkingCodeVolume (thermodynamics)Compilation albumElectronic visual displayMobile appComputer animation
16:13
AverageInstallation artMobile appFactory (trading post)Asynchronous Transfer ModeSoftware developerLine (geometry)CodeUser interfaceRootScripting languageMusical ensembleInstallation artMobile WebSoftware testingGraphical user interfaceComputer animation
18:08
TouchscreenGateway (telecommunications)Tape driveAsynchronous Transfer ModeAsynchronous Transfer ModeIP addressInterface (computing)SoftwareVirtual machineUser interfaceAddress spaceComputer animation
18:56
TouchscreenGateway (telecommunications)Tape driveComputer networkRevision controloutputBootingFile systemMechanism designWhiteboardIntelData modelCore dumpWeb browserControl flowMultimediaBefehlsprozessorTelnetModule (mathematics)Connected spaceModemMereologyComputer hardwareComputing platformSerial portJava appletFreewareCAN busFirmwarePlastikkarteUniqueness quantificationArmGraphics processing unitPascal's triangleAbstract state machinesVariable (mathematics)Multiplication signRotationSoftware frameworkComputer fileCentralizer and normalizerCASE <Informatik>ArmElectronic visual displayPasswordKernel (computing)Vector potentialoutputPhysical systemBitService (economics)Partition (number theory)Connected spaceGateway (telecommunications)Server (computing)Degree (graph theory)Parameter (computer programming)Execution unitFile systemMicrocontrollerIP addressBootingRevision controlBilderkennungRead-only memoryConstraint (mathematics)RootTelnetTouchscreenCartesian coordinate systemConfiguration spacePlastikkarteComputer networkLevel (video gaming)Open sourceIntelSet (mathematics)Process (computing)Mechanism designGoodness of fitCore dumpVideoconferencingTerm (mathematics)GUI widgetMedical imagingWeb 2.0Functional (mathematics)Module (mathematics)Graph (mathematics)DatabaseElectric generatorMulti-core processorSoftwareWeb browserSoftware testingInternetworkingRoutingKey (cryptography)Device driverComputer animation
27:17
Software testingVolumeGreen's functionRootDivisorFigurate numberSoftwareProjective planePhysicalismInternetworkingService (economics)RoutingFactory (trading post)Uniform resource locatorCentralizer and normalizerToken ringElectronic visual displayAddress spaceSet (mathematics)Information securityPosition operatorComputer animation
29:33
InternetworkingAndroid (robot)Computer networkService (economics)RootCAN busInformation securityLevel (video gaming)Data modelRoutingHoaxRootBitInternetworkingLevel (video gaming)Shared memoryEndliche ModelltheorieConnected spaceFunctional (mathematics)NumberMobile appCASE <Informatik>Software testingGoodness of fitMathematical singularityUniform resource locatorInstallation artGame theoryComputer clusterPoint (geometry)Software bugTheory of everythingSoftwareComputer programmingInformation securityElectronic visual displayComputer animation
32:58
Gateway (telecommunications)RootEscape characterPoint (geometry)Service (economics)Endliche ModelltheorieDifferent (Kate Ryan album)MathematicsIntegrated development environmentRootDenial-of-service attackRoutingBitShift operatorHidden Markov modelPhysical systemNetwork topologyComputer animation
34:12
Point (geometry)RootWhiteboardOvalService (economics)Information securityComputer programmingScripting languageEmailExploit (computer security)Wind tunnelDemonFlash memoryRootLevel (video gaming)IterationProjective planeMultiplication signTwitterUltraviolet photoelectron spectroscopyService (economics)Open sourceInternet forumRoutingFlagLine (geometry)Ferry CorstenComputer animation
38:23
Asynchronous Transfer ModeSoftware developerMobile appFactory (trading post)GSM-Software-Management AGCodeConnected spaceAsynchronous Transfer ModeSystem callPersonal identification numberMusical ensembleCodePole (complex analysis)Information privacyMessage passing
39:37
FreewareBranch (computer science)CodeSoftware developerFactory (trading post)Asynchronous Transfer ModeElectronic visual displayUser interfaceInclusion mapData miningMessage passingPersonal identification number2 (number)WhiteboardConnected spaceSoftware developerTouch typingAsynchronous Transfer ModeInternetworkingFactory (trading post)Cartesian coordinate systemSystem callMusical ensembleInterface (computing)BitGoodness of fitElectronic visual displayMappingComputer animation
41:09
SoftwareFunction (mathematics)Link (knot theory)Broadcasting (networking)Error messageFrame problemCharge carrierTransport Layer SecurityMetric systemTrailData managementPhysical systemGraph coloringAsynchronous Transfer ModeFerry CorstenComplete metric spaceSoftware developerElectronic visual displayWärmestrahlungMobile appSoftwareCore dumpMusical ensembleCASE <Informatik>Scripting languageOnline helpRemote procedure callSampling (statistics)Functional (mathematics)Computer animation
43:35
FreewareBranch (computer science)CodeTotal S.A.RootMobile appInterface (computing)MassProper mapMathematical analysisAsynchronous Transfer ModeAdditionComputer-generated imageryGraphical user interfaceLink (knot theory)Descriptive statisticsData miningMobile appArithmetic progressionSimulationConnected spaceUser interfaceAsynchronous Transfer ModeMedical imagingFile systemRight angleBitDirectory serviceTable (information)Projective planeCore dumpOverlay-NetzComputing platformComputer fileComputer programmingArithmetic meanPhysical systemLaptopRootScripting languageElectronic visual displayProper mapMultiplication signPersonal identification numberGastropod shellPlanningProcess (computing)Web browserOcean currentCartesian coordinate systemKeyboard shortcutSoftware testingService (economics)Functional (mathematics)Branch (computer science)ModemScaling (geometry)Form (programming)ResultantMetropolitan area networkInterface (computing)Flash memoryComputer animation
49:56
Software testingReverse engineeringBEEPInterface (computing)Electronic visual displayTouchscreenCompilation albumWeb browserSimilarity (geometry)GUI widgetEvent horizonService (economics)Hacker (term)Server (computing)MotherboardGradientDistribution (mathematics)Green's functionMeasurementStandard deviationReverse engineeringMobile appCompilation albumRootControl flowWeb browserBEEPData storage deviceSimilarity (geometry)Table (information)Hacker (term)User interfaceGUI widgetVariety (linguistics)Covering spaceEvent horizonRoutingMultiplication signLimit (category theory)Computer animation
52:21
Euler anglesComputer animation
Transcript: English(auto-generated)
00:05
Do you hear me clear, loud and clear? OK, great. So I am Jasper Noyens. I'm going to bring you this talk about from Tesla hacking to Freedom EV, Freedom EV project.
00:24
So I'm quite excited to be here, honestly. It's been about 18 years that I've come to FOSDEM. I have missed a few years. I have to admit. And I have submitted quite a few talks. And this is my first talk at FOSDEM.
00:48
Thank you, guys. I'm so proud to be here and to be able to present this to you because, obviously, you are also the people who I admire so much.
01:00
And probably the reason why I didn't get any talk earlier is just because I have the habit of wearing a shirt like this, and everybody thinks I'm stupid. Good. Hi, I'm Jasper Noyens. I'm the founder of LinuxBelgium. We do make money with free and open-source software training and consultancy, purely open-source.
01:21
We don't sell any Red Hat subscription or things like that. We try to focus on what's the heart of our community. And I'm very interested in EVs since Tesla. And obviously, I all owe it thanks to you guys. The entire community is what has made this possible for me.
01:46
And yeah, I'm humbled by it. Thank you. So first of all, I'm a Tesla customer. I'm not a Tesla supplier or employee.
02:00
And there are some disclaimers, of course, with hacking cars. They are relatively big. And you can run people over with them and things like that. But of course, there are other tools which are dangerous as well, like a knife, which can be used for perfectly peaceful purposes as well. So it's also a little bit uncertain
02:21
what level of endorsement there is, both officially and unofficially, by Tesla. We are quite optimistic, and there are some rumors, but more about that later probably. How many of you, is there somebody here who has a Tesla? Who's a Tesla owner?
02:41
OK. Quite a few Tesla owners. Great. Hopefully, some contributors. OK. Are there people who have a reservation, who don't have a Tesla yet, but who are looking for one?
03:01
Yeah, cheers to that. We will have some work to port Freedom EV to that. A car I'm working on, my Model X, nice, gold-winged doors. It's, well, yeah, falcon wings doors, I have to say. It's fantastic.
03:21
The Porsche's for sale, by the way. There's no way of replacing it with a Model S. Once you drive electric, there's no going back. It's really fantastic to drive. You're not doing any pollution either. You can easily, I think, if you plan a little bit, you can drive 1,000 kilometers without having to wait.
03:41
I don't like waiting. In a gas station, you have to fill up the car. You have to wait there a few minutes. I don't like waiting. And with a car, you have to charge. But it charges very quickly at 120 kilowatts. And if you combine it with a toilet break, I do have to pee a lot. Or if you take a lunch break, it's completely full.
04:03
Pee break, just 100 kilometers charged quickly. And lunch, it's completely full, or dinner. So 1,000 kilometers without having to wait. And otherwise, it's just full when you start at home. So you never have to go to the petrol station.
04:20
Just plug it in at night and walk away. For Tesla, it's important to accelerate the world's transition to sustainable energy. That's their mission. Something, of course, which is very nice to say. Self-contributed a little bit to that. Saved over 16 tons of CO2.
04:42
Added to that all the other pollution of our atmosphere over the last one and a half years. So the problem, of course, that for many electric cars are still too expensive.
05:01
And this is hopefully something which is changing. Right now, for 40,000 euro, you get a Kia e-Nero or a Kona electric or a Nissan Leaf, which are already very nice cars and which can get you everywhere you want. Tesla, it's still a bit higher.
05:21
It's announced that they will reduce prices and things will happen this year and early next year that prices will trickle down. Also, the other car manufacturers are going to launch more electric cars. So just be a little bit patient if you don't have money for it yet. Just don't buy a new internal combustion engine car
05:42
because it will have a lifetime of 30 years. And better if you really can afford it, just buy a secondhand car. Good. So coming to the mission of Freedom EV. So why is this Tesla hacking in which
06:05
played around with the system is evolving now into an open source project? Well, it is clear that the future of mobility, which has been stuck in the dark ages for so long
06:20
with analog and proprietary technologies, is now completely digital and running on Linux. And because it runs on Linux, we have it fully under our control. Well, maybe. There is, for example, also this project called
06:42
Automotive Create Linux from the Linux Foundation. And this is fantastic. It allows car manufacturers to run Linux on their cars, to build Linux for their cars, and to more easily build that based upon the Yocto project. Now, if it means that you've got a lot of freedom,
07:02
but if it's completely locked down into a box which you cannot touch, what kind of freedom is that? So it's all about control. Cars are the symbol of freedom for many car manufacturers. I was never that much of a car geek,
07:21
but if you look at all the commercials, it's nice landscapes and cars driving through it, symbol of freedom. But if these symbols of freedom are constantly connected to the internet, can be used as surveillance, mass surveillance weapons against the public,
07:42
it's not that great, of course. So there are some disadvantages, some dangers about the new technology as well. And obviously we think that Tesla is doing the right job, but not all car manufacturers will play nice.
08:00
And it's not because we trust the company now that it will prove to be so in the future. I've seen on the stage of Fosdam, also Facebook a long time ago when there was just a small company very enthusiastic about their new technologies. Now people would probably be more critical
08:22
about what they are doing with respect to privacy. Same goes for Google, same goes for Apple. So what will evolve in the future, we don't know unless we have control ourselves over our own vehicles. So it's about that.
08:41
And obviously also to add some nice features to it as well. So we have some founding principles. First of all, Freedom EV needs to enable maximum functionality of your car while preserving the original software.
09:03
If you bring your car in for service, the car guy, the car technician, he doesn't know anything about open source or freedom or privacy or software rights. He might want to educate them. But they're more concerned about getting your car working and obviously so.
09:21
So they should not be confronted with our own experimentations on our car. So I think it's important for the Freedom EV project that it is easily to disable, easy to install and that it preserves also the original software. So that basically as a user, you are trusting
09:40
the manufacturer and the open source project of which you can verify the source code yourself. You're not trusting anything else. So that's a little bit of the founding principles. Also lastly, I think it's important to avoid conflicts with manufacturers. Tesla for example, they sometimes sell
10:02
software enabled features. New version of the Model X and the Model S has a 100 kilowatt hour battery. But it's not fully accessible unless you pay an extra price using software, using root privileges. Freedom EV project could enable that.
10:22
But of course that's not the idea. We want to respect the business model of this company. If it's possible to enhance the performance and they don't sell such a package, obviously it is nice to do. So we have to find the right way there. And I think it's important not to do any abuse.
10:44
One of the new features for the Tesla which I will introduce with Freedom EV today is hotspot mode. And it uses the Tesla network to get internet connection and in-car EV experience in your car.
11:01
Obviously it can cure costs for Tesla of this bandwidth. So for that we're also building that it keeps track of the amount of volume so they could possibly build it. We don't want to abuse the system. We just want to make it more useful.
11:20
Our son is really, he loves it. So we had to make some design decisions. Three design decisions are made. First one is that we have one script slash fast slash Freedom EV start which is launched by the car as the root user
11:42
from a persistent storage location. So these two things are a requirement for running Freedom EV on any car. You need to have root access, hopefully, and a persistent location to put a script. So, and of course the car needs to run Linux
12:03
because we'll run the entire Freedom EV project as a CH-rooted addition to the system. So it is a bash script. We chose for bash script because bash or ash is available on most embedded Linux systems and so also on the cars running Linux.
12:27
Then it uses a USB stick. Most cars have a USB stick, USB port for charging. And in the case of the Tesla, it is not only used for charging, it also connects directly to the central display
12:43
of the car. And on this USB stick, there is a root file system containing Ubuntu. What's important to realize is that power management can at any time disable the USB stick,
13:01
normally not while driving. But if you park the car, it can go in power saving mode and then the USB stick is no longer there. So we need to manage that. Why did we choose Ubuntu? And this is a dangerous thing to say here in FOSDEM because obviously we have some nice contributors
13:22
to Debian and to Arch and to other exciting Linux distributions in this room. And for two of those guys, I'm sorry. We have to pick one. And obviously Ubuntu is a nice choice because Avidia Tegra for Ubuntu was already available.
13:41
You can just apt-yet install 10,000s of packages compared to with Yocto where we need to cross-compile everything and fiddle with recipes. It's just a lot easier. So please don't be sad for the other guys. And obviously it doesn't necessarily need to be that.
14:01
It just happens to be this way. So with respect to the automotive-grade Linux, it is not impossible that freedom if you will also evolve as a layer towards Yocto and in this way can also be easily integrated with that. But that's probably two, three steps ahead.
14:24
Oh yeah, and maybe a little bit of criticism towards Yocto. If you want to run Yocto with the GUI and dependencies like Chromium, for example, you end up with something which is the same size of Ubuntu. Come on guys, you can do better than that. So maybe a good advertisement for Ubuntu.
14:43
I don't know. I try to change every two years Linux distribution running on my own laptop just to running Manjaro right now on the other laptop. So yeah, okay. So another design decision, the third design decision
15:03
is how to configure everything we want to do with Freedom EV. Well, through a web interface. And obviously we could have chosen something lightweight, but we went for Nginx and PHP, FPM and looked the other day and it's only consumed about 10 megabytes of RAM.
15:22
It has two gigabytes of RAM. It's not the most optimal RAM-wise, but it's high performance and low overhead. So why not? Because it's not written in stone. We can change that if we like. So with respect to the functionality, we have bundled the functionality together
15:41
in so-called Freedom EV apps. Popular name maybe. But what's important for that is that they have a proper activation when the USB stick is detected and when the USB stick is lost, the entire root file system is gone. Well, maybe there are still some processes dangling. So we need to properly deactivate them as well.
16:02
So maybe also some things need to be periodically run. So all that kind of functionality is provided out of the activation of Freedom EV. So let's have a look at how it all comes together.
17:21
Verify if it's not running the CHroot, not yet installed. If it's a correct car, it will download and install the Freedom EV Start script and install it inside the Chrome tab. That's all it does, test Freedom EV installed.
17:41
After that, we only need to insert a USB stick. When the stick is inserted within the minute, Freedom EV will detect that it's there. Freedom EV is configurable through a web interface.
18:00
Freedom EV will detect that it's there. Freedom EV is configurable through a web interface.
18:24
And the key address of the machine. You can see all the different modes to enable. If we remove the USB stick, EV software, it will detect the stick is no longer there
18:41
and stop all remaining software. Good, so I have a second movie coming up later,
19:03
which explains a little bit more. So here we have a little bit more technical details about our Tesla. Our Tesla is basically a computer network which just happens to have a big battery and some wheels.
19:22
So the instrument cluster, which is the display behind the steering wheel here, as this IP address, we have the big screen, which is over here, which is a 17 inch screen. It is actually a display which is rotated on its side. So, and the Avidia Tegra has, as far as I know it,
19:46
no possibility of, from the video driver, rotating it. And that's probably the reason why the Qt application, which is constantly visible, written by Tesla, is actually on its side.
20:02
So, and that's also probably the reason why they are stuck with Qt 4, because Qt 5 obviously has contributed a lot of nice features compared to Qt 4. But one of the disadvantages with Qt 5 is that with Qt 4, you can just say rotate 90 degrees.
20:22
And with Qt 5, you have to basically turn all the widgets. So I presume that's the reason why they do it like that. The disadvantage with that is of course that if we use the X display directly, and we send an X term on it, it will be visible on its side.
20:42
So, actually I wanted to put that into another movie, but yeah, time constraints. So, and this of course also means that if we want to visualize stuff directly to the X server ourselves, we need to make sure that it's rotated or that it's an application which supports 90 degrees rotation.
21:05
The general software-based framework in the kernel for turning 90 degrees and 180 and something like that would be nice, just saying, but okay, good.
21:21
Gateway 102, 103, if you like it in the open source world, don't complain, just do it. So I know, I know. Autopilot, so I'll go over the systems one by one. There is also the uplink, which is connected to the USB and Bluetooth and Wi-Fi,
21:41
which is connected basically to the USB over the central display. So this is the instrument cluster. This is the back of the instrument cluster if you open up the car. I never opened up a car before. But luckily, the Tesla is relatively easy to open up.
22:03
It's only one screwdriver you need. It's the same screws everywhere. They did a really good job. And the instrument cluster behind the steering wheel has a leaked SSH key. So if you have access to the internal network,
22:22
you can get access to that. So it boots a SquashFS compressed read-only file system, but the slash far partition is writable and persistent across the reboot, so we can put stuff in there. It's very similar than what's on the central display.
22:41
The things like steering wheel buttons are attached to this instrument cluster, and the input is sent over the ethernet. It's actually a good way to know if your ethernet connection is working. Just use the scroll wheel, nothing happens. It's your ethernet which doesn't work. The guys from Tesla service were actually quite surprised that I knew that.
23:04
Because of course, I fiddled with it. I put a switch in there in between and things like that. So settings are stored in SQLite 3 database, and there's also comments to view those comments, LVS. You can also change all these parameters
23:21
and variables stored in there in a persistent and non-persistent way. Instrument cluster, be careful when you remove it. The connector has a click mechanism. It's very easy once you know it, but otherwise difficult to use.
23:40
At Shaa a few years ago, Italian friends helped me with that first time. Then the central display, okay, so it's 192.168.90.100. It's an NVIDIA Tegra quad core system.
24:02
Now on the newer cars, it is Intel-based systems. And so we currently don't support that yet. If you have such a car and you have root access to it, you can try to port FreedomV to it. I'm sure it won't be that difficult and we'll have to just make another file system image
24:23
of probably a Ubuntu on Intel compatible then. Or whatever you like, it's your car. Good, so it runs the Qt-based web browser, which most people don't really like.
24:42
It's not that great. So being able to use that for the configuration of FreedomV is of course a nice application because most people don't use it for anything else anyway. So, okay. Then we see an end map of the system.
25:03
Obviously there is a lot of interest to be able to get root access. And we'll come back to that later. There's also the parrot USB connected Bluetooth Vfie and LTE module, which is on IP addresses.
25:22
Can be accessed through Telnet. It's only physically accessible from the central unit and it's a very small microcontroller. But it runs a built root file system. Then there is another device, a gateway,
25:42
running free ETOS and which is attached to the canvases. So to control basically most vehicle functions, there are six canvases typically used in automotive industry and attached to the gateway. It's used to contain a password
26:02
which you could extract from the SD card located inside the CID, but it's no longer the case. Whenever there are easy ways to get roots, Tesla fixes it. And obviously that's a good thing because there is also the potential for abuse. But we'll come back to that.
26:21
Autopilot 2.0 has its own IP address. It's basically the most powerful system in the car, obviously. There is a new version of the autopilot which will come out this year. Autopilot 3.0, which contains a sock
26:40
developed by Tesla themselves. It's quite amazing. It will enable about 100 times as fast processing of You Look Only Once images from the eight cameras on the system. So with this generation, it's NVIDIA PX2 based,
27:01
two Denver cores for ARM A57s and one Pascal GPU to do the heavy lifting for the image analysis and to assist in getting people where they want without a lot of effort. So how do we get root?
27:21
I get the question a lot. Now the Freedom EV project is not about how to get root. It's basically a prerequisite. Okay, but how to get root? So getting onto the physical internet network is the first step. So it has a factor connector. You can basically try to fiddle and figure it out
27:43
by yourself, but there are also pre-made, over-expensive cables you can find on eBay. But okay, yeah. They're called Tesla Service Access Cables. And they also fit in a connector below the steering,
28:04
below the central display here. Now the port below the central display is locked by Tesla Ethernet, is locked. And it can be activated by a tool which Tesla Service uses. It's called Toolkit. And this sends a cryptographic token to unlock this port.
28:25
Some people don't like that because it's known that people who steal Teslas can also have Toolkit. So if they then break a window, enable the ports,
28:41
plug it in, have roots, disable the alarm, start the car, then it's gonna happen very quickly that it's assisted in stealing a car. So also one of the things we want to add to Freedom EV is just to disable that security token. It's called Sec Ed and we can just kill the process.
29:02
And yeah, then it doesn't work. Obviously we might want to turn it back on when we go to the Tesla Service Center. Or we can add some GPS positioning, easily query where the car is, even get the address and things like that. And he offends it.
29:20
So it's only possible to do that at the Tesla Service location. Heck, Tesla could do that. But okay, we're doing a lot of things which Tesla could do. But they have other priorities, I think, so. Which data paths exist to get roots? Well, through the internet.
29:41
Obviously all these cars are connected to the internet. Must be certainly a way to get into that. But maybe it's a bit difficult. Maybe only singularity capable AEIs will be able to intrude to all Tesla cars. I don't know. It's a nightmare of Elon Musk that all cars in the world would be hacked
30:04
and directly sent to the same location, creating cows in traffic, things like that. It's a risk, yes, because obviously Tesla can access all the cars. It only takes one malicious person at Tesla to do that.
30:26
Other possibility is through your Tesla Android app. You can steer the car with your Tesla Android app. You can set the air conditioning, lots of functionality you have on your app. And obviously there's also a data path
30:41
which is heavily protected, of course. Modelship.Tesla.com is basically the central point where all these things go through. All the cars connect to. Aside from that we have our internal ethernet network, which means we have a physical connection
31:01
at our central display behind our instrument cluster, and also going to our autopilot, which is fairly easily accessible. Now getting physical access to the ethernet network, you would presume, okay, then we are having root.
31:20
Well, it's not the case. So it's very good protected. Can buses might be another way of access. Tesla is a very good citizen with respect to security. Whenever there is a problem security-wise,
31:40
they fix it immediately. Not only that, well, what is the problem, of course? Well, if somebody can get roots to somebody else's car, there is a possibility for abuse. It is possible to help stealing Teslas. It is possible to fake the mileage.
32:00
It is possible to fake fin numbers and trim levels of the car. You can control the cars and things like that remotely. So yeah, obviously there is a danger of abuse. And this is a good thing, of course, that Tesla is immediately addressing these issues when they come to be.
32:23
Also, Tesla has a bug bounty program. This means if you find a way to root your Tesla, you can, of course, share it with everybody to be able to install Freedom EV. But if you tell it to Tesla, they will give you money and they will fix it right away.
32:43
So it's a difficult situation for Freedom EV. So with the Model 3, they even have upped the game. So now with the pound to own contest in Vancouver, which will happen in March, they have really said,
33:04
okay, if you can root our car in these different ways or access or even just to a denial of service attack on our autopilot system, we give you fixed, we give you $50,000. Okay, it's hard to compete with that.
33:23
Not only that, if you're the first one to do one of those things, you get a Model 3 for free as well. So yeah, there is a guy who has posted that he has roots on his Model 3
33:40
and he is running Ubuntu as well on it in a CH-rooted environment. So, but still he's not eligible for any of these prices because he desolders to the E-MMC, put some changes in there and put it back, which is of course a method to do. Not everybody will want to do that, of course.
34:04
And it might void your warranty a little bit. Well, only for the device and not the rest of the car, of course. But there are some unaligned interests between Tesla and us and as a whole, maybe offenders as well. So they will fix it right away.
34:22
So it's of course great that they fix it, but it's not that great if it's the only way to gain access to your own car. It's your car. Come on. When I bought my Tesla first, I sent an email to Elon Musk and I said, I'm turning 40, please give me root on my own car.
34:45
Turns out he doesn't read emails so much and I should have maybe sent it over Twitter. There was somebody on the Tesla Motors Club Forum who was so kind to assist me there first,
35:00
for the ECA and then using a undocumented exploit. So it was great that he wanted to share that with me. So I hope that there is not right now an official way to ask root access for your own freaking car, but I hope it will change quickly.
35:22
And there is a security researchers program with Tesla, in which Tesla also say that if you are analyzing the security and you break your car, it's no problem. We'll just reinstall it for you, without any cost. I think that's a great thing to do.
35:43
They even say we can do it multiple times. It's nice. So I do think they are doing the right thing. I hope they will do it as well for root. And I understand that they are cautious about it, but come on, we're all grown ups here.
36:03
And why not flash cars like that, and if people are buying a secondhand car, that they know, okay, this car has been rooted. Maybe the trim level is wrong. Maybe people fiddled with it, decreased the price, or maybe it runs freedom, okay, up the price.
36:23
I don't know. But important is, of course, that Tesla is a trendsetter for the industry. And what Tesla is going to do now will also impact what other vendors will do later on. And that's also the reason why I go through the efforts of starting this project right now.
36:42
Why I think it's important that we make this step right now of being able to open source our cars. Because it's the beginning of the new era of electric cars and it's probably the last iterations of cars, I would say. I don't know.
37:01
After that will be tunnels and flying, I guess. Okay, so how to get roots from someone who has a root method from a Tesla service technician or third party repair center. Obviously, these people, they have roots. They have access to the toolbox program from Tesla.
37:22
So if they just give you access or just use the command line to have this one command pasted, it's already there. And the script is very simple. You can look at the script yourself. It will just see if the USB stick is not there.
37:41
Okay, it stopped, it exits. It doesn't do anything anymore. In the current iterations, it runs out of crontab because fastpool cron is on var and writable was an easy way. Maybe on the Intelliquipped cars, we have to turn it into a demon or something else. We'll have to see if we get access to those cars.
38:00
Also for other cars, non Tesla cars, they might have different ways of getting things started. But yeah, I hope we'll be able to find it out quickly. And if all else fails, yeah, desoldering or resoldering EMMC, it's not that hard.
38:20
It's always a way. So what have we put already inside Freedom EV? Only in a marketing-like way
39:00
where you cannot verify what actually happens.
39:03
But by looking at the code and disabling the GSM connection and turning off EV, this is globe mode. Disables autopilot, GPS, Wi-Fi, and 3.4G. It makes you invisible for tracking
39:21
by the vehicle and mobile phone calls. Mapping, music streaming, stopped working. And it could be abused, and the pin to drive to enable LTE disabled. So that feature didn't make it yet, the pin to drive to disable.
39:41
So I will be able to add that quickly. Good. Boarding message. Globe mode makes you invisible for tracking by the vehicle and mobile phone calls. Mapping, music streaming, stopped working. And it could be abused,
40:01
and the pin to drive to enable LTE disabled. Globe mode disables the USB 3G connection to the Internet. When we turn globe mode off again, if we turn globe mode off again,
40:23
it will take a little bit of seconds, and then we see that LTE gets enabled again. So the message is that it gets enabled. It takes five seconds for the interface to recognize that the USB device is back online, and then get back our data connection
40:48
or your freedom. Freedom EV gives you easy access to developer and factory mode, which can be enabled at the touch of a button. Developer and factory mode will restore
41:02
the Qt application running on our display. Up for display, we see that a blue developer text is added to our T of Tesla. This is Tesla provided functionality.
41:22
If we now touch this button, then we will get to see the developer mode. We get a nice overview of the different packs in our car.
41:42
Car is currently plugged in. We see what the car battery management system is actually doing. Developer mode also shows us when the car was first built. So February 1st, 2017 in this case. There is a special thermal mode inside developer mode,
42:01
which gives us an overview of all the important temperature metrics in the system. Go out of developer mode again by touching the exit button. That will reboot the system again. When Elon Musk announced two years ago that hotspot mode was coming to Tesla cars
42:21
through a simple software upgrade, everybody was thrilled. With hotspot mode, you can just add this antenna to a car and turn it into an in-car vehicle.
42:41
Just then search the USB EV adapter. We're ready to go. The Freedom EV app keeps track of data usage. So Tesla can properly build usage of their network if they want to do so. Some things you can enable with Freedom EV don't make a lot of sense.
43:03
Moonshine mode changes the color of your display behind the steering wheel in a psychedelic way. If one day you decide you should want to live without Freedom EV, complete removal is as simple as running the removal script.
43:35
Thank you, thank you. So here is the GitHub project.
43:43
It's completely accessible. There are already some contributors. And last night also a friend of mine from Hungary, a great Tesla hacker, also installed it on his cars and gave it a test.
44:02
Then quite a few typos were already fixed as a result. So we bundle this functionality which we can just enable in the web interface in what we call apps. And we see here in the master branch there's the slash Freedom EV. So we put everything on the USB stick,
44:23
the root file system in the directory Freedom EV. And there we have a directory called apps. This directory called apps contains symbolic links to apps in progress or apps available. The web interface only allows us to create sim links
44:42
basically to apps available out of this apps directory and only those sim links will be active. And it also means that when the USB stick is detected the application is started by running a activation script out of it.
45:01
So it's just a shell script which can start a service. Also the Freedom EV star script will copy the deactivation script through the root file system just to the temp directory in RAM so that if the USB stick needs to be, sorry, is removed
45:20
that it can still run this deactivation script to kill dangling processes. Then there's also a description.json file and this JSON file is basically the name of the program and some more description, everything which is visible in the web interface. Also it can contain hidden.
45:43
The marking, the fact that it's hidden means that it's not visible in the web interface. Also the Freedom EV core itself is implemented, the web interface is implemented as an app. You can easily copy stuff from it. And then we have some directories every minute, every hour, every five minutes, every day
46:03
to implement some kind of Chrome tap like behavior as the script Freedom EV star runs every minute, it will look in those directories if relevant and run whatever is in there in a periodic way. So here we see the example of the description.json
46:23
and by the way, this directory, zero template app in the apps in progress directory, you can just copy that. There's nothing going on in there, just some explanation. You can copy the directory for your own application. If you want to create birthday mode
46:41
of working on it a little bit, you can easily do that. So you see three entries in the description.json, the name of the app, the description and if it's visible or not. So in the apps we see that current things are enabled.
47:00
So yeah, if you want to update Freedom EV just hit pull on the root file system, which will basically put some things in there for faraway freedom EV and also the slash freedom EV directory.
47:20
So what are the current problems and things which are to do? Well, some things in the movie were not really there yet. So to disable, for cloaking modes, we disable right now the LTE modem, but with is not yet disabled. It's easy to disable it, just have to add it.
47:40
But there's also no pin to drive, it's not being asked. So yeah, we'd prefer that's in there. It's not easy just to interface which needs to be built for that. We had some more plans for making movies of things which are already in there, like Webmin is in there. Maybe you're not that fond of Webmin, I know.
48:02
It doesn't work great on the web browser anyway, but it might be interesting when your wife is driving just to be able to install some other things without having to pull out your laptop. A Bloopers movie was also planned. Thank you to my wife, by the way,
48:20
for allowing me to do this. I warn her when there is a possibility that one of the displays is going to reboot. The car still drives when the systems reboot. It's maybe hard to know the speed, but yeah.
48:45
So also the proper hotspot traffic accounting is not in there yet, just not a lot of time for that. It shouldn't be too hard to implement. It should be properly done because of course the car switches between Wi-Fi and LTE 3G all the time,
49:00
so we don't want to pay for our own Wi-Fi connection. So some other things, yeah, the hotspot mode works through SSH SOC tunnel right now, probably some IP tables problems. Unbox, I worked on that a little bit, tried to get Android working on the platform.
49:22
Now, Unbox is more geared towards running on Intel, so might be easier on the newer cars to get that running. Would be nice, of course, to be able to run Spotify, things like that, on your car. Competes a bit with add functionality, basically, compared to the Tesla things.
49:40
Also, car logo addition, I have changed some images in the car. I overlay them using bind mounting, so I don't really change the actual files. And this means that it gets to see like that. I like it a lot. I think lots of people will like it too,
50:00
to be able to put their own logos, their names, whatever, on their cars. So I want to make an app for that as well, so it can be easily done. Also, I would like beep or reverse. The other day, I crashed into a car behind me, blamed the fact that the car didn't beep when I was reversing.
50:21
Web interface for reverse, SSH tunnel is not finished yet. Airplay over Wi-Fi, M-player to view movies. We can also check if the car is driving or not easily, for safety reasons. Compilation of browser like the one from Tesla,
50:42
similar limitations, some cleanup of IP tables. Button widgets sometimes receives two events, often receives two, so it might be the problem with the widget or not. We need to troubleshoot it a little bit. Are Tesla friendly? Oh, hacker friendly, is Tesla? Seems to be quite all right.
51:00
I don't have a lot of time, so. I don't think it voids the warranty, what we are doing here. Obviously, don't break anything. If I break something, I also tell Tesla and I don't claim warranty. I wanted to pay just a few euros because I broke a plastic cover myself.
51:21
Very reasonable. Okay. I need your help. Please contribute. If there are any questions, I might have a minute or so left. Yes.
51:42
Okay, so the question is, if we perform a software update on the car, will FreedomV still work? Yes. So, for now, yes. So, basically, it relies on the fact that we have root access and persistent storage. As long as that not being touched, it keeps on working. Obviously, we need to remain cautious.
52:02
It is possible that they might break stuff and we need to work around it. So, we will always say what the latest support releases. There is a rumor that 2019.2 might break some stuff, and we'll see how to deal with that, if that's really true.
52:21
Yeah.