Tesla Owners Online Forum banner
1 - 17 of 17 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
Slope Font Rectangle Parallel Diagram


This goes to the white port in the driver footwell. Here's a pic:
Automotive lighting Flash photography Grey Gas Tints and shades


To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
Liquid Fluid Drinkware Plastic bottle Water bottle


The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
Audio equipment Gas Cable Vehicle door Electrical wiring


I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
 

Attachments

·
Premium Member
Joined
·
166 Posts
This car hides so many surprising secrets.
 
  • Like
Reactions: bwilson4web

·
Registered
Joined
·
1,060 Posts
That was my understanding from the start -- high speed CAN data 'hidden' in physical/data link ethernet. Makes a lot of sense to use industry standard protocols for the electrical connections at the very least - lots of common chips can handle tx/rx with those protocols. Then it's just lots and lots of layers of security to stop someone stealing your car from the diagnostic port :)
 

·
Premium Member
Joined
·
530 Posts
Mobile techs and service centers use this port in conjunction with an ethernet to usb cable and tesla software (in part cloud based) to perform all types of diagnostics and reset procedures (for example recalibrate windows, set amber vs red rear turn signal modes on/off, pull logs off the linux xCUs scattered across the car etc).
 
  • Like
Reactions: Kizzy

·
Registered
Joined
·
1,060 Posts
Mobile techs and service centers use this port in conjunction with an ethernet to usb cable and tesla software (in part cloud based) to perform all types of diagnostics and reset procedures (for example recalibrate windows, set amber vs red rear turn signal modes on/off, pull logs off the linux xCUs scattered across the car etc).
Amber signals is a software flag?! I WANT IT! The red signals blend too easily with the brakes I find.
 

·
Premium Member
Joined
·
530 Posts
I want it too... not for us mere mortals though. Only insiders playing around with such things on Tesla staff owned cars. Ugh.
 

·
Premium Member
Joined
·
5,057 Posts
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
The Diagnostic port is the first thing I went chasing after about a year and a half ago....

https://teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/#post-130395

I even have the proper connectors and a harness made up. But we determined it was ethernet that was encrypted or must be unlocked in some way and were stuck for a while unable to find any good data in the car, until we finally found CAN elsewhere.

I haven't heard of any further success communicating on the diagnostic ethernet, but you certainly got some useful info here. I hope you can keep trying and maybe figure something out. I'm not sure if @Ingineer knows more about it now too.
 

·
Registered
Joined
·
1 Posts
Look here:
https://teslamotorsclub.com/tmc/thr...del-3-note-car-repaired-after-a-crash.174945/

I am also trying to get some ports to respond.
USB-Serial connection to FTDI is asking for username and password, any idea what that could be?

I found out the udp command to unlock diag port but I guess it has to run from the inside. No idea what can it do from outside - thru the firewall because it requires data from ICE emmc.
 

·
Registered
Joined
·
1 Posts
Well if I was building this I would have the Tesla Cloud send a Magic packet down to the Car which then enables some ports on the Firewall, Regards to encyrpting Ethernet, never seen that done, not on the ethernetlayer it self. That would happen on higher layers.
Try Ping Broadcast and See whats going on . Leave a Packet capture running while sending some commands via the Tesla App. :p

Just some ideas.
 

·
Registered
Joined
·
5 Posts
Look here:
https://teslamotorsclub.com/tmc/thr...del-3-note-car-repaired-after-a-crash.174945/

I am also trying to get some ports to respond.
USB-Serial connection to FTDI is asking for username and password, any idea what that could be?

I found out the udp command to unlock diag port but I guess it has to run from the inside. No idea what can it do from outside - thru the firewall because it requires data from ICE emmc.
What this mean UDP command ( magic packet same as WOL) ? And what is it? Also where did you connect USB to serial? I know the HW3 has two Ethernet ports. Is one of them console?

I'm try to get familiar with Model 3 and trying to understand it more, I had able to get to service mode and trying to get other modes like factory and transport modes. I'm curious and like to know how things works
 

·
Registered
Joined
·
5 Posts
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
Might DDOS crash something and give you access
 

·
Registered
Joined
·
5 Posts
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
Hi,
I have P3D built May 2019, and I have plugged cable to that port same as your way but it never made my Ethernet work it's like nothing connected. I got header 5 pin and installed white-green, green, white-orange, orange and direct it green to the front that led the 5 not usable pin near to driver, but never worked
 

·
Registered
Joined
·
1 Posts
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
for further actions, to open the port, you need a Czech Budrich programmer, or if you don't have one, you need to perform monipulation with the closure of the strip on the mcu
 

·
Registered
Joined
·
1 Posts
Hi, I have prepared cable, but cant configured ip address. Could you please explain someone how it should be? I have set ip address 192.168.90.110, submask 255.255.255.0, Deafult gatewy 192.168.90.1 and left DNS server addresses empty. ping to 192.168.90.100 and 192.168.90.101 fails.
 

·
Registered
Joined
·
1 Posts
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
I assume the top picture is looking at the diagnostic port socket?
Thanks
 
1 - 17 of 17 Posts
Top