I met someone on Drag Week (a spectator) who said he had a build using one of the Canadian Model 3 controllers (I think it was Ingenext). It sounded like the drive units were unmodified.
Please look.davefiddes wrote: ↑Wed Oct 09, 2024 8:59 pm You look like you have a lot of happy systems there to my uneducated eyes. Have you got a capture of a working Tesla of a similar vintage to compared against?
Great job!AMP3R wrote: ↑Mon Feb 17, 2025 6:56 pm While my bench power supply is on its way from China, I wanted to look how the immobilizer works.
Screenshot from 2025-02-17 21-00-20.png
As soon as the inverter logic has power and VCFRONT transmits the 0×221 (VCFRONT_LVPowerState) message, it (inverter) shoots the 0×276 message to the CAN vehicle for literally a split second. This is a challenge for the VCSEC.
Meanwhile, the VCSEC is already ready and when you put the key card, it responds with the 0×3D9 message for about one second. That's it - the immobilizer is unlocked.
The 0×276 challenge message is new every time the inverter is restarted. After looking on its structure, I dare to assume that it has 65536 possible combinations.
The 0×276 and 0×3D9 messages are tightly linked. To verify this, I generated the same challenge for my VCSEC several times in a row and the response in 0×3D9 was the same. During the experiment, the inverter was turned off.
In short, for those who did not understand how it works:
1. The motor sends a challenge.
2. VCSEC responds with a value calculated using a one-way hash function based on the challenge and the secret.
3. The motor checks the response using its own calculation of the expected hash value. If the values match, authentication is confirmed.
What secret is stored in VCSEC, a big big secret.
For fun, you can record the entire range of challenge/response pairs (65536) This will take about 18 and a half hours. But in fact, this method is of little use, since it will only work on a specific motor.
A small update for you. It's impossible to dump the inverter flash via CAN, because Tesla disabled UDS service 0×35 Request data upload.
The new power supply didn't help, which means the problem is somewhere in the can messages.AMP3R wrote: ↑Sun Feb 02, 2025 9:18 pm A few days ago I had an idea to take another close look what the inverter sends to the vehicle CAN and after poking around found something interesting. It turns out that there are many more ids with alerts and errors than I thought. By simple calculations edited the dbc file and when turned on the drive unit I was stunned.
Of course, nothing will work, because the DI_a174_notOkToStartDrive alert is active. The logic lacks 12 volts, which I supply from a regular ATX power supply. If this turns out to be the cause, it will be very funny. But it is too early to rejoice.
Screenshot from 2025-02-02 21-54-41.png
