davefiddes wrote: ↑Fri Aug 30, 2024 10:05 am
Do you have an intact HVIL loop with a 20mA current running through it? Without that the HV bus discharge circuit on the inverter will not deactivate.

I haven't connected HVIL. Can you tell me how to emulate it? What voltage is there? Is PWM used?
Tesla Model 3 Rear Drive Unit Closed Source CAN Hacking
Re: Tesla Model 3 Rear Drive Unit Hacking
-
- Posts: 293
- Joined: Mon Jan 18, 2021 12:39 pm
- Location: Edinburgh, Scotland, UK
- Has thanked: 75 times
- Been thanked: 95 times
Re: Tesla Model 3 Rear Drive Unit Hacking
It's quite simple to emulate on the bench. It is a simple 20mA current loop and you can use the same 12VDC supply you use for the main inverter (it is optically isolated from the main inverter electronics).
I use the following circuit with an LM317L regulator:
The HV DC connector is part of the loop. I see you have the official cable so you should be good. If anyone wants to jumper it out you need to do this:
The HV discharge circuitry is completely automatic but the HVIL current is monitored by the main inverter MCU.
Re: Tesla Model 3 Rear Drive Unit Hacking
davefiddes wrote: ↑Fri Aug 30, 2024 10:57 am
It's quite simple to emulate on the bench. It is a simple 20mA current loop and you can use the same 12VDC supply you use for the main inverter (it is optically isolated from the main inverter electronics).
I use the following circuit with an LM317L regulator:
hvil.png
The HV DC connector is part of the loop. I see you have the official cable so you should be good. If anyone wants to jumper it out you need to do this:
IMG_20240830_113428_695.jpg
The HV discharge circuitry is completely automatic but the HVIL current is monitored by the main inverter MCU.

Thank you. Do you think the transistor that turns on the resistor bank is still okay when I kept the HV on for a few minutes?
Re: Tesla Model 3 Rear Drive Unit Hacking
Not sure. I suspect it'll probably be OK. IIRC Damien burned his out but he was running for quite some time.
I found you can see the operation of the discharge circuitry quite clearly with a current clamp on the HVDC input. With an idle inverter the two sources of current draw on the HVDC are the backup gate drive PSU and the HV discharge resistors. Turning the HVIL circuit on and off varied it quite significantly. You need a current clamp that is accurate in the DC mA range. My cheap UNI-T UT210E Pro seems to do the job OK.
Re: Tesla Model 3 Rear Drive Unit Hacking
davefiddes wrote: ↑Fri Aug 30, 2024 11:31 am
Not sure. I suspect it'll probably be OK. IIRC Damien burned his out but he was running for quite some time.
I found you can see the operation of the discharge circuitry quite clearly with a current clamp on the HVDC input. With an idle inverter the two sources of current draw on the HVDC are the backup gate drive PSU and the HV discharge resistors. Turning the HVIL circuit on and off varied it quite significantly. You need a current clamp that is accurate in the DC mA range. My cheap UNI-T UT210E Pro seems to do the job OK.

Active discharge alert has gone. Thanks!
Re: Tesla Model 3 Rear Drive Unit Hacking
So the immobilizer is unlocked, the inverter shows signs of life with a 10 kHz beep for a split second during power on and shows that it is in the IDLE state, the HVIL circuit is on.
I switch to D, the inverter shows N and the IDLE state doesn't change. That is, in order for D to give ENABLE, you first need to reach STANDBY in P.
Does the motor need cell voltages? I think the problem lies somewhere in the messages from the BMS. What do you think?
-
- Posts: 1083
- Joined: Tue Sep 17, 2019 8:33 pm
- Location: Raleigh, NC, USA
- Has thanked: 236 times
- Been thanked: 278 times
Re: Tesla Model 3 Rear Drive Unit Hacking
I met someone on Drag Week (a spectator) who said he had a build using one of the Canadian Model 3 controllers (I think it was Ingenext). It sounded like the drive units were unmodified.
From what I've seen it's only those of you here on OI trying to get these running without a commercial controller. It does look like those commercial controllers might reprogram something, but not clear what.
If at first you don't succeed, buy a bigger hammer.
1940 Chevrolet w/ Tesla LDU - "Shocking Chevy" - Completed Hot Rod Drag Week 2023 and 2024
https://www.youtube.com/@MangelsdorfSpeed
Re: Tesla Model 3 Rear Drive Unit Hacking
After playing with the motor for a while, I realized why the inverter doesn't switch into STANDBY mode.
Active errors: DIR_a144_configMismatch, DIR_a062_systemLimpMode, DIR_a092_bmsMIA.
Re: Tesla Model 3 Rear Drive Unit Hacking
I noticed that DIR_a144_configMismatch is triggered by two messages: 0x392 (info about the battery) and 0x7FF (car config).
We can say that this is a fundamental error and because of it the motor will not spin.
Re: Tesla Model 3 Rear Drive Unit Hacking
I figured out the 0x392 BMS_packConfig message, which triggers the DIR_a144_configMismatch error.
Just corrected the maximum voltage to 387 and the error disappeared.
Re: Tesla Model 3 Rear Drive Unit Hacking
The first frame from the multiplexed message 0x7FF about the car config is ready. It turned out that all bits can be empty except bit 56.
The second frame can be completely empty.
The third needs information about GTW_perfomancePackage, GTW_chassisType and GTW_packEnergy. Everything else can be zero.
The fourth can be completely empty.
The fifth can be completely empty.
The sixth is also empty.
DIR_a144_configMismatch goodbye
Re: Tesla Model 3 Rear Drive Unit Hacking
The main system errors have disappeared, but the inverter does not switch to STANDBY mode yet. Any ideas?
Re: Tesla Model 3 Rear Drive Unit Hacking
You look like you have a lot of happy systems there to my uneducated eyes. Have you got a capture of a working Tesla of a similar vintage to compare against?
Re: Tesla Model 3 Rear Drive Unit Hacking
davefiddes wrote: ↑Wed Oct 09, 2024 8:59 pm
You look like you have a lot of happy systems there to my uneducated eyes. Have you got a capture of a working Tesla of a similar vintage to compare against?

Please look.
Re: Tesla Model 3 Rear Drive Unit Hacking
I'll have a peek though I'm not sure there's much I can make of it. I guess I was more asking as to whether you had access to enough in the way of captures. Just looked at the price of second hand Model 3s and they're really quite affordable...hoping that someone with one and a sense of adventure would be able to help you out with on-going CAN captures.
Re: Tesla Model 3 Rear Drive Unit Hacking
Can anyone tell what DI_limitVBatHigh, DIR_ssmState, DIR_usmState and DIR_fluxState are?
Re: Tesla Model 3 Rear Drive Unit Hacking
My drive unit probably has one last active error, DIR_a155_vcfrontMIA (the DI ECU is not receiving the expected CAN communication from the VCFRONT, and considers it irrational or MIA).
I assume that this is due to the message 0x3A1. Who knows, does it definitely come from VCFRONT?
Re: Tesla Model 3 Rear Drive Unit Hacking
A few days ago I had an idea to take another close look at what the inverter sends to the vehicle CAN and after poking around found something interesting. It turns out that there are many more IDs with alerts and errors than I thought. By simple calculations I edited the DBC file and when I turned on the drive unit I was stunned.
Of course, nothing will work, because the DI_a174_notOkToStartDrive alert is active. The logic lacks 12 volts, which I supply from a regular ATX power supply. If this turns out to be the cause, it will be very funny. But it is too early to rejoice.
Re: Tesla Model 3 Rear Drive Unit Hacking
It's interesting to look how the immobilizer works.
As soon as the inverter received the 0x221 (VCFRONT_LVPowerState) message, it shoots 0x276 onto the vehicle CAN for a split second. This is a challenge for the VCSEC.
Meanwhile, the VCSEC is already ready and when you present the key card, it responds with 0x3D9. That's it - the immo is unlocked.
The 0x276 challenge message is new every time the inverter is restarted. After looking at its structure, I dare to assume that it has 65536 possible combinations.
The 0x276 and 0x3D9 messages are tightly linked. To verify this, I generated a static challenge for my VCSEC several times in a row and the response at 0x3D9 was the same. During the experiment, the inverter was turned off.
In short how it works:
1. The motor sends a challenge.
2. VCSEC responds with a value calculated using a one-way hash function based on the challenge and the secret.
3. The motor checks the response using its own calculation of the expected hash value. If the values match, authentication is confirmed.
For fun, it's possible to record the entire range of challenge/response pairs (65536), make a lookup table and try to replay these answers to the drive unit.
Re: Tesla Model 3 Rear Drive Unit Hacking
Keyless driving enabled. This means that you can run the motor without a key card, but with the VCSEC connected.
- jetpax
- Posts: 50
- Joined: Wed Jan 01, 2020 12:33 am
- Has thanked: 20 times
- Been thanked: 23 times
- Contact:
Re: Tesla Model 3 Rear Drive Unit Hacking
AMP3R wrote: ↑Mon Feb 17, 2025 6:56 pm
While my bench power supply is on its way from China, I wanted to look at how the immobilizer works.
Screenshot from 2025-02-17 21-00-20.png
As soon as the inverter logic has power and VCFRONT transmits the 0x221 (VCFRONT_LVPowerState) message, it (the inverter) shoots the 0x276 message onto the vehicle CAN for literally a split second. This is a challenge for the VCSEC.
Meanwhile, the VCSEC is already ready and when you present the key card, it responds with the 0x3D9 message for about one second. That's it - the immobilizer is unlocked.
The 0x276 challenge message is new every time the inverter is restarted. After looking at its structure, I dare to assume that it has 65536 possible combinations.
The 0x276 and 0x3D9 messages are tightly linked. To verify this, I generated the same challenge for my VCSEC several times in a row and the response in 0x3D9 was the same. During the experiment, the inverter was turned off.
In short, for those who did not understand how it works:
1. The motor sends a challenge.
2. VCSEC responds with a value calculated using a one-way hash function based on the challenge and the secret.
3. The motor checks the response using its own calculation of the expected hash value. If the values match, authentication is confirmed.
What secret is stored in VCSEC, a big big secret.
For fun, you can record the entire range of challenge/response pairs (65536). This will take about 18 and a half hours. But in fact, this method is of little use, since it will only work on a specific motor.

Great job!

So are you saying that if I record these 65536 challenge responses for a paired motor/VCSEC, then I could dump the motor firmware and flash it into another motor and the new motor should authenticate?
“Take the best that exists and make it better”
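The challenge/response exchange described in AMP3R's post, and the lookup-table replay idea raised there and in the reply above, as an added worked example. This is simulation code written for this page, not code from the thread, from Tesla or from any project. It assumes the VCSEC's one-way function can be modelled as HMAC-SHA256 truncated to 8 bytes (the real function and the secret are unknown), that the challenge is 16 bits wide (the poster's estimate of 65536 combinations), and that frames are plain (can_id, payload) tuples rather than real CAN traffic. It shows the legitimate exchange, the recording of every pair from a VCSEC with the inverter off, a replay that unlocks the paired DI without the secret, and the same table failing against a DI that holds a different secret, which is the "only works on a specific motor" point.

```python
"""Simulated DI/VCSEC immobilizer challenge-response and lookup-table replay.

Added example; not code from the forum, Tesla or any project. Assumptions:
the one-way function is HMAC-SHA256 truncated to 8 bytes (stand-in), the
challenge is 16 bits (65536 combinations, as estimated in the thread), and
frames are (can_id, payload) tuples instead of real CAN frames.
"""
import hashlib
import hmac
import secrets
import struct

CHALLENGE_ID = 0x276       # DI -> vehicle CAN, sent once 0x221 VCFRONT_LVPowerState is seen
RESPONSE_ID = 0x3D9        # VCSEC -> vehicle CAN, sent while a key card is presented
CHALLENGE_SPACE = 1 << 16  # 65536 possible challenges (assumption taken from the thread)


def one_way(secret: bytes, challenge: int) -> bytes:
    """Stand-in for the VCSEC's hash of (challenge, secret); HMAC is an assumption."""
    return hmac.new(secret, struct.pack(">H", challenge), hashlib.sha256).digest()[:8]


class DriveUnit:
    """DI side: emits a fresh challenge at power-up and verifies the reply itself."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._challenge = None
        self.unlocked = False

    def on_lv_power_state(self):
        """Called when 0x221 arrives; returns the 0x276 challenge frame."""
        self._challenge = secrets.randbelow(CHALLENGE_SPACE)
        self.unlocked = False
        return (CHALLENGE_ID, struct.pack(">H", self._challenge))

    def on_frame(self, can_id: int, payload: bytes) -> bool:
        """Accept a 0x3D9 reply only if it equals the DI's own computation."""
        if can_id != RESPONSE_ID or self._challenge is None:
            return False
        expected = one_way(self._secret, self._challenge)
        self.unlocked = hmac.compare_digest(expected, payload)
        self._challenge = None  # one reply per challenge
        return self.unlocked


class Vcsec:
    """VCSEC side: answers any 0x276 it sees while a key card is present."""

    def __init__(self, secret: bytes, card_present: bool = True):
        self._secret = secret
        self.card_present = card_present

    def on_frame(self, can_id: int, payload: bytes):
        if can_id != CHALLENGE_ID or not self.card_present:
            return None
        (challenge,) = struct.unpack(">H", payload)
        return (RESPONSE_ID, one_way(self._secret, challenge))


def normal_unlock(secret: bytes, card_present: bool = True) -> bool:
    """Legitimate exchange: DI challenge, VCSEC reply, DI verification."""
    di, vcsec = DriveUnit(secret), Vcsec(secret, card_present)
    reply = vcsec.on_frame(*di.on_lv_power_state())
    return reply is not None and di.on_frame(*reply)


def record_lookup_table(vcsec: Vcsec) -> dict:
    """Bus-side recording with the inverter off: feed the VCSEC every possible
    challenge and keep its reply, as the poster describes."""
    table = {}
    for challenge in range(CHALLENGE_SPACE):
        reply = vcsec.on_frame(CHALLENGE_ID, struct.pack(">H", challenge))
        table[challenge] = reply[1]
    return table


def replay_unlock(table: dict, di: DriveUnit) -> bool:
    """Answer a live DI challenge from the recorded table; no secret needed."""
    _, payload = di.on_lv_power_state()
    (challenge,) = struct.unpack(">H", payload)
    return di.on_frame(RESPONSE_ID, table[challenge])


if __name__ == "__main__":
    paired = secrets.token_bytes(16)  # constructed secret shared by this DI/VCSEC pair
    other = secrets.token_bytes(16)   # constructed secret of a different motor
    table = record_lookup_table(Vcsec(paired))
    print("card present:", normal_unlock(paired))                          # True
    print("no card:", normal_unlock(paired, card_present=False))           # False
    print("replay, paired motor:", replay_unlock(table, DriveUnit(paired)))  # True
    print("replay, other motor:", replay_unlock(table, DriveUnit(other)))    # False
```

The table is keyed by the challenge value alone, so it is only as good as the secret it was recorded against: the last line fails because the other DriveUnit computes its expected hash from a different secret, regardless of what the table says. Note also that the DI discards the challenge after one reply, so a replayed answer has to arrive while that challenge is outstanding.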