== Overview ==

[[文件:Tesla-hw-overview.png]]

* CID (Central Information Display) – the large console at the centre of the dash
* IC (Instrument Cluster)
* Conventional CAN connected ECUs

CAN Buses:
* 1 – dedicated connection to diagnostic OBD-II port
* 2 – body – door, lights, mirrors
* 3 – powertrain – drive inverters, battery management system, charger, thermal controller
* 4 – body – climate control, seats
* There is no ‘5’ – although the hardware is present on the CID it is not used.
* 6 – chassis – suspension, instrument cluster, stability controller, power steering

For example, the Model S diagnostic connector (20-pin):

[[文件:Connector TeslaModelS X437A.jpg]]

'''Model 3 & Y diagnostic connector:'''

[[文件:Diagnostic connector-3Y.jpg]]

26-pin: P1 at top right, P14 at top left, P15 at bottom right; P18 (CanH), P19 (CanL)

[[文件:Obd2-pinout.png | 600px]]

<br>

== CAN Frame ==

[[文件:CAN-frame-msg.png]]

* SOF: The Start of Frame is a 'dominant 0' to tell the other nodes that a CAN node intends to talk
* ID: The ID is the frame identifier - lower values have higher priority
* RTR: The Remote Transmission Request indicates whether a node sends data or requests dedicated data from another node
* Control: The Control contains the Identifier Extension Bit (IDE) which is a 'dominant 0' for 11-bit. It also contains the 4 bit Data Length Code (DLC) that specifies the length of the data bytes to be transmitted (0 to 8 bytes)
* Data: The Data contains the data bytes aka payload, which includes CAN signals that can be extracted and decoded for information
* CRC: The Cyclic Redundancy Check is used to ensure data integrity
* ACK: The ACK slot indicates if the node has acknowledged and received the data correctly
* EOF: The EOF marks the end of the CAN frame

<br>

== Model 3 CAN MSG ==

* [https://www.csselectronics.com/pages/can-bus-simple-intro-tutorial CAN Bus Quick Tutorial]
* [https://www.teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/ Diagnostic Port & Data access]
* https://github.com/joshwardell/model3dbc
* https://github.com/commaai/opendbc

<source lang=bash>
$ git clone https://github.com/linux-can/can-utils.git
$ cd can-utils/ && make && make install

$ ip link set can0 type can bitrate 500000 listen-only on
$ ifconfig can0 up

# output all of the CAN messages (including errors) to your terminal:
$ candump -cae can0,0:0,#FFFFFFFF
(1423606588.555165) can0 00E#1E563FFF08FFA066
(1423606588.555434) can0 102#CA98F8FFEEFF
(1423606588.555881) can0 202#845E6B9D00007102
(1423606588.556169) can0 6F2#1634B40D1D43C3D0
(1423606588.556193) can0 212#5800227400
(1423606588.556455) can0 23A#000B001200050000
(1423606588.556678) can0 21A#FE0000FE000000B7
(1423606588.556902) can0 222#0000DA98F01070
(1423606588.557139) can0 29A#0000FE0000000000
(1423606588.557481) can0 27A#292903DC092600

# log all the data to a file in your current working directory (name like: candump-2023-02-10_221628.log)
$ candump -l any,0:0,#FFFFFFFF
</source>

<br>

== DBC (CAN Databases) ==

[[文件:CAN-DBC-File-Format-01.png]]

'''DBC Message Format:'''
* A message starts with BO_ and the ID must be unique and in decimal (not hexadecimal)
* The DBC ID adds 3 extra bits for 29 bit CAN IDs to serve as an 'extended ID' flag
* The name must be unique, 1-32 characters and may contain [A-z], digits and underscores
* The length (DLC) must be an integer between 0 and 1785
* The sender is the name of the transmitting node, or Vector__XXX if no name is available

'''DBC Signal Format:'''
* Each message contains 1+ signals that start with SG_
* The name must be unique, 1-32 characters and may contain [A-z], digits and underscores
* The bit start counts from 0 and marks the start of the signal in the data payload
* The bit length is the signal length
* The @1 specifies that the byte order is little-endian/Intel (vs @0 for big-endian/Motorola)
* The + informs that the value type is unsigned (vs - for signed signals)
* The (scale,offset) values are used in the physical value linear equation (more below)
* The [min|max] and unit are optional meta information (they can e.g. be set to [0|0] and "")
* The receiver is the name of the receiving node (again, Vector__XXX is used as default)

* [https://www.csselectronics.com/screen/page/can-dbc-file-database-intro/ CAN DBC File - QuickStart]
* [https://www.csselectronics.com/pages/dbc-editor-can-bus-database Online DBC Editor]
* https://github.com/joshwardell/model3dbc/blob/master/README.md
* https://github.com/commaai/opendbc

<br>

== Tesla EDR ==

EDR (Event Data Recorder): the vehicle's event data recording system. It records key operating data from three phases, before, during and after a collision, including speed, steering wheel angle, airbag status, brake status, accelerator pedal status and ABS status. This data can effectively reconstruct the real state of the vehicle before and after an accident, so the EDR can be regarded as Tesla's "black box".

When the system detects a collision or a collision-like event (for example, hitting a road obstacle), the EDR records data related to vehicle dynamics and the safety systems. The data is stored in the vehicle's Restraint Control Module (RCM). The Tesla Model S/X/3/Y all have an RCM; on the Model 3 & Y it is located at the bottom of the centre armrest console.

The recorded data helps investigators reconstruct the cause of an accident more accurately. Under normal driving conditions the EDR does not record data; event data is recorded only when the vehicle detects an abnormal event.

Official retrieval software: Tesla EDR https://edr.tesla.com

Officially recommended CAN hardware: [https://www.peak-system.com/PCAN-USB.199.0.html PCAN USB] (without isolation IPEH-002021 € 188, with isolation IPEH-002022 € 228) [https://www.peak-system.com/fileadmin/media/linux/index.htm Linux and PEAK-System's CAN Interfaces]

Official cable: Tesla Model 3 Direct-To Module EDR Retrieval Cable (Tesla part number 1492139), approx. $200

Official retrieval guide: https://edr.tesla.com/guides/CD-20-20-003_Model_3_EDR_Data_Retrieval_Guide.pdf

Hacking: https://www.teslaownersonline.com/threads/tesla-event-data-recorder-access-by-can.6175/page-2

Standards: [http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=CC68F6BFD3E104560914271598AFE8C8 Mandatory national standard GB 39732-2020, Vehicle Event Data Recording System], US standard [https://www.ecfr.gov/current/title-49/subtitle-B/chapter-V/part-563 CFR-49-563], [Technical Specifications for Safety of Power-Driven Vehicles Operating on Roads (GB7258-2017)]

<br>

== Model 3 Display & MCU ==

* [https://teslamotorsclub.com/tmc/threads/model-3-mcu-on-the-bench.268621/ Model 3 MCU on the bench]

<br>

== CAN Chip ==

* [https://www.nxp.com/docs/en/data-sheet/TJA1042.pdf TJA1042]
* [https://www.ti.com/lit/ds/symlink/sn65hvd231.pdf SN65HVD231]

CAN (Controller Area Network) is a serial communication network that effectively supports distributed control and real-time control. It is widely used in industrial field control, smart buildings, medical devices, vehicles and sensors. The CAN bus specification is ISO 11898. The CAN bus has just two wires, CAN_H and CAN_L, with typical voltages of CAN_H = 3.5 V and CAN_L = 1.5 V.

'''MCP2515:'''
* Operating voltage 2.7 V ~ 5.5 V
* 5 mA typical operating current
* CAN V2.0B @ 1 Mb/s, 0 ~ 8 byte length in the data field

<br>

== CAN Tools ==

canutils contains five commands, canconfig, canecho, cansend, candump and cansequence, used to test and monitor SocketCAN interfaces. Building canutils depends on libsocketcan; the canutils-4.0.6 and libsocketcan-0.0.12 versions can be used.

* canutils: https://github.com/linux-can/can-utils Old: https://public.pengutronix.de/software/socket-can/canutils/
* libsocketcan: https://git.pengutronix.de/cgit/tools/libsocketcan https://public.pengutronix.de/software/libsocketcan/

If the following error occurs:

<source lang=bash>
$ ifconfig can0 up
ifconfig: SIOCSIFFLAGS: Invalid argument
mcp251x spi1.0: bit-timing not yet defined
mcp251x spi1.0: unable to set initial baudrate!

$ ip link set can0 type can bitrate 125000 triple-sampling on
</source>

the ip tool from iproute2 is required:

<source lang=bash>
/buildroot-2020.11.2$ scp output/build/iproute2-5.7.0/ip/ip

$ ip link set can0 type can bitrate 500000 listen-only on
$ ifconfig can0 up

$ candump -cae can0,0:0,#FFFFFFFF
$ candump -l any,0:0,#FFFFFFFF
$ candump -cae -tA can0,0:0,#FFFFFFFF
 (2023-07-14 17:30:09.311837) can0 07EC38C0 [7] remote request
 (2023-07-14 17:30:09.312132) can0 01E77C60 [2] 12 91 '..'
</source>

<source lang=bash>
$ cansend can0 -i 8 -e 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88
</source>

Loopback test mode can be used for a hardware self-test without connecting to an external CAN bus:

<source lang=bash>
$ ip link set can0 up type can bitrate 1000000 loopback on
$ ip -details link show can0
2: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 10
    link/can promiscuity 0
    can <LOOPBACK,LISTEN-ONLY> state ERROR-ACTIVE restart-ms 0
          bitrate 1000000 sample-point 0.750
          tq 83 prop-seg 4 phase-seg1 4 phase-seg2 3 sjw 1
          mcp251x: tseg1 3..16 tseg2 2..8 sjw 1..4 brp 1..64 brp-inc 1
          clock 12000000 numtxqueues 1 gso_max_size 65536 gso_max_segs 65535

$ candump can0 -L &
$ cansend can0 300#AC.AB.AD.AE.75.49.AD.D0
(0000000887.394367) can0 300#ACABADAE7549ADD0
(0000000887.394465) can0 300#ACABADAE7549ADD0
</source>

<br>

== Reference ==

* [https://www.pentestpartners.com/security-blog/reverse-engineering-tesla-hardware/ Reverse Engineering Tesla Hardware]
* [https://www.pentestpartners.com/security-blog/reverse-engineering-the-tesla-firmware-update-process/ Reverse Engineering the Tesla Firmware Update Process]
* https://github.com/lewurm/blog/issues
* https://www.teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/
* CANServer (OBDLink MX+)
* https://github.com/amund7/CANBUS-Analyzer
* [https://teslatap.com/modifications/extracting-internal-vehicle-data/ Extracting internal vehicle data]
* [http://www.inovatek.cn/index.php?case=archive&act=show&aid=332 TeslaOBD]
* Scan MY Tesla, TesLAX ...
* https://carprotool.com/forum/pinouts
* [https://fn.lc/post/tesla-model-3/ Hacking my Tesla Model 3 - Security Overview]
* [https://fn.lc/post/tesla-model-3-services/ Hacking my Tesla Model 3 - Internal API]
* [https://www.instructables.com/Exploring-the-Tesla-Model-S-CAN-Bus/ Exploring the Tesla Model S CAN Bus]
* [https://www.instructables.com/DIY-Beaglebone-CAN-Bus-Cape/ DIY Beaglebone CAN Bus Cape]
* [https://iopscience.iop.org/article/10.1149/1945-7111/ab7900#jesab7900s4 Capacity Recovery Effect in Commercial LiFePO4 / Graphite Cells]

<br>
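
Added example (not part of the original page or of any project linked from it): the candump log lines shown under "Model 3 CAN MSG" are parsed and a signal is decoded using the SG_ fields listed under "DBC Signal Format", including the case where a frame is shorter than the signal layout expects. DemoLevel and DemoDelta are hypothetical signals constructed for this example, the function names are the example's own, and only little-endian (@1) signals are handled.

```python
import re

# candump log line as printed on this page: (timestamp) interface ID#HEXDATA
LOG_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$")
# DBC signal: SG_ name : start|length@order sign (scale,offset) [min|max] "unit" receiver
SG_RE = re.compile(r'SG_\s+(\w+)\s*:\s*(\d+)\|(\d+)@([01])([+-])\s*'
                   r'\(([^,]+),([^)]+)\)\s*\[[^\]]*\]\s*"([^"]*)"')

def parse_candump(line):
    """Return (timestamp, interface, can_id, payload bytes) for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    ts, iface, can_id, data = m.groups()
    return float(ts), iface, int(can_id, 16), bytes.fromhex(data)

def parse_signal(sg_line):
    """Parse one SG_ line into the fields listed under 'DBC Signal Format'."""
    m = SG_RE.search(sg_line)
    if not m:
        raise ValueError(f"not a DBC signal line: {sg_line!r}")
    name, start, length, order, sign, scale, offset, unit = m.groups()
    return {"name": name, "start": int(start), "length": int(length),
            "little_endian": order == "1", "signed": sign == "-",
            "scale": float(scale), "offset": float(offset), "unit": unit}

def decode(sig, payload):
    """physical = offset + scale * raw, for little-endian (@1) signals only."""
    if not sig["little_endian"]:
        raise NotImplementedError("Motorola (@0) bit numbering is not handled here")
    if sig["start"] + sig["length"] > len(payload) * 8:
        raise ValueError(f"{sig['name']} does not fit in a {len(payload)}-byte frame")
    raw = (int.from_bytes(payload, "little") >> sig["start"]) & ((1 << sig["length"]) - 1)
    if sig["signed"] and raw >> (sig["length"] - 1):
        raw -= 1 << sig["length"]          # two's complement sign extension
    return sig["offset"] + sig["scale"] * raw

# Hypothetical signal definitions, constructed for this example (not from any real DBC).
DEMO_UNSIGNED = parse_signal('SG_ DemoLevel : 16|12@1+ (0.25,-40) [0|0] "units" Vector__XXX')
DEMO_SIGNED = parse_signal('SG_ DemoDelta : 40|8@1- (1,0) [0|0] "" Vector__XXX')

if __name__ == "__main__":
    # Two frames copied from the candump output on this page.
    for line in ("(1423606588.555165) can0 00E#1E563FFF08FFA066",
                 "(1423606588.556193) can0 212#5800227400"):
        ts, iface, can_id, payload = parse_candump(line)
        for sig in (DEMO_UNSIGNED, DEMO_SIGNED):
            try:
                print(f"{can_id:03X} {sig['name']} = {decode(sig, payload)} {sig['unit']}")
            except ValueError as err:
                print(f"{can_id:03X} skipped: {err}")
```

Real signal definitions would come from a DBC file such as those in the repositories linked above; a signal that does not fit the received frame length is reported rather than decoded from missing bytes.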