Cracking the secrets of a Tesla’s “brain box”—the good, the bad, and the ugly
DEF CON, a yearly tech and defense industry convention that focuses mostly on exploiting and reverse-engineering “secure” technologies in order to reveal weak links, has begun releasing batches of its presentations for 2020. Among these is one by Patrick Kiley, who investigates how a Tesla’s software can be modified to unlock features and performance potential that’s normally restricted based on factors like the trim level of the vehicle or who owns it.
Every few decades, we have to essentially relearn everything we know about the automobile as technology changes, and few shifts have been more brutal than the move into electric vehicles. It represents theoretical acres of new territory. Modifying and repairing EVs—let alone manufacturing them in the first place—requires a wealth of different tools and knowledge, so traditional speed shops are typically uncomfortable approaching electric vehicles like a Tesla.
If a shop had the requisite know-how and tools, though, what would be the play? Well, the EV modding game is less about hot-rodding the hardware—the drive units and batteries themselves—and more about adjusting software by scanning and eventually rewriting parts of the vehicle’s back-end code. This topic is complex, so we’re going to begin at ground level before tossing you into the stratosphere at ludicrous speed.
Enter the Matrix
An electric vehicle is essentially run by a network of individual computer modules that work together to direct power for charging or acceleration. They also decide how much juice to give the motor with different throttle inputs, where to limit performance to protect the driveline and battery, and so on.
In a combustion-powered vehicle, a throttle pedal attaches to a butterfly valve, which passively allows air into the huffing engine. An EV’s pedal, on the other hand, broadcasts its position to the greater vehicle network until the receiving components—in this case, the motor controller and battery management system—pick the message out of the network stream and absorb the data into their next steps in managing the drivetrain.
This network, known as a Controller Area Network (CAN) Bus (“bus” being the electronics term for any major conduit of power or data that’s tapped by other parts), acts like the car’s central nervous system. It’s already present in today’s cars, controlling everything from your power windows to your factory boost controller. In most cars outside of pure EVs, however, the drivetrain is still composed of mechanical bits, apart from the electronic sensors and controls. If you want to change how that engine makes power, you’re playing a game of camshafts and port design, among other things (boooost).
Modern EVs replace these mechanical components with … more computers, all of which use varying forms of encryption to keep people from sniffing the data streams. The encryption also prevents would-be tuners from figuring out exactly what an EV’s power curve looks like and from accessing the code to modify it. It sounds absurdly high-tech, but with an EV, we’re no longer basing a power curve on a fuel-air-spark mixture, as we would in the tuning tables of a typical internal combustion ECU.
The foundation on which our cars operate has fundamentally changed, and that’s where Kiley’s research comes into play. You can modify the electric motor to some degree—those of us who’ve spent too much money and time hand-winding armatures for custom RC motors can attest to that—but the real secret lies in the invisible hand of the CAN Bus network. Once we learn what that system is doing, we can modify it—namely, to make more power and to unlock features for which the vehicle is already equipped, like Ludicrous Speed and free Supercharger station access in the case of a Tesla.
Sure, but what if I don’t care about speed?
You should care about consumer rights, then, because Tesla’s usage of this moldable foundation has created controversy in the past. Buyers of used Teslas have seen features removed via software updates just because the previous owner didn’t directly buy those features from Tesla.
This would be like buying a used Mustang GT, and the next morning discovering a Ford engineer sitting in your driveway ripping out the upgraded brakes and suspension. “Sorry, you didn’t pay your GT tax to us when you paid someone else for this car!”
It’s happened to several Tesla owners over the years, and the process essentially decontents a car without the owner’s permission. The system is especially dangerous because a Tesla’s used value can take into account features like factory-enabled free Supercharging station access … for the previous owner.
A second analogy: You buy your new Mustang GT and look under the hood to find a 2.7-liter Eaton blower perched between the valve covers of the GT500’s 5.2-liter V-8. Sweet! You hop behind the wheel, turn the key, slam the skinny pedal into the Earth’s core and, despite your car having all the necessary equipment to dole out 760 hp, you only get 460 hp.
Naturally, you’d be frustrated in either scenario. Unfortunately, this is how Tesla has set the stage for other automakers in the EV space. Many owners feel that their purchase price pays for all of a vehicle’s mechanical capabilities, but Tesla has been using software to limit those capabilities in lower-spec trims. There is a growing expectation that a customer doesn’t actually own the software in their vehicle; instead, they buy licensing rights to that software along with the vehicle’s purchase. The process is an abuse of the Digital Millennium Copyright Act (DMCA) and warps the definitions of traditional computer intellectual property onto the automotive industry.
It’s an affront to consumer rights, and recent cases brought against Apple by users who’ve “jailbroken” their iPhones for custom software have established precedent that Tesla’s approach is an abuse of the DMCA. However, if we’re using the farming equipment industry as a litmus test (John Deere has come under fire for preventing farmers from effectively repairing their machinery by requiring expensive software, cables, and unique registrations that kill the DIY and used-parts market), OEMs don’t seem to care.
Taking back our cars
The hacking community is essentially saving the culture of automotive modification through its own natural curiosity. Many of the speakers at DEF CON don’t have traditional automotive backgrounds, if any at all. Many hackers cut their teeth with a little mischief; others have the alphabet agencies on their resumes but have since moved into roles as “white hat” or “red team” hackers with ethical and professional agendas. In the same way gearheads love to tear something down to see how it works inside, hackers are digging into software.
What Kiley’s research focuses on is the process of sniffing through the CAN Bus to study the raw data, then figuring out how to translate that data (which is shown in its raw hexadecimal format) into legible descriptions like battery temperature or the motor’s current draw. Some of this data will have to be decrypted, of course, and Kiley goes into detail about how Tesla structures their system with various software keys hidden in the file system. For the most part, though, after the raw data has been revealed, it becomes a game of pattern recognition to see which raw hexadecimal values equate to which features.
By changing these values (“bits,” more specifically), you can switch features on or off. By tweaking a whole group of them, you can start to discover more complicated software routines, such as how Tesla builds a power curve for its motors so that the notoriously instant torque is actually usable and civilized.
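As an added illustration of the two steps just described, the translation of raw hex into legible values and the pattern recognition that pins a feature to a bit, here is a small Python script that is not code from Kiley’s talk or from Tesla. It parses candump-style CAN log lines, decodes a DBC-style signal (start bit, length, scale, offset) into a physical value such as a temperature, and compares two captures to report the bits that hold steady within each capture but differ between them, which is the same analysis a monitoring tool would run to learn what a given frame carries. Every CAN ID, payload and signal layout below is constructed for the example.

```python
import re
from collections import namedtuple

# Constructed candump-style captures (timestamp, interface, hex ID, DLC, data bytes).
# IDs, payloads and signal layouts are invented for illustration; none are Tesla's.
CAPTURE_BEFORE = """
(1.000) can0 1A0 [8] 00 13 C8 00 2D 00 00 10
(1.010) can0 1A0 [8] 00 14 C8 00 2D 00 00 10
(1.020) can0 2B4 [4] 7F 00 00 01
"""
CAPTURE_AFTER = """
(2.000) can0 1A0 [8] 00 14 C8 00 2D 00 00 11
(2.010) can0 1A0 [8] 00 15 C8 00 2D 00 00 11
(2.020) can0 2B4 [4] 7F 00 00 01
"""
FRAME_RE = re.compile(r"\(([\d.]+)\)\s+\w+\s+([0-9A-Fa-f]+)\s+\[\d+\]\s+((?:[0-9A-Fa-f]{2}\s*)+)")
# DBC-style little-endian (Intel) signal definition: physical = raw_field * scale + offset
Signal = namedtuple("Signal", "name start_bit length scale offset")

def parse_capture(text):
    """Return (timestamp, can_id, payload bytes) tuples from candump-style lines."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((float(m[1]), int(m[2], 16), bytes.fromhex(m[3].replace(" ", ""))))
    return frames

def decode_signal(payload, sig):
    """Translate the raw field starting at sig.start_bit into a physical value."""
    raw = int.from_bytes(payload, "little")
    field = (raw >> sig.start_bit) & ((1 << sig.length) - 1)
    return field * sig.scale + sig.offset

def stable_bits(frames, can_id):
    """Bits of this ID's payload that never change within one capture, plus their value."""
    vals = [int.from_bytes(d, "little") for _, i, d in frames if i == can_id]
    if not vals:
        return 0, 0
    mask = (1 << 64) - 1                 # classic CAN payloads are at most 8 bytes
    for v in vals[1:]:
        mask &= ~(v ^ vals[0])           # drop bits that vary (counters, live sensor data)
    return mask, vals[0] & mask

def candidate_feature_bits(before, after, can_id):
    """Pattern recognition: bits steady within each capture but flipped between them."""
    mask_a, val_a = stable_bits(parse_capture(before), can_id)
    mask_b, val_b = stable_bits(parse_capture(after), can_id)
    return (val_a ^ val_b) & mask_a & mask_b
```

With the constructed captures, byte 1 of ID 0x1A0 is excluded as a live counter, and the only surviving candidate is bit 0 of byte 7, the one that changed between the two captures.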
Grab some popcorn, and put the IT department on speed dial. Kiley’s presentation and the follow-up Q&A go into very granular detail, but little else delves this deep into the changes in store for the automotive industry.