Reverse Engineering the Tesla Battery Management System to increase Power Available

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 12:30 p.m. (40 minutes).

Tesla released the dual motor performance Model S in late 2014. At that time the vehicle came with "insane mode" acceleration and an advertised 0-60 time of 3.2 seconds. Later, in July of 2015, Tesla announced "Ludicrous mode" that cut the 0-60 time down to 2.8 seconds. This upgrade was offered as a hardware and firmware change to the existing fleet of P85D vehicles and was offered for new purchases as well. Since then, Tesla has released the P90D and P100D that also have incremental performance improvements. What made the P85D upgrade unique was that the process offered insight into how the vehicle's Battery Management System (BMS) handles power requests from the front and rear drive units of the car.

I was able to reverse engineer this upgrade process by examining the CAN bus messages, CAN bus UDS routines, and various firmware files that can be extracted from any rooted Tesla Model S or X. I also decrypted and decompiled Python source code used for diagnostics to determine that the process involved removing the battery pack and replacing the fuse and high voltage contactors with units that could handle higher amperage levels, as well as modifying the current sensing high voltage "shunt" inside the battery pack so that it would properly respond to the higher amperage.

I then performed this process on an actual donor P85D. I then modified the firmware of the Battery Management System and the appropriate files on the security gateway to accept the modified battery pack, bricking the car in the process and forcing me to pay to have it towed to another state so I could troubleshoot. I came to understand that the BMS is the deciding module that allows the drive units to have only as much power as the BMS allows.


Presenters:

  • Patrick Kiley - Principal Security Consultant, Rapid7
    Patrick Kiley (GXPN, GPEN, GAWN, GCIH, CISSP, MCSE), currently a Principal Security Consultant on the Penetration Testing team at Rapid7, has over 17 years of information security experience working with both private sector employers and the Department of Energy/National Nuclear Security Administration (NNSA). While he was with the NNSA, he built the NNSA's SOC and spent several years working for emergency teams. Patrick has performed research in Avionics security and Internet connected transportation platforms. Patrick has experience in hardware hacking, IoT, Autonomous Vehicles, and CAN bus.
