· 6 min read ·

What Your Car's Computer Needs Before It Will Boot Without the Car

Source: hackernews

Security researchers who want to study automotive software face a problem that has no clean software-only solution. The systems they want to analyze run on hardware that sits inside a car, powered by a 12-volt bus, embedded in a network of dozens of electronic control units that send and receive messages constantly. Buying a complete test vehicle is expensive. Keeping it for extended research ties up a large capital asset. And modern automotive computers often refuse to operate fully without receiving the expected signals from the rest of the vehicle.

This is why David Hu’s write-up on running a Tesla Model 3’s computer on his desk lands as genuinely useful documentation. The process is not just hobbyist curiosity. It’s a replicable methodology for automotive security research that anyone with a bench supply and some salvage parts can reproduce, and understanding why it’s non-trivial requires understanding what a modern automotive computer actually depends on to function.

Tesla’s MCU Architecture

The Model 3’s main infotainment and control unit has gone through several hardware generations. The original Model S used NVIDIA Tegra 3 silicon running Ubuntu 14.04. The Model 3 at launch used an Intel Atom E8000-series processor for the Media Control Unit (MCU), paired with eMMC storage and a Linux-based OS that Tesla has described publicly as a custom distribution built on Ubuntu’s foundations. MCU2 brought NVMe storage and more RAM. The post-2023 Highland refresh moved the infotainment to an AMD Ryzen Embedded processor with substantially more compute headroom.

The point is that these are not microcontrollers. They are general-purpose x86 or x86-64 machines running a conventional Linux userspace, with a kernel that includes modules for CAN bus interfaces, custom Tesla hardware, and automotive-grade wireless chipsets. The software gap between “this looks like a server” and “this will behave like a server when you take it out of the car” is where the interesting problems live.

The Power Problem

The first challenge is power. Automotive computers run from the vehicle’s 12-volt low-voltage bus, but “12 volts” covers a wide range of actual conditions. A fully-charged 12V lead-acid or lithium auxiliary battery sits closer to 13.8V under charge. The module’s internal power supply must handle voltage transients, load dumps, and cold-crank events. For bench testing, a lab-grade bench supply set to somewhere between 12V and 13.8V works, but the module typically has multiple power inputs: a persistent power rail that keeps certain memory alive, a switched ignition rail that signals the system to boot, and sometimes a dedicated rail for specific subsystems.

Identifying which connector pins carry which rails requires either a wiring diagram (Tesla publishes partial schematics through their repair documentation portal) or careful continuity testing. This is one of the places where having a second salvaged unit to probe without fear of damage is valuable.

What the CAN Bus Expects

Power alone is rarely sufficient. The Controller Area Network connects the MCU to dozens of other modules: the Body Control Module (BCM), the Battery Management System (BMS), the Vehicle Gateway, steering, braking, HVAC, and door controls. Messages flow constantly. A modern vehicle CAN bus runs at 500 kbps or 1 Mbps, carrying periodic status frames from each module at defined intervals.

The MCU performs what is effectively a network health check at startup. If expected modules are absent from the bus, the system may limit functionality, display warning screens, or refuse to fully initialize certain subsystems. Tesla’s architecture uses a Gateway module as a CAN-to-Ethernet bridge that mediates communication between the high-voltage powertrain bus, the chassis bus, and the MCU. On the bench, that Gateway either needs to be present as salvaged hardware, or its expected traffic needs to be simulated.

Simulating CAN traffic is tractable with readily available hardware. The Peak PCAN-USB and the Canable are both popular adapters that expose a SocketCAN interface on Linux. With SocketCAN, you can write a simple daemon that periodically sends the heartbeat frames the MCU expects from absent modules:

# Bring up CAN interface
ip link set can0 up type can bitrate 500000

# Send a periodic BCM status frame (ID 0x132 is an example, not Tesla-specific)
cansend can0 132#0000000000000000

In practice, determining the exact frame IDs and expected payloads requires either live capture from a working vehicle (using the OBD-II port as an access point) or reference to reverse-engineered databases like opendbc, which comma.ai maintains as a community resource of decoded CAN signals for many vehicle platforms including Tesla.

The Salvage Yard as Research Infrastructure

The sourcing angle in Hu’s post deserves attention on its own terms. Salvage yards are not just a cost optimization. They are the practical mechanism through which automotive security research becomes accessible.

A Tesla Model 3 MCU pulled from a salvage vehicle costs roughly $200 to $600 depending on generation and condition, compared to $1,500 or more for a new unit from Tesla. More importantly, the salvage unit carries no warranty obligations, no legal ambiguity around intentional modification, and no concern about bricking a vehicle that someone needs to drive. Platforms like Copart and IAA list crashed Teslas continuously, and the MCU is typically undamaged in any collision that doesn’t involve the front trunk area.

The density of Tesla salvage in certain markets, particularly California, has created a parallel ecosystem. EV-specific salvage yards like EV Parts Online have emerged specifically to handle the demand for Tesla components from researchers, repair shops operating outside Tesla’s authorized network, and hobbyist builders.

Authentication and Boot-Time Checks

Most automotive computers include some form of vehicle-binding or authentication. The mechanisms vary by manufacturer and generation. Some use VIN-coded modules that refuse to operate in a different vehicle’s context. Others use challenge-response authentication between modules. Tesla’s approach has evolved across hardware generations.

Earlier Tesla units could be operated in bench mode with relatively minimal ceremony. Newer hardware, particularly post-2021 builds, incorporates more sophisticated attestation. The Secure Boot chain matters here: if the firmware signature doesn’t match what the bootloader expects, the system won’t proceed. This is part of why having salvaged hardware with genuine Tesla firmware intact is important. A unit that has been through a factory reset or firmware wipe may have different behavior than one pulled directly from a crashed vehicle.

What You Can Actually Do

Once the system is running on the bench, the research surface becomes the full Linux environment. Tesla’s OS exposes several interesting interfaces. The system runs busybox-based userland utilities alongside custom Tesla binaries. There is a debug UART header on most MCU boards that provides a serial console during boot. Once at a shell, the attack surface includes:

  • The carserver process, which handles high-level vehicle control and communicates with Tesla’s backend
  • The Chromium-based browser embedded in the infotainment UI
  • Bluetooth and Wi-Fi stacks used for phone-as-key and software updates
  • The OTA update mechanism, which fetches and applies firmware packages

Hu previously documented a BLE relay attack against Tesla’s phone-as-key system in 2022. That class of research requires understanding both the Bluetooth stack and how the vehicle interprets proximity signals, which is exactly the kind of multi-layer analysis that becomes tractable when you can run the hardware in a controlled bench environment and iterate without worrying about a car sitting in a parking lot.

Why This Matters Beyond Tesla

The broader principle here extends well past any single automaker. As vehicles become more software-defined, the question of who can study that software, under what conditions, and with what tools becomes a right-to-repair question as much as a security research question. The 2021 NHTSA guidance on automotive cybersecurity acknowledges the tension between security through obscurity and independent verification, but leaves the tooling question largely unresolved.

What Hu’s methodology demonstrates is that the barrier to automotive security research is primarily logistical rather than technical. The hardware is available. The tools for CAN analysis, firmware extraction, and Linux exploitation are mature. The main remaining friction is documentation: knowing which pins to power, which CAN frames to simulate, and which interfaces to approach first. Posts like this one reduce that friction, which is net positive for the security of systems that now control steering, braking, and over-the-air software updates in millions of vehicles.

Was this interesting?