Sub gigahertz sampling and playback exercise.
Background
The charge port door on a Tesla can be opened remotely as a convenience when charging. The charging plug on a Tesla Supercharger or a Tesla home wall charger uses a low-power wireless signal to open the charge port door as the plug comes into proximity.
There is no verification of the authenticity of the charger, and this is a simplex channel: no response or exchange comes from the vehicle. By design, the signal opens the charge port door even if the vehicle is locked. In contrast, the charge port door cannot be opened manually by pressing on it when the car is locked. This makes it very convenient for the user, as charging with a Tesla-branded service “just works”. There is nothing to stop Tesla changing this behaviour in the future via a software update.
Exercise
I started out by searching for what had been done by others. It turns out that the Internet finds opening the charge port on a Tesla you don’t own hilarious. No surprises there! So there is a lot written about it, there are YouTube videos, and you can download the files so that you can amuse yourself even if you don’t wish to learn :-(
From my perspective, it was a chance to play with the “sub gigahertz” capture capability of the Flipper Zero and, in the hands-on process, reinforce some real-world truths that I worry might sneak up on me while I teach the theory of data communications.
The interface on the Flipper Zero is very straightforward. All you really need to know is that the charge port is in the sub gigahertz frequency range.
https://docs.flipper.net/sub-ghz
I’m not sure why, but my initial attempts to capture the signal and replay it didn’t work. Pressing the button on my Tesla wall charger connector resulted in an obvious peak in the received signal strength, but replaying the signal saw the charge port remain shut.
So a little searching revealed .sub files that others had uploaded. The first thing I noticed was that the files indicated 315 MHz, which isn’t part of the approved ISM band in Australia, so I was doubtful that this would be correct. When I sampled my own charger, the signal was received at 433 MHz, but in very close proximity the receiver can easily be overloaded, with harmonics all over the place, so I didn’t feel that was definitive.
Anyway, sending at 315 MHz (oops, broke the law!) did nothing. A bit more research suggested/confirmed that Australian Teslas use 433.9 MHz. I also discovered that the frequency is part of the .sub file format.
    Filetype: Flipper SubGhz RAW File
    Version: 1
    Frequency: 433900000
    Preset: FuriHalSubGhzPresetOok270Async
    Protocol: RAW
    RAW_Data: 399 -377 32700 -66 …
So I took an existing 315 MHz Internet file and changed the frequency to 433 MHz. Bingo! Open charge port.
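To make the .sub layout concrete, here is a small parser I have added (not code from the post, from Flipper or from Tesla): it reads the header and RAW_Data lines, totals the mark/space timing, and checks the carrier against a regional band table. The sample file text and the band limits are constructed assumptions rather than measured values; the band check is the kind of sanity check that flags a 315 MHz file before it is ever transmitted in Australia.

```python
# Constructed sample in the Flipper SubGhz RAW .sub layout quoted in the post.
# Header values follow the post; the RAW_Data numbers are invented, not a capture.
SAMPLE_SUB = """Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433900000
Preset: FuriHalSubGhzPresetOok270Async
Protocol: RAW
RAW_Data: 399 -377 32700 -66
RAW_Data: 401 -380 398 -379
"""

# Assumed band table in Hz. AU is my reading of the 433 MHz LIPD class licence
# and deliberately has no 315 MHz entry, matching the post; US is illustrative.
REGION_BANDS = {
    "AU": [(433_050_000, 434_790_000)],
    "US": [(312_000_000, 318_000_000), (433_050_000, 434_790_000)],
}

def parse_sub(text):
    """Split a .sub file into its key/value header and RAW_Data timings (us: +mark, -space)."""
    header, durations = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line, skip it
        key, value = key.strip(), value.strip()
        if key == "RAW_Data":
            durations.extend(int(v) for v in value.split())  # several lines concatenate in order
        else:
            header[key] = value
    if header.get("Filetype") != "Flipper SubGhz RAW File":
        raise ValueError("not a Flipper SubGhz RAW file")
    header["Frequency"] = int(header["Frequency"])
    return {"header": header, "durations": durations}

def summarise(parsed):
    """Total the mark/space time so a capture's length can be sanity-checked."""
    d = parsed["durations"]
    return {
        "pulses": len(d),
        "on_us": sum(v for v in d if v > 0),
        "off_us": -sum(v for v in d if v < 0),
        "total_ms": sum(abs(v) for v in d) / 1000,
    }

def frequency_permitted(frequency_hz, region):
    """True if the carrier sits inside one of the region's assumed bands."""
    return any(lo <= frequency_hz <= hi for lo, hi in REGION_BANDS.get(region, []))
```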
With confirmation that 433 MHz was correct, I had another go at capturing my own signal. I used the AM270 setting, as this has a narrower bandwidth and is therefore likely to have lower noise.
A really good explanation of the capture parameters is here: https://github.com/jamisonderek/flipper-zero-tutorials/wiki/Sub-GHz/1b5ea1c7d0b80da3a829099ea658cbfd561abcb2
I don’t recall whether I used Read, READ or READ RAW, but this time the Flipper Zero recognised it as a discrete transmission. Once again, success, and the satisfaction of having captured the output myself.
My file is here:
You can add it to your Flipper by opening your USB-connected Flipper in the Flipper Lab web interface (linked at the end of this post), then:
- open Files
- click SD card
- drag the file in
When you open Sub-GHz, the file will be visible.
Learning outcomes
I learned a lot through this exercise:
- Some practical Flipper skills and familiarity.
- Knowledge of a simple protocol used in a common tech-oriented product.
- Reinforcement that all radio-based devices will be region specific.
- Reflection on the trade-off between security and user experience.
Further work
- Capturing the signal is one thing, but generating it via Python and gaining an appreciation of the signal and the encoding itself would be rewarding: not a recording but a “perfect” live performance. This opens up the Flipper Zero to generating arbitrary signals, which is very cool for a handheld device as opposed to a shoebox of wires and discrete boards.
- Moving on to the software-defined radio path, this would be an excellent beginner project: replicate the signal using GNU Radio. The output could be tested using the Flipper Zero, and once confirmed it could be used to drive a “proper SDR” such as a HackRF or BladeRF.
Conclusion
For me, the Flipper Zero delivered in this exercise. It reduced the equipment to a palm-sized, battery-powered device and delivered a proof of concept quickly enough to give an encouraging sense of achievement. I’m not big on gamification in learning (if it isn’t intrinsically fun, why fake it?) but you do want to feel success.
I like the idea that you can carry your success in your pocket. Forever (until Elon says no) you can open a Tesla charge port. If you can do that because you just copied my file and annoyed EV drivers, then I’m not sure what your portfolio of achievements says about you, and the Flipper is a script kiddie toy. But if you generate that file with GNU Radio and can speak confidently about the encoding of the signal and the workflow in GNU Radio, then I think you could be well satisfied.
https://lab.flipper.net/