
2022 Tesla Model 3 LR Projector to Matrix headlight retrofit

The set gw config Odin task only allows unlimited changing for Tesla personnel. If you purchased access to Toolbox as a 3rd party, then you can only use it to change tow package, car color and tire type variables, nothing else. Also, your syntax is wrong.
Well, even if it's useless, I would appreciate any hints regarding the syntax. That's about what I was able to come up with digging through the JavaScript and looking at examples of other tasks. I understand if you're unwilling to share.
 
Can we turn on the ambient light? I found the original ambient lights, but of course they don't work!!!
I meant the door ambient light insert for the refresh, I'm sorry.
 

Thanks for the valuable information in this thread, it's so interesting to learn about the internals of the Tesla software on the cars. How do you unlock the gateway, though? The other thread quoted earlier in a comment mentions a "Vehicle gateway unlock procedure" and article 5582900. I couldn't find this article; is it hidden from the Tesla service portal?
 
Did anyone manage to change the gateway params using Toolbox with external privilege?

I tried to intercept the messages between Toolbox and the car. All commands are limited by the JWT token principal that is fetched from the odin_token endpoint and then sent to Odin in the MCU, which verifies the intermediate cert against the stored root cert, then verifies the token against the intermediate cert provided in the command. Based on that principal, everything is limited.

If I could get my hands on a firmware image, I might be able to inspect odin_bundle and try to exploit it.

I managed to exploit toolbox.Tesla.com and get a Toolbox subscription for free. I know their code is not invincible, and they don't really try hard to close exploits as much as they just wait for them to be discovered, then they close them.

So if anyone has access to some private repo that has firmware images, that would be really helpful. The firmware image I have is really old and I'm sure the code has changed a lot.
 
What level of access does your exploited toolbox have? Did you try to run the commands using set vehicle configs odin task?
 
I don't have an exploited Toolbox. I managed to find a way to get an annual subscription for free, that's all for now. I got an Intel MCU and am trying to exploit Odin on it without doing any hardware changes, but as I mentioned before, without a firmware image I can't really do anything, so if I can't find a firmware image to inspect the Odin bundle, I might have to get an eMMC reader and get into the messy level.

Vehicle config is still filtered and you can't change much when you are at tbx-external level.

Have you managed to change anything?
 
Could you send me a PM on how you found a way to get it for free, because paying the amount just for testing is not worth it.

Thanks
 
@verygreen what level of access do body shops have? Tbx-internal or tbx-external?

I found the list of Toolbox levels of access here
Each token contains a security level. These levels grant access to different Odin commands. This allows different tiers of service the minimum permissions they need to do their job.

These are broken into principals and remote_execution_permissions. Presumably principals requires physical access via the diagnostic ethernet port.

The principals levels listed in the Odin tasks are:

  • tbx-internal
  • tbx-external
  • tbx-technical-specialist
  • tbx-engineering
  • tbx-service
These seem to be mostly internal car tests likely used during manufacturing. The only time the non internal/external principals show up is for PROC_ICE_X_LOGS-UPLOADER and ICE_DEASSOCIATE_PRODUCT_ID. The second is engineering only and appears to wipe the vehicle VIN and car config.

The remote_execution_permission levels listed in the Odin tasks are:

  • tbx-service
  • tbx-service-infotainment
  • tbx-technical-specialist
  • tbx-service-engineering
  • tbx-engineering
  • tbx-mothership
@terranx I think you were looking into using PROC_ICE_X_SET-VEHICLE-CONFIG for changing gateway config, right? It seems it is accessible only with tbx-mothership Toolbox access :)
Things like TEST-BASH_ICE_X_SEARCH-UI-ALERTS can be accessed by tbx-service, tbx-service-engineering and tbx-mothership.

Things like PROC_ICE_X_SET-VEHICLE-CONFIG can only be accessed by tbx-mothership.
 
It is not enough to have a tbx-mothership token. For secured configs, like headlamps/autopilot/taillights, you need to specify not only a value but also a signature that contains the VIN and a timestamp. Such a signature will only be valid for 5 minutes.
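
The layered check the posts above describe (a per-task permission level, plus a VIN-bound, 5-minute signature for secured configs), sketched from the verifier's side as an added example that is not part of the thread and not Tesla's code. The HMAC key, the config key names, the request fields and the sample VIN are assumptions; the real signature scheme is not given in the thread.

```python
import hashlib
import hmac
import json

# remote_execution_permission levels per Odin task, as quoted in the thread.
TASK_LEVELS = {
    "TEST-BASH_ICE_X_SEARCH-UI-ALERTS":
        {"tbx-service", "tbx-service-engineering", "tbx-mothership"},
    "PROC_ICE_X_SET-VEHICLE-CONFIG": {"tbx-mothership"},
}
# Assumed key names for the secured configs the thread mentions.
SECURED_CONFIGS = {"headlamps", "autopilot", "taillights"}
MAX_AGE_SECONDS = 5 * 60            # validity window stated in the thread
DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real scheme


def sign(vin, timestamp, name, value, key=DEMO_KEY):
    """Issuer side of the demo: MAC over VIN, timestamp and the requested change."""
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([vin, timestamp, name, value]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(level, task, car_vin, now, request, key=DEMO_KEY):
    """Car-side decision for one request; returns (allowed, reason)."""
    if level not in TASK_LEVELS.get(task, set()):
        return False, "level not permitted for task"
    if request.get("name") not in SECURED_CONFIGS:
        return True, "ok"
    sig = request.get("signature")
    if not sig:
        return False, "secured config needs a signature"
    # Verify the MAC before trusting any field it covers.
    expected = sign(request.get("vin"), request.get("timestamp"),
                    request["name"], request.get("value"), key)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if request["vin"] != car_vin:
        return False, "signed for a different VIN"
    age = now - request["timestamp"]
    if not 0 <= age <= MAX_AGE_SECONDS:
        return False, "outside the 5 minute window"
    return True, "ok"
```

Binding the signature to the VIN stops a value signed for one car from being replayed on another, and the timestamp window limits how long a captured request stays usable.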