Cyberpower678
Member
I poked at the gateway a bit myself today, but it's pretty secure. I haven't discovered a way to access. There could be some exploits hidden in the MCU, that can put the car into Factory Mode, but most of them, if not all, are patched at this point.I tried this with the latest version of toolbox 3 on my account and it sadly said the change was unauthorized by my account level. I have a 2019 sr+ I am trying to make several small gateway changes to, like adding pws speaker etc., and none of those changes it takes even if I try this way above. Has anyone been able to successfully issue any gateway change command that isn't listed as changeable by the tesla 3 toolbox dashboard? I even went as far as reverse engineering how they are sending commands from toolbox 3 scripts to odin via a secured web socket. I was able to send odin a command I crafted with the same token I captured from my computer even, however it validates your access level by the tokenv2 that's sent, so changing things "unauthorized" is still blocked. I've been poking around for a way to get access to the gateway directly, but have been met with the firewall on the driver side diag port obviously. I've heard something about broadReach ethernet on the tuner side being the way in to talk to the gateway directly, but unsure how people are authenticating even with it. I have a broadR reach adapter so I plan to poke around on that, but have heard the mcu needs to be in recovery mode first. If anyone has any info on this stuff, or has made any progress on it, feel free to pm me.
On the plus side, we now know that the command being issued is valid, and how to format the argument, but now we need a tech to do it. Thanks for confirming that consumer toolbox does not have the clearance to do it. Confirms what @verygreen mentioned earlier.