2022 Tesla Model 3 LR Projector to Matrix headlight retrofit

[stutech]

Can you tell us what other retrofit and reprogramming is supported by the public toolbox? Would it allow MCU upgrades?

So I found you can also retrofit the OEM power lift gate it appears with public toolbox, and of course the towing package. Theirs also an option to change battery type to lithium ion for the 12v. This might mean an updated Intel MCU than runs on 16v may eventually be available for retrofit, or possibly Tesla will support a scaled down amd upgrade for older cars someday. I didn't want to change the type and find out It looks like you can replace hv components, if you can buy them lol and even reprogram battery packs with toolbox. Swapping computers for the same type I imagine is possible too if you read the config and then write it, but I don't see any options other than autopilot upgrade for official retrofit scripts.

 

[stutech]

so i spoke to a shop out in NORCAL says they can get them to work so anyone who switches to the matrix headlights, they'll reprogram it etc. They charge $900 for the reprogramming itself. I'm not sure if its a true reprogramming but thats what they said

I'm betting they have internal 3rd party access which is a step above public toolbox. I saw theirs about 4 different access levels in the code. I'd gladly pay them if they can do that though

 

[terranx]

I'm betting they have internal 3rd party access which is a step above public toolbox. I saw theirs about 4 different access levels in the code. I'd gladly pay them if they can do that though

From what I understand if you can get onto the call's internal network, you can make more changes (most of the level of access stuff is enforced by the ICE module). For intel cars, there is a second ethernet port on the MCU that isn't super difficult to access. For ryzen cars, I think we'd need a broad on reach adapter.

 

[stutech]

From what I understand if you can get onto the call's internal network, you can make more changes (most of the level of access stuff is enforced by the ICE module). For intel cars, there is a second ethernet port on the MCU that isn't super difficult to access. For ryzen cars, I think we'd need a broad on reach adapter.

I tried the other ethernet port too, but it was also secured sadly. I am gonna try through broadReach since I believe that's the best way other than getting the mcu into a special mode thats a pain.

 

[terranx]

ah that’s a shame, guess they locked that one down at some point. Wish those adapters weren’t so expensive

 

[Cyberpower678]

I'm betting they have internal 3rd party access which is a step above public toolbox. I saw theirs about 4 different access levels in the code. I'd gladly pay them if they can do that though

I thought there were 10?

 

[stutech]

I thought there were 10?

It's weird how it has the access levels, one person can have many roles it appears. Like my account had 5 different "roles" attached. Not sure what they all mean. Anyway a bit of an update, I tried the broad R reach adapter I purchased and couldn't get it to work after tapping the correct wires near the tuner. I'm in the process of getting another broad r adapter to try and see if I can connect to the non firewalled side of the gateway without the MCU being in a weird recovery mode. I've found lots of interesting documentation from security researchers suggesting it's not protected on the broad r interfaces unlike the diag or other Ethernet port that's unused on the mcu. You can also potentially manipulate the switch chips vlans from that side as I have the documents showing exactly what to send it to get it to change vlans. This would mean one could talk to the gateway and then change the config of non signed parameters. Only issue is this obviously won't let you change everything just some things, problem also is the broad r adapters are very expensive haha.

 

[Cyberpower678]

It's weird how it has the access levels, one person can have many roles it appears. Like my account had 5 different "roles" attached. Not sure what they all mean. Anyway a bit of an update, I tried the broad R reach adapter I purchased and couldn't get it to work after tapping the correct wires near the tuner. I'm in the process of getting another broad r adapter to try and see if I can connect to the non firewalled side of the gateway without the MCU being in a weird recovery mode. I've found lots of interesting documentation from security researchers suggesting it's not protected on the broad r interfaces unlike the diag or other Ethernet port that's unused on the mcu. You can also potentially manipulate the switch chips vlans from that side as I have the documents showing exactly what to send it to get it to change vlans. This would mean one could talk to the gateway and then change the config of non signed parameters. Only issue is this obviously won't let you change everything just some things, problem also is the broad r adapters are very expensive haha.

Not like I'm trying to steal FSD or the acceleration upgrade. lol. The only two variables I want to change are IDs 32 and 133, and I want to set them to 1 and 0 respectively.

Good luck, let us know if you discover anything useful.

 

[TSteve]

So I found you can also retrofit the OEM power lift gate it appears with public toolbox, and of course the towing package. Theirs also an option to change battery type to lithium ion for the 12v. This might mean an updated Intel MCU than runs on 16v may eventually be available for retrofit, or possibly Tesla will support a scaled down amd upgrade for older cars someday. I didn't want to change the type and find out It looks like you can replace hv components, if you can buy them lol and even reprogram battery packs with toolbox. Swapping computers for the same type I imagine is possible too if you read the config and then write it, but I don't see any options other than autopilot upgrade for official retrofit scripts.

Well this is interesting as I've always wanted a power trunk on my 2018. Any idea if it's really difficult to do, or is 3rd party just the way to go?

 

[stutech]

Well this is interesting as I've always wanted a power trunk on my 2018. Any idea if it's really difficult to do, or is 3rd party just the way to go?

I think getting the OEM power trunk parts is the hard part. Looks like maybe it was for the China model 3 retrofits they are doing. I'd imagine it's easier to do than the aftermarket ones.

 

[WhiteM3P-]

I think getting the OEM power trunk parts is the hard part. Looks like maybe it was for the China model 3 retrofits they are doing. I'd imagine it's easier to do than the aftermarket ones.

Oem trunk isn't possible. The actual trunk lid and body panels are a little different if I remember correctly.

 

[stutech]

Oem trunk isn't possible. The actual trunk lid and body panels are a little different if I remember correctly.

In toolbox one of them is saying retrofit power trunk, that option didn't show until a week ago or so, that one I don't believe needs any different body parts, but that is probably specific to non us markets

 

[terranx]

The config setting for the Chinese trunk retrofit is different than the factory one. If you can get those parts, that's probably retrofittable.

 

[WhiteM3P-]

In toolbox one of them is saying retrofit power trunk, that option didn't show until a week ago or so, that one I don't believe needs any different body parts, but that is probably specific to non us markets

Yeah you're probably right. I know my 2020 can't in NA

 

[terranx]

I tried the other ethernet port too, but it was also secured sadly. I am gonna try through broadReach since I believe that's the best way other than getting the mcu into a special mode thats a pain.

Have you messed with this at all? I found a 100-baseT1 adapter relatively cheap (RDDRONE-T1ADAPT: Ethernet media converter). Seems like the radio is the most accessible option for the two wire ethernet.

I imagine if it's possible to talk to the gateway, the process would involve unlocking the gateway and entering the socat commands to raise a shell? Most of the hints I can find are from a few years ago and largely legacy S/X stuff, so I'm not sure if any of that still applies.

 

[zrachwal84]

Not like I'm trying to steal FSD or the acceleration upgrade. lol. The only two variables I want to change are IDs 32 and 133, and I want to set them to 1 and 0 respectively.

Good luck, let us know if you discover anything useful.

Write PM i can help to change gateway values

 

[Cyberpower678]

Have you messed with this at all? I found a 100-baseT1 adapter relatively cheap (RDDRONE-T1ADAPT: Ethernet media converter). Seems like the radio is the most accessible option for the two wire ethernet.

I imagine if it's possible to talk to the gateway, the process would involve unlocking the gateway and entering the socat commands to raise a shell? Most of the hints I can find are from a few years ago and largely legacy S/X stuff, so I'm not sure if any of that still applies.

If my PM with them is any indication, 2 different adapters were attempted unsuccessfully.

 

[stutech]

Have you messed with this at all? I found a 100-baseT1 adapter relatively cheap (RDDRONE-T1ADAPT: Ethernet media converter). Seems like the radio is the most accessible option for the two wire ethernet.

I imagine if it's possible to talk to the gateway, the process would involve unlocking the gateway and entering the socat commands to raise a shell? Most of the hints I can find are from a few years ago and largely legacy S/X stuff, so I'm not sure if any of that still applies.

Unfortunately both adapters I tried didn't work, not sure if something I was doing was wrong, but it seems the Tesla broad R reach is really picky about the adapter. I know there are some sketchy ways to get the MCU into a mode you can write values, but they aren't posted publicly for people's own good. Yes though it involves socat in Ubuntu to send commands though.

 

[Cyberpower678]

Sadly for me, I've pretty much concluded that I can't get into the gateway on my own and will need an actual service tech to do it. Good job Tesla for excellent security. Shame on Tesla for making something so trivial so damn difficult to change.

 

[sebastian1987]

Did anyone manage to change the gateway Paramus using toolbox with external privilege?

I tried to intercept the messages between toolbox and the car, all command are limited by the JWT token principle that is fetched from odin_token endpoint and then sent to Odin in the MCU which verifies the intermediate cert against the stored root cert, then the verifies the token against the intermediate cert provided in the command, based on that principle everything is limited.

If I could put my hands on firmware image I might be able to inspect odin_bundle and try to exploit it.

I managed to exploit toolbox.Tesla.com and get toolbox subscription for free, I know their code is not invincible and they don’t really try hard to close exploits as much as they just wait for them to be discovered then they close them.

So if anyone has access to some private repo that has firmware images that would be really helpful. The firmware image I have is really old and I’m sure the code is changed a lot.

I have the latest firmware images. PM me