
Let the hacking begin... (Model S parts on the bench)

Ooohhh! Waiting (im-)patiently for the step by step ... Cut here, attach this, press these keys simultaneously, .... Instructions!

A few more steps in this direction and it's going to start feeling like it's really MY car!


Worth noting this is a dismantle-the-car exploit...... so not super useful for non-bench stuff. I'm not taking my car apart to do this on my own vehicles... lol. But I can play CAN data to my bench and let it decode it for me. :)
 
Seeing all the "Car needs service" messages in the first sets of photos was hilarious.... like C3PO booting up without arms or legs.... messages should have said "Service needs car."

Probably advisable to screen grab the images in this thread. I suspect Tesla will soon gently or not so gently "request" the thread be deleted for whatever legal reasons. Countdown to commence in 3...2...1...
 
Well, working on only a handful of hours of sleep.... I'm completely into the MCU and IC and have root on both, as well as developer mode on the touchscreen and a nifty diagnostic panel on the IC. Need to get a little more rest, and I'll post some pics and such.

I'm pretty sure my avenue to root is going to be patched in a later version, if it isn't already... but, cool nonetheless. :)

- - - Updated - - -

Sweet, full quality screenshots :)

[Attached screenshot: screen-cid-2015-12-19-07_56_27.jpg]

[Attached screenshot: screen-ic-2015-12-19-07_57_56.jpg]


(The IC one was upside down for some reason... so had to flip it)

Yes, I'm up to 40 errors... lol.
 
While I applaud your work and would love to have this level of access in my own car, you really should report the vulnerability you used to Tesla to ensure it does get patched. I'm sure it's likely something they should already know about but still would be the right thing to report it.
 
Jason, let me preface this by saying I like and respect you. You have contributed a lot to TMC, solar, etc., and you put your knowledge and money where your mouth is (going off grid, etc.)

Having said that, while I am just as much a geek as many of us here and am curious to learn more about our cars, I think you may be stepping over the line a bit. I recognize that you haven't shared how to exploit Tesla's OS, and I'm glad that you haven't. I encourage you to consider reporting it under the bug bounty program. Posting details of the internals of Tesla's proprietary OS could have ramifications for Tesla, us, and you. Do you really want to get into a fight with Tesla?

I know you will likely have a different view (obviously), and many others here will as well, but I felt compelled to say something and share my opinion. So I've done that, and I'm about to take off on vacation and may not be able to read the replies for a week. Unless of course I give in and check in during vacation :)

(I guess this was a bit like lighting a fuse and running away. Sorry about that...)

Andrew

Edited to correct my own stupidity.
 
Well, I plan to try and confirm my method of entry still exists on current firmware before bothering to talk to Tesla about anything. I have a feeling it's been patched... and if it hasn't, someone is slacking pretty badly. This was one of those times where I literally facepalmed when I saw the root@cid-5xxxxxxxxxxxxxxx# prompt... mainly because I had initially thought to try it but assumed it'd be a waste of time and wouldn't work.

The fact that this still requires you to dismantle the car to get to the IC<->MCU ethernet connection makes me not really care about it much. Yeah, it's an issue, but seriously... if someone is going to break into my car, disassemble half of my dash, and hook a machine up in between my MCU and IC... well, that'd be impressive.

If I find out there's a way to do it with just the diagnostic ports... or worse.... then that's another story. But honestly, I have zero fear of someone else duplicating my efforts and using them in a malicious way.


Also, the "UPDATE MAPS" button is useless because it looks for the maps on USB storage :(

Edit: I am wondering when Tesla is going to attempt to silence me...
 
I'll save you the trouble. It has been patched.

That was the way that the guys at DEFCON did it. (they even got recognition from the developers on that one) Not really too much you can do other than API stuff when you get to that point. The gateway does not allow for arbitrary CAN command pass-through. IF it did, they would be looking a lot more like Jeep/Chrysler Group did... egg all over face.
 
Nope, the way the DEFCON guys got in was already fixed it seems, even though this unit hadn't been updated in a while. No weak passwords, and Tesla's servers on their VPN don't give out the passwords anymore.

The way I got in was not the same as the DEFCON folks, I promise.

- - - Updated - - -

As for arbitrary CAN stuff... the IC has its own connection to the body CAN bus at least. I don't know of any gateway built into the IC, and the IC won't boot without the CAN connection.

The rest of it is blasted on the ethernet network, and at least a good chunk of it appears to be two way through the gateway. I'm sure there is some safety logic there, but, I wouldn't put a ton of faith in that. Especially with autopilot cars where the ADAS stuff doesn't appear to be on the powertrain CAN bus and has to be relayed by something.

I'm pretty sure I could cause a lot more havoc than the DEFCON folks if I so desired, but that doesn't really do anyone any good.
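To make the gateway property debated in the two posts above concrete (a gateway that relays only pre-approved traffic from the ethernet/infotainment side to the powertrain bus, rather than arbitrary CAN pass-through), here is a small allow-list gateway model. This is added example code, not Tesla's implementation and not anything the poster shared; the CAN IDs, payload limits and rate limit are hypothetical.

```python
"""Allow-list CAN gateway model: only pre-approved frames arriving from the
infotainment/ethernet side are relayed to the powertrain bus; everything
else is dropped and recorded for detection. Constructed illustration;
the arbitration IDs and limits below are hypothetical, not Tesla's."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit classic CAN arbitration ID
    data: bytes   # 0..8 payload bytes


@dataclass
class Gateway:
    allow: Dict[int, int]            # arb_id -> max payload length relayed
    rate_limit: int = 5              # max frames per ID per window
    _seen: Dict[int, int] = field(default_factory=dict)
    dropped: List[Tuple[CanFrame, str]] = field(default_factory=list)

    def relay(self, frame: CanFrame) -> bool:
        """Return True if the frame is forwarded to the powertrain side."""
        if not 0 <= frame.arb_id <= 0x7FF:
            self.dropped.append((frame, "bad id")); return False
        if frame.arb_id not in self.allow:
            self.dropped.append((frame, "not allow-listed")); return False
        if len(frame.data) > self.allow[frame.arb_id]:
            self.dropped.append((frame, "payload too long")); return False
        n = self._seen.get(frame.arb_id, 0) + 1
        self._seen[frame.arb_id] = n
        if n > self.rate_limit:
            self.dropped.append((frame, "rate limited")); return False
        return True

    def new_window(self) -> None:
        """Reset per-ID counters; call once per rate-limit window."""
        self._seen.clear()


def run_demo() -> Tuple[int, int]:
    """Feed constructed frames through the gateway; return (forwarded, dropped)."""
    gw = Gateway(allow={0x101: 2, 0x3A0: 8})            # hypothetical IDs
    frames = [CanFrame(0x101, b"\x01\x00")] * 6 + [      # 6th hits rate limit
        CanFrame(0x101, b"\x01\x02\x03"),                # payload too long
        CanFrame(0x555, b"\x00"),                        # not allow-listed
        CanFrame(0x3A0, bytes(8)),                       # allowed
    ]
    forwarded = sum(gw.relay(f) for f in frames)
    return forwarded, len(gw.dropped)
```

The `dropped` list is the detection hook: in a real gateway, anything landing there is exactly the traffic worth alerting on.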
 
It's not the exploit, which, I agree, isn't a huge concern if you have to have physical access to the car and dismantle it even a bit.

Posting pictures of the internal systems... Eh, I dunno. I have very mixed feelings about it.