Because no one who has standing considers it worthwhile enough to sue.
-
Want to remove ads? Register an account and login to see fewer ads, and become a Supporting Member to remove almost all ads.
Because no one who has standing considers it worthwhile enough to sue.
Awesome work, @green1 . I'm about to sell my 85D and take delivery of a P100D. As soon as I get the new car, I'm going to follow you on this journey. Hopefully soon, I'll be able to collaborate with ya'll on moving forward even further.
A couple of questions and thoughts, if you don't mind:
1) I'm assuming the IC <-> CID traffic isn't encrypted? It seems like an SSL cert with client auth would be an easy patch for this exploit. I'm surprised they haven't done so already.
2) My understanding from defcon was that the CID posts the access token to the IC every 24 hours. Also, that token is a password for one of the users on the CID, which has sudoers access. I'm assuming you know that and so I'm curious why you haven't used that to escalate to root. Is the token not sent cleartext or something? In any case, it sounds like if you can get root to the IC, that will be a quick jump over to root on the CID.
3) As mentioned, I'm waiting to get my car before I'll be able to sniff traffic, but I haven't quite bridged the gap in my mind between packet sniffing and collecting the factory mode REST/JSON command. It's not like the IC ever sends that to the CID. Maybe this will become obvious once I have wireshark up and running. Were you maybe able to get the values of the gui_* constants somehow so you could generate the correct message ids for things like factory mode?
4) Do you know if the UDP knock is still a valid way of accessing the VLAN from the "mystery cable"? This would definitely be a less invasive method compared to a switch behind the dash.
5) I'm assuming you just hacked up a 12v lighter adapter and used it to power a network switch that accepts 12v?
Thanks for posting everything. It's inspiring!
A couple of questions and thoughts, if you don't mind:
1) I'm assuming the IC <-> CID traffic isn't encrypted? It seems like an SSL cert with client auth would be an easy patch for this exploit. I'm surprised they haven't done so already.
2) My understanding from defcon was that the CID posts the access token to the IC every 24 hours. Also, that token is a password for one of the users on the CID, which has sudoers access. I'm assuming you know that and so I'm curious why you haven't used that to escalate to root. Is the token not sent cleartext or something? In any case, it sounds like if you can get root to the IC, that will be a quick jump over to root on the CID.
3) As mentioned, I'm waiting to get my car before I'll be able to sniff traffic, but I haven't quite bridged the gap in my mind between packet sniffing and collecting the factory mode REST/JSON command. It's not like the IC ever sends that to the CID. Maybe this will become obvious once I have wireshark up and running. Were you maybe able to get the values of the gui_* constants somehow so you could generate the correct message ids for things like factory mode?
4) Do you know if the UDP knock is still a valid way of accessing the VLAN from the "mystery cable"? This would definitely be a less invasive method compared to a switch behind the dash.
5) I'm assuming you just hacked up a 12v lighter adapter and used it to power a network switch that accepts 12v?
Thanks for posting everything. It's inspiring!
@cryptyk - your P100D will come with 8.x. Tesla has apparently disabled the setting of variables over the VAPI without prior authentication. I should be able to help you with the endpoint you will need to hit for factory mode, but I don't think it will work.
Great point about the access token. I had the same thought. Apparently it is encrypted.
The UDP packet AFAIK is still valid. However it is a salted hashed access token sent to the broadcast address so without the token you won't get anywhere.
Great point about the access token. I had the same thought. Apparently it is encrypted.
The UDP packet AFAIK is still valid. However it is a salted hashed access token sent to the broadcast address so without the token you won't get anywhere.
@apacheguy
Thanks - Much appreciated!
When you say the session needs to be authd: I assumed that as long as I'm on the network between the IC and CID, that the IC would keep the session authd every < 30 seconds so that the CID will accept commands. Is that not the case?
In other words, if I inject a VAPI command on the network between the IC and CID, how does the CID know that it's not from the authd IC? Are those commands signed or something?
Thanks - Much appreciated!
When you say the session needs to be authd: I assumed that as long as I'm on the network between the IC and CID, that the IC would keep the session authd every < 30 seconds so that the CID will accept commands. Is that not the case?
In other words, if I inject a VAPI command on the network between the IC and CID, how does the CID know that it's not from the authd IC? Are those commands signed or something?
To be honest I'm not sure, it's just what I've been told. I'm not on 8.x yet myself. It's conceivable the commands from the IC are now accompanied by a token/password/signature I'd imagine... Something beyond the standard UDP auth.
@neroden, I failed to read your post because I ran into a personal attack and moved it to snippiness. Please try again.
That's unfortunate, it was full of good information.
Here's the text with what appears to be the offending "personal attacks" omitted.
@cryptyk k I think you're being given some erroneous information here.
While I haven't tried any of this on 8.x (because I refuse to downgrade) my understanding is that Tesla has not blocked setting variables on 8.x, what they have done is removed a few of my favourites (the ability to removed AP restrictions). My theory is that now that all the "important" people are likely on AP2.0 cars running Full Self Driving Alpha versions, there is no longer a need to maintain the ability to remove the restrictions on normal AP on our cars. (I'm 100% convinced that the only reason the switches existed previously was so that Elon and friends wouldn't have to live with the restrictions they force down everyone else's throats) They've simply hardcoded the restrictions in now instead of through variables.
What this means is that accessing factory mode (something Tesla still needs to do on the cars) is still available, but un-neutering AP is no longer possible.
Since that time, I have connected up a 3 port switch and a Raspberry Pi under the dash, these are powered directly from the battery with no lighter adapter. (If putting a switch in, you want to make sure there's no risk of the power coming out while driving because you'll lose communication between the IC and CID) Now whenever I want to make any changes I connect to the Pi wirelessly and tell it to issue the appropriate command. I also have it programmed to issue specific commands at regular intervals.
While I haven't tried any of this on 8.x (because I refuse to downgrade) my understanding is that Tesla has not blocked setting variables on 8.x, what they have done is removed a few of my favourites (the ability to removed AP restrictions). My theory is that now that all the "important" people are likely on AP2.0 cars running Full Self Driving Alpha versions, there is no longer a need to maintain the ability to remove the restrictions on normal AP on our cars. (I'm 100% convinced that the only reason the switches existed previously was so that Elon and friends wouldn't have to live with the restrictions they force down everyone else's throats) They've simply hardcoded the restrictions in now instead of through variables.
What this means is that accessing factory mode (something Tesla still needs to do on the cars) is still available, but un-neutering AP is no longer possible.
The data is unencrypted. There is no good reason to encrypt it. That said, Tesla may do it in the future, but if they do, know that it does NOT increase security in any way, shape, or form, and is 100% part of Tesla's ongoing war on their own paying customers.
The information that they presented at defcon is outdated. As they said right in the presentation, many of those attack vectors had already been patched at the time of that presentation. So while yes, the key is shared over the network, there's no way of actually capturing and using it based solely on the information presented there (it's not being sent cleartext)
If you sniff the traffic, and see the variable names in there, and then look at the defcon talk again, you may find something with a familiar looking format to try...
Yes it is, but again, you need the token which you have no way of obtaining to do it. As a result, that method is quite impractical.
For the initial work I didn't bother with a switch at all, I simply disconnected the IC from the CID, connected a computer, sent the command, and then re-connected them. I kept it that way for a few weeks, connecting a computer as needed to issue commands (I did extend the cables down to a more convenient location so I wouldn't have to do the whole dash disassembly each time)
Since that time, I have connected up a 3 port switch and a Raspberry Pi under the dash, these are powered directly from the battery with no lighter adapter. (If putting a switch in, you want to make sure there's no risk of the power coming out while driving because you'll lose communication between the IC and CID) Now whenever I want to make any changes I connect to the Pi wirelessly and tell it to issue the appropriate command. I also have it programmed to issue specific commands at regular intervals.
@green1 - I am confused about your earlier post which is what led me to believe the setting of variables is disabled in 8.x. have you since uncovered information that suggests this is not the case?
Additionally, by saying that the token is not sent clear text over the network you are implying that it is encrypted.
Additionally, by saying that the token is not sent clear text over the network you are implying that it is encrypted.
My current information is that setting variables is not disabled, however certain variables are no longer there to set (specifically the ones that remove the restrictions on AP)
That is what I am saying, yes.
Found a little car called "Lightning McQueen" in my developer car on the bench.
Would be nice, if Tesla enabled this screen in the actual car GUI..
Would be nice, if Tesla enabled this screen in the actual car GUI..
Last edited:
mobe
Member
Wrong. If you build the airplane you can do whatever you want as long as you call it a " wink ", "EXPERIMENTAL ", airplane. And just for good measure you have to write the word, " EXPERIMENTAL" on the outside.
Last edited:
It's called "cluster test" which is one of the apps, that can be enabled on 7.x.
Its not there anymore at 8.0.
Also having a bench update pending.
f-stop
Active Member
OP: While I agree wireless plans & prices really suck here in Canada, there is one cheaper alternative prepaid offering you may not know about - Speakout Wireless/7-Eleven - an MNVO operating on Rogers network
Min $25 top-up valid for 1yr, unlike the other companies' 30-day expiry. Incoming SMS free, outgoing $0.15 ea.
You can buy just a SIM, $10. However if you need data, then that's +$10 for 100MB/30days. Just came across this thread so haven't read through all its details yet, but it seems there was some idea of just using SMS... so though I'd mention Speakout in case it helps (I have several relatives using Speakout for emergency-use only, i.e. $25 lasts them a whole year).
$25/yr for one way communication... starts adding up quickly if you want two way communication.
Some of the previously listed global sim options seem like a better choice if you're serious about this sort of thing. For now I don't have the need, but who knows what the future will hold.
MaxHolthausen
Member
Forgive my ignorance, I'm a Noob here!
My friends and I want to rework older Tesla's into race track performance and endurance cars. We would like to totally redo the IC (instrument cluster) with our own layouts and variable display. Has anyone done something like that here or elsewhere on the Internet?
Any help would be greatly appreciated. Thanks in advance.
My friends and I want to rework older Tesla's into race track performance and endurance cars. We would like to totally redo the IC (instrument cluster) with our own layouts and variable display. Has anyone done something like that here or elsewhere on the Internet?
Any help would be greatly appreciated. Thanks in advance.
Similar threads
