
Salvage Car Owners Support Group.

I would be really careful about using ingineer's services.
He rooted and tried to convert a friend's car to EU charging and lighting.
Lighting didn't work. So my friend repaired the car in one year's time. And last week he asked ingineer to finally fix the lighting issue.
He just did a firmware update and bricked the tuner with this update. The lights still didn't work. BUT ingineer wanted 350 dollars for this firmware update, which needs 5 mins to start. The car does the rest alone.
350 dollars for a bricked tuner and not solving the lighting issue.
When my friend didn't pay 5 days after that, ingineer locked his car out of his web interface, for which my friend paid 750 dollars to use.

Solved this issue with other peoples help now:)
Can share these contacts if anyone is interested.

The car finally got registered on Friday :)

Just wanted to give a small word of caution here, from the experience we had.

Can you PM me those contacts.
 
Marco's post echoes what I've heard about Ingineer.

I've rooted my own. (pre-2016) There are the dicey ways, which keep getting fixed by Tesla, and then there's having a phone shop unsolder your eMMC, put it in an AllSocket chip carrier, and rooting it yourself. I put a Netgear PoE switch between the ICU and MCU, and connected a Tinker Board to that for wifi and control. At some point I'll add fore and aft lipstick dashcams. (main reason I used a Tinker Board)

Partitions 1 and 2 of the eMMC are for the OS -- while one is being used, an update is loaded to the other and verified. Then the system boots to the new one. The OS is loaded into RAM by a boot coprocessor in the Tegra chip, which then chains to the main T3 and it boots to the OS in RAM. Partition 3 in the eMMC is then mounted as /var, and partition 4 is mounted as /home. Linux knowledge necessary. If you don't have it just pay wk.

A little more detail in my post here.
 
Thanks rooter, my main goal is to clear all the faults so that I can get the car inspected. If anyone can help me please PM me.
 
I was always under the impression it's the frame vin that determines the car's vin.

Back to the original topic, I am in the Phoenix area and can help diagnose and repair, including root, clearing dtc's, and program keys. I also travel to SoCal at least once a month. So if you need help, let us know where you are at and someone nearby should be able to assist you.
 
A PM said:
You said that you put a switch between the IC and MCU and gained access. When I was rebuilding my old 2013 Model S one guy helped me to root it. It had version 8. I connected my laptop to the internal car network instead of the IC. He changed the network address to 192.168.90.101 and gained access this way. He did it remotely. I didn't see the process. Do you know this way? Can you help and explain how to root my MCU? I understand the basics and I am a quick learner. I have both cables (to connect IC and MCU through the switch).
I did as I posted (in the two threads) to root it. His method was only possible with old firmware versions.

Not to take away from earnest commercial rooters like ce2078. But the biggest commercial rooters monitor everything you do all the time. I prefer to not allow this.

Call around and find a cell phone store that does repairs. Craigslist is what I used. If you find one with a rework station, they are very used to removing eMMCs to recover phone data. Have them remove the (Hynix) eMMC from the CID and make sure they reball it. It's a surface-mount ball-grid array chip, and you won't be able to read/write it if not reballed.

Image: https://imgur.com/a/8T5ZPYz
(terrible forum software)

And buy an AllSocket programmer like this one. Pop the chip in (taking static precautions as the chip is static-sensitive), stick the reader in an SD card or MMC slot, and you have the contents of the flash to play around with. Needless to say, always properly mount and umount. And pay close attention to where pin 1 is.

Partitions 1 and 2 are typical nVidia, they switch off with each firmware upgrade. Partition 3 is mounted as /var, and 4 as /home. Makes sense that you'd want var and home non-volatile. Once you're done making changes have the phone repair resolder the chip. The whole process cost me $125. Actually I upgraded from the cheap Hynix to a 64GB SwissBit.

Side Note: This is the chip that 'wears out' because Tesla did intensive (and necessary) logging in the early days. SD/MMC chips not specifically named 'endurance' are not able to take too much writing.

Needless to say this all involves risk. Don't even think about it if you don't have engineering and solid Linux skills, just pay somebody and make do with letting them have root instead of you.

Those remote exploits to gain root are always due to undisclosed vulns in the firmware, and all the commercial guys live in dread of their methods being found out and fixed. My method can't be fixed.

So what about version 9? All versions after a certain 8.1 build have moved responsibility for key settings (Supercharging, Autopilot nag) away from the CID and into the gateway. The gateway is a special processor on the MCU which acts as a firewall between the MCU (music, creature comforts) and the CAN busses (actual car control). The gateway presents an API, and only if the limited set of properly-structured commands are given will it allow given operations to take place. Due to code-signing we can't make changes to the gateway firmware. Due to code-signing we can't make changes to any of the (16 or so) controllers in the car, including the boot flash. This means you cannot unilaterally downgrade the firmware version in the eMMC as it would not then match the boot image release. (Please don't ask for clarification if you don't understand)

Recently an exploit has been released called Fusee Gelee, which I've explained in a prior post. This would allow turning off code-signing, enabling even modification of the gateway firmware. This is desirable, but only if you really know what you're doing because it has safety implications. Successfully smashing the stack and injecting the right payload would do it, but I haven't yet worked out the right payload. Some have, but they're not sharing yet. It's important to understand that Tesla can not reverse an exploit like this because it is inherent to the hardware. And it would mean complete freedom to up/downgrade versions, turn off/on all features, and so on.

Modifying the firmware, you can open the ethernet diag port. Optionally you can put a switch between the ICU and MCU -- I put in a Netgear GS105PE, a PoE switch so I also needed to add a 12v-to-PoE converter. (eBay) Don't try to power the 'right' ethernet lines because PoE no longer works that way. Also to the switch I added a Tinker Board, which is more powerful than a Raspberry Pi, since I plan to add cameras. The Tinker Board requires more current than the latest Pi so be sure to get a big enough 12v-to-5v buck power supply.
 
Rooter, I don't really do this for profit. I do however ask people to cover my time. I don't offer an app nor keep access to your car.

I do a similar method as you for gaining access, however I don't unsolder the chip. I access the chip in place.

I am secretive, but not for commercial reasons. I don't toss out info that someone who doesn't understand can use incorrectly and damage their car, nor do I want to help those who don't want to offer help in return.

Send me a PM if you want to 'compare notes'.
 
Sorry, I'm not going to get into a flame war here with people who are my competitors trying to slam me; that just demonstrates a lack of integrity. I have plenty of references, many of whom are respected members here and have already spoken on my behalf. I currently support many hundreds of cars all over the world and I can support any Tesla you have, even Model 3, and I do not require you to risk your car's systems by requiring you to take anything apart on the dash to do so. (except Model 3 at this time) I am the only service who can provide full remote access with a remote application that enables YOU access to all your car's data 24/7. These other guys trying to slam me are copycats and simply have not invested the time required to offer this class of service.

If anyone attempts to abuse my services and/or attempts unauthorized access to my systems as at least one person here has, they and/or their car will be blocked. This will not be tolerated. In addition I will report any intrusions to the relevant authorities. In the US and in many NATO countries, it is a felony (or local equivalent) to access a computer or server system you do not own without the owner's permission. I have to protect my methods as best I can from both Tesla and the others here that have self-identified a lack of integrity.

Also: Releasing public information (even if poor) on how to perform attacks on Tesla's systems is a really bad idea, and it only hurts everyone in the long run. Even though now in the US we don't have to fear DMCA repercussions, Tesla still has the right to vigorously protect their systems for whatever (inscrutable) reasons they decide. Releasing public information only assists them in more thorough lockdown in the future.

FYI: Tesla will now sell any unrestricted part to you, regardless of whether your car is salvage or otherwise unsupported (grey market, etc). This policy was enacted September 7th of 2018, and also describes the (almost pointless) HV inspection process. Here are some excerpts from this policy that was sent to all service centers: (note the last line on the first page)

[Images: two pages of excerpts from the policy document]


You can look up what parts you want from the now public parts catalog: https://epc.teslamotors.com/#/catalog
Click "public" to access. Once you have a part number that shows as not-restricted, you can call any Tesla service center and give them your VIN and the part number. They will tell you a price. If they refuse to, please tell them to reference the above document (TN-18-00-001). This usually quickly changes their response. (Many service centers still have not seen this)
 
By 'slamming' you Ingineer, do you mean noting publicly the facts that you retain root and do not share it, and monitor your customers? I can't see what else you could be referring to. Well OK, I've never named you specifically, but now I see how you think.

The information I've released (and may soon release) was not public until now. Yes, this is a bad idea... to the commercial interests. I am making sure that the public retains control. Sure there's a better way of rooting, I know (and you know), although more surgical, and I may bring that soon. In fact maybe I should detail the Linux work.

I guess you can call me a 'competitor'... an open-source one. This had to happen sooner or later. It is high time that those who are capable be given the tools they need to work on their cars.


If anyone attempts to abuse my services and/or attempts unauthorized access to my systems as at least one person here has, they and/or their car will be blocked. This will not be tolerated. In addition I will report any intrusions to the relevant authorities. In the US and in many NATO countries, it is a felony (or local equivalent) to access a computer or server system you do not own without the owner's permission. I have to protect my methods as best I can from both Tesla and the others here that have self-identified a lack of integrity.

Yes I've heard about you cutting off cars and I believe it, particularly given your post above. And you've made some prominent enemies. Confirms your attitude. Thus it seems to me that your methods must be publicized if I can get into your systems. I already see that your opsec is poor.

Cultivating fear works for a while Ingineer, but long-term it is not a good business practice. Don't you know this?
 
Not FUD here. FACT. Releasing anything in an open forum is bad for everyone, as Tesla will take action to close whatever methods you publish. Any supposed "gift" you hope to open source will simply be short lived. Go ahead and release as much as you can find, a cold winter is coming for everyone. I shouldn't have to even say this stuff, anyone who has been working on these cars for long knows exactly how it works.

If you are truly the "Robin Hood" you purport to be, go start sharing your time and post here and actually help people. I'm 1400 posts ahead of you, all for free.
 
Hello rooter, I totally agree with you. I couldn't imagine that with so many out-of-warranty cars the information on fixing them would be so limited. There is a point to hiding exploits that could be fixed by Tesla, but what's the point in hiding something that is already fixed or cannot be fixed, like hardware parts?

My MCU died a week ago. No ping reply and no packets at all from 192.168.90.100. Have tried to reboot it with a fuse maybe 10 times and also disconnected the battery, no good signs so far.
As I couldn't find a better way to identify the problem, I've decided to bring my Tegra board to a phone shop. Will try to do the backup and scan the chip for possible issues. Then, if I am able to restore the firmware, I will simply replace the chip. If the chip is completely dead or too corrupted, I will need a plan B.

If I am able to read the chip, I will still need to compare it with some working version, so I can identify missing or corrupted parts. I believe many of you are creating copies each time an update arrives. Is it possible to get something to compare with? My MCU had version 8.1 (2018.14.2 a88808e).

What is the exact chip part number you were using for replacement? Any recommendations for longevity?
 
Hello laurynas,

You don't say how old your car is but I suspect it's 2014 or older. Most likely the eMMC has worn out, as Tesla kept intensive logging for years. (for good reason)

But the good news is the damage is likely only to partition 3. (/var) I don't have access to images of varying releases -- and it is imperative that you run a release which matches the version of your Spansion boot chip, due to code-signing. You have that, in partition 1 or 2 or both. So do the following steps carefully. With tech, a miss is as good as a mile.

Take a picture of the chip before they remove it so you can identify pin 1, which isn't marked on this sorry chip. It helps them if you remove the shroud and heatsink from the T3. No big deal. Have the eMMC chip removed and reballed. You need a phone repair that does rework, with an infrared workstation. They'll know exactly what to do, but don't tell them it's for your car... they may get frightened. It's for your stereo or something. Hopefully they have a stainless steel mask and solder balls, for reballing the pads, and hopefully they place pieces of metal over other components to protect them.

Put the chip in the AllSocket carrier, paying close attention to pin 1, and put that into your computer. You need to be running Linux; I recommend CentOS but any will do.
# dmesg
... and the last few lines will show what the chip came up as, usually /dev/mmcblk0 and associated partitions p1-p4.

# cd /home/{youruser}/dl
... or wherever you want to put the images. You first want to pull the full image, bit-for-bit as there are one or more blank sectors at the beginning and it is very important to preserve the file-structure.
# dd if=/dev/mmcblk0 of=mmcblk0.img bs=4M
... substitute your input device if different. Block-size just speeds up the transfer and makes no reference to structure. This is your Golden Image.

Now for safety and study, also preserve each partition:
# dd if=/dev/mmcblk0p1 of=mmcblk0p1.img bs=4M
... note carefully how this command differs from the above. Do this also with p2 through p4.

It's possible you will get errors around partition 3, but do the best you can. You must get as much data as possible.

You'll need a new eMMC. I've looked everywhere for an 'endurance'-type eMMC but haven't found one yet, so the next best thing is a high-quality chip. Whereas the stock Hynix chip is a low-grade Hynix H26M42002GMR 8GB, I've replaced mine with a SwissBit SFEM064GB1EA1TO 64GB. Moar storage is never a problem (with quality components). I bought mine at Mouser Electronics.

The new chip will be balled from the factory so you can pop it in the AllSocket (paying close attention to pin 1).

If you got a clean full image from above,
# dd if=mmcblk0.img of=/dev/mmcblk0 bs=4M
... you see, to Linux everything looks like a file, even devices, so you can treat them that way.

Now; it's possible your filesystem is damaged, so let's check it:
# fsck /dev/mmcblk0p1
... (no, not F*CK!, an old Linux joke), and do each through partition 4. If it finds damage, have it try to repair with
# fsck -y /dev/mmcblk0p3

If you continue to have a problem with part 3's image we'll have to figure something else out.

If all has gone well, what we've done is lay down a bit-for-bit image of your old flash onto the new one. This means that the image is limited to 8GB, whereas your new chip has a capacity of 64GB. Fortunately Tesla made /home as the 4th partition, so let's expand that to take up the rest of the chip, giving us access to that space for future fun.
# gparted
... make -sure- that the device selected in the upper-right is the mmcblk0, or else you're about to ruin your boot disk. Select the resize tool and drag part 4's partition to take up the rest of the chip. Check-mark. Close gparted and consider your next move.

Now would be a good time to root the chip and take other measures. That's a long story and I am time-limited.

For now you will be able to have the shop resolder the chip and it should boot. Hold off on this if you want to root though.

For everyone else, his symptom is a black screen on the MCU. This happens when the T3's boot coprocessor (a separate processor in the T3) boots and tries to build the OS in RAM, but either fails at that, or when it chains to the T3 to boot, that boot fails. Black screen.
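The dd/fsck steps from the post above, as an added example that is not rooter's own script: the same commands wrapped in shell functions that record a SHA-256 of every image, refuse to write an image whose checksum no longer matches, and prove with cmp that the bytes on the new chip equal the Golden Image before the chip goes back to the shop for resoldering. It assumes the AllSocket reader came up in dmesg as /dev/mmcblk0 with partitions /dev/mmcblk0p1..p4; the device path and the image directory are placeholders to substitute. Because Linux treats a device as a file, the same functions run against a plain image file, which is how they can be tried out without a chip in the reader.

```shell
#!/bin/sh
# Added example, not rooter's own commands. Assumed device: /dev/mmcblk0
# (check dmesg; substitute yours). Usage, as root, with your own paths:
#   . ./emmc-image.sh
#   backup_image /dev/mmcblk0 /home/youruser/dl/mmcblk0.img
#   image_partitions /dev/mmcblk0 /home/youruser/dl/mmcblk0
#   check_partitions /dev/mmcblk0                         # read-only fsck pass
#   restore_image /home/youruser/dl/mmcblk0.img /dev/mmcblk0   # new chip in the socket

# Full device image (the "Golden Image") plus a SHA-256 stored beside it.
# A read error aborts: a partial image must never be mistaken for a good one.
backup_image() {
    dev="$1"; out="$2"
    dd if="$dev" of="$out" bs=4M 2>/dev/null || return 1
    sha256sum "$out" > "$out.sha256" || return 1
}

# One image per partition, for study and as a fallback if only one
# partition (typically p3, /var) turns out to be damaged.
image_partitions() {
    dev="$1"; prefix="$2"
    for n in 1 2 3 4; do
        part="${dev}p${n}"
        [ -e "$part" ] || continue
        dd if="$part" of="${prefix}p${n}.img" bs=4M 2>/dev/null || return 1
        sha256sum "${prefix}p${n}.img" > "${prefix}p${n}.img.sha256" || return 1
    done
}

# Read-only filesystem check: -n reports problems and changes nothing.
# Run this, with the images already taken, before any 'fsck -y' repair,
# so that a repair that goes wrong can always be rolled back.
check_partitions() {
    dev="$1"; rc=0
    for n in 1 2 3 4; do
        part="${dev}p${n}"
        [ -e "$part" ] || continue
        fsck -n "$part" >/dev/null 2>&1 || { echo "fsck -n reports problems on $part"; rc=1; }
    done
    return $rc
}

# Confirm the leading bytes of a device match an image exactly. The new chip
# may be larger than the image (64GB vs 8GB), so compare only the image length.
verify_image() {
    dev="$1"; img="$2"
    cmp -n "$(wc -c < "$img" | tr -d ' ')" "$dev" "$img" >/dev/null
}

# Write an image to the (new) chip: refuse an image whose checksum no longer
# matches what backup_image recorded, then prove the write with verify_image.
restore_image() {
    img="$1"; dev="$2"
    sha256sum -c "$img.sha256" >/dev/null 2>&1 \
        || { echo "checksum mismatch, refusing to write $img"; return 1; }
    dd if="$img" of="$dev" bs=4M 2>/dev/null || return 1
    sync
    verify_image "$dev" "$img"
}
```

The checksum files are what make the per-partition images useful later: a partition image whose SHA-256 still matches its record is a known-good copy to compare against once a working image of the same release turns up, and the cmp step after restore catches the one mistake the post warns about, a write to the wrong device or with the wrong pin-1 orientation, before the chip is resoldered.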
 
Releasing anything in an open forum is bad for everyone, as Tesla will take action to close whatever methods you publish. Any supposed "gift" you hope to open source will simply be short lived.
Rattling your upheld Cross and Talisman are of no concern to me, Earthling.

Now look upon your life with a critical eye and see wherefrom you come and what ye have wrought with thine own hands.