Successful data recovery of broken eMMC chip MCU1

pbWTFJI.jpg

Based on this image it looks like possible

CLK
dD

and two pins that aren't on this, maybe a 1.8v that's located from somewhere else?

Hi all, I am preparing to do this. But I can't make out the pin that looks like 'V88' next to the pin labeled 'VCC V2.8' (the two green wires). And for the 2.8V input (DC I assume), do I connect the positive terminal to the VCC pin and the negative terminal to the CMD (which I assume is common)? I am hoping to clone the data before unsoldering the eMMC.
 
Sorry about the noob question above, I am new to this. From reading about eMMC cards, the ‘V88’ pin mentioned above is likely VSS (+1.8V) and the CMD pin is COMMAND I/O. Has anyone here successfully extracted data from the eMMC before unsoldering it from the board?
 
Looks like I should put up the high-rez picture by ce2078.

The strict meaning of these has been lost among a growing number of people, and so you will often see Vcc used as the positive supply in CMOS circuits and in many circuits, Vss/Vee is the same as the ground node, in which case it may or may not ever be noted as being Vss or Vee. In other circuits, there may be a more reasonable choice for the ground reference that is, generally, somewhere between the two values making Vss/Vee negative.

Anyway, Vcc and Vss are on either side of a snubbing capacitor, IOW it shunts noise from Vcc to ground.

I've pulled eMMC data off the CID but only was able to make D0 work, and very slowly. I know of several others who have too. But this was before the capacitor change on the Allsocket. Maybe it works better with that.

I've put up a higher-rez pic but MediaWiki is fighting back. As soon as I wrangle it you'll see it in much closer detail.
 
Thank you for the explanation. I was confused about seeing Vss/Vee/VDD, but it is clear.
 
Do NOT make the same mistake I made and try to solder network wires. I pulled off a ground land with that and ruined a CID. (I am not afraid to own up to my mistakes if it teaches, and am not the only one who's done this...)

See the picture just prior in my article, of my second effort. I soldered fine wire-wrap wires to the ethernet wires, and heat-shrinked. Then tie-wrapped the bundle to the board. That was superb, but unfortunately the land IDs I'd been given were spurious.

Needless to say, make a list of wire colors = signals.

Use a PCB microscope at your local Maker's Lab if they have one.
 
Thanks for the info. I have a roll of spare ethernet wires and will look for the 'fine wire-wrap wires'.
I work at a university that has a large surplus warehouse containing all kinds of stuff, including electrical and electronic stuff, so I should be able to find some. My lab at the university has several stereo microscopes that I can use.
Cheers!
 
Has anyone here successfully extracted data from the eMMC before unsoldering it from the board?
I managed to dump a whole (intact) eMMC last week using the shown wiring and an el-cheapo SD-Card reader on Linux. The transfer speed was around 22 MB/s. The same setup only yielded around 6 MB/s when using a Macbook Pro, also producing read-errors on some occasions.
The CID was powered with 2.7 V during the transfer with a current draw of about 900 mA.
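
The occasional read errors reported above mean a single in-circuit dump should not be trusted on its own. As an added example (not code from this thread), the sketch below compares two independently taken image files chunk by chunk and reports the byte offsets where they disagree; the file names `pass1.img`/`pass2.img`, the chunk size and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # assumed granularity: 4 MiB per hashed chunk


def chunk_hashes(path, chunk=CHUNK):
    """Return the SHA-256 of every `chunk`-sized piece of an image file."""
    hashes = []
    with open(path, "rb") as f:  # buffered: read() is only short at EOF
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            hashes.append(hashlib.sha256(buf).hexdigest())
    return hashes


def unstable_regions(dump_a, dump_b, chunk=CHUNK):
    """Byte offsets of chunks that differ between two dumps of one chip."""
    a, b = chunk_hashes(dump_a, chunk), chunk_hashes(dump_b, chunk)
    bad = [i * chunk for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):  # one pass was truncated: flag where it stopped
        bad.append(min(len(a), len(b)) * chunk)
    return bad


def demo(chunk=1024):
    """Constructed sample: two 8 KiB 'dumps', the second with one bit flipped."""
    good = bytes(range(256)) * 32
    flaky = bytearray(good)
    flaky[5000] ^= 0x01  # simulated read error inside chunk 4
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "pass1.img"), os.path.join(d, "pass2.img")
        with open(a, "wb") as f:
            f.write(good)
        with open(b, "wb") as f:
            f.write(flaky)
        return unstable_regions(a, b, chunk)


if __name__ == "__main__":
    print(demo())  # -> [4096]
```

Take the two dumps as separate passes with the reader re-attached in between, so the second image is read from the chip rather than from the host's page cache. An empty result means the passes agree; any offsets returned mark regions to re-read before the chip is touched again.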
 
Awesome. Thanks for the info. I was going to x window on my Macbook Pro; since it didn’t work for you, I will install Linux on a PC then.
 
Certs aren't important to back up, as they're just for Tesla if you're not rooted. But tokens are very useful; unfortunately tokens expire daily because remember: Life Is For Suffering. What matters is your carkeys, vin, gateway config and a few others.

Everyone who's out of warranty or Salvage should have at least one backup, and protect it. And know your current firmware version number. But the way you Earthlings are we all know that's not necessarily going to happen. I give several fallback procedures to recover which should succeed.

Everyone who's out of warranty or Salvage should be rooted, if not for yourself then for an open-sourcer service like ce2078 or TonyT to do stuff for you.
 
Rooter, after rooting the EMC, is there a way to back it up periodically? Yours is connected to your personal server, correct? Alternatively, would it be possible to access via a USB connection for diagnostic and backup? Thanks again.
 
I would love to understand this better. Is there not a limit to how old a backup can be for a restore on a Tesla managed car?
On a Tesla-managed car the same rules apply, you still mainly need those key files and your current version number or you're dead -- which means you have to either root it or tap into it, and also means you will probably get noticed unless you're good at it.

There are changes in firmware versions over time, like you cannot install anything beyond 18.24 into a pre-18.24 CID because they'd changed the firmware signing key (so you must do 18.24 first), and then there are the maps changes. Now the impending change from OpenVPN to websocket for comms security. pff, I've never bothered to learn OpenVPN as it's lame. When WireGuard came out I moved from IPSec to it, and may soon try to adapt WireGuard to my CID. Linus Torvalds was so impressed with WireGuard that he's now put it in the kernel.

Generally worst-case, if you have the key files and know your current version, your versioning and images can be wrangled to work out (I've done it), as long as you or a service have or can get access to savesets in the firmware repository. I doubt the talent would allow most access though, reasonably so.

He had given me permission to publish his Tesla implementation of the Fusee Gelee compromise which would allow anything including version downgrades, but has now decided instead to offer that as a service through TonyT when Tony is able to work it out. (Don't ask Tony about it. He'll let everyone know if/when he is able to do it) Nevertheless disappointing, especially as downgrading this way was my idea.


Rooter, after rooting the EMC, is there a way to back it up periodically? Yours is connected to your personal server, correct? Alternatively, would it be possible to access via a USB connection for diagnostic and backup? Thanks again.
Sure. I have an article on backing up. You can put this in a systemd timer or cron job.

But don't try to back up over GSM (phone access). It will take forever and may get you noticed. Use wifi.

I have an Arduino Yun nanocomputer in my car (passenger's dash end) which is connected to the car switch, that shares connections between the IC, MCU, and Yun. The Yun automatically associates with my Unifi AP Pro which is wifi access for my LAN, so any LAN VM or machine can access the car, including my backups server in the basement. Here's a pic from when I was still flopping around with the Pi:

Switch dashboard.jpg


The Yun is unusual as not only does it have an Arduino processor but also a Linux processor; plus it has a NIC and wifi. (I tried Raspberry Pi 3+ and Asus Tinkerboard but I hated them both)
 
He had given me permission to publish his Tesla implementation of the Fusee Gelee compromise which would allow anything including version downgrades, but has now decided instead to offer that as a service through TonyT when Tony is able to work it out. (Don't ask Tony about it. He'll let everyone know if/when he is able to do it) Nevertheless disappointing, especially as downgrading this way was my idea.



EL OH EFFING EL.

First, I gave you the exploit over a year ago, if you read our emails you will see that it was first given to you on October 23rd, 2018. I had ALREADY COMPLETED 99% OF THE EXPLOIT before you even made your account on TMC in May.

Second, I said you can publish and distribute it both then and now.

Third, I said I would not be providing a payload for Fusee as I do not want to be responsible for people ****ing up their cars, and that I do NOT want to compromise ALL root methods by releasing a payload.

Fourth. FuseeGelee is not patchable, but Tesla's unique way of booting up the firmware does allow for a few ways to make FG itself useless. If a payload were to be released, Tesla would work on patching around it which will result in a much, much slower MCU for _every_ MCU1 user, and essentially kill off both software and hardware rooting entirely.


Fifth, downgrading by Fusee was not your idea at all. Not only do you have no skills in rooting and just steal other people's work and take credit for it, but you didn't even know what I was talking about when I first brought up the subject. Then you said you had another "group" which was working on it and wanted my info to share with them, but wouldn't allow me to talk to them directly.

I then offered to let you into our rooting group, and you threw a tantrum about people hiding stuff from you (they weren't), and quit/deleted all your posts of stolen info.

Also, simply saying "hey lets downgrade to a vulnerable version" is literally the first thought of anyone attempting to root or hack anything. It has no significance in anything and has been happening


Sixth, I have done absolutely NOTHING for ANY profit. Ask any OpenPilot user, or anyone who I have helped. I have only ever REFUSED donations or asked them to donate to charity instead. I am not trying to make money off this in any way, shape, or form. I am not associated with Tony's work or providing any services to Tony other than giving him the same support as I give anyone who has any questions.

As far as I know, he does not use FG at all, and I am fairly sure his root method is from desoldering the chip, so I have no idea what you are talking about when it comes to me providing him a service. Usually I just curse him out for doing something stupid and then try to tell him how to fix it when he makes a mistake.


Please do not contact me anymore for anything. You are trying to paint me as a bad guy in it for money when I have open sourced everything I do. I do not participate much in forums like these because of all this drama that seems to occur. Everyone has all of my work, anyone can contact me if they have any questions. But please, do not take rooter's posts as fact or at face value, he is twisting things to make it look like him and you are "victims".

It simply has to do with the fact that I have a better understanding of the situation and do not want to be responsible for every car's performance tanking, and people destroying their MCU using my code and then blaming me.

I am already messaged enough by kind people looking for help and advice that it drives me crazy (I spend about 12 hours a week helping people for free), and really don't feel like getting harassing and threatening messages because "I" broke their $90,000 car and won't help them fix it.