Update on Tesla stuff #6
Comments
@lewurm can you give us a little hint how we could obtain more up-to-date little somethings ourselves?
If I could hack it, I'd want to do things that Tesla thus far refuses to fix, like:
Ahem, I may have a few bugs and no outlet to report them. I can only dream that someone at Tesla is itching to find bugs to submit ;)
As far as I know you need root on a car that receives an update; then you can grab the update from the car before applying it. Or you know such a person who does that.
I think that's a very fair point. Most of the things you have listed will be hard to modify even when you have root, because you need to patch an existing binary (you still don't have source access to it, except for a few things that are implemented with shell scripts). FWIW there is a community-based collection of feature requests, might be worth it to file some of your ideas there: https://featurerequests.co/
Thanks, great feature tracker by the way!
Hi @lewurm your blog is pretty interesting!
Sorry, I didn't read the part about dm-verity carefully enough. By the way, I've just found out that the Model 3 computer is an unrestricted, over-the-counter part, here in the US and in Europe, so anyone can buy it directly from Tesla (not so the Model S/X one, for some strange reason...).
Hey @lewurm
No peers on the torrent?
Hey @AlexVaq, where did you find out that the Model 3 computer is an over-the-counter part? I tried to ask someone I know at a Service Center to order a HW3 car computer (1462554) but those are backordered. You're saying HW2.5 is available?
Just go to the Tesla parts catalog
epc.tesla.com
You might need to register, but registration to access the catalog is free. Then you look in the diagrams for the MCU. Model S/X are listed as "Tesla only", if I remember correctly, but surprisingly the Model 3 MCU is over the counter.
On Jan 14, 2020, at 6:44 PM, David Dominguez Hooper wrote:
> The point is you can always hack the MCU using the soldering/desoldering technique, providing that you can read/write the eMMC.
I downloaded today and it went quite fast actually.
I cannot get the magnet link to work, uTorrent and qBittorrent both not finding it. Tips? :( Thanks
Yes, it's listed as "Over-the-Counter (No VIN)", but when you ask about it, they require a VIN to purchase. Maybe I'm not going through the proper channel, but hey, Tesla doesn't make it easy to buy.
The other question is which part numbers of the harness/cabling system would be useful for connecting to the MCU.
Recently had a service center refuse to sell me an oil pump (OTC) for a salvage... which is directly against their policy (https://www.tesla.com/about/legal#unsupported-salvaged-vehicle-policy). They are also supposed to perform any non-HV service on salvage for cost, but most of them do not realize that either.
Ugh, here is the correct magnet link:
Thanks, I was starting to feel dumb.
I have successfully captured the contents of the eMMC with the pinout you posted. I also broke the pad off the board at the CLK signal. It's pretty fragile, and if you break it then the CLK signal doesn't get to the eMMC, and that's not good. It is usually possible to repair it. So, I'd recommend people see if they can find a nearby larger component to solder to instead of the little vias or pads. In the case of the CLK signal there is a resistor right above the pad that is connected. Just solder to the end of the resistor and you'll have a nice, firm connection that won't break the board.
Can you describe how you read the memory without desoldering? And what did you use for reading?
Which hardware revision is everyone poking at?
Can somebody give some more hints regarding the ISP method, which was supposedly successful for multiple people already?
@wevieee I just tried dumping the eMMC but was unsuccessful. I'm not sure if this was because I did something wrong or I have a broken car computer. The MCU I have won't boot when I apply 12V power. The gateway works and I can ping it via Ethernet, and the LED lights come on. However, I can't ping the main computer and the debug logs just show the bootloader boot-looping. Logs: https://fn.lc/s/serial-out.txt The step after these logs should be reading from the eMMC to boot, but it never gets to that stage, making me wonder if there's something wrong with the eMMC itself. Interestingly it doesn't boot to the recovery image either, so not sure what's going on. I tried the method described in https://www.blackhat.com/docs/us-17/wednesday/us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf with a cheap SD card reader. Looking at the serial output from the CPU, it didn't appear to be booting when I applied power via the SD card reader, so setting the Intel SOC to reset may not be necessary. I looked but haven't been able to find a reset pin for the Intel chip. @collin80 did you have to put the Intel SOC in reset?
I didn't put the SOC into reset but you should. You see, one time I had both the Intel SOC and my reader running at the same time then I changed a file with the reader. DO NOT DO THAT. It causes inconsistent writes to the EXT3/4 file system and really isn't a good thing at all. If you plan to write to the eMMC you need the on-board SOC disabled in some way or you're going to have a bad time. If you want to just read the eMMC then you can do that with the SOC still running. They can both read but only one can write. |
@collin80 Would you care to elaborate? All my SPI 1-bit mode captures have failed so far. Which device did you use, resistor values, wire lengths? Thanks. I've used an EasyJTAG device with an ISP/SPI 1-bit adapter and a PCB test jig with micro pins. Powering eMMC VCC with 1.8V/2.8V/3.3V has given no results so far. Guessing the signals to CMD/DAT0 need to be smoothed out, like suggested to me earlier by @verygreeen. Haven't had time to test that out yet though, a bit busy at the moment. Can post some pics if anyone is interested. Continuity tests found the pins needed for 1-bit SPI on the same side of the PCB (back side). Don't mean to hijack your thread @lewurm :D
Do you have a pinout for the SPI? I'm trying to dump / write to an SPI on an MCU2, and maybe the M3 and MCU2 boards are similar enough.
Slightly off topic but what do you think about an easy way to disable the LTE modem? Perhaps by disconnecting the antennas? |
hi, is this the complete image? |
Seems like no, the image size is small. Seems like it's just an update image.
Sorry for leaving everyone hanging, and thanks to everyone for their interest. I've got a ton of responses via email/telegram/twitter. Also I've been asked about what happened to my amazing eMMC dumping plan.
Well, I failed.
I got the eMMC reader with an additional blank eMMC. The master plan would have been to dump the old one, change some bits in the dump, and flash the new one and solder it back. Alas I wasn't even able to dump the old one. Either it got damaged during the removal or the balling must be redone. The new one reads/writes fine.
Since then I learned a bit more about the architecture from several sources (most are private). The MCU2 (the Intel based system in Model S/X) and ICE (Model 3 MCU, also Intel based) are both using dm-verity to verify the root filesystem on boot. What's left are some other partitions that can be modified, but it's hard to gain root access via that (there was a vulnerability but that got fixed in early 2019). The take away is: when you really care about root on your car, get an MCU1 based car because that one is wide open. However, there are update images floating around in the interwebs. See below.
Warning about in-circuit eMMC dumping
I know one person who successfully dumped the eMMC with the pin mapping I posted in a previous blog entry.
Alas, I also heard back from two people who messed something up when attempting a dump. Since then the eMMC isn't detected by the board anymore, which is basically the same as if you had removed it, like I did.
Soo... be careful.
A callout to exploit writers
I've found an interesting known CVE that hasn't been patched by Tesla yet. The vulnerability enables you to set a bit in the malloc heap several times. Note, clearing a bit is not possible.
If you are such a person and have interest and time, please reach out to me via email/twitter/telegram/irc.
What's next
Pretty much I'm in "I give up"-mode:
rsync Sentry/Dashcam footage via TeslaUSB by plugging a Raspberry Pi between the car and the USB storage.
The only remaining reason to gain root is in the spirit of "I own the hardware, thus I want to run my own software", and maybe to understand the car's software better (e.g. check out the amazing analysis by @greentheonly on Twitter) or tracking down weird sleep issues like this (please upvote btw 😄).
A little something
Maybe you can do something useful with that:
Have fun!
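Added example (editor's code, not lewurm's and not anything from Tesla's firmware) to make the dm-verity point above concrete: a toy implementation of the dm-verity hash tree (version 1 layout, H(salt || block), 4 KiB blocks) plus the per-block check the kernel performs on every read. It shows why patching a binary on a dm-verity protected root filesystem is detected even if you also rewrite the hash tree on the eMMC: the root hash lives outside the device, in the verified boot chain. The salt, block count and block contents are constructed for the demo; the on-disk superblock and hash-device offsets are left out.

```python
"""Toy dm-verity hash tree (version 1: H(salt || block)), illustration only."""
import hashlib

BLOCK_SIZE = 4096
DIGEST_SIZE = hashlib.sha256().digest_size          # 32 bytes
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE        # 128 hashes per hash block


def _h(salt: bytes, block: bytes) -> bytes:
    return hashlib.sha256(salt + block).digest()


def _pad(chunk: bytes) -> bytes:
    """Hash blocks are zero padded to a full block, as veritysetup does."""
    return chunk + b"\0" * (BLOCK_SIZE - len(chunk))


def build_tree(data: bytes, salt: bytes):
    """Return (root_hash, levels); levels[0] holds the data-block hashes.

    Hashes of one level are packed into hash blocks, those blocks are hashed
    again, and so on until a single block remains. Its hash is the root.
    """
    if not data or len(data) % BLOCK_SIZE:
        raise ValueError("data must be a non-empty multiple of BLOCK_SIZE")
    hashes = [_h(salt, data[i:i + BLOCK_SIZE])
              for i in range(0, len(data), BLOCK_SIZE)]
    levels = []
    while True:
        hash_blocks = [_pad(b"".join(hashes[i:i + HASHES_PER_BLOCK]))
                       for i in range(0, len(hashes), HASHES_PER_BLOCK)]
        levels.append(hash_blocks)
        hashes = [_h(salt, hb) for hb in hash_blocks]
        if len(hash_blocks) == 1:
            return hashes[0], levels


def verify_block(data: bytes, index: int, root_hash: bytes, levels, salt: bytes) -> bool:
    """Verify one data block the way the kernel does on read: walk up to the root."""
    expected = _h(salt, data[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE])
    pos = index
    for level in levels:
        hash_block = level[pos // HASHES_PER_BLOCK]
        off = (pos % HASHES_PER_BLOCK) * DIGEST_SIZE
        if hash_block[off:off + DIGEST_SIZE] != expected:
            return False                # data or a lower hash block was altered
        expected = _h(salt, hash_block)
        pos //= HASHES_PER_BLOCK
    return expected == root_hash        # the anchor that lives outside the eMMC


def verify_all(data: bytes, root_hash: bytes, levels, salt: bytes) -> bool:
    return all(verify_block(data, i, root_hash, levels, salt)
               for i in range(len(data) // BLOCK_SIZE))


def demo() -> dict:
    salt = b"constructed-demo-salt"    # assumption: not a real device salt
    n_blocks = 130                      # more than 128 so the tree gets two levels
    # Constructed, deterministic block contents standing in for a root filesystem.
    data = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(n_blocks * BLOCK_SIZE // DIGEST_SIZE))
    root, levels = build_tree(data, salt)

    # Flip one bit in the last block, as a binary patch on flash would.
    tampered = bytearray(data)
    tampered[(n_blocks - 1) * BLOCK_SIZE + 100] ^= 0x01
    tampered = bytes(tampered)

    # Rewriting the hash tree too does not help: the trusted root hash is unchanged.
    new_root, new_levels = build_tree(tampered, salt)

    return {
        "levels": len(levels),
        "clean_verifies": verify_all(data, root, levels, salt),
        "tampered_block_verifies": verify_block(tampered, n_blocks - 1, root, levels, salt),
        "untouched_block_still_verifies": verify_block(tampered, 0, root, levels, salt),
        "rebuilt_tree_matches_old_root": new_root == root
        and verify_all(tampered, root, new_levels, salt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow from the per-block check: verification is lazy, so a patched block only fails when something reads it (often showing up as an I/O error or a boot failure rather than an obvious "tampered" message), and the partitions lewurm mentions as still modifiable are exactly those that are not under the tree at all.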