Running Tesla Model 3's computer on my desk using parts from crashed cars (bugs.xdavidhu.me)

by driesdep 332 comments 983 points

[−] varenc 51d ago
From the article

> Tesla offers a “Root access program” on their bug bounty program. Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car, allowing them to log in as root and continue their research further.

Pretty interesting. Sounds like Apple's Security Research Device Program[0], where you're loaned a rooted iPhone, but with a clear qualification criteria.

It strikes a nice balance, because to qualify you have to 1) show you have the skills to get root access anyway and 2) show you're willing to participate in the bug bounty program and get things patched.

I would of course love root on everything I own, but I can understand Tesla's motivation here since root for everyone would make vulnerability discovery easier for malicious actors. And if everyone had root on their Tesla, it'd be much easier to make naughty modifications that might catch the ire of regulators. (like disabling driver attentiveness checks in self-driving mode).

[0] https://security.apple.com/research-device/

[−] jordanb 51d ago

> Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car

It feels like this is something you should get by being owner of the car, and not have to do free speculative research for the manufacturer to get it.

[−] trvz 51d ago
Normies get scammed on Discord into pasting commands into their browser console.

As a pedestrian I prefer for most people to not have root access to their multi-ton fast-moving killing machine.

[−] tenthirtyam 51d ago
In most cases I agree with this, but maybe not for potentially dangerous things like cars? What if someone roots into their car and disables some essential safety feature - maybe even a legally mandated safety feature?

More concretely, the expertise-required-to-access-root is in a different field to the expertise-required-to-make-wise-changes. i.e. you might know how to hack a car, but that doesn't mean you know how cars operate.

[−] CalRobert 51d ago
As much as I tend to agree philosophically, could it not result in people making changes that endanger other road users?
[−] unglaublich 51d ago
You can translate that to corresponding car-purchases, i.e. vote with your wallet.
[−] jazzyjackson 51d ago
You can feel that way, but plenty of car configuration has always been locked away and walled off, and manufacturers make a tidy profit selling software licenses to dealers and mechanics to perform basic diagnostics. Proprietary software is big business; what can you do?
[−] xyzzy123 51d ago
Having shell is extremely handy for further discovery. SO handy that if they were just gonna patch the bug and lock you out, you would simply not disclose it.
[−] fomine3 51d ago
If they don't give root, researcher may have incentive to keep vuln secret for root access. Looks reasonable.
[−] EquallyJust 51d ago
It's a mixed bag. This only applies to the infotainment system and not the autopilot computer.

They've also revoked certificates from researchers' personal cars in the past.

[−] dostick 51d ago
That’s quite a weak confidence in their own platform security if finding a root level vulnerability is not one-off event, but it’s a program expected to have multiple people routinely finding those.
[−] noosphr 51d ago
Imagine having to hack your device, then having to submit a request to actually own it.
[−] otabdeveloper4 51d ago
The interesting part is this implies that Tesla cars have static certificates that don't rotate. (Whoops.)
[−] Traster 51d ago
And as we all know, if you're smart enough to get root access, your neighbours' children playing football in the street should be subject to the risk of you driving a car that claims to have full self driving with custom code on it.
[−] bluGill 51d ago
I used to work for a company that made third party scan tools. We had racks of ECUs disconnected from the car with just a diagnostic connector and power. Nothing got to a real car without first trying it on the rack. I remember one time we figured out a BMW (pre OBD-II) had the bytes offset from the standard documentation (it was a semi-standard protocol that some other cars used at the time), we went from we communicate but nothing is wrong to a very long list of DTCs on that controller. (All our competitors also showed nothing wrong, but the official BMW tool showed DTCs)
[−] girvo 51d ago
It's funny to hear LVDS be described as an "automotive" cable when all of my run-ins with it are for connecting laptop displays to their main-boards! (though that has a very different connector on it, and it's a very general term for the signalling protocol from what I remember)
[−] LikeBeans 51d ago
Very cool. Over a year and a half ago I installed a towing brake controller in my Tesla Model Y. Found the location of the plug, how to access and the pinout online (confirmed via a voltmeter..) so the car's side felt straightforward. But then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v). Then built a cable from the brake controller to the connector that plugs into the car that I found on eBay. I velcro'd the controller under the dashboard. It works pretty well. I towed my small camper several times with it last year with no issues. Yay! However my little project is nothing compared to this post. Love people hacking away. So cool.
[−] denysvitali 51d ago
You can run QtCar (the Qt-based app that Tesla uses for their UIs) on QEMU - if you have the firmware.

https://x.com/i/status/1722717318009041104

DM me if interested

[−] voidUpdate 51d ago

> " I needed this because both the computer and a screen were being sold with the cables cut a few centimeters after the connector (interestingly most sellers did that, instead of just unplugging the cables)."

Can't you just solder some extra wires onto the cut off bits, rather than having to try and find a compatible cable? They've left the connectors in, and that's the hard bit, the rest is just wires

[−] kotaKat 51d ago
I'm amused reading the terms and requirements the author mentions in the bug bounty program for researchers gaining root access (under 'Vehicle Targets') - https://bugcrowd.com/engagements/tesla

"To promote further security research, Tesla offers security researchers the opportunity to retain root access on their infotainment system even after their reported vulnerability has been patched. In order to qualify, a researcher must send in a valid report describing a novel way to gain root access on a Tesla infotainment system. Upon confirmation, Tesla will instruct the researcher on how to use their existing root access to enable the researcher SSH feature, along with an SSH certificate for the researcher's public key (tailored to their specific hardware ID). The certificate restricts SSH access to the local diagnostic ethernet link. Tesla may renew the certificate as long as the researcher continues reporting vulnerabilities."

Very neat.
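
As an added illustration, not part of the thread and not Tesla's tooling: the quoted terms describe a certificate bound to one researcher key, one hardware ID and one network link, and OpenSSH user certificates can express constraints of that shape. The hardware ID, the address range (a documentation prefix), the file names and the choice to carry the ID as the certificate principal are all assumptions.

```sh
#!/bin/sh
# Added example: constrained OpenSSH user certificate. The hardware ID, CIDR
# and file names are constructed placeholders, not values from any vehicle.
set -eu

# issue_researcher_cert DIR HWID CIDR
# Creates a throwaway CA and researcher key in DIR, then signs the researcher's
# public key into DIR/researcher-cert.pub.
issue_researcher_cert() {
  dir=$1; hwid=$2; cidr=$3
  ssh-keygen -q -t ed25519 -N '' -C example-ca -f "$dir/ca"
  ssh-keygen -q -t ed25519 -N '' -C researcher -f "$dir/researcher"
  # -n: principal = hardware ID (assumption). A device would accept the cert
  #     only if its sshd AuthorizedPrincipalsFile for root lists its own ID.
  # -O source-address: critical option; sshd rejects logins from other addresses.
  # -O no-*: strip forwarding extensions that are enabled by default.
  # -V: bounded lifetime, so continued access depends on the CA renewing.
  ssh-keygen -q -s "$dir/ca" -I "researcher-$hwid" -n "$hwid" \
    -O source-address="$cidr" \
    -O no-port-forwarding -O no-agent-forwarding -O no-x11-forwarding \
    -V +52w "$dir/researcher.pub"
}

# cert_details CERT: print the certificate's decoded fields.
cert_details() {
  ssh-keygen -L -f "$1"
}

demo=$(mktemp -d)
issue_researcher_cert "$demo" hwid-EXAMPLE0001 192.0.2.0/24
cert_details "$demo/researcher-cert.pub"
rm -rf "$demo"
```

On the server side, sshd would trust the CA through `TrustedUserCAKeys`; the key ID passed with `-I` is written to sshd's log on each certificate login, which gives a per-researcher audit trail.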

[−] jabedude 51d ago
I'm actually somewhat surprised the OS fully boots when it's not connected to the expected vehicle peripherals
[−] 0xbadcafebee 51d ago

> Unfortunately I had no other choice but to buy this entire loom for 80 USD.

Fwiw, mine costs $450 from Ford. Also in the US we call this a wiring harness, with the loom being the material that goes over the wires

[−] wodenokoto 51d ago
Say what you will about Tesla, but from a hacking point of view this is some of the coolest things I’ve seen in a while!
[−] jnsaff2 51d ago
Anyone finding this fascinating, please check out Openinverter Forum [0]. Ton of work has been done in decoding CAN messages, DBC files are floating around, open source firmware and controllers are available for Tesla and other components, mostly inverters and chargers but there are overlaps with the VCU and displays as well.

[0] - https://openinverter.org/forum/

[−] nine_k 51d ago
It's funny how the biggest problem turned out to be a mostly mechanical part, the rather trivial 6-pin connector.

Given the presence of the wiring schematics and the mechanical dimensions, I'm surprised that the author did not try to 3D-print the mechanical parts of the connectors, given that the electrical parts extracted from the BMW connectors did fit.

[−] guyzero 51d ago
Congrats, OP has recreated a test/development bench, the bane of developers working on automotive software development all around the world. They're so close to being a real vehicle that you think you'll be able to get a lot of work done, but they're not, so you don't.
[−] uticus 51d ago

> We ordered the chip and took the board to a local PCB repair shop, where they successfully replaced it and fixed the MCU.

What is a "local PCB repair shop"? All the guys who used to fix TVs and radios are gone. Anyone else (not living in China) having trouble locating such an outfit in their neighborhood?

[−] a1o 51d ago

> A DC power supply capable of providing 12V

Hey, I just remembered my school used to have ages ago some cool power supplies (I think from Agilent?) that were very idiot proof, they had current limit with a dial that I think didn’t go over 1A or perhaps even less, and they would instantly disarm on short circuit (and indicate it with a led), and also the voltage dial I think wouldn’t go over 25V. I remember it was very big and heavy, but it survived countless students that used the lab daily.

Nowadays, is there any power supply available that is that resistant or is the recommended approach to get a used old one? Does anyone have a power supply at home that is also used by kids with a brand/model they would recommend? Thanks!

[−] nishanseal 51d ago
This is awesome. Curious if these are plug and play and if that's the case where is the memory that tells you what the mileage is. If it's attached to the computer then the mileage would be off if you switch/repair it.

Completely unrelated. Would be interested if you figure out how to retrofit the new adaptive shocks on performance models to the older cars. Something I would love to do if I had hobby time. I'm pretty sure they fit physically, but needs to be connected to the main computer. I likely would never touch the main computer unless I got root access. In my brain I was thinking about a separate system made with raspberry pi's.

[−] eschneider 51d ago
ECU software development is sort of my day job. If you're going to go down this path, I seriously recommend getting the specialized plugs and connectors and making your own wiring harnesses to whatever size you need. It's absolutely easier than manhandling a full wiring harness or cutting one down. Cheaper, too.
[−] dwa3592 51d ago
Interesting.

> A REST-like API on :8080 which returned a history of “tasks”

I am curious to know what kind of historical tasks- since it's a media control unit; does it show what kind of media was being played in the last trip? does it reveal any other info about the driver?? There might be a privacy angle here that you could exploit and share it with Tesla.

[−] anigbrowl 51d ago
I have no wheels and I must drift
[−] uticus 51d ago

> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.

Typical setup for cars (and lawn mowers). As a software guy my first instinct is, computing power is cheap enough, seems like a CAT5-like thing running between all components would do it. Speaking as a software guy - meaning I'm probably missing a lot of the big picture. On the other hand, it's a lot easier to safety-check a mechanical lockout that physically opens a circuit, than something running on software.

[−] mixdup 51d ago
"tuner" almost certainly refers to a radio (think AM/FM/SiriusXM) tuner module
[−] completelylegit 51d ago
People need to request the source code.. There’s a ton of open source they use that forces Tesla to give you source if you’re a customer and you ask. I don’t get why security people aren’t doing this already.
[−] dogman1050 51d ago
I love that it has a standard RJ45 ethernet connector.
[−] rconti 51d ago
I _do_ find it weird that the LCDs from crashed cars are so expensive. I wonder if newer models have better screens, so people with older cars upgrade? Or if they're a common failure point?

I have a Model 3, but I can't say I follow the forums.. but I've never heard of screens failing -- I'm sure it happens but I think if it was common problem I'd have heard of it.

[−] bennydog224 51d ago
I see in the attached SS that the car has the "BIFL" FSD (?). Does this mean you could swap this CPU into a non-FSD Model 3 and get it?

:O

[−] caffeinedoom 50d ago
Excellent detective work. I had no idea you can get a Tesla's computer off market. I wonder if these may be the last decade that we may be able to get root access to our own hardware consumer products. Keep the good work up.
[−] caycep 51d ago
Granted, I think it would be valuable to look at all sorts of automotive ECUs. I always wonder how the tuning industry does their thing; I shudder to think they're just sitting there flipping hex codes directly in running software...
[−] ge96 50d ago
Makes me think imagine finding a crashed drone somewhere and you pull its guts out, use it for the home automate something, run a shed, plot point in a story

It could be clout like "I turned a Shahed into a gaming PC"

[−] msarrel 51d ago
I feel like maybe you're headed towards this https://youtu.be/K9a2_3XObNI?si=vkP_utLfo3M0LFGO
[−] yc-kraln 51d ago
I would love to use the drive units from a Tesla in a conversion project. Unfortunately, they're cryptographically paired with the main computer, and there's no way to use them.

What a waste.

[−] jeffbee 51d ago
I am surprised that they are surprised that car wiring diagrams are online. People wouldn't accept cars without online service manuals and schematics, and some states mandate them by law. I just looked up this subsystem for my car via my public library. https://appcontent.chiltonlibrary.com/chilton_images/Honda/E...
[−] dmead 51d ago
You're going to make it drive an RC car right?
[−] kklisura 51d ago
Nice read. I would LOVE for someone to dump the whole FSD AI/ML model and try to run it in simulator! That would be awesome!
[−] 23curious 51d ago
Any way to make sure my tesla hasn't been rooted and modified by previous owner, perhaps with remote access?