A lot of folks miss the previous features like Parking Mode and so on. To bring back these features, one needs to hack the Tesla.
But how do you jailbreak a Tesla? It is a hard procedure that can only be performed if you know a little about coding. Here is a rough outline of the steps:
- Find the target.
- Jailbreak the browser.
- Choose one individual embedded system.
- Make a fake ECU server.
- Send CAN messages.
- Receive Tesla’s response.
In this guide, I’ll share the procedure for jailbreaking the Tesla in depth so you can do it yourself at home. Here I go!
Follow These Steps to Jailbreak a Tesla
In order to regain features like Seat or Parking Mode, I’ll share the procedure in detail so you can follow it. This is how a Tesla can be jailbroken:
Step 1: Find the Target
You have to find the weakest point before you can jailbreak the Tesla. For that, the best target is the Wi-Fi SSID (the Tesla Service network), whose plaintext password is pre-saved (that is, hard-coded) in “QtCarNetManager.”
However, know that it won’t connect in normal mode. To make it work, you have to use Tesla Guest. Tesla body shops and Superchargers offer a Wi-Fi hotspot with a saved passcode.
If you can fake that hotspot and redirect the traffic of QtCarBrowser to your own domain, jailbreaking the Tesla becomes much easier.
Step 2: Jailbreak the Browser
Next, check the user agent of the Tesla web browser, which would be “Mozilla/5.0 (X11; Linux) AppleWebKit/534.34 (KHTML, like Gecko) QtCarBrowser Safari/534.34”. It is an old version that contains two jailbreaking paths to executing arbitrary code.
If the “compareFunction” invokes JSArray::shiftCount(), m_vector is moved into a new structure and its length changes; however, the local pointer to the storage still points at the old location. Now, do the following steps:
- By using the vulnerability in JSArray::sort() leak the JSCell address of a Uint32Array structure.
- By using the CVE-2011-3928 get the address of a Uint32Array class structure.
- By using the vulnerability in JSArray::sort() insert FastFree() at this address.
- Define a new Uint32Array class structure to get access to arbitrary address writes.
- From the JSCell address and the JSC::ExecutableBase structure, collect the address of the JIT memory.
As Tesla’s ARM Linux kernel is still affected by CVE-2013-6282, it is easy to get arbitrary read/write in the kernel context for the exploit. To do so, here’s what you’ll need to do:
- First, patch the setresuid() syscall to get root privileges.
- Invoke reset_security_ops() to disable AppArmor (which is blocking you from arbitrary read/write in the kernel context).
Step 3: Get into One Individual Embedded System
Instead of the IC and Parrot, the safest way into the inner system is via the Gateway. To do so, follow the given instructions:
- Reverse the binary file (gw-diag) to find the function named ENABLE_SHELL.
- Run the command printf "\x12\x01" | socat - udp:gw:3500 to wake up the Gateway’s backdoor on port 23. This is the shell entry!
- Find the backdoor’s token in the function shellTask() in IDA. Note the keyword you see there; it gives you full access to the Gateway.
Step 4: Program the ECU on the Tesla
- Locate the Gateway ECU, which you’ll find in the box. An SD card is directly connected to the Gateway with no protection.
- Check the FAT filesystem on this SD card to locate debug and upgrade-related files.
- If you find a log file (related to upgrading the ECU), take some strings from these files and search for them. Locate the file named booted.img and rename it.
- Now, make a fake boot.img using the memoinfo area with customizable code. Then, recalculate the value.
- Look for the file named release.tgz, which contains the ECU software bundle and other data.
- Inside this bundle, you’ll find the gtw.hex file. Disassemble it to see its internals.
- Among all the functions, you’ll find one with id 0x08 that checks the file named msg_content on the SD card to confirm that the format is correct and that it passes the checksum check.
- If all checks pass, the system renames the file to boot.img and restarts itself. Then it loads and runs it.
- Wait a while for the software to update itself.
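The gate described in the steps above accepts any image that has the right format and passes a checksum check, which is exactly why recalculating the value is enough. The following is an added example, not code from the page and not Tesla’s real image format: a constructed toy image format with a CRC32 trailer, beside the same gate using an authentication tag, to show what a checksum does and does not protect. The payloads, the trailer layout and the key are all hypothetical.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def pack_checksum_image(payload: bytes) -> bytes:
    """Hypothetical image format: payload followed by a 4-byte CRC32 trailer."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def checksum_gate(image: bytes) -> bool:
    """Weak gate: accepts any image whose trailer matches its own payload.
    Anyone who can write the SD card can also recompute the trailer."""
    if len(image) < 4:
        return False
    payload, trailer = image[:-4], image[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == trailer


def pack_signed_image(payload: bytes, key: bytes) -> bytes:
    """Authenticated variant: payload followed by an HMAC-SHA256 tag.
    (Stand-in for a real design, which would use an asymmetric signature so
    the device only needs the vendor's public key, not a secret.)"""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def signed_gate(image: bytes, key: bytes) -> bool:
    """Accepts only images whose tag was produced with the vendor key."""
    if len(image) < TAG_LEN:
        return False
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def evaluate() -> dict:
    """Run both gates against a genuine and a modified image (constructed data)."""
    vendor_key = b"constructed-vendor-key"      # hypothetical, not a real key
    genuine = b"GTW firmware bundle (constructed sample)"
    modified = genuine + b" + modified code"
    return {
        # checksum-only gate: a modified image with a recomputed trailer passes
        "checksum_genuine": checksum_gate(pack_checksum_image(genuine)),
        "checksum_modified": checksum_gate(pack_checksum_image(modified)),
        # authenticated gate: only the vendor-keyed tag passes
        "signed_genuine": signed_gate(pack_signed_image(genuine, vendor_key), vendor_key),
        "signed_wrong_key": signed_gate(pack_signed_image(modified, b"not-the-vendor-key"), vendor_key),
        # splicing the genuine tag onto a modified payload also fails
        "signed_spliced": signed_gate(modified + pack_signed_image(genuine, vendor_key)[-TAG_LEN:], vendor_key),
    }


if __name__ == "__main__":
    for name, accepted in evaluate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The checksum gate accepts both images, because a checksum only detects accidental corruption; the authenticated gate rejects the modified image whether the tag was recomputed under another key or copied from the genuine image, because the tag is bound to both the key and the exact payload.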
Step 5: Add CAN Message
Now you can send any sort of message to the real CAN bus by using the fake UDP signal. Plus, you can block some essential CAN signals, which can cause dangerous situations when driving the car.
Through this access, you can now jailbreak the Tesla and compromise the CAN bus while driving simply by naming a part, like Tesla > seat/braking/mirror/trunk/sunroof/p_mode.
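Because a compromised Gateway can inject frames or suppress essential ones, as the step above says, a defender wants to notice when the bus changes shape. The following is an added example, not from the page: a small monitor over constructed candump-style log lines that flags arbitration IDs outside an allowlist, bursts faster than an ID's nominal period, and silences longer than it. The EXPECTED table, the IDs, their periods and the sample lines are all hypothetical, not any real vehicle's CAN matrix.

```python
import re
from collections import defaultdict

# Constructed allowlist: arbitration ID -> nominal period in seconds.
EXPECTED = {
    0x101: 0.010,   # hypothetical brake status
    0x2A0: 0.020,   # hypothetical steering angle
    0x3B5: 0.100,   # hypothetical door/trunk state
}

# Constructed capture in candump -L style: "(timestamp) iface ID#DATA"
SAMPLE = """\
(1700000000.000) can0 101#00
(1700000000.010) can0 101#00
(1700000000.020) can0 101#00
(1700000000.020) can0 2A0#0102
(1700000000.030) can0 101#00
(1700000000.040) can0 101#00
(1700000000.040) can0 2A0#0102
(1700000000.041) can0 7FF#DEADBEEF
(1700000000.042) can0 2A0#FFFF
(1700000000.050) can0 101#00
(1700000000.060) can0 2A0#0102
(1700000000.100) can0 3B5#01
(1700000000.200) can0 3B5#01
(1700000000.650) can0 3B5#01
(1700000000.660) can0 101#00
"""

LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\w+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")


def parse_candump(lines):
    """Yield (timestamp, can_id, data) from candump-style lines; skip junk."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, _iface, cid, data = m.groups()
        yield float(ts), int(cid, 16), bytes.fromhex(data)


def detect(lines, tolerance=3.0):
    """Return alerts as (kind, can_id, detail) tuples, in capture order.

    kind is one of:
      unknown_id - an ID not in the allowlist (a possible injected frame)
      flood      - two frames of one ID closer than period / tolerance
      silence    - two frames of one ID further apart than period * tolerance
                   (a possibly suppressed periodic signal)
    """
    alerts = []
    last_seen = {}
    counts = defaultdict(int)
    for ts, cid, data in parse_candump(lines):
        counts[cid] += 1
        if cid not in EXPECTED:
            alerts.append(("unknown_id", cid, f"{len(data)} bytes at {ts:.3f}"))
            continue
        period = EXPECTED[cid]
        if cid in last_seen:
            gap = ts - last_seen[cid]
            if gap < period / tolerance:
                alerts.append(("flood", cid, f"gap {gap * 1000:.1f} ms"))
            elif gap > period * tolerance:
                alerts.append(("silence", cid, f"gap {gap * 1000:.1f} ms"))
        last_seen[cid] = ts
    return alerts


if __name__ == "__main__":
    for kind, cid, detail in detect(SAMPLE.splitlines()):
        print(f"{kind:<10} 0x{cid:03X} {detail}")
```

On the constructed capture the monitor reports the unknown ID 0x7FF, a burst on 0x2A0 (two frames 2 ms apart against a 20 ms period), and silences on 0x3B5 and 0x101. Timing-based rules like these are only as good as the allowlist and the tolerance, so in practice the periods come from the vehicle's own signal database rather than guesses.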
Step 6: Get Tesla’s Response
After attempting the jailbreak, you’ll get a response from Tesla within 10 days. Wait for the response, and then the feature will be unlocked.
Frequently Asked Questions
1. What Does Jailbreak the Tesla Mean?
Regardless of whether jailbreaking a Tesla Model 3 is worth it, the term simply means removing the restrictions imposed by Tesla. Jailbreaking unlocks features and makes them available in the car for you to enjoy.
2. Is It Possible to Hack into A Tesla?
It’s possible, as long as it has a computer. As a Tesla has more than 60 computers running its inner systems, a hacker can get into the system via a connected network.
3. Is it legal to jailbreak Tesla?
Yes, it is legal in most countries today. Under the exemption in the Digital Millennium Copyright Act, this does not break the law.
That’s how to jailbreak a Tesla in case you want to bring back the previous features that have been locked! Although this isn’t a crime, it might void the Tesla warranty, and a basic repair costs a lot. Hope this helps!