denysvitali / tesla-firmware-decrypt

A tool to decrypt Tesla OTA firmwares

Question about the firmware acquisition #2

Open lihaoran8001 opened 4 months ago

lihaoran8001 commented 4 months ago

I was wondering how we can get the firmware binary file, and what models this algo can be applied to? Thanks

denysvitali commented 4 months ago

The firmware can be fetched by sniffing the HTTP traffic between the car and the Tesla firmware servers - yes it's really HTTP.

This works (AFAIK) with all the firmware versions. The key is transmitted via a secure channel (Tesla's VPN) - but it's unique per file.

If someone leaks / finds a way to get those keys, they can decrypt the firmware from their side. The key can't really be bruteforced, but one can buy a Tesla infotainment computer off eBay and (with root access) get all the firmware keys from there.

This repo will only help you if you have a copy of the encrypted firmware (I have plenty!) AND their associated key (I have close to 0).

lihaoran8001 commented 4 months ago

Really appreciate the quick reply. I understand the mechanism you've explained.

Do you mean that there's a SET (limited number) of firmwares and their corresponding keys? Or could it be that every time a car initiates a firmware update, the server generates a temporary/random key, uses it to encrypt the firmware, and then distributes both to the car?

denysvitali commented 4 months ago

There is one key per firmware file. The firmware URL is signed and it's valid only for a short amount of time, but the file itself is always the same for every (model, version, CPU) version.

That is, if I have an encrypted firmware file 2023.00.00 for a Model 3 AMD and you have retrieved that key - I can use that key to decrypt my file.

lihaoran8001 commented 4 months ago

Got it, thanks for your help:)

lihaoran8001 commented 4 months ago

Hi Denys, is it possible to get your encrypted firmwares/keys so I can make a validation on this algo?

denysvitali commented 4 months ago

The algorithm works, trust me (:

I cannot share the encrypted firmware file and the encryption keys - sorry.