
Powering up the Model 3 CID without an eMMC: Welcome ice-updater

Open lewurm opened this issue 4 years ago • 2 comments

While waiting for the eMMC reader I thought it might be interesting to see what happens when powering the board on without an eMMC attached. That's what I get on the serial console:

copy ELK from SPI in 5961 ms
SB: Enabled
==> jump to image @100000 (setup @90000) ...
[    0.000000] Linux version 4.1.27-ELK ([email protected]) (gcc version 5.2.0 (crosstool-NG crosstool-ng-1.22.0) ) #2 SMP Fri Jun 29 22:10:37 PDT 2018
[    0.000000] Command line: console=tty0 init=/sbin/init ro rootwait ip=192.168.90.100 clocksource=hpet loglevel=7 console=ttyS2,115200n8 earlycon=uart8250,mmio32,0xfc000000,115200n8 modprobe.blacklist=dwc3 loglevel=7 ABL.bdev=ELK ABL.boot=0 ABL.csever=3.0.20.1139 ABL.bpdt1=0x000055aa,0x00000000 ABL.bpdt2=0x000055aa,0x00000000 ABL.hwver=53,4,1600,b086,1,4096 ABL.mrcthreshold=0,0 ABL.memser=0x00000001 ABL.reset=power ABL.seed=0,0 ABL.oemkm=398@c1454 ABL.timestamps=64@0xc0000 ABL.consbuf=0xdc000 ABL.version=rel.1704
[...]
[    1.410535] IP-Config: Complete:
[    1.414168]      device=eth0, hwaddr=a4:34:d9:01:02:03, ipaddr=192.168.90.100, mask=255.255.255.0, gw=255.255.255.255
[    1.426062]      host=192.168.90.100, domain=, nis-domain=(none)
[    1.432798]      bootserver=255.255.255.255, rootserver=255.255.255.255, rootpath=
[...]
Epoch from Gateway: 1451606410
Fri Jan  1 00:00:10 GMT 2016
VIN from Gateway: 5YJ3E1EA3JF051792
[...]
updater.c:31266: Personality: ice-updater
updater.c:3251: created staged_report_dir_path = /var/spool/ice-updater/staged, terminated_report_dir_path = /var/spool/ice-updater/terminated
updater.c:3262: created spool_dir_path = /var/spool/ice-updater, dev_id = 0x10
Looking for 'ABL.bdev=ELK' in 'console=tty0 init=/sbin/init ro rootwait ip=192.168.90.100 clocksource=hpet loglevel=7 console=ttyS2,115200n8 earlycon=uart8250,mmio32,0xfc000000,115200n8 modprobe.blacklist=dwc3 loglevel=7 ABL.bdev=ELK ABL.boot=0 ABL.csever=3.0.20.1139 ABL.bpdt1=0x000055aa,0x00000000 ABL.bpdt2=0x000055aa,0x00000000 ABL.hwver=53,4,1600,b086,1,4096 ABL.mrcthreshold=0,0 ABL.memser=0x00000001 ABL.reset=power ABL.seed=0,0 ABL.oemkm=398@c1454 ABL.timestamps=64@0xc0000 ABL.consbuf=0xdc000 ABL.version=rel.1704
'
Welcome to /bin/ice-updater (557fdf80a1680229)
[...]
ice-updater:30866: Creating command listener for personality ice-updater (8) on port 25956
ice-updater:30873: Command service listener has fd 7
ice-updater:30875: Creating HTTP listener for personality ice-updater (8) on port 20564
ice-updater:30882: HTTP service listener has fd 8

Full log here: https://gist.github.com/lewurm/4c212deca36c03972bd483ad9a610589

Apparently the abl-APL bootloader (which presumably stands for "automotive bootloader-Apollo") falls back to loading an image of the SPI flash memory located next to the eMMC. It has the FBGA code RW229 on it, which leads me to this serial number: MT25QU128ABA8E12-0AAT. According to the datasheet it has 128MB of storage.

After booting is completed the device is again available as 192.168.90.100 in the network. As before there is an ssh service running on port 22, and, notably, with the same host keys as when booting was done with the eMMC attached. The service on 25956 is new though (at least I believe so; not sure if I ever nmap'd that far up before). Let's look at this:

$ nc 192.168.90.100 25956
Welcome to Model S ice-updater RECOVERY Built for Package Version: develop-2018.18.16.2-4-453019b7cc (557fdf80a1680229 @ 453019b7ccc4caa36007df094006cec605e30b10) up 418.492602079s!
> help
Unauthorized command: help
> auth
7f97ccdc963d3de4e95fe6d410c59d28e88a94e5160701f292d7ec5ccf124517
> auth
04943d69a0020339e7e5d3265d558ffbd7fffe412fb2015d1e1a75fbc93c46c7
> auth 04943d69a0020339e7e5d3265d558ffbd7fffe412fb2015d1e1a75fbc93c46c7
fail
> auth 557fdf80a1680229
fail
> checksig
Unauthorized command: checksig
> get-boot-mode
Unauthorized command: get-boot-mode
> lolwoot
Unauthorized command: lolwoot
> example
Unauthorized command: example
> HTTP-GET
Unauthorized command: HTTP-GET
> report-vin
> report-vin
> auth
05f481d45e3487e3585e8741d57c082972f3e8c33277586db5b9d8ff9f9d1834
> status
Executable: /deploy/ice-updater, personality: ice-updater, hash 557fdf80a1680229, built for package version: develop-2018.18.16.2-4-453019b7cc
uptime: 573.639213807s

/proc/uptime:
576.15 2299.29


current bootdata Contents: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x1f 0x1f 0x1f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Pattern:             0xffffffff
Online boot bank:    RECOVERY
Bank A fail count:   31
Bank B fail count:   31
Bank A dot-model-s size:  0
Bank B dot-model-s size:  0
MCU Board Revision:
Fused: 1

Online map bank: UNKNOWN
Online map package size: 0
Online map signature: NULL
Offline map bank: UNKNOWN
Offline map package size: 0
Offline map signature: NULL

running_in_recovery_partition = 1
installed_firmware_signature = NULL
offline_firmware_signature = NULL
staged_update = no
gateway_needs_update = no
updating_maps = no

END STATUS
> >
> uptime
Unauthorized command: uptime
> wifi-watcher
Unauthorized command: wifi-watcher
> tzset
Unauthorized command: tzset
> report
> post-misc
Unauthorized command: post-misc
> post-gwlogs
Unauthorized command: post-gwlogs
> install
Usage: install URL [-o OFFSET]
> hostip
Unauthorized command: hostip
> gwping
Unauthorized command: gwping

Why did I try those weird commands? Because of some documentation I found about the cid-updater: https://github.com/Lunars/tesla/wiki/CID-Updater

So the only commands that seem to work (I didn't try them all) are status, auth and install.

Not sure what to make of all this:

  • According to this presentation https://i.blackhat.com/us-18/Thu-August-9/us-18-Liu-Over-The-Air-How-We-Remotely-Compromised-The-Gateway-Bcm-And-Autopilot-Ecus-Of-Tesla-Cars.pdf ic-updater, cid-updater and ape-updater are a thing. Makes sense: the ic is the instrument cluster in Model S/X, cid is the touchscreen and ape the autopilot unit. The ic doesn't exist in the Model 3.
  • What does ice mean in ice-updater then? I found zero hits on Google. Why isn't it called cid-updater too?
  • Why does it mention "Model S" in some of its output? Lazy engineers?
  • In the presentation linked above the output is "Welcome to Model S ape-updater ONLINE Built [...]", while I get "RECOVERY" instead. I assume it's in a different state?

I'm not gonna attempt to dump the SPI flash for now. I'm hoping to find a copy of ice-updater on the eMMC storage.

lewurm, Aug 17 '19 11:08
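As an added example (not code from this thread or from the car firmware), a parser for the `status` reply quoted above: it turns the `Key: value` / `key = value` lines into a dict, decodes the raw bootdata bytes, and derives the facts the post is asking about (recovery bank live, both A/B fail counters at 31). The sample reply is constructed and shortened from the transcript; the comparison of bootdata bytes 8 and 9 with the fail counts is a guess from this single sample, not a documented layout.

```python
"""Parse an ice-updater 'status' reply into structured data (added example)."""
import re

# Constructed sample, shortened from the transcript in the issue.
SAMPLE_STATUS = """\
Executable: /deploy/ice-updater, personality: ice-updater, hash 557fdf80a1680229
uptime: 573.639213807s
current bootdata Contents: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x1f 0x1f 0x1f 0x00
Pattern:             0xffffffff
Online boot bank:    RECOVERY
Bank A fail count:   31
Bank B fail count:   31
Fused: 1
running_in_recovery_partition = 1
installed_firmware_signature = NULL
staged_update = no
END STATUS
"""

def parse_status(text):
    """Return a dict of the status fields; 'bootdata' becomes a bytes object."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "END STATUS":
            continue
        m = re.match(r"^current bootdata Contents:\s*(.*)$", line)
        if m:
            fields["bootdata"] = bytes(int(b, 16) for b in m.group(1).split())
            continue
        m = re.match(r"^([^:=]+?)\s*(?::|=)\s*(.*)$", line)  # 'Key: v' or 'key = v'
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def boot_summary(fields):
    """Derive boot state from the parsed fields and cross-check the raw bootdata."""
    bd = fields["bootdata"]
    fail_a = int(fields["Bank A fail count"])
    fail_b = int(fields["Bank B fail count"])
    return {
        "recovery": fields["Online boot bank"] == "RECOVERY"
                    and fields.get("running_in_recovery_partition") == "1",
        # first four bytes are the pattern the updater prints separately
        "pattern_matches": int.from_bytes(bd[:4], "little") == int(fields["Pattern"], 16),
        "banks_exhausted": fail_a == 31 and fail_b == 31,
        # assumption: bytes 8/9 hold the A/B fail counters (0x1f == 31 in this sample)
        "fail_bytes_match": bd[8] == fail_a and bd[9] == fail_b,
    }
```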

I like your work. Keep going

mikealanni, Aug 17 '19 13:08

That's just the ELK image. You can see it in /deploy/ice-elk-spi.bin in the car firmware; sort of like a recovery image.

"ice" is the infotainment unit's self-name (even though the hostname is cid) on Model 3. It's not called cid-updater for that reason.

"ModelS" is just lazy engineers indeed.

RECOVERY is because it's built differently.

/deploy/ice-updater is the non-recovery version of the ice-updater you can find in the firmware.

verygreen, Aug 18 '19 00:08