Scripts to Enhance Firmware

From Unofficial Tesla Tech
Revision as of 15:41, 20 June 2020 by Carl (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

I'd offered a number of scripts to customize your firmware, but this article is about a whole new set of scripts to use instead. A much better set. Needless to say, you must have root.

Lunar's scripts by MattG over on github is a comprehensive way to customize your system and are an excellent reference. But I have completely overhauled them with security improvements, consolidations, extensions, and made them Posix-compliant. Thanks Matt, for blazing the trail.

One change I've made is for the scripts to run in sh (Dash) rather than Bash wherever possible. (in memory of the ShellShock bug) We infosec types like simplifying wherever possible to reduce attack surface, and Bash is just not simple.

I'll describe how to install, and set up of these scripts should be self-explanatory as I've annotated exensively. Below is a description of each script and its function so that you can decide which you want to use, if any.

Tokens - Grab 'em

The first thing to do before anything else is to get your two tokens... /var/etc/saccess/tesla1 and tesla2 are the passwords for users tesla1 and tesla2 respectively. Copy these you your laptop, write them on a piece of paper, tape them to your forehead, put them under your pillow. These tokens change every day if Tesla has access to your car, but we are going to fix that right up.

Do not set the tokens immutable (don't ask me how I know...);  if you do, the Upstart SSHd script (/etc/init/ssh.conf) will try to set the tokens' owner and rights but fail, and so guess what? No SSH! Parrty Time! But don't worry, my tokens backup script notices when they change instantly, and backs them up to the IC and (optionally) to your home server.

The Data Structure

As my scripts are so different from Lunars I've renamed them 'solar'.

As I finish these up I'll provide a full archive of them for download. All you have to do is unpack the archive in /var, and make the settings you want by editing /var/solar/solar.conf and scripts.conf . Then set up cron properly.

And tinker and improve, although be forewarned, thar be dragons. I did everything for a reason;  know  thee  what  thine  art  about. Suggestions and improvements welcomed. (Criticisms dispatched with extreme prejudice)

To run any script standalone for testing:
# sh {scriptname}.sh
... but be aware;  it may need variable(s) assigned first (located in solar.conf) with:
# export {variablename}={value}
If it seems like it's not working check for this. Be sure to kill any latent daemons you may have created with this, or emit-reboot-cid.

The directory structure is:

  • /var
    • /solar
      • assets (directory) - Where all the goods are stored.
      • scripts.conf - The setup file for which scripts you want to run.
      • solar.conf - The setup file for variables.
      • start.sh - The file that kicks everything off.
  • /var
    • /solar
      • /assets
        • profile - Additions to the CID and IC /etc/profiles to make things nicer.
        • save-tokens.php - Script to go on your remote (home) server to save tokens.
        • save-vitals.php - Script to go on your remote (home) server to back up vital info of your car. This belongs in your home server's 'tesla' directory. For example if your home server is example.com, this .php file would go in example.com/tesla/ . Make sure the .php file is readable by your webserver.
        • scriptsEveryBoot (directory) - Scripts here are executed every boot.
        • scriptsEveryFiveMinutes (directory) - Scripts here are executed every five minutes (NOT READY)
        • scriptsMisc (directory) - Scripts here have various functions. (NOT READY)
Science.jpg CAUTION - Science Content

~~ Backing Up to a Remote Server ~~

So backup-critical-files will back up your critical files to the Instrument Cluster (when the IC has the intelligence), which is a no-brainer. Backing these file up to your home server is optional, but highly recommended -- although it does require a little setup.

We are going to do this using an excellent utility called rsync, which operates through an SSH tunnel to your home. So at home you must set up an SSH server which listens on a port which is the last 4 digits of your car's VIN. (security is layers) Then on your home router set it to pass through requests to this port from the outside, through to your server.

Tesla has thoughtfully provided us with an absolutely non-privileged user called 'nobody', which is in the group nogroup, and we will use this user to set up the rsync tunnel, just in case there is a MitM attack, they wouldn't get anywhere.





          • create-accounts.sh - Set your own password on users root, tesla, and your own chosen setuid account, and set your SSH RSA certificate for all.
          • daemon-stop.sh - Stop the Tesla daemons which seem not useful, including cid-updater which really bangs on syslog. Don't worry, it's easy to turn back on.
          • firewall-tesla.sh - Set up a comprehensive firewall using IPTables to keep Tesla out. Your car will appear to them like it's 'asleep'. zzzzz
          • freedomevstart.sh rwx------ 1 root root 3696 2020-04-16 15:55 freedomevstart.sh (NOT READY)
          • listen-for-code.sh - Function codes set by some talent to perform actions with shortcuts.
          • log-to-mem.sh - Change from logging to the eMMC flash to RAM, to prevent wearing out the eMMC. Not necessary and not recommended if you've upgraded to a SwissBit eMMC chip. Nonvolatile logs, good -- hysterical daemons battering them, bad.
          • open-diag-port.sh - duh, open the diagnostic port.
          • profile.sh- Add /var/solar/assets/profile to the bottom of /etc/profile for nice additional features in the shell. (prompt)
          • speed-sensitive-volume.sh - Change audio volume depending on speed of the vehicle.
          • watch-tokens.sh - Save /var/etc/saccess/tesla* tokens immediately whenever they are changed, to the IC, and optionally to your home server.
  • /var
    • /solar
      • /assets
        • scriptsEveryFiveMinutes

...

  • /var
    • /solar
      • /assets
        • scriptsMisc

...

Installing

Download the archive (when it's ready), and put it somewhere, /var/local/ is good.
# tar -jxpvf /var/local/solar.bz2 /var/
# cd /var/solar

Now edit solar.conf to your liking, and edit scripts.conf to turn on the scripts you want to run. The defaults are a pretty good start. Everything else should be squared away.

If you want to save files to and communicate with a remote (home) server, particularly using a phone app like MattG's nikola, you'll need to set up a web server which can be accessed from the outside.

Don't reboot yet! We still have to kick this thing off at boot.
# crontab -e
And add:

@reboot /sbin/start-stop-daemon --start --quiet --make-pidfile --oknodo --background --pidfile /var/run/solar-main.pid --exec /bin/bash /var/solar/start.sh

Save it, take a Red, and
# emit-reboot-cid

ShakeDown

Want to check what's working and what's not? Result Codes are written to the system log file as scripts are executed. A Result Code of 0 means success... a Result Code of something else means something else. After reboot:

# cat /var/log/syslog |grep SCRIPT
2020-06-20T08:08:38.323023-07:00 cid SCRIPT: profile root on CID 0
2020-06-20T08:10:23.736534-07:00 cid SCRIPT: bin boot busybox dev disk etc home ifup.lo ifup.parrot ifup.toucan ifup.wwan0 lib lost+found media mnt nonexistent opt proc root sbin selinux srv sys system tmp usr var Starting Solar bin boot busybox dev disk etc home ifup.lo ifup.parrot ifup.toucan ifup.wwan0 lib lost+found media mnt nonexistent opt proc root sbin selinux srv sys system tmp usr var
2020-06-20T08:10:52.144781-07:00 cid SCRIPT: start.sh Sleeping for 1m waiting for internet.
2020-06-20T08:11:54.018177-07:00 cid SCRIPT: start.sh Found internet
2020-06-20T08:11:54.028019-07:00 cid SCRIPT: start.sh Continuing with Solar startup
2020-06-20T08:11:54.433382-07:00 cid SCRIPT: daemon-stop Stop due to solar.conf cid_updaterStop=true 0
2020-06-20T08:11:54.536247-07:00 cid SCRIPT: daemon-stop Stop due to solar.conf teslaVPNStop=true 0
2020-06-20T08:11:54.544045-07:00 cid SCRIPT: open-diag-port 0
2020-06-20T08:11:54.670721-07:00 cid SCRIPT: daemon-stop Stop due to solar.conf chinaPositionerStop=true 1
2020-06-20T08:11:55.086609-07:00 cid SCRIPT: autopilot-autosteer 0
2020-06-20T08:11:55.119180-07:00 cid SCRIPT: listen-for-code 0
2020-06-20T08:11:55.150496-07:00 cid SCRIPT: firewall-tesla iptables rules flushed 1
2020-06-20T08:11:55.318725-07:00 cid SCRIPT: speed-sensitive-volume 0
2020-06-20T08:11:55.535866-07:00 cid SCRIPT: create-accounts create carl 2
2020-06-20T08:11:55.560691-07:00 cid SCRIPTS: backup-critical-files Copying critical files to ic:/var/solar-backups-cid/.
2020-06-20T08:11:55.721223-07:00 cid SCRIPT: create-accounts SSH key root 0
2020-06-20T08:11:55.890607-07:00 cid SCRIPT: create-accounts SSH key tesla 0
2020-06-20T08:11:56.051016-07:00 cid SCRIPT: create-accounts SSH key carl 0
2020-06-20T08:11:56.323195-07:00 cid SCRIPT: firewall-tesla firewall-tesla 0
2020-06-20T08:11:56.408938-07:00 cid SCRIPT: profile 0
2020-06-20T08:11:56.670919-07:00 cid SCRIPT: backup-critical-files backed up to IC, tokens 0
2020-06-20T08:11:57.241006-07:00 cid SCRIPT: backup-critical-files backed up to IC, /var/spool/cron/crontabs/root, /var/solar/, and /var/etc 0
2020-06-20T08:11:57.633069-07:00 cid SCRIPT: backup-critical-files backed up to IC, ic:/var/solar-backups-cid/gw_hwids.txt 0
2020-06-20T08:11:58.013039-07:00 cid SCRIPT: backup-critical-files backed up to IC, ic:/var/solar-backups-cid/gw_internal.dat 0
2020-06-20T08:11:58.560691-07:00 cid SCRIPTS: backup-critical-files Copying critical files to https://blah.com/tesla/.
2020-06-20T08:11:58.670919-07:00 cid SCRIPT: backup-critical-files backed up to home server, https://blah.com/tesla/tokens 0
2020-06-20T08:11:59.241006-07:00 cid SCRIPT: backup-critical-files backed up to home server, https://blah.com/tesla/var/spool/cron/crontabs/root, /var/solar/, and /var/etc 0
2020-06-20T08:11:59.633069-07:00 cid SCRIPT: backup-critical-files backed up to home server, https://blah.com/tesla/var/solar-backups-cid/gw_hwids.txt 0
2020-06-20T08:11:59.013039-07:00 cid SCRIPT: backup-critical-files backed up to home server, https://blah.com/tesla/var/solar-backups-cid/gw_internal.dat 0

Oh, there are a few non-zeroes, chinaPositionerStop is already stopped, firewall-tesla I don't know but it works, and I haven't had time to chase down 'create carl' for bit-twiddling, but all is working as intended.


... in progress

Carl A. Cook