{"id":13538458,"url":"https://github.com/hackerschoice/thc-tesla-powerwall2-hack","last_synced_at":"2026-02-21T22:30:51.518Z","repository":{"id":106922319,"uuid":"221465987","full_name":"hackerschoice/thc-tesla-powerwall2-hack","owner":"hackerschoice","description":"TESLA PowerWall 2 Security Shenanigans ","archived":false,"fork":false,"pushed_at":"2024-05-09T07:35:54.000Z","size":1007,"stargazers_count":463,"open_issues_count":0,"forks_count":43,"subscribers_count":33,"default_branch":"master","last_synced_at":"2025-10-26T15:40:03.533Z","etag":null,"topics":["electricity","hacking","powerwall","security","tesla"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hackerschoice.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-13T13:30:04.000Z","updated_at":"2025-09-15T02:01:32.000Z","dependencies_parsed_at":null,"dependency_job_id":"fbdd7add-dc6a-473f-ae18-19bb1c0f39c2","html_url":"https://github.com/hackerschoice/thc-tesla-powerwall2-hack","commit_stats":{"total_commits":28,"total_committers":7,"mean_commits":4.0,"dds":0.3928571428571429,"last_synced_commit":"729b8693229a6ce8c0cf66ff6b8f9ade3f923cd4"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/hackerschoice/thc-tesla-powerwall2-hack","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tesla-powerwall2-hack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tesla-powerwall2-hack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tesla-powerwall2-hack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tesla-powerwall2-hack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hackerschoice","download_url":"https://codeload.github.com/hackerschoice/thc-tesla-powerwall2-hack/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tesla-powerwall2-hack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29695781,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-21T18:18:25.093Z","status":"ssl_error","status_checked_at":"2026-02-21T18:18:22.435Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["electricity","hacking","powerwall","security","tesla"],"created_at":"2024-08-01T09:01:12.293Z","updated_at":"2026-02-21T22:30:51.495Z","avatar_url":"https://github.com/hackerschoice.png","language":null,"funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的"],"readme":"# TESLA PowerWall 2 Security Shenanigans\n\n24h ago Elon Musk announced to build the next [TESLA Gigafactory in Germany](https://techcrunch.com/2019/11/12/elon-musk-picks-berlin-for-teslas-europe-gigafactory/), somewhere near Berlin. Here at THC we consider Berlin to be our home turf. Welcome to Berlin, Mr. Musk.❤️\n\nLet's take a look at this TESLA Powerwall 2. Let's make sure the security is up to our standards before it is being sold to our citizens.\n\nThis is a start. Take this and take it further.\n\nTwitter: [@hackerschoice](https://www.twitter.com/hackerschoice)  \neMail: root at thc.org\n\n---\n**EXECUTIVE SUMMARY**\n1. GUI wide open.\n2. Default password on WiFi and management interface\n3. Attacker can cause financial damage to consumer\n4. Attacker can dump entire PW Load into the grid at once\n5. Attacker can oscilate between CHARGING and DUMPING (microseconds, the poor sub-station!)\n6. Attacker can change grid codes.\n\n---\n**Introduction:**\nThe Tesla Powerwall 2 (PW) is a battery storage solution. It is often installed in combination with photovoltaic solar panels (PVs). The PW will store the PV generated power during daytime when the sun is shining and make the power available to the house when the sun is not shining. The PW can store up to 13.5kWh of electric power and load/unload it at 5kW (7kW peak US / 5kW peak in the UK).\n\n---\n**Components:**\nThe Gateway (GW) consists of a Single Board Computer (SBC) and an energy meter (Neurio).\n\nThe SBC is custom built by WinSystems Inc and is called the G400. The main chip is a [MCIMX6S7CVM08AC](https://www.mouser.co.uk/datasheet/2/302/IMX6SDLIEC-1126203.pdf) from NXP. It is not underfilled and all balls are accessible (*hint*).\n\nThe Neurio energy meter is the W1 module. It connects to the SBC via WiFi.\n\nRS-485 is used to communicate between the SBC and the battery. Up to 10 batteries can be connected to a single GW (daisy-chain).\n\nThe research is based on GUI firmware *1.10.2* and internal firmware *Tesla-0.0.7*\n\nThe GW can  be configured to connect via Ethernet, GSM and Wifi to the Internet/Tesla-HQ. The Internet connection is used for firmware updates and for Tesla to fiddle with your PW. Tesla has unrestricted and remote management capability.\n\n![Tesla GW PCB](images/tesla-pw-gw.jpg)\nDownload: [tesla-pw-gw.jpg](images/tesla-pw-gw.jpg)  \nDownload: [tesla-pw-gw-front.jpg](images/tesla-pw-gw-front.jpg)\n\n```\n22/tcp open  ssh (SSH-2.0-OpenSSH_7.2)\n80/tcp open  http (PW UI running here)\n8306/tcp  open  Welcome to Model S hec-updater ONLINE Built for Package Version: 17.23.0 (up 28754.018395333s)\n29810/tcp open  unknown\nMAC ETH  Address: 00:01:45:07:31:17 (Winsystems)\nMAC WiFi Address: 00:23:A7:AF:de:ad (Redpine Signals)\n```\nHere are some commands you can execute on the hec-updated on port 8306:\n```\nstatus\nins \nauth\nreadsig\nwatch\npatch\nreset\nexit\nhandshake\noverride_handshake\ngostaged\nvin\n```\n---\n**PW-UI Management Interface**\n\nThe PW-GW’s management interface is accessible via WiFi. The WiFi network name is *TEG-XYZ* with XYZ being the last 3 digits of the PW’s serial number. TEG stands for ‘Tesla Energy Gateway’.\n\nThe password for the WiFi is the serial number. The serial number looks like this:\n\n```\nST\u003cYY\u003e\u003cL\u003e0001\u003cXYZ\u003e\n```\nYY is the built year and L is the revision number. I’ve seen revisions with letter D through to I. For example *ST17H0001789* would be a valid password for the Tesla PW on a WiFi network with SSID TEG-789.\n\nThe Management Interface (PW-UI) is accessible at http://192.168.91.1. The webpage will ask for a password which is again the serial number. The same management interface is accessible via the ethernet connection.\n\nThe password can not be changed. It is not possible to disable the WiFi network. I accessed mine from 50m away. It's broadcasting its SSID as well (yeha!).\n\n**THC says: Fix it! No default passwords. Do not have the WiFi accessable unless during installation.**\n\n---\n**CT fun:**\n\nThe Tesla PW comes with two CT sensors. These are A/C current clamps that are installed around the LIVE wire of the incoming GRID line (house LIVE) and the LIVE wire of the SOLAR PV.\n\n![CT Clamp](images/Current-Transformer.jpg)\n\nThe Tesla PW uses these clamps to determine when to charge the PW from the Solar PV. E.g. the PW goes into charging mode when the Solar PV generate more electricity than the house uses.\n\nThe CT sensors have to be installed with the correct orientation or otherwise the GW gets an inverted (negative) reading. E.g. The GW thinks the house is exporting electricity rather than importing from the grid. Electricians do make mistakes and Tesla has this *amazing* feature to *invert the reading in software* if the installer fitted the CT clamps the wrong way around (sweet!)\n\nIn the PW-UI Management Interface this is possible by selecting the \"Flip\" check-box next to the CT Sensor name on the CT configuration page. \n\n---\n**CHARGE \u0026 KILL THE GRID**\n\nLet's flip the reading of the GRID CT Clamp in the PW-UI. Lets assume the CT Clamp reading is +1kW (e.g. that the house is drawing +1kW from the grid). After flipping the reading the GW received -1kW and believes that the energy is being exported to the grid. The PW immediately goes into charging mode and starts charging the PW. This causes more power to be drawn from the grid (say +2kW). The CT Clamp reports this to the GW as -2kW (remember, it's flipped) and the PW ramps up charging...and draws even more power from the grid..and so on and so on...until it's charging at full load of +5kW. All this happenes within microseconds. **WARNING: The battery gets hot very quickly and the fans start spinning at full power**\n\nThere are other fun CT Clamp Flip Combinations. Another combination forces the PW to dump it's entire charge back into the grid - all at once of course.\n\nThe Problem:\n1. Here in the UK we have night rate and day rate for electricty. Night rate is usually 300% cheaper and the PW is charged by night. Now an attacker can trick the PW to charge at day-rate and dump the load into the grid at night-rate, causing a financial loss to the consumer.\n2. The default password is crap. It's 2019. This should not happen. An attacker can access multiple Tesla PW's at the same time. Does anyone know how the grid feels if all Tesla PW's start dumping their load back into the grid? I can also quickly change between CHARGING and DUMPING. It's really quick. We are talking sub-second switching between CHARGING and DUMPING. How does the grid feel about me oscilating this and who will die first, the PW or the sub-station?\n3. It is little understood that Tesla can do all this from their HQ. By this I mean any attacker or employee with the right access to Tesla HQ can put all PW's worldwide into CHARGING and DUMPING and oscilating between these two very quickly (sub-second).  \n\n**THC says: Err, do not cause any harm**\n\n---\n**So much more to research**\n\nThe PW-UI managment interface has lots of other features which we have not explore (yet). It's possible to play with the grid codes such as forcing the PW into 60Hz or lowering/increasing the allowed export amperage or voltage. *Someone really should take a look at this....*\n\nImagine what somebody could to with access to the PW GW single board computer...and thus being able to send raw commands via the rs485 to the batteries....\n\nLooks like the ssh version might be vulnerable to [username enumeration](https://bugfuzz.com/stuff/ssh-check-username.py). Also somebody should check serial console and vga/keyboard on the PCB.\n\n---\n**Automate your attack**\n\nThe PW-UI is a web-based interface. A simple Python script can be used to trigger any type of commands remotely. A lot of commands are uncodumented. The best way to get a list of commands is to have the Mozilla Network Monitor running during setup and testing.\n\n---\n**Interesting API calls**\n\nMost API calls are available without authentication. Auth is required for most API calls that write to the system. It's HTTP BASIC AUTH using the same password as the WiFi password.\n\n```\nGET API calls:\n/api/status              # Shows start_tie, up_time, version, git_hash\n/api/system_status/grid_faults\n/api/system_status/soe   # Shows percentage\n/api/config\n/api/config/completed\n/api/customer\n/api/sitemaster/stop     # Stops the PW\n/api/sitemaster/run      # Starts the PW\n/api/customer/registration\n/api/installer\n/api/meters\n/api/meters/aggregates  # Info about CTS and loads)\n/api/meters/readings\n/api/networks\n/api/networks/wifi_security_types\n/api/operation\n/api/powerwall\n/api/powerwalls/status \n/api/site_info\n/api/sitemaster         # Shows running, uptime, connected_to_tesla...\n/api/solar\n/api/system_status/grid_faults\n/api/system/testing\n/api/system/update/status\n```\n\n```\nPOST API calls:\n/api/customer/registration/legal\n/api/customer/registration/skip\n/api/installer\n/api/login/Basic\n/api/meters/{CTS ID}/invert_cts\n/api/networks/default_gsm/disable\n/api/operation\n/api/powerwalls\n/api/powerwalls/update\n/api/site_info/timezone timezone: Europe/London\n/api/site_info/grid_code\n/api/site_info/grid_code\n/api/site_info/site_name\n/api/site_info/timezone\n/api/system/testing\n/api/system/networks/conn_tests\n\n\n```\n\nExample:\n```\n/api/site_info/grid_code\n```\n|variable|value|\n|------|-------|\n|grid_code|50Hz_230V_1_G59:UK|\n|region|G59 21A|\n\nDo not try any of these Grid Codes (really, please do not):\n```\nAU ASS4777.2\nDE VDE4105\nUK GA59 21A, GA83 16A\nIT CEI-021\nNZ NZS47772\nUS: IEEE1547 Split Phase 240V 60Hz\n```\n\n```\n/api/installer\n```\n\nTesla Installer Account Numbers are sequential and can be retrieved with *api/installer/companies*. Example: Installer 1681 is *ZSD Solar GmbH*. This is how the installer can see your Tesla Installation and disable your tesla remotely. Good idea to change this :\u003e\n\n|variable|value|\n|--------|-----|\n|Company|THC|\n|customer_id| 31337|\n|phone|0123456789|\n\n```\nGET api/config\nGET api/customer\nGET completed\nGET api/logout\n```\n\n---\n**Hacking Environment**\n\nA list of some tips and tricks. Some parts are optional and not needed to hack the PW.\n\nPart 1:\nPlace the PW on its own dedicated network behind a linux router. This will allow us to capture all network traffic between the PW and the Internet. \n\nPart 2:\nRun the PW-UI Wizard and write down all values. Disable GSM to prevent any further firmware upgrade and to prevent Tesla from fiddling with your PW.\n\nPart 3:\nWe use the web browser ‘Mozilla’. Go to “about:config\" and delete the value in ‘network.http.accept-encoding’. This will make it easier to read captured network traffic between our browser and the PW:\n\n![disable-encoding](images/disable-encoding.png)\n\nPart 4:\nIn Mozilla open the Network Monitor by pressing ‘Cmd+Opt+E’ (Windows: Ctrl+Shift+E). That's all it takes these days. This will allow us to inspect every request to the PW UI and read the response.\n\n![network-console](images/network-console.png)\n\n---\n**Backup Gateway**\n\nA normal Tesla PW installation comes with TESLA's standard gateway. However, the Tesla PW can also be installed with the much larger 'Backup Gateway'. The Backup Gateway makes the above gateway redundant and adds other features to the PW, such as powering the house in case of a grid failure.\n\nThe Backup Gateway seems to have better security. The wifi password seems to be more random and is printed on a sticker inside the lid. The installer password can only be reset with physical access to the PW (toggle the on/off switch).\n\nThis is encouraging. Hopefully those changes will make it into TESLA's standard gateway.\n\nSome random infos:\n```\nPORT      STATE SERVICE\n22/tcp    open  ssh\n53/tcp    open  domain\n80/tcp    open  http\n443/tcp   open  https\n8306/tcp  open  unknown\n29810/tcp open  unknown\n```\n\nhec-updater has been renamed to teg-updated:\n```\nConnection to 192.168.91.1 port 8306 [tcp/*] succeeded!\nWelcome to Model S teg-updater ONLINE Built for Package Version: 19.35.0 (84d72242c0ee9133 @ 201ec5963d8c1838f40b4d982d9a008399d021a7) up 1150818.940038000s!\n\u003e status\nExecutable: /deploy/teg-updater, personality: teg-updater, hash 84d72242c0ee9133, built for package version: 19.35.0\nuptime: 1150826.911056625s\n\n/proc/uptime:\n1150765.55 904594.39\n\ncurrent bootdata Contents: 0xef 0xbe 0xad 0xde 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x40 0x90 0x1e 0x09 0x40 0xb0 0x29 0x09 0x00 0x00 0x00 0x00 0x31 0x31 0x35 0x32 0x31 0x30 0x30 0x2d 0x30 0x33 0x2d 0x45 0x2d 0x2d 0x54 0x47 0x31 0x31 0x39 0x30 0x39 0x33 0x30 0x30 0x31 0x43 0x4d 0x34 0x00 0x00 0x00 0x00\nPattern:             0xdeadbeef\nOnline boot bank:    KERNEL_B\nOnline fail count:        0\nOnline dot-model-s size:  153727040\nOffline boot bank:        KERNEL_A\nOffline fail count:       0\nOffline dot-model-s size: 152997952\nMCU Board Revision:\nSerial Number:  1152100-03-E--TG119093nnnnnn\nFused: 1\nOverride-version: 0\n\nrunning_in_recovery_partition = 0\ninstalled_firmware_signature = /xeSvkWXSFK7vkT5S/spflhBLyVos8KE3ctYRlS3DHjkdSohHpOMuMjV1IFjBOEVHrIZDMVti0Y3m6rxZVTpBA==\noffline_firmware_signature = yMChUjgg5tF6DS2snMGoxm62eR5ftrUFbex/PviN2o8HOLGJxZm2tOwjNEs2JHV1aFJ4BLDiX1uZgifDXY/NBA==\nstaged_update = no\ngateway_needs_update = no\n\nEND STATUS\n```\n\nAt Your Service,\n\n**The Hacker's Choice  \n\\*\\*\\* Berlin Branch \\*\\*\\***\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackerschoice%2Fthc-tesla-powerwall2-hack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackerschoice%2Fthc-tesla-powerwall2-hack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackerschoice%2Fthc-tesla-powerwall2-hack/lists"}