
Port forwarding for OTA updates

Airborne_Ape

Well-known member
First Name
Chad
Joined
Mar 19, 2021
Threads
1
Messages
120
Reaction score
154
Location
Atlantic Canada
Vehicles
2010, 2014, 2017, 2021 F150
I've had 4 successful OTA updates; each time they've occurred via the TCU.

Whenever the APIM resets I've noticed Wifi will turn itself back on and auto-connect to the home network. I'm fine with that, but it's a bit odd that every OTA update I've received happened after I specifically disabled the vehicle's wifi connection (for better or worse, Ford forces OTA updates over the TCU if the vehicle is not connected to wifi).

It may be a coincidence, but considering how inconsistent OTA updates are for so many owners I suspect firewall settings might be an issue for some of us. Does anyone know which TCP / UDP ports to open & forward to our vehicle or have suggestions on how to identify which ports our vehicles use?

How bad of an idea is it to place our vehicle in a virtual DMZ? Part of my brain says the truck is just another category of IoT devices and not to worry, but on the other hand it seems like too much of a compromise.

I would like to see an update work over wifi at least once.
 

Shoebox72069

Well-known member
Joined
Dec 3, 2021
Threads
4
Messages
138
Reaction score
64
Location
MN
Vehicles
2021 F150 Powerboost Lariat
I'm making a bit of an assumption here, but if I had to guess it's probably just 443/TCP to some API server. To any firewall device it would look like general web traffic.

I did some quick googling for a doc from Ford... but came across this from the MachE guys, I'm going to make another assumption this probably applies to us as well...

https://www.macheforum.com/site/threads/ota-updates-technical-info.4923/

I would also generally say that most people's (not saying yours is!) home wireless is terrible and probably why there is a higher degree of success over the LTE modem vs someone's wifi network. Do you think you have good reception from where your truck is vs where your wifi router/unit is at?

The easiest way is probably to run Wireshark on the network and just filter traffic by the MAC off of the wireless on the truck. OR if you have a fancier firewall (pfSense/OPNsense) you could filter/log the traffic as it egresses the firewall.

There are options, none of them I would consider easy. Probably Wireshark would be easiest but it's such a cluster to read.

If they actually release an OTA update at some point, I can look at my logged traffic and perhaps look...
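
The capture-and-filter-by-MAC approach suggested above, as an added example that is not part of any post in this thread: it reads a capture saved in classic pcap format and tallies the destination ports of IPv4 TCP/UDP frames sent by one source MAC. The MAC, the addresses and the sample capture are constructed for illustration; pcapng files, VLAN tags and IPv6 are not handled.

```python
import struct
from collections import Counter

def outbound_ports(pcap: bytes, device_mac: str) -> Counter:
    """Count (proto, dst_ip, dst_port) for IPv4 TCP/UDP frames sent by device_mac."""
    mac = bytes.fromhex(device_mac.replace(":", ""))
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    seen, off = Counter(), 24                      # records follow the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet: dst MAC, src MAC, EtherType. Keep IPv4 frames sent by the device.
        if len(frame) < 34 or frame[6:12] != mac or frame[12:14] != b"\x08\x00":
            continue
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]   # skip the IPv4 header (IHL words)
        if proto is None or fragment_offset or len(l4) < 4:
            continue                               # no port numbers to read
        dst_ip = ".".join(str(b) for b in frame[30:34])
        seen[(proto, dst_ip, struct.unpack("!H", l4[2:4])[0])] += 1
    return seen

def build_frame(src_mac, proto, dst_ip, dst_port):
    """Constructed test data: minimal Ethernet/IPv4 frame, checksums left at zero."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 168, 50, 20]), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHI", 50000, dst_port, 0)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

TRUCK_MAC = "02:00:00:aa:bb:cc"                    # constructed, not a real vehicle MAC
SAMPLE_PCAP = build_pcap(2 * [build_frame(TRUCK_MAC, 6, "203.0.113.10", 443)] + [
    build_frame(TRUCK_MAC, 17, "198.51.100.53", 53),
    build_frame("02:00:00:11:22:33", 6, "203.0.113.99", 8080),   # another device
])

if __name__ == "__main__":
    print(outbound_ports(SAMPLE_PCAP, TRUCK_MAC).most_common())
```

Flows that show up in this tally were initiated by the device itself; a stateful NAT router passes such outbound connections and their replies without any forwarded port.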
 
Airborne_Ape

True, my wifi is lousy even when at full strength with a regular device. I get that a strong connection doesn’t necessarily = high throughput, but I don’t think that would have a major impact since files are downloaded to the GWM before being installed to the target ECU.

I have 3 of 3 signal bars where it sits. The workshop manual says at least 2 signal bars are required for wifi OTA updates. Unfortunately it doesn’t specify a decibel threshold.

Filtering by MAC to identify ports seems like the easiest but I think I’ll create a separate network just for connecting my truck.

pfSense is a good option too. I appreciate the suggestion and started looking into it.
 

Shoebox72069

I'd think good signal would be the best indicator of successful update vs throughput/bandwidth.

Truck business aside, both solutions IMO are a million times better than any consumer option you'll find, even comes with sane defaults. I'd go OPNsense personally at this point but they are very similar.