Title: TEDAPI v1 and v1r both blocked on BGW2 + PW3 combo, firmware 26.2.1 — AP subnet workaround does not resolve
Note: I have read #165. The recommended workaround (connecting directly to the Powerwall WiFi AP) does not resolve the issue — GET /tedapi/din with credentials returns the same 403 from a phone connected to TeslaPW_XXXXXX (192.168.91.1). This appears to be new behavior specific to firmware 26.2.1 and/or the BGW2 + PW3 hardware combination.
Hardware
- Tesla Powerwall 3 (PW3)
- Backup Gateway 2 (BGW2)
- Firmware: 26.2.1 (a7456b0a)
- pypowerwall: 0.15.4
Network topology
- BGW2 WiFi IP on home LAN: 192.168.68.156
- BGW2 internal ethernet IP (Tesla internal network): 192.168.90.2
- PW3 WiFi AP SSID: TeslaPW_XXXXXX (192.168.91.x subnet)
- Test machine: Ubuntu host on 192.168.68.0/24 with static route added for 192.168.90.0/24 via 192.168.68.156
TEDAPI v1 — results
Tested GET /tedapi/din with HTTP Basic Auth (username: Tesla_Energy_Device, gateway password from PW3 QR sticker) against all reachable IPs:
- 192.168.68.156 (BGW2 home WiFi): HTTP 403 {"code":403,"error":"Unable to GET to resource","message":"User does not have adequate access rights"}
- 192.168.90.2 (BGW2 internal ethernet, reached via static route): HTTP 403 same message
- 192.168.91.1 (from phone connected to TeslaPW_XXXXXX AP, credentials embedded in URL): HTTP 403 same message
Also tested with BGW2 sticker password — same result on all IPs.
The Tesla One app connects successfully to the local gateway using the SSID and sticker password, confirming the credentials are correct. The 403 is consistent across all network paths including from the AP subnet itself at 192.168.91.1.
TEDAPI v1r — results
RSA-4096 keypair generated and registered via Fleet API (python -m pypowerwall register, Fleet API path, EU region). Registration completed successfully — key state returned as VERIFIED.
Tested TEDAPI(..., v1r=True, password=pw3_password, rsa_key_path=...) and TEDAPI(..., v1r=True, password=bgw2_password, rsa_key_path=...) against both 192.168.90.2 and 192.168.68.156.
All four combinations returned:
v1r login failed (401): {"code":401,"error":"bad credentials","message":"Login Error"}
The v1r login POSTs to /api/login/Basic with username: customer. The local customer password set during commissioning is not known. Multiple candidates were tested (both sticker passwords, TSN variations, common defaults including "customer" and "S3cur1ty1") — all 401.
Conclusion
TEDAPI v1 returns 403 "adequate access rights" from every network path including the AP subnet at 192.168.91.1 with correct credentials. TEDAPI v1r cannot proceed past /api/login/Basic. pypowerwall correctly detects PW3: True on connection. No local telemetry is accessible via any known method on this firmware/hardware combination.
Is BGW2 + PW3 on firmware 26.x a known unsupported configuration? Any guidance on what auth mechanism the Tesla One app uses for local access on this firmware would be helpful.