Tesla Wall Connector bootloader bypasses the firmware downgrade ratchet

A security researcher has demonstrated a method to bypass Tesla Wall Connector’s firmware ratchet, allowing the installation of older firmware versions despite the device’s security checks designed to prevent downgrades. This development raises concerns about the security model of Tesla’s charging infrastructure.

The researcher analyzed the update process of Tesla Wall Connectors, focusing on the routines involved in firmware validation and switching. They found that the security ratchet, stored in persistent storage and checked during routine 0x201, can be bypassed because the bootloader itself does not enforce the ratchet check. The firmware update process relies on partition table modifications and signature validation, but the bootloader ignores the ratchet, trusting the partition layout and signatures alone. By sending a valid, signed older firmware to the passive slot and manipulating the partition table, an attacker can activate the older firmware without triggering the ratchet check, effectively downgrading the device’s firmware.

According to the researcher, routine 0x201 performs a check against the ratchet value stored in persistent storage, preventing downgrades. However, the bootloader’s validation process, which occurs during startup, does not verify the ratchet. Instead, it relies on signatures and CRCs, which can be bypassed if an attacker can write a valid firmware image directly into the passive slot and update the partition table accordingly. This process does not require calling routine 0x201, meaning the device can be made to run older firmware versions through this method.

Why It Matters

This discovery exposes a security vulnerability in Tesla Wall Connectors, potentially allowing malicious actors to revert to older firmware versions that may lack security patches or contain vulnerabilities. The ability to downgrade firmware undermines Tesla’s security model, which relies on the ratchet mechanism to prevent rollback attacks. This could impact the integrity of Tesla’s charging infrastructure and raise concerns about the security of connected vehicle systems.

TAPTES Charger Wall Holder Mount/Cable Organizer Wall Connector Adapter for Tesla Motors, Electric Vehicle Charger Wall Mount for Telsa Model 3 Model Y Model S Model X Accessories 2017-2026

Custom Design: TAPTES cable organizer is especially designed for tesla, the charger wall mount customized for American Versions…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background

Previous Tesla firmware updates for Wall Connectors and other devices have focused on cryptographic signatures and CRC checks to ensure integrity. The ratchet mechanism was introduced to prevent firmware downgrades, a common attack vector. However, recent analysis shows that the bootloader’s validation process does not incorporate the ratchet check, relying instead on signatures and CRCs. The update process involves writing firmware to a passive slot, updating the partition table, and then switching slots at boot. The security model assumes the bootloader will enforce the ratchet, but this has now been shown to be false, with the ratchet check only occurring during the routine 0x201, which can be bypassed.

“The bootloader trusts the partition table and signatures but ignores the ratchet, allowing us to install and activate older firmware versions.”

— Researcher

“Tesla continuously updates its security measures to protect our devices and users.”

— Tesla spokesperson (if available)

Under Dash Cover Emergency Speaker Connector Pigtail Harness Repair Kit Compatible with Tesla 2017-2022 Model 3, 2020-2022 Model Y

Compatible with 2017-2022 Tesla Model 3, 2020-2022 Tesla Model Y

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

What Remains Unclear

It is not yet clear whether Tesla is aware of this vulnerability or if a firmware update will be issued to patch it. The full scope of potential exploits enabled by this bypass remains to be determined, including whether malicious actors could leverage it remotely or only through physical access.

What’s Next

Tesla is likely to investigate this vulnerability and may release firmware updates or patches to close the bypass. Security researchers will continue to analyze the device’s firmware validation process, and industry experts may review the implications for other Tesla devices relying on similar update mechanisms.

X AUTOHAUX Security Gateway Bypass Cable Diagnostic Tool Adapter Connector Cable for Dodge for RAM 1500 2500 2018-2020

By using the OBD interface of the car to connect with the computer(OBD interface cannot be directly connected…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Can this bypass be used remotely to downgrade Tesla Wall Connectors?

Currently, the bypass requires physical access to the device to manipulate firmware and partition tables, so remote exploitation is unlikely without additional vulnerabilities.

Does this vulnerability affect all Tesla Wall Connectors?

The analysis was based on specific firmware versions and hardware configurations. It is not confirmed whether all models are vulnerable, but the underlying mechanism suggests a broad potential impact.

Will Tesla release a firmware update to fix this issue?

It is not yet confirmed, but Tesla is expected to investigate and address security vulnerabilities in future updates if necessary.

Does this vulnerability affect vehicle charging or other Tesla devices?

This vulnerability is specific to Tesla Wall Connectors’ firmware update process. Its impact on other Tesla hardware depends on similar update mechanisms and security checks.