Tesla Wall Connector bootloader bypasses the firmware downgrade ratchet


TLDR

  • The AW-CU300 bootloader ignores the security ratchet, letting attackers load old signed firmware by committing the partition layout before overwriting the slot.

Key Takeaways

  • The anti-downgrade ratchet lives solely in switch_to_new_firmware() (UDS routine 0x201); the bootloader checks only RSA signature and CRC32, never firmware version.
  • Bypass sequence: flash valid firmware, call 0x201 to write partition layout, re-run 0xFF00 to erase that slot (g_boot_flags never updates mid-session), write old firmware, reboot.
  • The bootloader picks the highest gen_level slot from the partition table, which still points to the now-old-firmware slot, so version 0.8.58 boots without ever triggering the ratchet check.
  • Full exploit runs ~30 minutes over 33.3 kbps Single-Wire CAN; restores the original Pwn2Own chain: Wi-Fi credential leak, telnet shell, buffer overflow.
  • Fix options: enforce ratchet in bootloader, invalidate partition layout on slot erase, or force reboot after 0x201 succeeds. Tesla patched this in a subsequent OTA firmware update.
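To make the slot-selection gap and the first two fix options concrete, here is an added example that models the boot flow described above. It is a constructed two-slot bootloader model written for this page, not Tesla's or the write-up's code; the slot layout, the integer version numbers (1000, 1001, 900), the `fix` modes and all function names are assumptions. It replays the sequence from the takeaways (flash, commit, erase, overwrite, reboot) and shows which image the bootloader ends up selecting with no fix, with the partition layout invalidated on erase, and with the ratchet enforced in the bootloader.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed two-slot bootloader model (hypothetical, not the device's real code). */
#define SLOT_COUNT 2

enum { FIX_NONE = 0, FIX_INVALIDATE_ON_ERASE = 1, FIX_RATCHET_IN_BOOTLOADER = 2 };

typedef struct {
    int      gen_level;        /* partition-layout generation; highest wins at boot */
    uint32_t version;          /* firmware version as a comparable integer (constructed) */
    int      signature_valid;  /* result of the RSA + CRC32 check the bootloader does perform */
    int      erased;           /* 1 when the slot holds no image */
} slot_t;

typedef struct {
    slot_t   slots[SLOT_COUNT];
    uint32_t ratchet;          /* minimum accepted version, kept by the updater */
    int      fix;              /* which mitigation is active */
} device_t;

/* Bootloader slot selection: highest gen_level with a valid image.
 * With FIX_RATCHET_IN_BOOTLOADER it additionally refuses images below the ratchet. */
int boot_select(const device_t *d) {
    int best = -1;
    for (int i = 0; i < SLOT_COUNT; i++) {
        const slot_t *s = &d->slots[i];
        if (s->erased || !s->signature_valid) continue;
        if (d->fix == FIX_RATCHET_IN_BOOTLOADER && s->version < d->ratchet) continue;
        if (best < 0 || s->gen_level > d->slots[best].gen_level) best = i;
    }
    return best;
}

/* Updater commit step (modelled on switch_to_new_firmware / UDS 0x201): in the
 * vulnerable design this is the only place the version meets the ratchet. */
int switch_to_new_firmware(device_t *d, int slot) {
    slot_t *s = &d->slots[slot];
    if (s->erased || !s->signature_valid || s->version < d->ratchet) return -1;
    int max_gen = 0;
    for (int i = 0; i < SLOT_COUNT; i++)
        if (d->slots[i].gen_level > max_gen) max_gen = d->slots[i].gen_level;
    s->gen_level = max_gen + 1;   /* commit the layout: this slot now boots first */
    d->ratchet = s->version;
    return 0;
}

/* Erase step (modelled on 0xFF00). The vulnerable device leaves the committed
 * gen_level untouched; FIX_INVALIDATE_ON_ERASE drops it so the slot cannot be
 * selected again until it is re-committed. */
void erase_slot(device_t *d, int slot) {
    slot_t *s = &d->slots[slot];
    s->erased = 1; s->signature_valid = 0; s->version = 0;
    if (d->fix == FIX_INVALIDATE_ON_ERASE) s->gen_level = 0;
}

/* Write a correctly signed image, so the bootloader's signature/CRC check passes. */
void write_image(device_t *d, int slot, uint32_t version) {
    slot_t *s = &d->slots[slot];
    s->erased = 0; s->signature_valid = 1; s->version = version;
}

/* Replay the sequence from the write-up on the model and return the version the
 * bootloader would run, or 0 if it refuses to boot anything. */
uint32_t run_downgrade_scenario(int fix) {
    device_t d = {
        .slots = { { .gen_level = 1, .version = 1000, .signature_valid = 1, .erased = 0 },
                   { .gen_level = 0, .version = 0,    .signature_valid = 0, .erased = 1 } },
        .ratchet = 1000, .fix = fix };
    write_image(&d, 1, 1001);                          /* 1. flash current, valid firmware */
    if (switch_to_new_firmware(&d, 1) != 0) return 0;  /* 2. commit layout; ratchet -> 1001 */
    erase_slot(&d, 1);                                 /* 3. erase that slot again */
    write_image(&d, 1, 900);                           /* 4. write old, validly signed firmware */
    int b = boot_select(&d);                           /* 5. reboot */
    return b < 0 ? 0 : d.slots[b].version;
}

int main(void) {
    printf("no fix:                boots %u\n", (unsigned)run_downgrade_scenario(FIX_NONE));
    printf("invalidate on erase:   boots %u\n", (unsigned)run_downgrade_scenario(FIX_INVALIDATE_ON_ERASE));
    printf("ratchet in bootloader: boots %u (0 = refuses)\n", (unsigned)run_downgrade_scenario(FIX_RATCHET_IN_BOOTLOADER));
    return 0;
}
```

With no fix the bootloader still trusts the committed gen_level and runs the old image (900). Invalidating the layout on erase makes it fall back to the previously committed slot (1000). Enforcing the ratchet in the bootloader fails closed in this model: because the commit step raised the ratchet to 1001, neither remaining image is eligible, so a real design pairs that check with a recovery path. The third option from the takeaways, a forced reboot after 0x201 succeeds, is not modelled; it simply removes the window in which step 3 can happen within the same session.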

Hacker News Comment Review

  • Commenters noted that critical security logic concentrated in one updater function is a systemic design flaw; the bootloader’s indifference to ratchet values is the real gap.
  • Practical user frustration surfaced around the Gen 3 Wall Connector broadcasting a persistent TeslaWallConnector_<id> Wi-Fi SSID and ignoring charging schedules when offline, both tied to firmware behavior owners cannot easily control.
  • Grid-level risk from compromised EV chargers was raised: coordinated firmware manipulation across many units could cause significant unexpected grid load, though this applies broadly to networked chargers, not just Tesla.

Notable Comments

  • @spacebanana7: flags that 1 million EVs pulling 7 kW at wrong times could add 7 GW to the UK grid, enough to cause instability.
  • @culi: notes practical upside of downgrade: bypass Tesla vehicle restrictions and potentially enable J1772 compatibility for non-Tesla EVs.
