Scoopfeeds — Intelligent news, curated.

Tesla Wall Connector bootloader bypasses the firmware downgrade ratchet

Hacker News · May 14, 2026, 8:41 PM

Key takeaways

  • In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025.
  • Tesla then shipped a firmware update that adds an anti-downgrade check to the update routine.
  • This is one of those vulnerabilities you find by hand, with a coffee, an IDA window, and zero help from a language model.

In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025. The exploit chain relied on a simple fact: there was no anti-downgrade mechanism. Once we could speak UDS over the charging cable, we could just write an old, vulnerable firmware to the passive slot, reboot, and pop the debug shell.

Tesla then shipped a firmware update that adds an anti-downgrade check to the update routine. Every firmware image now carries a security ratchet value, and the updater refuses any image whose ratchet is lower than the one stored on the device.

This second article describes how the anti-downgrade check works and how we bypassed it by abusing the order of operations between the partition table write and the slot erase, which let us replay the original Pwn2Own attack on a fully up-to-date charger.

Article preview — originally published by Hacker News. Full story at the source.