Tesla Wall Connector bootloader bypasses the firmware downgrade ratchet
This article dissects how the anti-downgrade "ratchet" in Tesla's Wall Connector can be bypassed, an exploit that stems from a disconnect between what the firmware updater checks and what the bootloader checks. It shows that an attacker with physical access can load older, vulnerable firmware onto the device despite the built-in protection. The Hacker News community is engaged by this security flaw, with debate over device ownership, physical security, and the practical frustrations of smart home hardware.
The Lowdown
This follow-up article details a sophisticated method to bypass Tesla's anti-downgrade mechanism on its Wall Connectors, effectively allowing an attacker with physical access to load older firmware. The exploit cleverly leverages a crucial difference in how the firmware updater and the bootloader enforce security, creating a window for manipulation.
- Tesla introduced a "security ratchet" in firmware version 24.44.3 to prevent downgrades, so that only signed firmware at or above the ratchet version can be installed. The check is performed by check_image_and_antidowngrade() within the updater routine (command 0x201).
- Crucially, the boot2 bootloader, which starts the device and is separate from the updater, does not check the ratchet. It verifies only magic headers, CRCs, and RSA signatures.
- The bypass is a four-step sequence. First, a new, valid firmware image is sent and 0x201 is run, which updates the partition layout to mark that slot as the next to boot. Second, without rebooting, the same physical slot is re-initialized with 0xFF00, erasing the just-validated image. Third, an old, vulnerable but still signed image is written to the now-empty slot. Finally, a reboot is triggered with 0x202, so the old image never passes through the 0x201 routine.
- On reboot, the bootloader follows the updated partition layout, finds the old image in the active slot, verifies its signature, and boots it, circumventing the intended anti-downgrade check.
- Downgrading to a susceptible version re-exposes previously patched vulnerabilities, such as those that leaked Wi-Fi credentials or gave access to a debug shell.
The researchers reported this vulnerability to Tesla, which has since deployed a fix via over-the-air (OTA) updates. They suggest several mitigations, including enforcing the ratchet directly in the bootloader, invalidating partition layouts upon slot erasure, or forcing reboots after successful updates.
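The four-step sequence and two of the suggested mitigations, as an added toy model in C. This is not Tesla's code or the researchers' code: the command numbers 0x201, 0xFF00 and 0x202, the name of the ratchet check and the boot2 behaviour come from the article, while the two-slot layout, the numeric version encoding, the CRC-32 and the XOR "signature" standing in for RSA are assumptions made for the example.

```c
/* Toy model of the updater/bootloader split; constructed for illustration, not Tesla's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_MAGIC   0x57434E54u  /* constructed magic value */
#define SIGN_SECRET 0x5A17C0DEu  /* constructed; stands in for the RSA private key */
#define NSLOTS      2
/* Assumed version encoding: 24.44.3 -> 244403, so a numeric compare follows release order. */
#define VER(a, b, c) ((uint32_t)(a) * 10000u + (uint32_t)(b) * 100u + (uint32_t)(c))

typedef struct {
    uint32_t magic;
    uint32_t version;
    uint32_t crc;  /* CRC-32 over magic and version */
    uint32_t sig;  /* toy signature over crc; stands in for the RSA signature */
} image_t;

typedef struct {
    image_t  slot[NSLOTS];
    int      running;             /* slot the current firmware booted from */
    int      next_boot;           /* "partition layout": slot boot2 starts next */
    uint32_t ratchet;             /* lowest version 0x201 accepts (floor set by 24.44.3) */
    bool     ratchet_in_boot2;    /* mitigation: bootloader enforces the ratchet too */
    bool     invalidate_on_erase; /* mitigation: erasing the next-boot slot resets the layout */
} device_t;

static uint32_t crc32_buf(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Vendor side: build a correctly signed image of the given version. */
image_t sign_image(uint32_t version) {
    image_t img = { IMG_MAGIC, version, 0, 0 };
    img.crc = crc32_buf(&img, 2 * sizeof(uint32_t));
    img.sig = img.crc ^ SIGN_SECRET;
    return img;
}

/* boot2's checks: magic, CRC, signature. The ratchet is consulted only when the mitigation is on. */
static bool boot2_image_ok(const device_t *d, const image_t *img) {
    if (img->magic != IMG_MAGIC || img->crc != crc32_buf(img, 2 * sizeof(uint32_t))) return false;
    if (img->sig != (img->crc ^ SIGN_SECRET)) return false;
    return !(d->ratchet_in_boot2 && img->version < d->ratchet);
}

/* Raw write of image data into a slot; nothing is checked here. */
void cmd_write_image(device_t *d, int slot, const image_t *img) { d->slot[slot] = *img; }

/* 0x201: check_image_and_antidowngrade(), then mark the slot as next to boot. */
int cmd_0x201_update(device_t *d, int slot) {
    const image_t *img = &d->slot[slot];
    if (!boot2_image_ok(d, img)) return -1;    /* same header/CRC/signature checks as boot2 */
    if (img->version < d->ratchet) return -1;  /* the anti-downgrade check boot2 lacks */
    d->next_boot = slot;
    return 0;
}

/* 0xFF00: re-initialise a slot. The vulnerable behaviour leaves next_boot pointing at it. */
void cmd_0xff00_erase(device_t *d, int slot) {
    memset(&d->slot[slot], 0xFF, sizeof(image_t));  /* erased flash reads as 0xFF */
    if (d->invalidate_on_erase && d->next_boot == slot) d->next_boot = d->running;
}

/* 0x202: reboot. boot2 tries next_boot, then the running slot. Returns the booted version, 0 if none. */
uint32_t cmd_0x202_reboot(device_t *d) {
    int order[2] = { d->next_boot, d->running };
    for (int i = 0; i < 2; i++) {
        if (boot2_image_ok(d, &d->slot[order[i]])) {
            d->running = order[i];
            return d->slot[order[i]].version;
        }
    }
    return 0;
}

/* The article's four steps against a device running 24.44.3 in slot 0. Returns the version that boots. */
uint32_t run_downgrade(bool ratchet_in_boot2, bool invalidate_on_erase) {
    device_t d = {0};                            /* slot 0 is both running and next_boot */
    d.slot[0] = sign_image(VER(24, 44, 3));
    d.ratchet = VER(24, 44, 3);
    d.ratchet_in_boot2 = ratchet_in_boot2;
    d.invalidate_on_erase = invalidate_on_erase;
    image_t newer = sign_image(VER(25, 2, 0));   /* constructed: a newer signed build */
    image_t older = sign_image(VER(24, 30, 1));  /* constructed: an older, still-signed build */

    cmd_write_image(&d, 1, &newer);              /* 1. stage a valid new image in slot 1 ... */
    if (cmd_0x201_update(&d, 1) != 0) return 0;  /*    ... and have 0x201 mark it next to boot */
    cmd_0xff00_erase(&d, 1);                     /* 2. without rebooting, erase that same slot */
    cmd_write_image(&d, 1, &older);              /* 3. drop in the old signed image, skipping 0x201 */
    return cmd_0x202_reboot(&d);                 /* 4. reboot straight into boot2 */
}

int main(void) {
    printf("stock boot2 boots %u, ratchet-in-boot2 boots %u, invalidate-on-erase boots %u\n",
           (unsigned)run_downgrade(false, false), (unsigned)run_downgrade(true, false),
           (unsigned)run_downgrade(false, true));
    return 0;
}
```

With stock behaviour the old 24.30.1 image boots because every check boot2 performs passes and the partition layout still points at slot 1. Either mitigation alone closes the sequence: enforcing the ratchet in boot2 makes it reject the old image and fall back to the running slot, and invalidating the layout on erase means slot 1 is never consulted. The third suggestion from the article, forcing a reboot immediately after a successful 0x201, removes step 2's window entirely and is not modelled here.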
The Gossip
Ownership's Open Questions: Hardware Hacking or Rightful Rule?
A core debate among commenters revolves around whether an owner's deliberate firmware downgrade constitutes a "hack" or simply exercising legitimate control over their purchased hardware. Some argue that an owner's actions on their own device shouldn't be termed a hack, while others emphasize the importance of defense-in-depth, even against those with physical access, to prevent more malicious actors from exploiting known vulnerabilities.
Connector Conundrums: Practicalities and Pains
Many users reveal practical motivations for wanting to bypass firmware restrictions. Common frustrations include the Wall Connector's persistent, non-disableable Wi-Fi access point, fragile Wi-Fi connectivity, and the desire to circumvent potential vehicle charging restrictions. Commenters highlight these issues as reasons for seeking greater control and customization over their devices.
Charging Chaos: Schedule Snafus and Billing Blunders
A notable tangent in the discussion concerns the reliability of charging schedules, particularly for Time of Use (TOU) billing. Users advise setting charging timers directly on the car rather than relying solely on the Wall Connector, as Wi-Fi loss can disrupt schedules. Confusion arose regarding whether this could lead to 'free charging' at public stations, which was quickly clarified as irrelevant for a home charging port.