Researchers bypass the Tesla AW-CU300 Wall Connector anti-downgrade ratchet by committing the partition layout with a valid firmware, then overwriting the slot with an old signed image before rebooting.
Key Takeaways
The anti-downgrade ratchet lives entirely in switch_to_new_firmware() (UDS routine 0x201); the bootloader only checks magic header, CRC32, and RSA signature, never the ratchet value.
The bypass calls routine 0xFF00 twice: the first pass writes a current firmware and commits the partition layout via 0x201; the second pass erases that firmware and replaces it with the old, still validly signed 0.8.58 image without calling 0x201 again.
g_boot_flags is set at boot and never updated mid-session, so the same physical slot is always selected as passive, making the double-write reliable.
Full exploit runs over Single-Wire CAN at 33.3 kbps in ~30 minutes; two full firmware images must be transferred, then the original Pwn2Own chain (Wi-Fi credential leak, telnet, buffer overflow) applies.
Fix options noted: enforce ratchet in the bootloader, invalidate the partition layout on slot erase, or force reboot after 0x201 succeeds. Tesla patched this in a subsequent OTA update.
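To make the ordering problem concrete, the following is an added model (not Tesla's code and not the researchers' tooling) of the update flow as the takeaways above describe it: a two-slot device whose ratchet is checked only in switch_to_new_firmware(), whose passive slot is fixed for the whole session, and whose bootloader checks only image validity. The three flag names, the slot layout and the version numbers (100 for a current image, 58 for 0.8.58) are constructed; each flag turns on one of the fix options noted, and double_write() returns the version that ends up running after the commit-then-overwrite sequence.

```python
from dataclasses import dataclass, field

@dataclass
class Image:
    version: int           # e.g. 58 for 0.8.58 (constructed numbering)
    signed: bool = True    # stands in for the magic-header, CRC32 and RSA checks

@dataclass
class Device:
    ratchet_in_bootloader: bool = False        # fix 1
    invalidate_layout_on_erase: bool = False   # fix 2
    reboot_after_switch: bool = False          # fix 3 (all False = vulnerable design)
    slots: list = field(default_factory=lambda: [Image(100), None])
    active: int = 0        # running slot; passive is 1 - active, fixed by g_boot_flags at boot
    committed: int = 0     # partition layout: the slot the bootloader will load
    ratchet: int = 100     # minimum accepted version (storage location is an assumption)

    def erase_and_write(self, img: Image) -> None:
        """Routine 0xFF00: erase the passive slot and write an image into it."""
        passive = 1 - self.active
        if self.invalidate_layout_on_erase and self.committed == passive:
            self.committed = self.active   # fix 2: layout must not point at an erased slot
        self.slots[passive] = img

    def switch_to_new_firmware(self) -> bool:
        """Routine 0x201: in the vulnerable design, the only place the ratchet is checked."""
        img = self.slots[1 - self.active]
        if img is None or not img.signed or img.version < self.ratchet:
            return False
        self.committed = 1 - self.active
        if self.reboot_after_switch:       # fix 3: no window in which to overwrite the slot
            self.reboot()
        return True

    def reboot(self) -> None:
        """Bootloader: magic/CRC32/RSA (modelled as `signed`); ratchet only with fix 1."""
        img = self.slots[self.committed]
        ok = img is not None and img.signed
        if self.ratchet_in_bootloader and ok:  # fix 1: check where 0x201 cannot be skipped
            ok = img.version >= self.ratchet
        if ok:                                 # a rejected image leaves the old slot running
            self.active = self.committed

def double_write(**fixes) -> int:
    """The sequence from the write-up; returns the version running after reboot."""
    dev = Device(**fixes)
    dev.erase_and_write(Image(100))       # pass 1: current firmware
    dev.switch_to_new_firmware()          # 0x201 commits the passive slot
    dev.erase_and_write(Image(58))        # pass 2: old but validly signed image, no 0x201
    dev.reboot()
    return dev.slots[dev.active].version
```

With no fix enabled the model boots version 58; enabling any one of the three flags leaves version 100 running, which is the property a patched device should preserve in a bench regression test.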