HeadlinesBriefing.com

Security Researchers Bypass Tesla Wall Connector Firmware Downgrade Protection

Hacker News
Tesla's Wall Connector EV charger includes anti-downgrade protection to prevent attackers from installing vulnerable older firmware versions. The system uses a security ratchet that checks firmware versions during updates via UDS routine 0x201, refusing to activate images older than the one currently installed.

However, researchers discovered that the bootloader itself performs no ratchet validation; it only verifies signatures and CRCs. This creates a bypass opportunity: upload a valid current firmware to establish the partition layout, then re-prepare the same slot with vulnerable older firmware without triggering the ratchet check.

The bypass relies on how Tesla's dual-slot firmware system operates. First, a recent signed firmware is written and validated through routine 0x201, which updates the partition table's generation counter. Then routine 0xFF00 re-erases that same physical slot while preserving the partition table. Finally, the older firmware is loaded into the now-empty slot and boots successfully, because the bootloader trusts the partition layout rather than the ratchet value.
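The design point in the three steps above is where the ratchet is enforced: in the update routine, but not in the component that actually selects and boots an image. The following toy model is an added illustration written for this summary, not Tesla's code or the researchers' tooling. The charger, its two routines, the image format, the HMAC-based "signature" and all version numbers are constructed stand-ins; the `raw_write` path models the article's "re-prepare the slot without triggering validation" step abstractly. It replays the described sequence against a bootloader that checks only signature and CRC, then against one that also enforces the ratchet at boot time, which is the mitigation a defender would want.

```python
"""Toy model of a dual-slot firmware update with an anti-downgrade ratchet.

Constructed illustration, not vendor code: routine numbers, versions, key and
image format are stand-ins chosen to show why a ratchet checked only by the
update routine (and not by the bootloader) can be bypassed by the
prepare / re-erase / rewrite sequence, and how a boot-time check closes it.
"""
import hashlib
import hmac
import zlib
from dataclasses import dataclass, field
from typing import Optional

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor signing key


@dataclass
class Image:
    version: int
    payload: bytes
    crc: int
    sig: bytes


def build_image(version: int, payload: bytes) -> Image:
    """Produce a validly 'signed' image; old vendor releases are signed too."""
    body = version.to_bytes(4, "big") + payload
    return Image(version, payload, zlib.crc32(body),
                 hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())


def image_ok(img: Image) -> bool:
    """Signature + CRC check: the only checks the vulnerable bootloader does."""
    body = img.version.to_bytes(4, "big") + img.payload
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return zlib.crc32(body) == img.crc and hmac.compare_digest(expected, img.sig)


@dataclass
class Charger:
    slots: list = field(default_factory=lambda: [None, None])
    active: int = 0                    # slot the bootloader selects
    generation: int = 0                # partition-table generation counter
    ratchet: int = 0                   # highest version ever activated
    boot_enforces_ratchet: bool = False

    def routine_0x201(self, img: Image) -> bool:
        """Update routine: signature/CRC check plus the ratchet check."""
        if not image_ok(img) or img.version < self.ratchet:
            return False
        target = 1 - self.active
        self.slots[target] = img
        self.active = target
        self.generation += 1
        self.ratchet = img.version
        return True

    def routine_0xff00(self, slot: int) -> None:
        """Re-erase a slot but keep the partition table (active slot, generation)."""
        self.slots[slot] = None

    def raw_write(self, slot: int, img: Image) -> None:
        """Modelled gap: a prepared, empty slot accepts an image with no ratchet check."""
        if self.slots[slot] is None:
            self.slots[slot] = img

    def boot(self) -> Optional[int]:
        """Return the version that boots, or None if the bootloader refuses."""
        img = self.slots[self.active]
        if img is None or not image_ok(img):
            return None
        if self.boot_enforces_ratchet and img.version < self.ratchet:
            return None              # hardened: ratchet enforced where images are selected
        return img.version


def downgrade_sequence(enforce_at_boot: bool) -> Optional[int]:
    """Replay the described sequence; return the version that ends up booting."""
    c = Charger(boot_enforces_ratchet=enforce_at_boot)
    current, old = build_image(24, b"current"), build_image(17, b"old")
    assert c.routine_0x201(current)        # 1. legitimate update, ratchet -> 24
    assert not c.routine_0x201(old)        # the update path does refuse the old image
    c.routine_0xff00(c.active)             # 2. re-erase the active slot, table intact
    c.raw_write(c.active, old)             # 3. old signed image into the empty slot
    return c.boot()


if __name__ == "__main__":
    print("signature/CRC-only bootloader boots:", downgrade_sequence(False))  # 17
    print("ratchet-enforcing bootloader boots:", downgrade_sequence(True))    # None
```

The model keeps the ratchet on the `Charger` object so that the re-erase routine cannot clear it; in a real device the equivalent is storing the minimum allowed version in storage the update routines cannot reset (a monotonic counter or fuses) and having the bootloader compare every candidate image against it before handing over control. Signature and CRC alone only prove an image is genuine, not that it is current.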

This Tesla Wall Connector vulnerability demonstrates how complex firmware update chains can have unexpected gaps. The attack requires physical CAN bus access and approximately 30 minutes to execute, potentially allowing downgrade to versions with known exploits like those from Pwn2Own competitions.