Researchers find way to jailbreak Tesla’s software-locked features worth up to $15,000
A method to jailbreak these systems and run any software has been devised by researchers from the Technical University of Berlin.
- Tech News
- 3 min read

Tesla is known for its technologically cutting-edge and highly integrated in-car computers, which can be utilised for everything from simple entertainment to fully autonomous driving. Earlier in the BlackHat, an attack briefed against modern AMD-based infotainment systems (MCU-Z) was found on all current vehicles.
A method to jailbreak these systems and run any software has been devised by researchers from the Technical University of Berlin. Additionally, the hack enables voltage glitching to activate software-locked features like seat heating and Acceleration Boost, which Tesla car customers generally have to pay for.
In its service network, Tesla uses this hardware-bound RSA key for vehicle authentication. According to security specialists at TU Berlin, the software-locked features in Electrek's report are worth $15,000.
Researchers find ways to jailbreak AMD-based infotainment systems
Researchers were able to hack into the infotainment system by using methods they developed in earlier research on AMD. These methods could be used to inject faults into the system, which could then be used to steal information from the platform. Tesla's infotainment system is powered by a weak AMD Zen 1 CPU, which has previously been identified as having security vulnerabilities. This means that researchers may be able to exploit these vulnerabilities to jailbreak the system and gain unauthorized access.
Advertisement
The researcher’s brief BlackHat report says, “For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system.”
“First, we present how we used low-cost, off-the-self hardware to mount the glitching attack to subvert the ASP’s early boot code. We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distributions," he added.
Advertisement
Furthermore, the owner's personal information, phonebook, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords, and places visited were all accessible and decryptable via the car's system.
An attacker may use the jailbreak to retrieve the TPM-protected attestation key that Tesla uses to authenticate the vehicle verify the dependability of its hardware platform and transfer it to another vehicle.
In addition to car ID impersonation on Tesla's network, researchers suggest that this might help with operating the car in unsupported zones, performing independent repairs, and customising it.
A soldering iron and $100 worth of electrical parts, such as the Teensy 4.0 board, should be enough to jailbreak a Tesla's infotainment system, according to one of the researchers, Christian Werling.
Christian Werling told BleepingComputer, “Tesla informed us that our proof of concept enabling the rear seat heaters was based on an old firmware version. In newer versions, updates to this configuration item are only possible with a valid signature by Tesla (and checked/enforced by the Gateway).”
“So while our attacks lay some important groundwork for tinkering with the overall system, another software or hardware-based exploit of the Gateway would be necessary to enable the rear seat heaters or any other soft-locked feature," she added.
According to the researcher, the most recent Tesla software update still allows for the key extraction attack, proving that the vulnerability is still exploitable.
According to the researcher, the most recent Tesla software update still allows for the key extraction attack, proving that the vulnerability is still exploitable. Additionally, it has been claimed on certain news websites that the jailbreak can enable Full-Self Driving (FSD), although the researcher has stated that this is unreliable.