A proof-of-concept exploit has been published for a critical flaw in the secure boot process of the Nothing Phone (2a) and CMF Phone 1.
This exploit can break the chain of trust and allow full code execution at the highest privilege level, posing a severe risk to device security.
Vulnerability Overview
A logic flaw in the MediaTek secure boot chain affects the Nothing Phone (2a) and likely other MediaTek devices.
When the device’s bootloader is unlocked, the Preloader skips the verification of the bl2_ext partition.
This partition is supposed to verify all subsequent boot stages, but because of the flaw it is itself never checked.
By exploiting this gap, an attacker can run arbitrary code at EL3, the highest privilege level in the system, and disable the secure boot chain after Preloader execution.
Technical Details and PoC Code
The published proof-of-concept, named fenrir, patches the function sec_get_vfy_policy() in bl2_ext to always return zero.
This bypasses the authentication policy and allows any boot image to load without checks. The exploit also spoofs the device’s lock state to appear locked, so integrity checks that depend on the lock state pass even though the device remains unlocked.
The PoC includes Python, C, and shell scripts to automate the patching and flashing process.
- Build Process:
  - Place the original bootloader image in bin/[device].bin
  - Run ./build.sh pacman (or supply a custom path)
  - This produces a patched file named lk.patched
- Flashing:
  - Use ./flash.sh to upload the patched image to the device via fastboot
  - If fastboot is unavailable, alternative flashing methods may be required
The PoC also registers custom fastboot commands and can dynamically call built-in bootloader functions.
However, memory modification at runtime currently triggers MMU faults and remains a work in progress.
Impact and Mitigation
This vulnerability undermines the entire chain of trust on affected devices. Once exploited, attackers can install unauthorized operating systems or manipulate firmware without detection.
The flaw has been confirmed on the Nothing Phone (2a) and CMF Phone 1, and preliminary testing suggests other MediaTek-based phones like the Vivo X80 Pro may also be at risk.
Users should avoid unlocking their bootloaders until an official patch is released. Device makers and chipset vendors must update the secure boot verification to enforce checks on bl2_ext even when unlocked.
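To make the policy flaw described above and the fix called for here concrete, the following is an added C model written for this article; it is not code from the fenrir repository or from MediaTek firmware. The stage names, the flawed_policy, hardened_policy and run_chain functions, and the two image scenarios are constructed assumptions. It shows why skipping verification of the verifier stage silently defeats every check after it, and why verifying bl2_ext regardless of lock state still leaves an unlocked device free to boot a custom OS.

```c
#include <stdbool.h>

/* Hypothetical model of the boot-chain policy; not fenrir or MediaTek code. */
enum stage { STAGE_BL2_EXT = 0, STAGE_LK, STAGE_KERNEL, STAGE_COUNT };
enum lock_state { LOCKED = 0, UNLOCKED = 1 };
struct image {
    bool signature_ok;      /* image verifies against the vendor key */
    bool tampered_verifier; /* a modified bl2_ext that approves everything */
};
typedef bool (*verify_policy)(enum stage s, enum lock_state lock);

/* Flawed policy, modelled on the reported behaviour: an unlocked device
 * verifies nothing, bl2_ext included. */
bool flawed_policy(enum stage s, enum lock_state lock) {
    (void)s;
    return lock == LOCKED;
}

/* Hardened policy: bl2_ext is vendor code and is always verified; only the
 * stages after it are relaxed by an unlock, so a custom OS still boots. */
bool hardened_policy(enum stage s, enum lock_state lock) {
    return s == STAGE_BL2_EXT || lock == LOCKED;
}

struct boot_result {
    bool booted;
    bool verifier_trusted;         /* the bl2_ext that ran is the vendor's */
    enum lock_state reported_lock; /* lock state the final stage is told */
};
struct boot_result run_chain(verify_policy policy, enum lock_state fused_lock,
                             const struct image imgs[STAGE_COUNT]) {
    struct boot_result r = { true, true, fused_lock };
    for (int s = 0; s < STAGE_COUNT; s++) {
        /* Once the verifier is compromised, every later check is a no-op. */
        bool must_verify = r.verifier_trusted && policy((enum stage)s, fused_lock);
        if (must_verify && !imgs[s].signature_ok) {
            r.booted = false; /* an honest verifier rejects the image */
            return r;
        }
        if (s == STAGE_BL2_EXT && !must_verify && imgs[s].tampered_verifier) {
            r.verifier_trusted = false;
            r.reported_lock = LOCKED; /* spoofed: downstream is told "locked" */
        }
    }
    return r;
}

/* Constructed scenarios (not real images): a modified bl2_ext with unsigned
 * later stages, and a stock signed bl2_ext with an unsigned custom OS. */
const struct image TAMPERED_CHAIN[STAGE_COUNT] = {{0, 1}, {0, 0}, {0, 0}};
const struct image STOCK_BL2EXT_CUSTOM_OS[STAGE_COUNT] = {{1, 0}, {0, 0}, {0, 0}};
```

Under the flawed policy an unlocked device boots the tampered chain and reports itself as locked; under the hardened policy the same images are rejected, while a signed bl2_ext followed by an unsigned OS still boots and reports the true lock state.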
Security teams should monitor for unauthorized flashing activity and advise end users to re-lock their bootloaders once official updates are applied.
The full PoC repository, including detailed explanations, scripts, and usage instructions, is available under the AGPL-3.0 license on GitHub.
Security researchers and device vendors are urged to review the code and integrate proper verification measures to restore a secure boot chain.