Nothing Phone 2a Bootloader Exploit Working

A new exploit called Fenrir targets the Nothing Phone 2a, CMF Phone 1 & other MediaTek-powered devices. It takes advantage of a flaw in how the phone starts up, allowing full control over the device before Android even loads. Even after waiting for 1 month, Nothing ignored the developer's bootloader vulnerability report affecting CMF Phone 1 and Phone 2a and thus developer made it exploit public.

When you power on your phone, it goes through several steps to make sure everything is secure and untampered. This is called the secure boot chain. Each of these steps is trusted only if the previous one verifies it.

1. BootROM – The first code built into the chip. It loads the next part.
2. Preloader – Loads the next component, called bl2_ext, and normally checks it.
3. bl2_ext – This runs at the highest privilege level (EL3) and is supposed to check everything else.
4. TEE (Trusted Execution Environment) – Handles secure operations like fingerprint data and encryption.
5. GenieZone – A MediaTek component that manages access to the secure system.
6. LK / AEE – Boots the Android operating system and handles crash logging.
7. Linux Kernel – This is Android. The phone is now fully booted.

This exploit abuses a flaw in the MediaTek boot chain. When the bootloader is unlocked (seccfg), the Preloader skips verification of the bl2_ext partition, even though bl2_ext is responsible for verifying everything that comes after it. So if bl2_ext it's not verified and can be modified, it compromises the entire secure boot process. The exploit modifies a function called sec_get_vfy_policy() inside bl2_ext, making it always return "0", so an unverified bl2_ext running at EL3 now happily loads unverified images for the rest of the boot chain.

Additionally, the included PoC also spoofs the device’s lock state as locked so you can pass strong integrity checks anywhere while being unlocked. Someone even managed to pass Basic, Device and Strong integrity on LineageOS for Phone 2a without rooting, spoofing, using pixel fingerprint or leaked keybox.

Vivo X80 Pro is also vulnerable & it has a more severe version of the flaw, as it fails to verify bl2_ext even with a locked bootloader. You can read more about the usage of exploit here:
https://github.com/R0rt1z2/fenrir

Follow @TechLeaksZone