PoC Exploit Released For Nothing Phone Code Execution Vulnerability

A proof-of-concept (PoC) exploit has been released for a critical vulnerability in the secure boot chain of the Nothing Phone (2a) and CMF Phone 1, potentially affecting other devices using MediaTek systems-on-a-chip (SoCs).

The exploit, named Fenrir and published by researcher R0rt1z2, allows for arbitrary code execution at the highest privilege level, effectively breaking the secure boot process.

The vulnerability stems from a logical flaw in the MediaTek boot chain, where a key component is not properly verified when the bootloader is in an unlocked state.

The vulnerability resides in the Preloader stage of the MediaTek boot process. When a device’s bootloader is unlocked (seccfg is set to unlocked), the Preloader fails to verify the cryptographic signature of the bl2_ext partition.

This oversight is critical because bl2_ext is responsible for verifying all subsequent components in the boot chain.

The Preloader transfers execution to bl2_ext while still operating at Exception Level 3 (EL3), the highest privilege level in ARM architecture.

An attacker can therefore patch bl2_ext to bypass all further signature checks, causing a total collapse of the chain of trust and allowing the loading of unverified and malicious code.

Nothing Phone Code Execution Vulnerability

By exploiting this flaw, an attacker can achieve code execution at EL3, granting them deep control over the device before the main operating system even begins to load.

The PoC demonstrates this by patching a single function, sec_get_vfy_policy(), to always return a value of 0, tricking the bootloader into believing that all subsequent images are verified.

The released exploit includes a payload that can register custom fastboot commands, control the device’s boot mode, and dynamically call native bootloader functions.

Additionally, the PoC can spoof the device’s lock state, making it appear as “locked” to pass strong integrity checks even when the bootloader is unlocked.

The researcher notes that while the current payload cannot modify memory at runtime due to MMU faults, the exploit provides a powerful foundation for further development.

Affected Devices And Mitigation

The exploit has been confirmed to work on the Nothing Phone (2a) (codenamed “Pacman”) and the CMF Phone 1 (codenamed “Tetris”).

The developer of the exploit also notes that the Vivo X80 Pro is affected by a similar, and potentially more severe, vulnerability where bl2_ext is not verified even with a locked bootloader.

The issue is believed to be present in other MediaTek devices that use “lk2” as their secondary bootloader.

The researcher has issued a strong warning, stating that any attempt to use the exploit can permanently damage or “brick” a device if not performed correctly.

Users are advised to exercise extreme caution, as the process involves flashing a modified bootloader image that can lead to irreversible hardware failure.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today