Qualcomm Android Bootloader Vulnerability Uncovered
A vulnerability has been identified in Qualcomm's Android Bootloader (ABL) implementation that permits the execution of unsigned code. This issue primarily impacts devices running Android 16, particularly those equipped with Qualcomm Snapdragon 8 Elite Gen 5 System-on-Chips.
Exploit Mechanism Details
The Qualcomm ABL attempts to load the Generic Bootloader Library (GBL) from the "efisp" partition. During this process, the ABL checks only that a UEFI app is present and does not verify its authenticity. This oversight allows unsigned code placed on the "efisp" partition to be loaded and executed without validation.
To bypass default security measures, specifically SELinux Enforcing mode, the exploit chains a second oversight in a fastboot command. The command fastboot oem set-gpu-preemption accepts its input arguments without adequate checks or sanitization. This flaw lets an attacker append androidboot.selinux=permissive to the command, switching SELinux from Enforcing to Permissive mode on the next boot.
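The flaw described above is a classic argument-injection pattern: a fastboot oem argument is passed through to the kernel command line without being restricted to the values the command actually needs. The following C example is added here for illustration and is not Qualcomm's ABL code; it contrasts an unchecked append with an allow-list check, and adds a check a defender can run over a finished command line. The handler shape, the allow-list values and the kernel parameter name gpu_preemption are assumptions, not taken from the real bootloader.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMDLINE_MAX 512

/* Weak pattern (constructed to mirror the reported flaw): the raw argument is
 * appended to the kernel command line verbatim, so an argument containing a
 * space smuggles extra key=value pairs onto the command line. */
int cmdline_append_unchecked(char *cmdline, size_t cap, const char *arg) {
    if (strlen(cmdline) + strlen(arg) + 2 > cap) return -1;  /* space + NUL */
    strcat(cmdline, " ");
    strcat(cmdline, arg);
    return 0;
}

/* Hardened check: the value must be a single token from a short allow-list.
 * Any whitespace or '=' that could begin a new command-line parameter is
 * rejected before the allow-list is even consulted. (Allow-list is assumed.) */
bool gpu_preemption_arg_valid(const char *arg) {
    static const char *allowed[] = { "0", "1" };
    for (const char *p = arg; *p; p++)
        if (*p == ' ' || *p == '\t' || *p == '\n' || *p == '=') return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(arg, allowed[i]) == 0) return true;
    return false;
}

/* Hardened append: validate first, then emit a fixed key with the checked
 * value, so the caller can never choose the parameter name. */
int cmdline_append_checked(char *cmdline, size_t cap, const char *arg) {
    if (!gpu_preemption_arg_valid(arg)) return -1;
    char token[64];
    int n = snprintf(token, sizeof token, "gpu_preemption=%s", arg);
    if (n < 0 || (size_t)n >= sizeof token) return -1;
    return cmdline_append_unchecked(cmdline, cap, token);
}

/* Detection: report whether a finished command line carries the exact
 * androidboot.selinux=permissive token (not merely that substring). */
bool cmdline_has_selinux_permissive(const char *cmdline) {
    static const char needle[] = "androidboot.selinux=permissive";
    const char *p = strstr(cmdline, needle);
    if (!p) return false;
    bool at_start = (p == cmdline) || (p[-1] == ' ');
    const char *end = p + (sizeof needle - 1);
    return at_start && (*end == '\0' || *end == ' ');
}
```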
On Xiaomi devices, including the Xiaomi 17 series, Redmi K90 Pro Max, and POCO F8 Ultra, an additional vulnerability within Xiaomi's Hyper OS is leveraged. The MQSAS (MIUI Quality Service and Secure) app's IMQSNative binder service, with its system-level permissions, is exploited to write a custom UEFI app to the "efisp" partition.
Following a device reboot, the ABL loads and executes this custom UEFI app due to the initial GBL vulnerability. The custom app then proceeds to unlock the bootloader by setting the is_unlocked and is_unlocked_critical parameters to "1".
Scope and Patch Status
The underlying GBL vulnerability is expected to affect all Android Original Equipment Manufacturers (OEMs) that use Qualcomm's ABL, with the notable exception of Samsung, which employs its proprietary S-Boot. The specific chain of vulnerabilities required for a successful bootloader unlock may vary across OEMs.
Qualcomm has reportedly addressed the vulnerability associated with the fastboot oem set-gpu-preemption command. Xiaomi is anticipated to patch the Hyper OS app vulnerability, with indications that it may already be resolved in Hyper OS 3.0.304.0 builds released in China.
However, it is not yet clear whether the core GBL exploit has been fully fixed by Qualcomm, or if any such fixes have been disseminated to Android OEMs and subsequently rolled out to consumers.
Users who intend to utilize the exploit have been advised to disconnect their devices from the internet and refrain from applying firmware updates.