OnePlus 2 Boots with a Tampered Secondary Bootloader
It’s fair to say the OnePlus 2 doesn’t have the best reputation when it comes to the Android enthusiast community. It used the Snapdragon 810 SoC (which has had a ton of criticism), never received Android 7.0 Nougat (even though it was promised), and has been shown to have vulnerabilities in the past that OnePlus refuses to fix. Now, a new discovery from Aleph Security again shows the OnePlus 2 boots with a tampered Secondary Bootloader.
This means that OnePlus has designed the Primary Bootloader of the OnePlus 2 to not do any validation of the Secondary Bootloader at all. Speculation from the research team says this may be due to a lenient hardware configuration. So this vulnerability allows an attacker to tamper with the secondary bootloader partition and then completely disable the signature validation of the rest of the bootloader chain. Not only that, but this can also result in signature validation being disabled for other SBL-validated partitions such as TrustZone and ABOOT as well.
They continued working with the vulnerability and were able to easily pinpoint the exact SBL function that validates the rest of the chain. After a quick patching of the call @ 0xFEC0E90C they avoid the failing path and booting with tampered aboot and tz now succeeds. The team then proceeded to modify one of the fastboot oem commands. This enabled them to temporarily unlock the bootloader and turn off the device tampering flag.
They also confirmed equivalent partitions of older OnePlus devices (OnePlus One and OnePlus X) have no digital signatures at all so they are vulnerable as well. When they got in contact with OnePlus about this OnePlus 2 vulnerability, they were told the device would not be fixed since it is “about to reach the product’s lifecycle.”
Source: Aleph Security