Qualcomm exploit chain brings bootloader unlocking freedom to Android flagships
10 hours ago
- #Bootloader Exploit
- #Qualcomm
- #Android Security
- A vulnerability in Qualcomm’s Android Bootloader allows unsigned code execution via the 'efisp' partition on Android 16 devices.
- The exploit chains with a 'fastboot' command oversight to bypass SELinux and unlock the bootloader.
- Xiaomi’s Hyper OS vulnerability further enables bootloader unlocking on Xiaomi 17 series and other Snapdragon 8 Elite Gen 5 phones.
- The exploit involves loading unsigned code from the 'efisp' partition without authenticity checks.
- SELinux is switched to permissive mode through the vulnerable 'fastboot oem set-gpu-preemption' command.
- Xiaomi’s MQSAS app is exploited to write a custom UEFI app to the 'efisp' partition, enabling bootloader unlock.
- Xiaomi may patch the exploit soon, with fixes possibly included in Hyper OS 3.0.304.0.
- The exploit currently affects Snapdragon 8 Elite Gen 5 devices running Android 16, excluding Samsung phones using S-Boot.
- Qualcomm has fixed some of the vulnerabilities, but it is unclear whether the underlying GBL (Generic Bootloader) exploit has been patched.