<--

OnePlus 3/3T OxygenOS 4F500301 Bootloader Locking Bypass

Aleph Research Advisory

Identifier

Severity

Critical

Products

  1. OnePlus 3T
  2. OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.2

Technical Details

OxygenOS before version 4.0.2 has two hidden fastboot oem commands: fastboot oem 4F500301/2 which allow the attacker to effectively lock/unlock the bootloader, disregarding the OEM Unlocking checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data.

Timeline

Posts

Credit