OnePlus 3/3T OxygenOS 4F500301 Bootloader Locking Bypass

Aleph Research Advisory

Identifier

CVE-2017-5626

Severity

Critical

Products

OnePlus 3T
OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.2

Technical Details

OxygenOS before version 4.0.2 has two hidden fastboot oem commands: fastboot oem 4F500301/2 which allow the attacker to effectively lock/unlock the bootloader, disregarding the OEM Unlocking checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data.

Timeline

01-Mar-17
: Added as ALEPH-2017003.
08-Feb-17
: Public disclosure.
29-Jan-17
: CVE-2017-5626 assigned.
25-Jan-17
: CVE ID requested.

Posts

Owning OnePlus 3/3T with a Malicious Charger: The Last Piece of the Puzzle
By Roee Hay,
26-Mar 2017
Owning a Locked OnePlus 3/3T: Bootloader Vulns
By Roee Hay,
08-Feb 2017

Credit

Roee Hay (@roeehay) of Aleph Research, HCL Technologies