OnePlus OxygenOS & HydrogenOS are vulnerable to downgrade attacks. This is due to lenient
updater-script in the OnePlus OTAs which does not check that the current version is lower than or equal to the given image’s (see below the 4.0.0
updater-script). Downgrades can occur even on locked bootloaders & without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS. In addition, a physical attacker can reboot the phone into recovery, and then use
adb sideload to push the OTA (on OnePlus 3/3T ‘Secure Start-up’ must be off).
getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\"."); show_progress(0.750000, 0); ui_print("Patching system image unconditionally..."); block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") || abort("E1001: Failed to update system image."); show_progress(0.050000, 10); [...]
PoC can be found here.