Nokia 6/5 EDL triggering through USB

Aleph Research Advisory





  1. Nokia 6

  2. Nokia 5 (unconfirmed)

Technical Details

A special USB cable (with D+ shortened to GND) can cause the Secondary BootLoader (SBL) of Nokia 6 / 5 to reboot into EDL. Since the Firehose programmers these devices have been leaked, one (for example, by the use of malicious chargers while the connected device is powered-down) could exploit them in order to execute various attacks.

Device SoC Programmer Tested SHA256
Nokia 6 (d1c) MSM8937 prog_emmc_firehose_8937_lite.mbn yes 74f3de78ab5cd12ec2e77e35b8d96bd8597d6b00c2ba519c68be72ea40e0eb79
Nokia 5 MSM8937 prog_emmc_firehose_8937_lite.mbn no D18EF172D0D45AACC294212A45FBA91D8A8431CC686B164C6F0E522D476735E9

In our blog post we demonstrate arbitrary code execution in every part of the Nokia 6 bootloader chain, and later on in Android itself. Although unconfirmed, we believe this attack is applicable on Nokia 5 as well.


  • 22-Jan-18
    : Public disclosure.
  • 01-Dec-17
    : Reported (Nokia).
  • 01-Dec-17
    : Vendor acknowledged report.
  • 09-Nov-17
    : Added as ALEPH-2017029.