
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/R0rt1z2/fenrir
  • Blog Title: Fenrir: MediaTek bl2_ext secure-boot bypass with EL3 code execution (Nothing Phone 2a / CMF Phone 1)
  • Suggested Section: Generic Methodologies & Resources -> Mobile/IoT/Embedded -> Secure Boot & TrustZone (Android/MediaTek) -> bl2_ext verification bypass and EL3 code execution

🎯 Content Summary

What it is
Fenrir is a PoC exploit-and-patching toolkit that compromises the secure boot chain on certain MediaTek-based phones by abusing a verification logic flaw. Confirmed targets include Nothing Phone (2a) “Pacman” (supported) and CMF Phone 1 “Tetris” (known working with incomplete support). The author also observed the issue on a Vivo X80 Pro.

Root cause and trust boundary
On affected devices, when the device’s bootloader configuration (<c...

🔧 Technical Details

Boot-chain verification bypass via bl2_ext policy patch
Abuse devices where Preloader skips verifying bl2_ext whenever seccfg is unlocked. Patch sec_get_vfy_policy() in bl2_ext to return 0 so all downstream image verification is disabled. Because bl2_ext runs at EL3, the attacker controls loading of TEE, GenieZone, LK/AEE, and the Linux kernel, breaking the chain of trust across secure and non‑secure worlds.


Integrity/attestation evasion by lock‑state spoofing
Modify the bootloader’s reported lock state so the device appears “locked” while actually unlocked. This helps pass strong integrity checks/attestations even when booting unsigned components; some environments may still require vbmeta adjustments.


Runtime control through fastboot augmentation
Hook the bootloader to register custom fastboot commands, swit...

🤖 Agent Actions

I analyzed the repository, researched the PoC, and added a new focused page documenting the MediaTek bl2_ext verification bypass with EL3 code execution based on the Fenrir project. I also linked it from the most relevant existing firmware analysis/bootloader pages.

What I did:

  • Researched the Fenrir PoC README to extract the technical root cause, exploitation workflow, triage indicators, and payload capabilities.
  • Explored HackTricks and reviewed at least 5 relevant files:
    • src/hardware-physical-access/firmware-analysis/README.md
    • src/hardware-physical-access/firmware-analysis/bootloader-testing.md
    • src/hardware-physical-access/firmware-analysis/firmware-integrity.md
    • src/hardware-physical-access/physical-attacks.md
    • src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
  • Determined the best location is under hardware-physical-access/firmware-analysis (boot-chain and secure boot content fits here).
  • Created a new page with technical details, commands, and triage guidance.
  • Linked the new page from:
    • firmware-analysis/bootloader-testing.md (top “Related” block)
    • firmware-analysis/README.md “Related resources” section

New file created:

  • src/hardware-physical-access/firmware-analysis/android-mediatek-secure-boot-bl2_ext-bypass-el3.md
    • Title: MediaTek bl2_ext Secure-Boot Bypass (EL3 Code Execution)
    • Content:
      • MediaTek boot chain overview and affected trust boundary
      • Root cause: Preloader skipping bl2_ext verification when seccfg is unlocked
      • Patch details: sec_get_vfy_policy() → return 0 to disable verification
      • How to triage via expdb logs (img_auth_required = 0 and ~0 ms cert vfy time)
      • Practical exploitation workflow with Fenrir build/flash commands
      • Runtime payload features (custom fastboot cmds, boot mode control, dynamic call, lock-state spoof)
      • Porting tips for locating/patching verification policy in device-specific bl2_ext
      • Impact, detection, and hardening ideas
      • Device notes (Nothing Phone 2a, CMF Phone 1, Vivo X80 Pro)
      • References: Fenrir repo URL
    • Includes banners and proper markdown formatting.

Internal references added:

  • In src/hardware-physical-access/firmware-analysis/bootloader-testing.md (near the top):
    • Added a “Related” block with a ref to the new page.
  • In src/hardware-physical-access/firmware-analysis/README.md (“Related resources”):
    • Added a new ref to the new page.

Why here:

  • The topic concerns secure boot chains, SoC boot stages, and bootloaders (Preloader/bl2_ext/TEE/GZ/LK), so it belongs under hardware and firmware analysis instead of mobile app pentesting.

References used:

Changes applied as files:

  • Created: src/hardware-physical-access/firmware-analysis/android-mediatek-secure-boot-bl2_ext-bypass-el3.md
  • Modified: src/hardware-physical-access/firmware-analysis/bootloader-testing.md
  • Modified: src/hardware-physical-access/firmware-analysis/README.md

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
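Added example (not Fenrir code and not part of the PR content above): a small triage script that scans an expdb-style boot log for the two indicators the PR names, `img_auth_required = 0` and a near-zero certificate verification time, for the images bl2_ext loads (TEE, GenieZone, LK, kernel). The line layout, the two sample logs and the `min_plausible_ms` threshold are assumptions made for illustration; real expdb output is laid out differently, so the two regexes must be adapted to the device's actual lines.

```python
"""Triage an expdb-style boot log for signs that bl2_ext skipped image verification.

Added example for this PR page. It is not Fenrir code, and the log line format below
is an assumption used for illustration (real expdb output differs in layout). The two
indicators it keys on are the ones the PR calls out: img_auth_required = 0 and a ~0 ms
cert verification time for the images bl2_ext loads.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample logs, not captured from a device.
UNLOCKED_AND_PATCHED = """\
[preloader] seccfg: unlocked, bl2_ext verification skipped
[bl2_ext] tee img_auth_required = 0
[bl2_ext] tee cert vfy time = 0 ms
[bl2_ext] gz img_auth_required = 0
[bl2_ext] gz cert vfy time = 0 ms
[bl2_ext] lk img_auth_required = 0
[bl2_ext] lk cert vfy time = 0 ms
[bl2_ext] kernel img_auth_required = 0
[bl2_ext] kernel cert vfy time = 0 ms
"""

HEALTHY = """\
[preloader] seccfg: locked, bl2_ext verified
[bl2_ext] tee img_auth_required = 1
[bl2_ext] tee cert vfy time = 11 ms
[bl2_ext] gz img_auth_required = 1
[bl2_ext] gz cert vfy time = 9 ms
[bl2_ext] lk img_auth_required = 1
[bl2_ext] lk cert vfy time = 14 ms
[bl2_ext] kernel img_auth_required = 1
[bl2_ext] kernel cert vfy time = 27 ms
"""

# Assumed line shapes; adjust to the device's real expdb lines.
AUTH_RE = re.compile(r"^\[bl2_ext\]\s+(?P<img>\S+)\s+img_auth_required\s*=\s*(?P<val>\d+)")
VFY_RE = re.compile(r"^\[bl2_ext\]\s+(?P<img>\S+)\s+cert vfy time\s*=\s*(?P<ms>\d+)\s*ms")


@dataclass
class ImageRecord:
    auth_required: Optional[int] = None   # value of img_auth_required, if logged
    vfy_ms: Optional[int] = None          # cert verification time in ms, if logged
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> Dict[str, ImageRecord]:
    """Collect per-image verification bookkeeping emitted by the bl2_ext stage."""
    records: Dict[str, ImageRecord] = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            records.setdefault(m["img"], ImageRecord()).auth_required = int(m["val"])
            continue
        m = VFY_RE.match(line)
        if m:
            records.setdefault(m["img"], ImageRecord()).vfy_ms = int(m["ms"])
    return records


def triage(text: str, min_plausible_ms: int = 1) -> Dict[str, List[str]]:
    """Return {image: reasons} for every image whose verification looks disabled.

    A policy patched to return 0 shows up as img_auth_required = 0 on every
    downstream image; a signature check that never ran also costs ~0 ms.
    """
    findings: Dict[str, List[str]] = {}
    for img, rec in parse_log(text).items():
        if rec.auth_required == 0:
            rec.reasons.append("img_auth_required = 0")
        if rec.vfy_ms is not None and rec.vfy_ms < min_plausible_ms:
            rec.reasons.append(f"cert vfy time {rec.vfy_ms} ms (signature check likely skipped)")
        if rec.reasons:
            findings[img] = rec.reasons
    return findings


def chain_compromised(text: str) -> bool:
    """True if any bl2_ext-loaded image shows a disabled-verification indicator."""
    return bool(triage(text))


if __name__ == "__main__":
    for name, log in (("patched", UNLOCKED_AND_PATCHED), ("healthy", HEALTHY)):
        print(name, "->", triage(log) or "no findings")
```

Because the payload described in the PR can spoof the lock state the device reports, an integrity check should not rely on the reported lock state alone; the verification bookkeeping in the boot log is the better signal. A 0 ms verification time by itself can be benign for a very small image, so treat `img_auth_required = 0` as the primary indicator and the timing as corroboration.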

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/R0rt1z2/fenrir

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Mobile/IoT/Embedded -> Secure Boot & TrustZone (Android/MediaTek) -> bl2_ext verification bypass and EL3 code execution".

Repository Maintenance:

  • MD Files Formatting: 897 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
