There’s a fight going on right now, one that’s been raging for years, over who really controls our smartphones. When you buy a phone, are you just purchasing the right to use it within the constraints the manufacturer lays out, or should you have the ability to do whatever you like on it, going so far as to install alternate operating systems? Buried within the software that powers our phones is the bootloader, the code that acts as the gatekeeper; unlocked, you can basically do as you please, but locked down, and you’re at the whim of the OEM. To their credit, many manufacturers have been getting better about giving users permission to unlock bootloaders under certain circumstances, but for some of us, that’s not enough. If you’re in that boat, we’ve got good news for you, as a new vulnerability has been published that has the potential to pop open the bootloaders on many Snapdragon-based Androids.
The attack was demonstrated on a Moto X, but will also work on devices like the Nexus 5 or the Snapdragon variants of the GS4 or Note 3. Sadly, the GS5 and One M8 are reportedly invulnerable, due to their code already being patched. The hack side-steps Qualcomm’s implementation of ARM’s TrustZone protections, designed to separate secure code from the user space. Thanks to a bounds-checking flaw, the exploit is able to write arbitrarily to secure memory and execute code as it sees fit. With that low-level access, removing bootloader protections is trivial.
We’ve yet to see the release of any software tool that takes advantage of this vulnerability to unlock phones, but it may only be a matter of time before something like that surfaces.