Nokia 6/5 EDL triggering through USB

Aleph Research Advisory

Identifier

ALEPH-2017029

Severity

Critical

Products

Nokia 6
Nokia 5 (unconfirmed)

Technical Details

A special USB cable (with D+ shortened to GND) can cause the Secondary BootLoader (SBL) of Nokia 6 / 5 to reboot into EDL. Since the Firehose programmers these devices have been leaked, one (for example, by the use of malicious chargers while the connected device is powered-down) could exploit them in order to execute various attacks.

Device	SoC	Programmer	Tested	SHA256
Nokia 6 (d1c)	MSM8937	prog_emmc_firehose_8937_lite.mbn	yes	74f3de78ab5cd12ec2e77e35b8d96bd8597d6b00c2ba519c68be72ea40e0eb79
Nokia 5	MSM8937	prog_emmc_firehose_8937_lite.mbn	no	D18EF172D0D45AACC294212A45FBA91D8A8431CC686B164C6F0E522D476735E9

In our blog post we demonstrate arbitrary code execution in every part of the Nokia 6 bootloader chain, and later on in Android itself. Although unconfirmed, we believe this attack is applicable on Nokia 5 as well.

Timeline

22-Jan-18
: Public disclosure.
01-Dec-17
: Reported (Nokia).
01-Dec-17
: Vendor acknowledged report.
09-Nov-17
: Added as ALEPH-2017029.

Posts

Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot
By Roee Hay & Noam Hadad,
22-Jan 2018
Exploiting Qualcomm EDL Programmers (4): Runtime Debugger
By Roee Hay & Noam Hadad,
22-Jan 2018
Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction
By Roee Hay & Noam Hadad,
22-Jan 2018
Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting
By Roee Hay & Noam Hadad,
22-Jan 2018
Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
By Roee Hay & Noam Hadad,
22-Jan 2018

Credit

Roee Hay (@roeehay) of Aleph Research, HCL Technologies
Noam Hadad of Aleph Research, HCL Technologies