Qualcomm's fifth-generation Snapdragon 8 Gen 1 chip vulnerability exposed, allowing bootloader unlocking on phones like Xiaomi 17.
Tech House, March 13 news: the technology outlet Android Authority today (March 13) published a blog post describing the Qualcomm GBL exploit chain targeting the Qualcomm Snapdragon 8 Gen 5 Premium chip, and successfully tested unlocking the bootloader on phones such as the Xiaomi 17.
The bootloader is the first code that runs when the device starts; it is responsible for hardware initialization and for loading the operating system. Unlocking the bootloader is a prerequisite for gaining root access or flashing third-party systems on Android devices.
Tech House cites the blog post, which explains that the core of the Qualcomm GBL exploit chain is a missing verification step in Qualcomm's Android Bootloader (ABL).
On Android 16 systems, after the ABL loads the generic bootloader (GBL) from the "efisp" partition, it only checks that the image is a UEFI application and does not verify its authenticity. As a result, a user can write unsigned code to that partition and have it executed directly, which forms the basis of the entire vulnerability chain.
Writing data to the "efisp" partition requires first switching SELinux, the system's security module, from the default "Enforcing" mode to "Permissive".
Researchers found that Qualcomm's fastboot oem set-gpu-preemption command lacks input parameter validation. Appending the androidboot.selinux=permissive parameter to this command is enough to change the SELinux mode, which is the step that lets the rest of the chain proceed.
After the device reboots, ABL loads the custom UEFI application the user placed in the partition. That application then modifies key system parameters such as is_unlocked to "1", which completes the bootloader unlock.
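The chain above hinges on two missing checks in the loader: the fastboot oem command splices an unvalidated argument into the kernel command line, and ABL runs whatever PE/COFF image it finds in "efisp" without checking who produced it. The Python below is an added illustration written for this article, not code from Android Authority's write-up or from Qualcomm's ABL; it models each weak check next to its hardened form. The command-line key gpu_preemption, the allowed value range 0 to 3, the 0x40-byte PE stub, and the pinned-SHA-256 authenticity check (a stand-in for the asymmetric signature verification a real boot chain performs) are all constructed assumptions.

```python
"""Toy model of the two ABL checks described in the article (constructed example)."""
import hashlib
import hmac
import re
import struct

# ---- Part 1: fastboot oem argument handling ---------------------------------

# Weak form (constructed): the raw argument is spliced into the kernel command
# line, so any extra "key=value" tokens in it ride along unchanged.
def build_cmdline_unchecked(base_cmdline: str, gpu_preemption_arg: str) -> str:
    return f"{base_cmdline} gpu_preemption={gpu_preemption_arg}"

# Hardened form: only a single digit in a hypothetical allowed range is
# accepted; whitespace, '=' or any other text is rejected before it reaches
# the command line.
_PREEMPTION_RE = re.compile(r"[0-3]")  # assumed range, not Qualcomm's real one

def build_cmdline_checked(base_cmdline: str, gpu_preemption_arg: str) -> str:
    if not _PREEMPTION_RE.fullmatch(gpu_preemption_arg):
        raise ValueError(f"rejected oem argument: {gpu_preemption_arg!r}")
    return f"{base_cmdline} gpu_preemption={gpu_preemption_arg}"

def cmdline_tokens(cmdline: str) -> dict:
    """Split a kernel command line into {key: value} the way the kernel would."""
    out = {}
    for tok in cmdline.split():
        key, _, value = tok.partition("=")
        out[key] = value
    return out

# ---- Part 2: loading the GBL image from "efisp" -----------------------------

def is_uefi_application(image: bytes) -> bool:
    """Format-only check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew.
    This is the check the article says ABL performs; it says nothing about
    who built the image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def is_authentic(image: bytes, pinned_digest_hex: str) -> bool:
    """Authenticity check: digest pinned in the loader (constructed stand-in for
    a signature check over the image)."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), pinned_digest_hex)

def abl_load_gbl(image: bytes, pinned_digest_hex: str, verify_authenticity: bool = True) -> str:
    """Decision the loader makes. verify_authenticity=False models the
    behaviour described in the article; True is the hardened loader."""
    if not is_uefi_application(image):
        return "reject: not a UEFI application"
    if verify_authenticity and not is_authentic(image, pinned_digest_hex):
        return "reject: image not authentic"
    return "execute"

def make_pe_stub(payload: bytes) -> bytes:
    """Build a minimal PE-like blob: 0x40-byte DOS header with e_lfanew -> 0x40,
    then the PE signature and an arbitrary payload (constructed, not a real image)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + payload

# Constructed sample images: the "vendor" image whose digest the loader pins,
# and an unsigned image that is a perfectly well-formed UEFI application.
SIGNED_GBL = make_pe_stub(b"vendor-built gbl (constructed)")
PINNED_DIGEST = hashlib.sha256(SIGNED_GBL).hexdigest()
ROGUE_GBL = make_pe_stub(b"unsigned gbl written to efisp (constructed)")

if __name__ == "__main__":
    base = "console=ttyMSM0"
    weak = build_cmdline_unchecked(base, "0 androidboot.selinux=permissive")
    print("unchecked cmdline gives selinux =", cmdline_tokens(weak).get("androidboot.selinux"))
    try:
        build_cmdline_checked(base, "0 androidboot.selinux=permissive")
    except ValueError as exc:
        print("checked cmdline:", exc)
    print("format-only loader on rogue image:", abl_load_gbl(ROGUE_GBL, PINNED_DIGEST, False))
    print("hardened loader on rogue image:   ", abl_load_gbl(ROGUE_GBL, PINNED_DIGEST))
    print("hardened loader on pinned image:  ", abl_load_gbl(SIGNED_GBL, PINNED_DIGEST))
```

Run as a script, the format-only loader executes both images while the hardened loader executes only the pinned one, and the checked command builder refuses the argument that carries an extra androidboot.selinux token. The design point is that the two checks are independent: validating the oem argument closes the SELinux downgrade, but only an authenticity check on the image closes the "efisp" path, since a well-formed PE header is something anyone can produce.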
The outlet points out that this breakthrough defeats the strict unlocking barriers set by manufacturers such as Xiaomi, including quiz mechanisms and time locks, and allows many previously discouraged enthusiasts to regain full control of their devices.
Multiple reports indicate that Xiaomi may have patched this vulnerability in HyperOS 3.0.304.0, pushed to the Chinese market yesterday. Meanwhile, Qualcomm has also fixed the parameter validation issue in the related fastboot commands in its codebase.
The outlet also notes that, apart from Samsung phones, which use the company's own S-Boot bootloader, other Android brands that use Qualcomm's ABL may be affected, although the specific exploitation method will vary with each manufacturer's system customization.