A proof of concept exploit, called Fenrir and published by researcher R0rt1z2, has been released for a critical weakness in the secure boot chain used by the Nothing Phone (2a) and CMF Phone 1, and likely present in other devices using MediaTek system on chips. The exploit lets an attacker run code at the highest ARM privilege level, effectively breaking the device boot chain and the chain of trust.
What the flaw is, simply explained
The root cause is a logical error in the MediaTek boot process, specifically in the Preloader stage. When a device has an unlocked bootloader, the Preloader fails to verify the cryptographic signature of the bl2_ext partition, a component that is supposed to validate every subsequent boot stage. Because execution is passed to bl2_ext while still at Exception Level 3 (EL3), an attacker who modifies bl2_ext can bypass later signature checks and load unverified, potentially malicious code.
How the PoC works
The Fenrir proof of concept demonstrates a minimal yet powerful change: it patches a single function, sec_get_vfy_policy(), to always return zero, tricking the boot process into accepting subsequent images as verified. The released payload shows functionality to register custom fastboot commands, change the device boot mode, and call native bootloader routines dynamically. The PoC also includes a method to spoof the reported lock state, making a device appear locked to integrity checks even when the bootloader is actually unlocked.

Impact, affected devices, and variations
The exploit has been confirmed to work on Nothing Phone (2a), codename Pacman, and CMF Phone 1, codename Tetris. The researcher warns that a similar or worse issue affects the Vivo X80 Pro, where bl2_ext may not be verified even when the bootloader is locked. More broadly, any MediaTek device that uses lk2 as the secondary bootloader could be vulnerable.
Technical limitations and future risk
At present, the demonstrated payload cannot reliably modify memory at runtime because attempts to alter memory trigger MMU faults; however, the exploit still achieves EL3 code execution and forms a strong foundation for further enhancements. A mature exploit could lead to persistent, low-level compromise that survives OS reinstall or factory reset, depending on device protections.
Safety and mitigation advice
The researcher issues a strong warning: flashing a modified bootloader can permanently brick a device if done incorrectly. Users should exercise extreme caution, avoid applying untrusted bootloader images, and follow vendor updates and security advisories. Device manufacturers will need to issue fixes that ensure bl2_ext and similar partitions are cryptographically verified regardless of bootloader lock state, and users should apply official firmware updates as they become available.
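To make the policy defect and the fix concrete, here is an added model in C of the verification decision covered in the flaw description and the mitigation advice above. It is not Fenrir or MediaTek code; the stage names after bl2_ext, their exception levels, and the signature results are assumptions, and a boolean stands in for the real signature check. The flawed policy skips verification once the bootloader is unlocked, while the hardened one keeps requiring a vendor signature for any stage that still executes at EL3.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a MediaTek-style boot chain, not vendor or Fenrir code.
 * signature_valid stands in for a real vendor-key signature check (constructed). */
enum el { EL1 = 1, EL3 = 3 };
struct stage { const char *name; enum el runs_at; bool signature_valid; };
enum boot_result { BOOT_OK, BOOT_HALT, BOOT_TRUST_BROKEN };
typedef bool (*verify_policy)(const struct stage *, bool unlocked);

/* Flawed policy from the article: once unlocked, stages after the Preloader
 * are not verified, bl2_ext included, even though bl2_ext still runs at EL3. */
static bool vulnerable_policy(const struct stage *s, bool unlocked)
{ (void)s; return !unlocked; }

/* Hardened policy: any stage executing at EL3 (and therefore validating all
 * later stages) must be vendor-signed whatever the lock state; unlocking only
 * relaxes checks on images that run at lower privilege. */
static bool hardened_policy(const struct stage *s, bool unlocked)
{ return s->runs_at == EL3 || !unlocked; }

/* A required check that fails halts the boot; a stage reaching EL3 without a
 * valid signature means the chain of trust is broken at the highest level. */
static enum boot_result simulate_boot(const struct stage *chain, int n,
                                      bool unlocked, verify_policy policy)
{
    for (int i = 0; i < n; i++) {
        bool required = policy(&chain[i], unlocked);
        if (required && !chain[i].signature_valid) return BOOT_HALT;
        if (!required && chain[i].runs_at == EL3 && !chain[i].signature_valid)
            return BOOT_TRUST_BROKEN;
    }
    return BOOT_OK;
}

/* Genuine Preloader, bl2_ext optionally tampered, then user-flashed unsigned
 * images (assumed to run at EL1), as an unlocked device legitimately carries. */
enum boot_result run_scenario(bool unlocked, bool bl2_ext_tampered, verify_policy policy)
{
    const struct stage chain[] = {
        { "preloader", EL3, true }, { "bl2_ext", EL3, !bl2_ext_tampered },
        { "lk", EL1, false },       { "boot", EL1, false },
    };
    return simulate_boot(chain, 4, unlocked, policy);
}

int main(void)
{
    printf("unlocked + tampered bl2_ext: flawed=%d hardened=%d (1 halt, 2 trust broken)\n",
           run_scenario(true, true, vulnerable_policy),
           run_scenario(true, true, hardened_policy));
    return 0;
}
```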