Nokia 6, Nokia 5 (unconfirmed)
A special USB cable (with D+ shortened to GND) can cause the Secondary BootLoader (SBL) of Nokia 6 / 5 to reboot into EDL. Since the Firehose programmers these devices have been leaked, one (for example, by the use of malicious chargers while the connected device is powered-down) could exploit them in order to execute various attacks.
| Device | SoC | Programmer | Tested | SHA256 |
|---|---|---|---|---|
| Nokia 6 (d1c) | MSM8937 | prog_emmc_firehose_8937_lite.mbn | yes | 74f3de78ab5cd12ec2e77e35b8d96bd8597d6b00c2ba519c68be72ea40e0eb79 |
| Nokia 5 | MSM8937 | prog_emmc_firehose_8937_lite.mbn | no | D18EF172D0D45AACC294212A45FBA91D8A8431CC686B164C6F0E522D476735E9 |
In our blog post we demonstrate arbitrary code execution in every part of the Nokia 6 bootloader chain, and later on in Android itself. Although unconfirmed, we believe this attack is applicable on Nokia 5 as well.