While I did “mock hype” this vulnerability, I was mostly making fun of those companies using bland and boring vulnerability disclosures as a PR stunt. Pork Explosion is certainly real, and today we feast.
Going into this I want to thank Mike Chan and the others at Nextbit for their prompt action to mitigate this in the Nextbit Robin. I also appreciate the QPSI & Android Security teams for their willingness to assist in contacting Foxconn.
And to the meat (or tofu for you BBQ haters)…
Pork Explosion is a backdoor found in the apps bootloader provided by Foxconn. For those who are not aware, Foxconn assembles phones for many, many vendors. Some (but not all) of them also allow Foxconn to build many low-level pieces of firmware. To date we have identified at least two vendors (likely many more) with vulnerable devices: InFocus (M810) and Nextbit (Robin). Pork Explosion allows an attacker with physical access to a device to gain a root shell, with SELinux disabled, through USB. The attack can be made through fastboot and the apps bootloader, or through adb if access is available. Because it yields a root shell on a password-protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the bootloader of a device without resetting user data. Phone vendors were unaware this backdoor had been placed into their products.
While taking a peek at the Nextbit Robin’s apps bootloader (based on Qualcomm’s lk bootloader, with customizations made by Foxconn International Holdings), a fastboot command was noticed that seemed out of place.
LOAD:0F92F8DC fastboot_table ; CODE XREF: sub_F939888+174