Nothing Phone 2a Bootloader Exploit Working
A new exploit called Fenrir targets the Nothing Phone 2a, CMF Phone 1 & other MediaTek-powered devices. It takes advantage of a flaw in how the phone starts up, allowing full control over the device before Android even loads. Even after the developer waited 1 month, Nothing ignored the bootloader vulnerability report affecting the CMF Phone 1 and Phone 2a, so the developer made the exploit public.
When you power on your phone, it goes through several steps to make sure everything is secure and untampered. This is called the secure boot chain. Each of these steps is trusted only if the previous one verifies it.
1. BootROM – The first code built into the chip. It loads the next part.
2. Preloader – Loads the next component, called bl2_ext, and normally checks it.
3. bl2_ext – This runs at the highest privilege level (EL3) and is supposed to check everything else.
4. TEE (Trusted Execution Environment) – Handles secure operations like fingerprint data and encryption.
5. GenieZone – A MediaTek component that manages access to the secure system.
6. LK / AEE – Boots the Android operating system and handles crash logging.
7. Linux Kernel – This is Android. The phone is now fully booted.
This exploit abuses a flaw in the MediaTek boot chain. When the bootloader is unlocked (seccfg), the Preloader skips verification of the bl2_ext partition, even though bl2_ext is responsible for verifying everything that comes after it. So if bl2_ext is not verified and can be modified, the entire secure boot process is compromised. The exploit modifies a function called sec_get_vfy_policy() inside bl2_ext, making it always return "0", so an unverified bl2_ext running at EL3 now happily loads unverified images for the rest of the boot chain.
Additionally, the included PoC also spoofs the device’s lock state as locked so you can pass strong integrity checks anywhere while being unlocked. Someone even managed to pass Basic, Device and Strong integrity on LineageOS for Phone 2a without rooting, spoofing, using a Pixel fingerprint or a leaked keybox.
Vivo X80 Pro is also vulnerable & it has a more severe version of the flaw, as it fails to verify bl2_ext even with a locked bootloader. You can read more about the usage of the exploit here:
https://github.com/R0rt1z2/fenrir
Follow @TechLeaksZone
❤1
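The trust argument in the post above, as an added example that is not part of the original post or of the Fenrir project: a toy C model of the seven listed stages that counts how many of them keep a guaranteed integrity when the Preloader skips its bl2_ext check on an unlocked device, compared with always checking. FNV-1a stands in for the real signature check, and `trusted_depth`, `run_case` and the policy names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy digest (FNV-1a) standing in for the real signature check: an assumption. */
static uint32_t digest(const char *img) {
    uint32_t h = 2166136261u;
    for (; *img; img++) { h ^= (uint8_t)*img; h *= 16777619u; }
    return h;
}

struct stage { const char *name, *image; uint32_t expected; };
enum policy { VERIFY_ALWAYS, SKIP_WHEN_UNLOCKED };   /* hypothetical names */

/* Returns how many stages ran with guaranteed integrity. *halted gets the
 * index of the stage that was refused, or -1 if boot ran to the end. */
static int trusted_depth(const struct stage *c, int n, int unlocked,
                         enum policy preloader, int *halted) {
    int trusted = 1, depth = 1;   /* stage 0 (BootROM) is the root of trust */
    *halted = -1;
    for (int i = 1; i < n; i++) {
        /* Only the Preloader -> bl2_ext hop (index 2) has the conditional skip. */
        int skip = (i == 2 && unlocked && preloader == SKIP_WHEN_UNLOCKED);
        /* A check performed by a stage that was never verified proves nothing. */
        int checked = trusted && !skip;
        if (checked && digest(c[i].image) != c[i].expected) { *halted = i; return depth; }
        if (!checked) trusted = 0;
        if (trusted) depth++;
    }
    return depth;
}

/* Constructed sample chain following the seven stages listed in the post. */
static int run_case(int tamper_bl2, int unlocked, enum policy p, int *halted) {
    struct stage c[7] = {
        {"BootROM", "rom", 0}, {"Preloader", "pl", 0}, {"bl2_ext", "bl2_ext", 0},
        {"TEE", "tee", 0}, {"GenieZone", "gz", 0}, {"LK/AEE", "lk", 0},
        {"Linux kernel", "kernel", 0} };
    for (int i = 0; i < 7; i++) c[i].expected = digest(c[i].image);
    if (tamper_bl2) c[2].image = "bl2_ext-modified";
    return trusted_depth(c, 7, unlocked, p, halted);
}

int main(void) {
    int h, d = run_case(1, 1, SKIP_WHEN_UNLOCKED, &h);
    printf("skip when unlocked: trusted stages=%d halted=%d\n", d, h);
    d = run_case(1, 1, VERIFY_ALWAYS, &h);
    printf("verify always:      trusted stages=%d halted=%d\n", d, h);
    return 0;
}
```

In the skip case the boot runs to the end with only BootROM and Preloader still covered by the chain; in the verify case the modified bl2_ext is refused at index 2.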
🆙 PixelOS Fifteen - UNOFFICIAL
#ROM #A15 #V #Rodin #PixelOS #POS
📱 Device: Poco X7 Pro (rodin)
👤 Developer: @rthedream
ℹ️ Android Version: Android 15
📆 Build date: 8/09/2025
📂 File Size: 2,8GB
🚨Flashing steps: click me!
⬇️ Download Rom : Sourceforge | Google drive | Vendor Boot
🖼 Screenshot : Click here
🗒 Changelogs:
- Shipped Dolby Atmos
- Resolve small audio strength (dirty workarounds)
- Resolved fast charging
- Resolved hotspot overlays
- Moved to Lineage lights common HAL
- Disable game default frame rate feature
- Enable ZRAM
- Minor source changes and stability improvement
❗️Known issues:
• HTSR
📝 Notes:
• SELinux is "enforcing".
• GApps build
• Signed build
• OTA implemented
• Make sure u've backup IMEI.
• Dirty flashable from old build/OTA update.
🤝 Thanks to:
• @claxten, @rio113 for help
• @MrZ3T4, @Tutup_oli, @Saiful220, @julesovalle, @ZTV86 for tester
• @rthedream for device tree
☕️ Buy me a coffee!
• Ko-fi
• Dana
• Saweria
- Channel : @Rodinupdate
- Discussion : @rodincommunity
❤5🔥3
We already got auth over the global group and already have a device tree so this place kinda doesn't have a purpose anymore, imma just release stuff and leak stuff here.
Forwarded from POCO X7 PRO | Updates
🆙 PixelOS Fifteen - UNOFFICIAL
#ROM #A15 #Rodin #PixelOS #POS
📱 Device: Poco X7 Pro (rodin)
ℹ️ Android Version: Android 15
📆 Build date: 11/10/2025
📂 File Size: 3GB
🚨Flashing steps: click me! | OTA update
⬇️ Download Rom : Sourceforge | Vendor Boot | Mirror : soon..
🖼 Screenshot : Click here
🗒 Changelogs: Click here
❗️Known issues:
• You tell me (gib logs or gtfo)
📝 Notes:
• Reflash latest fw if it doesn't boot
• SELinux is enforcing.
• GApps build
• Signed build
• OTA implemented
• Make sure u've backup IMEI.
• Clean flash is mandatory
🤝 Thanks to:
• @claxten, @rio113, @holymee for help
• @inizeydann for tester
• @rthedream for device tree
☕️ Buy me a coffee!
• Ko-fi
• Dana
• Saweria
Follow : @PocoX7Pro5GUpdates
Join : @PocoX7ProGlobal
❤2
Forwarded from Rodin Alliance
Crowdfunding POCO X7 Pro
Hey fam, The AOSP project for POCO X7 Pro by @rthedream is already rolling. Now we’re opening a crowdfunding to cover the device purchase, so the project can keep moving smooth & drama-free.
📄 Crowdfunding Agreement
To keep everything crystal clear, we’ve prepared an agreement covering:
* Dev responsibilities
* Roles of initiator & overseer
* Donor rights (supporter privileges)
* Rules of device usage
👉 Full agreement here: Crowdfunding Agreement
📌 Dev Progress
Updates will be posted here:
➡️ @rthelolchex_builds
☕️ Donation Links
• Ko-fi (Global, PayPal supported)
• Saweria (Indonesia)
• UPI (ID: charantej94@oksbi)
📊 Donation Recap
To keep full transparency, every donation will be listed & updated regularly.
@rodinalliance & github.
After donating, just send your payment screenshot to one of the admins:
👉 @herobuxx | @StartTrueDreams | @katajaree |
Indian users - UPI payments screenshots send to @Cherri94
The recap will include: username/name, amount, and date.
🔥 Let’s squad up and support together so the POCO X7 Pro AOSP project stays on track. And in the end, we all get to enjoy AOSP together.
🙏 Big thanks fam, you guys are the real MVP!
❤1
It will take longer than it was supposed to for HyperOS 3 to come to MediaTek devices because of Vulkan stuff; Vulkan probably isn't going to be used in the system like it was said.