GitDroid
Nothing Phone 2a Bootloader Exploit Working

A new exploit called Fenrir targets the Nothing Phone 2a, CMF Phone 1 & other MediaTek-powered devices. It takes advantage of a flaw in how the phone starts up, allowing full control over the device before Android even loads. Even after 1 month of waiting, Nothing ignored the developer's bootloader vulnerability report affecting the CMF Phone 1 and Phone 2a, and thus the developer made the exploit public.

When you power on your phone, it goes through several steps to make sure everything is secure and untampered. This is called the secure boot chain. Each of these steps is trusted only if the previous one verifies it.

1. BootROM – The first code built into the chip. It loads the next part.
2. Preloader – Loads the next component, called bl2_ext, and normally checks it.
3. bl2_ext – This runs at the highest privilege level (EL3) and is supposed to check everything else.
4. TEE (Trusted Execution Environment) – Handles secure operations like fingerprint data and encryption.
5. GenieZone – A MediaTek component that manages access to the secure system.
6. LK / AEE – Boots the Android operating system and handles crash logging.
7. Linux Kernel – This is Android. The phone is now fully booted.

This exploit abuses a flaw in the MediaTek boot chain. When the bootloader is unlocked (seccfg), the Preloader skips verification of the bl2_ext partition, even though bl2_ext is responsible for verifying everything that comes after it. So if bl2_ext is not verified and can be modified, the entire secure boot process is compromised. The exploit modifies a function called sec_get_vfy_policy() inside bl2_ext, making it always return "0", so an unverified bl2_ext running at EL3 now happily loads unverified images for the rest of the boot chain.

Additionally, the included PoC also spoofs the device’s lock state as locked so you can pass strong integrity checks anywhere while being unlocked. Someone even managed to pass Basic, Device and Strong integrity on LineageOS for Phone 2a without rooting, spoofing, using pixel fingerprint or leaked keybox.

The Vivo X80 Pro is also vulnerable & it has a more severe version of the flaw, as it fails to verify bl2_ext even with a locked bootloader. You can read more about the usage of the exploit here:
https://github.com/R0rt1z2/fenrir

Follow
@TechLeaksZone
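
A simplified model of the chain of trust described in the post above, added here as an illustration and not taken from the Fenrir repository or from MediaTek code. It contrasts a Preloader that skips the bl2_ext check when the device is unlocked with one that always verifies it. Stage names follow the post; the images, the digest allow-list standing in for signatures, and all function names are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class Stage:
    name: str
    image: bytes
    enforces: bool = True  # bl2_ext only: models sec_get_vfy_policy() (False = returns 0)

# Constructed reference images; a digest allow-list stands in for vendor signatures.
ORDER = ("bl2_ext", "tee", "geniezone", "lk", "kernel")
GOOD = {n: f"{n}-vendor-build".encode() for n in ORDER}
TRUSTED = {n: digest(img) for n, img in GOOD.items()}

def preloader_verifies_bl2_ext(unlocked: bool, hardened: bool) -> bool:
    # Flawed policy from the post: the check is skipped once seccfg says "unlocked".
    # Hardened policy: the stage that verifies everything else is always verified.
    return True if hardened else not unlocked

def boot(stages, unlocked: bool, hardened: bool):
    """Return (names of stages that ran, reason boot halted or None)."""
    ran = []
    bl2, rest = stages[0], stages[1:]
    if preloader_verifies_bl2_ext(unlocked, hardened) and digest(bl2.image) != TRUSTED[bl2.name]:
        return ran, f"{bl2.name}: verification failed"
    ran.append(bl2.name)
    for st in rest:
        # Every later image is checked only if the running bl2_ext still enforces policy.
        if bl2.enforces and digest(st.image) != TRUSTED[st.name]:
            return ran, f"{st.name}: verification failed"
        ran.append(st.name)
    return ran, None

def modified_chain():
    """Constructed chain: an altered bl2_ext that no longer enforces, plus an altered lk."""
    chain = {n: Stage(n, GOOD[n]) for n in ORDER}
    chain["bl2_ext"] = Stage("bl2_ext", b"bl2_ext-modified", enforces=False)
    chain["lk"] = Stage("lk", b"lk-unsigned")
    return [chain[n] for n in ORDER]

if __name__ == "__main__":
    for unlocked, hardened in ((True, False), (False, False), (True, True)):
        print(f"unlocked={unlocked} hardened={hardened}:",
              boot(modified_chain(), unlocked, hardened))
```

In this model the only difference between the full boot of modified images and a halt at bl2_ext is whether the first check depends on the lock state.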
🌟🌟 Telegram Tweaks
[LSPosed/lspatch] Remove action bar stories in the Telegram messenger (+block unmute button)

• Action bar stories fix (hide or move to the drawer)
• Mute/unmute chat bottom button fix (make it chat/channel's notifications status label)
• Chat bottom gift button fix (hide it to prevent accidental taps)
• (Added) lspatch support
• (Added) block internal Telegram updates check


✳️ Author: MichaelZhuravsky


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🔁 Bootloop Protection


🔅 Telegram: @gitdroid | @magiskrootport
🔅 GitHub: @magiskrootport
🌟🌟 Privacy Guard
Protect your apps from unwanted capture.
When enabled for an app, Privacy Guard will block screenshots, block screen recording and hide app content in Recents.


🛠️ Requirements
• Magisk with Zygisk enabled
• LSPosed (Zygisk variant)
• Android 8.1+ recommended (tested 12–14)


✳️ Author: tan-dew


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


☀️ LSPosed CLI Tools
https://github.com/rogy153/ScopeForge---LSPosed-CLI-Manager
Advanced command-line tools for managing LSPosed modules with intelligent scope discovery, automatic backup, and batch operations.
🌟🌟 NextRAM
A powerful Magisk module that enhances Android device performance through intelligent memory management, ZRAM optimization, and kernel-level tuning.


✳️ Author: @rexamm1t, @matrix_5858
✳️ Telegram: Channel | Group


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🌟🌟 Systemless APNs
Systemless APNs is a required component for the SIM Spoof utility.


✳️ Author: UhExooHw


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🌟🌟 jni_trace
Android JNI trace for arm64 as a Magisk module!


✳️ Author: xbyl1234


🔸 GitHub repository      
🔸 MRP-Storage


🌟🌟 Syncthing for KernelSU
Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers.
Syncthing for Magisk


✳️ Author: Laputa0


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🌟🌟 Gboard Lite Online Installer
A lightweight, optimized Google Keyboard experience for rooted Android devices
Transform your typing experience with Gboard Lite - a streamlined version of Google's flagship keyboard that delivers premium features without the bloat.


🛠️ Requirements
• Android version: 8.1+ (API 27+) (Android 8.1 to Android 16)
• Root method: KernelSU or Magisk
• Architecture: ARM, ARM64, x86, x86_64
• Storage: 50MB free space
• Internet: Required for initial download


✳️ Author: @artistaproducer
✳️ Telegram: Channel | Group


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


Wild Kernel (fork of KernelSU Next) 🌲

Wild_KSU_Manager ▶️
https://github.com/WildKernels/Wild_KSU

GKI_KernelSU_SUSFS 👻
https://github.com/WildKernels/GKI_KernelSU_SUSFS

OnePlus_KernelSU_SUSFS 1️⃣
https://github.com/WildKernels/OnePlus_KernelSU_SUSFS

Sultan_KernelSU_SUSFS 👨‍💻
https://github.com/WildKernels/Sultan_KernelSU_SUSFS
🌟🌟 RevengeXposed
Xposed module to use Revenge on rooted Android
Revenge is a client modification for Discord Android.


✳️ Author: PalmDevs, revenge-mod


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🌟🌟 G-News Control
Magisk & KernelSU module that allows you to enable or disable the Google news feed on your device's home screen using the ACTION button in your Root manager or through the Terminal. This feature is useful for devices that do not allow this to be done natively. WITHOUT DISABLING THE GOOGLE APP ITSELF OR REMOVING ANY OF ITS FUNCTIONALITY!


✳️ Author: mango0oo


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


Stock/bootloader locked device and Google out of nowhere decides to ruin play integrity.

@GappsLeaks
🌟🌟 MiNavBarImmerse
A Magisk module that optimizes the Xiaomi NavBar immersion by replacing the NavBar configuration file of third-party applications built into Xiaomi HyperOS 2.2.


✳️ Author: @Ian_zb
✳️ Telegram: Group


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🌟🌟 Oplus side key expansion
OPPO/OnePlus mobile phone side button enhancement module
Expand your OnePlus side key function (three-stage and shortcut keys)
Let the three-stage/new version of the side button break free from limitations and unlock more possibilities.


💡 Function Introduction
Traditional three-stage button
Supported functions:
* Monitor status and execute custom Shell scripts
* Block official operations (mute/vibrate/ring)

New version of custom side buttons
Supported functions:
* Monitor single click + long press / double click + long press and execute custom Shell script
* ⚠️ Note: Single and double clicks cannot coexist


🔰 Feature Examples
• One-click NFC
• One-touch Bluetooth on/off
• One-button flashlight
• One-click recording
• One-click screen recording
• More custom operations


✳️ Author: ItosEO & YangFengTuoZi


🔸 GitHub repository 
🔸 GitHub releases
🔸 MRP-Storage


🌟🌟 SSH for Magisk
This is an SSH server running as root using the great Magisk systemless root suite. It includes binaries for arm, arm64, x86, x86_64. However, only arm64 has been tested at all. It requires Android API version 24 or higher (Android 7.0 Nougat and higher).


✳️ Author: Marc W. / D4rCM4rC


🔸 GitLab repository 
🔸 GitLab releases
🔸 MRP-Storage

