Posted by validatori 1 day ago

Oneplus phone update introduces hardware anti-rollback (consumerrights.wiki)
455 points | 267 comments
cmxch 1 day ago|
So OnePlus is no better than the rest of the pack.
bflesch 1 day ago||
How likely is it that such software-activated fuse-based kill switches are built into iPhones? Any insights?
mort96 1 day ago||
So this article isn't about a kill switch, just blocking downgrades and custom ROMs.

But to answer your question: we know iPhones have a foolproof kill switch, it's a feature. Just mark your device as lost in Find My and it'll be locked until someone can provide your login details. Assuming it requires logging in to your Apple account (which it does, AFAIK; I don't think logging in to a local account is enough), this is the same as a remote kill switch; Apple could simply make a device enter this locked-down state and then tweak their server systems to deny logins.

jacquesm 1 day ago|||
I'd say for commercial hardware it is a near certainty even if you won't ever know until it is much too late.

Realize that many of these manufacturers sell their hardware in and employ companies in highly policed societies. Just the fact that they are allowed to continue to operate implies that they are playing ball and may well have to perform a couple of favors. And that's assuming they are fully aware of what they are shipping, which may not be always the case.

I don't think it is a bad model at all to consider any cell phone to be compromised in multiple ways even though you don't have hard proof.

izacus 1 day ago|||
Apple has been doing that since forever and will remotely kill switch devices so they need to be destroyed instead of reused: https://fighttorepair.substack.com/p/activation-locks-send-w...

Millions of fully working apple devices are destroyed because of that even - Apple won't unlock them even with proof of ownership.

Muromec 1 day ago|||
It's there on all phones since forever lol. Apple can ship an update that adds "update without asking for confirmation" tomorrow and then ship another one that shows nothing but a middle finger on boot and you would not be able to do anything, including downgrading back.
Retr0id 1 day ago|||
The M-series CPUs found in iPads (which cannot boot custom payloads) are the same as the M-series CPUs found in MacBooks (which can boot custom payloads) - just with different fuses pre-burnt during manufacturing.

Pre-prod (etc.) devices will also have different fuses burnt.

hexagonwin 1 day ago|||
iPhones already cannot be downgraded; they can only install OS versions signed by Apple at install time (search SHSH blobs). They also can't run unsigned IPA files (apps). Not sure if they have a physical fuse, but it's not much different.
hoistbypetard 1 day ago||
The significant difference is that if it were placed into DFU mode and connected to an appropriate device that had access to appropriately signed things, it could be "unbricked" without replacing the mainboard.
hexagonwin 1 day ago||
True, but I believe these bricked OnePlus devices can also be revived from 9008 (EDL) if they can find the Qualcomm Firehose loader file.
QuiEgo 1 day ago||
100%, if you steal a phone from the Apple store they just remote brick it.
QuiEgo 1 day ago||
Example: https://www.techspot.com/news/108318-stolen-iphones-disabled...
IshKebab 1 day ago||
Why? What advantage do they get from this? I'm assuming it's not a good one but I'm struggling to see what it is at all.
jeroenhd 1 day ago||
They patched a low-level vulnerability in their boot process. Their phones' debug features would allow attackers to load an old, unpatched version of their (signed) software and exploit it if they didn't do some kind of downgrade prevention.

Using eFuses is a popular way of implementing downgrade prevention, but also for permanently disabling debug flags/interfaces in production hardware.

Some vendors (AMD) also use eFuses to permanently bond a CPU to a specific motherboard (think EPYC chips for certain enterprise vendors).
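
The rollback prevention jeroenhd describes above, modelled as an added example (not code from OnePlus, Qualcomm or the article): a one-time-programmable fuse word holds a minimum security version in thermometer code (bits can only go 0 to 1), the bootloader refuses any image whose version is below that minimum, and after a newer image boots the minimum is raised by blowing more fuses. The 32-bit width, the fuse layout and the function names are assumptions for illustration; signature verification of the image is assumed to have already happened.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a 32-bit one-time-programmable (OTP) fuse word.
 * Every bit starts at 0 and can only ever be set to 1; nothing clears it. */
#define FUSE_BITS 32u

typedef struct {
    uint32_t bits;
} fuse_word_t;

enum boot_result {
    BOOT_OK = 0,
    BOOT_ROLLBACK_REJECTED = 1,   /* image older than the fused minimum */
    BOOT_FUSE_EXHAUSTED = 2       /* no unblown fuses left to raise the minimum */
};

/* Blow one fuse bit. Returns false for an out-of-range index. Never clears a bit. */
static bool fuse_blow(fuse_word_t *f, unsigned idx) {
    if (idx >= FUSE_BITS) return false;
    f->bits |= (1u << idx);
    return true;
}

/* The fused minimum security version is the number of blown fuses
 * (thermometer code), so it can only increase over the device's life. */
static unsigned fuse_min_version(const fuse_word_t *f) {
    unsigned n = 0;
    uint32_t v = f->bits;
    while (v) { n += v & 1u; v >>= 1; }
    return n;
}

/* Index of the lowest unblown fuse, or FUSE_BITS if all are blown. */
static unsigned fuse_next_clear(const fuse_word_t *f) {
    for (unsigned i = 0; i < FUSE_BITS; i++)
        if (!(f->bits & (1u << i))) return i;
    return FUSE_BITS;
}

/* Bootloader check: a (signed) image is accepted only if its security
 * version is at least the fused minimum. Newer images always pass, which
 * is why a custom ROM carrying a higher version is not treated as a rollback. */
static enum boot_result anti_rollback_check(const fuse_word_t *f, unsigned image_version) {
    return image_version >= fuse_min_version(f) ? BOOT_OK : BOOT_ROLLBACK_REJECTED;
}

/* After an image with a higher version has booted, raise the fused minimum
 * to match. Lower versions are a no-op: fuses cannot be un-blown. */
static enum boot_result fuse_advance(fuse_word_t *f, unsigned image_version) {
    while (fuse_min_version(f) < image_version) {
        unsigned idx = fuse_next_clear(f);
        if (idx >= FUSE_BITS) return BOOT_FUSE_EXHAUSTED;
        fuse_blow(f, idx);
    }
    return BOOT_OK;
}

int main(void) {
    fuse_word_t otp = { 0 };   /* fresh device: no fuses blown, minimum version 0 */

    /* Vendor update with security version 3 boots and raises the minimum. */
    printf("v3 boot: %d\n", anti_rollback_check(&otp, 3));
    fuse_advance(&otp, 3);
    printf("fused minimum now %u (bits 0x%08x)\n", fuse_min_version(&otp), otp.bits);

    /* Flashing the old v2 image is now rejected; v3 and v4 still boot. */
    printf("v2 boot: %d\n", anti_rollback_check(&otp, 2));
    printf("v4 boot: %d\n", anti_rollback_check(&otp, 4));

    /* The counter has a hard ceiling: once every fuse is blown it cannot advance. */
    printf("advance to 33: %d\n", fuse_advance(&otp, 33));
    return 0;
}
```

The model shows the two properties the thread is arguing about: the check is monotonic (once a fuse is blown, every image below that version is refused, and no later software update can reverse it), and anything signed with a higher version still boots, so "newer" custom ROMs pass while "older" ones are classed as rollbacks.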

hexagonwin 1 day ago||
They can kill custom ROMs and force the latest vendor firmware. If they push a shitty update that slows down the phone or something, users have no choice other than buying a new device.
bcraven 1 day ago||
The article suggests custom ROMs can just be updated to be 'newer' than this.

At the moment they're 'older' and would class as a rollback, which this fuse prevents.

hypeatei 1 day ago||
It's my first time hearing about this "eFuse" functionality in Qualcomm CPUs. Are there non-dystopian uses for this as a manufacturer?
hexagonwin 1 day ago||
Samsung uses this for their Knox security feature. The fuse gets broken on initial bootloader unlock, and all features related to Knox (Samsung Pay, Secure Folder, etc.) get disabled permanently, even after reverting to stock firmware.
QuiEgo 1 day ago|||
Almost every modern SoC has efuse memory. For example, this is used for yield management - the SoC will have extra blocks of RAM and expect some % to be dead. At manufacturing time they will blow fuses to say which RAM cells tested bad.
Retr0id 1 day ago|||
eFuses are in most CPUs, often used for things like disabling hardware debug interfaces in production devices - and rollback prevention.
thesh4d0w 1 day ago|||
I use them in an ESP32 to write a random password to each of my products, so when I sell them they can each have their own secure default Wi-Fi password while all using the same firmware.
josephcsible 1 day ago||
What advantage do you see from using eFuses and not some other way to store the password?
thesh4d0w 1 day ago||
This is the only way I could come up with that would allow an end user to do a full factory reset, and end up back in a known good secure state afterwards.

Storing it in the firmware would mean every user has the same key. Storing it in EEPROM means a factory reset will clear it. This allows me to ship hardware with the default key on a sticker on the side, and lets a non-technical user reset it back to that if they need to.

It gives you a 256bit block to work with - https://docs.espressif.com/projects/esp-idf/en/stable/esp32/...

josephcsible 1 day ago||
But couldn't you also just set aside a bit of the EEPROM your factory reset skips, and accomplish the same thing?
josephcsible 1 day ago||
There are not. The entire premise of eFuses is that after you buy something, the manufacturer can still make changes that you can't ever undo.
Oxodao 23 hours ago||
OnePlus went shit since the 6. Pretty sad, they used to be a great brand...
jijji 1 day ago||
I'm sure that is not going to improve their sales numbers.
mystraline 1 day ago||
It's high time we start challenging these sorts of actions as the "vandalization and sabotage at scale" that these attacks really are. I don't see how these aren't a direct violation of the CFAA, over millions of customer-owned hardware.

They are no different than some shit ransomware, except there is no demand for money. However, there is a demonstrable proof of degradation and destruction of property in all these choices.

Frankly, criminal AND civil penalties should be levied. Criminally, the C levels and boards of directors should all be in scope as to encouraging/allowing/requiring this behavior. RICO act as well, since this smells like a criminal conspiracy. Let them spend time in prison for mass destruction of property.

Civilly, start dissolving assets until the people are made whole with unbroken (and un-destroyed) hardware.

The next shitty silly-con valley company that thinks about running this scam of 'customer-bought but forever company owned' will think long and hard about the choices of their network and cloud.

skeledrew 1 day ago|
> no demand for money

There is when the device becomes hard bricked and triggers an unnecessary need for a new one.

skeledrew 1 day ago|
This is absolutely cracked. I've been with OnePlus since the One, also getting the 2, 6 and now I have the 12. Stuck with them all these years because I really respected their - original - take on device freedom. I really should've seen the writing on the wall given how much pain it is to update it in the first place, as I have the NA version which only officially allows carrier updates, and I don't live in NA (and even if I did I'd still not be tied to a carrier).

Now I have to consider my device dead re updates, because if I haven't already gotten the killing update I'd rather avoid it. First thing I did was unlock the bootloader, and I intend to root/flash it at some point. Will be finding another brand whenever I'm ready to upgrade again.

dataflow 1 day ago|
This wasn't their only pain point. [1] Just get off OnePlus, you'll be happier.

[1] https://dontkillmyapp.com/oneplus

literallywho 1 day ago|||
Fascinating. I've had a OnePlus 6 from 2018 until 2023 (all on stock software) and I've not had or noticed any issues like that.
dataflow 16 hours ago||
You probably haven't had any apps that need to stay open a long time, or perhaps they have a way to relaunch themselves as a workaround. I've definitely seen this and it's incredibly frustrating to see processes killed when they need to stay running and are not doing anything wrong.
BeetleB 1 day ago|||
What are good alternatives that aren't Pixel?
palata 1 day ago||
For now, Pixels. I'm waiting to see what non-Pixel phone will be supported by GrapheneOS next, but this may take a while.
wolvoleo 1 day ago||
Yeah I'm surprised that they announced it but not the vendor name. I'm sure Google with their infinite resources already know which vendor it is. So who are they hiding it from?