Flock Safety Bravo Edge AI Compute Device Thundercomm TurboX 6490 Firehose Loader Vulnerability
Vulnerability
A vulnerability exists in the Flock Safety Bravo Edge AI Compute Device running Android 13, version BRAVO_00.00_local_20241017. The device accepts the default Thundercomm TurboX 6490 Firehose loader in Qualcomm Emergency Download (EDL/QDL) mode, allowing attackers with physical access to flash arbitrary firmware, dump partitions, and bypass the security controls of the bootloader and operating system.
Impact
Exploitation of this vulnerability could lead to unauthorized firmware modifications, partition dumps, and bypassing of bootloader and operating system security measures.
Reproduction
The vulnerability can be reproduced by physically accessing the device and putting it into EDL mode. Once in EDL mode, the Thundercomm TurboX 6490 Firehose loader can be used to flash arbitrary firmware or dump partitions. The device's unlocked bootloader and disabled secure boot further facilitate these actions.
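A fleet-side check for the unlocked-bootloader precondition described above, written as an added example (not code from the advisory or the vendor): it parses `adb shell getprop` output and reports any boot property that is missing or not in its locked state. The property names are standard AOSP ones; the sample outputs are constructed, and the check does not cover Qualcomm secure boot fuses or whether the device accepts the Firehose loader.

```python
import re

# One getprop line looks like: [ro.boot.flash.locked]: [1]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>.*)\]$")

# Values expected on a device with a locked bootloader and intact verified boot.
EXPECTED = {
    "ro.boot.flash.locked": "1",
    "ro.boot.vbmeta.device_state": "locked",
    "ro.boot.verifiedbootstate": "green",
}

def parse_getprop(text):
    """Turn raw getprop output into a dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def audit_boot_state(text):
    """Return (property, observed, expected) for every deviation.

    A missing property is reported with observed=None, so a device that
    does not expose its boot state fails the audit instead of passing.
    """
    props = parse_getprop(text)
    return [(key, props.get(key), want)
            for key, want in EXPECTED.items()
            if props.get(key) != want]

# Constructed sample outputs, not captured from a Bravo device.
SAMPLE_UNLOCKED = """\
[ro.build.version.release]: [13]
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
"""
SAMPLE_LOCKED = """\
[ro.build.version.release]: [13]
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
"""

if __name__ == "__main__":
    for key, got, want in audit_boot_state(SAMPLE_UNLOCKED):
        print(f"FINDING {key}: observed={got!r} expected={want!r}")
```

A clean result only shows the Android-level lock state; the EDL loader acceptance itself has to be addressed in firmware by the vendor.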
