shurikgo/cve-2026-25262-sm8450-research
GitHub: shurikgo/cve-2026-25262-sm8450-research
在 SM8450 平台上实验验证 CVE-2026-25262 漏洞,证明通过 Sahara 协议的 Write-What-Where 漏洞可在无服务器令牌的情况下绕过 Firehose 认证。
Stars: 7 | Forks: 1
```
# CVE-2026-25262 on Snapdragon 8 Gen 1 (SM8450) — 实验验证
**First public confirmation that CVE-2026-25262 is exploitable on Snapdragon 8 Gen 1 (SM8450).**
This repository contains the research results, including a draft article (English and Russian) describing a practical approach to bypass EDL authentication by directly manipulating the loader's runtime state before control is transferred.
## 🔍 关键发现
- CVE-2026-25262 (Write-What-Where in Sahara protocol) works on **Snapdragon 8 Gen 1** (SM8450).
- The PBL always loads code into Non-Secure World; status codes (33, 34, 41, 48) are diagnostic, not binary pass/fail.
- The Firehose authentication is not hardware-enforced — it is a **software variable** located at `0x6b9cd538` (the "silver key").
- By writing `5` to this address via CVE before sending `SAHARA_CMD_DONE`, full UFS access is granted without any server-side token.
## 📁 Repository 结构
```
├── README.md
├── article_en.md # 英文草稿
├── article_ru.md # 俄文草稿
├── article_en.pdf # 英文 PDF
└── article_ru.pdf # 俄文 PDF
```
## ⚠️ 负责任的 Disclosure
This work is published for educational and research purposes. No full exploit code is provided. The details shared are sufficient for verification and further study, but do not include ready-to-use attack tools.
## 📌 标签
`qualcomm` `edl` `sahara` `firehose` `cve-2026-25262` `sm8450` `snapdragon-8-gen-1` `reverse-engineering` `exploit-research`
## 📬 联系方式
If you have questions or want to discuss this research, feel free to open an issue or reach out directly.
---
**Last updated:** July 2026
📖 Also available in: [Russian](docs/README_ru.md)
```
标签:Maven, 云资产清单, 情报收集, 漏洞研究, 漏洞验证, 目录枚举, 移动安全, 逆向工程, 防御加固, 高通