Full Report
Mocor OS is a proprietary OS from UNISOC. This OS is used by various phone vendors such as Nokia, TCL and others. During the initial boot-up process, there is a user-lock password on the phone. Without knowledge of this password, it should not be possible to access data on the phone. The author found a weird (and not very well explained) loophole in the code. When a software reboot is triggered on the SoC via a crash, certain permission checks are not done compared to the regular boot. This can be triggered by glitching the chip. In fact, it does not require fancy equipment. Simply connect GND to the CLK for 50-100 ms during the password check and it will bypass the check. This article was confusing to me. But it seems that the soft reboot during the password prompt assumes that the system booted securely, so it takes a shortcut if a soft reboot occurs after this point. To be honest, I'm not sure if this is true, but given the large timing window this looks more like a software bug than a hardware bug.
Analysis Summary
# Vulnerability: UNISOC Mocor OS Password Bypass via Clock Fault Injection
## CVE Details
- **CVE ID:** CVE-2023-3630
- **CVSS Score:** 6.1 (Medium)
- **Vector:** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- **CWE:** Not explicitly stated (Relates to CWE-287: Improper Authentication and CWE-1332: Improper Handling of Faults that Lead to Security State Violations)
## Affected Systems
- **Products:** Devices running Mocor OS (proprietary OS from UNISOC/Spreadtrum).
- **Versions:** All versions prior to the latest release; specifically impacts devices using the **UNISOC SC6531E** chipset.
- **Configurations:** Feature phones/burner phones from various vendors including **Nokia, TCL, Alcatel**, and other white-label manufacturers.
## Vulnerability Description
The vulnerability exists in the soft reset routine of the Mocor OS kernel. When the system experiences a crash, the SoC triggers a "soft reboot." Unlike a standard cold boot, this soft reboot routine assumes a previous secure state and fails to re-execute critical permission checks for the user-lock password.
By manually forcing a clock fault (glitching the hardware), an attacker can crash the Main OS at the exact moment the password prompt is displayed. The resulting soft reboot bypasses the authentication logic, granting direct access to the device's main screen and data.
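To make the logic flaw concrete, the following is an added illustrative model in C, not Mocor OS code (all names such as `boot_vulnerable`, `boot_hardened`, `persist_state` and the stage values are assumptions): the soft-reset path treats a carried-over "secure boot completed" flag as proof that the user already authenticated, beside a hardened path that re-verifies the user lock regardless of the reset reason.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model (assumed names, not Mocor OS code) of the defect described
 * above: a word that survives a warm reset records how far the previous boot
 * got, and the soft-reset path trusts it instead of re-running the lock check. */
enum boot_reason { BOOT_COLD, BOOT_SOFT_RESET };
enum stage { STAGE_NONE, STAGE_SECURE_OK, STAGE_UNLOCKED };

struct persist_state { enum stage stage; };  /* survives a warm (soft) reset */
static const char *CORRECT_PIN = "1234";     /* constructed sample value */

static bool verify_user_lock(const char *pin) {
    return pin != NULL && strcmp(pin, CORRECT_PIN) == 0;
}

/* Vulnerable pattern: after a soft reset, "secure boot already ran" is taken
 * to mean "the user already authenticated", so the PIN check is skipped. */
bool boot_vulnerable(enum boot_reason why, struct persist_state *st, const char *pin) {
    if (why == BOOT_COLD) st->stage = STAGE_NONE;   /* a soft reset keeps st->stage */
    if (st->stage < STAGE_SECURE_OK) st->stage = STAGE_SECURE_OK;  /* secure boot */
    if (why == BOOT_SOFT_RESET && st->stage >= STAGE_SECURE_OK) {
        st->stage = STAGE_UNLOCKED;      /* BUG: no PIN was ever verified */
        return true;
    }
    if (!verify_user_lock(pin)) return false;
    st->stage = STAGE_UNLOCKED;
    return true;
}

/* Hardened pattern: the reset reason is never evidence of authentication;
 * every boot discards carried-over state and re-verifies the lock. */
bool boot_hardened(enum boot_reason why, struct persist_state *st, const char *pin) {
    (void)why;                             /* cold or soft: same path */
    st->stage = STAGE_SECURE_OK;           /* secure boot runs from scratch */
    if (!verify_user_lock(pin)) return false;
    st->stage = STAGE_UNLOCKED;
    return true;
}

/* Advisory scenario: cold boot reaches the password prompt with nothing entered,
 * the OS crashes there and the SoC soft-reboots. Returns true if the device ends
 * up unlocked although no PIN was ever supplied. */
bool crash_at_prompt_unlocks(bool hardened) {
    bool (*boot)(enum boot_reason, struct persist_state *, const char *) =
        hardened ? boot_hardened : boot_vulnerable;
    struct persist_state st = { STAGE_NONE };
    boot(BOOT_COLD, &st, NULL);               /* prompt shown, no PIN entered */
    return boot(BOOT_SOFT_RESET, &st, NULL);  /* crash -> soft reboot, st survives */
}
```

The point a reviewer of such firmware would check is that no state surviving a reset can stand in for a completed authentication step.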
## Exploitation
- **Status:** PoC available (demonstrated by ONEKEY Research Lab).
- **Complexity:** Low (requires only a basic conductor like a metal wire; no specialized glitching hardware is required).
- **Attack Vector:** Physical (requires opening the device to access the SoC pins).
## Impact
- **Confidentiality:** High (Full access to data stored on the phone).
- **Integrity:** High (Ability to modify system settings and data).
- **Availability:** None (The attack is used to gain access, not to disable the device).
## Remediation
### Patches
- **UNISOC:** According to the vendor, the issue is fixed in the latest release of Mocor OS. However, because UNISOC does not publicly provide granular versioning or release notes, users must rely on vendor-specific firmware updates.
### Workarounds
- **Physical Security:** As the attack requires physical access to the internal hardware (SoC pins), maintaining physical control of the device is the primary defense.
- **Data Policy:** Users should avoid storing highly sensitive information on feature phones known to use the SC6531E chipset.
## Detection
- **Indicators of Compromise:** Physical evidence of device tampering (broken seals, tool marks on the casing, or solder residue on the PCB).
- **Detection Methods:** Mocor OS has no known software-based logging mechanism likely to record this hardware-level glitching event, so detection relies on the physical indicators above.
## References
- **Vendor Advisory:** hxxps[://]www[.]unisoc[.]com/en_us/secy/announcementDetail/1687281677639942145
- **Original Research:** hxxps[://]www[.]onekey[.]com/resource/security-advisory-unisoc-mocor-fault-injection-security-bypass
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2023-3630