[Update: Late June] Poco F1 May update might be skipped due to Qualcomm SoC vulnerability

New updates are being added at the bottom of this story.

Google Pixel or Essential Phone users may find the update strategy of MIUI somewhat otherworldly. While those vanilla Android followers are accustomed to periodic monthly security patches as well as day one major version updates, Xiaomi is playing the game differently.

Xiaomi’s Mi-branded phones, as well as phones from two related but independent subsidiaries (Redmi and Pocophone), run MIUI, a skinned version of Android. Its version numbering is quite different from that of stock Android.

For example, the Pocophone F1 was launched back in August 2018 with MIUI 9.6 based on Android 8.1 Oreo. The phone later received the MIUI 10 (V10.0.4.0.OEJMIFH, to be precise) OTA update in November. Although the update brought plenty of new features, the base Android version remained the same.

MIUI 10.0.4.0 changelog for Poco F1

After a brief beta testing period, Poco F1 users got the stable Android 9.0 Pie update in the form of MIUI V10.1.3.0.PEJMIFI. Released in December, the update came with the November 2018 security patch level.

Notice that the MIUI version number got only a minor increment (from 10.0 to 10.1), even though the underlying Android version received a major update. This update also brought Google Lens integration to the MIUI camera app.

Google Lens on Poco F1

Since then, the phone has received three more software updates via the stable channel. In January 2019, Xiaomi rolled out the MIUI V10.2.2.0.PEJMIXM update, which carried 960fps slow motion video recording support and an enhanced low light camera mode.

There was an interesting twist in subsequent months. Alvin Tse, head of Pocophone Global, posted that the company was going to skip the February stable update altogether due to Chinese New Year holidays.

Subsequently they planned to roll out two different stable channel builds in March – the early one should be the release candidate of February and the later one would be the actual March stable update.

Pocophone F1 received MIUI V10.2.3.0.PEJMIXM as the initial March OTA update with a number of touch related fixes and a security patch level of February 2019.

Coming Stable version V10.2.3.0 release note

– Optimize the frozen screen issue

– Update Android Security patch

– Support face recognition in Greece and Brazil

The next update was delayed again and couldn’t even make it out in March. Alvin blamed the Game Turbo feature for the delay, as it needed more testing.

MIUI V10.3.4.0.PEJMIXM went live on April 4 for a select number of users. Xiaomi later halted the build in some regions due to an undisclosed bug.

Let me do a quick analysis: the Poco F1 got 3 stable updates in the first four months, all with one-month-old security patches. Although the beta channel updates are on the latest security patch level, the majority of users prefer to stay on the stable branch.

Now Alvin has hinted that Xiaomi might skip the May stable update for Pocophone F1 and directly opt for the June OTA.

The Qualcomm-issued patch Alvin has been talking about should be the one related to CVE-2018-11976, a severe vulnerability that allows private key extraction from Qualcomm’s hardware-backed keystores.

Further description of this bug is beyond the scope of this article, thus interested readers should refer to the original disclosure article. The following chipsets are affected:

IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

Yes, Poco F1’s Snapdragon 845 is vulnerable to the issue as well.

We hope Xiaomi will push the appropriate patch via the beta channel for Pocophone users as soon as possible. The fix is already part of the existing April 2019 security bulletin from Google, but not all OEMs have incorporated the required fixes.

The next stable update should also bring various touch related optimizations which are currently being tested on the beta channel.

FYI, the Russian Pocophone F1 is still stuck on Android 8.1 Oreo. There is no official statement regarding the unavailability of the official Pie update there, whereas the same phone has been running Android 9.0 since December everywhere else in the world.

Are you a Poco F1 user? Do you prefer to use beta channel for faster updates? Let us know by commenting below.

Update (June 4)

According to the head of Pocophone Global, the company is now planning to slow down the updates for the Poco F1 and concentrate on fixing the bugs. The next stable update might roll out in late June.

Kingshuk De

I came from a mixed background of Statistics and Computer Science. My research domains included embedded computer systems, mobile computing and delay tolerant networks in post-disaster scenarios. Apart from tinkering with gadgets or building hackintosh, I like to hop on various subreddits and forums like MyDigitalLife and XDA.