Critical Unsigned Firmware Update in Actions Semiconductor Platform

01 — Executive Summary

What We Found

During hands-on firmware analysis of a consumer music player by our team we found a critical vulnerability discovered in the firmware update mechanism of all devices built on the Actions Semiconductor platform. The update toolchain performs no any cryptographic validation before writing arbitrary firmware to the device!

That means for example an attacker with physical USB access can permanently compromise any affected device with fully custom firmware, with the compromise surviving factory reset.

02 — Research Process

How We Got Here

Initial Observation

Our investigation began with an anomalous device behaviour: the Lenco Xemio-860 crashed and performed a full factory reset when loading a music file with an arbitrary long filename. This indicated absent or broken input validation in the file system parser. Rather than treating the crash as a minor annoyance, it was used as an entry point to investigate the full firmware architecture.

Firmware Extraction

The device presents itself as a standard USB mass storage device. A raw disk dump was performed to capture the full 8.4 GB NAND flash image at the block device level:

sudo diskutil unmountDisk /dev/diskX
sudo dd if=/dev/diskX of=xemio860_raw.bin bs=4096 status=progress

Result: 8,376,025,088 bytes captured in approximately 14 minutes at 10 MB/s. The dump produced a complete binary image of the device flash, including all partitions.

Binary Triage

We wrote a specific script in order to scan the raw binary for ASCII strings matching firmware-relevant keywords: upgrade, update, firmware, system, version, commaxx, lenco. This scan showed a fully embedded Windows firmware update toolkit at flash offset 0x0265b11c, with all files confirming the SoC vendor as Actions Semiconductor.

Update Tool Discovery

The embedded toolkit was stored as a ZIP archive within the flash containing the complete Windows firmware flashing utility:

RdiskUpgrade.exe Windows GUI firmware flasher (90 KB)

Production.dll USB communication and flashing library (2.57 MB)

Script.dll Scripting engine (602 KB)

python27.dll Embedded Python 2.7 runtime (2.3 MB)

Upgrade.ini Firmware update configuration file

driver/ADFUUpdate.inf Actions Semiconductor USB device driver

Configuration Analysis

The Upgrade.ini CONFIG section revealed the complete lack of any security configuration:

Upgrade.ini — [CONFIG]

FWFILE=          ← blank — accepts ANY firmware binary
UISKIN=skin-upgrade
VER00=1.00.01

We noticed that there is no signature field, no checksum parameter, no even hash algorithm, not even an authentication mechanism of any kind. The FWFILE key is blank — the tool accepts any firmware binary the user points it at and flashes it without question. And that's the vulnerability.

Confirming Zero Cryptographic Verification

strings Production.dll | grep -i 'sign|verify|hash|md5|sha|rsa|aes|encrypt'

Zero firmware-related cryptographic functions found in a 2.57 MB binary. The flashing logic performs no verification whatsoever before writing to the device.

USB Device Identification

The driver INF file identified the full scope of vulnerable devices. Actions Semiconductor USB Vendor ID 10D6 covers 12 distinct Product IDs, meaning this vulnerability extends across a wide range of budget consumer devices from multiple brands:

PID_ff51 PID_ff61 PID_ff63 PID_ff66 PID_ff79 PID_ff88 PID_ff76 PID_ff96 PID_fe01 PID_fe02 PID_fd01 PID_10D6

03 — Security Impact

Attack Capability & Scenarios

Because Production.dll accepts and flashes any firmware binary with no validation, a malicious user with brief physical USB access can achieve all of the following:

→ Flash arbitrary firmware, replacing the complete device operating system
→ Gain persistent code execution that survives factory reset and power cycling
→ Modify device behaviour invisibly with zero external indicators of compromise
→ Silently extract any data stored on the device or inserted SD card
→ Repurpose device hardware (microphone, storage, Bluetooth) for malicious purposes

A

Targeted Espionage — Office Access

An attacker gains brief unattended access to a target executive's desk. Connects the device to a laptop, runs RdiskUpgrade.exe with malicious firmware, completes the flash in under 60 seconds. Modified firmware activates the microphone and writes encrypted audio captures to the SD card. Device looks identical to before.

B

Supply Chain Attack

A malicious actor inside a distribution chain intercepts a batch before delivery. Using the RdiskUpgrade.exe tool already embedded on each device, all units are reflashed and resealed in original packaging. End customers receive devices that appear factory-fresh but execute attacker-controlled code from first power-on.

C

Malicious Public Charging Station

A rogue USB charging station at an airport or hotel enumerates connected devices and detects Actions Semiconductor VID 10D6 automatically. On detection it initiates a firmware flash without any user prompt. Any user who charges their device leaves permanently compromised. Fully silent, requires no victim cooperation.

D

Cross-Brand Platform Attack

Because 12 USB Product IDs share the same Vendor ID and the same unverified update mechanism, a single automated attack tool can identify and reflash any compatible device across dozens of consumer electronics product lines worldwide. Scale of impact extends far beyond the Lenco Xemio-860 specifically.

04 — Test Cases

Reproducible Evidence

The following test cases were executed against the Lenco Xemio-860BK running firmware VER00=1.00.01. Each test is independently reproducible on any device sharing Actions Semiconductor VID 10D6.

TC-01 Trigger Filename Crash Medium

PreconditionDevice powered on, connected via USB, FAT32 partition mounted

InputMusic file with filename exceeding 255 characters copied to device root

Expected (secure)Device rejects filename or truncates gracefully

Actual ResultDevice crashes, performs full factory reset — confirms absent input validation

TC-02 Verify Absence of Signature Fields in Update Config Critical

PreconditionFlash dump acquired (xemio860_raw.bin), update tool extracted

Inputcat RDiskUpdate/Upgrade.ini

Expected (secure)[CONFIG] section contains SignatureFile=, CheckSum=, or equivalent fields

Actual ResultCONFIG contains only FWFILE= (blank), UISKIN=, VER00= — zero security fields

TC-03 Confirm Zero Crypto Functions in Production.dll Critical

PreconditionProduction.dll extracted from flash dump

Inputstrings Production.dll | grep -i 'sign|verify|hash|md5|sha|rsa|aes|encrypt'

Expected (secure)Output includes references to SHA/RSA/HMAC or equivalent functions

Actual ResultZero firmware-related cryptographic functions found in 2.57 MB binary

TC-04 Confirm USB VID Scope Across 12 Product IDs High

Preconditiondriver/ADFUUpdate.inf extracted

Inputcat ADFUUpdate.inf | grep VID

ExpectedSingle product entry

Actual Result12 distinct PIDs listed under VID 10D6 (Actions Semiconductor Co., Ltd)

05 — Tooling

Tools Used in This Research

dd	Raw NAND flash extraction via USB mass storage interface
ByteScan custom script	Binary string scanning, ZIP boundary detection, artifact extraction
binwalk	Firmware signature detection, filesystem identification, entropy analysis
strings (GNU)	Readable string extraction from PE binaries (DLL/EXE)
zipfile — Python stdlib	Reliable ZIP extraction from arbitrary binary offsets
Ghidra 11.1.2	Disassembly platform prepared for deeper static analysis

06 — Key Lessons

What This Research Teaches

01 Consumer devices often embed their own attack tools — the firmware flasher was stored on the device itself inside the user-accessible flash partition.
02 Configuration files are the fastest proof of absent security controls. A missing signature field in Upgrade.ini took seconds to read and was immediately conclusive.
03 Strings analysis of production DLLs delivers fast, definitive proof. Zero cryptographic function names in a 2.57 MB binary confirms the absence of any validation logic.
04 USB Vendor IDs dramatically expand CVE scope. One finding covering VID 10D6 potentially affects dozens of products across multiple consumer electronics brands worldwide.
05 Physical access vulnerabilities are publishable, MITRE-assignable CVEs. They are not second-class findings in the security community.
06 The initial crash (filename overflow) was a launchpad, not the destination. Following anomalous behaviour deeper into the firmware architecture revealed a far more impactful finding.

07 — Responsible Disclosure

Disclosure Timeline

Vendor notified: Commaxx B.V. and Lenco Benelux BV — February 24, 2026
CVE submitted: MITRE — February 24, 2026 — pending assignment
90-day disclosure window: in effect
Public disclosure: Regardless of vendor response — May 2026

Full CVE details: bytescan.net/CVE

Product	Lenco Xemio-860BK / 860BU / 860GN
Manufacturer	Commaxx B.V., Wiebachstraat 37, Kerkrade, Netherlands
Brand	Lenco Benelux BV
SoC Platform	Actions Semiconductor Co., Ltd (USB VID: 10D6)
Update Tool	Tool-Media Player Utilities v4.46 (June 3, 2024)
Core Binary	Production.dll (2.57 MB), RdiskUpgrade.exe
Vulnerability	No firmware signature or integrity verification (CWE-347)
Severity	Medium-High (CVSS ~6.8) — requires physical USB access
Scope	12 USB Product IDs sharing Actions Semi VID 10D6
CVE Status	Pending — MITRE submission and vendor disclosure in progress