How to Unlock Bootloader using CVE-2022-38694 Exploit

In this guide, we will show you the steps to unlock the bootloader on your Android device using the CVE-2022-38694 Exploit. Unlocking the bootloader is usually a fairly easy task: just boot your device to Fastboot Mode, type in fastboot flashing unlock, and finally confirm the choice on your device via the Power and Volume keys. Unfortunately, that isn’t the case with all OEMs.

Devices with a Unisoc or Spreadtrum chipset are perhaps the most complicated ones out there when it comes to the unlocking process [and now HyperOS is going in that direction as well]. The aforementioned command will not work on any device with an underlying Unisoc or Spreadtrum chipset. Some of these devices don’t even have a Fastboot Mode to begin with. So, what can be done in such cases?

Well, you can use the Identifier Token to get this job done, but its use case is limited to only a few devices out there. This is where the CVE-2022-38694 Exploit comes into play. In technical terms:

Any attacker [which would be us in this case] with physical access to the device can overwrite a function pointer in the BootROM data section and execute their own code with BootROM privileges.

The exploitation of this vulnerability could easily lead to unauthorized access to the device’s bootloader. And guess what? This is exactly what we would need [it’s just that while the access will still be unauthorized, we would be very much aware of the user who is getting this access!]. So, making full use of this CVE-2022-38694 Exploit, let’s proceed ahead and unlock the bootloader on your Unisoc/Spreadtrum devices.


Before starting, please take a complete device backup. Moreover, the process might void the device’s warranty as well. So proceed with caution and at your own risk. Droidwin and its members wouldn’t be held responsible in case of a thermonuclear war, your alarm doesn’t wake you up, or if anything happens to your device and data by performing the steps below.

Supported Device List

Apart from the ones listed below, there are a few other devices given in the Downloads section, which are not part of this list but are supported as well.

| Chipset | Device Name | Boot to Download Mode | OS Version | Additional Information |
|---|---|---|---|---|
| sc9863a | Itel Vision 2s/3 | | vab | |
| sc9863a | Realme C11 2021 RMX3231/Narzo 50i RMX3235 | | vab | |
| sc9863a | Redbeat C1 | | vab | use sc9863a_Itel_Vision_3 |
| sc9863a | Vortex NS65 | | | use sc9863a_Itel_Vision_3 |
| sc9863a | ZTE Blade A31 | | vab | arm32 |
| sc9863a | ZTE Blade A51 | | vab | arm32 |
| sc9863a | ZTE Blade A52 | | vab | arm32, can use as 9863a_32 vab ZTE universal |
| sc9863a | ZTE Blade A5 2019 | | 9 | |
| sc9863a | ZTE Blade A7 2019 | | 9 | |
| sc9863a | ZTE Blade V2020 Smart | | 10 | |
| sc9863a | ZTE Voyage 40se | | vab | fdl-dl from A52, can use as 9863a_64 vab ZTE universal |
| ud710 | Coolpad X10 | | 9 | |
| ud710 | Hisense A7 | POWER + VOL_UP + VOL_DOWN | 10 | fdl1-boot |
| ud710 | Hisense A7cc | POWER + VOL_UP + VOL_DOWN | 10 | fdl1-boot |
| ud710 | Hisense HNR551T | POWER + VOL_UP + VOL_DOWN | 9 | |
| ud710 | K-Touch Bee A7 | | 9 | |
| ud710 | Tyyh 2020/Hisense HNR552T | POWER + VOL_UP + VOL_DOWN | 9 | fdl1-boot |
| ud710 | Tyyh 2021/360 q10pro | POWER + VOL_DOWN | 10 | fdl1-boot, 2021 and q10pro have different device-tree |
| ud710 | xiaolajiao 20 | | | |
| ums312 | MEIZU MeiBlue 10/10s | | 9 | |
| ums312 | Qin F21pro+ | | vab | can use as ums312 vab universal ? |
| ums512 | Alldocube iplay 50 | POWER + VOL_DOWN | vab | can use as ums512 vab universal |
| ums512 | GIONEE GT9 | | vab | fdl1-boot |
| ums512 | Hisense A5pro | POWER + VOL_UP + VOL_DOWN | 10 | fdl1-boot |
| ums512 | Hisense A5procc | POWER + VOL_UP + VOL_DOWN | 10 | fdl1-boot |
| ums512 | Hisense E22 HITV102C | | | use Hisense A5procc |
| ums512 | Hisense hi reader | POWER + VOL_UP + VOL_DOWN | 10 | |
| ums512 | Hisense Q5 | POWER + VOL_UP + VOL_DOWN | 10 | fdl1-boot |
| ums512 | Infinix hot 12 play nfc | | vab | NOP handshake |
| ums512 | Motorola Moto G20 | | vab | |
| ums512 | OYSIN m60p v5000 | | vab | |
| ums512 | Realme C21y RMX3261/RMX3263 | | vab | |
| ums512 | Realme C25y RMX3269 | | vab | |
| ums512 | Umidigi A13 Pro | | | use Umidigi G1 Max |
| ums512 | Umidigi G1 Max | | vab | |
| ums512 | ZTE Axon20 4G A2121E P618A01 | | 10 | fdl1-boot |
| ums9230 | Alldocube iplay 50 mini | POWER + VOL_DOWN | vab | EMMC ONLY !!! |
| ums9230 | Baidu Qinghe V20 | | vab | read #57 |
| ums9230 | Blackview A85 | | vab | |
| ums9230 | Coolpad shangfeng50 | | vab | use ums9230 universal |
| ums9230 | Doogee T10 | POWER + VOL_DOWN | vab | |
| ums9230 | Doogee T10s | | vab | |
| ums9230 | Doogee T20 Mini | | vab | use ums9230 universal |
| ums9230 | DOOV u23 | | vab | use ums9230 universal |
| ums9230 | DOOV x15pro | | vab | use ums9230 universal |
| ums9230 | i15pro | | vab | |
| ums9230 | IIIF150 B2 | | vab | |
| ums9230 | Infinix Hot 12pro | | vab | |
| ums9230 | Infinix Hot 30i | | vab | patch dl_cmd_handler |
| ums9230 | Itel P40+ | | vab | patch dl_cmd_handler |
| ums9230 | Itel S23 | | vab | patch dl_cmd_handler |
| ums9230 | Itel vision 3 plus | | vab | |
| ums9230 | Itel vision 5 plus | | vab | NOP handshake |
| ums9230 | lebest l23pro | | vab | use ums9230 universal |
| ums9230 | moto e13 | | vab | EMMC ONLY, THIS WILL ERASE YOUR UFS |
| ums9230 | moto e20 | | vab | use moto e13 |
| ums9230 | Nokia G21 | | vab | |
| ums9230 | Philips X7206 | | vab | use Alldocube iplay 50 mini |
| ums9230 | Realme C31 RMX3501 | | vab | |
| ums9230 | Realme C33 RMX3424 | | vab | |
| ums9230 | Realme C35 RMX3511 | | vab | |
| ums9230 | Realme C51 RMX3830 | | vab | |
| ums9230 | Realme C53 RMX3760/RMX3762 | | vab | |
| ums9230 | Realme narzo 50i prime RMX3506 | | vab | |
| ums9230 | Realme Note 50 RMX3834 | | vab | |
| ums9230 | RYHT X90 | | vab | |
| ums9230 | Tecno spark 8c | | vab | |
| ums9230 | Umidigi A15 | | vab | |
| ums9230 | Umidigi Active T1 | | vab | |
| ums9230 | universal | | vab | EMMC ONLY !!! |
| ums9230 | zte blade 40/50 design | | vab | use ums9230 universal |
| ums9620 | anbernic RG 556 | | vab | fdl1-boot |
| ums9620 | anbernic RG Cube | | vab | fdl1-boot |
| ums9620 | Bihee a89 | POWER + Num_1 | vab | |
| ums9620 | Coolpad GoldCentury y60 | POWER + VOL_UP | vab | patch dl_cmd_handler use ums9620_universal_unlock test dramtype yourself |
| ums9620 | DOOV x9 | | vab | use universal dram1/dram2 |
| ums9620 | Hisense H60 | | vab | |
| ums9620 | OSCAL Tiger 13 | | vab | use ZTE Universal or universal dram1/dram2 |
| ums9620 | TCL t508n | POWER + center + up + down + right + left | vab | |
| ums9620 | universal dram1/dram2 | | vab | Coolpad devices, Tyyh 2022 |
| ums9620 | ZTE Universal | POWER + VOL_DOWN | vab | 30s, 41, 50 |
| ums9621 | MeiZu Note 16 | | vab | custom_exec payload is private |

Download Bootloader Unlock CVE-2022-38694 Exploit Tool

You may now get hold of the tool corresponding to your device from below [Credits for these files: TomKing062 on GitHub].

  • sc9863a_Itel_Vision_3.zip
  • [email protected]
  • sc9863a_Realme_C11_2021_RMX3231_Narzo_50i_RMX3235.zip
  • sc9863a_ZTE_Blade_A31.zip
  • sc9863a_ZTE_Blade_A51.zip
  • sc9863a_ZTE_Blade_A52.zip
  • sc9863a_ZTE_Blade_A5_2019.zip
  • sc9863a_ZTE_Blade_A7_2019.zip
  • sc9863a_ZTE_Blade_v2020_smart.zip
  • sc9863a_ZTE_Voyage_40se_v4.zip
  • ud710_coolpad_x10.zip
  • ud710_hisense_a7.zip
  • ud710_hisense_a7cc.zip
  • ud710_hisense_HNR551T.zip
  • ud710_K-TouchBeeA7.zip
  • ud710_tyyh2020.zip
  • ud710_tyyh2021.zip
  • ud710_xiaolajiao20.zip
  • ums312_for_android9_10_MeiBlue_10_10s_repack.zip
  • ums312_MeiBlue_10_10s.zip
  • ums312_Qin_F21pro+.zip
  • ums512_alldocube_iplay_50_EN_20230801.zip
  • ums512_for_android10_alldocube_iplay_50_repack.zip
  • ums512_GIONEE_GT9.zip
  • ums512_hisense_a5pro.zip
  • ums512_hisense_a5procc.zip
  • ums512_hisense_hi_reader.zip
  • ums512_hisense_q5.zip
  • ums512_infinix_hot_12_play_nfc.zip
  • ums512_Motorola_Moto_G20.zip
  • ums512_OYSIN_m60p_v5000.zip
  • ums512_Realme_C21y_RMX3261_RMX3263.zip
  • [email protected]
  • ums512_Umidigi_G1_Max.zip
  • ums512_ZTE_Axon20_4G_A2121E_P618A01.zip
  • ums9230e_Tecno_KL4.zip
  • ums9230_alldocube_iplay_50_mini_EN_20230527.zip
  • ums9230_Baidu_Qinghe_V20.zip
  • ums9230_Blackview_A85.zip
  • ums9230_Doogee_T10.zip
  • ums9230_Doogee_T10s.zip
  • [email protected]
  • ums9230_i15pro.zip
  • ums9230_IIIF150_B2.zip
  • ums9230_Infinix_hot_12_pro.zip
  • ums9230_Infinix_Hot_30i_base230522.zip
  • ums9230_itel_P40+_base230619_v2.zip
  • ums9230_itel_S23_base230605.zip
  • ums9230_itel_vision_3_plus.zip
  • ums9230_itel_vision_5_plus.zip
  • ums9230_moto_e13_v2.zip
  • ums9230_moto_g04.zip
  • ums9230_moto_g14.zip
  • ums9230_Nokia_G21.zip
  • ums9230_Realme_C31_RMX3501.zip
  • ums9230_Realme_C33_RMX3624.zip
  • ums9230_Realme_C35_RMX3511.zip
  • ums9230_Realme_C51_RMX3830.zip
  • ums9230_Realme_C53_RMX3760_RMX3762.zip
  • ums9230_Realme_narzo_50i_prime_RMX3506.zip
  • ums9230_Realme_Note_50_RMX3834.zip
  • ums9230_RYHT_X90.zip
  • ums9230_tecno_spark_8c.zip
  • ums9230_Umidigi_A15.zip
  • ums9230_Umidigi_Active_T1.zip
  • ums9230_universal_unlock.zip
  • ums9620_bihee_a89_v3.zip
  • ums9620_hisense_h60.zip
  • ums9620_RG_556.zip
  • ums9620_RG_CUBE.zip
  • ums9620_tcl_t508n_v6.zip
  • ums9620_universal_unlock_dramtype1.zip
  • ums9620_universal_unlock_dramtype2.zip
  • ums9620_ZTE_universal.zip

Bootloader Unlocking Instructions

  1. First off, download and extract the SPD Drivers on your PC.
  2. Then launch the DriverSetup.exe file and install the drivers.
  3. Now, download the Unlock Bootloader Tool from the above link.
  4. Then boot your device to the Download Mode as shown below:
  5. Power off your device. Then, press and hold the Volume Down key and connect it to your PC via a USB cable.
  6. Power off your device. Then, press and hold the Volume Up and Down keys and connect it to your PC via a USB cable.
  7. Now open Device Manager [via Windows+X shortcut keys] and search for your device.
  8. It should be named like: Unisoc Phone, SPRD COM, UNKNOWN DEVICE, or something similar.
  9. So right-click on it and select Update Drivers > Browse my computer for driver > Choose from a list of drivers > select the SPRD AT Version xxx > hit Install.
  10. Now disconnect the phone. Open the “Unlock_autopatch_512.bat” file and connect your device to the PC in Download Mode [as explained above].
  11. Now, proceed with the on-screen instructions to complete the rest of the process. Once done, your device will boot to the OS having an unlocked bootloader.
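
To confirm the resulting lock state from the PC side, or to audit several devices for the chipsets listed above, you can parse the output of adb shell getprop. The script below is an added example, not part of the original guide or of TomKing062's tools; it reads the standard Android boot properties, while finding the chipset name in ro.board.platform, ro.hardware or ro.boot.hardware is an assumption, and the two sample dumps are constructed.

```python
import re

# Chipset names taken from the supported-device table on this page.
AFFECTED_CHIPSETS = ("sc9863a", "ud710", "ums312", "ums512",
                     "ums9230", "ums9620", "ums9621")
# `getprop` prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

# Constructed sample dumps (not captured from real devices).
SAMPLE_UNLOCKED = ("[ro.board.platform]: [ums512]\n"
                   "[ro.boot.flash.locked]: [0]\n"
                   "[ro.boot.verifiedbootstate]: [orange]\n"
                   "[ro.boot.vbmeta.device_state]: [unlocked]\n")
SAMPLE_LOCKED = ("[ro.board.platform]: [ums9230]\n"
                 "[ro.boot.flash.locked]: [1]\n"
                 "[ro.boot.verifiedbootstate]: [green]\n"
                 "[ro.boot.vbmeta.device_state]: [locked]\n")


def parse_getprop(text):
    """Turn raw `adb shell getprop` output into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(text):
    """Return (chipset_or_None, lock_state) for one device dump."""
    props = parse_getprop(text)
    # Assumption: the SoC name appears in one of these properties.
    hw = " ".join(props.get(k, "") for k in
                  ("ro.board.platform", "ro.hardware", "ro.boot.hardware")).lower()
    chipset = next((c for c in AFFECTED_CHIPSETS if c in hw), None)
    locked = props.get("ro.boot.flash.locked")
    vb = props.get("ro.boot.verifiedbootstate", "").lower()
    dev_state = props.get("ro.boot.vbmeta.device_state", "").lower()
    # Any single "unlocked" indicator wins over the others.
    if locked == "0" or vb == "orange" or dev_state == "unlocked":
        return chipset, "unlocked"
    if locked == "1" and vb == "green":
        return chipset, "locked"
    return chipset, "unknown"  # missing values: inspect the device by hand


if __name__ == "__main__":
    for name, dump in (("A", SAMPLE_UNLOCKED), ("B", SAMPLE_LOCKED)):
        print(name, audit(dump))
```

These values are reported by the boot chain itself, so treat them as a first-pass signal; hardware-backed key attestation also reports the device lock state and verified boot state.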