CVE-2022-38694

HIGH

Unisoc SC9863A/T310/T610/T618 - Local Privilege Escalation via Unchecked BootRom Write Address


Exploitation Summary

EIP tracks 10 public exploits for CVE-2022-38694. PoCs published by TomKing062, TheGammaSqueeze, Phlegmelm.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2022-38694, targeting Unisoc (Spreadtrum) bootloader vulnerabilities. The tools manipulate firmware files to bypass bootloader locks by patching specific memory regions.

Description

In BootRom, there is a possible unchecked write address. This could lead to local escalation of privilege with no additional execution privileges needed.

Exploits (10)

nomisec WORKING POC 507 stars
by TomKing062 · poc
https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader

This repository contains functional exploit code for CVE-2022-38694, targeting Unisoc (Spreadtrum) bootloader vulnerabilities. The tools manipulate firmware files to bypass bootloader locks by patching specific memory regions.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Unisoc/Spreadtrum bootloader (various versions)
No auth needed
Prerequisites: Physical access to device · Unisoc/Spreadtrum-based device · Firmware dump
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 57 stars
by TheGammaSqueeze · poc
https://github.com/TheGammaSqueeze/Bootloader_Unlock_Anbernic_T820

This repository provides a functional bootloader unlock exploit for Anbernic devices using a modified version of CVE-2022-38694. It includes a script and detailed instructions for unlocking the bootloader, which is a prerequisite for flashing custom firmware.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Anbernic T820 Bootloader
No auth needed
Prerequisites: Unisoc USB Drivers · Windows system · Physical access to the device
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by Phlegmelm · poc
https://github.com/Phlegmelm/CRACK12

This repository provides a functional exploit for CVE-2022-38694, targeting Unisoc UMS9230 devices to unlock the bootloader and achieve root access. It includes automated scripts and detailed documentation for the exploitation process.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Unisoc UMS9230 bootloader
No auth needed
Prerequisites: Windows 10/11 · Android Platform Tools (adb/fastboot) · Unisoc USB driver · CVE-2022-38694 unlock tools · Magisk APK
devstral-2 · analyzed May 15, 2026

nomisec WRITEUP 1 star
by Seriousattempts · poc
https://github.com/Seriousattempts/Bootloader_Unlock_Retroid_Pocket_3Plus

This repository provides a detailed guide for unlocking the bootloader on the Retroid Pocket 3+ using CVE-2022-38694. It includes step-by-step instructions, prerequisites, and references to external tools and drivers.

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Retroid Pocket 3+ (UNISOC T618)
Auth required
Prerequisites: Unisoc USB Drivers · ums512_alldocube_iplay_50_EN_20230801 · ADB (Platform Tools) · Enabled developer options on RP3+
devstral-2 · analyzed Feb 19, 2026

nomisec WRITEUP
by sloden1977-lang · poc
https://github.com/sloden1977-lang/ROOT-ZTE-X1001

This repository provides a detailed technical guide for unlocking the bootloader and installing Magisk on the ZTE Blade X1001 using CVE-2022-38694. It includes step-by-step instructions, prerequisites, and troubleshooting tips, but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: ZTE Blade X1001 (Firmware C1.0.10_X1001_EEA, Android 12)
No auth needed
Prerequisites: ADB + Fastboot · SPD Research Driver · Exploit script for CVE-2022-38694 · Magisk APK · Windows PC · USB cable
devstral-2 · analyzed Jun 13, 2026

nomisec WORKING POC
by JoshAtticus · poc
https://github.com/JoshAtticus/ztewaste

This repository contains a functional proof-of-concept exploit for CVE-2022-38694, which extracts sensitive user data from Unisoc ZTE devices by leveraging a diagnostics dump vulnerability. The exploit uses Unisoc BROM tools to dump data and processes it to reveal app usage, OTA history, system events, and battery statistics.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ZTE devices with Unisoc chips (e.g., ZTE Blade A73 5G with Unisoc T760/UMS9620)
No auth needed
Prerequisites: Unisoc BROM tools (spd_dump.exe) · ADB access to the device · Device in Unisoc BROM mode
devstral-2 · analyzed Jun 01, 2026

nomisec WRITEUP
by Gopartner · poc
https://github.com/Gopartner/realme-c53-unlock-root

This repository provides a detailed technical guide for unlocking the bootloader and rooting the Realme C53 (RMX3760) device using CVE-2022-38694. It includes step-by-step instructions, scripts, and configuration files for building a KernelSU module and flashing a patched boot image.

Classification: Writeup 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Realme C53 (RMX3760) bootloader
No auth needed
Prerequisites: SPRD driver installation · ADB and Fastboot tools · Magisk APK · CVE-2022-38694 unlock tool
devstral-2 · analyzed May 17, 2026

nomisec WORKING POC
by AureliusIvan · poc
https://github.com/AureliusIvan/ubl-itel-s23

This repository contains a functional exploit for CVE-2022-38694, targeting the Unisoc BootROM to unlock the bootloader on the Itel S23 (S665L) device. It includes detailed technical documentation, exploit payloads, and scripts to bypass signature verification.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Unisoc BootROM (UMS9230)
No auth needed
Prerequisites: Linux environment · USB debugging enabled · OEM unlocking enabled · specific device (Itel S23)
devstral-2 · analyzed Mar 05, 2026

nomisec WORKING POC
by AureliusIvanInvenioPTL · poc
https://github.com/AureliusIvanInvenioPTL/ubl-itel-s23

This repository contains a functional exploit for CVE-2022-38694, targeting the Unisoc BootROM to unlock the bootloader on the Itel S23 (S665L) device. It includes detailed technical documentation, exploit payloads, and scripts to automate the unlock process.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Unisoc BootROM (UMS9230)
No auth needed
Prerequisites: Linux environment · USB debugging enabled · OEM unlocking enabled · specific device (Itel S23)
devstral-2 · analyzed Mar 05, 2026

nomisec WORKING POC
by xbxarchivr · poc
https://github.com/xbxarchivr/UNISOCUnlocker

This repository contains a functional exploit for CVE-2022-38694, targeting UNISOC-based devices. The code includes device-specific configurations and appears to be an unlocker tool for various UNISOC chipset models.

Classification: Working Poc 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: UNISOC-based devices (various models)
No auth needed
Prerequisites: Physical access to the device · UNISOC-based device
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.0056
EPSS Percentile 42.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-250
Status published
Products (1)
Unisoc (Shanghai) Technologies Co., Ltd. / SC9863A/T310/T610/T618
Published Sep 01, 2025
Tracked Since Feb 18, 2026