How to unlock bootloader on New unisoc Devices (T7510)

Unlocking the bootloader on unisoc T7510 is a prerequisite for many advanced actions, such as flashing Custom ROMs, rooting, or downgrading the operating system. Unlocking the bootloader will void your warranty, therefore you must be careful and take this into consideration.

The unlock method we share below is based on Vulnerabilities on BootROM Where an attacker with physical access to the device can replace a function pointer in the BootROM data section or a return address stored on the stack, allowing them to run their own code with the authority of the BootROM.

detailed Information about Vulnerabilities available here

unisoc BootROM can be taken from here or stack-info.csv.


Step 1: overwrite stack to execute FDL1 without verfication

Use custom_exec_no_verify_3f88.bin to replace the stack if the device entered download mode by holding a specified button during startup (usually volume down).

Use custom_exec_no_verify_3f28.bin to replace the stack if the device entered download mode after all efforts to boot failed (for example, if the splloader was deleted and no key was hit).

Make custom_exec.bin in accordance with BootROM for more Socs affected by CVE-2022-38694.

Step 2: Modify FDL1

Patch 1: NOP(1F 20 03 D5) verfication in data_exec.

Patch 2: change download mode (0x102)(40 20 80 52) to boot mode(0x104)(80 20 80 52).

  • Apply patch 1 to original FDL1, save as fdl1-dl.bin.
  • Apply patch 1 and patch 2 to original FDL1, save as fdl1-boot.bin.

Using FDL1 from a different model (same Soc) appears secure. Unfortunately, only in download mode. Device-specific fdl1 is required to unlock the bootloader. If your manufacturer won’t provide fdl1, you can compile it yourself (you’ll need to modify some ddr init code to work with splloader).

Here is pre patched unlock tool for some devices

Step 3: Modify FDL2(uboot)

Patch 1: patch do_cboot.

search for VerifiedBoot-UNLOCK to find set_lock_status.

search for 0x32121BAC or 0x1BAC (T7510 specific address ?), and reboot_devices starts with CMP W0,#3  CMP W0,#4 CMP W0,#2.

search for enter boot mode to find do_cboot, patch it to call set_lock_status and reboot_devices.

Patch 2 : NOP write check of secure partitions.

Like fdl1, uboot for unlocking bootloader (boot mode) must be device-specific as well. However, you can use another model (same Soc) uboot in download mode to read_part your device uboot


Part 4: get trustos images list and load address from splloader

get splloader by read_part

The list and address are easy to get, since _start calls resetreset calls nand_bootnand_boot will load images from emmc/ufs to memory and boot.

device model android sml teecfg tos
tyyh2020 ud710_20c10 9 0x94000000 no need 0x94040000
tyyh2021 ud710_7h10 10 0x94000000 0x94020000 0x94040000
Hisense A7 ud710_2h10 10 0x94000000 0x94020000 0x94040000


Misc: you need to know correct partition size to read_part, this can be done by read_part user_partition 0 17K efi_part.img(It works for emmc, I don’t know about ufs). Open efi_part.img in WinHex.

Prepare unlock command

1: send fdl1-dl.bin, send uboot, read_part trustos images and chsize these images

2: send fdl1-boot.bin, send modified uboot with trustos images, sml must be the last one sent to device.

3: erase userdata, use one of download/fastboot/recovery (If your userdata use f2fs format, you can take the userdata.bin from tyyh branch).

Here is command that can be used with SPD_dump (must replaced with your own data)

Read Part:

spd_dump fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec read_part splloader 0 1m spl.bin read_part uboot_a 0 3m uboot.bin erase_part splloader reset

Write part

spd_dump fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec write_part uboot_a fdl2-cboot.bin write_part uboot_b fdl2-cboot.bin reset
spd_dump fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec write_part splloader spl.bin write_part uboot_a uboot.bin write_part uboot_b uboot.bin reset


Method 2:

Credit: Github users > TomKing062, Alephgsm, Iscle