Bypass Record
Pre-OS Boot × Unisoc UMS512 (T618) SoC firmware
A publicly-reported instance of Pre-OS Boot bypassing Unisoc UMS512 (T618) SoC firmware, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The BootROM loads the SPL from eMMC and verifies only its DHTB SHA-256 hash, not the RSA signature. The SPL normally performs RSA-2048 signature verification on the sml, trustos, and uboot images. The tool patches the SPL to NOP out the four RSA verify call sites and updates the DHTB hash to match. The patched SPL is then flashed to the eMMC boot partition, so all subsequent boot stages load without signature checks.
Detection & mitigation
Monitor bootloader integrity by comparing SPL hashes against known-good values at rest and during boot. Enforce hardware-backed secure boot in which the BootROM verifies the full chain, not just the SPL hash.
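The at-rest comparison described above, as an added example that is not from the cited source or any vendor tooling: it audits a dumped SPL image against an out-of-band allowlist and shows why a hash stored inside the image cannot serve as the reference. The container layout (`DEMO` magic, 32-byte hash, payload), the function names and all sample bytes are constructed for illustration and do not reproduce the real DHTB format.

```python
import hashlib
import hmac

# Hypothetical simplified container for this example only (NOT the real DHTB
# layout): 4-byte magic, 32-byte SHA-256 of the payload, then the payload.
MAGIC = b"DEMO"
HASH_OFF, PAYLOAD_OFF = 4, 36


def build_image(payload: bytes) -> bytes:
    """Wrap a payload with a header hash, as any party holding the file can."""
    return MAGIC + hashlib.sha256(payload).digest() + payload


def embedded_hash_ok(image: bytes) -> bool:
    """Self-consistency only: does the header hash match the payload?"""
    if len(image) < PAYLOAD_OFF or image[:HASH_OFF] != MAGIC:
        return False
    expected = hashlib.sha256(image[PAYLOAD_OFF:]).digest()
    return hmac.compare_digest(image[HASH_OFF:PAYLOAD_OFF], expected)


def audit_spl(image: bytes, known_good: set) -> str:
    """Classify a dumped SPL image against hashes kept outside the device."""
    digest = hashlib.sha256(image).hexdigest()
    if digest in known_good:
        return "ok"
    if embedded_hash_ok(image):
        # Header and payload agree, yet the whole image is not a known
        # release: the signature of a modified SPL whose hash was updated.
        return "alert: self-consistent but unknown image"
    return "alert: corrupt or unknown image"


# Constructed sample data: a stand-in vendor SPL, a modified copy whose header
# hash was recomputed, and a copy damaged without fixing the header.
VENDOR_SPL = build_image(b"\x01" * 64 + b"verify-call" * 4)
MODIFIED_SPL = build_image(b"\x01" * 64 + b"no-op-bytes" * 4)
CORRUPT_SPL = VENDOR_SPL[:-1] + b"\x00"
KNOWN_GOOD = {hashlib.sha256(VENDOR_SPL).hexdigest()}

if __name__ == "__main__":
    for name, img in [("vendor", VENDOR_SPL), ("modified", MODIFIED_SPL),
                      ("corrupt", CORRUPT_SPL)]:
        print(name, embedded_hash_ok(img), audit_spl(img, KNOWN_GOOD))
```

The modified image passes the embedded-hash check and is caught only by the allowlist, which is why the known-good values must be stored and compared off the device.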
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.