Share
## https://sploitus.com/exploit?id=B9031C45-1D3A-536E-A5A4-8D236B32EB56
# Realme C53 (RMX3760) โ Bootloader Unlock & Root Guide
Complete guide to unlock bootloader (via CVE-2022-38694) and gain root access
on Realme C53 / RMX3760 (Unisoc T612).
> **Bahasa Indonesia?** Lihat [`README.id.md`](README.id.md) untuk panduan dalam bahasa Indonesia.
## Device Specifications
| Spec | Value |
|------|-------|
| Model | Realme C53 (RMX3760 / RMX3762) |
| SoC | Unisoc T612 (ums9230) |
| CPU | 2x Cortex-A78 + 6x Cortex-A55 |
| GPU | Mali-G57 |
| Kernel | 5.15.178-android13-8 (non-GKI) |
| Android | 15 (AP3A.240905.015.A2) |
| Storage | 64 GB / 128 GB eMMC |
| RAM | 4 GB / 6 GB |
| Arch | aarch64 |
| Slots | A/B (boot_a/boot_b, init_boot_a/init_boot_b) |
## Requirements
- Windows PC (or any OS with ADB/fastboot)
- USB cable (data transfer capable)
- SPRD USB driver (for unlock step)
- ~30 minutes
## Methods
This guide covers **two** root methods:
1. **Magisk** (recommended, simpler) โ Works via init ramdisk patching
2. **KernelSU** (LKM mode) โ Requires building kernel module from source
## Quick Start
### 1. Backup Data
**WARNING:** Unlocking bootloader wipes the device. Backup your important data before proceeding.
### 2. Unlock Bootloader
Use [CVE-2022-38694](https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader)
exploit by TomKing062.
1. Install SPRD driver (see `sprd_driver/`)
2. Power off phone
3. Short-circuit the motherboard to enter SPRD U2S Diag mode
4. Run unlock procedure (see `scripts/unlock.sh`)
### 3. Dump Stock Boot Image
```
adb shell dd if=/dev/block/by-name/boot_a of=/data/local/tmp/boot.img
adb pull /data/local/tmp/boot.img stock_boot.img
```
### 4. Root with Magisk
```
# Push Magisk files to phone
adb push stock_boot.img /data/local/tmp/
adb shell /data/local/tmp/magisk/boot_patch.sh /data/local/tmp/boot.img
adb pull /data/local/tmp/magisk/new-boot.img magisk_patched_boot.img
# Flash
adb reboot bootloader
fastboot flash boot_a magisk_patched_boot.img
fastboot flash boot_b magisk_patched_boot.img
fastboot reboot
```
Open Magisk app โ Superuser โ Grant root to Shell.
### 5. Root with KernelSU (LKM)
Requires building `kernelsu.ko` from kernel source for matching vermagic.
```
git clone
cd kernel_source
# Add KernelSU as submodule
curl -LSs "https://raw.githubusercontent.com/KernelSU-Next/KernelSU-Next/main/kernel/setup.sh" | bash -
# Build only the module
make ARCH=arm64 CC=clang LLVM=1 modules_prepare
make ARCH=arm64 CC=clang LLVM=1 M=KernelSU modules
# Use ksud to patch boot image with the .ko
```
See `scripts/root_kernelsu.sh` for details.
## Partition Layout
| Partition | Size | Description |
|-----------|------|-------------|
| boot_a/boot_b | 64 MB | Kernel + DTB (no ramdisk) |
| init_boot_a/b | 8 MB | Ramdisk (init scripts) |
| vendor_boot | 100 MB | Vendor ramdisk |
| super | 8000 MB | System, product, vendor |
| userdata | rest | User data |
| miscdata | 1 MB | Bootloader unlock flag |
Full layout in `files/partition_layout.txt`.
## Kernel Source
```
https://github.com/realme-kernel-opensource/realme_C51_C53_Note50_C60_C51_N53-AndroidU-kernel-source
```
Note: Contains `drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c` and
`include/soc/arc/aux.h` which are reserved filenames on Windows.
Use WSL/Linux to clone.
## Credits
- [TomKing062](https://github.com/TomKing062) โ CVE-2022-38694 unlock exploit
- [KernelSU-Next](https://github.com/KernelSU-Next/KernelSU-Next) โ KernelSU Next
- [topjohnwu](https://github.com/topjohnwu/Magisk) โ Magisk
- Realme Open Source โ Kernel source code
- [opencode](https://opencode.ai) โ AI coding agent used to document this guide
- opencode/big-pickle โ Model powering the AI agent
## License
This documentation is provided for educational purposes.
Use at your own risk.