unisoc-su

A method for CVE-2025-31710 and to connect to cmd_skt abstract socket to obtain a root shell on unisoc unpatched models

Before everyone screams, Unisoc itself authorized me to publish this after the CVE-2025-31710 bulletin, so stay quiet.

Let's start with a joke: (meme image, not reproduced here)

Yes, you are not dreaming. Today I want to present an exploit for a system shell on the com.sprd.engineermode app, and since that app is one of the trusted clients of cmd_skt, I was also able to enter that socket as well. The socket is served by a service that runs as root (cmd_services). So yes, I'm glad to present unisoc-su. Here is the list of trusted clients extracted from the cmd_services binary with Ghidra, which shows that com.sprd.engineermode is present:

(image: trusted-client list of cmd_services, extracted with Ghidra)

This cmd_skt abstract socket was already accessed in 2022 (CVE-2022-47339); because of that, cmd_services now exits almost immediately if nothing connects, which is the reason for the timing in this procedure. This method uses the com.sammy.systools app by pascua28 and cli-pie by TomKing062 (there is also another placer app, which is still the sammy.systools app but stripped of every binary except cli-pie, and which also ships the 32-bit version of cli-pie, so use that one if you are on a 32-bit device; I modded it later so it looks different, but it is still the sammy.systools app).

How this method works:

1. Run UnisocEngSyshell_Enabler_Script.sh from adb shell or from Shizuku's rish to enable the com.sprd.engineermode app (only needed on newer models).
2. Following the script's instructions, dial *#*#83781#*#* in the dialer to launch the main activity, and from there open the "adb shell" activity.
3. Enter the full cli-pie path (including the applet) on one line and "setprop persist.sys.cmdservice.enable enable" on the other.
4. Press start on the setprop line first and then on the cli-pie line, as fast as possible; it will show connected.
5. Press end on the setprop line and delete its text, then input "nc -s 127.0.0.1 -p 1234 -L sh -l" (or whatever you use to run the reverse shell).
6. Go to the terminal and connect back with the matching binary, or simply with "nc localhost 1234".
7. Run "source /sdcard/Documents/unisoc-su.sh" (or wherever you placed the script; it must be readable from the system shell).

That's it: if everything went right, you now have a root shell.

Now, let's talk about this exploit. The context is heavily guarded by SELinux: we have root, but every protection is still up. This root is significant because we didn't disable anything, but we have to find a place where we can execute; this context is probably not able to disable SELinux, but after getting execution with our own binaries we could try something. The cmd_services sepolicy isn't that good, honestly, in my opinion, but there is hope. About the service itself: on eng builds it seems to have no groups (at least on Android 9), so its gid defaults to root; on user builds the gid is system instead, so it's more restricted, but with SELinux up it is the policy that rules anyway.

(images: the cmd_services .rc entry on an Android 13 user build and on an Android 9 eng build)

CVEs that inspired this method: CVE-2022-47339 (cmd_services) and CVE-2025-31710 (EngineerMode system shell).

Three scripts are provided for unisoc-su. One has no tutorial: unisoc-su.sh. One guides you into the root shell using the system shell only (this method is easier, works offline, and needs neither Shizuku nor adb): unisoc-su-syshell-only-tut.sh. The last one guides you into the root shell using Shizuku/adb, which is only used to run the setprop part: unisoc-su-adb-shizuku-tut.sh. Source the one you like from your terminal; only unisoc-su.sh must be sourced from the system shell. A tools.sh script is also available in the ghostroot folder that adds various directories to PATH and works from the adb, system and root shells, plus a multi script that runs the system shell when you don't know which nc you have on your system: it tries nc from the various possible binaries until the connection succeeds.

About GhostRoot (Post-Exploit Root Channel)

A stealthy post-exploit command channel that survives in RAM and accepts input from any unprivileged app via file-based I/O.

The exploit works up to Android 13: on later versions Unisoc removed the sharedUserId tag from the EngineerMode app, so it is now a normal user app, and this makes SELinux deny execution of cli-pie on Android 14 and Android 15.

(image: comparison of the sharedUserId and normal-uid EngineerMode manifests before and after the patch, provided by TomKing062)

That is, unless your device has EngineerMode in the vendor partition and it wasn't updated together with the system partition (I just found this situation on a ZTE Blade A55: ZTE_Blade_A55_system_ext_build.txt, ZTE_Blade_A55_vendor_build.txt), or unless for some reason your device doesn't have the patch for this exploit applied even on Android 14 and up (assuming you got that lucky). In that case you will end up in one of two situations: you might have cmd_services, or tool_service, which is the new version of the former. Note that tool_service doesn't need any setprop and should always be active: tool_service.rc.txt
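For anyone auditing a fleet of Unisoc devices rather than rooting one, here is an added defender-side example (not code from the unisoc-su repository) that triages a plain `getprop` dump for the indicators this write-up names: whether persist.sys.cmdservice.enable has been set to enable (so the root-running cmd_services listener on cmd_skt is live), whether the build is eng or user (gid root versus gid system, as described above), and whether the Android release is 14 or later, where the sharedUserId removal applies unless EngineerMode lives in vendor. ro.build.type and ro.build.version.release are standard Android properties; the two getprop dumps in the block are constructed samples, not captured from real devices.

```python
"""Triage a Unisoc device's `getprop` dump for the cmd_services exposure
described in this README.  Added defender-side example, not code from the
unisoc-su repository; the getprop samples below are constructed."""
import re
from dataclasses import dataclass, field

# getprop prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(dump: str) -> dict:
    """Turn raw getprop output into a {key: value} dict; non-matching lines are skipped."""
    props = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


@dataclass
class Triage:
    cmdservice_enabled: bool   # persist.sys.cmdservice.enable == "enable"
    build_type: str            # ro.build.type: "user", "userdebug" or "eng"
    android_release: int       # major number of ro.build.version.release
    findings: list = field(default_factory=list)


def triage(props: dict) -> Triage:
    """Apply the checks implied by the write-up to a parsed getprop dict."""
    enabled = props.get("persist.sys.cmdservice.enable", "") == "enable"
    build_type = props.get("ro.build.type", "unknown")
    release_str = props.get("ro.build.version.release", "0").split(".")[0]
    release = int(release_str) if release_str.isdigit() else 0
    result = Triage(enabled, build_type, release)

    if enabled:
        result.findings.append(
            "persist.sys.cmdservice.enable is 'enable': the root-running "
            "cmd_services listener on the cmd_skt abstract socket is up")
    if build_type == "eng":
        result.findings.append(
            "eng build: per the write-up the cmd_services gid defaults to "
            "root here (gid system on user builds)")
    if release >= 14:
        result.findings.append(
            "Android 14+: sharedUserId was removed from EngineerMode, so "
            "this method should fail unless EngineerMode ships in vendor")
    else:
        result.findings.append(
            "Android 13 or lower: EngineerMode may still carry sharedUserId; "
            "verify the CVE-2025-31710 fix is installed")
    return result


# Constructed samples, not real device dumps.
SAMPLE_ENG_ANDROID9 = """\
[ro.build.type]: [eng]
[ro.build.version.release]: [9]
[persist.sys.cmdservice.enable]: [enable]
"""

SAMPLE_USER_ANDROID14 = """\
[ro.build.type]: [user]
[ro.build.version.release]: [14]
this line is not a property and is ignored
"""

if __name__ == "__main__":
    for name, dump in (("eng/9", SAMPLE_ENG_ANDROID9),
                       ("user/14", SAMPLE_USER_ANDROID14)):
        t = triage(parse_getprop(dump))
        print(f"== {name}: cmdservice_enabled={t.cmdservice_enabled}")
        for finding in t.findings:
            print("  -", finding)
```

On a real device, feed it the output of `adb shell getprop`; a user build that reports the property unset and an Android 14+ release is the expected healthy state, while the property reading enable on an idle device is worth investigating, since nothing on the page sets it except the exploit flow.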

(screenshot: both the system shell and the root shell)

Here are video tutorials for entering the cmd_services root shell:

unisoc-su.Demonstration.Shizuku.Required.mp4
unisoc-su.Demonstration.System.Shell.only.mp4

Please do not repost this elsewhere if possible.

The app icon was grabbed here: icon-link, and here is its license: license-link
