[TOOL] Unlock bootloader in ASUS ZenPad 3S 10 Z500M (P027)

By diplomatic, Senior Member on 6th January 2018, 04:31 AM
Tool to Unlock Bootloader in ASUS ZenPad 3S 10 Z500M (P027)

There is currently no official way to unlock the bootloader of the ZenPad 3S 10. The bootloader on this device does not let you start any unofficial (i.e. rooted) images. Worst of all, it's impossible to start even Yellow State images, which are self-signed. That is bad news if you want to have persistent root on your tablet. It does, however, let you do tethered boot.

That kind of behavior is not acceptable. I've developed a clever way to put a Mediatek bootloader into an unlocked state by using this software in root access. This results in the standard Orange State boot mode, which disables boot partition verification. As a bonus, this procedure does not erase your data like a typical unlock routine does. It also does not require a PC except to start the temporary rooted image. Note that your tablet will still not have fastboot flashing functionality. But flashing by other means is still possible.

WARNING: Running this tool should be pretty safe. But I don't encourage anyone to try this. This is still new, so unforeseen problems might arise. It cannot be ruled out that your device will become bricked. Before trying this out, consider the risks and drawbacks involved. By unlocking, you are essentially giving up the security of your device. It's also possible that a future firmware update will relock the bootloader or become incompatible with this tool.

This software is only for ASUS model Z500M/P027. Do not try it on any other device. It will not work. Support for other Mediatek devices may be added in the future. (That's why this is posted in the general forum rather than the ZenPad 10 one.)

And by the way, I don't own this tablet.

DISCLAIMER
This software is for educational purposes only. Anything you do that is described in this post is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

REQUIREMENTS
  • A ZenPad Z500M tablet upgraded to Android N
  • A rooted/patched boot image such as one made by Magisk Manager (method 1)
  • Temporary root with Magisk or other superuser manager installed (method 1)
  • TWRP image (method 2)
  • Knowledge of adb/fastboot and of basic Linux command shell

INSTRUCTIONS
Method 1
  1. Read all of these instructions and make sure you understand them before starting
  2. If you don't have an offline patched boot image, use Magisk Manager to make one from the stock boot.img of your current firmware. Transfer it to your PC.
  3. Reboot your tablet into fastboot mode--either hold vol. down + power to power up, and select Fastboot. Or run 'adb reboot bootloader' while in Android.
  4. Connect your tablet to a PC and run fastboot boot patched_boot.img to start the rooted image in tethered mode
  5. Download the tool zip file to your tablet.
  6. Extract the zip to your /data/local/tmp folder.
  7. Open a root shell with adb shell, then run 'su'
  8. Change your shell current directory to that folder (cd /data/local/tmp)
  9. Run this command to unlock or lock the bootloader
    Code:
    sh unlockbl.sh
  10. Follow the instructions on the screen and type the requested confirmation into the prompt.
  11. Check for completion or any error messages. Report them here.
  12. If no errors, you are unlocked and may modify your boot partition (e.g. install root).

Method 2
  1. Read all of these instructions and make sure you understand them before starting
  2. If you don't have TWRP for your tablet, download the latest image to your PC from this thread.
  3. Download the tool zip file to your tablet.
  4. Extract the zip to your /data/local/tmp folder. (For this method, most other folders should work as well due to permissive selinux mode)
  5. Reboot your tablet into fastboot mode--either hold vol. down + power to start up and select Fastboot, or run 'adb reboot bootloader' from Android
  6. Connect your tablet to a PC and run fastboot boot twrp-*.img to start TWRP in tethered mode
  7. At the TWRP welcome screen, do not select to modify the system partition and touch Keep System Read-only instead. Doing otherwise will render your tablet unbootable.
  8. Mount system in TWRP in read-only mode. Mounting in read/write mode will render your tablet unbootable.
  9. Open a shell with adb shell on your PC or open TWRP's built-in terminal
  10. Change your shell current directory to the folder that you extracted the tool zip into (cd /data/local/tmp)
  11. Run this command to unlock or lock the bootloader
    Code:
    sh unlockbl.sh
  12. Follow the instructions on the screen and type the requested confirmation into the prompt.
  13. Check for completion or any error messages. Report them here.
  14. If no errors, you are unlocked and may modify your boot partition (e.g. install root).

DOWNLOAD

Current Version
Unlock Tool v0.6

Past Versions
Unlock Tool v0.5
(Need to specify export LD_LIBRARY_PATH=/system/vendor/lib64 if running under TWRP.)

Changelog
v0.6
  • Handle units with blank bootloader configs
  • Improve compatibility with TWRP
  • Improve text wrapping for TWRP's terminal
v0.5
  • Major overhaul to remove the need for kernel module
v0.2
  • Made compatible with other FW versions
v0.1
  • First release

CREDITS
@amartolos for being a kick-ass tester

If anyone wants to develop a full Android app around this script, be my guest.

Also, that Thanks button will not click itself...
Attached Files
File Type: zip unlock_tool_z500m_v0.5.zip (8.8 KB, 3134 views)
File Type: zip unlock_tool_z500m_v0.6.zip (9.4 KB, 1596 views)
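
For anyone who has to tell afterwards whether a tablet is in one of the boot states named in the post above (Yellow, Orange), Android reports the state in the ro.boot.verifiedbootstate property. The script below is an added example, not part of the original post or of the unlock tool; the sample getprop lines are constructed, and that this device's bootloader populates these two properties is an assumption.

```shell
#!/bin/sh
# Added example: classify a device's verified-boot state from `getprop` output.

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_PROPS='[ro.product.model]: [P027]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]'

# Print the value of property $1 from getprop text on stdin ("[name]: [value]").
prop_value() {
    awk -v key="[$1]" -F': ' '
        $1 == key { v = $2; sub(/^\[/, "", v); sub(/\]$/, "", v); print v; exit }'
}

# Map getprop text ($1) to a verdict an inventory or MDM job can act on.
classify_boot() {
    state=$(printf '%s\n' "$1" | prop_value ro.boot.verifiedbootstate)
    locked=$(printf '%s\n' "$1" | prop_value ro.boot.flash.locked)
    case "$state" in
        green)  verdict="locked-oem-key" ;;       # stock, OEM-signed images
        yellow) verdict="locked-custom-key" ;;    # locked, self-signed images
        orange) verdict="unlocked" ;;             # boot verification disabled
        red)    verdict="verification-failed" ;;
        *)      verdict="unknown" ;;              # property missing or unexpected
    esac
    # A "locked" colour together with flash.locked=0 is contradictory: flag it.
    if [ "$locked" = "0" ] && { [ "$verdict" = "locked-oem-key" ] ||
                                [ "$verdict" = "locked-custom-key" ]; }; then
        verdict="inconsistent"
    fi
    printf '%s\n' "$verdict"
}

# Stand-alone run on the constructed sample.
classify_boot "$SAMPLE_PROPS"
```

Property values can be altered on a rooted device, so treat the result as an inventory signal; hardware-backed key attestation reports the verified boot state from outside the running system.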
6th January 2018, 05:25 AM |#2  
OP Senior Member
reversed
6th January 2018, 12:53 PM |#3  
Member
Flag Haarlem
I got this after typing "Yes, I want to unlock"
Quote:

Extracting binaries
Inserting kernel module
Testing kernel module
Oops! Something went wrong. Aborting
Your system has not been modified
Exit code 126

When running script with terminal on tablet I got exit code 1 on the same stage.
6th January 2018, 03:13 PM |#4  
Senior Member
Quote:
Originally Posted by Joh14vers6

I got this after typing "Yes, I want to unlock"


When running script with terminal on tablet I got exit code 1 on the same stage.

Were you running a basic boot image or did you boot the patched boot image?
6th January 2018, 04:07 PM |#5  
Member
Flag Haarlem
Quote:
Originally Posted by amartolos

Were you running a basic boot image or did you boot the patched boot image?

I booted from the patched boot image. Latest FW. Script will not run without (temp)root.
6th January 2018, 06:05 PM |#6  
loner.'s Avatar
Senior Member
I haven't been able to get magisk to make a patched boot.img
Any help appreciated.
6th January 2018, 06:15 PM |#7  
ExtremeRyno's Avatar
Senior Member
Can we use the patched boot image you posted from the other thread? "Z500M_signed_patched_boot.tar"? https://forum.xda-developers.com/sho...0&postcount=72
6th January 2018, 06:59 PM |#8  
swear0730's Avatar
Senior Member
Flag Madtown, WI - 68 square miles surrounded by reality
2. Install Magisk Manager and create an offline patched boot image from the stock boot.img if you don't have one.
Apologies. I have Magisk installed on my Nexus 6 but I would not consider myself an expert. With that device I installed the Magisk zip file in TWRP recovery and then installed Magisk Manager. After installation of Magisk Manager on the Z500M and launching the app it asks if I want to install the Magisk 15.2 zip. Should that be done?

At this time I haven't done this and I don't see any method for creating the patched boot image. Can someone direct me via a link or explanation on how to do this?
6th January 2018, 07:19 PM |#9  
Senior Member
There's another thread that contains this info: Click Here
6th January 2018, 07:37 PM |#10  
loner.'s Avatar
Senior Member
Quote:
Originally Posted by ExtremeRyno

Can we use the patched boot image you posted from the other thread? "Z500M_signed_patched_boot.tar"? https://forum.xda-developers.com/sho...0&postcount=72

Yes

Sent from my P01MA using Tapatalk
6th January 2018, 09:40 PM |#11  
OP Senior Member
Quote:
Originally Posted by Joh14vers6

I got this after typing "Yes, I want to unlock"

Quote:

Extracting binaries
Inserting kernel module
Testing kernel module
Oops! Something went wrong. Aborting
Your system has not been modified
Exit code 126

When running script with terminal on tablet I got exit code 1 on the same stage.

Hmm, that sounds like a permissions problem. Before running the script, can you turn off Selinux enforcement somehow? Try running 'setenforce 0' or maybe there's a setting in Magisk that controls this. Bear with me, I'm trying to get to the bottom of this...

Has anyone besides amartolos gotten this to work yet?