
View Poll Results: Did this method work for your device??

YES! Finally unlocked!!! - 3 Vote(s), 33.33%
No. - 1 Vote(s), 11.11%
I don't have a ZTE device, but that's cool! - 5 Vote(s), 55.56%

Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

By alexenferman, Senior Member on 17th May 2020, 03:55 PM
Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

This tutorial is only for Qualcomm ZTE Devices.

Unlocking the Bootloader:

Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge on how to flash ROMs or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

Will not work on:
Axon 7
Axon 7 Mini
Axon 9
Axon 10
Axon M
Zmax 2 (Z958)
Anything else that has Oreo, PIE or 10
The unlocking bit on those devices is stored in another partition that can't be easily modified.

Working on: (Thanks @deadman96385)

Snapdragon 210 Processors:
ZTE Avid 4 (Z855) (code-name: calbee)
ZTE Avid Plus (Z828)
ZTE Maven 2 (Z831) (code-name: chapel)
ZTE Maven 3 (Z835) (code-name: draco)
ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
Unknown ZTE (code-name: forbes)
ZTE ZMAX One (Z719DL) (code-name: gemi)
ZTE Tempo X (N9137) (code-name: grayjoylite)
ZTE Grand X View 2 (K81) (code-name: helen)
ZTE Overture 3 (Z851) (code-name: jeff)
ZTE Fanfare 3 (Z852) (code-name: kelly)
ZTE ZFive G LTE (Z557BL) (code-name: lewis)
ZTE ZFive C (Z558VL) (code-name: loft)
Unknown ZTE (code-name: refuge)
ZTE N818S (code-name: sapphire/sapphire4G)
ZTE Blade Vantage (Z839) (code-name: sweet)

Snapdragon 617:
Android 5.1.1
ZTE Grand X Max 2 (Z988) (code-name: jerry)
ZTE Imperial Max (Z963U) (code-name: lily)
ZTE Max Duo LTE (Z963VL) (code-name: nancy)
ZTE Axon Max (C2016) (code-name: orchid)
ZTE Max Duo LTE (Z962BL) (code-name: tom)
Android 6.0.1
ZTE ZPAD (K90U) (code-name: gevjon)
ZTE AT&T Trek 2 (K88) (code-name: jasmine)
ZTE Grand X Max 2 (Z988) (code-name: jerry)
ZTE Axon Max (C2016) (code-name: orchid)
ZTE ZMAX Pro (Z981) (code-name: urd)
Android 7.1.1
ZTE AT&T Trek 2 (K88) (code-name: jasmine)

MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
ZTE Grand X4 (Z956/Z957) (code-name: finacier)
ZTE Blade Spark (Z971) (code-name: peony)
ZTE Blade X (Z965) (code-name: proline)
ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
ZTE Blade Z Max (Z982) (code-name: crocus)
Unknown ZTE (code-name: flame)
ZTE Blade X Max (Z983) (code-name: stollen)
ZTE Blade Max View (Z610DL) (code-name: violet)
ZTE Max Blue LTE (Z986DL) (code-name: florist)
ZTE AT&T Primetime (K92) (code-name: primerose)
Of course, it might work on more models that might not be listed here.



You will need:
  • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
  • A PC
  • Adb Commands installed
  • QFIL 2.0.1.9
  • Your QFIL firehose (emmc_firehose_8***.mbn) You can get it from here: https://github.com/programmer-collection/zte
  • A Hex editor (Like HxD)


Tutorial:
  • Hold power and volume down to boot to FTM mode


  • Using ADB commands, type: adb reboot EDL



Open QFIL. You should see Qualcomm HS-USB QD-Loader 9008 (COM****)
  • Select "Flat build"
  • Select your firehose (emmc_firehose_8***.mbn)


  • Select tools, partition manager
  • Click ok

We are interested in the /devinfo partition only!


  • Right click devinfo only and click on "Manage Partition data"


  • Click on "Read Data"
  • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
  • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

Next, open HxD or any other hex editor
  • Click File>Open and select the file we copied to the desktop

You should see a layout like this:



Edit this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


to this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00



  • Go to offset 007FFE00 and repeat the same steps:



It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one. Make sure you edit that second one, otherwise the BL won't be unlocked.

___________________________________________________________________________

What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it.

For people who don't know, on all Android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
We have to modify it into saying is_unlocked and is_Critical_unlocked.

___________________________________________________________________________
  • Do not touch anything else and click File>Save
  • Boot your phone into EDL again.

(You might need to reopen QFIL)


  • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
  • Click "Load image"


  • Select the file we modified (Should be a .bin)
  • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

Your bootloader should be unlocked!!
You cannot really tell if the Bootloader is unlocked, unfortunately. But, if TWRP boots or ROOT persists then here is your sign.


TWRP is booting!

You can now ROOT, Install custom ROMs, Install Custom Recoveries, kernel modifications & More using QFIL!
You are now free


Credits to aleph security in the Unlocking the bootloader section at the bottom of the page for showing the Hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
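A read-only check for the dump described in the first post, added here as an example and not part of the thread: it locates every ANDROID-BOOT! header, decodes the two flag words the post edits, and diffs an edited dump against its backup. The 512-byte sector size, the zero-filled sample image and all function names are assumptions.

```python
import struct

MAGIC = b"ANDROID-BOOT!"        # 13-byte header visible in the post's hex dump
FLAG_OFFSETS = (0x10, 0x18)     # the two 32-bit words the post changes from 0 to 1
IMAGE_SIZE = 16384 * 512        # Len16384 in the dump name, assuming 512-byte sectors
SECOND_COPY = 0x7FFE00          # offset of the second header named in the post

def find_headers(image):
    """Return every offset at which the devinfo magic occurs."""
    found, pos = [], image.find(MAGIC)
    while pos != -1:
        found.append(pos)
        pos = image.find(MAGIC, pos + 1)
    return found

def read_flags(image, base):
    """Decode the two little-endian flag words after a header, or None if cut off."""
    if base + FLAG_OFFSETS[-1] + 4 > len(image):
        return None
    return tuple(struct.unpack_from("<I", image, base + off)[0] for off in FLAG_OFFSETS)

def audit(image):
    """List (offset, flags) per header copy; 'agree' is False if copies differ or none exist."""
    copies = [(off, read_flags(image, off)) for off in find_headers(image)]
    return {"copies": copies, "agree": len({flags for _, flags in copies}) == 1}

def changed_offsets(before, after, chunk=4096):
    """List byte offsets that differ between a backup and an edited dump."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    diffs = []
    for start in range(0, len(before), chunk):
        a, b = before[start:start + chunk], after[start:start + chunk]
        if a != b:  # only walk bytes inside chunks that actually differ
            diffs += [start + i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return diffs

def make_sample(first=(0, 0), second=(0, 0)):
    """Constructed test image: two headers, everything else zero-filled."""
    img = bytearray(IMAGE_SIZE)
    for base, flags in ((0, first), (SECOND_COPY, second)):
        img[base:base + len(MAGIC)] = MAGIC
        for off, val in zip(FLAG_OFFSETS, flags):
            struct.pack_into("<I", img, base + off, val)
    return bytes(img)

if __name__ == "__main__":
    backup, edited = make_sample(), make_sample(first=(1, 1))  # second copy untouched
    print(audit(edited), [hex(o) for o in changed_offsets(backup, edited)])
```

On a real dump, `audit` reporting `agree: False` corresponds to the case the post warns about, where only one of the two headers was edited.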
17th May 2020, 09:18 PM |#2  
deadman96385's Avatar
Retired Forum Moderator / Recognized Developer
Firehose collection
Here is my collection of ZTE firehoses for use in this guide. I can't guarantee every one will work but the vast majority of them should. But they are all organized by codename and my best attempt at matching codename to shipping name.

https://github.com/programmer-collection/zte
17th May 2020, 11:35 PM |#3  
Quote:
Originally Posted by deadman96385

Here is my collection of ZTE firehoses for use in this guide. I can't guarantee every one will work but the vast majority of them should. But they are all organized by codename and my best attempt at matching codename to shipping name.

https://github.com/programmer-collection/zte

That is actually where I got my firehose from! I will add the link to the OP
17th May 2020, 11:41 PM |#4  
deadman96385's Avatar
Retired Forum Moderator / Recognized Developer
Quote:
Originally Posted by alexenferman

That is actually where I got my firehose from! I will add the link to the OP


You may want to limit your statement of all Qualcomm ZTEs; it won't work on anything that launched with Oreo or newer, and certain flagship devices like Axon 9, 10, M, etc.
18th May 2020, 05:34 PM |#5  
Quote:
Originally Posted by deadman96385

You may want to limit your statement of all Qualcomm ZTEs; it won't work on anything that launched with Oreo or newer, and certain flagship devices like Axon 9, 10, M, etc.

Yes, you are right. It's sad that the unlocking bit is not stored in the /devinfo partition anymore. At least a lot of people with lollipop, marshmallow and probably nougat can still use this method.
18th May 2020, 07:28 PM |#6  
Junior Member
Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

Here's the log file...
Quote:

2020-05-18 14:21:38.733 Validating Application Configuration
2020-05-18 14:21:38.738 Load APP Configuration
2020-05-18 14:21:38.751 COM:4
2020-05-18 14:21:38.751 PBLDOWNLOADPROTOCOL:0
2020-05-18 14:21:38.751 PROGRAMMER:True
2020-05-18 14:21:38.751 PROGRAMMER:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
2020-05-18 14:21:38.751 RESETSAHARASTATEMACHINE:False
2020-05-18 14:21:38.751 SAHARAREADSERIALNO:False
2020-05-18 14:21:38.751 SEARCHPATH:C:\Users\MikeWin10\Desktop
2020-05-18 14:21:38.751 ACKRAWDATAEVERYNUMPACKETS:False
2020-05-18 14:21:38.751 ACKRAWDATAEVERYNUMPACKETS:100
2020-05-18 14:21:38.751 MAXPAYLOADSIZETOTARGETINBYTES:False
2020-05-18 14:21:38.751 MAXPAYLOADSIZETOTARGETINBYTES:49152
2020-05-18 14:21:38.751 DEVICETYPE:emmc
2020-05-18 14:21:38.751 PLATFORM:8x26
2020-05-18 14:21:38.751 VALIDATIONMODE:0
2020-05-18 14:21:38.751 RESETAFTERDOWNLOAD:False
2020-05-18 14:21:38.751 MAXDIGESTTABLESIZE:8192
2020-05-18 14:21:38.751 SWITCHTOFIREHOSETIMEOUT:30
2020-05-18 14:21:38.751 RESETTIMEOUT:200
2020-05-18 14:21:38.751 RESETDELAYTIME:2
2020-05-18 14:21:38.751 METABUILD:
2020-05-18 14:21:38.751 METABUILD:
2020-05-18 14:21:38.751 FLATBUILDPATH:C:\
2020-05-18 14:21:38.751 FLATBUILDFORCEOVERRIDE:True
2020-05-18 14:21:38.751 QCNPATH:C:\Temp\00000000.qcn
2020-05-18 14:21:38.751 QCNAUTOBACKUPRESTORE:False
2020-05-18 14:21:38.751 SPCCODE:000000
2020-05-18 14:21:38.751 ENABLEMULTISIM:False
2020-05-18 14:21:38.751 AUTOPRESERVEPARTITIONS:False
2020-05-18 14:21:38.751 PARTITIONPRESERVEMODE:0
2020-05-18 14:21:38.751 PRESERVEDPARTITIONS:0
2020-05-18 14:21:38.751 PRESERVEDPARTITIONS:
2020-05-18 14:21:38.751 ERASEALL:False
2020-05-18 14:21:38.751 Load ARG Configuration
2020-05-18 14:21:38.768 Validating Download Configuration
2020-05-18 14:21:38.769 Image Search Path: C:\Users\MikeWin10\Desktop
2020-05-18 14:21:38.770 Programmer Path:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
2020-05-18 14:21:38.900 Process Index:0
2020-05-18 14:21:38.908 Qualcomm Flash Image Loader (QFIL) 2.0.1.9
2020-05-18 14:21:45.195 Start Download
2020-05-18 14:21:45.200 Program Path:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
2020-05-18 14:21:45.205 ***** Working Folder:C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
2020-05-18 14:21:45.225 Binary build date: Nov 21 2017 @ 02:53:37
2020-05-18 14:21:45.226 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\MikeWin10\Desktop\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
2020-05-18 14:21:45.227 Sahara mappings:
2020-05-18 14:21:45.227 2: amss.mbn
2020-05-18 14:21:45.228 6: apps.mbn
2020-05-18 14:21:45.228 8: dsp1.mbn
2020-05-18 14:21:45.228 10: dbl.mbn
2020-05-18 14:21:45.229 11: osbl.mbn
2020-05-18 14:21:45.229 12: dsp2.mbn
2020-05-18 14:21:45.229 16: efs1.mbn
2020-05-18 14:21:45.229 17: efs2.mbn
2020-05-18 14:21:45.230 20: efs3.mbn
2020-05-18 14:21:45.230 21: sbl1.mbn
2020-05-18 14:21:45.230 22: sbl2.mbn
2020-05-18 14:21:45.231 23: rpm.mbn
2020-05-18 14:21:45.231 25: tz.mbn
2020-05-18 14:21:45.231 28: dsp3.mbn
2020-05-18 14:21:45.232 29: acdb.mbn
2020-05-18 14:21:45.232 30: wdt.mbn
2020-05-18 14:21:45.232 31: mba.mbn
2020-05-18 14:21:45.233 13: C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
2020-05-18 14:21:45.233
2020-05-18 14:21:45.233 14:21:45: ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit
2020-05-18 14:21:45.234
2020-05-18 14:21:45.234 14:21:45: ERROR: function: sahara_main:924 Sahara protocol error
2020-05-18 14:21:45.234
2020-05-18 14:21:45.235 14:21:45: ERROR: function: main:303 Uploading Image using Sahara protocol failed
2020-05-18 14:21:45.235
2020-05-18 14:21:45.236
2020-05-18 14:21:45.236 Download Fail:Sahara Fail:QSaharaServer Fail:Process fail
2020-05-18 14:21:45.239 Finish Get GPT
2020-05-18 14:23:07.631 Start Download
2020-05-18 14:23:07.634 Program Path:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
2020-05-18 14:23:07.635 ***** Working Folder:C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
2020-05-18 14:24:37.656 Binary build date: Nov 21 2017 @ 02:53:37
2020-05-18 14:24:37.658 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\MikeWin10\Desktop\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
2020-05-18 14:24:37.663 Sahara mappings:
2020-05-18 14:24:37.665 2: amss.mbn
2020-05-18 14:24:37.666 6: apps.mbn
2020-05-18 14:24:37.666 8: dsp1.mbn
2020-05-18 14:24:37.666 10: dbl.mbn
2020-05-18 14:24:37.667 11: osbl.mbn
2020-05-18 14:24:37.667 12: dsp2.mbn
2020-05-18 14:24:37.667 16: efs1.mbn
2020-05-18 14:24:37.668 17: efs2.mbn
2020-05-18 14:24:37.668 20: efs3.mbn
2020-05-18 14:24:37.668 21: sbl1.mbn
2020-05-18 14:24:37.669 22: sbl2.mbn
2020-05-18 14:24:37.669 23: rpm.mbn
2020-05-18 14:24:37.669 25: tz.mbn
2020-05-18 14:24:37.669 28: dsp3.mbn
2020-05-18 14:24:37.670 29: acdb.mbn
2020-05-18 14:24:37.670 30: wdt.mbn
2020-05-18 14:24:37.670 31: mba.mbn
2020-05-18 14:24:37.671 13: C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
2020-05-18 14:24:37.671
2020-05-18 14:24:37.675 14:24:37: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
2020-05-18 14:24:37.675
2020-05-18 14:24:37.675 14:24:37: ERROR: function: sahara_main:924 Sahara protocol error
2020-05-18 14:24:37.676
2020-05-18 14:24:37.676 14:24:37: ERROR: function: main:303 Uploading Image using Sahara protocol failed
2020-05-18 14:24:37.676
2020-05-18 14:24:37.677
2020-05-18 14:24:37.677 Download Fail:Sahara Fail:QSaharaServer Fail:Process fail
2020-05-18 14:24:37.681 Finish Get GPT

18th May 2020, 07:58 PM |#7  
deadman96385's Avatar
Retired Forum Moderator / Recognized Developer
Quote:
Originally Posted by bernshood

Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

So I tested it on my N9137 and it’s working properly. Normally when it can’t get a hello from the device it means your driver is wrong. Sometimes windows defaults to the diagnostic driver instead of the Qdloader one and you need to change it in device manager.

On another note @alexenferman it might be worthwhile to add known working devices to the OP. I've tested and confirmed working on
ZTE Imperial Max (Z963U)
ZTE Tempo X (N9317)
ZTE Avid 4 (Z855)
ZTE Grand X View 2 (K81)

I will test on the ZTE Maven 3 once I get its battery charged
18th May 2020, 08:27 PM |#8  
Junior Member
It's showing Qualcomm HS-USB QDLoader 9008 (COM4) both in Qfil and within Device manager. I reinstalled the driver and am still getting the errors. This is all happening after the steps Tools>Partition Manager>Ok
18th May 2020, 08:46 PM |#9  
Quote:
Originally Posted by bernshood

It's showing Qualcomm HS-USB QDLoader 9008 (COM4) both in Qfil and within Device manager. I reinstalled the driver and am still getting the errors. This is all happening after the steps Tools>Partition Manager>Ok

Restart your phone in EDL mode again.
If you already did this, then it means that your driver is wrong. Try another driver from another source.
18th May 2020, 11:29 PM |#10  
RobboW's Avatar
Senior Member
I'm assuming this also won't work on devices that shipped with older OS and were officially updated to Oreo?


I have an Axon 7 on Oreo and the normal thing is to regress them to unlock bootloader.
19th May 2020, 04:40 AM |#11  
Junior Member
Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.