[UNLOCK] Tuliptool: unlock, TWRP, and custom boot

Search This thread
By:
Advanced…
M

mattx1002

Member
Nov 22, 2014
12
11
Not A City, Somewhere
maestromony said:
Mine:
ZTE/P852A11/tulip
7.1.1/NMF26V/20170519.163520
user/release-keys

v1.2.0B09 installed
Click to expand...
Click to collapse

I have the same. I've unlocked the bootloader (it gave me an error, but still worked), and flashed TWRP on the recovery. I've tried, unsuccessfully, to install SuperSU using ADB Sideload on TWRP. TWRP seems to have a problem detecting the OS, as well as being unable to find the swap, and the /system and /data partitions. Flashing the boot did not seem to have any adverse effects, but it also didn't allow me to install SuperSU.
 
Last edited:
  • Like
Reactions: maestromony
eDooM85

eDooM85

Senior Member
Dec 27, 2012
167
65
San Salvador
Lenovo P11
Xiaomi Poco F5 / Redmi Note 12 Turbo (China)
Hope for rooting ZTE K88

tdm said:
Speaking of kernels, I see two models in the ZTE kernel: tulip and jasmine. The US model is tulip. I'm wondering if the other variants are jasmine. Could some folks with non-US models check the property ro.build.product and ro.build.fingerprint to see what they say? eg. mine says:

$ adb shell getprop ro.build.product
tulip
$ adb shell getprop ro.build.fingerprint
ZTE/P852A12/tulip:7.1.1/NMF26V/20170605.225613:user/release-keys
Click to expand...
Click to collapse

paziusss said:
ro.build.product = msm8952_64
ro.build.fingerprint = ZTE/P852A11/msm8952_64:6.0.1/MMB29M/20170315.140125:user/release-keys

seems unnamed in my build. Maybe I should flash the 7.1 image and check again... :confused: Also /proc/cpuinfo says Hardware : Qualcomm Technologies, Inc MSM8952, no mention to tulip or jasmine.
AFAICT the diference between tulip and jasmine is the panel (samsung vs zte) but I didn't dig so much on your sources
Click to expand...
Click to collapse

Jasmine its a different device (AT&T Tablet Trek 2 HD) ZTE K88
https://www.att.com/devicehowto/tutorial.html#!/stepbystep/id/stepbystep_KM1147758?make=ATT&model=ATTK88

I would love if you could make a recovery for the tablet currently unrooteable and unable to get into fast-boot, also i can't try your tool right now (I'm at work), but when i get home i will share the results :)

(Sorry for my English, I'm from El Salvador)
 

Attachments

  • jasmine.jpg
    jasmine.jpg
    255.7 KB · Views: 518
  • Like
Reactions: josemiguelmartinez and tdm
tdm

tdm

Inactive Recognized Developer
Jun 7, 2011
2,139
3,667
Seattle
Mystery solved, thank you!

Feel free to try the tool, it may work for you...

eDooM85 said:
Jasmine its a different device (AT&T Tablet Trek 2 HD) ZTE K88
https://www.att.com/devicehowto/tutorial.html#!/stepbystep/id/stepbystep_KM1147758?make=ATT&model=ATTK88

I would love if you could make a recovery for the tablet currently unrooteable and unable to get into fast-boot, also i can't try your tool right now (I'm at work), but when i get home i will share the results :)

(Sorry for my English, I'm from El Salvador)
Click to expand...
Click to collapse
 
  • Like
Reactions: Askael
elliwigy

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Mar 16, 2011
13,426
10,017
Phoenix
Samsung Galaxy Tab S7 / S7 Plus
Samsung Galaxy S21 Ultra
tdm said:
Mystery solved, thank you!

Feel free to try the tool, it may work for you...
Click to expand...
Click to collapse

did u get my pm?? wondering if u could add a programmer for msm8998 to your tool?? I dont have a zte but do have an msm8998 device can be put into edl but your tool says failed to send programmer i am guessing because its using a different programmer than what works on an msm8998 device?

I have all the programmers and such if you need em.. it might be a long shot but worth a try if youre up to the challenge
 
  • Like
Reactions: Askael
tdm

tdm

Inactive Recognized Developer
Jun 7, 2011
2,139
3,667
Seattle
Yes I'll try to do that soon. I'm quite busy right now.
elliwigy said:
did u get my pm?? wondering if u could add a programmer for msm8998 to your tool?? I dont have a zte but do have an msm8998 device can be put into edl but your tool says failed to send programmer i am guessing because its using a different programmer than what works on an msm8998 device?

I have all the programmers and such if you need em.. it might be a long shot but worth a try if youre up to the challenge
Click to expand...
Click to collapse
 
  • Like
Reactions: Askael
elliwigy

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Mar 16, 2011
13,426
10,017
Phoenix
Samsung Galaxy Tab S7 / S7 Plus
Samsung Galaxy S21 Ultra
tdm said:
I'll look at the code tomorrow. But I am guessing that your device uses a different programmer. Sorry. :/
Click to expand...
Click to collapse

is there a tutorial or a write up on how you managed this? i am curious lol.. if its standard edl feature (minus just adding support for programmers/chipsets) its one hell of a find!

maybe release a tool where you can load your own programmer files?
 
  • Like
Reactions: Lugralunoogos
tdm

tdm

Inactive Recognized Developer
Jun 7, 2011
2,139
3,667
Seattle
No, this is all proprietary stuff.

I know how to use EDL because I worked on EDL programming at cyngn as part of a project to make a factory flash/reset tool. Most every major OEM has some sort of similar tool -- Samsung has Odin, LG has LGNPST and LGUP, etc. Unfortunately, cyngn imploded before the tool was released. Pity, it was very nice and easy to use tool.

Qualcomm provides an API to talk to devices in EDL mode. Unfortunately, they only provide Windows libraries to link against. I am a die-hard Linux user, so I said no thanks and developed a cross-platform code base from the spec documents that runs on Linux, Mac, and Win64. (This is why my tool uses the WinUSB driver instead of the Qualcomm driver.)

I figured out the unlock by reading the aboot source code. It's publicly available:

https://source.codeaurora.org/quic/la/kernel/lk

In particular, look for read_device_info and is_unlocked in this file:

https://source.codeaurora.org/quic/la/kernel/lk/tree/app/aboot/aboot.c?h=LA.BR.1.3.6-04710-8976.0

Having said all that, it would be feasible to write a XML programmer document that you could feed to QFIL to do the unlock. After all, you only need to change one byte in the first sector of the devinfo partition...

elliwigy said:
is there a tutorial or a write up on how you managed this? i am curious lol.. if its standard edl feature (minus just adding support for programmers/chipsets) its one hell of a find!

maybe release a tool where you can load your own programmer files?
Click to expand...
Click to collapse
 
Last edited:
  • Like
Reactions: xRogerxC, Lugralunoogos and Askael
elliwigy

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
Mar 16, 2011
13,426
10,017
Phoenix
Samsung Galaxy Tab S7 / S7 Plus
Samsung Galaxy S21 Ultra
tdm said:
No, this is all proprietary stuff.

I know how to use EDL because I worked on EDL programming at cyngn as part of a project to make a factory flash/reset tool. Most every major OEM has some sort of similar tool -- Samsung has Odin, LG has LGNPST and LGUP, etc. Unfortunately, cyngn imploded before the tool was released. Pity, it was very nice and easy to use tool.

Qualcomm provides an API to talk to devices in EDL mode. Unfortunately, they only provide Windows libraries to link against. I am a die-hard Linux user, so I said no thanks and developed a cross-platform code base from the spec documents that runs on Linux, Mac, and Win64. (This is why my tool uses the WinUSB driver instead of the Qualcomm driver.)

I figured out the unlock by reading the aboot source code. It's publicly available:

https://source.codeaurora.org/quic/la/kernel/lk

In particular, look for read_device_info and is_unlocked in this file:

https://source.codeaurora.org/quic/la/kernel/lk/tree/app/aboot/aboot.c?h=LA.BR.1.3.6-04710-8976.0

Having said all that, it would be feasible to write a XML programmer document that you could feed to QFIL to do the unlock. After all, you only need to change one byte in the first sector of the devinfo partition...
Click to expand...
Click to collapse

ok cool.. i have some reading to do lol.. we actually just successfully restored a few S8+ from hard bricks using edl.. We already have the prog_ufs_firehose_8998_ddr.elf (and lite).. not sure if youre interested but if u can hit me up on hangouts id like to see if u could help abit moreasit took me like 6 months just to figure out the xml to flash the BL partitions lmao

we also already have root so if its similar on our device might just be able to write the bit since we are rooted if its not secured/encrypted partition..

i also have rpmb fuse blowers, signers, boot debug, uefi debug, boot xbl core,splash img creators etc etc.

looking through the files a lot of the tools are backwards compatible to other QC chipsets and itappears they take original toolsand simply add support for newer chipsets.. so let me kno if interested in seein what we got :)

also, do you know what the "sti" and "toolsfv" partitionsare? i was messin around with some of the images in the package i recieved and those 2 partitions appeared and arent on others devices of the same device/variant? I also now am having trouble getting to edl haha, it just reboots normal.. so i am going to try a fresh start later today..

i will start reading up.. I believe theS8/S8+ are one of the first in awhile at least where asammy phone can actually adb reboot edl.. its looking like our only option considering they disable/remove fastboot for us..

however they were kind enough to leave oem unlock allowed = 1 as well as oem unlock supported as 1 just no way for usto run the commands
 
  • Like
Reactions: progro420
tdm

tdm

Inactive Recognized Developer
Jun 7, 2011
2,139
3,667
Seattle
Does the Euro version not respond to the key combination at boot? I don't know of any other way to force it into EDL mode.

You just need to be extra careful to make sure that you can always boot from either boot or recovery. That is, follow the advice in the OP. :)

kurok154 said:
Is there the way to get European version to Edl before boot? In case it falls into bootloop?
Click to expand...
Click to collapse
 
fallen00sniper

fallen00sniper

Senior Member
Jan 4, 2012
832
147
Everett
www.androidfilehost.com
interesting, i have the us model and am still on 7.1.1B12 didn't know there was a B14.

B2017G_USAV1.2.0B14 is available to download... Would it hurt anything to update?

Currently using an iPhone I repaired until I can get it carrier unlocked and sell it... has to be used for 9 more months on the carrier lol, so not completely stressed over updating.
 
Last edited:
tdm

tdm

Inactive Recognized Developer
Jun 7, 2011
2,139
3,667
Seattle
Should be fine to update. It's probably just minor fixes. I'm staying on b12 until the official unlock per zte request.
fallen00sniper said:
interesting, i have the us model and am still on 7.1.1B12 didn't know there was a B14.

B2017G_USAV1.2.0B14 is available to download... Would it hurt anything to update?

Currently using an iPhone I repaired until I can get it carrier unlocked and sell it... has to be used for 9 more months on the carrier lol, so not completely stressed over updating.
Click to expand...
Click to collapse
 
K

kurok154

Member
Sep 18, 2009
11
0
37
Pechora
tdm said:
Does the Euro version not respond to the key combination at boot? I don't know of any other way to force it into EDL mode.

You just need to be extra careful to make sure that you can always boot from either boot or recovery. That is, follow the advice in the OP. :)
Click to expand...
Click to collapse

It doesn't respond to the key combination, and always boots into logo. So if I have bootloop I can't go to the Edl. In axon 7 there is control spot, that you can short circuit in a board and get to Edl. Maybe someone could see or already knows if mini has this spot too?
 
tdm

tdm

Inactive Recognized Developer
Jun 7, 2011
2,139
3,667
Seattle
A control spot on the mother board? All phones have that. But it requires disassembling the phone, which is not easy.
kurok154 said:
It doesn't respond to the key combination, and always boots into logo. So if I have bootloop I can't go to the Edl. In axon 7 there is control spot, that you can short circuit in a board and get to Edl. Maybe someone could see or already knows if mini has this spot too?
Click to expand...
Click to collapse
 
K

kurok154

Member
Sep 18, 2009
11
0
37
Pechora
Lenovo zuk z2 reboots into Edl by short circuit data- in USB and connect it to charger. Maybe this phone have this feature too?
 
You must log in or register to reply here.

Similar threads

tdm
[RECOVERY] TWRP 7.1 (unofficial)
Replies
111
Views
38K
C
crazydarsh
TheSSJ
[DISCONTINUED][ROM][STABLE] LineageOS 16.0 (unofficial) for ZTE Axon 7 Mini (aka tulip)
Replies
323
Views
50K
O
ortizjammet
tdm
[STOCK] Boot images with verity removed
Replies
57
Views
18K
SGH-i200
SGH-i200
liamtw22
[UNOFFICIAL]Resurrection Remix 5.8.5 [ZTE Axon 7 Mini]
Replies
49
Views
15K
NewbieGamingYT
NewbieGamingYT
J
[ROM] LineageOS 14.1 (UNOFFICIAL) Life after official support
Replies
7
Views
2K
J
javadahut

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 16
    tdm
    tdm
    First let's get the warnings out of the way:


    This is a dangerous tool. It can render your device permanently unusable.
    If you use it, your warranty will likely be void.
    You accept all responsibility for the consequences.

    This is not an official ZTE unlock tool. The official ZTE unlock tool is in another thread.


    Acknowledgments
    Special thanks to @rombdeta for providing the OEM programmer binary. This would not be possible without his help.

    What is tuliptool?
    This tool allows you to:
    • Check status of your boot loader
    • Unlock your boot loader
    • Lock your boot loader
    • Install a custom recovery
    • Install a custom boot image

    NOTE WELL
    The first rule of intelligent tinkering is to save all the parts.
    • Always backup your partitions before writing new contents, so that you can get back to where you started.
    • Never write both boot and recovery in one session. Always make sure that you can boot into the other partition in case something fails.
    • Locking and unlocking will erase all user data. Make sure you backup first!

    The zip includes:
    • tuliptool for Linux
    • tuliptool for Win64
    • tuliptool for Win32
    • tuliptool for MacOS

    Preparation
    1. Extract the package.
    You will find the binary files listed above. Note: This is a command line utility, so you must open a command prompt to run it.

    2a. Setup for Linux
    Create a file named /etc/udev/rules.d/99-qcom.rules with this content exactly as shown:
    SUBSYSTEM=="usb", ATTRS{idVendor}=="05c6", GROUP="plugdev"
    Ensure your login user is in the plugdev group.

    2b. Setup for Win32/Win64
    1. Download zadig.
    2. Connect your device in EDL mode (see below).
    3. Windows will want to install the Qualcomm USB driver. We won't be using it so you can cancel if you wish, but it won't hurt anything.
    4. Run zadig. Find device 05c6:9008 and install the WinUSB driver for it.
    5. Disconnect the device.

    2c. Setup for MacOS
    No setup should be necessary.

    3. Download boot and/or recovery files to flash.
    You will find these in other threads in this section.

    Connecting in EDL mode
    Via adb
    This should work for all models, but you need adb access.
    adb reboot edl
    Via key combo
    If you have a US model device (or the aboot from a US model device) you may use the key combo:
    1. Power off and unplug the device.
    2. Hold both volume buttons.
    3. Plug device into your PC.
    4. Wait about 3 seconds and release the buttons.

    Note: There will be no feedback on the device -- no lights, no vibration, nothing. The only way to verify that the device is in EDL mode is that device 05c6:9008 is visible on the PC.

    Usage: (un)locking
    After some testing, it appears that the Axon 7 Mini is not locked in any way. In other words, unlocking seems to be completely unnecessary. This section is mostly provided for completeness.

    tuliptool lock status
    tuliptool lock unlock
    tuliptool lock lock

    Usage: reading boot/recovery
    Note command line options have changed
    tuliptool read boot
    tuliptool read recovery

    Usage: writing boot/recovery
    Note command line options have changed
    tuliptool write boot <filename>/I]
    tuliptool write recovery <filename>

    So, for example, to write a TWRP image, run:
    tuliptool write recovery tulip-twrp-7.1-r1.img.

    Multiple operations
    This is a "one shot" tool. After performing an operation, it will reset the device with a 5 second countdown. If you wish do perform multiple operations (eg. backup, unlock, flash), simply hold down the volume buttons while the device resets and it should go back to EDL mode.

    Download
    tuliptool.zip
    md5=58f34850005510b51a832d27a6bce607

    Common problems
    Device not found: first enter EDL mode, then run the tool.
    Device is visible in device manager or lspci but cannot be found by the tool: connect directly to the PC, not through a hub.
    Windows says bad file descriptor: the WinUSB driver is not installed.
    Linux says permission denied: your login user is not in the plugdev group.

    Why call it tuliptool?
    Tulip is the device "code name" for the Axon 7 Mini (at least the US version).
    View
    5
    Y
    ygb7
    TDM,

    Thank you. I was able to successfully root my Axon 7 Mini (North America model) & install TWRP 3.1.1. I also rooted with SU 2.79.

    I am one of the original pledge members in "We need help from Original Axon 7 Developers If we want Root and Roms we need to Give" forum. Please post your paypal link. I am a man of my word & will submit my pledge.

    I used your TulipTool & the procedures on this forum opening Page (OP) to unlock, root & flash TWRP on my Axon 7 Mini.

    My Hardware Specs
    • Phone: Axon 7 Mini (North America model). Platinum Gray. 32GB & 3GB Memory.
    • Android Version: 7.1.1
    • ROM: Stock ZTE B2017G_USAV1.2.0B14
    • Computer: Windows 10 64-Bit Version 1709 (OS Build 16299.15)

    General Notes to consider in addition to instructions on the OP
    1. Download all prerequisites first.
    Download Tulip tool
    Download Boot Image
    Download TWRP Recovery image
    Download SU 2.79
    Download Zadiag
    Download Min ADB

    2. Turn on Developers Option.
    3. Turn on OEM unlock setting in developer settings
    4. Turn on USB Debugging


    Observations

    1. First, read the instructions on the forum opening page (page 1) carefully. Follow the instructions exactly.

    2. As recommended in the OP procedures, Backup you Stock Boot & Recovery Partitions . I used these command to create my backup files shown below.

    tuliptool-win64.exe read boot c:\temp\A7Mini_Boot_Partition.bak
    tuliptool-win64.exe read recovery c:\temp\A7Mini_Recovery_Partition.bak

    3. I also installed Min ADB. I used "adb reboot edl" command to get into EDL. Use the phone keys to get into EDL mode if it works for you.

    4. As recommended in the OP procedures, Never write both boot and recovery in one session. Always make sure that you can boot into the other partition in case something fails.

    5. After each TulipTool command. My phone reset. I lost EDL mode after reset each time. Therefore, I had to enter EDL again before each tooliptool command. My flashing steps are below

    !!!WARNING!!!. Make sure you use the correct B12, B14, etc image for your phone model. US model, version 7.1.1 b12, US model, version 7.1.1 b14 or EU model, version 7.1.1 b09

    • C:\Temp>tuliptool-win64.exe write boot c:\temp\tulip-us-7.1.1-b14-boot-noverity.img
    Sending programmer...Connecting to programmer...log: logbuf@0x08067EB8 fh@0x08064D20
    log: logbuf@0x08067EB8 fh@0x08064D20
    log: Finished sector address 0
    log: Finished sector address 0
    log: Finished sector address 0
    Writing boot ...
    log: start 1050624, num 49152
    Write 25165824 bytes, 49152 sectors
    log: Finished sector address 1099776
    Success!
    Reset in 5 seconds ...
    Reset in 4 seconds ...
    Reset in 3 seconds ...
    Reset in 2 seconds ...
    Reset in 1 seconds …

    • C:\Temp\adb reboot edl - (i.e Put my phone back in EDL mode)

    • C:\Temp\>tuliptool-win64.exe write recovery c:\temp\tulip-twrp-7.1-r1.img
    Sending programmer...Connecting to programmer...log: logbuf@0x08067EB8 fh@0x08064D20
    log: logbuf@0x08067EB8 fh@0x08064D20
    log: Finished sector address 0
    log: Finished sector address 0
    log: Finished sector address 0
    Writing recovery ...
    log: start 1181696, num 49152
    Write 25165824 bytes, 49152 sectors
    log: Finished sector address 1230848
    Success!
    Reset in 5 seconds ...
    Reset in 4 seconds ...
    Reset in 3 seconds ...
    Reset in 2 seconds ...
    Reset in 1 seconds ...

    • Reboot to System. Success!!!

    I hope this info help the next person who wants to Unlock, Root & TWRP their Axon 7 Mini.
    View
    4
    T
    tprfd
    I am shocked... Verdandi source posted quickly:
    http://opensource.ztedevice.com/
    ZTE B2017G Marshmallow(6.0.1) Kernel(3.10.84)
    @tdm re: Lineage...awesome job!
    View
    3
    M
    Meme Queen
    first! it's nice to see someone working on the lesser-known devices for once, thanks love!

    okay so on that note everything goes perfectly, right up until i try to actually run the tool lol. installing the driver through Zadig does fine, and from everything i can tell, the PC recognizes it. i mean, it's in EDL and everything. what's going wrong? running the tuliptool-win64.exe just opens and closes instantly, and opening a command prompt in the directory just tells me that tuliptool is not a valid command/operation blah blah blah. it's probably something simple but i'm kind of trying to get all over this so :good:
    View
    3
    tdm
    tdm
    Okay I've uploaded a new version of the tool with better error handling and better error messages (particularly for the Win64 version). I successfully wrote TWRP using the Win64 version. Please check the OP for the new link and download it again.

    @Meme Queen and @MrWhite0429 please try again. I think the problem was that you didn't copy tulip-twrp-7.1.1.img to recovery.bin.

    I can modify the tool to take a filename as a parameter if that helps with the confusion.

    Edit: Also fixed a typo in the OP which had the wrong filename in the example. This may have been the source of the confusion.
    View

New posts