Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

Did this method work for your device??

  • YES! Finally unlocked!!!

    Votes: 4 11.1%
  • No.

    Votes: 9 25.0%
  • I don't have a ZTE device, but that's cool!

    Votes: 23 63.9%

  • Total voters
    36

alexenferman

Senior Member
  • Dec 7, 2019
    255
    126
    ...
    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE Devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge on how to flash ROMS or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Will not work on:
    Axon 7
    Axon 7 Mini
    Axon 9
    Axon 10
    Axon M
    Zmax 2 (Z958)
    Anything else that has Oreo, PIE or 10
    The unlocking bit on those devices is stored in another partition that can't be easily modified

    Working on: (Thanks @deadman96385)

    Snapdragon 210 Processors:
    ZTE Avid Plus (Z828)
    ZTE Maven 2 (Z831) (code-name: chapel)
    ZTE Maven 3 (Z835) (code-name: draco)
    ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
    Unknown ZTE (code-name: forbes)
    ZTE ZMAX One (Z719DL) (code-name: gemi)
    ZTE Tempo X (N9137) (code-name: grayjoylite)
    ZTE Grand X View 2 (K81) (code-name: helen)
    ZTE Overture 3 (Z851) (code-name: jeff)
    ZTE Fanfare 3 (Z852) (code-name: kelly)
    ZTE ZFive G LTE (Z557BL) (code-name: lewis)
    ZTE ZFive C (Z558VL) (code-name: loft)
    Unknown ZTE (code-name: refuge)
    ZTE N818S (code-name: sapphire/sapphire4G)
    ZTE Blade Vantage (Z839) (code-name: sweet)

    Snapdragon 617:
    Android 5.1.1
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Imperial Max (Z963U) (code-name: lily)
    ZTE Max Duo LTE (Z963VL) (code-name: nancy)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE Max Duo LTE (Z962BL) (code-name: tom)
    Android 6.0.1
    ZTE ZPAD (K90U) (code-name: gevjon)
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE ZMAX Pro (Z981) (code-name: urd)
    Android 7.1.1
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)

    MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
    ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
    ZTE Grand X4 (Z956/Z957) (code-name: finacier)
    ZTE Blade Spark (Z971) (code-name: peony)
    ZTE Blade X (Z965) (code-name: proline)
    ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
    Unknown ZTE (code-name: flame)
    ZTE Blade X Max (Z983) (code-name: stollen)
    ZTE Blade Max View (Z610DL) (code-name: violet)
    ZTE Max Blue LTE (Z986DL) (code-name: florist)
    ZTE AT&T Primetime (K92) (code-name: primerose)
    Of course, it might work on more models that might not be listed here.

    Want to watch a video instead?


    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • Adb Commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn) You can get it from here: https://github.com/programmer-collection/zte
    • A Hex editor (Like HxD)


    Tutorial:
    • Hold power and volume down to boot to FTM mode



    • Using ADB commands, type: adb reboot EDL



    Open QFIL, You should see Qualcomm HS-USB QD-Loader 9008 (COM****)

    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)



    • Select tools, partition manager
    • Click ok

    We are interested in the /devinfo partition only!



    • Right click devinfo only and click on "Manage Partition data"



    • Click on "Read Data"
    • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

    Next, open HxD or any other hex editor

    • Click File>Open and select the file we copied to the desktop

    You should see a layout like this:



    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00




    • Go to offset 007FFE00 and repeat the same steps:



    It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D

    For people who don't know, on all android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_Critical_unlocked

    ____________________________________________________________________________________
    • Do not touch anything else and click File>Save
    • Boot your phone into EDL again.

    (You might need to reopen QFIL)



    • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
    • Click "Load image"



    • Select the file we modified (Should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

    Your bootloader should be unlocked!!
    You cannot really tell if the Bootloader is unlocked unfortunately. But, if TWRP boots or ROOT persists then here is your sign :D


    TWRP is booting!

    You can now ROOT, Install custom ROMs, Install Custom Recoveries, kernel modifications & More using QFIL!
    You are now free :D


    Credits to aleph security in the Unlocking the bootloader section at the bottom of the page for showing the Hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
     
    Last edited:
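The post above notes that you cannot really tell from the phone whether the edit took effect; the dump itself can be checked. The following is an added example, not part of the original post and not code from QFIL or ZTE: a read-only Python audit of a devinfo dump that finds every ANDROID-BOOT! record, reads the two words the post sets to 01 00 00 00, and compares a backup against an edited copy to confirm nothing else changed. Reading the words as 32-bit little-endian values, the status labels and the function names are assumptions made for illustration; the sample image is constructed.

```python
"""Read-only audit of a devinfo partition dump (added example)."""
import struct
import sys

MAGIC = b"ANDROID-BOOT!"      # 13-byte marker shown in the post's hex view
FLAG_OFFSETS = (0x10, 0x18)   # the two words the post sets to 01 00 00 00
RECORD_LEN = 0x20             # the two 16-byte rows shown in the post
SECOND_COPY = 0x7FFE00        # offset of the second record, per the post


def find_records(image):
    """Return [(offset, flags)] per MAGIC hit; flags is None if the record is cut off."""
    records = []
    pos = image.find(MAGIC)
    while pos != -1:
        flags = None
        if pos + RECORD_LEN <= len(image):
            # Assumption: each flag is a 32-bit little-endian word.
            flags = tuple(struct.unpack_from("<I", image, pos + off)[0]
                          for off in FLAG_OFFSETS)
        records.append((pos, flags))
        pos = image.find(MAGIC, pos + 1)
    return records


def assess(image):
    """Classify a dump by the flag words of all records it contains."""
    records = find_records(image)
    if not records:
        return "no-magic"          # e.g. the wrong partition was dumped
    if any(flags is None for _, flags in records):
        return "truncated"
    distinct = {flags for _, flags in records}
    if len(distinct) > 1:
        return "inconsistent"      # the copies disagree (only one was edited)
    flags = distinct.pop()
    if flags == (0, 0):
        return "locked"
    if flags == (1, 1):
        return "unlocked"
    return "unexpected"


def changed_offsets(before, after, chunk=4096):
    """Offsets of every byte that differs between two equal-length dumps."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    out = []
    for base in range(0, len(before), chunk):
        a, b = before[base:base + chunk], after[base:base + chunk]
        if a != b:
            out.extend(base + i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return out


def only_flags_changed(before, after):
    """True if every differing byte lies inside a flag word of a known record."""
    allowed = set()
    for pos, _ in find_records(before):
        for off in FLAG_OFFSETS:
            allowed.update(range(pos + off, pos + off + 4))
    return all(o in allowed for o in changed_offsets(before, after))


def make_sample(first=(0, 0), second=(0, 0), size=0x800000):
    """Constructed 8 MiB test image with two records; not a real dump."""
    img = bytearray(size)
    for pos, flags in ((0, first), (SECOND_COPY, second)):
        img[pos:pos + len(MAGIC)] = MAGIC
        for off, val in zip(FLAG_OFFSETS, flags):
            struct.pack_into("<I", img, pos + off, val)
    return bytes(img)


if __name__ == "__main__":
    # Pass a dump path, or run on a constructed image with only one copy edited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample((1, 1), (0, 0))
    for pos, flags in find_records(data):
        print(f"record at 0x{pos:08X}: flags={flags}")
    print("assessment:", assess(data))
```

A dump that already reads "unlocked" before any edit, or one that reads "inconsistent" afterwards, points at the cases other posters in this thread ran into.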

    alexenferman

    Senior Member
  • Dec 7, 2019
    255
    126
    ...
    You may want to limit your statement of all Qualcomm ZTEs; it won't work on anything that launched with Oreo or newer, and certain flagship devices like Axon 9, 10, M, etc.

    Yes, you are right. It's sad that the unlocking bit is not stored in the /devinfo partition anymore. At least a lot of people with lollipop, marshmallow and probably nougat can still use this method.
     

    bernshood

    New member
    May 18, 2020
    4
    0
    Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    Here's the log file...
    2020-05-18 14:21:38.733 Validating Application Configuration
    2020-05-18 14:21:38.738 Load APP Configuration
    2020-05-18 14:21:38.751 COM:4
    2020-05-18 14:21:38.751 PBLDOWNLOADPROTOCOL:0
    2020-05-18 14:21:38.751 PROGRAMMER:True
    2020-05-18 14:21:38.751 PROGRAMMER:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
    2020-05-18 14:21:38.751 RESETSAHARASTATEMACHINE:False
    2020-05-18 14:21:38.751 SAHARAREADSERIALNO:False
    2020-05-18 14:21:38.751 SEARCHPATH:C:\Users\MikeWin10\Desktop
    2020-05-18 14:21:38.751 ACKRAWDATAEVERYNUMPACKETS:False
    2020-05-18 14:21:38.751 ACKRAWDATAEVERYNUMPACKETS:100
    2020-05-18 14:21:38.751 MAXPAYLOADSIZETOTARGETINBYTES:False
    2020-05-18 14:21:38.751 MAXPAYLOADSIZETOTARGETINBYTES:49152
    2020-05-18 14:21:38.751 DEVICETYPE:emmc
    2020-05-18 14:21:38.751 PLATFORM:8x26
    2020-05-18 14:21:38.751 VALIDATIONMODE:0
    2020-05-18 14:21:38.751 RESETAFTERDOWNLOAD:False
    2020-05-18 14:21:38.751 MAXDIGESTTABLESIZE:8192
    2020-05-18 14:21:38.751 SWITCHTOFIREHOSETIMEOUT:30
    2020-05-18 14:21:38.751 RESETTIMEOUT:200
    2020-05-18 14:21:38.751 RESETDELAYTIME:2
    2020-05-18 14:21:38.751 METABUILD:
    2020-05-18 14:21:38.751 METABUILD:
    2020-05-18 14:21:38.751 FLATBUILDPATH:C:\
    2020-05-18 14:21:38.751 FLATBUILDFORCEOVERRIDE:True
    2020-05-18 14:21:38.751 QCNPATH:C:\Temp\00000000.qcn
    2020-05-18 14:21:38.751 QCNAUTOBACKUPRESTORE:False
    2020-05-18 14:21:38.751 SPCCODE:000000
    2020-05-18 14:21:38.751 ENABLEMULTISIM:False
    2020-05-18 14:21:38.751 AUTOPRESERVEPARTITIONS:False
    2020-05-18 14:21:38.751 PARTITIONPRESERVEMODE:0
    2020-05-18 14:21:38.751 PRESERVEDPARTITIONS:0
    2020-05-18 14:21:38.751 PRESERVEDPARTITIONS:
    2020-05-18 14:21:38.751 ERASEALL:False
    2020-05-18 14:21:38.751 Load ARG Configuration
    2020-05-18 14:21:38.768 Validating Download Configuration
    2020-05-18 14:21:38.769 Image Search Path: C:\Users\MikeWin10\Desktop
    2020-05-18 14:21:38.770 Programmer Path:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
    2020-05-18 14:21:38.900 Process Index:0
    2020-05-18 14:21:38.908 Qualcomm Flash Image Loader (QFIL) 2.0.1.9
    2020-05-18 14:21:45.195 Start Download
    2020-05-18 14:21:45.200 Program Path:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
    2020-05-18 14:21:45.205 ***** Working Folder:C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
    2020-05-18 14:21:45.225 Binary build date: Nov 21 2017 @ 02:53:37
    2020-05-18 14:21:45.226 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\MikeWin10\Desktop\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
    2020-05-18 14:21:45.227 Sahara mappings:
    2020-05-18 14:21:45.227 2: amss.mbn
    2020-05-18 14:21:45.228 6: apps.mbn
    2020-05-18 14:21:45.228 8: dsp1.mbn
    2020-05-18 14:21:45.228 10: dbl.mbn
    2020-05-18 14:21:45.229 11: osbl.mbn
    2020-05-18 14:21:45.229 12: dsp2.mbn
    2020-05-18 14:21:45.229 16: efs1.mbn
    2020-05-18 14:21:45.229 17: efs2.mbn
    2020-05-18 14:21:45.230 20: efs3.mbn
    2020-05-18 14:21:45.230 21: sbl1.mbn
    2020-05-18 14:21:45.230 22: sbl2.mbn
    2020-05-18 14:21:45.231 23: rpm.mbn
    2020-05-18 14:21:45.231 25: tz.mbn
    2020-05-18 14:21:45.231 28: dsp3.mbn
    2020-05-18 14:21:45.232 29: acdb.mbn
    2020-05-18 14:21:45.232 30: wdt.mbn
    2020-05-18 14:21:45.232 31: mba.mbn
    2020-05-18 14:21:45.233 13: C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
    2020-05-18 14:21:45.233
    2020-05-18 14:21:45.233 14:21:45: ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit
    2020-05-18 14:21:45.234
    2020-05-18 14:21:45.234 14:21:45: ERROR: function: sahara_main:924 Sahara protocol error
    2020-05-18 14:21:45.234
    2020-05-18 14:21:45.235 14:21:45: ERROR: function: main:303 Uploading Image using Sahara protocol failed
    2020-05-18 14:21:45.235
    2020-05-18 14:21:45.236
    2020-05-18 14:21:45.236 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
    2020-05-18 14:21:45.239 Finish Get GPT
    2020-05-18 14:23:07.631 Start Download
    2020-05-18 14:23:07.634 Program Path:C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
    2020-05-18 14:23:07.635 ***** Working Folder:C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
    2020-05-18 14:24:37.656 Binary build date: Nov 21 2017 @ 02:53:37
    2020-05-18 14:24:37.658 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\MikeWin10\Desktop\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\MikeWin10\AppData\Roaming\Qualcomm\QFIL\COMPORT_4
    2020-05-18 14:24:37.663 Sahara mappings:
    2020-05-18 14:24:37.665 2: amss.mbn
    2020-05-18 14:24:37.666 6: apps.mbn
    2020-05-18 14:24:37.666 8: dsp1.mbn
    2020-05-18 14:24:37.666 10: dbl.mbn
    2020-05-18 14:24:37.667 11: osbl.mbn
    2020-05-18 14:24:37.667 12: dsp2.mbn
    2020-05-18 14:24:37.667 16: efs1.mbn
    2020-05-18 14:24:37.668 17: efs2.mbn
    2020-05-18 14:24:37.668 20: efs3.mbn
    2020-05-18 14:24:37.668 21: sbl1.mbn
    2020-05-18 14:24:37.669 22: sbl2.mbn
    2020-05-18 14:24:37.669 23: rpm.mbn
    2020-05-18 14:24:37.669 25: tz.mbn
    2020-05-18 14:24:37.669 28: dsp3.mbn
    2020-05-18 14:24:37.670 29: acdb.mbn
    2020-05-18 14:24:37.670 30: wdt.mbn
    2020-05-18 14:24:37.670 31: mba.mbn
    2020-05-18 14:24:37.671 13: C:\Users\MikeWin10\Desktop\prog_emmc_firehose_8909.mbn
    2020-05-18 14:24:37.671
    2020-05-18 14:24:37.675 14:24:37: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
    2020-05-18 14:24:37.675
    2020-05-18 14:24:37.675 14:24:37: ERROR: function: sahara_main:924 Sahara protocol error
    2020-05-18 14:24:37.676
    2020-05-18 14:24:37.676 14:24:37: ERROR: function: main:303 Uploading Image using Sahara protocol failed
    2020-05-18 14:24:37.676
    2020-05-18 14:24:37.677
    2020-05-18 14:24:37.677 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
    2020-05-18 14:24:37.681 Finish Get GPT
     

    deadman96385

    Retired Forum Moderator / Recognized Developer
  • Aug 19, 2011
    2,233
    7,774
    Saint Paul, Minnesota
    Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    So I tested it on my N9137 and it’s working properly. Normally when it can’t get a hello from the device it means your driver is wrong. Sometimes Windows defaults to the diagnostic driver instead of the Qdloader one and you need to change it in Device Manager.

    On another note @alexenferman it might be worthwhile to add known working devices to the OP. I’ve tested and confirmed working on
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)

    I will test on the ZTE Maven 3 once I get its battery charged
     

    bernshood

    New member
    May 18, 2020
    4
    0
    It's showing Qualcomm HS-USB QDLoader 9008 (COM4) both in Qfil and within Device manager. I reinstalled the driver and am still getting the errors. This is all happening after the steps Tools>Partition Manager>Ok
     

    alexenferman

    Senior Member
  • Dec 7, 2019
    255
    126
    ...
    It's showing Qualcomm HS-USB QDLoader 9008 (COM4) both in Qfil and within Device manager. I reinstalled the driver and am still getting the errors. This is all happening after the steps Tools>Partition Manager>Ok

    Restart your phone in EDL mode again.
    If you already did this, then it means that your driver is wrong. Try another driver from another source.
     

    ninegua

    Member
    Nov 28, 2013
    5
    0
    Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.
     

    deadman96385

    Retired Forum Moderator / Recognized Developer
  • Aug 19, 2011
    2,233
    7,774
    Saint Paul, Minnesota
    I'm assuming this also won't work on devices that shipped with older OS and were officially updated to Oreo?
    I have an Axon 7 on Oreo and the normal thing is to regress them to unlock bootloader.

    Yeah, it won't work on the Axon 7, I've asked for the article to be updated.

    Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.

    I haven't seen one for it, but you can try this one from the A460; you have a good chance of it working.
    https://github.com/programmer-collection/zte/blob/master/BladeA460/prog_emmc_firehose_8909.mbn

    Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.
    Can you post a picture or a list of partitions you had?
     

    ninegua

    Member
    Nov 28, 2013
    5
    0
    Can you post a picture or a list of partitions you had?

    I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?
     

    deadman96385

    Retired Forum Moderator / Recognized Developer
  • Aug 19, 2011
    2,233
    7,774
    Saint Paul, Minnesota
    I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?

    No, do not edit the aboot partition; you will brick it if you flash your modified one.
     

    alexenferman

    Senior Member
  • Dec 7, 2019
    255
    126
    ...
    Thanks for the alert! Here are the screenshots showing my partitions

    This means that it might be stored in the rpm partition and I don't think it's possible to unlock it on your phone :crying:

    Before I realized that I modified the wrong partition myself (aboot), I bricked my phone over 2 times. Thankfully, recovery was very easy but don't try that! It won't work.
     

    bernshood

    New member
    May 18, 2020
    4
    0
    Got it to work! But now I'm a little confused on how to actually get into the bootloader. There's an option in recovery to "reboot into the bootloader" but it looks like it just reboots like normal into the system. Sorry for my ignorance. On my Nexus 7 I use fastboot to flash twrp in the bootloader.
     

    alexenferman

    Senior Member
  • Dec 7, 2019
    255
    126
    ...
    Got it to work! But now I'm a little confused on how to actually get into the bootloader. There's an option in recovery to "reboot into the bootloader" but it looks like it just reboots like normal into the system. Sorry for my ignorance. On my Nexus 7 I use fastboot to flash twrp in the bootloader.

    Read the tutorial first. You don't need to get into the BL.
     

    Top Liked Posts

      5
      Firehose collection

      Here is my collection of ZTE firehoses for use in this guide. I can't guarantee every one will work, but the vast majority of them should. They are all organized by codename and my best attempt at matching codename to shipping name.

      https://github.com/programmer-collection/zte
      2
      Am I missing something? I followed the directions without any issues to a T and when I got to editing the hex , it was already the way it was supposed to be edited so I reflashed it anyway and nothing.. ? Z839 Blade Vantage