
Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

Did this method work for your device??

  • YES! Finally unlocked!!!

    Votes: 6 13.6%
  • No.

    Votes: 12 27.3%
  • I don't have a ZTE device, but that's cool!

    Votes: 26 59.1%

  • Total voters
    44
I have tried reinstalling the drivers
I tried using QFIL v2.0.1.9, v2.0.3.5 and QPST v2.7.474
It still didn't work :cry:

As to why, I'm not sure.
It might be because there's no firehose specifically for z983
But A0620 has the same SoC as z983 so I used that instead.
Or maybe because I'm missing some drivers but I'm pretty sure I have it all.

Can anyone help

You have to immediately... and I mean quick like lightning... the instant that phone goes into EDL and the top thing says Qualcomm HSUSB 9008 or whatever, click whatever button you need (partition flash etc.). If it doesn't work the first time, you need to reboot the phone or pop the battery and do it again. You gotta be quick, like less than one second.
 

ilya980

Member
Aug 15, 2019
40
1
I am getting an error "ERROR: function: sahara_rx_data:276 Unable to read packet header. Only read 0 bytes."
The phone is LTE ZTE Z812 Maven.
Developer options and OEM unlock are enabled.
Gets into FTM fine.
When I type "adb reboot edl", the white square with black FTM letters disappears.
QFIL says "Qualcomm HS-USB QDloader 9008 (COM3)".
The firehose file is prog_emmc_firehose_8916.mbn (from the collection linked on the 1-st page of this thread)
Build type is Flat.
Device manager shows the device as "Qualcomm HS-USB QDloader 9008 (COM3)". The driver date is 3/25/2016, the driver version is 2.1.2.2, driver provider and signature Qualcomm Incorporated.
I also tried this with the driver version 2.1.3.5 with the date 12/17/2018. Same problem.
Here are the two very similar logs I get with QFIL 2.0.3.5 and 2.0.1.9.

What am I doing wrong? Please help. I tried "lightning fast" method above, but it does not work for me. Thanks.

2021-02-27 22:45:47.659 ***** Working Folder:C:\Users\Ilya\AppData\Roaming\Qualcomm\QFIL\BHI
2021-02-27 22:45:47.681 Validating Application Configuration
2021-02-27 22:45:47.681 Load APP Configuration
2021-02-27 22:45:47.712 COM:3
2021-02-27 22:45:47.712 PBLDOWNLOADPROTOCOL:0
2021-02-27 22:45:47.712 PROGRAMMER:True
2021-02-27 22:45:47.712 PROGRAMMER:I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 22:45:47.712 RESETSAHARASTATEMACHINE:False
2021-02-27 22:45:47.712 SAHARAREADSERIALNO:False
2021-02-27 22:45:47.712 SEARCHPATH:I:\Programs\ZTE Z812
2021-02-27 22:45:47.712 ACKRAWDATAEVERYNUMPACKETS:False
2021-02-27 22:45:47.712 ACKRAWDATAEVERYNUMPACKETS:100
2021-02-27 22:45:47.712 MAXPAYLOADSIZETOTARGETINBYTES:False
2021-02-27 22:45:47.712 MAXPAYLOADSIZETOTARGETINBYTES:49152
2021-02-27 22:45:47.712 ACTIVEBOOTPARTITION:False
2021-02-27 22:45:47.712 ACTIVEBOOTPARTITION:0
2021-02-27 22:45:47.712 PHYPARTITIONS:False
2021-02-27 22:45:47.712 PHYPARTITIONS:0
2021-02-27 22:45:47.712 DEVICETYPE:emmc
2021-02-27 22:45:47.712 PLATFORM:8x26
2021-02-27 22:45:47.712 VALIDATIONMODE:0
2021-02-27 22:45:47.712 RESETAFTERDOWNLOAD:False
2021-02-27 22:45:47.712 SWITCHTOFIREHOSETIMEOUT:30
2021-02-27 22:45:47.712 RESETTIMEOUT:200
2021-02-27 22:45:47.712 RESETDELAYTIME:2
2021-02-27 22:45:47.712 METABUILD:
2021-02-27 22:45:47.712 METABUILD:
2021-02-27 22:45:47.712 FLATBUILDPATH:C:\
2021-02-27 22:45:47.712 FLATBUILDFORCEOVERRIDE:True
2021-02-27 22:45:47.712 QCNPATH:C:\Temp\00000000.qcn
2021-02-27 22:45:47.712 QCNAUTOBACKUPRESTORE:False
2021-02-27 22:45:47.712 SPCCODE:000000
2021-02-27 22:45:47.712 ENABLEMULTISIM:False
2021-02-27 22:45:47.712 AUTOPRESERVEPARTITIONS:False
2021-02-27 22:45:47.712 PARTITIONPRESERVEMODE:0
2021-02-27 22:45:47.712 PRESERVEDPARTITIONS:0
2021-02-27 22:45:47.712 PRESERVEDPARTITIONS:
2021-02-27 22:45:47.712 ERASEALL:False
2021-02-27 22:45:47.712 Load ARG Configuration
2021-02-27 22:45:47.828 Validating Download Configuration
2021-02-27 22:45:47.828 Image Search Path: I:\Programs\ZTE Z812
2021-02-27 22:45:47.828 Programmer Path:I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 22:45:48.181 Process Index:0
2021-02-27 22:45:48.197 Qualcomm Flash Image Loader (QFIL) 2.0.3.5
2021-02-27 22:46:54.403 Start Download
2021-02-27 22:46:54.406 Program Path:I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 22:46:54.408 ***** Working Folder:C:\Users\Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2021-02-27 22:48:24.623 Binary build date: Jun 25 2019 @ 03:16:15
2021-02-27 22:48:24.624 QSAHARASERVER CALLED LIKE THIS: 'C:\Program Files (x86)\Qualcomm\QPST\bin\QSaharaServer.ex'Current working dir: C:\Users\Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2021-02-27 22:48:24.625 Sahara mappings:
2021-02-27 22:48:24.626 2: amss.mbn
2021-02-27 22:48:24.627 6: apps.mbn
2021-02-27 22:48:24.628 8: dsp1.mbn
2021-02-27 22:48:24.629 10: dbl.mbn
2021-02-27 22:48:24.629 11: osbl.mbn
2021-02-27 22:48:24.630 12: dsp2.mbn
2021-02-27 22:48:24.631 16: efs1.mbn
2021-02-27 22:48:24.632 17: efs2.mbn
2021-02-27 22:48:24.632 20: efs3.mbn
2021-02-27 22:48:24.633 21: sbl1.mbn
2021-02-27 22:48:24.634 22: sbl2.mbn
2021-02-27 22:48:24.635 23: rpm.mbn
2021-02-27 22:48:24.635 25: tz.mbn
2021-02-27 22:48:24.636 28: dsp3.mbn
2021-02-27 22:48:24.637 29: acdb.mbn
2021-02-27 22:48:24.638 30: wdt.mbn
2021-02-27 22:48:24.639 31: mba.mbn
2021-02-27 22:48:24.644 13: I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 22:48:24.645
2021-02-27 22:48:24.646 22:46:54: Requested ID 13, file: "I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn"
2021-02-27 22:48:24.647
2021-02-27 22:48:24.647 22:48:24: ERROR: function: sahara_rx_data:276 Unable to read packet header. Only read 0 bytes.
2021-02-27 22:48:24.648
2021-02-27 22:48:24.649 22:48:24: ERROR: function: sahara_main:982 Sahara protocol error
2021-02-27 22:48:24.650
2021-02-27 22:48:24.651 22:48:24: ERROR: function: main:320 Uploading Image using Sahara protocol failed
2021-02-27 22:48:24.652
2021-02-27 22:48:24.652
2021-02-27 22:48:24.654 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
2021-02-27 22:48:24.663 Finish Get GPT

and with QFIL 2.0.1.9

2021-02-27 19:48:27.199 Validating Application Configuration
2021-02-27 19:48:27.214 Load APP Configuration
2021-02-27 19:48:27.245 COM:0
2021-02-27 19:48:27.245 PBLDOWNLOADPROTOCOL:0
2021-02-27 19:48:27.245 PROGRAMMER:True
2021-02-27 19:48:27.245 PROGRAMMER:
2021-02-27 19:48:27.245 RESETSAHARASTATEMACHINE:False
2021-02-27 19:48:27.245 SAHARAREADSERIALNO:False
2021-02-27 19:48:27.245 SEARCHPATH:C:\
2021-02-27 19:48:27.245 ACKRAWDATAEVERYNUMPACKETS:False
2021-02-27 19:48:27.245 ACKRAWDATAEVERYNUMPACKETS:100
2021-02-27 19:48:27.245 MAXPAYLOADSIZETOTARGETINBYTES:False
2021-02-27 19:48:27.245 MAXPAYLOADSIZETOTARGETINBYTES:49152
2021-02-27 19:48:27.245 DEVICETYPE:emmc
2021-02-27 19:48:27.245 PLATFORM:8x26
2021-02-27 19:48:27.245 VALIDATIONMODE:0
2021-02-27 19:48:27.245 RESETAFTERDOWNLOAD:False
2021-02-27 19:48:27.245 MAXDIGESTTABLESIZE:8192
2021-02-27 19:48:27.245 SWITCHTOFIREHOSETIMEOUT:30
2021-02-27 19:48:27.245 RESETTIMEOUT:200
2021-02-27 19:48:27.245 RESETDELAYTIME:2
2021-02-27 19:48:27.245 METABUILD:
2021-02-27 19:48:27.245 METABUILD:
2021-02-27 19:48:27.245 FLATBUILDPATH:C:\
2021-02-27 19:48:27.245 FLATBUILDFORCEOVERRIDE:True
2021-02-27 19:48:27.245 QCNPATH:C:\Temp\00000000.qcn
2021-02-27 19:48:27.245 QCNAUTOBACKUPRESTORE:False
2021-02-27 19:48:27.245 SPCCODE:000000
2021-02-27 19:48:27.245 ENABLEMULTISIM:False
2021-02-27 19:48:27.245 AUTOPRESERVEPARTITIONS:False
2021-02-27 19:48:27.245 PARTITIONPRESERVEMODE:0
2021-02-27 19:48:27.245 PRESERVEDPARTITIONS:0
2021-02-27 19:48:27.245 PRESERVEDPARTITIONS:
2021-02-27 19:48:27.245 ERASEALL:False
2021-02-27 19:48:27.245 Load ARG Configuration
2021-02-27 19:48:27.355 Validating Download Configuration
2021-02-27 19:48:27.370 Image Search Path: C:\
2021-02-27 19:48:28.308 Process Index:0
2021-02-27 19:48:28.324 Qualcomm Flash Image Loader (QFIL) 2.0.1.9
2021-02-27 19:48:37.870 Programmer Path:I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 19:48:37.870 Image Search Path: I:\Programs\ZTE Z812
2021-02-27 19:48:43.214 Start Download
2021-02-27 19:48:43.230 Program Path:I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 19:48:43.245 ***** Working Folder:C:\Users\Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2021-02-27 19:50:13.433 Binary build date: Nov 21 2017 @ 02:53:37
2021-02-27 19:50:13.433 QSAHARASERVER CALLED LIKE THIS: 'I:\Programs\ZTE Z812\Qualcomm_Flash_Image_Loader_v2.0.1.9\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2021-02-27 19:50:13.433 Sahara mappings:
2021-02-27 19:50:13.433 2: amss.mbn
2021-02-27 19:50:13.433 6: apps.mbn
2021-02-27 19:50:13.433 8: dsp1.mbn
2021-02-27 19:50:13.433 10: dbl.mbn
2021-02-27 19:50:13.433 11: osbl.mbn
2021-02-27 19:50:13.433 12: dsp2.mbn
2021-02-27 19:50:13.433 16: efs1.mbn
2021-02-27 19:50:13.433 17: efs2.mbn
2021-02-27 19:50:13.433 20: efs3.mbn
2021-02-27 19:50:13.433 21: sbl1.mbn
2021-02-27 19:50:13.433 22: sbl2.mbn
2021-02-27 19:50:13.433 23: rpm.mbn
2021-02-27 19:50:13.449 25: tz.mbn
2021-02-27 19:50:13.449 28: dsp3.mbn
2021-02-27 19:50:13.449 29: acdb.mbn
2021-02-27 19:50:13.449 30: wdt.mbn
2021-02-27 19:50:13.449 31: mba.mbn
2021-02-27 19:50:13.449 13: I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn
2021-02-27 19:50:13.449
2021-02-27 19:50:13.449 19:48:43: Requested ID 13, file: "I:\Programs\ZTE Z812\prog_emmc_firehose_8916.mbn"
2021-02-27 19:50:13.449
2021-02-27 19:50:13.449 19:50:13: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
2021-02-27 19:50:13.449
2021-02-27 19:50:13.449 19:50:13: ERROR: function: sahara_main:924 Sahara protocol error
2021-02-27 19:50:13.449
2021-02-27 19:50:13.449 19:50:13: ERROR: function: main:303 Uploading Image using Sahara protocol failed
2021-02-27 19:50:13.449
2021-02-27 19:50:13.449
2021-02-27 19:50:13.449 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
2021-02-27 19:50:13.465 Finish Get GPT
 

ilya980

Member
Aug 15, 2019
40
1
I tried this on a 32 bit Windows 7 laptop. It seems that I've got a little further, but I am still getting an error about some file missing. Please help.
Here is the log from 32-bit Win 7 system:
2021-02-28 18:26:16.381 Start Download
2021-02-28 18:26:16.397 Program Path:C:\prog_emmc_firehose_8916.mbn
2021-02-28 18:26:16.397 ***** Working Folder:C:\Users\Ira&Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_17
2021-02-28 18:26:16.724 Binary build date: Jun 25 2019 @ 03:16:15
2021-02-28 18:26:16.724 QSAHARASERVER CALLED LIKE THIS: 'C:\Programs\ZTE Z812\Qualcomm_Flash_Image_Loader_v2.0.3.5\QSaharaServer.ex'Current working dir: C:\Users\Ira&Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_17
2021-02-28 18:26:16.740 Sahara mappings:
2021-02-28 18:26:16.740 2: amss.mbn
2021-02-28 18:26:16.756 6: apps.mbn
2021-02-28 18:26:16.756 8: dsp1.mbn
2021-02-28 18:26:16.756 10: dbl.mbn
2021-02-28 18:26:16.771 11: osbl.mbn
2021-02-28 18:26:16.771 12: dsp2.mbn
2021-02-28 18:26:16.771 16: efs1.mbn
2021-02-28 18:26:16.771 17: efs2.mbn
2021-02-28 18:26:16.771 20: efs3.mbn
2021-02-28 18:26:16.787 21: sbl1.mbn
2021-02-28 18:26:16.787 22: sbl2.mbn
2021-02-28 18:26:16.787 23: rpm.mbn
2021-02-28 18:26:16.787 25: tz.mbn
2021-02-28 18:26:16.802 28: dsp3.mbn
2021-02-28 18:26:16.802 29: acdb.mbn
2021-02-28 18:26:16.802 30: wdt.mbn
2021-02-28 18:26:16.802 31: mba.mbn
2021-02-28 18:26:16.802 13: C:\prog_emmc_firehose_8916.mbn
2021-02-28 18:26:16.818
2021-02-28 18:26:16.818 18:26:16: Requested ID 13, file: "C:\prog_emmc_firehose_8916.mbn"
2021-02-28 18:26:16.818
2021-02-28 18:26:16.818 18:26:16: 223504 bytes transferred in 0.172000 seconds (1.2392MBps)
2021-02-28 18:26:16.818
2021-02-28 18:26:16.834
2021-02-28 18:26:16.834
2021-02-28 18:26:16.834 18:26:16: File transferred successfully
2021-02-28 18:26:16.849
2021-02-28 18:26:16.849
2021-02-28 18:26:16.849 NOTE: Target requested image 13 which is DeviceProgrammer. Forcing QUIT. This is by design, ** All is well ** SUCCESS!!
2021-02-28 18:26:16.865
2021-02-28 18:26:16.865
2021-02-28 18:26:16.865 18:26:16: Sahara protocol completed
2021-02-28 18:26:16.865 Sending Programmer Finished
2021-02-28 18:26:16.865 Switch To FireHose
2021-02-28 18:26:16.880 Wait for 3 seconds...
2021-02-28 18:26:19.891 Max Payload Size to Target:49152 Bytes
2021-02-28 18:26:19.891 Active Boot Partition:0
2021-02-28 18:26:19.907 Device Type:emmc
2021-02-28 18:26:19.907 Platform:8x26
2021-02-28 18:26:19.907 Disable Ack Raw Data Every N Packets
2021-02-28 18:26:19.907 Skip Write:False
2021-02-28 18:26:19.922 Always Validate:False
2021-02-28 18:26:19.922 Use Verbose:False
2021-02-28 18:26:19.938 ***** Working Folder:C:\Users\Ira&Ilya\AppData\Roaming\Qualcomm\QFIL\COMPORT_17
2021-02-28 18:26:19.954 Download Fail:FireHose Fail:FHLoader Fail:The system cannot find the file specified
2021-02-28 18:26:19.969 Finish Get GPT
 

ilya980

Member
Aug 15, 2019
40
1
I installed QPST 2.7.496 and was able to get a step further. I generated port_trace.txt, but I still get an error. Now it is "Download Fail:FireHose Fail:FHLoader Fail:Flash Information is not filled". The log file suggests that PC is talking to the phone just fine. Does anyone know what is still wrong? Thanks.
 

Attachments

  • 132590432830014198.log
    8.6 KB · Views: 6
  • port_trace.txt
    11.7 KB · Views: 4

ilya980

Member
Aug 15, 2019
40
1
I was only able to make it work with Win7 x32. For the Z812 I used Qualcomm HS-USB QDloader 9008 driver 2.1.3.5 dated 12/17/2018, QPST 2.7.460 (latest QPST did not work!), the QFIL that comes with it, and the latest ADB driver. The phone is recognized as QSHUSB_BULK under Win10 x64, and is recognized by QFIL on a COM port, but I was never able to get past the sahara error on Win10 x64 ("ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.").

So, I was able to obtain 2 dumps using QFIL. One dump of partitions from the EDL mode (Vol down+Power into FTM mode, then "adb reboot EDL"), and another dump from "download mode" (Vol down+Vol up+Power), but I don't know what to do with these dumps. I've tried looking at /aboot with IDA, found references to strings indicating unlocked device, but I don't have the skills to figure out what is disabled and whether there is a way to patch the /aboot or the flags it checks.

Anyone can help me understand /aboot? Thanks.
 

ilya980

Member
Aug 15, 2019
40
1
Have you installed the adb driver? It is not the same as Qualcomm HS-USB QDloader 9008 driver. Just having adb.exe is not enough. Also, the adb installer I used has some GUI, which I could not click through unless the phone was in the FTM mode. Try putting the phone in the FTM mode, then install that adb driver, then do adb reboot EDL (you might need to reboot after installing adb driver). I recall that some versions of adb worked for me and others did not.
 

ikasemota

Member
Jun 9, 2018
6
0
Please, I have a ZTE N9131 device (Sprint) that was sent to me as a gift. I have tried all methods to unlock it to use all networks, but it is not working. Will this method to unlock the bootloader work?
 
Am I missing something? I followed the directions without any issues to a T and when I got to editing the hex, it was already the way it was supposed to be edited, so I reflashed it anyway and nothing...? Z839 Blade Vantage
Same here - hex was already properly modified - using the Z855 - was also not sure how to continue. Any thoughts? Happy to provide more details and field questions if needed to help diagnose.
 

ebrahimwaleed

Member
Jun 18, 2016
32
3
Cairo
I have a TracFone ZTE Jasper LTE Z718TL
Qualcomm Snapdragon 210 MSM8909
i tried booting to ftm the phone just boots the os i only have access to phone stuck recovery and os
any help will be nice
 

theqwertman

Member
Feb 3, 2013
25
3
My interpretation of everything I researched is that flashing through QFIL in EDL mode is a way to bypass the need for an unlocked bl. If the ability to flash through QFIL indicates that the bl is unlocked, then why is it necessary to flash a modified devinfo to unlock it?
I confirmed as well that QFIL is perfectly capable of writing to the boot partition. There is no secureboot (at least, not on the N9835), so if you grab an untouched-from-the-factory phone and do absolutely nothing other than overwrite the boot partition with custom code, the blissfully ignorant bootloader will run your custom code.

I guess ZTE assumed that nobody would ever leak the Qualcomm tools that are capable of leveraging EDL. If the bootloader is the front door, it doesn't matter that it's locked, because there's a back door that's unlocked. It's just that the back door is in an obscure location - people had no idea how to get to it for a while, and even now it's difficult to find the right directions to get to it.

So, what's the reason for bothering to unlock the bootloader? Well, going through the front door is easier, even after you've figured out how to get to the back door. The point is being able to run the familiar fastboot commands, instead of having to fiddle with the Windows-only Qualcomm GUI. And, beyond convenience, an unlocked bootloader has additional capabilities that EDL doesn't, like booting an image without having to flash it first.

But if all you want is to load a custom recovery, kernel, and/or system, then as long as you can get QFIL to work, then there's no need to unlock the bootloader.
 

luridphantom

Senior Member
Apr 4, 2021
125
19
I confirmed as well that QFIL is perfectly capable of writing to the boot partition. There is no secureboot (at least, not on the N9835), so if you grab an untouched-from-the-factory phone and do absolutely nothing other than overwrite the boot partition with custom code, the blissfully ignorant bootloader will run your custom code.

I guess ZTE assumed that nobody would ever leak the Qualcomm tools that are capable of leveraging EDL. If the bootloader is the front door, it doesn't matter that it's locked, because there's a back door that's unlocked. It's just that the back door is in an obscure location - people had no idea how to get to it for a while, and even now it's difficult to find the right directions to get to it.

So, what's the reason for bothering to unlock the bootloader? Well, going through the front door is easier, even after you've figured out how to get to the back door. The point is being able to run the familiar fastboot commands, instead of having to fiddle with the Windows-only Qualcomm GUI. And, beyond convenience, an unlocked bootloader has additional capabilities that EDL doesn't, like booting an image without having to flash it first.

But if all you want is to load a custom recovery, kernel, and/or system, then as long as you can get QFIL to work, then there's no need to unlock the bootloader.
does this mean you can flash magisk without unlocking the bootloader?
 

theqwertman

Member
Feb 3, 2013
25
3
does this mean you can flash magisk without unlocking the bootloader?
Yes, I did that last week. You don't even need to get temp root beforehand.
  1. Use the Qualcomm tool as documented in the first post of this thread, but retrieve boot instead of devinfo
  2. Use adb push to send your boot partition image to your sd card
  3. Install Magisk APK
  4. Patch the boot image with Magisk app
  5. Use adb pull to copy the patched boot image back to your PC
  6. Use the Qualcomm tool again - right-click on boot partition, choose "Load Image", and choose the Magisk-patched boot image

Is there anyway to use this on Linux (Without installing Windows or a Virtual machine)?
I have a z957 btw
Unfortunately, not until/unless somebody reverse-engineers the binary protocols used in the Qualcomm app and builds a clone of it for Linux. You can try WINE, otherwise you'll need Windows. You can always do Windows in a VM, as long as the VM supports USB.
 

GreenCanMan

New member
Jun 12, 2021
3
0
Yes, I did that last week. You don't even need to get temp root beforehand.
  1. Use the Qualcomm tool as documented in the first post of this thread, but retrieve boot instead of devinfo
  2. Use adb push to send your boot partition image to your sd card
  3. Install Magisk APK
  4. Patch the boot image with Magisk app
  5. Use adb pull to copy the patched boot image back to your PC
  6. Use the Qualcomm tool again - right-click on boot partition, choose "Load Image", and choose the Magisk-patched boot image


Unfortunately, not until/unless somebody reverse-engineers the binary protocols used in the Qualcomm app and builds a clone of it for Linux. You can try WINE, otherwise you'll need Windows. You can always do Windows in a VM, as long as the VM supports USB.
But every time I use a Windows 7 32-bit VM, QFIL just crashes, and in a Windows XP 32-bit VM it won't even launch. I can try a Windows 7 64-bit VM or a Windows 8.1 32-bit VM if that would help.
 

ilya980

Member
Aug 15, 2019
40
1
Yes, I did that last week. You don't even need to get temp root beforehand.
  1. Use the Qualcomm tool as documented in the first post of this thread, but retrieve boot instead of devinfo
  2. Use adb push to send your boot partition image to your sd card
  3. Install Magisk APK
  4. Patch the boot image with Magisk app
  5. Use adb pull to copy the patched boot image back to your PC
  6. Use the Qualcomm tool again - right-click on boot partition, choose "Load Image", and choose the Magisk-patched boot image


Unfortunately, not until/unless somebody reverse-engineers the binary protocols used in the Qualcomm app and builds a clone of it for Linux. You can try WINE, otherwise you'll need Windows. You can always do Windows in a VM, as long as the VM supports USB.
Does this allow removing all the AT&T bloatware from the phone? My phone is Z812. There is no devinfo and fastboot oem bootloader is disabled. Wouldn't patching a boot.img this way cause a brick since the patched boot.img is not signed? Also, is there a TWRP or any custom ROM for this phone? Thanks.
 

Top Liked Posts

  • 1
    First off, after all of the different janky program, driver, and version downloads of all of these different fixes, I'm fairly certain both the Chinese and Indian governments are now using my laptop to spy on each other while some Russian group is sifting through all of the p**n site cookies hoping I dropped a credit card somewhere. And some of those fixes are 2-5 years old and the files/tools they say to use no longer exist at the links they put on their posts.

    Anyway...

    I've been on this for cumulative 9 hours over two nights, and I'm no closer to a fix.

    After reinstalling a QFIL or QPST driver for Windows 10, a process that also reinstalled QPST, I decided to find and pull up a log to see if there was anything behind the "Firehose fail." Everything is doing good until this:

    [ICODE]00:35:12: INFO: Looking for file 'cache.img'
    00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img')
    00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
    00:35:12: DEBUG: Trying get filesize, calling fseek()
    00:35:12: DEBUG: Found 'C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img' (10682660 bytes)
    00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
    00:35:12: DEBUG: Trying get filesize, calling fseek()
    00:35:12: DEBUG: ==================================================================================
    00:35:12: DEBUG: ==================================================================================
    00:35:12: INFO: Looking for file 'system.img'
    00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\system.img')
    00:35:12: DEBUG: 2. Calling stat(system.img')
    00:35:12: WARNING: find_file:6641 Couldn't find the file 'system.img', returning NULL
    00:35:12: {ERROR: handleProgram:7403 'system.img' not found. You could possibly try --notfiles=system.img,OtherFileToSkip.bin (note, exiting since you specified --noprompt)[/ICODE]

    It's lying. system.img most certainly is there in the folder with all of the rest of the firmware files that go with it. And EVERYTHING I've downloaded and been running during all of this, I put on the desktop (as opposed to drive D, where downloads get put).

    Thoughts? I'm going to redownload the firehose and the firmware (the latter from a different site, which is difficult since I couldn't find an official ZTE firmware site).

    I don't know which project I'm working on is more frustrating. This, the Moto g7 Play I had rooted and working fine until I forgot the pattern lock, hard reset, and can't get root to work again, or the Stylo 3, which says all pattern unlock attempts are wrong, but since it's an older phone and on Nougat I'm trying to find a way around it.
    have you tried miflash?

    if not, then this might be your last hope since you already have the firehose: https://github.com/bkerler/edl
  • 11
    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE Devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge of how to flash ROMs or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Will not work on:
    Axon 7
    Axon 7 Mini
    Axon 9
    Axon 10
    Axon M
    Zmax 2 (Z958)
    Anything else that has Oreo, PIE or 10
    The unlocking bit on those devices is stored in another partition that can't be easily modified

    Working on: (Thanks @deadman96385)

    Snapdragon 210 Processors:
    ZTE Avid Plus (Z828)
    ZTE Maven 2 (Z831) (code-name: chapel)
    ZTE Maven 3 (Z835) (code-name: draco)
    ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
    Unknown ZTE (code-name: forbes)
    ZTE ZMAX One (Z719DL) (code-name: gemi)
    ZTE Tempo X (N9137) (code-name: grayjoylite)
    ZTE Grand X View 2 (K81) (code-name: helen)
    ZTE Overture 3 (Z851) (code-name: jeff)
    ZTE Fanfare 3 (Z852) (code-name: kelly)
    ZTE ZFive G LTE (Z557BL) (code-name: lewis)
    ZTE ZFive C (Z558VL) (code-name: loft)
    Unknown ZTE (code-name: refuge)
    ZTE N818S (code-name: sapphire/sapphire4G)
    ZTE Blade Vantage (Z839) (code-name: sweet)

    Snapdragon 617:
    Android 5.1.1
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Imperial Max (Z963U) (code-name: lily)
    ZTE Max Duo LTE (Z963VL) (code-name: nancy)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE Max Duo LTE (Z962BL) (code-name: tom)
    Android 6.0.1
    ZTE ZPAD (K90U) (code-name: gevjon)
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE ZMAX Pro (Z981) (code-name: urd)
    Android 7.1.1
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)

    MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
    ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
    ZTE Grand X4 (Z956/Z957) (code-name: finacier)
    ZTE Blade Spark (Z971) (code-name: peony)
    ZTE Blade X (Z965) (code-name: proline)
    ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
    Unknown ZTE (code-name: flame)
    ZTE Blade X Max (Z983) (code-name: stollen)
    ZTE Blade Max View (Z610DL) (code-name: violet)
    ZTE Max Blue LTE (Z986DL) (code-name: florist)
    ZTE AT&T Primetime (K92) (code-name: primerose)
    Of course, it might work on more models that might not be listed here.


    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • Adb Commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn) You can get it from here: https://github.com/programmer-collection/zte
    • A Hex editor (Like HxD)


    Tutorial:
    • Hold power and volume down to boot to FTM mode



    • Using ADB commands, type: adb reboot EDL



    Open QFIL, You should see Qualcomm HS-USB QD-Loader 9008 (COM****)

    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)



    • Select tools, partition manager
    • Click ok

    We are interested in the /devinfo partition only!



    • Right click devinfo only and click on "Manage Partition data"



    • Click on "Read Data"
    • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

    Next, open HxD or any other hex editor

    • Click File>Open and select the file we copied to the desktop

    You should see a layout like this:



    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00




    • Go to offset 007FFE00 and repeat the same steps:



    It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D

    For people who don't know, on all android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_Critical_unlocked

    ____________________________________________________________________________________
    • Do not touch anything else and click File>Save
    • Boot your phone into EDL again.

    (You might need to reopen QFIL)



    • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
    • Click "Load image"



    • Select the file we modified (Should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

    Your bootloader should be unlocked!!
    You cannot really tell if the Bootloader is unlocked, unfortunately. But, if TWRP boots or ROOT persists then here is your sign :D


    TWRP is booting!

    You can now ROOT, Install custom ROMs, Install Custom Recoveries, kernel modifications & More using QFIL!
    You are now free :D


    Credits to aleph security in the Unlocking the bootloader section at the bottom of the page for showing the Hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
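
A read-only check of the state the tutorial above edits, as an added example that is not part of the original post: it scans a devinfo dump for every `ANDROID-BOOT!` record and reports whether the bytes at +0x10 and +0x18 are set, which also catches the case where only one of the two copies was changed. The field names, the 8 MiB sample size and the sample images are assumptions constructed for illustration; the offsets and magic are the ones shown in the post.

```python
"""Read-only inspection of a devinfo partition dump (added example)."""
from dataclasses import dataclass
from typing import List

MAGIC = b"ANDROID-BOOT!"      # the 13 bytes 41 4E 44 ... 54 21 shown in the post
UNLOCK_OFF = 0x10             # first byte the post changes from 00 to 01
CRITICAL_OFF = 0x18           # second byte the post changes from 00 to 01
RECORD_LEN = 0x20             # the two 16-byte rows shown in the post
SECOND_COPY = 0x007FFE00      # offset of the second copy named in the post


@dataclass
class Record:
    offset: int
    unlocked: int             # name follows the post's description (assumption)
    critical_unlocked: int    # name follows the post's description (assumption)

    @property
    def state(self) -> str:
        flags = (self.unlocked, self.critical_unlocked)
        if flags == (0, 0):
            return "locked"
        if flags == (1, 1):
            return "unlocked"
        return "inconsistent"


def find_records(image: bytes) -> List[Record]:
    """Return one Record per complete ANDROID-BOOT! occurrence in the dump."""
    records = []
    pos = image.find(MAGIC)
    while pos != -1:
        # Ignore a magic string that is cut off by the end of the file.
        if pos + RECORD_LEN <= len(image):
            records.append(
                Record(pos, image[pos + UNLOCK_OFF], image[pos + CRITICAL_OFF])
            )
        pos = image.find(MAGIC, pos + len(MAGIC))
    return records


def summarize(image: bytes) -> str:
    """Classify a dump as 'locked', 'unlocked', 'mixed' or 'no-magic'."""
    records = find_records(image)
    if not records:
        return "no-magic"
    states = {r.state for r in records}
    if len(states) == 1 and "inconsistent" not in states:
        return states.pop()
    # Copies disagree, or a copy has only one of the two bytes set.
    return "mixed"


def build_sample(first=(0, 0), second=(0, 0), size=0x800000) -> bytes:
    """Constructed test image: zero-filled, with two records at the post's offsets."""
    image = bytearray(size)
    for off, (a, b) in ((0, first), (SECOND_COPY, second)):
        image[off:off + len(MAGIC)] = MAGIC
        image[off + UNLOCK_OFF] = a
        image[off + CRITICAL_OFF] = b
    return bytes(image)


if __name__ == "__main__":
    samples = {
        "factory": build_sample(),
        "both copies edited": build_sample((1, 1), (1, 1)),
        "only first copy edited": build_sample((1, 1), (0, 0)),
    }
    for label, img in samples.items():
        print(f"{label}: {summarize(img)}")
        for rec in find_records(img):
            print(f"  0x{rec.offset:08X} unlocked={rec.unlocked} "
                  f"critical_unlocked={rec.critical_unlocked} -> {rec.state}")
```

To check a real dump, pass the bytes of the `ReadData_emmc_...bin` file to `summarize()`; the script never writes to the file.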
    7
    Firehose collection

    Here is my collection of ZTE firehoses for use in this guide. I can't guarantee every one will work but the vast majority of them should. But they are all organized by codename and my best attempt at matching codename to shipping name.

    https://github.com/programmer-collection/zte
    3
    Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    So I tested it on my N9137 and it’s working properly. Normally when it can’t get a hello from the device it means your driver is wrong. Sometimes windows defaults to the diagnostic driver instead of the Qdloader one and you need to change it in device manager.

    On another note @alexenferman it might be worthwhile to add to OP known working devices. I’ve tested and confirmed working on
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)

    I will test on the ZTE Maven 3 once I get its battery charged
    2
    I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?

    No do not edit the aboot partition, you will brick it if you flash your modified one.
    2
    I'm assuming this also won't work on devices that shipped with older OS and were officially updated to Oreo?
    I have an Axon 7 on Oreo and the normal thing is to regress them to unlock bootloader.

    Yeah, it won't work on the Axon 7, I've asked for the article to be updated.

    Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.

    I haven't seen one for it, but you can try this one from the A460 you have a good chance of it working.
    https://github.com/programmer-collection/zte/blob/master/BladeA460/prog_emmc_firehose_8909.mbn

    Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.
    Can you post a picture or a list of partitions you had?