
Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

Did this method work for your device??

  • YES! Finally unlocked!!! (Votes: 6, 13.6%)
  • No. (Votes: 12, 27.3%)
  • I don't have a ZTE device, but that's cool! (Votes: 26, 59.1%)

  Total voters: 44

nirwin

New member
Jul 13, 2021
3
0
I'm running this process on a ZTE Blade Vantage (Z839). I'm currently failing at the partition manager step. When I click Tool > Partition Manager > "Ok" in QFIL, the new window that's supposed to allow me to choose the /devinfo partition never appears. I have the firehose downloaded and selected, and the correct port is listed at the top of the QFIL window. I will say that that the phone in EDL is entirely unresponsive, despite that port showing up.

Has anyone else experienced this problem in QFIL? Is this just an indication that something is going wrong with the phone connection?
 

luridphantom

Senior Member
Apr 4, 2021
124
19
I'm running this process on a ZTE Blade Vantage (Z839). I'm currently failing at the partition manager step. When I click Tool > Partition Manager > "Ok" in QFIL, the new window that's supposed to allow me to choose the /devinfo partition never appears. I have the firehose downloaded and selected, and the correct port is listed at the top of the QFIL window. I will say that that the phone in EDL is entirely unresponsive, despite that port showing up.

Has anyone else experienced this problem in QFIL? Is this just an indication that something is going wrong with the phone connection?
i tried it with a z839 and the firehose supplied in the github doesn't seem to work for me. fyi i'm using the verizon version so not sure if it's supposed to be signed differently, kinda like how the zte sonata 3 has a different firehose from the zte maven2
 

luridphantom

Senior Member
Apr 4, 2021
124
19
Yes, I did that last week. You don't even need to get temp root beforehand.
  1. Use the Qualcomm tool as documented in the first post of this thread, but retrieve boot instead of devinfo
  2. Use adb push to send your boot partition image to your sd card
  3. Install Magisk APK
  4. Patch the boot image with Magisk app
  5. Use adb pull to copy the patched boot image back to your PC
  6. Use the Qualcomm tool again - right-click on boot partition, choose "Load Image", and choose the Magisk-patched boot image
that's interesting, wonder if i can use it to root my axon 7 and axon 7 mini w/o bootloader unlocking since i have social media stuff on them i can't easily pull off without root

what device did you test this on btw?
 

nirwin

New member
Jul 13, 2021
3
0
i tried it with a z839 and the firehose supplied in the github doesn't seem to work for me. fyi i'm using the verizon version so not sure if it's supposed to be signed differently, kinda like how the zte sonata 3 has a different firehose from the zte maven2
I'm also using the verizon carrier-locked version. Were you able to use another method to unlock the bootloader, or is this a project I should quit?
 

luridphantom

Senior Member
Apr 4, 2021
124
19
I'm also using the verizon carrier-locked version. Were you able to use another method to unlock the bootloader, or is this a project I should quit?
nope, the firehose provided in the github repo doesn't work for the z839. not sure which firehose someone used to get theirs working because the verizon phone seems to require a differently signed firehose from other phones like the zte maven 2/3, etc
 
  • Like
Reactions: nirwin

luridphantom

Senior Member
Apr 4, 2021
124
19
just an update that i bricked my zte blade pro v8 on marshmallow 6.0.1 trying this method...if anyone knows where i can download firmware files for this phone or get it back into edl from its bootlooping state that would be great
 

ilya980

Member
Aug 15, 2019
40
1
Hi, does anyone have a firmware PV_ZTE_P816A06V1.0.0B07.zip for a ZTE Z812 phone? I believe, this is one of the early builds. There are a few places on the internet that mention the existence of this build, but they all look shady and want money for the download. There are also MFG_DRV_PKG_QCV1.0.0B04.zip , PV_ZTE_ P816A06_CKETV1.0.0B06.zip , and P816A06_CIQV1.0.0B15_DL.zip mentioned for this phone. Does anyone have any of these files? Thanks.
 

ilya980

Member
Aug 15, 2019
40
1
It is not the phone that is terrible. It is the bloatware pre-installed by AT&T and "partners". Also SD card works great if you move your apps there. But some apps cannot be moved, because of all AT&T, Google, etc. crap. This phone would be a great phone with some barebones Android 7.0 or something.

You can go to "Storage"->"Used space"->"Apps" and then select bloatware apps one by one and then Clear cache, clear data, uninstall, disable, and force stop. Really helps a lot, but you have to be careful not to disable something you need. I went through like 10 or 15 apps like this right after factory reset.

There is no devinfo partition, but theqwertman says it is possible to root by reading boot image with QFIL, patching with Magisk, and then writing back with QFIL without bricking. I haven't tried because I can't find any custom recovery or custom ROM for this phone. Maybe someone could build a TWRP (or another recovery) and some custom ROM for this phone?
 

luridphantom

Senior Member
Apr 4, 2021
124
19
It is not the phone that is terrible. It is the bloatware pre-installed by AT&T and "partners". Also SD card works great if you move your apps there. But some apps cannot be moved, because of all AT&T, Google, etc. crap. This phone would be a great phone with some barebones Android 7.0 or something.

You can go to "Storage"->"Used space"->"Apps" and then select bloatware apps one by one and then Clear cache, clear data, uninstall, disable, and force stop. Really helps a lot, but you have to be careful not to disable something you need. I went through like 10 or 15 apps like this right after factory reset.

There is no devinfo partition, but theqwertman says it is possible to root by reading boot image with QFIL, patching with Magisk, and then writing back with QFIL without bricking. I haven't tried because I can't find any custom recovery or custom ROM for this phone. Maybe someone could build a TWRP (or another recovery) and some custom ROM for this phone?
you don't need twrp to flash magisk if you already have qfil access. read back the boot img from qfil, change the dumped binary to something like boot-original.img then copy it to your phone and pass it through the magisk app. take the patched boot img off your phone and qfil that to the boot partition

one thing to watch for is dm-verity, always be ready to flash your original boot img through qfil if something goes wrong
 

ilya980

Member
Aug 15, 2019
40
1
you don't need twrp to flash magisk if you already have qfil access. read back the boot img from qfil, change the dumped binary to something like boot-original.img then copy it to your phone and pass it through the magisk app. take the patched boot img off your phone and qfil that to the boot partition

one thing to watch for is dm-verity, always be ready to flash your original boot img through qfil if something goes wrong
Yes, but how do I upgrade this phone beyond Android 5.1? Many apps require newer Android OS version. Do I need to build it from scratch? Also, how do I remove the annoying bloatware from AT&T, Google, and who else knows what pre-installed on this phone. Clean custom ROM install solves this problem. With boot.img patched by Magisk I would have to chase every bloatware that is installed (and there are a lot!) and somehow manually delete them. Do you have a clean OS image for this phone?
 

luridphantom

Senior Member
Apr 4, 2021
124
19
Yes, but how do I upgrade this phone beyond Android 5.1? Many apps require newer Android OS version. Do I need to build it from scratch? Also, how do I remove the annoying bloatware from AT&T, Google, and who else knows what pre-installed on this phone. Clean custom ROM install solves this problem. With boot.img patched by Magisk I would have to chase every bloatware that is installed (and there are a lot!) and somehow manually delete them. Do you have a clean OS image for this phone?
if the universal debloater script doesn't work for att apps you can use titanium backup once rooted to uninstall system apps

you can try to compile your own lineageos build to test out if you're brave enough

there's no clean os image since it's always been a subsidized carrier phone. mine is also from att like yours so it has a lot of crap i took off
 
  • Like
Reactions: ilya980

Top Liked Posts

  • 1
    First off, after all of the different janky program, driver, and version downloads of all of these different fixes, I'm fairly certain both the Chinese and Indian governments are now using my laptop to spy on each other while some Russian group is sifting through all of the p**n site cookies hoping I dropped a credit card somewhere. And some of those fixes are 2-5 years old and the files/tools they say to use no longer exist at the links they put on their posts.

    Anyway...

    I've been on this for cumulative 9 hours over two nights, and I'm no closer to a fix.

    After reinstalling a QFIL or QPST driver for Windows 10, a process that also reinstalled QPST, I decided to find and pull up a log to see if there was anything behind the "Firehose fail." Everything is doing good until this:

    00:35:12: INFO: Looking for file 'cache.img'
    00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img')
    00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
    00:35:12: DEBUG: Trying get filesize, calling fseek()
    00:35:12: DEBUG: Found 'C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img' (10682660 bytes)
    00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
    00:35:12: DEBUG: Trying get filesize, calling fseek()
    00:35:12: DEBUG: ==================================================================================
    00:35:12: DEBUG: ==================================================================================
    00:35:12: INFO: Looking for file 'system.img'
    00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\system.img')
    00:35:12: DEBUG: 2. Calling stat(system.img')
    00:35:12: WARNING: find_file:6641 Couldn't find the file 'system.img', returning NULL
    00:35:12: {ERROR: handleProgram:7403 'system.img' not found. You could possibly try --notfiles=system.img,OtherFileToSkip.bin (note, exiting since you specified --noprompt)

    It's lying. system . img most certainly is there in the folder with all of the rest of the firmware files that go with it. And EVERYTHING I've downloaded and been running during all of this, I put on the desktop (as opposed to drive D, where downloads get put).

    Thoughts? I'm going to redownload the firehose and the firmware (the latter from a different site, which is difficult since I couldn't find an official ZTE firmware site).

    I don't know which project I'm working on is more frustrating. This, the Moto g7 Play I had rooted and working fine until I forgot the pattern lock, hard reset, and can't get root to work again, or the Stylo 3, which says all pattern unlock attempts are wrong, but since it's an older phone and on Nougat I'm trying to find a way around it.
    have you tried miflash?

    if not, then this might be your last hope since you already have the firehose: https://github.com/bkerler/edl
  • 11
    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE Devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge of how to flash ROMs or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Will not work on:
    Axon 7
    Axon 7 Mini
    Axon 9
    Axon 10
    Axon M
    Zmax 2 (Z958)
    Anything else that has Oreo, PIE or 10
    The unlocking bit on those devices is stored in another partition that can't be easily modified

    Working on: (Thanks @deadman96385)

    Snapdragon 210 Processors:
    ZTE Avid Plus (Z828)
    ZTE Maven 2 (Z831) (code-name: chapel)
    ZTE Maven 3 (Z835) (code-name: draco)
    ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
    Unknown ZTE (code-name: forbes)
    ZTE ZMAX One (Z719DL) (code-name: gemi)
    ZTE Tempo X (N9137) (code-name: grayjoylite)
    ZTE Grand X View 2 (K81) (code-name: helen)
    ZTE Overture 3 (Z851) (code-name: jeff)
    ZTE Fanfare 3 (Z852) (code-name: kelly)
    ZTE ZFive G LTE (Z557BL) (code-name: lewis)
    ZTE ZFive C (Z558VL) (code-name: loft)
    Unknown ZTE (code-name: refuge)
    ZTE N818S (code-name: sapphire/sapphire4G)
    ZTE Blade Vantage (Z839) (code-name: sweet)

    Snapdragon 617:
    Android 5.1.1
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Imperial Max (Z963U) (code-name: lily)
    ZTE Max Duo LTE (Z963VL) (code-name: nancy)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE Max Duo LTE (Z962BL) (code-name: tom)
    Android 6.0.1
    ZTE ZPAD (K90U) (code-name: gevjon)
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE ZMAX Pro (Z981) (code-name: urd)
    Android 7.1.1
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)

    MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
    ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
    ZTE Grand X4 (Z956/Z957) (code-name: finacier)
    ZTE Blade Spark (Z971) (code-name: peony)
    ZTE Blade X (Z965) (code-name: proline)
    ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
    Unknown ZTE (code-name: flame)
    ZTE Blade X Max (Z983) (code-name: stollen)
    ZTE Blade Max View (Z610DL) (code-name: violet)
    ZTE Max Blue LTE (Z986DL) (code-name: florist)
    ZTE AT&T Primetime (K92) (code-name: primerose)
    Of course, it might work on more models that might not be listed here.

    Want to watch a video instead?


    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • Adb Commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn) You can get it from here: https://github.com/programmer-collection/zte
    • A Hex editor (Like HxD)


    Tutorial:
    • Hold power and volume down to boot to FTM mode



    • Using ADB commands, type: adb reboot EDL



    Open QFIL, You should see Qualcomm HS-USB QD-Loader 9008 (COM****)

    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)



    • Select tools, partition manager
    • Click ok

    We are interested in the /devinfo partition only!



    • Right click devinfo only and click on "Manage Partition data"



    • Click on "Read Data"
    • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

    Next, open HxD or any other hex editor

    • Click File>Open and select the file we copied to the desktop

    You should see a layout like this:



    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00




    • Go to offset 007FFE00 and repeat the same steps:



    It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D

    For people who don't know, on all android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_critical_unlocked

    ____________________________________________________________________________________
    • Do not touch anything else and click File>Save
    • Boot your phone into EDL again.

    (You might need to reopen QFIL)



    • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
    • Click "Load image"



    • Select the file we modified (Should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

    Your bootloader should be unlocked!!
    You cannot really tell if the Bootloader is unlocked, unfortunately. But, if TWRP boots or ROOT persists then here is your sign :D


    TWRP is booting!

    You can now ROOT, Install custom ROMs, Install Custom Recoveries, kernel modifications & More using QFIL!
    You are now free :D


    Credits to aleph security in the Unlocking the bootloader section at the bottom of the page for showing the Hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
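Added example, not code from the thread or from any repository it links: a small Python inspector for a devinfo dump (the ReadData_*.bin file the guide reads back with QFIL). It parses the ANDROID-BOOT! header at offset 0 and at the second copy at 0x7FFE00, reports the two flags the guide edits, checks that the two copies agree (a dump where only the first header was edited is exactly the failure the guide warns about), and can apply the same two-byte change in memory. The 4-byte little-endian flag width, the 8 MiB dump size (16384 sectors of 512 bytes, inferred from the ReadData file name) and all function names are assumptions of this example.

```python
import struct
import sys

# Layout as the guide describes it: "ANDROID-BOOT!" at offset 0, the two flags
# the guide sets to 01 at offsets 16 and 24, and a second copy of the whole
# header at 0x7FFE00. Flag width (4-byte little-endian) and the 8 MiB dump size
# are assumptions of this example, not facts stated in the thread.
DEVINFO_MAGIC = b"ANDROID-BOOT!"
SECOND_COPY_OFFSET = 0x7FFE00
IS_UNLOCKED_OFF = 16
IS_CRITICAL_UNLOCKED_OFF = 24
DEVINFO_SIZE = 16384 * 512


def parse_copy(data: bytes, base: int) -> dict:
    """Parse one ANDROID-BOOT! header at `base`; raise if the magic is missing."""
    if data[base:base + len(DEVINFO_MAGIC)] != DEVINFO_MAGIC:
        raise ValueError(f"no ANDROID-BOOT! magic at offset 0x{base:08X}")
    (is_unlocked,) = struct.unpack_from("<I", data, base + IS_UNLOCKED_OFF)
    (is_crit,) = struct.unpack_from("<I", data, base + IS_CRITICAL_UNLOCKED_OFF)
    return {"offset": base, "is_unlocked": bool(is_unlocked),
            "is_critical_unlocked": bool(is_crit)}


def inspect_devinfo(data: bytes) -> dict:
    """Report both header copies and whether they agree (a half-edited dump does not)."""
    copies = [parse_copy(data, 0), parse_copy(data, SECOND_COPY_OFFSET)]
    first = copies[0]
    consistent = all(c["is_unlocked"] == first["is_unlocked"]
                     and c["is_critical_unlocked"] == first["is_critical_unlocked"]
                     for c in copies)
    return {"copies": copies, "consistent": consistent}


def hex_rows(data: bytes, base: int, rows: int = 2) -> list:
    """Render 16-byte rows the way the guide's hex-editor view shows them."""
    return [" ".join(f"{b:02X}" for b in data[base + 16 * i:base + 16 * (i + 1)])
            for i in range(rows)]


def set_unlock_flags(data: bytes, unlocked: bool) -> bytes:
    """Return a copy with both flags written in both headers, as the guide's edit does."""
    out = bytearray(data)
    value = struct.pack("<I", 1 if unlocked else 0)
    for base in (0, SECOND_COPY_OFFSET):
        parse_copy(out, base)  # refuse to write where no header exists
        for off in (IS_UNLOCKED_OFF, IS_CRITICAL_UNLOCKED_OFF):
            out[base + off:base + off + 4] = value
    return bytes(out)


def make_sample_devinfo(unlocked: bool = False) -> bytes:
    """Constructed sample dump (not a real device image): zero-filled, both headers present."""
    img = bytearray(DEVINFO_SIZE)
    for base in (0, SECOND_COPY_OFFSET):
        img[base:base + len(DEVINFO_MAGIC)] = DEVINFO_MAGIC
    return set_unlock_flags(bytes(img), unlocked)


if __name__ == "__main__":
    # Pass a ReadData_*.bin path to inspect a real dump; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_devinfo()
    report = inspect_devinfo(blob)
    for copy in report["copies"]:
        print(copy, *hex_rows(blob, copy["offset"]), sep="\n")
    print("copies consistent:", report["consistent"])
```

Run it against the backup you made before editing and again against the edited file; if the second header at 0x7FFE00 still reports is_unlocked False, the edit the guide describes is incomplete.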
    7
    Firehose collection

    Here is my collection of ZTE firehoses for use in this guide. I cant guarantee everyone will work but the vast majority of them should. But they are all organized by codename and my best attempt at matching codename to shipping name.

    https://github.com/programmer-collection/zte
    3
    Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    So I tested it on my N9137 and it’s working properly. Normally when it can’t get a hello from the device it means your driver is wrong. Sometimes windows defaults to the diagnostic driver instead of the Qdloader one and you need to change it in device manager.

    On another note @alexenferman it might be worthwhile to add to OP known working devices. I've tested and confirmed working on
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)

    I will test on the ZTE Maven 3 once I get its battery charged
    2
    I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?

    No do not edit the aboot partition, you will brick it if you flash your modified one.
    2
    I'm assuming this also won't work on devices that shipped with older OS and were officially updated to Oreo?
    I have an Axon 7 on Oreo and the normal thing is to regress them to unlock bootloader.

    Yeah, it won't work on the Axon 7, I've asked for the article to be updated.

    Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.

    I haven't seen one for it, but you can try this one from the A460 you have a good chance of it working.
    https://github.com/programmer-collection/zte/blob/master/BladeA460/prog_emmc_firehose_8909.mbn

    Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.
    Can you post a picture or a list of partitions you had?