
Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

Poll: Did this method work for your device?

  • YES! Finally unlocked!!! (6 votes, 13.6%)
  • No. (12 votes, 27.3%)
  • I don't have a ZTE device, but that's cool! (26 votes, 59.1%)

  Total voters: 44

BringBackTron (Member, joined Sep 26, 2017, 5 messages, 0 reactions):

> try an edl deep flash cable

Made my own EDL cable and it still won't go into EDL mode or show up as that Qualcomm COM device (yes, I have the right drivers; I've tried the stock ZTE ones and the Qualcomm ones). I also tried unhooking the battery connector, and even shorting the test pins (however, I don't know which pins are for testing, so I attached a picture of the mainboard so maybe someone can help me identify the pins used for USB debugging (test mode)). I really don't know what to do at this point; it feels like I've done everything and my phone is just deadly stubborn (debating starting a post with a PayPal reward to anyone who solves this mystery), so I'm really confused how OP confirmed this device.
 

Attachments: Z3XssrU.jpg (342.2 KB), cOBoO25.jpg (265.4 KB)

luridphantom (Senior Member, joined Apr 4, 2021, 125 messages, 19 reactions):

> Made my own EDL cable and it still won't go into EDL mode or show up as that Qualcomm COM device (yes, I have the right drivers; I've tried the stock ZTE ones and the Qualcomm ones). I also tried unhooking the battery connector, and even shorting the test pins (however, I don't know which pins are for testing, so I attached a picture of the mainboard so maybe someone can help me identify the pins used for USB debugging (test mode)). I really don't know what to do at this point; it feels like I've done everything and my phone is just deadly stubborn (debating starting a post with a PayPal reward to anyone who solves this mystery), so I'm really confused how OP confirmed this device.

I wonder if it will be similar to this, just going based off this example: https://forum.xda-developers.com/t/z963vl-edl-test-points-found.3869229/
 

luridphantom (Senior Member, joined Apr 4, 2021, 125 messages, 19 reactions):

> @BringBackTron @luridphantom If you're going to do things like short out pins, you should broaden your research a bit. Forensic acquisition requires root access, so if you read up on their blogs they sometimes leave gems like this: https://www.emergingdefense.com/blog/2019/5/20/how-to-put-a-qualcomm-phone-into-edl-mode

I know for sure some adb reboot edl and deep flash cables don't work on some models like the ZFive series phones, therefore finding the test points is the last option for getting these devices into EDL.
 

BringBackTron (Member, joined Sep 26, 2017, 5 messages, 0 reactions):

> I know for sure some adb reboot edl and deep flash cables don't work on some models like the ZFive series phones, therefore finding the test points is the last option for getting these devices into EDL.

And is root required while doing test points, or does the phone need to be in a specific state (battery dead, in Android, in recovery menu)? I already tried all of the pins, but I'm an absolute newb. However, I thought I could bootloader unlock this phone by now lol
 

luridphantom (Senior Member, joined Apr 4, 2021, 125 messages, 19 reactions):

> And is root required while doing test points, or does the phone need to be in a specific state (battery dead, in Android, in recovery menu)? I already tried all of the pins, but I'm an absolute newb. However, I thought I could bootloader unlock this phone by now lol

Root isn't required. Turn the phone off, take out the battery, short the points and then insert the USB cable. If all goes well you will see the 9008 device in QFIL.
 

SarcBot (New member, joined Sep 15, 2021, 2 messages, 0 reactions):

> Also, has anyone successfully unlocked an N9136 Prestige II, N9650 Max, or a Z983 Blade XMaxXL?
>
> I don't see any in the comments, so if you have and you're a lurker, please speak up. I'm trying to not have to buy an EDL cable.

Trying to figure this out myself too. Been hanging on to this ZTE Max XL for years now and haven't had any success with it. Been wondering if I should keep trying or just cut my losses, because not too many of these seem to be out there.

> Trying to figure this out myself too. Been hanging on to this ZTE Max XL for years now and haven't had any success with it. Been wondering if I should keep trying or just cut my losses, because not too many of these seem to be out there.

Same. It's an OK phone. The Z983 is a better one, imho. I've kept them around so I could experiment with them and use them to train myself how to use forensic programs and adb and such.

Problem is, mounting and taking a forensic image requires root.

There is a last-ditch option. We form a detective agency or forensic examiner LLC and get it certified as a legit LE agency, then everyone chips in (or we do a car wash/bake sale) and we buy a Cellebrite machine.

Then we could unlock and root and take images of whatever phone we wanted to.
 

luridphantom (Senior Member, joined Apr 4, 2021, 125 messages, 19 reactions):

> Same. It's an OK phone. The Z983 is a better one, imho. I've kept them around so I could experiment with them and use them to train myself how to use forensic programs and adb and such.
>
> Problem is, mounting and taking a forensic image requires root.
>
> There is a last-ditch option. We form a detective agency or forensic examiner LLC and get it certified as a legit LE agency, then everyone chips in (or we do a car wash/bake sale) and we buy a Cellebrite machine.
>
> Then we could unlock and root and take images of whatever phone we wanted to.

You don't need to spend that much money on a Cellebrite machine when Medusa/Octoplus can do it for much cheaper.

What we need is a chart of which ZTE phones support EDL mode using adb / deep flash cable / shorting points. Seems like different models are either generous with letting you in with adb or won't even let a deep flash cable work.
 
That doesn't make sense though. EVERY programmer/engineer leaves themselves a backdoor way to get in if the regular way is f*****.

And wasn't there a story like 2 years ago about ZTE phones having backdoors built in (on orders from the Chinese government) that allowed them to spy on and image ZTE phones, which would require unlocked bootloaders and root.

I want to say it caused a trade embargo, right about the time ZTE was launching their big flagship phone.

I'm busy right now, but I'll do some googling and see if anything changes from that.
 
@luridphantom FYI, I couldn't figure out EDL mode because I had my head up my rear. Power+Vol+ to FTL mode, plug in to PC, use adb reboot edl.

First victim was my N9560 MaxXL. I ran through the process, but don't know if it worked. I wanted root, so I followed the process outlined by @RedneckTechVet using Magisk to patch the boot image.

Now it's bricked. It'll pull up the ZTE logo, but then goes into EDL mode. Well, I think it's EDL mode. The home button is lit but screen is off. You'd think that wouldn't be a problem, especially since it connects in QFIL (port 10 instead of 12 for some reason), but when you go to partition manager the first thing it wants to do is reboot into EDL. Since it doesn't reboot, it throws up an error that it failed to reboot into EDL.

I tried to factory reset. It wiped the data and cache and restarted, but the problem didn't go away.

I am able to boot to recovery, but the phone doesn't show up in ADB in recovery or EDL so I can't try to boot up a TWRP recovery image file from ADB (if one exists, I don't know). I can choose Sideload, but you can't do anything there but sideload.

Is there any other way I can flash the original boot file back onto the boot partition?
 

luridphantom (Senior Member, joined Apr 4, 2021, 125 messages, 19 reactions):

> @luridphantom FYI, I couldn't figure out EDL mode because I had my head up my rear. Power+Vol+ to FTL mode, plug in to PC, use adb reboot edl.
>
> First victim was my N9560 MaxXL. I ran through the process, but don't know if it worked. I wanted root, so I followed the process outlined by @RedneckTechVet using Magisk to patch the boot image.
>
> Now it's bricked. It'll pull up the ZTE logo, but then goes into EDL mode. Well, I think it's EDL mode. The home button is lit but screen is off. You'd think that wouldn't be a problem, especially since it connects in QFIL (port 10 instead of 12 for some reason), but when you go to partition manager the first thing it wants to do is reboot into EDL. Since it doesn't reboot, it throws up an error that it failed to reboot into EDL.
>
> I tried to factory reset. It wiped the data and cache and restarted, but the problem didn't go away.
>
> I am able to boot to recovery, but the phone doesn't show up in ADB in recovery or EDL so I can't try to boot up a TWRP recovery image file from ADB (if one exists, I don't know). I can choose Sideload, but you can't do anything there but sideload.
>
> Is there any other way I can flash the original boot file back onto the boot partition?

Seems like your device is in DFU mode. I got mine in that state by holding all 3 buttons until the notification light blinked and turned red. Then I used this tool, which sent it to EDL from DFU: https://forum.xda-developers.com/t/guide-tool-the-ultimate-dfu-unbrick-tool.3854229/

For some reason my firehose is not working, but getting it into DFU is already a huge step forward.
 

@luridphantom
Same issue. That tool will kick it from comm 10 to comm 12, but gets that weird error whenever I try to flash it with QFIL.

I wonder if the fact that this tool was built for a different phone has anything to do with it. And if so, can we modify it for the N9560?

I haven't tried to use miflash yet. I was checking out the firmware I downloaded, looking to see if I could skip a few steps to unlock the bootloader by doing that thing with the boot image before I even flash it, but the boot image is a lot different.

You say it's a big step forward. I hope you're right.
 

Top Liked Posts

  • 1 like
    > First off, after all of the different janky program, driver, and version downloads of all of these different fixes, I'm fairly certain both the Chinese and Indian governments are now using my laptop to spy on each other while some Russian group is sifting through all of the p**n site cookies hoping I dropped a credit card somewhere. And some of those fixes are 2-5 years old and the files/tools they say to use no longer exist at the links they put on their posts.
    >
    > Anyway...
    >
    > I've been on this for a cumulative 9 hours over two nights, and I'm no closer to a fix.
    >
    > After reinstalling a QFIL or QPST driver for Windows 10, a process that also reinstalled QPST, I decided to find and pull up a log to see if there was anything behind the "Firehose fail." Everything is doing good until this:
    >
    >     00:35:12: INFO: Looking for file 'cache.img'
    >     00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img')
    >     00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
    >     00:35:12: DEBUG: Trying get filesize, calling fseek()
    >     00:35:12: DEBUG: Found 'C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img' (10682660 bytes)
    >     00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
    >     00:35:12: DEBUG: Trying get filesize, calling fseek()
    >     00:35:12: DEBUG: ==================================================================================
    >     00:35:12: DEBUG: ==================================================================================
    >     00:35:12: INFO: Looking for file 'system.img'
    >     00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\system.img')
    >     00:35:12: DEBUG: 2. Calling stat(system.img')
    >     [ASCII-art "Warning" banner]
    >     00:35:12: WARNING: find_file:6641 Couldn't find the file 'system.img', returning NULL
    >     [ASCII-art "Error" banner]
    >     00:35:12: {ERROR: handleProgram:7403 'system.img' not found. You could possibly try --notfiles=system.img,OtherFileToSkip.bin (note, exiting since you specified --noprompt)
    >
    > It's lying. system.img most certainly is there in the folder with all of the rest of the firmware files that go with it. And EVERYTHING I've downloaded and been running during all of this, I put on the desktop (as opposed to drive D, where downloads get put).
    >
    > Thoughts? I'm going to redownload the firehose and the firmware (the latter from a different site, which is difficult since I couldn't find an official ZTE firmware site).
    >
    > I don't know which project I'm working on is more frustrating. This, the Moto G7 Play I had rooted and working fine until I forgot the pattern lock, hard reset, and can't get root to work again, or the Stylo 3, which says all pattern unlock attempts are wrong, but since it's an older phone and on Nougat I'm trying to find a way around it.

    Have you tried MiFlash?

    If not, then this might be your last hope since you already have the firehose: https://github.com/bkerler/edl
  • 11 likes
    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge of how to flash ROMs or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Will not work on:
    Axon 7
    Axon 7 Mini
    Axon 9
    Axon 10
    Axon M
    Zmax 2 (Z958)
    Anything else that has Oreo, Pie or 10
    The unlocking bit on those devices is stored in another partition that can't be easily modified.

    Working on: (Thanks @deadman96385)

    Snapdragon 210 Processors:
    ZTE Avid Plus (Z828)
    ZTE Maven 2 (Z831) (code-name: chapel)
    ZTE Maven 3 (Z835) (code-name: draco)
    ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
    Unknown ZTE (code-name: forbes)
    ZTE ZMAX One (Z719DL) (code-name: gemi)
    ZTE Tempo X (N9137) (code-name: grayjoylite)
    ZTE Grand X View 2 (K81) (code-name: helen)
    ZTE Overture 3 (Z851) (code-name: jeff)
    ZTE Fanfare 3 (Z852) (code-name: kelly)
    ZTE ZFive G LTE (Z557BL) (code-name: lewis)
    ZTE ZFive C (Z558VL) (code-name: loft)
    Unknown ZTE (code-name: refuge)
    ZTE N818S (code-name: sapphire/sapphire4G)
    ZTE Blade Vantage (Z839) (code-name: sweet)

    Snapdragon 617:
    Android 5.1.1
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Imperial Max (Z963U) (code-name: lily)
    ZTE Max Duo LTE (Z963VL) (code-name: nancy)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE Max Duo LTE (Z962BL) (code-name: tom)
    Android 6.0.1
    ZTE ZPAD (K90U) (code-name: gevjon)
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE ZMAX Pro (Z981) (code-name: urd)
    Android 7.1.1
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)

    MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
    ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
    ZTE Grand X4 (Z956/Z957) (code-name: finacier)
    ZTE Blade Spark (Z971) (code-name: peony)
    ZTE Blade X (Z965) (code-name: proline)
    ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
    Unknown ZTE (code-name: flame)
    ZTE Blade X Max (Z983) (code-name: stollen)
    ZTE Blade Max View (Z610DL) (code-name: violet)
    ZTE Max Blue LTE (Z986DL) (code-name: florist)
    ZTE AT&T Primetime (K92) (code-name: primerose)
    Of course, it might work on more models that might not be listed here.

    Want to watch a video instead?


    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • ADB commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn) You can get it from here: https://github.com/programmer-collection/zte
    • A Hex editor (Like HxD)


    Tutorial:
    • Hold power and volume down to boot to FTM mode
    • Using ADB commands, type: adb reboot EDL

    Open QFIL, you should see Qualcomm HS-USB QD-Loader 9008 (COM****)

    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)
    • Select Tools, Partition Manager
    • Click OK

    We are interested in the /devinfo partition only!

    • Right-click devinfo only and click on "Manage Partition Data"
    • Click on "Read Data"
    • Check the logs on the main window; it will show you where it will be saved (most frequently in the AppData/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

    Next, open HxD or any other hex editor

    • Click File > Open and select the file we copied to the desktop

    You should see a layout like this:

    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00

    • Go to offset 007FFE00 and repeat the same steps:

    It looks like ZTE did put another ANDROID-BOOT! at this section; they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D

    For people who don't know, on all Android devices there is the /devinfo partition that stores the information of the bootloader, such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_critical_unlocked.

    ____________________________________________________________________________________
    • Do not touch anything else and click File > Save
    • Boot your phone into EDL again.

    (You might need to reopen QFIL)

    • Back to the partitions, right-click /devinfo again and click "Manage Partition Data" again
    • Click "Load image"
    • Select the file we modified (should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

    Your bootloader should be unlocked!!
    You cannot really tell if the bootloader is unlocked, unfortunately. But if TWRP boots or ROOT persists, then here is your sign :D

    TWRP is booting!

    You can now ROOT, install custom ROMs, install custom recoveries, kernel modifications & more using QFIL!
    You are now free :D

    Credits to Aleph Security, in the "Unlocking the bootloader" section at the bottom of the page, for showing the hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
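The post says you cannot really tell from the phone whether the bootloader is unlocked, but the devinfo dump you already read with QFIL can be inspected directly. The following is an added example written for this thread; it is not code from the post, from ZTE or from QFIL. It parses a ReadData dump using the layout the post shows: the 13-byte ANDROID-BOOT! magic padded to 16 bytes, then little-endian 32-bit flags with is_unlocked at offset 0x10 and the critical-unlock flag at 0x18, plus the second copy of the record at 0x7FFE00 (the last 512-byte sector of the 8 MiB dump, 16384 sectors x 512 bytes). The 4-byte field width and the names of the fields at 0x14 and 0x1C (taken from the post's list of devinfo fields and LK's struct device_info) are assumptions, and the sample dump is constructed test data. It reports the flags from both copies and flags the half-edited state the post warns about, where only the first record was changed.

```python
"""Inspect a dumped /devinfo partition (e.g. a QFIL ReadData_*.bin) and
report the bootloader-state flags stored in both copies of the record.

Added example for this thread; the layout assumptions are marked below.
"""
import struct
import sys

DEVINFO_MAGIC = b"ANDROID-BOOT!"      # 13-byte magic shown in the post's hex dump

# Assumed layout, matching the post's hex: magic padded to 16 bytes, then
# little-endian 32-bit flags. Field names follow LK's struct device_info.
# The post confirms is_unlocked at 0x10 and the critical-unlock flag at 0x18;
# the names of the fields at 0x14 and 0x1C are an assumption.
RECORD_FMT = "<13s3x4I"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 32 bytes
FIELD_NAMES = ("is_unlocked", "is_tampered", "is_unlock_critical",
               "charger_screen_enabled")

PRIMARY_OFFSET = 0x000000
SECONDARY_OFFSET = 0x7FFE00   # second record named in the post: the last
DUMP_SIZE = 0x800000          # 512-byte sector of the 8 MiB (16384 x 512 B) dump


def parse_record(data, offset):
    """Return the flags of the device_info record at `offset`, or None when
    the magic is not there (truncated dump, wrong partition, corruption)."""
    chunk = data[offset:offset + RECORD_SIZE]
    if len(chunk) < RECORD_SIZE:
        return None
    magic, *flags = struct.unpack(RECORD_FMT, chunk)
    if magic != DEVINFO_MAGIC:
        return None
    # Any non-zero word counts as "set"; stock LK writes exactly 0 or 1.
    return {name: bool(value) for name, value in zip(FIELD_NAMES, flags)}


def inspect_devinfo(data):
    """Parse both copies and collect the findings worth reviewing."""
    primary = parse_record(data, PRIMARY_OFFSET)
    secondary = parse_record(data, SECONDARY_OFFSET)
    findings = []
    if primary is None:
        findings.append("primary record at 0x0 missing or bad magic")
    if secondary is None:
        findings.append("secondary record at 0x7FFE00 missing or bad magic")
    if primary and secondary and primary != secondary:
        findings.append("primary and secondary records disagree")
    if any(r and r["is_tampered"] for r in (primary, secondary)):
        findings.append("is_tampered is set")
    return {"primary": primary, "secondary": secondary, "findings": findings}


def bootloader_state(report):
    """Summarise a report as 'locked', 'unlocked' or 'inconsistent'."""
    primary, secondary = report["primary"], report["secondary"]
    if primary is None or secondary is None or primary != secondary:
        return "inconsistent"
    return "unlocked" if primary["is_unlocked"] else "locked"


def build_sample_dump(primary_flags, secondary_flags):
    """Constructed test data, not a dump from a real device: an 8 MiB image
    with a device_info record at each of the two offsets."""
    buf = bytearray(DUMP_SIZE)
    for offset, flags in ((PRIMARY_OFFSET, primary_flags),
                          (SECONDARY_OFFSET, secondary_flags)):
        buf[offset:offset + RECORD_SIZE] = struct.pack(RECORD_FMT, DEVINFO_MAGIC, *flags)
    return bytes(buf)


if __name__ == "__main__":
    # Pass a ReadData_*.bin path to inspect a real dump; otherwise use the
    # constructed sample whose first record was edited but the second was not.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_dump((1, 0, 1, 0), (0, 0, 0, 0))
    report = inspect_devinfo(data)
    print("state:", bootloader_state(report))
    print("primary:", report["primary"])
    print("secondary:", report["secondary"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it with the path of your ReadData_*.bin as the only argument. A stock locked device should report "locked" with no findings; a dump where only the first record was edited comes back "inconsistent" with a "records disagree" finding, which is exactly the case the post describes as leaving the BL locked. If the magic is missing at either offset, the file is most likely not a devinfo dump of the expected size, so check which partition you read before trusting the result.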
  • 7 likes
    Firehose collection

    Here is my collection of ZTE firehoses for use in this guide. I can't guarantee every one will work, but the vast majority of them should. They are all organized by codename and my best attempt at matching codename to shipping name.

    https://github.com/programmer-collection/zte
  • 3 likes
    > Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    So I tested it on my N9137 and it's working properly. Normally when it can't get a hello from the device it means your driver is wrong. Sometimes Windows defaults to the diagnostic driver instead of the QDLoader one and you need to change it in Device Manager.

    On another note @alexenferman it might be worthwhile to add known working devices to the OP. I've tested and confirmed working on
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)

    I will test on the ZTE Maven 3 once I get its battery charged
  • 2 likes
    > I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?

    No, do not edit the aboot partition; you will brick it if you flash your modified one.
  • 2 likes
    > I'm assuming this also won't work on devices that shipped with an older OS and were officially updated to Oreo?
    > I have an Axon 7 on Oreo and the normal thing is to regress them to unlock the bootloader.

    Yeah, it won't work on the Axon 7; I've asked for the article to be updated.

    > Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.

    I haven't seen one for it, but you can try this one from the A460; you have a good chance of it working.
    https://github.com/programmer-collection/zte/blob/master/BladeA460/prog_emmc_firehose_8909.mbn

    > Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use the QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.

    Can you post a picture or a list of the partitions you had?