
Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

Did this method work for your device?

  • YES! Finally unlocked!!!: 6 votes (13.6%)
  • No.: 12 votes (27.3%)
  • I don't have a ZTE device, but that's cool!: 26 votes (59.1%)

  Total voters: 44

luridphantom, Senior Member, Apr 4, 2021
Same issue. That tool will kick it from comm 10 to comm 12, but gets that weird error whenever I try to flash it with QFIL.

I wonder if the fact that this tool was built for a different phone has anything to do with it. And if so, can we modify it for the N9560?

I haven't tried to use miflash yet. I was checking out the firmware I downloaded, looking to see if I could skip a few steps to unlock the bootloader by doing that thing with the boot image before I even flash it, but the boot image is a lot different.

You say it's a big step forward. I hope you're right.
Even though QFIL didn't work, after I wrote that post I opened MiFlash and was able to unbrick my Z839 back to factory through a stock FW someone posted in another thread: https://forum.xda-developers.com/t/...-z839-specs-information.3696635/post-78929080

With this DFU-to-EDL MiFlash method, as long as you have a copy of the stock FW your phone should never be truly bricked.
 

First off, after all of the different janky program, driver, and version downloads of all of these different fixes, I'm fairly certain both the Chinese and Indian governments are now using my laptop to spy on each other while some Russian group is sifting through all of the p**n site cookies hoping I dropped a credit card somewhere. And some of those fixes are 2-5 years old and the files/tools they say to use no longer exist at the links they put on their posts.

Anyway...

I've been on this for cumulative 9 hours over two nights, and I'm no closer to a fix.

After reinstalling a QFIL or QPST driver for Windows 10, a process that also reinstalled QPST, I decided to find and pull up a log to see if there was anything behind the "Firehose fail." Everything looks fine until this:

[ICODE]
00:35:12: INFO: Looking for file 'cache.img'
00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img')
00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
00:35:12: DEBUG: Trying get filesize, calling fseek()
00:35:12: DEBUG: Found 'C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img' (10682660 bytes)
00:35:12: DEBUG: 2. Calling fopen('C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\cache.img') with AccessMode='rb'
00:35:12: DEBUG: Trying get filesize, calling fseek()
00:35:12: DEBUG: ==================================================================================
00:35:12: DEBUG: ==================================================================================
00:35:12: INFO: Looking for file 'system.img'
00:35:12: DEBUG: 1. Calling stat(C:\Users\ryans\Desktop\ZTE_Max_XL_NMF26F_N9560_21082018_7.1.1_QFIL\Firmware\system.img')
00:35:12: DEBUG: 2. Calling stat(system.img')
(ASCII-art banner: "Warning")
00:35:12: WARNING: find_file:6641 Couldn't find the file 'system.img', returning NULL
(ASCII-art banner: "Error")
00:35:12: {ERROR: handleProgram:7403 'system.img' not found. You could possibly try --notfiles=system.img,OtherFileToSkip.bin (note, exiting since you specified --noprompt)
[/ICODE]

It's lying. system.img most certainly is there in the folder with all of the rest of the firmware files that go with it. And EVERYTHING I've downloaded and been running during all of this, I put on the desktop (as opposed to drive D, where downloads get put).

Thoughts? I'm going to redownload the firehose and the firmware (the latter from a different site, which is difficult since I couldn't find an official ZTE firmware site).

I don't know which project I'm working on is more frustrating. This, the Moto g7 Play I had rooted and working fine until I forgot the pattern lock, hard reset, and can't get root to work again, or the Stylo 3, which says all pattern unlock attempts are wrong, but since it's an older phone and on Nougat I'm trying to find a way around it.
 

luridphantom, Senior Member, Apr 4, 2021
Have you tried MiFlash?

if not, then this might be your last hope since you already have the firehose: https://github.com/bkerler/edl
 
I tried 4 or 5 different versions of Miflash. That's the "Chinese gov't" reference. Literally every step gave me error messages, and an hour into the fourth one, I just gave up on that program.

After redownloading both firehose and firmware, I just tried again. Same error. QFIL isn't picking up the system image and I don't know why. I didn't do anything with the settings, and the only box I checked was "flat build." Going through the other QPST programs and there are issues connecting with the server, etc.

In order to get it into EDL mode, I use the A2017 tool that's listed in here. Since bricking, about 80% of the time as soon as I plug it in, it'll refresh and already be in EDL mode. Unless I restart the phone, then I have to do the process to go from DFU to EDL. Like, I thought some of those rows would populate. And that big green button, am I supposed to press it? We're just going from DFU to EDL and we have to have QFIL or Miflash already up so as to hit the button in under a second.

It always shows Disconnected though. No other fields are populated except Port. I couldn't open a help file, but in the folder tree in the "help" folder is a Word document. I opened it, translated it to English via Word's translator, and it talked about getting into FTM mode by pressing a volume button and the power button. I tried vol up and power and it goes to DFU, then power down and power, which goes to the recovery menu. I mashed all three down and plugged in the USB cord and my laptop's device manager started picking up weird stuff.

Under COM it shows it's in 9008 mode. But it's also showing up under Portable Devices as Drive F.

You can't open it, only right click > Properties, and if you hit the Administrator button, you can see it's a Linux File-Stor Gadget USB device, and every row under Details is populated. Idk if that's of interest (like the hex code under Class Default Security) to anyone with more programming knowledge than I have.

I'll try that Github thing you linked next and report back.
 

Top Liked Posts

  • 11
    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE Devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge of how to flash ROMs or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Will not work on:
    Axon 7
    Axon 7 Mini
    Axon 9
    Axon 10
    Axon M
    Zmax 2 (Z958)
    Anything else that has Oreo, PIE or 10
    The unlocking bit on those devices is stored in another partition that can't easily be modified.

    Working on: (Thanks @deadman96385)

    Snapdragon 210 Processors:
    ZTE Avid Plus (Z828)
    ZTE Maven 2 (Z831) (code-name: chapel)
    ZTE Maven 3 (Z835) (code-name: draco)
    ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
    Unknown ZTE (code-name: forbes)
    ZTE ZMAX One (Z719DL) (code-name: gemi)
    ZTE Tempo X (N9137) (code-name: grayjoylite)
    ZTE Grand X View 2 (K81) (code-name: helen)
    ZTE Overture 3 (Z851) (code-name: jeff)
    ZTE Fanfare 3 (Z852) (code-name: kelly)
    ZTE ZFive G LTE (Z557BL) (code-name: lewis)
    ZTE ZFive C (Z558VL) (code-name: loft)
    Unknown ZTE (code-name: refuge)
    ZTE N818S (code-name: sapphire/sapphire4G)
    ZTE Blade Vantage (Z839) (code-name: sweet)

    Snapdragon 617:
    Android 5.1.1
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Imperial Max (Z963U) (code-name: lily)
    ZTE Max Duo LTE (Z963VL) (code-name: nancy)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE Max Duo LTE (Z962BL) (code-name: tom)
    Android 6.0.1
    ZTE ZPAD (K90U) (code-name: gevjon)
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE ZMAX Pro (Z981) (code-name: urd)
    Android 7.1.1
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)

    MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
    ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
    ZTE Grand X4 (Z956/Z957) (code-name: finacier)
    ZTE Blade Spark (Z971) (code-name: peony)
    ZTE Blade X (Z965) (code-name: proline)
    ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
    Unknown ZTE (code-name: flame)
    ZTE Blade X Max (Z983) (code-name: stollen)
    ZTE Blade Max View (Z610DL) (code-name: violet)
    ZTE Max Blue LTE (Z986DL) (code-name: florist)
    ZTE AT&T Primetime (K92) (code-name: primerose)
    Of course, it might work on more models that might not be listed here.



    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • Adb Commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn). You can get it from here: https://github.com/programmer-collection/zte
    • A Hex editor (Like HxD)


    Tutorial:
    • Hold power and volume down to boot to FTM mode



    • Using ADB commands, type: adb reboot EDL



    Open QFIL, You should see Qualcomm HS-USB QD-Loader 9008 (COM****)

    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)



    • Select tools, partition manager
    • Click ok

    We are interested in the /devinfo partition only!



    • Right click devinfo only and click on "Manage Partition data"



    • Click on "Read Data"
    • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

    Next, open HxD or any other hex editor

    • Click File>Open and select the file we copied to the desktop

    You should see a layout like this:



    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00




    • Go to offset 007FFE00 and repeat the same steps:



    It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D

    For people who don't know, on all Android devices there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_critical_unlocked.

    ____________________________________________________________________________________
    • Do not touch anything else and click File>Save
    • Boot your phone into EDL again.

    (You might need to reopen QFIL)



    • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
    • Click "Load image"



    • Select the file we modified (Should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

    Your bootloader should be unlocked!!
    You cannot really tell if the bootloader is unlocked, unfortunately. But if TWRP boots or ROOT persists, then here is your sign :D


    TWRP is booting!

    You can now ROOT, Install custom ROMs, Install Custom Recoveries, kernel modifications & More using QFIL!
    You are now free :D


    Credits to Aleph Security, in the "Unlocking the bootloader" section at the bottom of the page, for showing the hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
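    The edit above, done as a script instead of in a hex editor. This is an added example and not code from the thread, from QFIL, from bkerler/edl or from ZTE. It assumes exactly what the post describes (the ANDROID-BOOT! magic at offset 0 and again in the last 512-byte sector, the bytes at +0x10 and +0x18 set to 01, and the post's names is_unlocked / is_critical_unlocked for those two bytes) and additionally reads the "Len16384" in QFIL's ReadData_... file name as a sector count, which is what puts the second copy at 0x7FFE00 in an 8 MiB dump. The sample_dump() input is constructed, and the .orig / _unlocked.bin file names are the script's own. Beyond the post's steps it refuses a patched file whose length changed (a hex editor left in insert mode) or that differs anywhere other than the four flag bytes.

```python
"""Inspect, patch and verify a /devinfo dump the way this thread does it.
Added example, not code from the thread, QFIL, bkerler/edl or ZTE; the layout
(magic at 0 and in the last sector, flag bytes at +0x10/+0x18) is the post's."""
import hashlib
import re
import sys
from pathlib import Path

MAGIC = b"ANDROID-BOOT!"
SECTOR = 0x200
FLAGS = {"is_unlocked": 0x10, "is_critical_unlocked": 0x18}  # offsets per the post
NAME_RE = re.compile(r"ReadData_emmc_Lun(\d+)_0x([0-9A-Fa-f]+)_Len(\d+)_")


def parse_qfil_name(name):
    """LUN, start sector and sector count encoded in QFIL's dump file name (assumed)."""
    m = NAME_RE.search(name)
    if not m:
        return None
    return {"lun": int(m[1]), "start": int(m[2], 16), "sectors": int(m[3])}


def record_offsets(data):
    """Offsets of the two records the post edits: first and last sector."""
    if len(data) < 2 * SECTOR or len(data) % SECTOR:
        raise ValueError("dump is not a whole number of 512-byte sectors")
    return (0, len(data) - SECTOR)


def find_magic(data):
    """Every offset at which the magic occurs; the post expects exactly two."""
    found, i = [], data.find(MAGIC)
    while i != -1:
        found.append(i)
        i = data.find(MAGIC, i + 1)
    return found


def read_flags(data, base):
    """Flag bytes of the record at `base`, or None if its magic is missing."""
    if data[base:base + len(MAGIC)] != MAGIC:
        return None
    return {name: data[base + off] for name, off in FLAGS.items()}


def patch(data):
    """Copy of the dump with both flag bytes set to 01 in both records."""
    buf = bytearray(data)
    for base in record_offsets(data):
        if read_flags(buf, base) is None:
            raise ValueError(f"no ANDROID-BOOT! magic at 0x{base:X}; refusing to patch")
        for off in FLAGS.values():
            buf[base + off] = 0x01
    return bytes(buf)


def verify(original, modified):
    """Offsets that changed. A changed length (hex editor left in insert mode)
    or any change outside the four flag bytes is a reason not to flash."""
    if len(original) != len(modified):
        raise ValueError("length changed: bytes were inserted, not overwritten")
    allowed = {b + o for b in record_offsets(original) for o in FLAGS.values()}
    changed = [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    stray = [hex(i) for i in changed if i not in allowed]
    if stray:
        raise ValueError("unexpected changes at " + ", ".join(stray))
    return changed


def sample_dump(sectors=4):
    """Constructed stand-in for a QFIL dump: zeroed, magic in first and last sector."""
    buf = bytearray(sectors * SECTOR)
    for base in (0, (sectors - 1) * SECTOR):
        buf[base:base + len(MAGIC)] = MAGIC
    return bytes(buf)


def main(path=None):
    src = Path(path) if path else None
    data = src.read_bytes() if src else sample_dump()
    info = parse_qfil_name(src.name) if src else None
    if info and info["sectors"] * SECTOR != len(data):
        print(f"warning: name says {info['sectors']} sectors, file has {len(data) // SECTOR}")
    print(f"{len(data)} bytes, sha256 {hashlib.sha256(data).hexdigest()}")
    print("magic at:", [hex(o) for o in find_magic(data)])
    for base in record_offsets(data):
        print(f"record 0x{base:06X}: {read_flags(data, base)}")
    out = patch(data)
    print("patched offsets:", [hex(o) for o in verify(data, out)])
    if src:
        src.with_suffix(src.suffix + ".orig").write_bytes(data)  # untouched backup
        src.with_name(src.stem + "_unlocked.bin").write_bytes(out)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

    Run it with the copied ReadData_...bin as its only argument; it writes an .orig backup beside the dump and a *_unlocked.bin to hand to "Load image". Without an argument it runs on the constructed sample. If find_magic() reports more than two offsets, or record_offsets() is not (0, 0x7FFE00) for your dump, the layout differs from the post's and the file should be looked at by hand before anything is flashed.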
  • (7 likes)
    Firehose collection

    Here is my collection of ZTE firehoses for use in this guide. I cant guarantee everyone will work but the vast majority of them should. But they are all organized by codename and my best attempt at matching codename to shipping name.

    https://github.com/programmer-collection/zte
  • (3 likes)
    Doesn't seem to be working with my ZTE Tempo X N9137. I tried it twice and got two separate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    So I tested it on my N9137 and it’s working properly. Normally when it can’t get a hello from the device it means your driver is wrong. Sometimes windows defaults to the diagnostic driver instead of the Qdloader one and you need to change it in device manager.

    On another note @alexenferman it might be worthwhile to add known working devices to the OP. I've tested and confirmed it working on:
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)

    I will test on the ZTE Maven 3 once I get its battery charged.
  • (2 likes)
    I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?

    No do not edit the aboot partition, you will brick it if you flash your modified one.
  • (2 likes)
    I'm assuming this also won't work on devices that shipped with older OS and were officially updated to Oreo?
    I have an Axon 7 on Oreo and the normal thing is to regress them to unlock bootloader.

    Yeah, it won't work on the Axon 7, I've asked for the article to be updated.

    Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.

    I haven't seen one for it, but you can try this one from the A460; you have a good chance of it working.
    https://github.com/programmer-collection/zte/blob/master/BladeA460/prog_emmc_firehose_8909.mbn

    Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.
    Can you post a picture or a list of partitions you had?