Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modification

Did this method work for your device??

  • YES! Finally unlocked!!!

    Votes: 9 12.9%
  • No.

    Votes: 23 32.9%
  • I don't have a ZTE device, but that's cool!

    Votes: 38 54.3%

  • Total voters
    70
Search This thread

alexenferman

Senior Member
Dec 7, 2019
256
178
...
hi I am stuck at qfil and it doesnt detect the port; help please!!

Also this doesnt wipe the phone does it?I am getting this error

2020-09-27 11:34:38.638 11:34:38: ERROR: function: port_connect:100 Failed to open com port handle
2020-09-27 11:34:38.643
2020-09-27 11:34:38.647 11:34:38: ERROR: function: main:297 Could not connect to \\.\COM8
2020-09-27 11:34:38.652 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
2020-09-27 11:34:38.681 Finish Get GPT

Your phone will not be wiped. Looks like you took too long before doing something in EDL mode. You need to reboot to EDL again.
 
Jun 14, 2017
19
4
Orrville
Hey guys, keep getting this error everytime i try to enter partition manager, i get the error.

2020-10-10 02:49:17.606 Start Download
2020-10-10 02:49:17.606 Program Path:C:\Users\Bud36\Desktop\zte\zte-master\Z959\prog_emmc_firehose_8909.mbn
2020-10-10 02:49:17.606 ***** Working Folder:C:\Users\Bud36\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2020-10-10 02:49:17.873 Binary build date: Jun 25 2019 @ 03:16:15
2020-10-10 02:49:17.873 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\Bud36\Desktop\zte\Qualcomm_Flash_Image_Loader_v2.0.3.5\QSaharaServer.ex'Current working dir: C:\Users\Bud36\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2020-10-10 02:49:17.873 Sahara mappings:
2020-10-10 02:49:17.873 2: amss.mbn
2020-10-10 02:49:17.889 6: apps.mbn
2020-10-10 02:49:17.889 8: dsp1.mbn
2020-10-10 02:49:17.889 10: dbl.mbn
2020-10-10 02:49:17.889 11: osbl.mbn
2020-10-10 02:49:17.889 12: dsp2.mbn
2020-10-10 02:49:17.889 16: efs1.mbn
2020-10-10 02:49:17.889 17: efs2.mbn
2020-10-10 02:49:17.889 20: efs3.mbn
2020-10-10 02:49:17.889 21: sbl1.mbn
2020-10-10 02:49:17.904 22: sbl2.mbn
2020-10-10 02:49:17.904 23: rpm.mbn
2020-10-10 02:49:17.904 25: tz.mbn
2020-10-10 02:49:17.904 28: dsp3.mbn
2020-10-10 02:49:17.904 29: acdb.mbn
2020-10-10 02:49:17.904 30: wdt.mbn
2020-10-10 02:49:17.904 31: mba.mbn
2020-10-10 02:49:17.904 13: C:\Users\Bud36\Desktop\zte\zte-master\Z959\prog_emmc_firehose_8909.mbn
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 02:49:17: Requested ID 13, file: "C:\Users\Bud36\Desktop\zte\zte-master\Z959\prog_emmc_firehose_8909.mbn"
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 02:49:17: 284396 bytes transferred in 0.187000 seconds (1.4504MBps)
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 02:49:17: File transferred successfully
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 NOTE: Target requested image 13 which is DeviceProgrammer. Forcing QUIT. This is by design, ** All is well ** SUCCESS!!
2020-10-10 02:49:17.920
2020-10-10 02:49:17.920
2020-10-10 02:49:17.920 02:49:17: Sahara protocol completed
2020-10-10 02:49:17.920 Sending Programmer Finished
2020-10-10 02:49:17.920 Switch To FireHose
2020-10-10 02:49:17.920 Wait for 3 seconds...
2020-10-10 02:49:20.936 Max Payload Size to Target:49152 Bytes
2020-10-10 02:49:20.936 Active Boot Partition:0
2020-10-10 02:49:20.936 Device Type:emmc
2020-10-10 02:49:20.936 Platform:8x26
2020-10-10 02:49:20.936 Disable Ack Raw Data Every N Packets
2020-10-10 02:49:20.936 Skip Write:False
2020-10-10 02:49:20.936 Always Validate:False
2020-10-10 02:49:20.936 Use Verbose:False
2020-10-10 02:49:20.936 ***** Working Folder:C:\Users\Bud36\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2020-10-10 02:49:20.936 Download Fail:FireHose Fail:FHLoader Fail:The system cannot find the file specified
2020-10-10 02:49:20.951 Finish Get GPT

Any fix would be helpful, my device is an ZTE Z959 (abby)
 

alexenferman

Senior Member
Dec 7, 2019
256
178
...
Hey guys, keep getting this error everytime i try to enter partition manager, i get the error.

2020-10-10 02:49:17.606 Start Download
2020-10-10 02:49:17.606 Program Path:C:\Users\Bud36\Desktop\zte\zte-master\Z959\prog_emmc_firehose_8909.mbn
2020-10-10 02:49:17.606 ***** Working Folder:C:\Users\Bud36\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2020-10-10 02:49:17.873 Binary build date: Jun 25 2019 @ 03:16:15
2020-10-10 02:49:17.873 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\Bud36\Desktop\zte\Qualcomm_Flash_Image_Loader_v2.0.3.5\QSaharaServer.ex'Current working dir: C:\Users\Bud36\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2020-10-10 02:49:17.873 Sahara mappings:
2020-10-10 02:49:17.873 2: amss.mbn
2020-10-10 02:49:17.889 6: apps.mbn
2020-10-10 02:49:17.889 8: dsp1.mbn
2020-10-10 02:49:17.889 10: dbl.mbn
2020-10-10 02:49:17.889 11: osbl.mbn
2020-10-10 02:49:17.889 12: dsp2.mbn
2020-10-10 02:49:17.889 16: efs1.mbn
2020-10-10 02:49:17.889 17: efs2.mbn
2020-10-10 02:49:17.889 20: efs3.mbn
2020-10-10 02:49:17.889 21: sbl1.mbn
2020-10-10 02:49:17.904 22: sbl2.mbn
2020-10-10 02:49:17.904 23: rpm.mbn
2020-10-10 02:49:17.904 25: tz.mbn
2020-10-10 02:49:17.904 28: dsp3.mbn
2020-10-10 02:49:17.904 29: acdb.mbn
2020-10-10 02:49:17.904 30: wdt.mbn
2020-10-10 02:49:17.904 31: mba.mbn
2020-10-10 02:49:17.904 13: C:\Users\Bud36\Desktop\zte\zte-master\Z959\prog_emmc_firehose_8909.mbn
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 02:49:17: Requested ID 13, file: "C:\Users\Bud36\Desktop\zte\zte-master\Z959\prog_emmc_firehose_8909.mbn"
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 02:49:17: 284396 bytes transferred in 0.187000 seconds (1.4504MBps)
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 02:49:17: File transferred successfully
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904
2020-10-10 02:49:17.904 NOTE: Target requested image 13 which is DeviceProgrammer. Forcing QUIT. This is by design, ** All is well ** SUCCESS!!
2020-10-10 02:49:17.920
2020-10-10 02:49:17.920
2020-10-10 02:49:17.920 02:49:17: Sahara protocol completed
2020-10-10 02:49:17.920 Sending Programmer Finished
2020-10-10 02:49:17.920 Switch To FireHose
2020-10-10 02:49:17.920 Wait for 3 seconds...
2020-10-10 02:49:20.936 Max Payload Size to Target:49152 Bytes
2020-10-10 02:49:20.936 Active Boot Partition:0
2020-10-10 02:49:20.936 Device Type:emmc
2020-10-10 02:49:20.936 Platform:8x26
2020-10-10 02:49:20.936 Disable Ack Raw Data Every N Packets
2020-10-10 02:49:20.936 Skip Write:False
2020-10-10 02:49:20.936 Always Validate:False
2020-10-10 02:49:20.936 Use Verbose:False
2020-10-10 02:49:20.936 ***** Working Folder:C:\Users\Bud36\AppData\Roaming\Qualcomm\QFIL\COMPORT_3
2020-10-10 02:49:20.936 Download Fail:FireHose Fail:FHLoader Fail:The system cannot find the file specified
2020-10-10 02:49:20.951 Finish Get GPT

Any fix would be helpful, my device is an ZTE Z959 (abby)

Do you have the portable QFIL or did you install QFIL on your PC? Make sure you have the installer version!
 

javaboy1123

New member
Apr 29, 2019
1
0
getting an error, is Z983 supported?

@alexenferman

Z983 is on the list, I grabbed the correct firehose (at least for the correct proc prog_emmc_firehose_8940.mbn), used the installed version of QFIL and the driver provided, rebooted the phone into FTM, and then adb reboot edl several times and still get the following:

Code:
ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
ERROR: function: sahara_main:924 Sahara protocol error
ERROR: function: main:303 Uploading Image using Sahara protocol failed

Z983 is in the list of supported phones. Is it actually supported?
 
Last edited:
Oct 25, 2016
10
0
Again, I still have no clue what went wrong in my case. I provided the hex dump of my devinfo partition after modifying it and booting in my last reply, and I still have no working method for my device, as it doesn't seem to work. I'm sure there is some way of going about it for my device, but I haven't had any help and I can't think of anything else to do.
 

alexenferman

Senior Member
Dec 7, 2019
256
178
...
@darkherman We have the same issue. I've made a few replies showing the differences between the thread and what's on our devices, but I haven't gotten a single response.

---------- Post added at 04:25 PM ---------- Previous post was at 04:24 PM ----------

[/COLOR @darkherman We have the same issue. I've made a few replies showing the differences between the thread and what's on our devices, but I haven't gotten a single response.

If you don't see the second line, simply change the first one only, and try it, then see if it works.
 
Oct 25, 2016
10
0
If you don't see the second line, simply change the first one only, and try it, then see if it works.

@alexenferman As I've mentioned in my previous replies, there is already a 0x01 at offsets 0x10 and 0x18. Another user with the username of "RedneckTechVet" had a similar situation. I've documented my failed attempt at following the steps outlined in his reply before. What he did worked for him, but not for me. I also documented the hex dump after rebooting with the modified partition. I just don't really know how to debug this. I'm not sure if the Magisk patcher isn't working, or if the bootloader actually isn't being unlocked, or anything, just whatever I have done puts it into DFU mode, and I'm not sure where to go from here.
If you have any ideas, let me know.
 

damprobot

Senior Member
Jan 12, 2014
68
19
Can anyone explain how they succeeded with the max xl (bolton)? I can access everything in qfil but devinfo doesn't have the lines android boot. It's different.
 

Natsuki Subaru

New member
Dec 30, 2020
3
0
I have a ZTE z983. I'm stuck on QFIL, I kept getting the error bellow:

2020-12-30 11:09:01.560 Validating Application Configuration
2020-12-30 11:09:01.594 Load APP Configuration
2020-12-30 11:09:01.629 COM:7
2020-12-30 11:09:01.629 PBLDOWNLOADPROTOCOL:0
2020-12-30 11:09:01.629 PROGRAMMER:True
2020-12-30 11:09:01.629 PROGRAMMER:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:09:01.629 RESETSAHARASTATEMACHINE:False
2020-12-30 11:09:01.629 SAHARAREADSERIALNO:False
2020-12-30 11:09:01.629 SEARCHPATH:C:\Users\Name\Desktop
2020-12-30 11:09:01.629 ACKRAWDATAEVERYNUMPACKETS:False
2020-12-30 11:09:01.629 ACKRAWDATAEVERYNUMPACKETS:100
2020-12-30 11:09:01.629 MAXPAYLOADSIZETOTARGETINBYTES:False
2020-12-30 11:09:01.629 MAXPAYLOADSIZETOTARGETINBYTES:49152
2020-12-30 11:09:01.629 DEVICETYPE:emmc
2020-12-30 11:09:01.629 PLATFORM:8x26
2020-12-30 11:09:01.629 VALIDATIONMODE:0
2020-12-30 11:09:01.629 RESETAFTERDOWNLOAD:False
2020-12-30 11:09:01.630 MAXDIGESTTABLESIZE:8192
2020-12-30 11:09:01.630 SWITCHTOFIREHOSETIMEOUT:30
2020-12-30 11:09:01.630 RESETTIMEOUT:200
2020-12-30 11:09:01.630 RESETDELAYTIME:2
2020-12-30 11:09:01.630 METABUILD:
2020-12-30 11:09:01.630 METABUILD:
2020-12-30 11:09:01.630 FLATBUILDPATH:C:\
2020-12-30 11:09:01.630 FLATBUILDFORCEOVERRIDE:True
2020-12-30 11:09:01.630 QCNPATH:C:\Temp\00000000.qcn
2020-12-30 11:09:01.630 QCNAUTOBACKUPRESTORE:False
2020-12-30 11:09:01.630 SPCCODE:000000
2020-12-30 11:09:01.630 ENABLEMULTISIM:False
2020-12-30 11:09:01.631 AUTOPRESERVEPARTITIONS:False
2020-12-30 11:09:01.631 PARTITIONPRESERVEMODE:0
2020-12-30 11:09:01.631 PRESERVEDPARTITIONS:0
2020-12-30 11:09:01.631 PRESERVEDPARTITIONS:
2020-12-30 11:09:01.631 ERASEALL:False
2020-12-30 11:09:01.631 Load ARG Configuration
2020-12-30 11:09:01.693 Validating Download Configuration
2020-12-30 11:09:01.696 Image Search Path: C:\Users\Name\Desktop
2020-12-30 11:09:01.702 Programmer Path:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:09:02.222 Process Index:0
2020-12-30 11:09:02.263 Qualcomm Flash Image Loader (QFIL) 2.0.1.9
2020-12-30 11:09:14.195 FireHose Configuration Cancelled
2020-12-30 11:14:32.075 Programmer Path:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:14:32.077 Image Search Path: C:\Users\Name\Desktop
2020-12-30 11:14:45.460 Start Download
2020-12-30 11:14:45.497 Program Path:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:14:45.513 ***** Working Folder:C:\Users\Name\AppData\Roaming\Qualcomm\QFIL\COMPORT_7
2020-12-30 11:16:15.560 Binary build date: Nov 21 2017 @ 02:53:37
2020-12-30 11:16:15.563 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\Name\Desktop\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\Name\AppData\Roaming\Qualcomm\QFIL\COMPORT_7
2020-12-30 11:16:15.567 Sahara mappings:
2020-12-30 11:16:15.568 2: amss.mbn
2020-12-30 11:16:15.570 6: apps.mbn
2020-12-30 11:16:15.571 8: dsp1.mbn
2020-12-30 11:16:15.573 10: dbl.mbn
2020-12-30 11:16:15.574 11: osbl.mbn
2020-12-30 11:16:15.576 12: dsp2.mbn
2020-12-30 11:16:15.578 16: efs1.mbn
2020-12-30 11:16:15.579 17: efs2.mbns
2020-12-30 11:16:15.581 20: efs3.mbn
2020-12-30 11:16:15.582 21: sbl1.mbn
2020-12-30 11:16:15.584 22: sbl2.mbn
2020-12-30 11:16:15.586 23: rpm.mbn
2020-12-30 11:16:15.587 25: tz.mbn
2020-12-30 11:16:15.589 28: dsp3.mbn
2020-12-30 11:16:15.590 29: acdb.mbn
2020-12-30 11:16:15.592 30: wdt.mbn
2020-12-30 11:16:15.593 31: mba.mbn
2020-12-30 11:16:15.595 13: C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:16:15.603
2020-12-30 11:16:15.605 11:14:45: Requested ID 13, file: "C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn"
2020-12-30 11:16:15.608
2020-12-30 11:16:15.609 11:16:15: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
2020-12-30 11:16:15.612
2020-12-30 11:16:15.613 11:16:15: ERROR: function: sahara_main:924 Sahara protocol error
2020-12-30 11:16:15.615
2020-12-30 11:16:15.617 11:16:15: ERROR: function: main:303 Uploading Image using Sahara protocol failed
2020-12-30 11:16:15.619
2020-12-30 11:16:15.621
2020-12-30 11:16:15.623 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
2020-12-30 11:16:15.642 Finish Get GPT

Here is a step by step of what I did:
-I downloaded QFIL v2.0.1.9 from qfiltool.com
-I downloaded ADB
-I downloaded the QFIL firehose (prog_emmc_firehose_8940.mbn)
-I downloaded the driver provided in QFIL
-I downloaded the driver for z983 (ZTE handset usb driver)
-I rebooted my phone to EDL using ADB
-I opened QFIL and it showed Qualcomm HS-USB QD-Loader 9008 (COM7) and in driver manager
-I selected the QFIL firehose
-I tried to open the partition manager

I'm not really good at stuff like this but I really need that root so sorry if I missed something very obvious.
 

Natsuki Subaru

New member
Dec 30, 2020
3
0
I have a ZTE z983. I'm stuck on QFIL, I kept getting the error bellow:

2020-12-30 11:09:01.560 Validating Application Configuration
2020-12-30 11:09:01.594 Load APP Configuration
2020-12-30 11:09:01.629 COM:7
2020-12-30 11:09:01.629 PBLDOWNLOADPROTOCOL:0
2020-12-30 11:09:01.629 PROGRAMMER:True
2020-12-30 11:09:01.629 PROGRAMMER:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:09:01.629 RESETSAHARASTATEMACHINE:False
2020-12-30 11:09:01.629 SAHARAREADSERIALNO:False
2020-12-30 11:09:01.629 SEARCHPATH:C:\Users\Name\Desktop
2020-12-30 11:09:01.629 ACKRAWDATAEVERYNUMPACKETS:False
2020-12-30 11:09:01.629 ACKRAWDATAEVERYNUMPACKETS:100
2020-12-30 11:09:01.629 MAXPAYLOADSIZETOTARGETINBYTES:False
2020-12-30 11:09:01.629 MAXPAYLOADSIZETOTARGETINBYTES:49152
2020-12-30 11:09:01.629 DEVICETYPE:emmc
2020-12-30 11:09:01.629 PLATFORM:8x26
2020-12-30 11:09:01.629 VALIDATIONMODE:0
2020-12-30 11:09:01.629 RESETAFTERDOWNLOAD:False
2020-12-30 11:09:01.630 MAXDIGESTTABLESIZE:8192
2020-12-30 11:09:01.630 SWITCHTOFIREHOSETIMEOUT:30
2020-12-30 11:09:01.630 RESETTIMEOUT:200
2020-12-30 11:09:01.630 RESETDELAYTIME:2
2020-12-30 11:09:01.630 METABUILD:
2020-12-30 11:09:01.630 METABUILD:
2020-12-30 11:09:01.630 FLATBUILDPATH:C:\
2020-12-30 11:09:01.630 FLATBUILDFORCEOVERRIDE:True
2020-12-30 11:09:01.630 QCNPATH:C:\Temp\00000000.qcn
2020-12-30 11:09:01.630 QCNAUTOBACKUPRESTORE:False
2020-12-30 11:09:01.630 SPCCODE:000000
2020-12-30 11:09:01.630 ENABLEMULTISIM:False
2020-12-30 11:09:01.631 AUTOPRESERVEPARTITIONS:False
2020-12-30 11:09:01.631 PARTITIONPRESERVEMODE:0
2020-12-30 11:09:01.631 PRESERVEDPARTITIONS:0
2020-12-30 11:09:01.631 PRESERVEDPARTITIONS:
2020-12-30 11:09:01.631 ERASEALL:False
2020-12-30 11:09:01.631 Load ARG Configuration
2020-12-30 11:09:01.693 Validating Download Configuration
2020-12-30 11:09:01.696 Image Search Path: C:\Users\Name\Desktop
2020-12-30 11:09:01.702 Programmer Path:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:09:02.222 Process Index:0
2020-12-30 11:09:02.263 Qualcomm Flash Image Loader (QFIL) 2.0.1.9
2020-12-30 11:09:14.195 FireHose Configuration Cancelled
2020-12-30 11:14:32.075 Programmer Path:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:14:32.077 Image Search Path: C:\Users\Name\Desktop
2020-12-30 11:14:45.460 Start Download
2020-12-30 11:14:45.497 Program Path:C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:14:45.513 ***** Working Folder:C:\Users\Name\AppData\Roaming\Qualcomm\QFIL\COMPORT_7
2020-12-30 11:16:15.560 Binary build date: Nov 21 2017 @ 02:53:37
2020-12-30 11:16:15.563 QSAHARASERVER CALLED LIKE THIS: 'C:\Users\Name\Desktop\Qualcomm_Flash_Image_Loader_v2.0.1.9\QSaharaServer.ex'Current working dir: C:\Users\Name\AppData\Roaming\Qualcomm\QFIL\COMPORT_7
2020-12-30 11:16:15.567 Sahara mappings:
2020-12-30 11:16:15.568 2: amss.mbn
2020-12-30 11:16:15.570 6: apps.mbn
2020-12-30 11:16:15.571 8: dsp1.mbn
2020-12-30 11:16:15.573 10: dbl.mbn
2020-12-30 11:16:15.574 11: osbl.mbn
2020-12-30 11:16:15.576 12: dsp2.mbn
2020-12-30 11:16:15.578 16: efs1.mbn
2020-12-30 11:16:15.579 17: efs2.mbns
2020-12-30 11:16:15.581 20: efs3.mbn
2020-12-30 11:16:15.582 21: sbl1.mbn
2020-12-30 11:16:15.584 22: sbl2.mbn
2020-12-30 11:16:15.586 23: rpm.mbn
2020-12-30 11:16:15.587 25: tz.mbn
2020-12-30 11:16:15.589 28: dsp3.mbn
2020-12-30 11:16:15.590 29: acdb.mbn
2020-12-30 11:16:15.592 30: wdt.mbn
2020-12-30 11:16:15.593 31: mba.mbn
2020-12-30 11:16:15.595 13: C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn
2020-12-30 11:16:15.603
2020-12-30 11:16:15.605 11:14:45: Requested ID 13, file: "C:\Users\Name\Desktop\prog_emmc_firehose_8940.mbn"
2020-12-30 11:16:15.608
2020-12-30 11:16:15.609 11:16:15: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
2020-12-30 11:16:15.612
2020-12-30 11:16:15.613 11:16:15: ERROR: function: sahara_main:924 Sahara protocol error
2020-12-30 11:16:15.615
2020-12-30 11:16:15.617 11:16:15: ERROR: function: main:303 Uploading Image using Sahara protocol failed
2020-12-30 11:16:15.619
2020-12-30 11:16:15.621
2020-12-30 11:16:15.623 Download Fail:Sahara Fail:QSaharaServer Fail:process fail
2020-12-30 11:16:15.642 Finish Get GPT

Here is a step by step of what I did:
-I downloaded QFIL v2.0.1.9 from qfiltool.com
-I downloaded ADB
-I downloaded the QFIL firehose (prog_emmc_firehose_8940.mbn)
-I downloaded the driver provided in QFIL
-I downloaded the driver for z983 (ZTE handset usb driver)
-I rebooted my phone to EDL using ADB
-I opened QFIL and it showed Qualcomm HS-USB QD-Loader 9008 (COM7) and in driver manager
-I selected the QFIL firehose
-I tried to open the partition manager

I'm not really good at stuff like this but I really need that root so sorry if I missed something very obvious.

I tried using the installer version of QFIL and moving the location of the QFIL firehose from desktop to C:\PROG and rebooting my phone to EDL mode several times, still didn't work. I might have the wrong driver but I'm not sure. Please help
 

Natsuki Subaru

New member
Dec 30, 2020
3
0
I have tried reinstalling the drivers
I tried using QFIL v2.0.1.9, v2.0.3.5 and QPST v2.7.474
It still didn't work :cry:

As to why, I'm not sure.
It might be because there's no firehose specifically for z983
But A0620 has the same SoC as z983 so I used that instead.
Or maybe because I'm missing some drivers but I'm pretty sure I have it all.

Can anyone help
 
Last edited:

HunterAnderson

New member
Jan 27, 2021
2
0
I got all the way to the part with the hex editor but after that my ZTE Z839 was not the same as the guide. The first boot line was there but the second line already had 01's in the right place. Additionally there was no second android boot part and also near the top of the file was a bunch of FF's.
Does that mean by bootloader is unlocked?
Here is the .bin file.
 

Attachments

  • ReadData_emmc_Lun0_0x1c000_Len16384_DT_27_01_2021_11_36_10.bin
    8 MB · Views: 24
Last edited:
I got all the way to the part with the hex editor but after that my ZTE Z839 was not the same as the guide. The first like was there but the second line already had 01's in the right place. Additionally there was no second android boot part and also near the top of the file was a bunch of FF's.
Does that mean by bootloader is unlocked?
Here is the .bin file.


im having the exact same thing happen but i dont know if the bootloader is unlocked or not because im not sure where to flash the magisk_patched boot img i renamed it boot.img but dont know whether to flash it to boot or aboot if anyone knows just let me know and ill try it out

*edit* tried both and they just bootloop "your device failed to start correctly" and thats with and without preserving verity and signing
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 13
    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE Devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowleage on how to flash ROMS or partitions via QFIL and ADB commands. If you do not understand something here, than the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Will not work on:
    Axon 7
    Axon 7 Mini
    Axon 9
    Axon 10
    Axon M
    Zmax 2 (Z958)
    Anything else that has Oreo, PIE or 10
    The unlocking bit on those devices are stored in another partition that can't be easily modifiable

    Working on: (Thanks @deadman96385)

    Snapdragon 210 Processors:
    ZTE Avid Plus (Z828)
    ZTE Maven 2 (Z831) (code-name: chapel)
    ZTE Maven 3 (Z835) (code-name: draco)
    ZTE Majesty Pro Plus (Z899VL) (code-name: elden)
    Unknown ZTE (code-name: forbes)
    ZTE ZMAX One (Z719DL) (code-name: gemi)
    ZTE Tempo X (N9137) (code-name: grayjoylite)
    ZTE Grand X View 2 (K81) (code-name: helen)
    ZTE Overture 3 (Z851) (code-name: jeff)
    ZTE Fanfare 3 (Z852) (code-name: kelly)
    ZTE ZFive G LTE (Z557BL) (code-name: lewis)
    ZTE ZFive C (Z558VL) (code-name: loft)
    Unknown ZTE (code-name: refuge)
    ZTE N818S (code-name: sapphire/sapphire4G)
    ZTE Blade Vantage (Z839) (code-name: sweet)

    Snapdragon 617:
    Android 5.1.1
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Imperial Max (Z963U) (code-name: lily)
    ZTE Max Duo LTE (Z963VL) (code-name: nancy)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE Max Duo LTE (Z962BL) (code-name: tom)
    Android 6.0.1
    ZTE ZPAD (K90U) (code-name: gevjon)
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)
    ZTE Grand X Max 2 (Z988) (code-name: jerry)
    ZTE Axon Max (C2016) (code-name: orchid)
    ZTE ZMAX Pro (Z981) (code-name: urd)
    Android 7.1.1
    ZTE AT&T Trek 2 (K88) (code-name: jasmine)

    MSM8920/MSM8937/MSM8940/MSM8953 (Qualcomm Snapdragon 427/430/435/625):
    ZTE Blade Force/ZTE Warp 8 (N9517) (code-name: warp8)
    ZTE Grand X4 (Z956/Z957) (code-name: finacier)
    ZTE Blade Spark (Z971) (code-name: peony)
    ZTE Blade X (Z965) (code-name: proline)
    ZTE Max XL/ZTE Bolton (N9560) (code-name: bolton)
    Unknown ZTE (code-name: flame)
    ZTE Blade X Max (Z983) (code-name: stollen)
    ZTE Blade Max View (Z610DL) (code-name: violet)
    ZTE Max Blue LTE (Z986DL) (code-name: florist)
    ZTE AT&T Primtime (K92) (code-name: primerose)
    Of course, it might work on more models that might not be listed here.

    Want to watch a video instead?


    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • Adb Commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn) You can get it from here: https://github.com/programmer-collection/zte
    • A Hex editor (Like HxD)


    Tutorial:
    • Hold power and volume down to boot to FTM mode



    • Using ADB commands, type: adb reboot EDL



    Open QFIL, You should see Qualcomm HS-USB QD-Loader 9008 (COM****)

    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)



    • Select tools, partition manager
    • Click ok

    We are intrested in the /devinfo partition only!



    • Right click devinfo only and click on "Manage Partition data"



    • Click on "Read Data"
    • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

    Next, open HxD or any other hex editor

    • Click File>Open and select the file we copied to the desktop

    You should see a layout like this:



    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00




    • Go to offset 007FFE00 and repeat the same steps:



    It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D

    For people who don't know, on all android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_Critiacal_unlocked

    ____________________________________________________________________________________
    • Do not touch anything else and click File>Save
    • Boot your phone into EDL again.

    (You might need to reopen QFIL)



    • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
    • Click "Load image"



    • Select the file we modified (Should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

    Your bootloader should be unlocked!!
    You cannot really tell if the Bootloader is unlocked unfortunatley. But, if TWRP boots or ROOT persists then here is your sign :D


    TWRP is booting!

    You can now ROOT, Install custom ROMs, Install Custom Recoveries, kernel modifications & More using QFIL!
    You are now free :D


    Credits to aleph security in the Unlocking the bootloader section at the bottom of the page for showing the Hex values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
    7
    Firehose collection

    Here is my collection of ZTE firehoses for use in this guide. I cant guarantee everyone will work but the vast majority of them should. But they are all organized by codename and my best attempt at matching codename to shipping name.

    https://github.com/programmer-collection/zte
    3
    Doesn't seem to be wroking with my ZTE Tempo X N9137. I trried it twice and got two septerate errors. The first was "ERROR: function: sahara_rx_data:247 Command packet length 1702240364 too large to fit" and the second was "ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes."

    So I tested it on my N9137 and it’s working properly. Normally when it can’t get a hello from the device it means your driver is wrong. Sometimes windows defaults to the diagnostic driver instead of the Qdloader one and you need to change it in device manager.

    On another note @alexenferman it might worth while to add to OP known working devices. I’ve tested and confirmed working on
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)

    I will test on the ZTE Maven 3 once I get it’s battery charged
    2
    I dumped all partitions (except cache, system and userdata), and discovered the string ANDROID-BOOT! appeared 3 times in the "aboot" partition. The first time seems to be followed by ASCII string content, but the 2nd and 3rd time it is followed by a bunch of 00s. Should I be editing these?

    No do not edit the aboot partition, you will brick it if you flash your modified one.
    2
    I'm assuming this also won't work on devices that shipped with older OS and were officially updated to Oreo?
    I have an Axon 7 on Oreo and the normal thing is to regress them to unlock bootloader.

    Yeah, it won't work on the Axon 7, I've asked for the article to be updated.

    Anything for the ZTE Blade A462? It's based on the Snapdragon 210 SoC.

    I haven't seen one for it, but you can try this one from the A460 you have a good chance of it working.
    https://github.com/programmer-collection/zte/blob/master/BladeA460/prog_emmc_firehose_8909.mbn

    Tried on ZTE Zmax 2 (Z958) US Version (AT&T but unlocked) with Android 5.1. I had to use QFIL that comes with the latest QPST v2.7.480 to be able to successfully dump the partition data. However, there is no `/devinfo` partition. So I've no clue what to do from here.
    Can you post a picture or a list of partitions you had?