[GUIDE] Bootloader Unlock

jkuczera

Senior Member
Dec 16, 2008
84
58
Can this brick your phone/void your warranty? Of course it could! I wouldn't be posting it on XDA if it couldn't! :D

Just be aware that once you unlock, you won't get any more OTA updates at the current moment, and there are no full factory images to fall back on. They will still try to push OTAs if anyone does this bootloader unlock method, but they will always fail due to version checking.
So as it stands right now, if you do this, you're not going to get further updates from ZTE, unless they change their stance.

Here's a method that should work for any brave souls. It's the method I used so far.

My understanding is this update only makes the required patches to allow the command fastboot oem unlock to actually unlock the bootloader. That being said, I do not know for sure that this is not specific to my phone's IMEI. If someone would supply me with the file/link they get from using adb shell logcat > ota.txt while checking for updates, then grep ZDMLog ota.txt (if you use Linux) or do a find for https:// in ota.txt, it would be useful for this verification.

For microSD card method:
Take this (Thanks DrakenFX) or this file and put it in /sdcard/, making sure extension is .zip

Enable OEM unlock from the settings->development menu.

Reboot phone (or boot phone) while pressing volume up. This will get you into stock recovery. From here, apply update from SD card, P996A01B20Fastboot_ssl.zip

No microSD card method:
This may also be possible without an SD card using the adb sideload option in stock recovery and "adb sideload P996A01B20Fastboot_ssl.zip" on your desktop. If you are successful using this method, send me a PM so I can update this post.

Now if you reboot into bootloader (which you can do right from recovery), you will hopefully find that "fastboot oem unlock" actually brings up the bootloader unlock prompt on your phone.

You should be able to verify to this point as per below.

Without using the fastboot oem unlock command I have not lost any user data (but it's still a good idea to back it up!) If you do unlock, you will lose your data!
 

Attachments

  • Screenshot_2016-08-12-00-26-18.jpg

xtermmin

Senior Member
Mar 27, 2011
1,331
544
This method requires 20B to already be installed, correct? If so, is there a way to sideload the 20B update (so one can go from launch firmware -> sideloaded 20B -> sideloaded 20B_boot)? Juuuust in case ZTE puts out a 20C or something that blocks sideloading and renders "unofficial" bootloader unlock attempts like this invalid.
 

jkuczera

Senior Member
Dec 16, 2008
84
58
This method requires 20B to already be installed, correct? If so, is there a way to sideload the 20B update (so one can go from launch firmware -> sideloaded 20B -> sideloaded 20B_boot)? Juuuust in case ZTE puts out a 20C or something that blocks sideloading and renders "unofficial" bootloader unlock attempts like this invalid.

It does require 20B to be installed. It appears 20B can be sideloaded as well. The only error message I received was 20B expects 20160624 or 20160707 (and I'm now at 20160805). Maybe someone can try to sideload 20B on 20B?
 

dennis96411

Senior Member
Dec 9, 2011
1,105
498
¬_¬
ASUS ROG Phone II
ASUS ROG Phone 5
So looking through the update script, it seems to check for SHA1 matches for certain parts of the boot, system and recovery partitions. I'm not sure if the patch itself has content specific to an IMEI or if this is just a simple check to make sure the phone has the correct build installed.

Looking at this, it seems the purpose of the part of the script before # ---- start making changes here ---- is used to verify a correctly configured system, with no apparent relation to the IMEI. It looks like the script itself is completely generic, and the checks could probably be removed so this will work on any build. Now we just need another update package to compare the other content (fastboot.img, patch\boot.img.p, patch\recovery.img.p) with to see if they're generic as well. This makes me wonder if flashing fastboot.img alone is enough, as that's what is used to interface with the bootloader unlock.

Helpful references:
Built-in functions in update binary
range_sha1
 

ultramag69

Senior Member
Nov 6, 2007
5,961
1,055
Waratah
So looking through the update script, it seems to check for SHA1 matches for certain parts of the boot, system and recovery partitions. I'm not sure if the patch itself has content specific to an IMEI or if this is just a simple check to make sure the phone has the correct build installed.

Looking at this, it seems the purpose of the part of the script before # ---- start making changes here ---- is used to verify a correctly configured system, with no apparent relation to the IMEI. It looks like the script itself is completely generic, and the checks could probably be removed so this will work on any build. Now we just need another update package to compare the other content (fastboot.img, patch\boot.img.p, patch\recovery.img.p) with to see if they're generic as well. This makes me wonder if flashing fastboot.img alone is enough, as that's what is used to interface with the bootloader unlock.

Helpful references:
Built-in functions in update binary
range_sha1

Man I hope so, then the rest of the world can get a bootloader unlock even if ZTE won't unlock the bootloader for us.....
 

rczrider

Senior Member
May 20, 2015
729
541
Markarth
Has anyone captured 20B and has it for others to try?

My phone won't come until next week (first wave of grays), but I'll try capturing it if it's not already installed. We just have to wait 5 days :p
 

rczrider

Senior Member
May 20, 2015
729
541
Markarth

xtermmin

Senior Member
Mar 27, 2011
1,331
544
So in theory, the process would be to sideload the 20B update, reboot, then sideload the file in the OP?

Hopefully someone will get around to testing this method (or at least the OP's file) before my phone comes next week, but if not, I'll do it first thing.

In theory, yes (You could also update to 20B normally, but good to have it as a backup). Hopefully 20B_Boot is not device-specific.
 

rczrider

Senior Member
May 20, 2015
729
541
Markarth
In theory, yes (You could also update to 20B normally, but good to have it as a backup). Hopefully 20B_Boot is not device-specific.
I assume the most likely outcome is that it simply wouldn't flash. Even so, I'm willing to be a bit reckless as I can just return the phone for new one (via the retailer, not ZTE) :p
 

reddrago

Member
Sep 15, 2013
46
12
I assume the most likely outcome is that it simply wouldn't flash. Even so, I'm willing to be a bit reckless as I can just return the phone for new one (via the retailer, not ZTE) :p

Haha same but never dealt with B&H so we'll see how that goes. Still waiting for the grey one.

---------- Post added at 09:17 AM ---------- Previous post was at 09:16 AM ----------

So everyone should update to B20 as soon as possible and then not update to anything else.
 

rczrider

Senior Member
May 20, 2015
729
541
Markarth
Haha same but never dealt with B&H so we'll see how that goes. Still waiting for the grey one..
They're fantastic. 30-day (from delivery) no-questions-asked return policy on smartphones. If there's an actual problem with the phone, they'll even pay for return shipping. No restocking fee in either case.

If there is a problem with the phone itself, you can exchange it and the 30-day return policy resets from delivery of the replacement unit.
 
Reboot phone (or boot phone) while pressing volume up. This will get you into stock recovery. From here, apply update from SD card, P996A01B20Fastboot_ssl.zip

I was trying but can't use "apply update from SDCard", but the "apply update from ADB" seems to be enabled. I just didn't try cuz I don't have my laptop with me at the moment (till I get home); check the picture.

P.S. Just to clear things up, when I select "apply update from SDCard" is when I get that message, so the ADB option is the only way for me to apply this, and yes, I'm on B20.
 

Attachments

  • 20160101_040104.jpg

jkuczera

Senior Member
Dec 16, 2008
84
58
I was trying but Can't use " apply update from SDCard " but the "apply update from ADB " seems to be enable just didn't try cuz i don't have my laptop with me at the moment (till i get home) , check picture.
Did you have an update file in /sdcard/ ? Since this is the stock recovery, I'm quite certain it's looking for a physical microSD for this usage scenario.
 
Did you have an update file in /sdcard/ ? Since this is the stock recovery, I'm quite certain it's looking for a physical microSD for this usage scenario.
Yep, I actually have the P996A01B20Fastboot_ssl.zip in both the internal and SDCard root directories. It looks like "apply update from SDCard" is blocked, but "apply update from ADB" isn't (sideloading).
 

xtermmin

Senior Member
Mar 27, 2011
1,331
544
Yep, have the P996A01B20Fastboot_ssl.zip in actually both internal and SDCard root directory, looks like apply Update from SDCard is block But apply update from ADB isn't (side loading)

Try changing the filename to P996A01B20Fastboot_ssl.up. The direct-link from ZTE for the 20B update has that extension.
 

jkuczera

Senior Member
Dec 16, 2008
84
58
Yep, have the P996A01B20Fastboot_ssl.zip in actually both internal and SDCard root directory, looks like apply Update from SDCard is block But apply update from ADB isn't (side loading)
It's got to be another issue altogether because I can pull up the SD card menu even if I don't have files in there.
 

djona12

Senior Member
Aug 25, 2012
297
96
Liège
I got this from the recovery log from the Recovery menu.

sd_upgrade_disable = 1

Check image
You're also getting a
Code:
 get_oem_unlock_statut oem_unlock_enabled=0
that isn't looking good :(.

See, it's bull**** like this that prevents OEMs from wanting to support third party development in the first place with things like bootloader unlocks. In the ZTE forums aren't you arguing that it's fair to not cover software related problems after unlocking, but here you are wanting them to cover that as well. B&H just charges the defective unit back to ZTE in the end.
It's all the same to ZTE in this instance because they will reflash their stock software upon return of the phone since it's not for a warranty repair.
 
You're also getting a
Code:
 get_oem_unlock_statut oem_unlock_enabled=0
that isn't looking good :(.


It's all the same to ZTE in this instance because they will reflash their stock software upon return of the phone since it's not for a warranty repair.
That's because i haven't been able to flash the file from OP and enable OEM after :D
 

Top Liked Posts

    11
    Holy ****, amazing! When are you going to post TWRP? And what's coming besides TWRP?
    I'll create a thread once I finish the next build. So far besides TWRP I don't plan on going any further as I don't own a device. Just something for my friend Draken FX.

    Sent from my 6045I using Tapatalk
    11
    Has someone with an unlocked phone volunteered to test for them?
    @anaya1213

    Here is a sneak peek of what's coming, thanks to our pal @Unjustified Dev for the help. Besides, I know a lot of us know him and he deserves all the credit / beers / donations / everything else :p.
    We're working out the bugs right now, and I or he will release it.


    P.S. having fully functional TWRP come Root, :D
    8
    Is this file modified from ones that people received as OTAs, or is it the same file that everyone is getting?

    @DrakenFX, did you try unlocking the bootloader then? Just flashing the update wouldn't necessarily do that part as well.

    There was something odd about the OP file. It had a file which was not in the manifest and the footer on the zip was invalid. This one is proper (full sig file). This would not be possible to replicate without the private signing key. There might be a tweak in the fastboot code for device specific check, but everything has been so vanilla so far, I am positive it will work


    You mean this, unlocking the bootloader? So yeah, I already unlocked :D :p , I didn't wanna do it but hell of it ...now reinstalling everything LoL :D (yeah, "fastboot oem unlock" will wipe the device)


    P.S. DON'T GO OVER to the ZTE Community telling about our findings here. I'm not sure if they are all over checking this stuff, but let's keep this just XDA-wise.
    7
    Did anyone try the zip I uploaded earlier?

    I did not. Maybe you're thinking about me posting in another thread in following up with @tenfar (who said he had root for the Chinese variant)?

    Found what throws out that error
    https://github.com/CyanogenMod/android_bootable_recovery/blob/cm-13.0/verifier.cpp - start at line 108
    My CPP is rusty, but let's see what is used in footer check

    @Jose-MXL

    THANK YOU @jkuczera You DID IT man, Merry Xmas to all :D... If anyone wants to jump, just download the NEW file uploaded by @jkuczera, change the ext. from " .up " to " .zip " and flash it over stock recovery.

    attachment as proof
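
The zip footer check raised in the posts above (the "footer on the zip was invalid" remark and the pointer to verifier.cpp), as an added example that is not part of the original thread or of the recovery source. It checks only the structure of the whole-file signature footer (6 trailing bytes inside the zip comment), not the cryptographic signature itself; the function names, error strings and the sample package are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

FOOTER_SIZE = 6        # signature_start (2) | 0xff 0xff | comment_size (2)
EOCD_HEADER_SIZE = 22  # fixed part of the zip end-of-central-directory record
EOCD_MAGIC = b"PK\x05\x06"

def check_ota_footer(data: bytes) -> dict:
    """Structural footer check on a package; raises ValueError on failure."""
    if len(data) < FOOTER_SIZE:
        raise ValueError("too small to contain a footer")
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        raise ValueError("footer marker missing")
    # signature_start is counted back from the end of the file and must
    # land inside the zip comment, before the footer itself.
    if not FOOTER_SIZE < sig_start <= comment_size:
        raise ValueError("signature start out of range")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if len(data) < eocd_size:
        raise ValueError("too small to contain the EOCD record")
    eocd = data[-eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("comment size does not lead back to the EOCD record")
    # A second EOCD magic inside the comment would let a zip parser and the
    # verifier disagree about where the archive ends.
    if EOCD_MAGIC in eocd[4:]:
        raise ValueError("extra EOCD marker inside the comment")
    # The signature covers everything before the 2-byte comment-length field.
    signed_len = len(data) - eocd_size + EOCD_HEADER_SIZE - 2
    return {"signed_len": signed_len, "signature_len": sig_start - FOOTER_SIZE}

def build_sample(signed: bool = True) -> bytes:
    """Constructed sample: a tiny zip whose comment mimics a signed package."""
    fake_sig = b"\x30" * 64  # placeholder bytes, not a real signature
    body = b"signed by SignApk\x00" + fake_sig
    comment_size = len(body) + FOOTER_SIZE
    footer = struct.pack("<HHH", len(fake_sig) + FOOTER_SIZE, 0xFFFF, comment_size)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/google/android/updater-script", "# constructed\n")
        if signed:
            zf.comment = body + footer
    return buf.getvalue()

if __name__ == "__main__":
    print(check_ota_footer(build_sample()))
```

A package that passes this check can still carry a signature that does not verify against the recovery's keys; the footer only tells the verifier where the signature and the signed region are.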