[GUIDE] Bootloader Unlock

[jkuczera]

Can this brick your phone/void your warranty? Of course it could! I wouldn't be posting it on XDA if it couldn't!

Just be aware that once you unlock, you won't get anymore OTA updates at the current moment, and there's not full factory images to fall back on. They will still try to push OTAs if anyone does this bootloader unlock method, but they will always fail due to version checking.

So as it stands right now, if you do this, you're not going to get further updates from ZTE, unless they change their stance.

Here's a method that should work for any brave souls. It's the method I used so far.

My understanding is this update only makes the required patches to allow the command fastboot oem unlock to actually unlock the bootloader. That being said, I do not know for sure that this is not specific to my phone's IMEI. If someone would supply me with the file/link they get from using adb shell logcat > ota.txt while checking for updates, then grep ota.txt | ZDMLog (if you use linux) or do a find for https:// in ota.txt it would be useful for this verification.

For microSD card method:
Take this (Thanks DrakenFX) or this file and put it in /sdcard/, making sure extension is .zip

Enable OEM unlock from the settings->development menu.

Reboot phone (or boot phone) while pressing volume up. This will get you into stock recovery. From here, apply update from SD card, P996A01B20Fastboot_ssl.zip

No microSD card method:
This may also be possible without an SD card using the adb sideload option in stock recovery and "adb sideload P996A01B20Fastboot_ssl.zip" on your desktop. If you are successful using this method, send me a PM so I can update this post.

Now if you reboot into bootloader (which you can do right from recovery), you will hopefully find that "fastboot oem unlock" actually brings up the bootloader unlock prompt on your phone.

You should be able to verify to this point as per below.

Without using the fastboot oem unlock command I have not lost any user data (but it's still a good idea to back it up!) If you do unlock, you will lose your data!

 

[xtermmin]

This method requires 20B to already be installed, correct? If so, is there a way to sideload the 20B update (so one can go from launch firmware -> sideloaded 20B -> sideloaded 20B_boot)? Juuuust in case ZTE puts out a 20C or something that blocks sideloading and renders "unofficial" bootloader unlock attempts like this invalid.

 

[jkuczera]

This method requires 20B to already be installed, correct? If so, is there a way to sideload the 20B update (so one can go from launch firmware -> sideloaded 20B -> sideloaded 20B_boot)? Juuuust in case ZTE puts out a 20C or something that blocks sideloading and renders "unofficial" bootloader unlock attempts like this invalid.

It does require 20B to be installed. It appears 20B can sideloaded as well. The only error message I received was 20B expects 20160624 or 20160707 (and I'm now at 20160805). Maybe someone can try to sideload 20B on 20B?

 

[dennis96411]

So looking through the update script, it seems to check for SHA1 matches for certain parts of the boot, system and recovery partitions. I'm not sure if the patch itself has content specific to an IMEI or if this is just a simple check to make sure the phone has the correct build installed.

Looking at this, it seems the purpose of the part of the script before # ---- start making changes here ---- is used to verify a correctly configured system, with no apparent relation to the IMEI. It looks like the script itself is completely generic, and the checks could probably be removed so this will work on any build. Now we just need another update package to compare the other content (fastboot.img, patch\boot.img.p, patch\recovery.img.p) with to see if they're generic as well. This makes me wonder if flashing fastboot.img alone is enough, as that's what is used to interface with the bootloader unlock.

Helpful references:
Built-in functions in update binary
range_sha1

 

[ultramag69]

So looking through the update script, it seems to check for SHA1 matches for certain parts of the boot, system and recovery partitions. I'm not sure if the patch itself has content specific to an IMEI or if this is just a simple check to make sure the phone has the correct build installed.

Looking at this, it seems the purpose of the part of the script before # ---- start making changes here ---- is used to verify a correctly configured system, with no apparent relation to the IMEI. It looks like the script itself is completely generic, and the checks could probably be removed so this will work on any build. Now we just need another update package to compare the other content (fastboot.img, patch\boot.img.p, patch\recovery.img.p) with to see if they're generic as well. This makes me wonder if flashing fastboot.img alone is enough, as that's what is used to interface with the bootloader unlock.

Helpful references:
Built-in functions in update binary
range_sha1

Man I hope so, then the rest of the world can get a bootloader unlock even if ZTE won't unlock the bootloader for us.....

 

[rczrider]

Has anyone captured 20B and has it for others to try?

My phone won't come until next week (first wave of grays), but I'll try capturing it if it's not already installed. We just have to wait 5 days

 

[xtermmin]

Has anyone captured 20B and has it for others to try?

My phone won't come until next week (first wave of grays), but I'll try capturing it if it's not already installed. We just have to wait 5 days

I think this is it: http://forum.xda-developers.com/showpost.php?p=68109239&postcount=5

There are no full system images available for the US model yet, unfortunately.

 

[rczrider]

I think this is it: http://forum.xda-developers.com/showpost.php?p=68109239&postcount=5

There are no full system images available for the US model yet, unfortunately.

So in theory, the process would be to sideload the 20B update, reboot, then sideload the file in the OP?

Hopefully someone will get around to testing this method (or at least the OP's file) before my phone comes next week, but if not, I'll do it first thing.

 

[xtermmin]

So in theory, the process would be to sideload the 20B update, reboot, then sideload the file in the OP?

Hopefully someone will get around to testing this method (or at least the OP's file) before my phone comes next week, but if not, I'll do it first thing.

In theory, yes (You could also update to 20B normally, but good to have it as a backup). Hopefully 20B_Boot is not device-specific.

 

[rczrider]

In theory, yes (You could also update to 20B normally, but good to have it as a backup). Hopefully 20B_Boot is not device-specific.

I assume the most likely outcome is that it simply wouldn't flash. Even so, I'm willing to be a bit reckless as I can just return the phone for new one (via the retailer, not ZTE)

 

[reddrago]

I assume the most likely outcome is that it simply wouldn't flash. Even so, I'm willing to be a bit reckless as I can just return the phone for new one (via the retailer, not ZTE)

Haha same but never dealt with B&H so we'll see how that goes. Still waiting for the grey one.

---------- Post added at 09:17 AM ---------- Previous post was at 09:16 AM ----------

So everyone should update to B20 as soon as possible and then not update to anything else.

 

[rczrider]

Haha same but never dealt with B&H so we'll see how that goes. Still waiting for the grey one..

They're fantastic. 30-day (from delivery) no-questions-asked return policy on smartphones. If there's an actual problem with the phone, they'll even pay for return shipping. No restocking fee in either case.

If there is a problem with the phone itself, you can exchange it and the 30-day return policy resets from delivery of the replacement unit.

 

[DrakenFX]

Reboot phone (or boot phone) while pressing volume up. This will get you into stock recovery. From here, apply update from SD card, P996A01B20Fastboot_ssl.zip

I was trying but Can't use " apply update from SDCard " but the "apply update from ADB " seems to be enable just didn't try cuz i don't have my laptop with me at the moment (till i get home) , check picture.

P.S. just to clear things up when i select "apply Update from SDCard" is when i get that message, so the ADB option is the only way for me to apply this and yes I'm in B20.

 

[jkuczera]

I was trying but Can't use " apply update from SDCard " but the "apply update from ADB " seems to be enable just didn't try cuz i don't have my laptop with me at the moment (till i get home) , check picture.

Did you have an update file in /sdcard/ ? Since this is the stock recovery, I'm quite certain it's looking for a physical microSD for this usage scenario.

 

[DrakenFX]

Did you have an update file in /sdcard/ ? Since this is the stock recovery, I'm quite certain it's looking for a physical microSD for this usage scenario.

Yep, have the P996A01B20Fastboot_ssl.zip in actually both internal and SDCard root directory, looks like apply Update from SDCard is block But apply update from ADB isn't (side loading)

 

[xtermmin]

Yep, have the P996A01B20Fastboot_ssl.zip in actually both internal and SDCard root directory, looks like apply Update from SDCard is block But apply update from ADB isn't (side loading)

Try changing the filename to P996A01B20Fastboot_ssl.up. The direct-link from ZTE for the 20B update has that extension.

 

[jkuczera]

Yep, have the P996A01B20Fastboot_ssl.zip in actually both internal and SDCard root directory, looks like apply Update from SDCard is block But apply update from ADB isn't (side loading)

It's got to be another issue altogether because I can pull up the SD card menu even if I don't have files in there.

 

[DrakenFX]

It's got to be another issue altogether because I can pull up the SD card menu even if I don't have files in there.

I got this from the recovery log from the Recovery menu.

sd_upgrade_disable = 1

Check image

 

[djona12]

I got this from the recovery log from the Recovery menu.

sd_upgrade_disable = 1

Check image

You're also getting a

 get_oem_unlock_statut oem_unlock_enabled=0

that isn't looking good .

See, it's bull**** like this that prevents OEMs from wanting to support third party development in the first place with things like bootloader unlocks. In the ZTE forums aren't you arguing that it's fair to not cover software related problems after unlocking, but here you are wanting them to cover that as well. B&H just charges the defective unit back to ZTE in the end.

It's all the same to ZTE in this instance because they will reflash their stock software upon return of the phone since it's not for a warranty repair.

 

[DrakenFX]

You're also getting a

 get_oem_unlock_statut oem_unlock_enabled=0

that isn't looking good .


It's all the same to ZTE in this instance because they will reflash their stock software upon return of the phone since it's not for a warranty repair.

That's because i haven't been able to flash the file from OP and enable OEM after