[TOOL] Unlock bootloader in ASUS ZenPad 3S 10 Z500M (P027)

Search This thread

diplomatic

Senior Member
Mar 12, 2017
1,410
1,910
Tool to Unlock Bootloader in ASUS ZenPad 3S 10 Z500M (P027)

This software essentially unlocks the bootloader in your tablet. I've developed a way to switch a Mediatek bootloader into an unlocked state using root privileges. Luckily, the Z500M does give us temporary root access to run this tool. The result is an "Orange State" boot mode, which disables boot partition verification. As a bonus, this procedure does not erase your data like a typical unlock routine does. It also does not require a PC except to start the temporary rooted image. Note that your tablet will still lack fastboot flashing functionality. But flashing by other means is still possible.

WARNING: Running this tool should be pretty safe. But I don't encourage anyone to try this. Before trying this out, consider the risks and drawbacks involved. By unlocking, you are essentially giving up the security of your device. It's also possible that a future firmware update will relock the bootloader or become incompatible with this tool.

This software is only for ASUS model Z500M/P027. Do not try it on any other device. It will not work. Support for other Mediatek devices may be added in the future. (That's why this is posted in the general forum rather than the ZenPad 10 one.)

And by the way, I don't own this tablet. :)

DISCLAIMER
This software is for educational purposes only. Anything you do that is described in this post is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

REQUIREMENTS
  • A ZenPad Z500M tablet upgraded to Android N
  • A rooted/patched boot image such as one made by Magisk Manager (method 1)
  • Temporary root with Magisk or other superuser manager installed (method 1)
  • TWRP image (method 2)
  • Knowledge of adb/fastboot and of basic Linux command shell

INSTRUCTIONS
Method 1
  1. Read all of these instructions and make sure you understand them before starting
  2. If you don't have an offline patched boot image, use Magisk Manager to make one from the stock boot.img of your current firmware. Transfer it to your PC.
  3. Reboot your tablet into fastboot mode--either hold vol. down + power to power up, and select Fastboot. Or run 'adb reboot bootloader' while in Android.
  4. Connect your tablet to a PC and run fastboot boot patched_boot.img to start the rooted image in tethered mode
  5. Download the tool zip file to your tablet.
  6. Extract the zip to your /data/local/tmp folder.
  7. Open a root shell with adb shell, then run 'su'
  8. Change your shell current directory to that folder (cd /data/local/tmp)
  9. Run this command to unlock or lock the bootloader
    Code:
    sh unlockbl.sh
  10. Follow the instructions on the screen and type the requested confirmation into the prompt.
  11. Check for completion or any error messages. Report them here.
  12. If no errors, you are unlocked and may modify your boot partition (e.g. install root).

Method 2
  1. Read all of these instructions and make sure you understand them before starting
  2. If you don't have TWRP for your tablet, download the latest image to your PC from this thread.
  3. Download the tool zip file to your tablet.
  4. Extract the zip to your /data/local/tmp folder. (For this method, most other folders should work as well due to permissive selinux mode)
  5. Reboot your tablet into fastboot mode--either hold vol. down + power to start up and select Fastboot, or run 'adb reboot bootloader' from Android
  6. Connect your tablet to a PC and run fastboot boot twrp-*.img to start TWRP in tethered mode
  7. At the TWRP welcome screen, do not select to modify the system partition and touch Keep System Read-only instead. Doing otherwise will render your tablet unbootable.
  8. Mount system in TWRP in read-only mode. Mounting in read/write mode will render your tablet unbootable.
  9. Open a shell with adb shell on your PC or open TWRP's built-in terminal
  10. Change your shell current directory to the folder that you extracted the tool zip into (cd /data/local/tmp)
  11. Run this command to unlock or lock the bootloader
    Code:
    sh unlockbl.sh
  12. Follow the instructions on the screen and type the requested confirmation into the prompt.
  13. Check for completion or any error messages. Report them here.
  14. If no errors, you are unlocked and may modify your boot partition (e.g. install root).

DOWNLOAD

Current Version
Unlock Tool v0.6a


Changelog
v0.6a
  • Actually improve compatibility with TWRP
v0.6
  • Handle units with blank bootloader configs
  • Improve compatibility with TWRP
  • Improve text wrapping for TWRP's terminal
v0.5
  • Major overhaul to remove the need for kernel module
v0.2
  • Made compatible with other FW versions
v0.1
  • First release

CREDITS
@amartolos for being a kick-ass tester

If anyone wants to develop a full Android app around this script, be my guest.

Also, that Thanks button will not click itself...
 

Attachments

  • unlock_tool_z500m_v0.6a.zip
    9.4 KB · Views: 4,262
Last edited:

Joh14vers6

Senior Member
May 27, 2013
75
17
Haarlem
OnePlus 5T
I got this after typing "Yes, I want to unlock"
Extracting binaries
Inserting kernel module
Testing kernel module
Oops! Something went wrong. Aborting
Your system has not been modified
Exit code 126

When running script with terminal on tablet I got exit code 1 on the same stage.
 
Last edited:

loner.

Senior Member
Feb 25, 2013
1,457
289
I haven't been able to get magisk to make a patched boot.img
Any help appreciated.
 
2. Install Magisk Manager and create an offline patched boot image from the stock boot.img if you don't have one.
Apologies. I have Magisk installed on my Nexus 6 but I would not consider myself an expert. With that device I installed the Magisk zip file in TWRP recovery and then installed Magisk Manager. After installation of Magisk Manager on the Z500M and launching the app it asks if I want to install the Magisk 15.2 zip. Should that be done?

At this time I haven't done this and I don't see any method for creating the patched boot image. Can someone direct me via a link or explanation on how to do this?
 

diplomatic

Senior Member
Mar 12, 2017
1,410
1,910
I got this after typing "Yes, I want to unlock"
Extracting binaries
Inserting kernel module
Testing kernel module
Oops! Something went wrong. Aborting
Your system has not been modified
Exit code 126

When running script with terminal on tablet I got exit code 1 on the same stage.
Hmm, that sounds like a permissions problem. Before running the script, can you turn off Selinux enforcement somehow? Try running 'setenforce 0' or maybe there's a setting in Magisk that controls this. Bear with me, I'm trying to get to the bottom of this...

Has anyone besides amartolos gotten this to work yet?
 
Last edited:
  • Like
Reactions: swear0730

loner.

Senior Member
Feb 25, 2013
1,457
289
I ran the tool successfully and it said to reboot and Root. While rebooting it says:
Orange State
Your device has been unlocked and can't be trusted
Your device will reboot in 5 seconds

Then I can't get a root to take.

Edit: I found the problem. After you run the script, run magisk to root before you reboot, while you are still in temp root status.

Sent from my P01MA using Tapatalk
 
Last edited:

diplomatic

Senior Member
Mar 12, 2017
1,410
1,910
I ran the tool successfully and it said to reboot and Root. While rebooting it says:
Orange State
Your device has been unlocked and can't be trusted
Your device will reboot in 5 seconds

Then I can't get a root to take.

Yep, you got it! In order to have persistent root, you actually have to install it to your boot partition while booted up with temporary root.
 
  • Like
Reactions: swear0730

Joh14vers6

Senior Member
May 27, 2013
75
17
Haarlem
OnePlus 5T
I got this after typing "Yes, I want to unlock"

Hmm, that sounds like a permissions problem. Before running the script, can you turn off Selinux enforcement somehow? Try running 'setenforce 0' or maybe there's a setting in Magisk that controls this. Bear with me, I'm trying to get to the bottom of this...

Has anyone besides amartolos gotten this to work yet?
I tried SELinuxModeChanger to set Selinux to permisive and tried setenforce 0 and both give same exit code 1 from the terminal.
 

loner.

Senior Member
Feb 25, 2013
1,457
289
FW WW_14.0210.1709.30 from 04 jan 2018 and yes, I ran from that folder.
Last two numbers should be .27
I checked and yes there is a update, but I don't think I can install it. Since I and already rooted. The size of the update seems to be a security update.

---------- Post added at 05:16 PM ---------- Previous post was at 05:11 PM ----------

Has anyone who successfully rooted this device able to do the update after?
 
I'm glad to see that Asus is releasing security updates even if it does break the unlock. My biggest fear buying this tablet was that it would not be updated. I opted for the update and will hope for an updated patch from @diplomatic.

As an aside. I would encourage anyone in this thread to give hit the "Thanks" button for diplomatic!

EDIT: I just checked and see my last update brought me to WW_14.0210.1711.30_20171206. That's different than the 1/4/2018 update showing on the website which is WW_14.0210.1709.30 and what @Joh14vers6 shows. :confused:
 
Last edited:
  • Like
Reactions: diplomatic

diplomatic

Senior Member
Mar 12, 2017
1,410
1,910
FW WW_14.0210.1709.30 from 04 jan 2018 and yes, I ran from that folder.

OK everyone, this is important... I found an incompatibility between the new FW's kernel and the tool. You have to use the patched boot image from FW 1709.27 for temporary root... In the meantime, I have to fix it to be able to run under the new FW. But it won't be compatible with the old. And I hope it still unlocks...
 

Top Liked Posts

  • There are no posts matching your filters.
  • 46
    Tool to Unlock Bootloader in ASUS ZenPad 3S 10 Z500M (P027)

    This software essentially unlocks the bootloader in your tablet. I've developed a way to switch a Mediatek bootloader into an unlocked state using root privileges. Luckily, the Z500M does give us temporary root access to run this tool. The result is an "Orange State" boot mode, which disables boot partition verification. As a bonus, this procedure does not erase your data like a typical unlock routine does. It also does not require a PC except to start the temporary rooted image. Note that your tablet will still lack fastboot flashing functionality. But flashing by other means is still possible.

    WARNING: Running this tool should be pretty safe. But I don't encourage anyone to try this. Before trying this out, consider the risks and drawbacks involved. By unlocking, you are essentially giving up the security of your device. It's also possible that a future firmware update will relock the bootloader or become incompatible with this tool.

    This software is only for ASUS model Z500M/P027. Do not try it on any other device. It will not work. Support for other Mediatek devices may be added in the future. (That's why this is posted in the general forum rather than the ZenPad 10 one.)

    And by the way, I don't own this tablet. :)

    DISCLAIMER
    This software is for educational purposes only. Anything you do that is described in this post is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

    REQUIREMENTS
    • A ZenPad Z500M tablet upgraded to Android N
    • A rooted/patched boot image such as one made by Magisk Manager (method 1)
    • Temporary root with Magisk or other superuser manager installed (method 1)
    • TWRP image (method 2)
    • Knowledge of adb/fastboot and of basic Linux command shell

    INSTRUCTIONS
    Method 1
    1. Read all of these instructions and make sure you understand them before starting
    2. If you don't have an offline patched boot image, use Magisk Manager to make one from the stock boot.img of your current firmware. Transfer it to your PC.
    3. Reboot your tablet into fastboot mode--either hold vol. down + power to power up, and select Fastboot. Or run 'adb reboot bootloader' while in Android.
    4. Connect your tablet to a PC and run fastboot boot patched_boot.img to start the rooted image in tethered mode
    5. Download the tool zip file to your tablet.
    6. Extract the zip to your /data/local/tmp folder.
    7. Open a root shell with adb shell, then run 'su'
    8. Change your shell current directory to that folder (cd /data/local/tmp)
    9. Run this command to unlock or lock the bootloader
      Code:
      sh unlockbl.sh
    10. Follow the instructions on the screen and type the requested confirmation into the prompt.
    11. Check for completion or any error messages. Report them here.
    12. If no errors, you are unlocked and may modify your boot partition (e.g. install root).

    Method 2
    1. Read all of these instructions and make sure you understand them before starting
    2. If you don't have TWRP for your tablet, download the latest image to your PC from this thread.
    3. Download the tool zip file to your tablet.
    4. Extract the zip to your /data/local/tmp folder. (For this method, most other folders should work as well due to permissive selinux mode)
    5. Reboot your tablet into fastboot mode--either hold vol. down + power to start up and select Fastboot, or run 'adb reboot bootloader' from Android
    6. Connect your tablet to a PC and run fastboot boot twrp-*.img to start TWRP in tethered mode
    7. At the TWRP welcome screen, do not select to modify the system partition and touch Keep System Read-only instead. Doing otherwise will render your tablet unbootable.
    8. Mount system in TWRP in read-only mode. Mounting in read/write mode will render your tablet unbootable.
    9. Open a shell with adb shell on your PC or open TWRP's built-in terminal
    10. Change your shell current directory to the folder that you extracted the tool zip into (cd /data/local/tmp)
    11. Run this command to unlock or lock the bootloader
      Code:
      sh unlockbl.sh
    12. Follow the instructions on the screen and type the requested confirmation into the prompt.
    13. Check for completion or any error messages. Report them here.
    14. If no errors, you are unlocked and may modify your boot partition (e.g. install root).

    DOWNLOAD

    Current Version
    Unlock Tool v0.6a


    Changelog
    v0.6a
    • Actually improve compatibility with TWRP
    v0.6
    • Handle units with blank bootloader configs
    • Improve compatibility with TWRP
    • Improve text wrapping for TWRP's terminal
    v0.5
    • Major overhaul to remove the need for kernel module
    v0.2
    • Made compatible with other FW versions
    v0.1
    • First release

    CREDITS
    @amartolos for being a kick-ass tester

    If anyone wants to develop a full Android app around this script, be my guest.

    Also, that Thanks button will not click itself...
    6
    Version 0.5

    New version uploaded. This one should have pretty universal compatibility because there is no more kernel module. Everything is done in userspace. It's a pretty significant overhaul. It might even work with other devices. ;)
    6
    By the way, guys, you can now skip dealing with the whole patched boot image part. Now that we have TWRP, you can use that to run the tool. Just boot it with 'fastboot boot twrp-xxx.img'. Mount System inside TWRP. Then open an adb shell on your computer and continue as if you were running a rooted image. I will update the instructions to include this later....
    6
    New version

    A new version of the tool has been posted that's compatible with patched images from FW 14.0210.1711.30. But it doesn't work with older releases. So pick the version that matches your image....