
[GUIDE] Unlock the bootloader of Zuk Z1 without using fastboot & wiping userdata

By Titokhan, XDA Portal Supporter on 18th November 2015, 02:32 PM
Introduction

As we know, the official way to unlock the bootloader of Zuk Z1 is through fastboot.

For an untouched device, the status of the bootloader should be:
Code:
fastboot -i 0x2b4c oem device-info
...
(bootloader)    Device tampered: false
(bootloader)    Device unlocked: false
(bootloader)    Charger screen enabled: false
(bootloader)    Display panel:

To unlock the bootloader, you need to enable 'OEM unlocking' under Developer options first, then via bootloader/fastboot interface:
Code:
fastboot -i 0x2b4c oem unlock-go

It'll eventually erase the userdata.

Then the status of the bootloader should be:
Code:
fastboot -i 0x2b4c oem device-info
...
(bootloader)    Device tampered: false
(bootloader)    Device unlocked: true
(bootloader)    Charger screen enabled: false
(bootloader)    Display panel:

Inspired by the findings on similar devices, we can actually unlock the bootloader of Zuk Z1 without using fastboot, while keeping the userdata intact.

How-to

Warning!
It is dangerous! This whole thing is basically one giant hack - which is not intended to be done by normal users. It is messing with the bootloader partition, so it is possible that something goes wrong and you will have a nice & costly brick in your pocket. Be prepared to revive the device from a hard-brick.

1. Enable 'OEM unlocking' under Developer options. You may need to tap the Build number 7 times under About phone to get the Developer options under Settings.

2. We need root access (kinda expected!). To root the device without unlocking the bootloader, use KingRoot. Use the Android version.

Now there is a catch! KingRoot can root the device because the latest build of Cyanogen OS (cm-12.1-YOG4PAS3OH-ham ATM) contains vulnerabilities which can be exploited by the root exploits used by KingRoot. But we can't be sure about the future.

3. After being rooted, use adb shell or any terminal emulator to dump the 'aboot' (i.e. bootloader) partition to the internal sdcard:
Code:
su
dd if=/dev/block/bootdevice/by-name/aboot of=/sdcard/aboot.img

4. Now we need to modify the dumped image using a hex editor. For Zuk Z1:
Code:
Unlock Bit Position - 0x001FFE10 Hex
Tamper Bit Position - 0x001FFE14 Hex

'00' means false, '01' means true. So to set the bootloader as unlocked, we just need to change the following:




Save the modified image as 'abootmod.img' inside your sdcard.

5. Now it's time to flash back the modded bootloader. Execute the following from adb shell or any terminal emulator:
Code:
su
dd if=/sdcard/abootmod.img of=/dev/block/bootdevice/by-name/aboot

Do a reboot & voila! You have unlocked the bootloader! Don't just believe me - check the status of the bootloader to be sure.

Note

1. We can also reset the tamper bit using this procedure.
2. If you prefer GUI, then you can use this fantastic app by @wanam.
3. This is tested on an international Zuk Z1 running cm-12.1-YOG4PAS3OH-ham. Please test & post feedback to ensure compatibility.
4. I'm not providing pre-modified images as it increases the risk of bricking the devices having older/newer bootloaders - please do it yourself. The offsets should be unchanged in future, though.

Credits

1. @osm0sis
2. @segv11
3. @Mnt-XDA
4. @Tengo10 - for risking his device for this experiment.
5. Users of XDA.

Happy tinkering!
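A check for steps 4 and 5 of the guide above, added here as an example and not part of the original post: it decodes the two flag bytes at the offsets the guide gives, confirms that a hex edit changed nothing else in the image before it is written back, and compares a re-dumped partition with the written image to catch a write that did not persist. The function names are hypothetical and the sample buffers are constructed.

```python
import hashlib

# Offsets quoted in the guide for the Zuk Z1 'aboot' partition.
UNLOCK_OFFSET = 0x001FFE10
TAMPER_OFFSET = 0x001FFE14
FLAG_OFFSETS = {"unlocked": UNLOCK_OFFSET, "tampered": TAMPER_OFFSET}

def read_flags(image: bytes) -> dict:
    """Decode the two flag bytes; the guide says 00 is false and 01 is true."""
    if len(image) <= max(FLAG_OFFSETS.values()):
        raise ValueError("image is too short to contain the flag bytes")
    flags = {}
    for name, offset in FLAG_OFFSETS.items():
        if image[offset] not in (0x00, 0x01):
            raise ValueError(f"unexpected value at {offset:#010x}")
        flags[name] = image[offset] == 0x01
    return flags

def check_edit(original: bytes, modified: bytes) -> list:
    """Return a list of problems; an empty list means only flag bytes changed."""
    if len(original) != len(modified):
        return [f"size changed: {len(original)} -> {len(modified)} bytes"]
    allowed = set(FLAG_OFFSETS.values())
    stray = [i for i, (a, b) in enumerate(zip(original, modified))
             if a != b and i not in allowed]
    return [f"unexpected change at {i:#010x}" for i in stray[:10]]

def same_image(expected: bytes, readback: bytes) -> bool:
    """Compare a re-dumped partition with the image that was written."""
    return hashlib.sha256(expected).digest() == hashlib.sha256(readback).digest()

def demo():
    # Constructed stand-in for a locked aboot dump (all zero bytes, 2 MiB).
    original = bytes(0x200000)
    good = bytearray(original)
    good[UNLOCK_OFFSET] = 0x01            # the intended one-byte edit
    bad = bytearray(good)
    bad[0x1000] ^= 0xFF                   # simulated slip of the hex editor
    return {
        "before": read_flags(original),
        "after": read_flags(bytes(good)),
        "good_edit": check_edit(original, bytes(good)),
        "bad_edit": check_edit(original, bytes(bad)),
        "persisted": same_image(bytes(good), original),  # write did not stick
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With real files, pass the bytes of aboot.img and abootmod.img to check_edit before flashing, then dump the partition again after flashing and pass it to same_image.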
25th November 2015, 05:21 AM |#3  
gamal001
Senior Member
I tested it now and it's working okay. Thaaaaaaaaaaaaaaaaanks
25th November 2015, 02:38 PM |#4  
wchristian
Junior Member
After using dd for writing the modified image it worked. Seems to be a problem using the app Partitions Backup & Restore.

old post
Quote:

Didn't work for me.
fastboot -i 0x2b4c oem device-info still shows

Code:
...
(bootloader)    Device tampered: false
(bootloader)    Device unlocked: false
(bootloader)    Charger screen enabled: false
(bootloader)    Display panel:
OKAY [  0.009s]
finished. total time: 0.010s
When I read the aboot partition after writing the modified image, my modification is gone. I used the Partitions Backup & Restore app for reading and writing.

29th November 2015, 06:10 PM |#5  
Junior Member
Hi everybody

I am trying to unlock the bootloader with fastboot but I am stuck (I have the drivers installed properly, adb recognizes my device):

C:\adb>fastboot -i 0x2b4c oem unlock-go
...
FAILED (remote: oem unlock is not allowed)
finished. total time: 0.003s

I have been trying for hours to unlock the device, can you tell me what is wrong?

Thank you
29th November 2015, 09:19 PM |#6  
Planet X
Senior Member
Quote:
Originally Posted by Lems84

Hi everybody

I am trying to unlock the bootloader with fastboot but I am stuck (I have the drivers installed properly, adb recognizes my device):

C:\adb>fastboot -i 0x2b4c oem unlock-go
...
FAILED (remote: oem unlock is not allowed)
finished. total time: 0.003s

I have been trying for hours to unlock the device, can you tell me what is wrong?

Thank you

Did you do this?
To unlock the bootloader, you need to enable 'OEM unlocking' under Developer options first
29th November 2015, 09:32 PM |#7  
Junior Member
Yes, I did it: USB debugging and OEM unlocking on the ZUI interface.

Quote:
Originally Posted by Planet X

Did you do this?
To unlock the bootloader, you need to enable 'OEM unlocking' under Developer options first

16th January 2016, 05:11 PM |#8  
Junior Member
Quote:
Originally Posted by Planet X

Did you do this?
To unlock the bootloader, you need to enable 'OEM unlocking' under Developer options first

I also have the same problem. I enabled OEM. Solutions please? Kindly?
16th January 2016, 07:57 PM |#9  
ClaudioIT
Senior Member
Thanks!
20th January 2016, 02:56 PM |#10  
carstenheuer
Senior Member
Hello Titokhan,
Can you please upload the modified abootmod.img for the international version? Then it will be very easy for me and the only thing I must do is to install the file... many thx
20th January 2016, 04:29 PM |#11  
Tengo10
Member
Quote:
Originally Posted by carstenheuer

Hello Titokhan,
Can you please upload the modified abootmod.img for the international version? Then it will be very easy for me and the only thing I must do is to install the file... many thx

The problem is that he doesn't own that phone.