Alexenferman
Member
This process may be complicated depending on your experience. This tutorial is not for complete beginners: you should already be comfortable with root, QFIL and a little bit of bootloader knowledge.
Unlocking the Bootloader:
You will need:
- Your ZTE Avid Plus
- A PC
- ADB (adb command-line tools) installed
- QFIL 2.0.1.9
- Your QFIL firehose (emmc_firehose_8909.mbn); check the attachments and download it from there
- A Hex editor (Like HxD)
Tutorial:
- Hold power and volume down to boot to FTM mode
- Using ADB commands, type: adb reboot EDL
- Open QFIL. You should see Qualcomm HS-USB QD-Loader 9008 (COM****)
- Select "Flat build"
- Select your firehose (emmc_firehose_8909.mbn)
- Select Tools > Partition Manager
- Click OK
- Right-click only devinfo and click "Manage Partition Data"
- Click on "Read Data"
- Check the logs in the main window; they show where the file is saved (most often in the AppData/Roaming/Qualcomm folder) and its name, which will look something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
- Copy the file you just read to somewhere like the desktop and keep an untouched backup copy in case something goes wrong.
- In the hex editor, click File > Open and select the copy on the desktop
Edit this:
41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
to this:
41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
- Go to offset 007FFE00 and make the same edit there.
___________________________________________________________________________
What will this do?! The two 01s we write into this file tell the bootloader that it was unlocked before via fastboot. Of course, it never was; we are writing the flags directly, and that is enough to fool it.
For people who don't know: on all Android devices there is the /devinfo partition, which stores the bootloader's state, such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version, etc.
We have to modify it so that it says is_unlocked and is_critical_unlocked.
____________________________________________________________________________________
- Do not touch anything else and click File > Save
- Boot your phone into EDL again.
- Back in the partition manager, right-click devinfo again and click "Manage Partition Data" again
- Click "Load image"
- Select the file we modified (Should be a .bin)
- Wait a few seconds and restart your phone
Your bootloader should be unlocked!!
Credits to Aleph Security for the unlock bits: https://alephsecurity.com/2018/01/22/qualcomm-edl-2#bootloader-unlocking
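Before you load the edited .bin back in the "Load image" step, it is worth confirming that only the four flag bytes changed and that both copies of the record now agree, since QFIL will write whatever you give it. The Python below is an added example, not from the post or from QFIL; it assumes the offsets and names used above (the ANDROID-BOOT! record at the start of the dump and again at 0x7FFE00, the two 01 bytes read as is_unlocked and is_critical_unlocked) and builds its own constructed 8 MiB sample dump, taking Len16384 in the filename as a count of 512-byte sectors.

```python
"""Added example: sanity-check an edited devinfo dump before flashing it back.
Offsets follow the post; the field names for the two edited bytes are the post's,
and the mapping is an assumption. All sample data here is constructed."""

MAGIC = b"ANDROID-BOOT!"          # 41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21
SECTOR = 512
DUMP_SIZE = 16384 * SECTOR        # Len16384 read as 512-byte sectors: 8 MiB = 0x800000
COPY_OFFSETS = (0x0, DUMP_SIZE - SECTOR)   # second copy in the last sector = 0x7FFE00
# Byte 16 and byte 24 of the record are the two 01s the post sets (assumed names).
FLAG_OFFSETS = {"is_unlocked": 16, "is_critical_unlocked": 24}


def parse_copy(dump: bytes, base: int) -> dict:
    """Return the unlock flags of the record at `base`; fail if the magic is missing."""
    if dump[base:base + len(MAGIC)] != MAGIC:
        raise ValueError(f"no ANDROID-BOOT! magic at 0x{base:X}; wrong file or offset")
    return {name: bool(dump[base + off]) for name, off in FLAG_OFFSETS.items()}


def inspect(dump: bytes) -> dict:
    """Parse both copies so a disagreement between them is visible."""
    return {base: parse_copy(dump, base) for base in COPY_OFFSETS}


def changed_offsets(original: bytes, modified: bytes) -> list:
    """Offsets of every byte that differs; compared sector by sector to stay fast on 8 MiB."""
    if len(original) != len(modified):
        raise ValueError("dump sizes differ; the edit must not change the file length")
    diffs = []
    for start in range(0, len(original), SECTOR):
        a, b = original[start:start + SECTOR], modified[start:start + SECTOR]
        if a != b:
            diffs.extend(start + i for i in range(len(a)) if a[i] != b[i])
    return diffs


def expected_offsets() -> list:
    """The only four bytes the post's edit should touch."""
    return sorted(base + off for base in COPY_OFFSETS for off in FLAG_OFFSETS.values())


def verify_patch(original: bytes, modified: bytes) -> bool:
    """True only if exactly the expected bytes changed and both copies now read unlocked."""
    if changed_offsets(original, modified) != expected_offsets():
        return False
    return all(all(flags.values()) for flags in inspect(modified).values())


def build_sample_dump(unlocked: bool) -> bytes:
    """Constructed 8 MiB dump with the record from the post at both copy offsets."""
    dump = bytearray(DUMP_SIZE)
    for base in COPY_OFFSETS:
        dump[base:base + len(MAGIC)] = MAGIC
        for off in FLAG_OFFSETS.values():
            dump[base + off] = 1 if unlocked else 0
    return bytes(dump)
```

Run verify_patch on the backup you kept and the file you edited; a False result means either a stray byte changed or one of the two copies was missed.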
Download the Firehose: