
Root How to Unlock the bootloader of the ZTE Avid Plus Z828

This process may be complicated depending on who you are. This tutorial is not for complete beginners. You must have experience with root, QFIL and a little bit of bootloader knowledge.

Unlocking the Bootloader:

You will need:

  • Your ZTE Avid Plus
  • A PC
  • ADB commands installed
  • QFIL 2.0.1.9
  • Your QFIL firehose (emmc_firehose_8909.mbn). Check the attachments and download it from there
  • A hex editor (like HxD)

Tutorial:

  • Hold power and volume down to boot to FTM mode
  • Using ADB commands, type: adb reboot EDL

Open QFIL. You should see Qualcomm HS-USB QD-Loader 9008 (COM****)
  • Select "Flat build"
  • Select your firehose (emmc_firehose_8909.mbn)
  • Select tools, partition manager
  • Click ok
We are interested in the /devinfo partition only!



  • Right click devinfo only and click on "Manage Partition data"


  • Click on "Read Data"
  • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
  • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.
Next, open HxD or any other hex editor

  • Click File>Open and select the file we copied to the desktop
You should see a layout like this:


Edit this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


to this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00


  • Go to offset 007FFE00 and repeat the same steps:

___________________________________________________________________________

What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D


For people who don't know, on all Android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
We have to modify it into saying is_unlocked and is_critical_unlocked

____________________________________________________________________________________

  • Do not touch anything else and click File>Save
  • Boot your phone into EDL again.
(You might need to reopen QFIL)


  • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
  • Click "Load image"
  • Select the file we modified (Should be a .bin)
  • Wait a few seconds and restart your phone

Your bootloader should be unlocked!!

Credits to Aleph Security for the unlock bits https://alephsecurity.com/2018/01/22/qualcomm-edl-2#bootloader-unlocking

Download the Firehose:
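
A read-only check of a devinfo dump, added here as an example and not part of the original post: it reports whether each of the two header copies the post edits (offset 0 and 007FFE00) reads as locked or unlocked, and whether the copies agree, which is useful for comparing a backup against the edited file or for spotting a device whose lock state was changed outside fastboot. Assumptions: the two fields at 0x10 and 0x18 are little-endian 32-bit words, the dump is 16384 sectors of 512 bytes, and the function names and sample images are constructed for illustration.

```python
import struct

MAGIC = b"ANDROID-BOOT!"        # the 13 magic bytes shown in the post
COPY_OFFSETS = (0x0, 0x7FFE00)  # the two offsets the post edits
FLAG_OFFSETS = (0x10, 0x18)     # the two fields the post sets to 01 00 00 00


def classify_copy(image: bytes, base: int) -> str:
    """Classify one devinfo copy: missing, bad-magic, locked, unlocked or mixed."""
    header = image[base:base + 0x20]
    if len(header) < 0x20:
        return "missing"          # dump too short to contain this copy
    if not header.startswith(MAGIC):
        return "bad-magic"        # not a devinfo header at this offset
    # Assumption: each flag is a little-endian 32-bit word.
    flags = [struct.unpack_from("<I", header, off)[0] for off in FLAG_OFFSETS]
    if all(f == 0 for f in flags):
        return "locked"
    if all(f == 1 for f in flags):
        return "unlocked"
    return "mixed"                # only one flag set, or an unexpected value


def audit(image: bytes) -> dict:
    """Classify both copies and report whether they agree on a clean state."""
    states = {base: classify_copy(image, base) for base in COPY_OFFSETS}
    values = set(states.values())
    consistent = len(values) == 1 and values <= {"locked", "unlocked"}
    return {"states": states, "consistent": consistent}


def make_sample(first: bytes, second: bytes) -> bytes:
    """Constructed 8 MiB image (16384 x 512 bytes) with the given flag bytes."""
    image = bytearray(16384 * 512)
    for base, flags in zip(COPY_OFFSETS, (first, second)):
        image[base:base + 16] = MAGIC.ljust(16, b"\x00")
        image[base + 0x10:base + 0x20] = flags
    return bytes(image)


LOCKED = bytes(16)                                            # constructed sample
UNLOCKED = bytes.fromhex("01000000000000000100000000000000")  # constructed sample

if __name__ == "__main__":
    for name, img in (("stock", make_sample(LOCKED, LOCKED)),
                      ("edited", make_sample(UNLOCKED, UNLOCKED)),
                      ("half-edited", make_sample(UNLOCKED, LOCKED))):
        print(name, audit(img))
```

To check a real dump, pass the bytes of the ReadData_*.bin file to audit(); the script never writes to the file.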
 

Hello there - I followed the process exactly as described but I seem to be running into a wall. When I proceed via the step "Select tools, partition manager", the partition manager option is greyed out.
 