[Working] Bootloader Unlocking on most Qualcomm ZTE Devices, /Devinfo partition modifiation

[Alexenferman]

Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

This tutorial is only for Qualcomm ZTE Devices.

Unlocking the Bootloader:

Warning: This bootloader unlocking method is not for beginners. It requires at least some knowleage on how to flash ROMS or partitions via QFIL and ADB commands. If you do not understand something here, than the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

Confirmed Working on:
ZTE Imperial Max (Z963U)
ZTE Tempo X (N9317)
ZTE Avid 4 (Z855)
ZTE Grand X View 2 (K81)
ZTE Avid Plus (Z828)


You will need:

• A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
• A PC
• Adb Commands installed
• QFIL 2.0.1.9
• Your QFIL firehose (emmc_firehose_8***.mbn)
• A Hex editor (Like HxD)

Tutorial:

• Hold power and volume down to boot to FTM mode

• Using ADB commands, type: adb reboot EDL

Open QFIL, You should see Qualcomm HS-USB QD-Loader 9008 (COM****)

• Select "Flat build"
• Select your firehose (emmc_firehose_8***.mbn)

• Select tools, partition manager
• Click ok

We are intrested in the /devinfo partition only!

• Right click devinfo only and click on "Manage Partition data"

• Click on "Read Data"
  
• Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
  
• Copy the file we read to somewhere like the desktop and make a backup in case it does not work.

Next, open HxD or any other hex editor

• Click File>Open and select the file we copied to the desktop

You should see a layout like this:



Edit this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

to this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00

• Go to offset 007FFE00 and repeat the same steps:

It looks like ZTE did put another ANDROID-BOOT! at this section, they thought I would not see the second one Make sure you edit that second one, otherwise the BL won't be unlocked.

___________________________________________________________________________

What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it

For people who don't know, on all android devices, there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
We have to modify it into saying is_unlocked and is_Critiacal_unlocked

____________________________________________________________________________________

• Do not touch anything else and click File>Save

• Boot your phone int EDL again.

(You might need to reopen QFIL)

• Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
• Click "Load image"

• Select the file we modified (Should be a .bin)
• Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!

Your bootloader should be unlocked!!

IT IS WORKING!!


TWRP is booting!

Credit to aleph security in the Unlocking the bootloader section at the bottom of the page for the values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/

 

[MrJavi]

I know nothing about the ZTE Avid Plus but I came across link

https://www.google.com/amp/s/gearallnews.com/how-to-unlock-the-bootloader-of-zte-avid-plus/amp/

 

[Alexenferman]

I know nothing about the ZTE Avid Plus but I came across link

https://www.google.com/amp/s/gearallnews.com/how-to-unlock-the-bootloader-of-zte-avid-plus/amp/

ZTE bootloaders are VERY STRIPPED DOWN. There is no fastboot mode for this phone . I would have liked it to be like this but no, it's not like this. You have to modify the bootloader to make it run unsigned code

 

[MrJavi]

Not the samw phone but it offers general advice that you might find useful.

https://www.google.com/amp/s/forum....ng-boot-images-android-verified-t3600606/amp/


https://www.xda-developers.com/quickly-install-adb/

 

[Alexenferman]

Thanks for the links, but this is for boot.img to verify /system. I already disabled that before.
I wanted to disable signature verif from aboot (Bootloader) to Boot.img or Recovery.img
Anyways, this answered my question:
https://alephsecurity.com/2018/01/22/qualcomm-edl-2/ in the Bootloader Unlocking section at the almost bottom of the page.
I hope it works for ZTE. It should. I dumped the "Devinfo" partition and It contains the same code

 

[MrJavi]

Thanks for the links, but this is for boot.img to verify /system. I already disabled that before.
I wanted to disable signature verif to boot from aboot (Bootloader) to Boot.img and Recovery.img
Anyways, this answered my question:
https://alephsecurity.com/2018/01/22/qualcomm-edl-2/ in the Bootloader Unlocking section at the almost bottom of the page.
I hope it works for ZTE. It should. I dumped the "Devinfo" partition and It contains the same code

View attachment 150419

Wish you luck, watch out for dm-verity and drk issues. Their hard to resolve.

 

[Alexenferman]

Kind of a success??

For those intrested in this, here is a quick update, I did set those unlock bits both at offset 00000000 and 07FFE000 (There are duplicates), and flashed devinfo using QFIL 2.0.1.9 but I can't see if the bootloader is unlocked.

I flashed the TWRP and Lineage recovery build. Both did not boot, but instead of getting that legendary black screen and Red light "of death", I got the ZTE logo for a bit and then a restart, which leaves me to beleve those 2 things: Either the TWRP and Lineage recoveries that I compiled were badly compiled or the bootloader is still locked.

Another thing to note is that each time I boot to Android, the Custom recovery gets replaced by the stock one as before.

The thing that I am not sure is what is the 01 highlighted in Yellow in the /devinfo partition? Maybe it's probably "Bootloader Tampered", maybe that is why it will refuse to boot the recovery?



I will be trying to get Magisk ROOT to see if the boot.img boots.

Any Idea? It will be really appreciated!!

I think I am getting very close to a bootloader unlocking!!!

\
\/ The modified /Devinfo partition for those intrested

 

[Alexenferman]

GREAT NEWS! It works! Do it!

I took the stock recovery of another variant of my phone to distinguish them. I disassembled the recovery.img and reassembled it using Android Image Kitchen.

Before, this did not boot and instead I got that legendary black screen and Red light "of death", meaning that there is no more signature on the recovery.

After I unlocked the bootloader, I flashed the same modified unsigned recovery image and it actually booted!


My variant is Z828R but the recovery is an unsigned Z828W. You might not see the difference but trust me, it works.

This means that my TWRP and Lineage Recovery was not compiled correctly. I will port it or fix it and I will show you guys more proof if you want.

You guys don't know how happy I am for finally defeating this phone for years.

THIS SHOULD WORK ON MOST ZTE DEVICES WITH ANDROID 5.0 - 7.1 IN THE WORLD

 

[ocnbrze]

NICE!!!!!!!!!!!!!!!!!!!!!!!

i know this might be asking much, but is there any way you can compose a guide for the less technical person. i'm sure folks here would really appreciate it.

 

[Alexenferman]

Yes I will, Please stand by, it will take 1 to 2 buisness days

You don't need ROOT but you will need a PC

I have to get TWRP working first to show you guys more proof. The only thing that is problematic, once you boot to android and reboot to recovery, it will overwrite the custom one.

I think that flshing a custom ROM will fix this issue.

Those ZTE stock ROMs were not designed with custom recoveries in mind

 

[Alexenferman]

TWRP is also booting

 

[MrJavi]

Yes I will, Please stand by, it will take 1 to 2 buisness days

You don't need ROOT but you will need a PC

I have to get TWRP working first to show you guys more proof. The only thing that is problematic, once you boot to android and reboot to recovery, it will overwrite the custom one.

I think that flshing a custom ROM will fix this issue.


Those ZTE stock ROMs were not designed with custom recoveries in mind

AWESOME & CONGRATULATIONS!!!!!!!!

I would like to encourage you to share your knowledge with the XDA community.

As you know, Im not familiar with ZTE's but try flashing SuperSU. Mabye make a custom kernel in order to keep TWRP intact after each reboot.

After allowing modifications in custom recovery trun off device and boot back into recovery. Then try rebooting. Afterwards tern off and check if TWRP is still there.

There are some scrips you might find helpful

https://forum.xda-developers.com/showthread.php?t=2239421

You might check XDA for no-verity opt encrypt .zips .

There's also AnyKernel 1, 2 and 3 . I believe 3 is for Magisk which is systemless root and you'll most likely need system root package like Chainfire.

https://forum.xda-developers.com/showthread.php?t=2670512

https://github.com/Zackptg5/Disable_Dm-Verity_ForceEncrypt/blob/master/README.md

 

[Nighyhawk658]

Hello all

a very interesting post i came across here and i wonder if this may help my issue

my wifes mobile phone is an Asus Zenfone 5Q ZC600KL X017DA the issue with it will flash up powered by android then the Asus logo will appear and its stuck on the logo i have tried the usual hardware keys to get into factory reset but no options show up other than going into CSC fastboot mode

have tried a number of firmwares for this model phone seems to be so many of them for this model and in fastboot mode they all fail they all show up an error write protected apart from the last firmware i downloaded that will say cannot flash in locked state

when checking some device info it will say bootloader is locked so i assume thats why i cannot flash via fastboot

i have tried using Qfil but i am always getting errors like i will give last line before the error and then the error message

12:25:26: INFO: Reading through sparse file 'system.img' and pulling out relevant header information...
12:25:38: INFO: File system.img is a sparse file, being split up into 7980 separate XML tags

error

12:25:41: {ERROR: StoreXMLFile:8890 2. Too many XML files in XMLStringTable, max is 8000

someone suggested shortening the firmware folder name and placing it on C dive same with the Gfil both have done but still the same error

my goal is obviously to get the phone flashed and running again so if anyone has any information on the flashing process using Qfil and how to resolve the error above i would much appreicate it

but as this topic is about unlocking bootloader and might be an option i am looking to do if i cannot flash via Qfil i wonder if the above instructions would work the same way with with the model phone i mentioned if not then any solution would be great at least keep the wife from chewing anymore of my a$$ off hahaha

many thanks