
[Working] Bootloader Unlocking on most Qualcomm ZTE Devices, /Devinfo partition modification

Discussion in 'Android Lounge' started by Alexenferman, May 12, 2020.

  1. Alexenferman

    Alexenferman Member
    Thread Starter

    Warning: This unlocking method might not work on newer ZTE devices with Oreo+ and flagship devices. You have nothing to lose, but it might not do anything.

    This tutorial is only for Qualcomm ZTE Devices.

    Unlocking the Bootloader:

    Warning: This bootloader unlocking method is not for beginners. It requires at least some knowledge of how to flash ROMs or partitions via QFIL and ADB commands. If you do not understand something here, then the tutorial might not be suitable for you. You can still try it, but at your own risk of course.

    Confirmed Working on:
    ZTE Imperial Max (Z963U)
    ZTE Tempo X (N9317)
    ZTE Avid 4 (Z855)
    ZTE Grand X View 2 (K81)
    ZTE Avid Plus (Z828)



    You will need:

    • A Qualcomm ZTE device (I am using a ZTE Avid Plus Z828)
    • A PC
    • ADB commands installed
    • QFIL 2.0.1.9
    • Your QFIL firehose (emmc_firehose_8***.mbn)
    • A Hex editor (Like HxD)

    Tutorial:

    • Hold power and volume down to boot to FTM mode
    • Using ADB commands, type: adb reboot EDL


    Open QFIL. You should see Qualcomm HS-USB QD-Loader 9008 (COM****)
    • Select "Flat build"
    • Select your firehose (emmc_firehose_8***.mbn)

    • Select tools, partition manager
    • Click ok
    We are interested in the /devinfo partition only!


    • Right click devinfo only and click on "Manage Partition data"


    • Click on "Read Data"
    • Check the logs on the main window, it will show you where it will be saved (Most frequently in the Appdata/Roaming/Qualcomm folder) and the file will be named something like this: ReadData_emmc_Lun0_0x1c000_Len16384_DT_**_**_****_**_**_**.bin
    • Copy the file we read to somewhere like the desktop and make a backup in case it does not work.
    Next, open HxD or any other hex editor

    • Click File>Open and select the file we copied to the desktop
    You should see a layout like this:


    Edit this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    to this:

    41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
    01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00


    • Go to offset 007FFE00 and repeat the same steps:


    It looks like ZTE put another ANDROID-BOOT! in this section; they thought I would not see the second one :D Make sure you edit that second one, otherwise the BL won't be unlocked.

    ___________________________________________________________________________

    What will this do?! The two 01s we put in this file will show to the bootloader that it was unlocked before via fastboot. Of course, we are editing it now and it was never unlocked via fastboot. This is enough to fool it :D


    For people who don't know, on all Android devices there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version etc.
    We have to modify it into saying is_unlocked and is_critical_unlocked.

    ____________________________________________________________________________________

    • Do not touch anything else and click File>Save
    • Boot your phone into EDL again.
    (You might need to reopen QFIL)


    • Back to the partitions, right-click /devinfo again and click "Manage partition Data" again
    • Click "Load image"
    • Select the file we modified (Should be a .bin)
    • Wait a few seconds and restart your phone and IT SHOULD BOOT SURELY!!
    Your bootloader should be unlocked!!

    IT IS WORKING!!

    TWRP is booting!


    Credit to aleph security in the Unlocking the bootloader section at the bottom of the page for the values to change: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
     


    #1 Alexenferman, May 12, 2020
    Last edited: May 18, 2020
    ocnbrze likes this.
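An inspection script for a raw /devinfo dump, added here as an example; it is not code from this thread, from ZTE or from Qualcomm. It assumes only the layout the post above describes (the "ANDROID-BOOT!" magic at offset 0, the two flag bytes at 0x10 and 0x18, and the duplicate record in the last 512-byte sector, 0x7FFE00, of the 8 MiB dump), labels the two bytes with the names the post uses, and reports whether the two copies agree, which is the case the post warns about when only the first copy is edited.

```python
import sys

MAGIC = b"ANDROID-BOOT!"
SECTOR = 0x200            # one 512-byte eMMC sector
DUMP_SIZE = 0x800000      # 16384 sectors, matching the ReadData_..._Len16384 file name
PRIMARY = 0x000000        # record the post edits first
DUPLICATE = 0x7FFE00      # second copy the post found: the last sector of the dump
# The post calls these two bytes is_unlocked and is_critical_unlocked; the names are
# taken from the post and are not verified against any bootloader source.
FLAG_BYTES = {"is_unlocked": 0x10, "is_critical_unlocked": 0x18}


def parse_record(dump: bytes, base: int) -> dict:
    """Read one devinfo record at `base`: magic check plus the two flag bytes."""
    rec = dump[base:base + SECTOR]
    if len(rec) < SECTOR:
        raise ValueError(f"dump too short for a record at {base:#x}")
    return {
        "magic_ok": rec[:len(MAGIC)] == MAGIC,
        "flags": {name: rec[off] for name, off in FLAG_BYTES.items()},
    }


def inspect_devinfo(dump: bytes) -> dict:
    """Classify a dump: locked, unlocked, inconsistent (copies differ) or invalid (bad magic)."""
    copies = {"primary": parse_record(dump, PRIMARY),
              "duplicate": parse_record(dump, DUPLICATE)}
    if not all(c["magic_ok"] for c in copies.values()):
        state = "invalid"
    elif copies["primary"]["flags"] != copies["duplicate"]["flags"]:
        state = "inconsistent"   # only one copy edited: the post says the BL then stays locked
    elif any(copies["primary"]["flags"].values()):
        state = "unlocked"
    else:
        state = "locked"
    return {"state": state, "copies": copies}


def make_sample(primary_unlocked: bool, duplicate_unlocked: bool) -> bytes:
    """Constructed 8 MiB sample dump (not a real device image) with both records present."""
    dump = bytearray(DUMP_SIZE)
    for base, unlocked in ((PRIMARY, primary_unlocked), (DUPLICATE, duplicate_unlocked)):
        dump[base:base + len(MAGIC)] = MAGIC
        if unlocked:
            for off in FLAG_BYTES.values():
                dump[base + off] = 0x01
    return bytes(dump)


if __name__ == "__main__":
    # Pass the ReadData_*.bin path to inspect a real dump; otherwise use a constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True, False)
    print(inspect_devinfo(data))
```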

  2. MrJavi

    MrJavi Android Expert

  3. Alexenferman

    Alexenferman Member
    Thread Starter

    ocnbrze likes this.
  4. MrJavi

    MrJavi Android Expert

    #4 MrJavi, May 13, 2020
    Last edited: May 13, 2020
    ocnbrze likes this.
  5. Alexenferman

    Alexenferman Member
    Thread Starter

    Thanks for the links, but this is for boot.img to verify /system. I already disabled that before.
    I wanted to disable signature verification from aboot (bootloader) to boot.img or recovery.img.
    Anyways, this answered my question:
    https://alephsecurity.com/2018/01/22/qualcomm-edl-2/ in the Bootloader Unlocking section near the bottom of the page.
    I hope it works for ZTE. It should. I dumped the "Devinfo" partition and it contains the same code :D

     
    #5 Alexenferman, May 13, 2020
    Last edited: May 15, 2020
    ocnbrze and MrJavi like this.
  6. MrJavi

    MrJavi Android Expert


    Wish you luck, watch out for dm-verity and drk issues. They're hard to resolve.
     
    ocnbrze likes this.
  7. Alexenferman

    Alexenferman Member
    Thread Starter

    Kind of a success?? :thinking:

    For those interested in this, here is a quick update: I did set those unlock bits both at offset 00000000 and 07FFE000 (there are duplicates), and flashed devinfo using QFIL 2.0.1.9, but I can't see if the bootloader is unlocked.

    I flashed the TWRP and Lineage recovery builds. Both did not boot, but instead of getting that legendary black screen and red light "of death", I got the ZTE logo for a bit and then a restart, which leads me to believe one of two things: either the TWRP and Lineage recoveries that I compiled were badly compiled, or the bootloader is still locked. :oops:

    Another thing to note is that each time I boot to Android, the Custom recovery gets replaced by the stock one as before.

    The thing I am not sure about is: what is the 01 highlighted in yellow in the /devinfo partition? Maybe it's "Bootloader Tampered"? Maybe that is why it refuses to boot the recovery?


    I will be trying to get Magisk ROOT to see if the boot.img boots.

    Any Idea? It will be really appreciated!! :D

    I think I am getting very close to a bootloader unlocking!!! ;)

    \/ The modified /Devinfo partition for those interested
     

    Attached Files:

    #7 Alexenferman, May 15, 2020
    Last edited: May 15, 2020
    ocnbrze likes this.
  8. Alexenferman

    Alexenferman Member
    Thread Starter

    GREAT NEWS! It works! Do it!

    I took the stock recovery of another variant of my phone to distinguish them. I disassembled the recovery.img and reassembled it using Android Image Kitchen.

    Before, this did not boot and instead I got that legendary black screen and Red light "of death", meaning that there is no more signature on the recovery.

    After I unlocked the bootloader, I flashed the same modified unsigned recovery image and it actually booted!

    IMG_20200516_102451.jpg
    My variant is Z828R but the recovery is an unsigned Z828W. You might not see the difference but trust me, it works.

    This means that my TWRP and Lineage Recovery were not compiled correctly. I will port it or fix it and I will show you guys more proof if you want.

    You guys don't know how happy I am to have finally defeated this phone after years.

    THIS SHOULD WORK ON MOST ZTE DEVICES WITH ANDROID 5.0 - 7.1 IN THE WORLD
     
    #8 Alexenferman, May 16, 2020
    Last edited: May 18, 2020
    ocnbrze likes this.
  9. ocnbrze

    ocnbrze DON'T PANIC!!!!!!!!!

    NICE!!!!!!!!!!!!!!!!!!!!!!!

    I know this might be asking much, but is there any way you can compose a guide for the less technical person? I'm sure folks here would really appreciate it.
     
    MrJavi likes this.
  10. Alexenferman

    Alexenferman Member
    Thread Starter

    Yes I will. Please stand by, it will take 1 to 2 business days ;)

    You don't need ROOT but you will need a PC

    I have to get TWRP working first to show you guys more proof. The only thing that is problematic: once you boot to Android and reboot to recovery, it overwrites the custom one.

    I think that flashing a custom ROM will fix this issue.

    Those ZTE stock ROMs were not designed with custom recoveries in mind:thinking:
     
    #10 Alexenferman, May 16, 2020
    Last edited: May 16, 2020
    MrJavi and ocnbrze like this.
  11. Alexenferman

    Alexenferman Member
    Thread Starter

    TWRP is also booting :cool:

     
    #11 Alexenferman, May 16, 2020
    Last edited: May 16, 2020
    ocnbrze and MrJavi like this.
  12. MrJavi

    MrJavi Android Expert




    AWESOME & CONGRATULATIONS!!!!!!!! :)

    I would like to encourage you to share your knowledge with the XDA community. :)

    As you know, I'm not familiar with ZTEs, but try flashing SuperSU. Maybe make a custom kernel in order to keep TWRP intact after each reboot.

    After allowing modifications in custom recovery, turn off the device and boot back into recovery. Then try rebooting. Afterwards turn off and check if TWRP is still there.

    There are some scripts you might find helpful:

    https://forum.xda-developers.com/showthread.php?t=2239421

    You might check XDA for no-verity opt encrypt .zips .

    There's also AnyKernel 1, 2 and 3 . I believe 3 is for Magisk which is systemless root and you'll most likely need system root package like Chainfire.

    https://forum.xda-developers.com/showthread.php?t=2670512

    https://github.com/Zackptg5/Disable_Dm-Verity_ForceEncrypt/blob/master/README.md
     
    #12 MrJavi, May 16, 2020
    Last edited: May 17, 2020
    ocnbrze likes this.
  13. Nighyhawk658

    Nighyhawk658 Lurker

    Hello all

    A very interesting post I came across here, and I wonder if this may help my issue.

    My wife's mobile phone is an Asus Zenfone 5Q ZC600KL X017DA. The issue with it: it will flash up "powered by android", then the Asus logo will appear and it's stuck on the logo. I have tried the usual hardware keys to get into factory reset, but no options show up other than going into CSC fastboot mode.

    I have tried a number of firmwares for this model phone; there seem to be so many of them for this model, and in fastboot mode they all fail. They all show up an error "write protected", apart from the last firmware I downloaded, which will say "cannot flash in locked state".

    When checking some device info it will say the bootloader is locked, so I assume that's why I cannot flash via fastboot.

    I have tried using QFIL but I am always getting errors. I will give the last line before the error and then the error message:

    12:25:26: INFO: Reading through sparse file 'system.img' and pulling out relevant header information...
    12:25:38: INFO: File system.img is a sparse file, being split up into 7980 separate XML tags

    error

    12:25:41: {ERROR: StoreXMLFile:8890 2. Too many XML files in XMLStringTable, max is 8000

    Someone suggested shortening the firmware folder name and placing it on the C drive, same with QFIL. I have done both but still get the same error.

    My goal is obviously to get the phone flashed and running again, so if anyone has any information on the flashing process using QFIL and how to resolve the error above I would much appreciate it.

    But as this topic is about unlocking the bootloader, which might be an option I am looking to do if I cannot flash via QFIL, I wonder if the above instructions would work the same way with the phone model I mentioned. If not, then any solution would be great, at least to keep the wife from chewing any more of my a$$ off hahaha

    Many thanks
     