Possible Bootloader Unlocking On ZTE Devices? /devinfo partition modification

Alexenferman (United States, Posts: 7)
edited May 15, 2020 3:13PM in Developer's Lounge

I don't know if anyone has ever considered taking a look at the /devinfo and /aboot partitions and changing the bits to unlock the bootloader.

Somehow, the post got removed, so I am putting it back.

For people who don't know, on all Android devices there is the /devinfo partition that stores the information of the bootloader such as is_unlocked (aboot), is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version, etc. I don't know if those are read or ignored on ZTE devices while booting.

I took a dump of the /devinfo partition of my ZTE device (the ZTE Avid Plus) with temporary root.

I opened the file using a hex editor (HxD) and found out that it had a similar layout (see the image below). There is a 01 highlighted in yellow; this should mean "Device Tampered" if I am not mistaken. I did tamper with the device, by flashing TWRP via EDL mode, and it did not boot (because of a locked bootloader).

The best part: Unlocking the Bootloader

According to aleph security in the Unlocking the bootloader section at the bottom of the page: https://alephsecurity.com/2018/01/22/qualcomm-edl-2/

"For some devices, such as several Xiaomi ones, partition flashing is sufficient for being able to unlock the Android Bootloader"

Apparently, you can unlock the bootloader by "Setting 1 at offsets 0x10, 0x18, and flashing the modified devinfo will unlock the bootloader."

So, you edit this:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

To this using a Hex editor like HxD:

41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00

01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00

It "should" unlock the bootloader.

I did not try this yet, but did anyone consider this method to unlock the bootloader, or does it not work?

Any ideas? I would like to hear them!

How about the Axon 7 with the official bootloader unlocking? How did that work?
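As an added example (not part of the original post), a read-only inspector for a devinfo dump like the one described above: it checks the ANDROID-BOOT! magic, reads the flag bytes at the 0x10 and 0x18 offsets named in the quoted aleph security writeup, and compares the primary record with the duplicate copy mentioned later in the thread so a mismatch between the two is visible before anything is flashed back. The record size of 0x20 bytes, the `flags` naming and the small duplicate offset used in the constructed sample are assumptions; the page places the real duplicate at 0x07FFE000.

```python
# Read-only inspection of a devinfo dump as laid out on the page. Sample data is constructed.
MAGIC = bytes.fromhex("41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21")   # "ANDROID-BOOT!"
FLAG_OFFSETS = (0x10, 0x18)          # flag bytes named in the aleph security writeup
COPY_OFFSETS = (0x00000000, 0x07FFE000)  # primary and duplicate record seen in the thread
RECORD_LEN = 0x20                    # assumption: the two 16-byte rows shown in the post

def parse_record(data: bytes, base: int) -> dict:
    """Decode one devinfo record starting at `base`; raises on a bad or truncated record."""
    rec = data[base:base + RECORD_LEN]
    if len(rec) < RECORD_LEN:
        raise ValueError(f"record at 0x{base:08X} truncated ({len(rec)} bytes)")
    if rec[:len(MAGIC)] != MAGIC:
        raise ValueError(f"no ANDROID-BOOT! magic at 0x{base:08X}: {rec[:len(MAGIC)].hex()}")
    flags = {off: rec[off] for off in FLAG_OFFSETS}
    return {"offset": base, "flags": flags,
            "unlock_bits_set": all(v == 1 for v in flags.values())}

def inspect_devinfo(data: bytes, copy_offsets=COPY_OFFSETS) -> dict:
    """Parse every record copy that fits in the dump and report whether the copies agree."""
    records = [parse_record(data, off) for off in copy_offsets
               if off + RECORD_LEN <= len(data)]
    states = {tuple(sorted(r["flags"].items())) for r in records}
    return {"records": records,
            "consistent": len(states) == 1,
            "unlock_bits_set": bool(records) and all(r["unlock_bits_set"] for r in records)}

def build_image(primary: bytes, duplicate: bytes, dup_offset: int) -> bytes:
    """Construct a small test image with a primary record at 0 and a duplicate at dup_offset."""
    img = bytearray(dup_offset + len(duplicate))
    img[:len(primary)] = primary
    img[dup_offset:dup_offset + len(duplicate)] = duplicate
    return bytes(img)

# Constructed samples: the stock and modified rows quoted in the post.
STOCK_RECORD = bytes.fromhex("41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00 "
                             "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
MODIFIED_RECORD = bytes.fromhex("41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00 "
                                "01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00")

if __name__ == "__main__":
    # Only the primary record was edited: the inspector reports the copies as inconsistent.
    report = inspect_devinfo(build_image(MODIFIED_RECORD, STOCK_RECORD, 0x1000), (0, 0x1000))
    for rec in report["records"]:
        print(f"record @0x{rec['offset']:08X}: "
              + ", ".join(f"0x{o:02X}={v}" for o, v in rec["flags"].items()))
    print("copies consistent:", report["consistent"])
```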



Comments

  • Alexenferman (United States, Posts: 7)
    edited May 15, 2020 10:08PM

    Kind of a success??

    Quick update, I did set those unlock bits both at offset 00000000 and 07FFE000 (There are duplicates), and flashed devinfo using QFIL 2.0.1.9 but I can't see if the bootloader is unlocked.

    I flashed the TWRP and Lineage recovery build. Both did not boot, but instead of getting that legendary black screen and red light "of death", I got the ZTE logo for a bit and then a restart, which leads me to believe one of two things: either the TWRP and Lineage recoveries that I compiled were badly compiled, or the bootloader is still locked.

    Another thing to note is that each time I boot to Android, the Custom recovery gets replaced by the stock one.

    I will be trying to get Magisk ROOT to see if the boot.img boots.

    Any idea? It will be really appreciated!!

  • Alexenferman (United States, Posts: 7)
    edited May 16, 2020 10:32AM

    GREAT NEWS! It works! Do it!

    I took the stock recovery of another variant of my phone to distinguish them. I disassembled the recovery.img and reassembled it using Android Image Kitchen.

    Before, this did not boot and instead I got that legendary black screen and red light "of death", meaning that there is no more signature on the recovery.

    After I unlocked the bootloader, I flashed the same modified unsigned recovery image and it actually booted!


    My variant is Z828R but the recovery is an unsigned Z828W. You might not see the difference but trust me, it works.

    This means that my TWRP and Lineage Recovery were not compiled correctly. I will port it or fix it and I will show you guys more proof if you want.

    You guys don't know how happy I am for finally defeating this phone for years.

    THIS SHOULD WORK ON ANY ZTE DEVICE WITH ANDROID 5.0+ IN THE WORLD

  • Alexenferman (United States, Posts: 7)
    edited May 16, 2020 9:24PM

    TWRP is working too! It does not work correctly, but it's a proof of concept.
