Unlike mainstream phones, where the bootloader is the only barrier, ZTE implements kernel-level locks. Even if you unlock the bootloader via `fastboot oem unlock`, ZDroid re-locks the kernel on the next boot. The kernel checks digital signatures on any modification to the system, vendor or boot partitions, so without unlocking the kernel any su binary or custom recovery is rejected at exec time.
From 2023 onward, ZTE introduced SMT 2.0 with hardware fuses, and the traditional Firehose exploits no longer work. For devices like the ZTE Axon 50 Ultra or Nubia RedMagic 9 (Nubia uses ZDroid too), you need to short the test points on the motherboard (CPU_DET and GND) to force the device into Qualcomm EDL mode (the USB device that enumerates as 9008). Then use an authorized Xiaomi EDL account (ironically, the same server handles ZTE licenses) to send the SMT unlock token.
If you lack an authorized account, you can try the seacave method: glitching the voltage on the eMMC clock line during boot to confuse ZDroid into skipping kernel verification. This is extremely advanced and requires soldering skills and an oscilloscope.
| Problem | Symptom | Solution |
|---------|---------|----------|
| SMT write fails | QFIL error "Unable to write to partition" | Newer phones need the `--memory UFS` flag; older eMMC devices need `--memory eMMC` |
| ZDroid respawns | After reboot, Settings shows "Device Locked" | ZDroid has a secondary watchdog in tz.mbn. Flash an unlocked tz partition from a similar chipset. |
| No fastboot | Device only boots to EDL | You deleted aboot. Use sdl.exe to restore the aboot backup from Step 3. |
| IMEI = 0 | Radio dead after kernel unlock | Your QCN backup is corrupted. Restore it using QPST Software Download → Restore QCN. |
SMT is the golden backdoor. Originally designed for factory technicians, SMT mode bypasses all user-level security. When a ZTE device enters SMT mode via a specific hardware key combination or EDL command, it allows:
Crucial distinction: There are two SMT contexts. Factory SMT requires an authorized ZTE token (impossible for consumers). Generic SMT mode leverages leaked Qualcomm programmers to trick the device into thinking it’s in a factory state.
1. `fastboot flashing unlock` (or the OEM-specific command). Accept the wipe on the device.
2. `fastboot flash boot boot.img` (or use the recovery method).
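The two fastboot steps above, wrapped in a guarded script as an added example (this is not code from the original page or from ZTE). It refuses to run the destructive steps unless the backups the troubleshooting table depends on (aboot and QCN) exist, are non-empty and match a recorded SHA-256, and it only flashes boot.img once `fastboot getvar unlocked` actually reports `unlocked: yes`. The file names, the digest-as-argument convention and the `DRY_RUN` switch are assumptions; `fastboot` is assumed to be on `PATH`, and the script defaults to dry-run so it prints the commands instead of touching a device.

```shell
#!/bin/sh
# Added example, not from the original page: guarded unlock-then-flash.
# Assumptions: fastboot on PATH, backup digests supplied by the caller,
# DRY_RUN=1 (default) prints commands instead of executing them.

FASTBOOT="${FASTBOOT:-fastboot}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to execute for real

# run CMD... : execute CMD, or in dry-run mode only echo the command line
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# sha256_of FILE : print the SHA-256 hex digest of FILE (Linux or macOS tooling)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_backup FILE EXPECTED_SHA256 : succeed only if FILE exists, is
# non-empty and its digest matches. A zero-byte or truncated QCN is exactly
# the "IMEI = 0" failure in the table, so a bad backup blocks the whole run.
check_backup() {
    file="$1"; expected="$2"
    [ -s "$file" ] || { echo "missing or empty backup: $file" >&2; return 1; }
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ] || { echo "checksum mismatch: $file" >&2; return 1; }
    return 0
}

# is_unlocked GETVAR_OUTPUT : succeed if the captured text of
# `fastboot getvar unlocked` reports "unlocked: yes". fastboot writes getvar
# results to stderr, so callers capture with 2>&1. Matching is
# case-insensitive and strips CR so Windows fastboot output also works.
is_unlocked() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' | grep -q 'unlocked: *yes'
}

# unlock_and_flash BOOT_IMG ABOOT_BACKUP ABOOT_SHA QCN_BACKUP QCN_SHA
unlock_and_flash() {
    boot_img="$1"
    check_backup "$2" "$3" || return 1
    check_backup "$4" "$5" || return 1
    [ -s "$boot_img" ] || { echo "boot image missing: $boot_img" >&2; return 1; }

    # Step 1: unlock; the data wipe must be confirmed on the device screen.
    run "$FASTBOOT" flashing unlock

    # Verify the bootloader state before flashing anything. In dry-run mode
    # there is no device, so a successful unlock is assumed.
    if [ "$DRY_RUN" = "1" ]; then
        state="unlocked: yes"
    else
        state="$("$FASTBOOT" getvar unlocked 2>&1)"
    fi
    is_unlocked "$state" || { echo "bootloader still locked, not flashing" >&2; return 1; }

    # Step 2: flash the patched boot image and reboot.
    run "$FASTBOOT" flash boot "$boot_img"
    run "$FASTBOOT" reboot
}
```

Record the digests when you take the backups (`sha256sum aboot.bin backup.qcn > backups.sha256`) and pass them to `unlock_and_flash`; a mismatch months later means the backup is not the one you think it is, which is precisely when the "restore from Step 3" advice in the table would silently fail.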