Root ZTE ZMAX Pro (Z981) root discussion

[Powduh]

found this tool to flash firmware for zte in qualcomm 9008 mode
https://yadi.sk/d/mR17-gxhgKcz5
it's the same tool found in this thread
http://www.androidbrick.com/unbrick...-you-have-the-right-kind-of-rom-qhsusb_dload/
it may help flashing twrp..

I hate to sound like everyone else, but master messi2050, what are you doing lurking the Android forums right now? Get your exams taken care of man. I know you're a beast, I've been lurking through some of your stuff around, but man, education is the key to success...

On another note, thanks for this find, will see if it will allow any type of flashing when I get home. If it does even see our phone, we may have a starting point.

 

[messi2050]

I hate to sound like everyone else, but master messi2050, what are you doing lurking the Android forums right now? Get your exams taken care of man. I know you're a beast, I've been lurking through some of your stuff around, but man, education is the key to success...

On another note, thanks for this find, will see if it will allow any type of flashing when I get home. If it does even see our phone, we may have a starting point.

Thanks man ,My next exam is after 10 days from now , i had 4 exams this week so i think some play around won't be bad xD , i worked on finding a root workaround for more than 6 hours today almost tried everything including xiaomi mi flash tool , dirtycow, z11 max root method..etc still no success but I will keep trying using the dirtycow as i think that this exploit has the best chance on this phone..

 

[messi2050]

Man.. You Use And Abuse The Dirt Off That Cow...
Bend It.. To Your Will..

You need to compile new binaries with every new target init file as we don't know the correct init file to patch so it will take up to 10 trys to figure it out.
I will explain it , this is the target file for the dirtycow patch to set selinux to permissive mode this file exist on lg v20
https://github.com/jcadduono/android_external_dirtycow/blob/android-6.0/recowvery-applypatch.c#L46
No such file on the zmax pro coz of the different vendors so u need to try with every possible target init file..

 

[messi2050]

so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .

 

[lambo352]

so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .

That's some serious progress.. I have faith in you.. just make time for studies..

 

[DMedina559]

Edited: With a locked bootloader we can't have a custom recovery as the bootloader checks for modifications upon boot. However, we can have temp root with dirty cow.... to the best of my knowledge.

I still think if we can get even temp root we can possibly zero out download mode or recovery to access fastboot and unlock the bootloader. I'd be willing to try it we can get any type of root

 

[bcrichster]

so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .

OK.. Then this device is locked the way they did the ZTE Speed when @SuperR & I tried. It'll flash but becomes inaccessible since we got smart and started using recovery to obtain Root. No recovery access for us equals less Rooting options. Hence there may be no recovery options until a bypass is figured out. A new ZTE thing.. The Warp Sync is gonna be the last ZTE device I use if they don't loosen up on the boot locks. I told our Carrier that much of their device revenues are tied to their Rooting capability. You guys are doing great, I'll be watching cuz if you make the breakthrough then the other Warp models (Elite & Warp 7) may stand a chance.

 

[Elix9000]

OK.. Then this device is locked the way they did the ZTE Speed when @SuperR & I tried. It'll flash but becomes inaccessible since we got smart and started using recovery to obtain Root. No recovery access for us equals less Rooting options. Hence there may be no recovery options until a bypass is figured out. A new ZTE thing.. The Warp Sync is gonna be the last ZTE device I use if they don't loosen up on the boot locks. I told our Carrier that much of their device revenues are tied to their Rooting capability. You guys are doing great, I'll be watching cuz if you make the breakthrough then the other Warp models (Elite & Warp 7) may stand a chance.

theres a recovery, just no fastboot although we may be able to use download mode.

 

[DMedina559]

https://source.android.com/devices/tech/ota/
According to this the keys for ota updates are stored in the recovery ramdisk in /res/keys, is it possible to pull the stock recovery without root

Spoiler

A typical OTA update contains the following steps:

1. Device performs regular check in with OTA servers and is notified of the availability of an update, including the URL of the update package and a description string to show the user.
2. Update downloads to a cache or data partition, and its cryptographic signature is verified against the certificates in /system/etc/security/otacerts.zip. User is prompted to install the update.
3. Device reboots into recovery mode, in which the kernel and system in the recovery partition are booted instead of the kernel in the boot partition.
4. Recovery binary is started by init. It finds command-line arguments in /cache/recovery/command that point it to the downloaded package.
5. Recovery verifies the cryptographic signature of the package against the public keys in /res/keys (part of the RAM disk contained in the recovery partition).
6. Data is pulled from the package and used to update the boot, system, and/or vendor partitions as necessary. One of the new files left on the system partition contains the contents of the new recovery partition.
7. Device reboots normally.
   1. The newly updated boot partition is loaded, and it mounts and starts executing binaries in the newly updated system partition.
   2. As part of normal startup, the system checks the contents of the recovery partition against the desired contents (which were previously stored as a file in /system). They are different, so the recovery partition is reflashed with the desired contents. (On subsequent boots, the recovery partition already contains the new contents, so no reflash is necessary.)

The system update is complete!

 

[jhgfrtu]

Run-as-root fails ..error selinux enforcing every time.

 

[jhgfrtu]

To the best of my knowledge, after the command when the phone restores recovery upon reboot the phone will flicker and not reboot like the previous dependencies. After I manually reboot of course the exploit is lost
. I even tried disabling selinux for a daemon session ...# setsebool named_disabled_trans 1

output received : SELINUX DISABLED. not sure how to disable boot selinux.
Any thoughts anyone?

 

[jhgfrtu]

Well at least if no root I was able to install Ubuntu finally and run as root via sudo gnome-terminal ..lol

 

[Powduh]

so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .

And this has somehow restored my faith, that we will obtain root access... Give it hell man

 

[messi2050]

i contacted [jcadduono at xda] who is the maintainer of twrp and the method to flash twrp through the dirtycow exploit on lg v20 asking about the black screen issue after applying the patch , i got this reply :
[nope that's not how it works, it is for devices with unlocked bootloader, which the zmax pro is not] -_-

 

[Powduh]

i contacted [jcadduono at xda] who is the maintainer of twrp and the method to flash twrp through the dirtycow exploit on lg v20 asking about the black screen issue after applying the patch , i got this reply :
[nope that's not how it works, it is for devices with unlocked bootloader, which the zmax pro is not] -_-

So that makes dirty cow a dead end also?

 

[messi2050]

So that makes dirty cow a dead end also?

yes..

 

[Powduh]

yes..

Not cool. We can't even access bootloader... Anywho... NEXXXT....lmao

 

[joshua molina]

sad

 

[jhgfrtu]

yeah zte locked this one up tight. lol luckily I use this phone as entertainment purposes only ..like you tube camera gaming ..etc..LG stylo plus 2 rooted is my daily driver. sorry guys ..I tried ..good specs on this phone and clearing cache stopped the battery drain after the manual b12 update..
Happy new year AF..
I'm done with rooting zte's but if anything's comes up in 2017 I'll be back...

 

[Powduh]

I'm thinking we're going to end up needing fastboot. But, if we could manage a kernel with the necessary modifications, is there any way we could achieve systemless root? I'm sincerely hoping something happens to breakthrough for this phone. I've been trying everything I can remember EVER working to gain root access, but either it fails, or force closes, or both. PC methods aren't getting any further.

On another note, upon reading most of this thread again for about the billionth time, I'm also interested to see if we actually have a bootloader/fastboot, and just can't access it without somehow tripping it to come out of hiding. I remember other devices having to run an adb command to open bootloader before we could even attempt to gain root....

 

[Elix9000]

The adb command is "adb reboot fastboot" then when your in fastboot mode "fastboot oem unlock". We are far past that. Those days are over unless you buy an unlocked device online that is independent of a carrier.

correction,unless you buy a pixel

 

[messi2050]

I'm thinking we're going to end up needing fastboot. But, if we could manage a kernel with the necessary modifications, is there any way we could achieve systemless root? I'm sincerely hoping something happens to breakthrough for this phone. I've been trying everything I can remember EVER working to gain root access, but either it fails, or force closes, or both. PC methods aren't getting any further.

On another note, upon reading most of this thread again for about the billionth time, I'm also interested to see if we actually have a bootloader/fastboot, and just can't access it without somehow tripping it to come out of hiding. I remember other devices having to run an adb command to open bootloader before we could even attempt to gain root....

I can compile custom kernel , cm or even anything that can come to your mind but the question will stay the same how to flash it , fastboot was removed (not hidden) even if king root can give root access on this device it will be a temporary root that get lost on reboot, i have dealt with phones from at&t , metro , verizon and t-mobile , metro does not lock their phones or their bootloader (at least for the phones i dealt with) so i think it was zte decision to remove fastboot which is the only way to unlock the bootloader.

 

[Krlypumaa]

I have been a lt busy with health issues in Family.... N havbeen travelling a lot .... But can someone try this to see what exactly it'll do on our device
https://android-developers.googleblog.com/2016/07/protecting-android-with-more-linux.html?m=1

https://android.googlesource.com/platform/system/sepolicy/+/38ac77e4c2b3c3212446de2f5ccc42a4311e65fc

 

[Krlypumaa]

Changing with a 0 it wii grant access

 

[Deleted User]

I can compile custom kernel , cm or even anything that can come to your mind but the question will stay the same how to flash it , fastboot was removed (not hidden) even if king root can give root access on this device it will be a temporary root that get lost on reboot, i have dealt with phones from at&t , metro , verizon and t-mobile , metro does not lock their phones or their bootloader (at least for the phones i dealt with) so i think it was zte decision to remove fastboot which is the only way to unlock the bootloader.

this, my friend allegedly got root access but it reboots after 20 seconds or so however if this is true I believe it's enough to change selinux. and provide permanent privilege.