Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
What's needed for trying to grab the signing keys from the ota update? I haven't updated yet so, I can try to see if I can't get what we need. @SapphireEx @messi2050
A ZTE employee lanyard.

Or a nation class super computer.

*Edit: That sounded a bit dickish. But it's true. End users almost never get access to OEM keys, and if we do, it's due to a VERY lucky bruteforce, or an employee leaking it (ZTE AXON).
 
Well hell, all I have is a pen testing dedicated system. Definitely not a server.

I'm assuming Kali/Backtrack. You could always help @GarnetSunset with Broadpwn (It's a very complex exploit. Easy to execute, but extremely rough in actually exploiting), or send metasploit payloads to the phone and hope something happens. If you are skilled with reverse engineering, you could always poke the phone with us and see what comes up.
 
Backtrack isn't available any more, unless you can find a legacy upload. Never had the chance to reverse engineer a phone; maybe Cyber Forensics can shed a small light on something. I'll start running that and let you know if I can find anything worthwhile, and I'll read up on the exploits while forensics runs.
 
Here's a good starting place: https://www.cvedetails.com/vulnerab...7/version_id-188440/Google-Android-6.0.1.html

While most of these don't have public PoC's, they are starting points.

For a TL;DR of the Z981:
Locked bootloader
DM-Verity enabled
Fastboot has been removed/hidden
Android version: 6.0.1
Mainboard: Qualcomm MSM8952
Driver support: Generic Google USB
/Dev/* is ---
/tmp is RWX
Phone is suspected of having a SUID user built in
Has full Toybox, and full busybox installed and symlinked.

Various commands known to work:
Reboot bootloader (Acts like a standard reboot)
Reboot recovery
Reboot disemmc (Attempts to disable EMMC write protection, only Messi has gotten anything out of this)
Reboot FTM (Field test mode, has a userland ADB interface)
Reboot EDL (Qualcomm factory interface. Only communicates over qfil and similar programs)
Updates for MetroPCS: B08, B14, B20, B21
B08 is exploitable via Quadrooter (Unconfirmed)
B14 and below confirmed exploitable via Dirty C0w variant intended for LG devices. Gives root access, but system instantly reboots, and wipes the exploit.
B20/B21 unknown

Loony has gained URD access at one point, but I think he said something failed.

Kernel source is available from ZTE (It's rather generic)
 
And now I get this every time I plug it in
 

I'd recommend they give it a shot honestly. Super simple stuff. And college just started so I'm a little full of work at the moment.
 
Ok, I'm new here and I just want to know if there is root available for the zmax pro already... I've been looking forever already.

Short answer: No
Long answer: Yes, but it's unusable due to being available for literally a few CPU cycles, then the phone reboots and wipes the root.
 
I have been following this thread for a long time now and the devs here deserve a huge pat on the back for their efforts.
I have decided to get a new phone so I can have root and I am torn between the ZTE axon 7, even though I really don't want to give ZTE any more money lol, it has root and is in my $400 price range, or the LG v20, but from what I read the updates for the phone suck. Just wondering your guys' recommendations?
I really like the zmax pro, it's been a real good phone and I got it free from metro so can't complain. I just want a phone I can root and play with. Thanks again to the devs here for trying so hard.
 
Go with the axon 7
 
Really the Axon 7 if it's your only ZTE option. If not, I'd recommend a Nexus device. It has a massive dev base, and is pretty much the de facto modding platform outside of some Samsung devices. If you can't or don't like the nexus, go with the LG. They aren't bad phones, and generally get root rather quickly.
 
I hope for some of us under B14 or B08 (kept all mine on B08) DirtyCow might still be a viable option. But it's above my pay-grade. But hope someone in the know can check the following info out.

Seems some older FW FTVs are rootable through it.

https://forum.xda-developers.com/fire-tv/general/guide-rooted-fire-tv-via-dirtycow-t3489922/page12

But it is not a single run thing. You have to keep running Dirtycow. And each time it gets farther up until you are rooted. Not sure if that was the approach that was tried here. Doing it one small step at a time until root.

FTV does not have DM-Verity & it seems they did find the Wifi part would give them root access. But they still had to build (run Dirtycow) over & over until stable root.
 
The thing is that we aren't/weren't using the original Dirty C0w. We are using a specialized fork, as the original program doesn't seem to work. We can try getting the original to run, but we are still stuck behind dm-verity.
 
Well I currently own a zmax pro and will be picking up a ZTE Max xl today..

I hope to see if there is any difference in phones firmware wise and see if I can find something on the xl that can be used on the pro.
 
The XL is 7.0 innit? Still it could be useful.
 
So I've been researching the AVC exploit pretty hard, and I found the exact exploitable source code from a blackberry changelog of all things.

Quote: In decoder/ih264d_utils.c in ih264d_allocate_dynamic_bufs (of libavc), there is an out-of-bounds write issue, which could lead to remote arbitrary code execution.

This is a major bug (9.3 in the CVE severity rankings), and now we have an entry point. Out of bounds writing isn't too complex, and if we can get this rolling, we can do a pretty simple, mass exploit on the OS as a whole.

More quotes!

Quote: In decoder/ih264d_format_conv.c in ih264d_fmt_conv_420sp_to_420sp (of libavc), a heap buffer overflow could occur due to an unchecked num_rows in the memcpy, which could lead to remote arbitrary code execution in privileged process.
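Added illustration, not from the thread and not libavc's code: the "unchecked num_rows in the memcpy" pattern from the second quote, written as a constructed 4:2:0 semi-planar copy routine next to a version that validates the row count against both frames before copying. The frame_t layout, function names and the 4x4 demo frame are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the bug class in the quoted CVE text: copying
 * num_rows rows of a 4:2:0 semi-planar (420sp) frame, where num_rows comes
 * from the decoded bitstream. Not libavc's real code; names are made up. */
typedef struct {
    uint8_t *y;     /* luma plane: ht rows of wd bytes, strd bytes apart */
    uint8_t *uv;    /* interleaved chroma plane: ht/2 rows of wd bytes */
    uint32_t wd, ht, strd;
} frame_t;

/* Vulnerable pattern: num_rows is trusted. When it exceeds dst->ht the
 * memcpy runs past the end of dst->y and dst->uv, a heap overflow in the
 * (privileged) process that owns the decoder. */
void conv_420sp_unchecked(const frame_t *src, frame_t *dst, uint32_t num_rows)
{
    for (uint32_t r = 0; r < num_rows; r++)
        memcpy(dst->y + r * dst->strd, src->y + r * src->strd, src->wd);
    for (uint32_t r = 0; r < num_rows / 2; r++)
        memcpy(dst->uv + r * dst->strd, src->uv + r * src->strd, src->wd);
}

/* Hardened pattern: validate num_rows and width against BOTH frames before
 * any copy, and refuse (not clamp) when the request does not fit.
 * Returns 0 on success, -1 on rejection. */
int conv_420sp_checked(const frame_t *src, frame_t *dst, uint32_t num_rows)
{
    if (num_rows == 0 || (num_rows & 1u)) return -1;         /* 4:2:0 needs even rows */
    if (num_rows > src->ht || num_rows > dst->ht) return -1; /* rows must fit both */
    if (src->wd > dst->wd || src->wd > src->strd || src->wd > dst->strd) return -1;
    conv_420sp_unchecked(src, dst, num_rows);   /* now known to be in bounds */
    return 0;
}

/* Demo on a tiny constructed 4x4 frame: returns -1 if the checked converter
 * rejects num_rows, 1 if it accepts and every byte landed, 0 if it accepts
 * but only part of the frame was copied (num_rows smaller than the frame). */
int demo_420sp(uint32_t num_rows)
{
    uint8_t sy[16], suv[8], dy[16], duv[8];
    for (int i = 0; i < 16; i++) sy[i] = (uint8_t)i;
    for (int i = 0; i < 8; i++)  suv[i] = (uint8_t)(0x80 + i);
    memset(dy, 0, sizeof dy); memset(duv, 0, sizeof duv);
    frame_t src = { sy, suv, 4, 4, 4 }, dst = { dy, duv, 4, 4, 4 };
    if (conv_420sp_checked(&src, &dst, num_rows) != 0) return -1;
    return (memcmp(sy, dy, 16) == 0 && memcmp(suv, duv, 8) == 0) ? 1 : 0;
}
```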
 