Root ZTE Zmax Pro Official Root Discussion

[messi2050]

ok on the left is the axon 7 firehose and on the right is zmax pro coderam pulled by @ExtoliS https://androidforums.com/members/extolis.2017681/
can you see that common zte signing

 

[SapphireEx]

I've cleaned up all the data in that code dump for easy reading (Bear in mind, these files are NO LONGER USABLE for flashing or otherwise. A lot of their data has been removed.) https://discord.gg/6s2JkDv

 

[SapphireEx]

I have some massive news for all of you. CODEBIN is our MBN. QFIL has extracted my GPT.
*Edit My current issue is COM read failure. Seems related to cables. Common issue. @ExtoliS is working on it in the mean time.

 

[GarnetSunset]

@SapphireEx Fix your cables nerd.

I'm working on getting those Auth keys.

 

[timgreene93]

Here is the Google drive for the MPS_b08_b12 Update

https://drive.google.com/file/d/0BxuR_RRfOJ8rNUF1Qms1ZmhFdm8/view?usp=drivesdk

 

[Y314K]

Here is the Google drive for the MPS_b08_b12 Update

https://drive.google.com/file/d/0BxuR_RRfOJ8rNUF1Qms1ZmhFdm8/view?usp=drivesdk

I thought MetroPCS Z981's had gone from B08 to B14. That is what mine has been bugging me to update too.

 

[brandonlee199966]

B14 was the last before the Beta Program updates, I believe. B20 was the update after the beta program. B21 just came out about a month ago.

I wish I had dumped some of those... Tho I really wouldn't think they'd have been helpful other then to see what they tweaked with battery and kernel settings.

Wish we could go old school "Hackers" and find a lonely guy at a desk somewhere to give us the info. (Great movie, 9600broad modem on a desk with the IP taped under it... lol)

Im willing to rip the b21 update for metro pcs. If someone one can tell me how? Im still on the b20 update and i blocked the update notification!

 

[messi2050]

B14 was the last before the Beta Program updates, I believe. B20 was the update after the beta program. B21 just came out about a month ago.

I wish I had dumped some of those... Tho I really wouldn't think they'd have been helpful other then to see what they tweaked with battery and kernel settings.

Wish we could go old school "Hackers" and find a lonely guy at a desk somewhere to give us the info. (Great movie, 9600broad modem on a desk with the IP taped under it... lol)

I been checking every update since b08 never got any useful information.

 

[SirMicBic]

please guy dont stop trying. is it possible the to re-edit the scrips if its scrip change verification or possibly emode and adb commands and something else no one has discovery is the problem to our unsuccessful root of the zte z981. ive tried everything went thro 6 zmax pro's with no success.

 

[SapphireEx]

please guy dont stop trying. is it possible the to re-edit the scrips if its scrip change verification or possibly emode and adb commands and something else no one has discovery is the problem to our unsuccessful root of the zte z981. ive tried everything went thro 6 zmax pro's with no success.

Join our discord. A lot of the discussion is ongoing there.

 

[timgreene93]

I thought MetroPCS Z981's had gone from B08 to B14. That is what mine has been bugging me to update too.

When I purchased my phone I think it was on BO8 I'm on B20 it kept trying to force me to update I disabled the app and cleared the storage , I have no experience with newer versions of Android since I stopped messing around with it after ICS , I feel our approach is wrong there have to be some apps that can access system level by default they just have to be reversed engineered it would be nice to mount the phone as R/W on Linux but I don't know how as far as the proper terminal commands go

 

[timgreene93]

The same methods used on older IOS jailbreaks might work , browser based vulnerabilities may not be the best move but if we were able to modify an app that can be installed to system with certain permissions with an embedded program similar to a DLL windows file exploit it might work , or instead of flashing a custom bootloader why not add some more options to the inbuilt if thats possible with the dumps that have been curated these past months , another idea if we can find someone over at XDA to write a virus that takes over the phone but instead of stealing user information it dumps the phone or , compile a fake virus scanner that can retrieve information or dump to system , but I feel an embedded app approach could work - I'm just a tinkerer not a developer

 

[Bigcountry907]

So where are we actually at here. If someone has the got backup. Which is the first 17408 bytes of the Emmc I can accomplish some stuff with it.

I also heard someone say keys.
Is this both the public half and private half of the key. For example. Pk8 and. X509. If you have the private half of the key I have a bash script for signing zip files. After signing the zip you can flash anything using the stock recovery and updater script.

GPT and Keys please.

I'll send you back a big mack and you'll be singing that I'm loving it song.

Please just don't dress like ronald

 

[Y314K]

So where are we actually at here. If someone has the got backup. Which is the first 17408 bytes of the Emmc I can accomplish some stuff with it.

<br>

<br> I also heard someone say keys.

<br> Is this both the public half and private half of the key. For example. Pk8 and. X509. If you have the private half of the key I have a bash script for signing zip files. After signing the zip you can flash anything using the stock recovery and updater script.

<br>

<br> GPT and Keys please.

<br>

<br> I'll send you back a big mack and you'll be singing that I'm loving it song.

<br>

<br> Please just don't dress like ronald

Check it PM BC.

 

[SirMicBic]

Join our discord. A lot of the discussion is ongoing there.

send me an invite.username is the same as here.

 

[Y314K]

send me an invite.username is the same as here.

Anybody can join in. It is just the invite got moved to the Irma thread.

"*Edit I've set up a Discord here: https://discord.gg/6s2JkDv, which should allow faster communication between people. I'll still be using this forum for posting general exploits and similar."

This is where the sausage is being made.

 

[GarnetSunset]

The same methods used on older IOS jailbreaks might work , browser based vulnerabilities may not be the best move but if we were able to modify an app that can be installed to system with certain permissions with an embedded program similar to a DLL windows file exploit it might work , or instead of flashing a custom bootloader why not add some more options to the inbuilt if thats possible with the dumps that have been curated these past months , another idea if we can find someone over at XDA to write a virus that takes over the phone but instead of stealing user information it dumps the phone or , compile a fake virus scanner that can retrieve information or dump to system , but I feel an embedded app approach could work - I'm just a tinkerer not a developer

So you're saying use privilege escalation?
Why have we never thought of that before /s

Freal tho that's the basis for every root exploit ever, use what's already there to escalate from user privs to system privs.

 

[SapphireEx]

Pretty much doing anything on any device requires you to elevate privileges. It's when those privileges are locked pretty much the Only way is getting a system app with low level privileges to call a script and run it with those fore-mentioned low level privs.

<br>

<br> For example the flashlight app in the old Evo 3Ds for some freaking reason had system privileges and that was their way in.

Apparently a lot of our media decoders also have kernel level RWX

 

[GarnetSunset]

Pretty much doing anything on any device requires you to elevate privileges. It's when those privileges are locked pretty much the Only way is getting a system app with low level privileges to call a script and run it with those fore-mentioned low level privs.

For example the flashlight app in the old Evo 3Ds for some freaking reason had system privileges and that was their way in.

Apparently a lot of our media decoders also have kernel level RWX

Yush.

 

[Chloe936]

Here people keep asking for this.

Btw the quadcore do you mean the app that lets you scan? @SapphireEx

 

[Chloe936]

Btw guys I might be late with replies. I had to move to GA due to the hurricane. Now everything is flooded so we cannot return... At least not right now

 

[CaseyRockStar]

Jumping in here .....


I'm not quite an expert in mobile devices or Android programming, but I'm pretty good with English, and I think it's possible we've all missed something on this topic.

In "Settings > Developer Options" (once you've activated Developer Options by tapping), there's an option to unlock the bootloader for OEM processes:

When you activate the slider, you first get a warning:

​

Okay, this option is likely merely part of the OS, and it's functionality is likely stymied by whatever ZTE blockages have given rise to all the angry and lengthy threads on this topic, but ....

BUT: Android does say "Device protection features won't work on this device . . ." If that's not true, and device protections DO still work on this device, isn't that something Google/Android would want to know?

 

[scary alien]

@CaseyRockStar, those Settings -> Developer menu options work in conjunction with the dm-verity and other device integrity checks and I'm pretty sure aren't in play unless the bootloader is actually unlocked (which you guys cannot (yet) do for this device).

For the Nexus/Pixel line of devices (for example, that have those same Settings), you do indeed have to enable/allow bootloader unlocking before you (or try to) unlock the bootloader from fastboot.

If/when you have unlocked the bootloader (like I have on my Nexus 6P) you'll get warnings when you reboot that the device integrity cannot be checked--i.e., because the bootloader has been unlocked and is therefore "open" to modification (i.e., untrusted).

BTW, I keep my bootloader unlocked (on my devices) for recovery purposes...not necessarily to have root installed anymore.

 

[ohnoiforgotmypas]

Would it be possible for the new Bluetooth "blueborne" attack would be able to help us?
I can't find any news articles that go in depth about the attack.

 

[ZMAX4EVER]

This thread has produced some of the best cliffhangers. Just a shame there never seems to be a conclusion. Just after it seems everyone is nearing a breakthrough......... the sound of crickets. Haha