• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

ZTE Whirl z660g only temp root so far

Error420

Error420

Newbie
I've been messing around with a zte whirl z660g (tracfone version) that I picked up on black friday for $27, I figured what the heck. The type of work I do I'm not going to drop very much money on a smart phone, I've been using a rugby flip phone I found on the ground at a park. Anyway every since I bought the phone I've been messing around looking at how to root the thing. Basically reading what I can about rooting zte phone's. I really got interested in some things a couple of guys are doing over in another thread and I'm going to try some of the things they are.

I might have a little bit of a slight edge on them though, I came across a way to temp root the whirl z660g using framaroot. It's kinda a crazy way to do it but I can get a # prompt with adb so I'm thinking thats a plus. Anyway heres the way I've been getting temp root on the whirl.

1) Install the Framaroot apk
2) Drain the battery below 25%
3) Power off the device.
4) Press the power button just long enough to get the indicator led to blink, I have the best luck blinking the indicator led 3 times.
5) Power on the device and wait for it to boot
6) Open Framaroot and I get the whirl to root using the gandolf option.

This is only a temp root and goes away after a reboot or running certain apps or doing certain other things but I think I'm going to mess around and see about dumping the recovery etc. And seeing what I can come up with.

This is as far as I've gotten so far and figured I would start a new thread instead of getting in the middle of a couple of other guys thread about a different device.
 
Here is my output from the cat proc/partitions command in a adb shell.

cat proc/partitions
major minor #blocks name

7 0 16664 loop0
7 1 2111 loop1
179 0 3817472 mmcblk0
179 1 8192 mmcblk0p1
179 2 8192 mmcblk0p2
179 3 8192 mmcblk0p3
179 4 1 mmcblk0p4
179 5 8192 mmcblk0p5
179 6 8192 mmcblk0p6
179 7 8192 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 32768 mmcblk0p9
179 10 16384 mmcblk0p10
179 11 8192 mmcblk0p11
179 12 8192 mmcblk0p12
179 13 65536 mmcblk0p13
179 14 8192 mmcblk0p14
179 15 8192 mmcblk0p15
179 16 16384 mmcblk0p16
179 17 16384 mmcblk0p17
179 18 16384 mmcblk0p18
179 19 614400 mmcblk0p19
179 20 8192 mmcblk0p20
179 21 307200 mmcblk0p21
179 22 2387968 mmcblk0p22
179 23 212992 mmcblk0p23
179 32 3813376 mmcblk1
179 33 3812352 mmcblk1p1
254 0 16663 dm-0
254 1 2110 dm-1
 
Here is my output from the mount command in a adb shell

mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p19 /system ext4 ro,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.3/by-num/p22 /data ext4 rw,nosuid,nodev,relatime,no
auto_da_alloc,data=ordered 0 0
/dev/block/mmcblk0p10 /persist ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/mmcblk0p21 /cache ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1
023,default_permissions,allow_other 0 0
/dev/block/dm-0 /mnt/asec/com.jrummy.liberty.toolboxpro-1 ext4 ro,dirsync,nosuid
,nodev,noatime 0 0
/dev/block/dm-1 /mnt/asec/com.geeksoft.filexpert.donate-1 ext4 ro,dirsync,nosuid
,nodev,noatime 0 0
/dev/block/vold/179:33 /storage/sdcard0 vfat rw,dirsync,nosuid,nodev,noexec,rela
time,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,ioc
harset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:33 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,rela
time,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,ioc
harset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /storage/sdcard0/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
 
might look like I'm talking to myself but I'm just going through some of the steps stayboogy has other's going through in a thread about the Zte valet called "i'll help find a root method if..."

I'm just starting to get some of the stuff listed so the info is in one place and maybe if I'm lucky I can get other with more experience then me to help out a little. Think I might have to even reinstall rom kitchen changed my linux install.
 
Here is a screen capture of the folders in my /dev folder

shot_2013-12-21_20-20-35.png
 
Error420 said:
Here is the stock boot.IMG file I extracted with did, I also extracted what was lab led the recovery.IMG. I'm going to do some more looking into it because both images where 16 meg each, just seems odd to me.

whirl-stock-boot.img
whirl-stock-recovery.img
Click to expand...


hey, i got your .img files downloaded.

when i get the Jelly Bean repo downloaded and built, i'll start building a fake recovery flash with it that should install no problem on stock 3e recovery. this will give temp cwm which will allow installing unsigned zips that can give full root.

it'll likely be a few days however.

if someone who has the cyanogenmod jb repo downloaded and built can build a recovery from the stock kernel extracted from the stock recovery.img/boot.img and the mount and partitions info, before me, then by all means, build away.

that's all that has to be done.
 
Had to insert my text at first but stayboogy that would be great. I'm going to do some more digging after I take care of s few things around the house also. Been backing a few thing up first off.

Thanks again.

Gotta love auto correct.


stayboogy said:
hey, i got your .img files downloaded.

when i get the Jelly Bean repo downloaded and built, i'll start building a fake recovery flash with it that should install no problem on stock 3e recovery. this will give temp cwm which will allow installing unsigned zips that can give full root.

it'll likely be a few days however.

if someone who has the cyanogenmod jb repo downloaded and built can build a recovery from the stock kernel extracted from the stock recovery.img/boot.img and the mount and partitions info, before me, then by all means, build away.

that's all that has to be done.
Click to expand...
 
I figured I would post so you were not talking to yourself...

Be VERY careful if you decide to try to make changes to either of those images. Flashing a modified boot image back to the Valet is what bricked it...

We were attempting to change ro.secure=1 to ro.secure=1 in the default.prop at boot, which it theory would have allowed adb root access. Changing it in the default.prop only reverts back on reboot.

Can you explain why the battery needs to be drained for this method? Do you have any documentation as to what effect it has that allows access?

Cheers!

EDIT: I see stayboogy already broke your run of talking to yourself LOL
 
Not exactly sure why being below 25% lets famaroot gain temp root but it does. Being a partial hardware guy I keep thinking about pin high and low for locking tsops but I bet I'm prob so far off it isnt funny. I do know the voltage drops the lower you drain the battery. I just so happened upon this method by mistake. Got framaroot to work temp when I first go the device but then nothing charged and wouldnt temp root at all. I messed with it for weeks and nothing thought it locked itself. Then one day the power was low and I pressed the button a few times powerd on and got temp root. That night I messed around trying to get su to stick in the /system/xbin directory and couldnt get it. Thought the 3 push deal was the trick and charged phone all the way. Next day couldnt get it to work with a full charge nothing. So I thought about it and the only thing that was different was the battery level. So I downloaded a battery drain app and tested for root every so often. Finally got it to root at 25% and lower battery level. I'm just wondering if this method will work with othe zte devices.

I'm doing some more reading and I'm going to try to keep from bricking it, but if I do at least it was only $27 and so far I think Ive got my money worth just in the fun Ive had messing with it.
 
I also wonder if it could also mean a hole in one of the power saving apps or services... Just seems like a interesting combination.

I know you can power the phone by the usb port without the battery... For giggles, can you do me a favor? Can you try the same method without the battery installed? Just powered by the USB cable...

I just want to see if some feature is looking for the voltage at the battery terminals to enable or disable write access... Could be some sort of service mode. Still won't get us permanent root, but it may give us something to speculate about about in the design...
 
Pretty sure I've tried with usb power and pulling the battery and pretty sure it just reboots. I'll check it out here in a few having to do a fresh ubuntu install. Was messing around and changed everything a while back. The ubuntu partition was actually zentyall had centos installed insted of ubuntu so I trashing all that. Dont really wunna let the nieghbors use a captive portal on my sat connection, I live in the sticks. :D

The kid thrashed the psu on my laptop so until I replace that I'm stuck on the desktop
 
Going to use some of this info and dump my system.img

shell@android:/ $ su
su
root@android:/ # cat /cache/recovery/last_log
cat /cache/recovery/last_log
Starting recovery on Sun Dec 22 21:44:51 2013
framebuffer: fd 4 (320 x 480)
recovery filesystem table
=========================
0 /tmp ramdisk (null) (null) 0
1 /boot emmc /dev/block/mmcblk0p16 (null) 0
2 /cache ext4 /dev/block/mmcblk0p21 (null) 0
3 /data ext4 /dev/block/mmcblk0p22 (null) -16384
4 /zteforatt ext4 /dev/block/mmcblk0p5 (null) 0
5 /recovery emmc /dev/block/mmcblk0p17 (null) 0
6 /splash emmc /dev/block/mmcblk0p18 (null) 0
7 /misc emmc /dev/block/mmcblk0p20 (null) 0
8 /sdcard vfat /dev/block/mmcblk1p1 /dev/block/mmcblk1 0
9 /system ext4 /dev/block/mmcblk0p19 (null) 0
10 /amss emmc /dev/block/mmcblk0p13 (null) 0
11 /oemsbl emmc /dev/block/mmcblk0p3 (null) 0
12 /emmcboot emmc /dev/block/mmcblk0p15 (null) 0
13 /cefs emmc /dev/block/mmcblk0p11 (null) 0
14 /qcsblhd_cfgdata emmc /dev/block/mmcblk0p1 (null) 0
15 /qcsbl emmc /dev/block/mmcblk0p2 (null) 0

Command: "/sbin/recovery"

ro.boot.hardware=qcom
ro.boot.emmc=true
ro.boot.serialno=be875d1e
ro.boot.authorized_kernel=true
ro.boot.baseband=msm
ro.serialno=be875d1e
ro.bootmode=unknown
ro.baseband=msm
ro.bootloader=unknown
ro.hardware=qcom
ro.revision=0
ro.factorytest=0
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
ro.build.id=JRO03C
ro.build.display.id=Z660GV1.0.0B10
ro.build.version.incremental=20130715.135202.31425
ro.build.version.sdk=16
ro.build.version.codename=REL
ro.build.version.release=4.1.1
ro.build.date=Mon Jul 15 13:52:44 CST 2013
ro.build.date.utc=1373867564
ro.build.type=user
ro.build.user=wsys
ro.build.host=ubuntu
ro.build.tags=release-keys
ro.product.model=Z660G
ro.product.brand=ZTE
ro.product.name=P752A21
ro.product.device=nice
ro.product.board=nice
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.manufacturer=ZTE
ro.product.locale.language=en
ro.product.locale.region=US
ro.wifi.channels=
ro.board.platform=msm7627a
ro.build.product=nice
ro.build.description=P752A21-user 4.1.1 JRO03C 20130715.135202.31425 release-key
s
ro.build.fingerprint=ZTE/P752A21/nice:4.1.1/JRO03C/20130715.135202.31425:user/re
lease-keys
ro.build.characteristics=default
rild.libpath=/system/lib/libril-qc-1.so
rild.libargs=-d /dev/smd0
persist.rild.nitz_plmn=
persist.rild.nitz_long_ons_0=
persist.rild.nitz_long_ons_1=
persist.rild.nitz_long_ons_2=
persist.rild.nitz_long_ons_3=
persist.rild.nitz_short_ons_0=
persist.rild.nitz_short_ons_1=
persist.rild.nitz_short_ons_2=
persist.rild.nitz_short_ons_3=
persist.data_netmgrd_mtu=1410
ril.subscription.types=NV,RUIM
DEVICE_PROVISIONED=1
keyguard.no_require_sim=true
debug.sf.hw=1
debug.composition.7x27A.type=mdp
debug.composition.7x25A.type=mdp
debug.composition.8x25.type=dyn
debug.hwc.dynThreshold=1.9
dalvik.vm.heapsize=64m
ro.sf.lcd_density=160
net.early.sockets=0
net.change=net.bt.name
persist.cne.bat.range.low.med=30
persist.cne.bat.range.med.high=60
persist.cne.loc.policy.op=/system/etc/OperatorPolicy.xml
persist.cne.loc.policy.user=/system/etc/UserPolicy.xml
persist.cne.bwbased.rat.sel=false
persist.cne.snsr.based.rat.mgt=false
persist.cne.bat.based.rat.mgt=false
persist.cne.rat.acq.time.out=30000
persist.cne.rat.acq.retry.tout=0
persist.cne.fmc.init.time.out=30
persist.cne.fmc.comm.time.out=130
persist.cne.fmc.retry=false
persist.cne.feature=0
media.stagefright.enable-player=true
media.stagefright.enable-meta=false
media.stagefright.enable-scan=true
media.stagefright.enable-http=true
media.stagefright.enable-fma2dp=true
media.stagefright.enable-aac=true
media.stagefright.enable-qcp=true
headset.hook.delay=500
audio.legacy.postproc=true
ro.opengles.version=131072
ro.use_data_netmgrd=true
persist.data.ds_fmc_app.mode=0
persist.ims.regmanager.mode=0
ro.bluetooth.request.master=true
ro.qualcomm.bluetooth.ftp=true
ro.qualcomm.bluetooth.sap=false
ro.qualcomm.bluetooth.dun=false
ro.qualcomm.bluetooth.map=true
ro.bluetooth.remote.autoconnect=true
persist.sys.strictmode.visual=false
persist.omh.enabled=1
ro.config.ehrpd=true
ro.qualcomm.cabl=1
telephony.lteOnCdmaDevice=0
persist.radio.net_pref_0=0
persist.radio.net_pref_1=0
ro.ril.transmitpower=true
ro.fm.analogpath.supported=true
ro.fm.transmitter=false
ro.fm.mulinst.recording.support=false
ro.emmc.sdcard.partition=18
ro.screen.layout=normal
debug.enabletr=false
ro.staticwallpaper.pixelformat=RGB_565
debug.camcorder.disablemeta=0
persist.fuse_sdcard=false
debug.camera.landscape=true
ro.max.fling_velocity=4000
httplive.enable.discontinuity=true
dev.pm.dyn_samplingrate=1
dev.pm.dyn_sample_period=700000
persist.service.cdrom.enable=1
ro.nfc.chip=pn544
windowsmgr.max_events_per_sec=260
ro.config.notification_sound=SMS01.ogg
ro.config.ringtone=Flutes.ogg
ro.feature.ztedrm.support=1
persist.sys.usb.menu=enable
persist.sys.usb.config=cdrom
persist.sys.usb.noZtePrefix=1
drm.service.enabled=true
persist.sys.fuse.dir=auto
ro.config.sec_storage=4
ro.camera.cts.flash.enabled=0
ro.emode.enableSpecialCode=true
ro.com.google.clientidbase=android-zte
ro.com.google.clientidbase.yt=android-zte
ro.com.google.clientidbase.ms=android-americamovil-us
ro.com.google.clientidbase.am=android-americamovil-us
persist.sys.timezone=America/New_York
ro.build.baseband_version=w9sA
ro.com.google.clientidbase.gmm=android-zte
ro.build.sw_internal_version=TF_US_P752A21V1.0.0B18
ro.emode.fm=0
ro.qualcomm.bluetooth.pan=true
ro.build.hardware_version=w9sA
ro.emmc=1
ro.secure.version=Z660G_SEC_V9.0
ro.com.android.dataroaming=true
ro.com.android.dateformat=MM-dd-yyyy
ro.carrier=unknown
ro.config.alarm_alert=Dawn_of_the_jungle.ogg
ro.vendor.extension_library=/system/lib/libqc-opt.so
dalvik.vm.heapstartsize=4m
dalvik.vm.heapgrowthlimit=32m
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=4.1_r5
persist.sys.ztelog.enable=0
persist.radio.add_power_save=1
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
init.svc.ueventd=running
init.svc.rmt_storage=running
init.svc.recovery=running
init.svc.console=running
init.svc.diagtest=running
 
i've finally gotten the jelly bean repo downloaded

but haven't built it yet.

should have a recovery fake flash available by the weekend, if all goes well, that someone can try to install, and then install a root update.zip to gain permanent root.
 
I'm about at the same place, I've finally got the cyanogenmod repo downloaded. I tried the online clockwordmod recovery builder but the file produced by it seems to fail verification so it wont flash from the 3e recovery. I'll keep looking into things some more but with christmas right here on us I've had to do some things for the kiddi.
 
Error420 said:
I'm about at the same place, I've finally got the cyanogenmod repo downloaded. I tried the online clockwordmod recovery builder but the file produced by it seems to fail verification so it wont flash from the 3e recovery. I'll keep looking into things some more but with christmas right here on us I've had to do some things for the kiddi.
Click to expand...


need the output of

cat /proc/emmc

***may have to be temp rooted for it to give me all i need, not sure though. try without first.

also need an adb pull of

/proc/config.gz
 
here's a recovery fake flash; don't rename it. put on the root of sdcard and reboot to recovery and install

update

don't install anything with it.

just see if it installs from stock recovery and boots the temp clockwork recovery and report back


***also still need the info from the post above***
 
My old Tracfone number is in the process of being ported to my Valet. Does that matter for purposes of rooting (either temporary or permanent)? I'm worried that maybe once it gets activated and the number is ported I won't be able to use either the temporary root method or the fake recovery flash. (On the other hand, maybe it would be *best* to wait until it's active.)
 
stayboogy said:
here's a recovery fake flash; don't rename it. put on the root of sdcard and reboot to recovery and install

update

don't install anything with it.

just see if it installs from stock recovery and boots the temp clockwork recovery and report back
Click to expand...

Stayboogy, is this pretty safe to do, as long as I don't install anything with your update.zip?

EDIT: I forgot to mention I have the Valet.

Also, what did you mean by


***also still need the info from the post above***
Click to expand...

?
 
echristopherson said:
Stayboogy, is this pretty safe to do, as long as I don't install anything with your update.zip?

EDIT: I forgot to mention I have the Valet.

Also, what did you mean by



?
Click to expand...

this is not for the valet.

this doesn't do anything but run a recovery from ramdisk

it's a very base build.

just need to know if it installs

and if it does install, if the new recovery loads properly

that's it.

it doesn't replace anything, doesn't do anything other than what i said. that's why it's called a fake flash...
 
Sorry been messing with stuff and doing alot of christmas stuff. Just logged back on to check things out and see some of the info I posted.

I built CWM recovery for this device and was going to see if I should flash it with dd to the recovery partition. Then I noticed stayboogy also has built a recovery. I know the fake flash cwm recovery I built and the one that came from the online recovery builder fail verification. I've read that the 3e recovery is really picky about letting things flash. I tried the signed and unsigned fake flash that I produced I'll test the fake flash stayboogy has build before I try to flash the recovery image with dd. I might not try the recovery image I've built because it's only 7 meg and not 16 like the original I might have to look into the device a little more and confige some more params before I go about flashing things with dd
 
Stayboogy I tried your update.zip fake recovery flash and it failed at 25% Haven't checked any logs yet but I will. Think I might end up calling it and early night tonight just because I've been up late a few days in a row and had to start the whole work thing again and have to be back in the morning. I might give dd a shot on my recovery and see what I get. What the heck.
 
echristopherson said:
I did Framaroot on my Valet after it got activated and my battery got to 17% or so. It didn't work using either Aragorn or Gandalf.
Click to expand...


On my whirl I have to press the power button 3 times to blink the light then power on the device then do framaroot sometime's it takes me a couple of tries to finally get the temp root but it seems to be pretty consistant.. Right now as I post think I'm on my 3rd try to do it but I know it works for me so I'll keep it up till I do. I need to cat /proc/mtd and check a few value's and make sure I'm not setting myself up for a brick with this image I built. Think I would if I flashed the img I have its not the same size and the original img.
 
You must log in or register to reply here.
Back
Top Bottom