• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
SapphireEx said:
http://imgur.com/a/v7oLl
Error Saraha end error with status:20
From what I can gather, this means you require a deep flash cable, something I don't have, and don't feel like destroying my only good USB-C cable over. You can DIY it yourself. The image I was using was a generic firmware for a different phone to even see if it would try to flash it. It did actually try.
If someone wants to cough up the 10 or so dollars for a deep flash cable and try to flash something yourself, have a go at it. This is a very interesting lead.
Click to expand...
does anyone have a deep flash cable?
 
brandonlee199966 said:
does anyone have a deep flash cable?
Click to expand...

SapphireEx said:
http://imgur.com/a/v7oLl
Error Saraha end error with status:20
From what I can gather, this means you require a deep flash cable, something I don't have, and don't feel like destroying my only good USB-C cable over. You can DIY it yourself. The image I was using was a generic firmware for a different phone to even see if it would try to flash it. It did actually try.
If someone wants to cough up the 10 or so dollars for a deep flash cable and try to flash something yourself, have a go at it. This is a very interesting lead.
Click to expand...
Very interesting.

User Needed with:

- Z981 Phone
- Deep Flash Cable on-hand (Ordering now will take to long) or
- A second USB-C cable & the capability of modding one of their USB-C cables into a Deep Flash Cable
( https://duckduckgo.com/?q=deep+flash+cable&t=ffsb&iax=1&ia=videos )

There are tons of how to vids on creating the Deep Flash Cables. Basically you are adding a switch between two of the inner wires or you can probably just do a straight mod wired since there does seem to be Y versions of this Deep Flash Cable. You would probably have to switch between two wires. Also wonder if modders can still use a USB-B (C1 or C2) cable if they already have a to USB-C adapter. Someone with more knowledge will need to opine on this.
( http://xiaomitips.com/guide/miui-deep-flash-engineering-cable-solution-to-non-edl-device/ )

Let us know if anybody wants to take on this weekend project. Would be good if folks on different FW versions can try this out. Ask here for guidance. SapphireEx can you double check the info here.
 
Last edited:
Y314K said:
Very interesting.

User Needed with:

- Z981 Phone
- Deep Flash Cable on-hand (Ordering now will take to long) or
- A second USB-C cable & the capability of modding one of their USB-C cables into a Deep Flash Cable
( https://duckduckgo.com/?q=deep+flash+cable&t=ffsb&iax=1&ia=videos )

There are tons of how to vids on creating the Deep Flash Cables. Basically you are adding a switch between two of the inner wires or you can probably just do a straight mod wired since there does seem to be Y versions of this Deep Flash Cable. You would probably have to switch between two wires. Also wonder if modders can still use a USB-B (C1 or C2) cable if they already have a to USB-C adapter. Someone with more knowledge will need to opine on this.
( http://xiaomitips.com/guide/miui-deep-flash-engineering-cable-solution-to-non-edl-device/ )

Let us know if anybody wants to take on this weekend project. Would be good if folks on different FW versions can try this out. Ask here for guidance. SapphireEx can you double check the info here.
Click to expand...

Looks about right. FW versions won't matter though, as (from what I understand), EDL is direct-to-SoC protocol, which is essentially the same as Dload mode for Odin, but more barebones.
Now, I don't know if the phone will accept the image, all I know is that miFlash will attempt to send it. It's up to the firmware itself if it accepts it with a generic signature.
 
Some more information about this. Using a port sniffer (not a net port sniffer) and monitoring traffic comes up with nothing, other than the "hello" packet from the phone itself. "Sahara" is an error code for failure to recieve the qcomm version of an ACK, which makes me think the computer isn't actually talking to EDL, but the strange thing is that the phone sent a "hello" packet, but isn't responding to incoming packets. I'm going to attempt to send dirty bits to the port and see if I get an ack. If I get an ack, we can bypass the deep flash cable (which is generally used for getting in to EDL, but some users report error code Sahara without the cable, but get an ack with it) and directly talk over the protocol. If anyone else has pentesting skills, try sending dirty bits to the phone in EDL to see what happens (Not sure if it can cause a brick or not, so use caution). That's about all I have for tonight. @messi want to weigh in?
 
generic signature....... Absolutely not.. but there may be a way to borrow from Peter to pay Paul. If anybody's got the T-Mobile newest update zip I would appreciate if you could post it so I can download it. I had a blonde moment didn't save it. I only really need to header. Everything else is set up
 
The easiest way to make a deep flash cable is to get a usb extension and open it and flip the contacts. That way your usb c cable stays perfectly normal and you just plug it into the modified usb extension cord when you want to deep flash.
 
biledigger said:
The easiest way to make a deep flash cable is to get a usb extension and open it and flip the contacts. That way your usb c cable stays perfectly normal and you just plug it into the modified usb extension cord when you want to deep flash.
Click to expand...

According to various people, it needs to be a button that you can hold down at will for it to work. Not a passive deep flash cable.
 
Well I'm not going to modify cables so I just went ahead and order the deep flash cable. It will arrive around July 23- August 19. I've waited this long for root one month won't hurt
 
anubis2048 said:
This thread is all about rooting the ZTE Zmax Pro and will be updated with the newest information related to rooting the device.

As of now, there is no way to root the Zmax Pro yet.

Right now Messi2050 is working on root and is very close to having it. He needs beta testers. If you don't care about bricking your device PM him and ask to join the hangouts.
Click to expand...


Ok I used the Device Unlock built in app from metro. It perma unlocked. Adb reboot fastboot,. Reboots right back into os. Ok but seems as though there are subtle differences than before...I am able to send fastboot cmds now whilst in the os
 
Sway916 said:
Ok I used the Device Unlock built in app from metro. It perma unlocked. Adb reboot fastboot,. Reboots right back into os. Ok but seems as though there are subtle differences than before...I am able to send fastboot cmds now whilst in the os
Click to expand...
That app is just for unlocking the sims
 
Sway916 said:
Ok I used the Device Unlock built in app from metro. It perma unlocked. Adb reboot fastboot,. Reboots right back into os. Ok but seems as though there are subtle differences than before...I am able to send fastboot cmds now whilst in the os
Click to expand...

How exactly are you sending successful fastboot commands when the phone doesn't have fastboot? "adb reboot <anything>" will simply reboot the phone if it's not a valid (completely spacing out on the word) "area" to reboot to. Current reboot edl, FTM, disemmc, and a few other commands work, but as far as I know, the Z981 does not even have a fastboot binary in firmware.

Provide a screenshot of various successful fastboot commands if you can. If you do indeed have fastboot up and running, it can be another vector of attack.
 
SapphireEx said:
http://imgur.com/a/v7oLl
Error Saraha end error with status:20
From what I can gather, this means you require a deep flash cable, something I don't have, and don't feel like destroying my only good USB-C cable over. You can DIY it yourself. The image I was using was a generic firmware for a different phone to even see if it would try to flash it. It did actually try.
If someone wants to cough up the 10 or so dollars for a deep flash cable and try to flash something yourself, have a go at it. This is a very interesting lead.
Click to expand...
I'll have a deep flash cable on the 7th.
 
kilozz385 said:
wow. this thread died so hard. i came here to post if viewing the system logs of this phone would help at all. no root or pc required, i have discovered a exploit that targets all android versions... let me know if this will help with rooting the device in any way.

EDIT: I will only reply to the most active and trusted members of this thread. i don't want this exploit to go to waste. i have also attached a capture of the systems logs from my phone as proof of concept.
Click to expand...
That's legit just ADB logcat.

btw nice minecraft mods nerd.
"net.zhuoweizhang.mcpelauncher"
 
May have found something interesting.. willing to try.. afraid to brick.. advise before i brick if possible...

anyways.. i installed a program called systemui tuner by zachary...

if you are not rooted it gives following command.. that works...

adb shell pm grant com.zacharee1.systemuituner android.permission.WRITE_SECURE_SETTINGS

adb shell pm grant com.zacharee1.systemuituner android.permission.DUMP

and it installed.. do you think i (we) could install super su.. and force without brick
 
Last edited:
wickedwill69 said:
May have found something interesting.. willing to try.. afraid to brick.. advise before i brick if possible...
anyways.. i installed a program called systemui tuner by zachary...
if you are not rooted it gives following command.. that works...
adb shell pm grant com.zacharee1.systemuituner android.permission.WRITE_SECURE.SETTINGS
adb shell pm grant com.zacharee1.systemuituner android.permission.DUMP
and it installed.. do you think i (we) could install super su.. and force without brick
Click to expand...
I highly doubt it
 
Y314K said:
Very interesting.

User Needed with:

- Z981 Phone
- Deep Flash Cable on-hand (Ordering now will take to long) or
- A second USB-C cable & the capability of modding one of their USB-C cables into a Deep Flash Cable
( https://duckduckgo.com/?q=deep+flash+cable&t=ffsb&iax=1&ia=videos )

There are tons of how to vids on creating the Deep Flash Cables. Basically you are adding a switch between two of the inner wires or you can probably just do a straight mod wired since there does seem to be Y versions of this Deep Flash Cable. You would probably have to switch between two wires. Also wonder if modders can still use a USB-B (C1 or C2) cable if they already have a to USB-C adapter. Someone with more knowledge will need to opine on this.
( http://xiaomitips.com/guide/miui-deep-flash-engineering-cable-solution-to-non-edl-device/ )

Let us know if anybody wants to take on this weekend project. Would be good if folks on different FW versions can try this out. Ask here for guidance. SapphireEx can you double check the info here.
Click to expand...
I have a deep flash cable, I can do it.
 
SapphireEx said:
Looks about right. FW versions won't matter though, as (from what I understand), EDL is direct-to-SoC protocol, which is essentially the same as Dload mode for Odin, but more barebones.
Now, I don't know if the phone will accept the image, all I know is that miFlash will attempt to send it. It's up to the firmware itself if it accepts it with a generic signature.
Click to expand...

SapphireEx said:
Some more information about this. Using a port sniffer (not a net port sniffer) and monitoring traffic comes up with nothing, other than the "hello" packet from the phone itself. "Sahara" is an error code for failure to recieve the qcomm version of an ACK, which makes me think the computer isn't actually talking to EDL, but the strange thing is that the phone sent a "hello" packet, but isn't responding to incoming packets. I'm going to attempt to send dirty bits to the port and see if I get an ack. If I get an ack, we can bypass the deep flash cable (which is generally used for getting in to EDL, but some users report error code Sahara without the cable, but get an ack with it) and directly talk over the protocol. If anyone else has pentesting skills, try sending dirty bits to the phone in EDL to see what happens (Not sure if it can cause a brick or not, so use caution). That's about all I have for tonight. @messi want to weigh in?
Click to expand...

SapphireEx said:
According to various people, it needs to be a button that you can hold down at will for it to work. Not a passive deep flash cable.
Click to expand...

messi2050 said:
There are some sellers who sell it in the u.s
Click to expand...

Meepmoop said:
I have a deep flash cable, I can do it.
Click to expand...
@Meepmoop thanks for your response. Can you let use know what carrier Z981 & on what FW you are on please.


@SapphireEx, please get together with @Meepmoop in order to advice him what exactly & how you need him to test. Other then @messi2050 you are the most knoledgeable when it comes to trying to root our Z981. Use PM or a more direct way of exchanging info. Just let us know how it is going.

Thanks for not giving up on the Z981.

Note: One byproduct of how lock-down the Z981 is that it seems it is almost impossible to brick this phone. It just reverts back to it's prior state. Came to this assessment by following both root threads. I've yet to hear someone unsuccessfully/successfully brick their Z981 no matter what they throw at it. I don't mean to say not to be careful but it seems to be a true assessment.
 
Status
Not open for further replies.
Back
Top Bottom