
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
Ok, my first post here, although I've been hounding this thread since the beginning trying to gain root like everybody and their Mom.
Was on my phone the other day and the strangest thing occurred.
I received a heads-up notification on the bottom of the screen and just caught a glimpse of text and it read something like kingroot.user or something to that degree. Looked like a su notification.

Even more strange is I had kingroot installed for a long time now hoping they would crack it and lost hope in them and decided to leave the app just in case.
Furthermore I go to check the kingroot app after the heads-up only to find it uninstalled. But wait, I don't recall uninstalling it. So maybe I did and maybe I hit the wrong button on Lookout antivirus that was built in... but why in the hell am I getting a heads-up... it only popped up once. Kingroot seems to be embedded and hidden even though it's uninstalled. Really fishy.
 
@Meepmoop thanks for your response. Can you let us know what carrier Z981 & what FW you are on, please?

Metro
@SapphireEx, please get together with @Meepmoop in order to advise him what exactly & how you need him to test. Other than @messi2050 you are the most knowledgeable when it comes to trying to root our Z981. Use PM or a more direct way of exchanging info. Just let us know how it is going.

Thanks for not giving up on the Z981.

Note: One byproduct of how locked-down the Z981 is that it seems it is almost impossible to brick this phone. It just reverts back to its prior state. Came to this assessment by following both root threads. I've yet to hear someone unsuccessfully/successfully brick their Z981 no matter what they throw at it. I don't mean to say not to be careful but it seems to be a true assessment.
 

@Meepmoop - Great, so MetroPCS on the first B14 update. Which means it still has some of the older vulnerabilities. You'll need a PC for the program. Thanks to @brandonlee199966 for the link.


Get that program & familiarize yourself with:

How to install: http://xiaomiflashtool.com/tutorial/install-xiaomi-flash-tool
How to use: http://xiaomiflashtool.com/tutorial/use-xiaomi-flash-tool

http://xiaomitips.com/guide/miui-deep-flash-engineering-cable-solution-to-non-edl-device/

But I would wait for @SapphireEx for more specifics of what he needs tested. And the safest way for you to get it done.
 
The only thing I personally need tested is just getting an acknowledgement from the phone other than a hello packet.
From what I can tell, there's 3 ways of going about this, from least dangerous to most.
1. Use the official Z981 stock firehose and attempt to flash it. (No idea if we actually have this or not)
2. Use the official Z981 stock firehose, re-sign it with a generic key, then attempt to flash it.
3. Take a completely random firehose and attempt to flash it. If it does work, you will be hard bricked. But at least it confirms that we can flash.

The current issue is error Sahara, and the fact that the phone just does not want to communicate with Xiaomi other than the initial hello packet. If we can get both ends communicating properly, we 'should' be able to flash something modified.
 
Kingroot is known to stay around after uninstalling. I'm pretty sure they even released an uninstall tool to pair it with the official app.
 
My ZTE V770 is seen by MiFlash like this:
pic1 connected normal (phone ON)
pic2 connected FTM
pic3 connected Bootloader (download)
I don't have a service cable, so I used a normal USB cable (but I can modify it)
just to know if that method works.
Thank you!

P.S. I want to ask if MiFlash can see the proper partitions on ZTE and flash it right.
Messing up the partitions will result in a brick.
On the ZTE V770 the partitions are (see txt) and should be the same as on the ZTE Zmax Pro.
 

The same goes on the zmax pro but you can't flash anything
 
It's the su heads-up that I don't understand.
Doesn't that show only when root is gained?
"Kingroot.ro SuperSU exception" and various other similar notifications are just kingroot being kingroot. Doesn't mean a whole lot
 

I've tried to stay out of this as it seems y'all have chosen messi as y'all's go-to guy lol.

Anyway, Sahara is not an error.

Qualcomm devices use EDL aka Sahara mode. As I've said multiple times, this device will reject non signed firehose if it does not use the original signature.

The reason for this is because of secure boot. I've used just about every situation, even creating a custom qfill file. The only thing you can do in EDL/Sahara without the firehose is use Sahara debug, which uses certain commands to receive different responses.

Xiaomi or whatever tool is based off the original Qualcomm 9008 tool which is on GitHub, but it is just a new GUI for the phone line in specific.

Tenfar also used the same code to make an Axon root tool; he leaked the firehose himself and embedded it in the tool itself.

JTAG or some new secure boot root would be the only possible case to get anything at the moment, but feel free to continue testing.

I told messi about the EDL thing since long ago now, his choice for not stating it by now that it's of no use, or maybe he did not believe me.
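
Added illustration, not part of any post in this thread and not Qualcomm or ZTE code: a simplified model of the secure boot check described above, run against the three loader options listed earlier. It assumes the device pins a hash of the OEM root public key and uses textbook RSA with constructed toy keys; all names are hypothetical, and real devices verify a certificate chain.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Return (n, d) for textbook RSA from two primes (toy sizes)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def key_hash(n):
    """SHA-256 over the public modulus, standing in for the fused root-key hash."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def digest(payload, n):
    """Payload hash reduced into the key's modulus (toy padding-free scheme)."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def sign_loader(payload, key):
    """Package a loader with the signer's public modulus and signature."""
    n, d = key
    return {"payload": payload, "n": n, "sig": pow(digest(payload, n), d, n)}

def boot_rom_check(image, fused_hash):
    """Model of the check run before a loader is allowed to execute."""
    # Step 1: the signing key itself must match the hash fixed in the device.
    if key_hash(image["n"]) != fused_hash:
        return "rejected: root key hash mismatch"
    # Step 2: the signature must cover exactly this payload.
    if pow(image["sig"], E, image["n"]) != digest(image["payload"], image["n"]):
        return "rejected: bad signature"
    return "accepted"

# Constructed keys (Mersenne primes, far too small for real use).
OEM_KEY = make_key(2**89 - 1, 2**107 - 1)
GENERIC_KEY = make_key(2**61 - 1, 2**127 - 1)
FUSED_HASH = key_hash(OEM_KEY[0])

def run_cases():
    stock = sign_loader(b"stock firehose (constructed bytes)", OEM_KEY)
    resigned = sign_loader(stock["payload"], GENERIC_KEY)
    other = sign_loader(b"loader from another device (constructed)", GENERIC_KEY)
    patched = dict(stock, payload=stock["payload"] + b" + patch")
    images = {"1. stock": stock, "2. re-signed": resigned,
              "3. other device": other, "patched stock": patched}
    return {name: boot_rom_check(img, FUSED_HASH) for name, img in images.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:16} {verdict}")
```

In this model a re-signed loader fails at the key-hash step even though its signature is internally valid, and a modified stock loader fails at the signature step.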
 

The specific error code that I posted was a miscommunication error, that I shortened to just Sahara. A basic port sniffer will show that the phone isn't communicating over the port to the computer, and just flat out denying everything. This is what we are discussing here.
 
EDL won't accept any requests unless the connection is certified by the firehose.
 
I was trying to compile a kernel for the ZTE V770.
Not being a dev, I get "fail" on the compile process :(
It is not a big problem!
But I get that files in the kernel folder after the process are fail.
Can that be the security signature?
Thank you!
 


Not trying to be a dick, but this is the Z981 thread, not the 770. You may want to start a new thread about that one.
 
OK!
Sorry, I will not post any more comments.
I did till now because I see the devices are the same (specs) with small differences and indeed a different name.
Also both devices have the same problems: can't root and bootloader locked.
Sorry again, and I will follow you from the shadows.
I don't see a reason to open another thread for the same problems; that different name doesn't matter too much.
Thank you!
 

It's not an issue of similar specs and etc, it's just that even the same exact phone just from different carriers can have different rooting methods, and if someone did manage to root the Z981 via EDL, it would almost certainly brick the 770 using the same methods. Take the S5 for example. The ATT variant is still unrootable at the moment past a certain update, while the Verizon model used your generic odin root method from the start.
It's best in the long run to segregate different phone models into different threads just to keep confusion down, not even considering that someone may be explicitly looking for 770 root, but not finding information on it.
 
Besides another more popular phone will always come out and zmax pro will just get pushed back.
True, but the reason I said kingroot is a no go is because I think kingroot uses scripts to root phones, for example the dirty-c0w and things like that. They are things we could run ourselves with a simple Linux machine, and since we already tried many scripts and they all failed. Thus lead me to think kingroot is using them to root phones. Plus we can't really do anything with a locked bootloader anyway.
 
I'm moving on to the Pixel some time soon, but I'll still be around with both of my Z981's in case anyone needs debug testing, and I'll still be going the JTAG route once my clip arrives. I probably won't be as active when my Pixel arrives though. Good luck everyone.
 