
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
So it's come down to hoping it doesn't require a signed key, it seems. I found this http://www.all-gsm-solutions.xyz/2016/12/infinity-box-cm2-qualcomm-v1.07-setup-download.html doing some random searches. The part that piqued my interest was this:
Code:
Supported CPU List:

Qualcomm MSM 8974/A (SnapDragon 801)
Qualcomm MSM 8952 (SnapDragon 650)
Qualcomm MSM 8976 (SnapDragon 652)

and

Code:
FW reader engine updated
Brand-specific changes and improvements
Creation for some damaged/erased partitions activated
CM2 now will build some lost/erased/damaged partitions (partitions tables and filesystems)
File naming revised
Verification improved

Unlike other "solutions", CM2 makes FIRMWARE, not a useless plain dump
That means all device-unique data, security, etc. will remain safe after flashing
Forensic engine updated
Export updated ( compatibility revised )

Service operations:
New FRP Types supported (Alcatel and ZTE)

So it seems this software (which is backed by some of the unlocking scene) can read partitions by itself and can flash. Maybe it will do you guys some good.
 
No man... And you are lucky I'm being civil.

If you had respected my warning and flashed my Alcatel recovery before you bricked, well then you wouldn't have a brick.

Obviously it was too late for you.

Doubt me as you might, but I promise to be the individual that may cause you to facepalm yourself.

You should do some research on XDA and see my achievement in the HTC realm. I single-handedly busted their great big red Verizon bootloader.

JCase has verified my work.


At any rate this is a waste of time.
I'm not your savior. I'm here looking to find other individuals with the skills I lack in order to benefit us all.

Well then. Don't know all the history here, but dude was obviously asking for help, not your certifications. There's no reason to bring toxicity to the thread.
 
That was random...

As it is, jcase only does what benefits him; a lot of us don't help to get fame and fortune.
I've helped and rooted many devices behind the scenes, but I don't cry about achieving things.

But congratulations on all your achievements. I gave up on working on the ZMAX Pro since I've exhausted all spots to crack it open.

I won't even bother trying to mess with the fbop partition until you can find a working firehose that will get accepted by the Qualcomm loader app.
 
This is a Qualcomm Signed Loader.

View attachment 123074

The ZTE Axon firehose isn't even signed by Qualcomm test keys. And the one we are looking at is totally unsigned and unverified. This is because ZTE is using the stock Qualcomm programmer that is unsigned and unverified.

Considering I pulled the Axon programmer from a Nougat firmware unbrick package, I would have to conclude this was not changed after Lollipop.


This is the ZTE axon programmer.
View attachment 123075


A look at the bootloader aboot giving us an idea of how signatures are verified.

View attachment 123076



This is from aboot but.....
This is what we would expect to find if the file is signed by ZTE.

View attachment 123077


This does not mean that the firehose files for our device are not signed.

But looking at ZTE's past record, and considering the firehose for Nougat is not signed, I would think we have a great chance.

All companies like to make as much money as they can. They make more money by STANDARDIZATION.

If they develop a new security scheme for every device it costs more money per device. If they recycle as much standard code as possible they save more money per device.

Qualcomm in this instance (Axon 7) has done the work for ZTE. It's a part of their service agreement.

ZTE could choose to rewrite a lot of code to change the security schemes and customize it to their liking.

But it costs money.

The funny thing is we can leverage that greed (standardization) to our advantage.
No, unfortunately the Axon 7 firehose was signed... I asked @tenfar [Axon 7 firehose publisher] how he was able to get the signed firehose... got no reply from him.
 

Guys, I have a ZTE ZMAX on B03 if that could be of any use?

Can you post proof? Not even sure B03 is a thing.

B00 and B03 were on the first releases of the ZMAX before the bootloader lock.

My pro had an unlocked bootloader as well before I updated

So it seems we should find a ZMP on B00 or B03 with an unlocked bootloader to get a full dump off it. All of mine came on B08. But that is because I waited until early Sept. 2016 to get them.

If someone has a ZMP on B00 or B03, please post proof & get with SapphireEx so he can tell you how to dump everything off it, or so you can send it to him. It seems finding a phone with an unlocked bootloader might be the best way to get a good starting point for unlocking the rest of the FW.

I am willing to send anybody that sends a ZMP B00 or B03 with an unlocked bootloader one of my New In Box B08 ZMPs (unlocked for any GSM carrier) once SapphireEx has received & verified the FW. (I kept two as cheap backups in case my main ZMP broke & for family/friends.) I am also willing to refund any shipping costs for sending it/them to SapphireEx once verified too.

If I had known about the B00 & B03 FW versions I would have started to scavenge for them ages ago. If you pre-ordered any ZMPs or bought them in August of 2016 & have kept them in the box without updating, then you might have the FW we are looking for.
 
I would've been willing to give Sapphire mine because it had the B03 firmware, but it force updated to the next FW release.
If there's anything else I could do to help, I'll be willing to do so.
Same happened with me, it upgraded by itself.
 
So it seems we should find a ZMP on B00 or B03 with unlocked bootloader to get a full dump off it. All of mine came on B08

If you get that firmware dump, I can get your Z Max Pros unlocked, I'm sure.

Well then. Don't know all the history here, but dude was obviously asking for help, not your certifications. There's no reason to bring toxicity to the thread

Sorry, I had a few beers and probably took that the wrong way.
I will fix it.
 
no unfortunately the axon 7 firehose was signed... i asked @tenfar [axon 7 firehose publisher] how he was able to get the signed firehose... got no reply from him.

I looked at the firehose again in my hex editor and you are right.
So yes, any firehose is gonna need to be signed by ZTE.

The only place to find a signed firehose would be in a fastboot ROM for a ZTE device with the same chip. I find a lot on Needrom usually.
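An added example (not from any post in this thread) that does programmatically what the hex-editor check above does by eye: it walks the ELF program headers of a Qualcomm programmer, finds the hash segment, and reads the signature_size and cert_chain_size fields of the MBN header at the start of that segment. Both zero means a hash-only, unsigned loader of the kind the stock Qualcomm programmer is described as; non-zero means there is an RSA signature plus a DER certificate chain to look at. It assumes the 40-byte MBN header layout used by MSM8952-era loaders (newer header versions differ and are not handled). build_sample_image() is a constructed fake for testing, not a real firehose.

```python
#!/usr/bin/env python3
"""Does a Qualcomm ELF programmer (firehose) carry a signature and cert chain?

Added example for this thread, not from any post. Assumes the pre-2017 image
format: an ELF whose "hash segment" (PT_LOAD with segment type 2 in p_flags
bits 24-26) starts with a 40-byte MBN header, followed by the hash table,
the RSA signature and a concatenated DER certificate chain. A header with
signature_size == cert_chain_size == 0 is a hash-only (unsigned) loader.
"""
import struct

PT_LOAD = 1
SEGMENT_TYPE_MASK = 0x07000000
HASH_SEGMENT = 0x02000000
MBN_HDR_FMT = "<10I"
MBN_HDR_LEN = 40
MBN_FIELDS = ("image_id", "header_version", "image_src", "image_dest_ptr", "image_size",
              "code_size", "signature_ptr", "signature_size", "cert_chain_ptr", "cert_chain_size")


def program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_filesz) for an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] == 1:                                         # ELF32
        (phoff,) = struct.unpack_from("<I", data, 0x1C)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x2A)
        for i in range(phnum):
            p_type, p_off, _va, _pa, p_filesz, _ms, p_flags, _al = struct.unpack_from(
                "<8I", data, phoff + i * phentsize)
            yield p_type, p_flags, p_off, p_filesz
    elif data[4] == 2:                                       # ELF64
        (phoff,) = struct.unpack_from("<Q", data, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
        for i in range(phnum):
            p_type, p_flags, p_off, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
                "<IIQQQQQQ", data, phoff + i * phentsize)
            yield p_type, p_flags, p_off, p_filesz
    else:
        raise ValueError("bad EI_CLASS")


def hash_segment(data):
    """Return the decoded MBN header of the hash segment plus its file offset/size."""
    for p_type, p_flags, p_off, p_filesz in program_headers(data):
        if p_type == PT_LOAD and (p_flags & SEGMENT_TYPE_MASK) == HASH_SEGMENT:
            if p_filesz < MBN_HDR_LEN:
                raise ValueError("hash segment shorter than an MBN header")
            hdr = dict(zip(MBN_FIELDS, struct.unpack_from(MBN_HDR_FMT, data, p_off)))
            hdr["segment_offset"], hdr["segment_size"] = p_off, p_filesz
            return hdr
    raise ValueError("no hash segment: not a Qualcomm-style image")


def signing_status(data):
    """'unsigned', 'signed', 'inconsistent' (only one of sig/chain present) or 'truncated'."""
    h = hash_segment(data)
    if h["signature_size"] == 0 and h["cert_chain_size"] == 0:
        return "unsigned"
    if h["signature_size"] == 0 or h["cert_chain_size"] == 0:
        return "inconsistent"
    if MBN_HDR_LEN + h["code_size"] + h["signature_size"] + h["cert_chain_size"] > h["segment_size"]:
        return "truncated"
    return "signed"


def cert_chain(data):
    """Raw cert chain bytes: the segment holds header, hash table, signature, then the chain."""
    h = hash_segment(data)
    start = h["segment_offset"] + MBN_HDR_LEN + h["code_size"] + h["signature_size"]
    return data[start:start + h["cert_chain_size"]]


def split_der_chain(blob):
    """Split concatenated DER SEQUENCEs (X.509 certs) into a list; stops at 0xFF/0x00 padding."""
    certs, i = [], 0
    while i < len(blob) and blob[i] == 0x30:
        first = blob[i + 1]
        n = first & 0x7F if first & 0x80 else 0            # long-form length uses n extra bytes
        length = int.from_bytes(blob[i + 2:i + 2 + n], "big") if n else first
        end = i + 2 + n + length
        if end > len(blob):
            raise ValueError("truncated certificate at offset %d" % i)
        certs.append(blob[i:end])
        i = end
    return certs


def build_sample_image(signed):
    """Constructed ELF32 with one hash segment (not a real programmer), for testing."""
    fake_cert = b"\x30\x81\xC4" + b"\xCC" * 0xC4          # one DER SEQUENCE, 199 bytes
    code_size = 3 * 32                                    # three fake SHA-256 digests
    sig = b"\xBB" * 256 if signed else b""
    chain = fake_cert * 3 if signed else b""
    mbn = struct.pack(MBN_HDR_FMT, 0, 3, MBN_HDR_LEN, 0, code_size + len(sig) + len(chain),
                      code_size, code_size, len(sig), code_size + len(sig), len(chain))
    seg = mbn + b"\xAA" * code_size + sig + chain
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 0x28, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 84, 0, 0, len(seg), len(seg), HASH_SEGMENT | 4, 4096)
    return ehdr + phdr + seg


if __name__ == "__main__":
    import sys
    img = open(sys.argv[1], "rb").read()
    print(signing_status(img), hash_segment(img))
```

Run it with the path to a programmer file. For a signed image, write each element of split_der_chain(cert_chain(img)) to a file and run `openssl x509 -inform DER -noout -subject -issuer` on it; the subject and issuer of the last certificate show which root (OEM or Qualcomm test) the loader chains to, which is what decides whether the device's boot ROM will accept it.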
 
I can try Amazon. If the seller has their contact information there, I can just ask them what the firmware version is. If they are a large distributor they might already have them sitting around collecting dust. Y'all can try it too if ya like. They may even be able to track it down.
 
Which specific resellers?
Please do ask for any on FW B00 & B03. But tell him/them to make sure they don't connect them to Wi-Fi or any data so they don't auto-update. And as long as it's guaranteed to be on that FW, we can donate to reimburse you once they go directly to SapphireEx. Unless you think you can fully dump them.
 
Hey now, @Bigcountry907 would be the person to talk to about dumping images. I'm more in the realm of software and reverse engineering.
 
My current thoughts. I'm gonna keep working on stuff with @SapphireEx, and I have been looking at the device @Kristiann Guthrie is so graciously providing!

If we can get our hands on some earlier FW files, we can check diffs to see if there are any MASSIVE flaws that shipped. The 3DS did this kind of thing: a change to the OTP made many scratch their heads, but it opened the floodgates to further exploitation.
 
Dumping B00/B03 would be great for everyone here. For one, it would prove without a doubt if the Z981 actually has a SUID or not. That's been bugging me for a long time now.
But on a more technical front, a raw 1:1 image would open exploitation everywhere. Knowing ZTE, and knowing how sloppy they can be, it wouldn't surprise me if a backdoor was present and ready for exploitation.
 
Off topic, but my o3DS XL is being a bitch right now. I made a pretty massive mistake of updating Luma from 10.4 to 11.4, but for some reason my 3DS switched from EmuNAND to SysNAND during the update. It's resisted all of my exploits so far, so I guess a hardmod is my only option now.
 
NO! You can actually rehack it and get boot9strap with nothing but an R4 and a magnet. No joke.

https://3ds.guide/
 

If I had a second 3DS, I would just system transfer the EmuNAND into SysNAND. And the DSiWare exploit doesn't have true kernel access, so I can't downgrade either.
 
DSi has access to the full NAND as it runs as ARM9 on the NAND.

You can downgrade. But this method with the magnet runs on the latest firmware and only requires a flash cart. Do it!
 
Hey now, @Bigcountry907 would be the person to talk to about dumping images. I'm more in the realm of software and reverse engineering.

Dumping and rooting the B00 / B03 devices, if the bootloader is unlockable, would be pretty straightforward.

The hardest part would be getting a working TWRP up and running.
I have taken TWRP builds from one HTC device, swapped the kernel and edited the fstab if necessary, and run it successfully on another device.

We need only a root shell.
And adb shell in TWRP is root by default.

Then issue the following commands to get the dump.

Code:
adb shell
su    # <---- not needed in TWRP, the adb shell there is already root

dd if=/dev/block/mmcblk0 of=/sdcard/EMMC-Dump.img

That would be a copy of the eMMC.
Next, in a Linux shell, run this command to pull the GPT partition table.

Code:
dd if=/path-to/EMMC-Dump.img of=/path-to/GPT-Dump.bin bs=1 count=17408

That copies the GPT to an image or .bin file.

Next, using Linux hexdump in a Linux terminal (the text goes to the second file via redirection, hexdump itself only takes input files):

Code:
hexdump -C -v /path-to/GPT-Dump.bin > /path-to/GPT-Dump.txt

I can take the resultant txt file and put it in my spreadsheet to decode the GPT and show me the partition layout.

For example:

(Three spreadsheet screenshots of the decoded GPT: upload_2017-9-1_21-33-28.png, upload_2017-9-1_21-35-10.png, upload_2017-9-1_21-36-0.png)

So basically you guys would be set.
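An added example, not the spreadsheet from the post above nor anything else from this thread: a decoder for the 17408-byte GPT-Dump.bin that the dd command produces. Beyond listing the partition layout it verifies the header and entry-array CRC32s (a damaged or hand-edited table shows up there before you trust any offsets from it), and, for the firmware-diffing idea raised earlier in the thread, it counts which partitions differ sector by sector between two full dumps of the same layout. It assumes 512-byte sectors and the default 128 entries of 128 bytes; the partition names in the constructed sample (aboot, recovery, fbop, userdata) are made up for the test and are not taken from a real Z981 dump.

```python
#!/usr/bin/env python3
"""Decode the raw GPT at the start of an eMMC dump and verify its CRCs.

Added example for this thread. Assumes 512-byte sectors and 128 entries of
128 bytes, i.e. exactly the 17408 bytes (34 LBAs) the dd command extracts.
build_sample_gpt() produces a constructed image for testing; names made up.
"""
import struct
import uuid
import zlib

GPT_HDR_FMT = "<8sIIIIQQQQ16sQIII"        # 92-byte header at LBA 1
GPT_ENTRY_FMT = "<16s16sQQQ72s"            # 128-byte partition entry
LINUX_DATA_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")


def _crc(buf):
    return zlib.crc32(buf) & 0xFFFFFFFF


def parse_gpt(blob, sector=512):
    """Return header fields, CRC checks and the used partition entries."""
    mbr_protective = blob[0x1FE:0x200] == b"\x55\xAA" and blob[0x1BE + 4] == 0xEE
    (sig, rev, hsize, hcrc, _rsv, _cur, backup_lba, first_use, last_use, disk_guid,
     entry_lba, n_entries, entry_size, ecrc) = struct.unpack_from(GPT_HDR_FMT, blob, sector)
    if sig != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (wrong sector size or not GPT)")
    hdr = bytearray(blob[sector:sector + hsize])
    hdr[16:20] = b"\0\0\0\0"                   # header CRC is computed with its field zeroed
    start = entry_lba * sector
    entries = blob[start:start + n_entries * entry_size]
    if len(entries) != n_entries * entry_size:
        raise ValueError("dump too short, need %d bytes" % (start + n_entries * entry_size))
    parts = []
    for i in range(n_entries):
        tguid, uguid, first, last, attrs, name = struct.unpack_from(GPT_ENTRY_FMT, entries, i * entry_size)
        if tguid == b"\0" * 16:
            continue                               # unused slot
        parts.append({"index": i, "name": name.decode("utf-16le").rstrip("\0"),
                      "type_guid": str(uuid.UUID(bytes_le=tguid)),
                      "unique_guid": str(uuid.UUID(bytes_le=uguid)),
                      "first_lba": first, "last_lba": last, "attrs": attrs,
                      "size_bytes": (last - first + 1) * sector})
    return {"mbr_protective": mbr_protective, "revision": rev,
            "header_crc_ok": _crc(bytes(hdr)) == hcrc, "entries_crc_ok": _crc(entries) == ecrc,
            "disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "backup_lba": backup_lba,
            "first_usable_lba": first_use, "last_usable_lba": last_use, "partitions": parts}


def layout_lines(gpt):
    """Spreadsheet-style rows: index, name, first LBA, last LBA, size in bytes."""
    return ["%3d %-18s %10d %10d %13d" % (p["index"], p["name"], p["first_lba"],
                                           p["last_lba"], p["size_bytes"]) for p in gpt["partitions"]]


def changed_sectors_by_partition(old, new, gpt, sector=512):
    """Diff two full dumps of the same layout; count differing sectors per partition."""
    changed = {}
    for p in gpt["partitions"]:
        n = sum(1 for lba in range(p["first_lba"], p["last_lba"] + 1)
                if old[lba * sector:(lba + 1) * sector] != new[lba * sector:(lba + 1) * sector])
        if n:
            changed[p["name"]] = n
    return changed


def build_sample_gpt(parts, sector=512, n_entries=128):
    """Constructed test image (no real device): protective MBR + header + entry array."""
    entries, lba = b"", 34                         # first usable LBA after a 34-LBA table
    for name, size_sectors in parts:
        entries += struct.pack(GPT_ENTRY_FMT, LINUX_DATA_GUID.bytes_le,
                               uuid.uuid5(uuid.NAMESPACE_OID, name).bytes_le,
                               lba, lba + size_sectors - 1, 0, name.encode("utf-16le"))
        lba += size_sectors
    entries = entries.ljust(n_entries * 128, b"\0")
    disk = lba + 34                                # leave room for the backup table
    hdr = bytearray(struct.pack(GPT_HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, disk - 1,
                                34, disk - 34, uuid.uuid5(uuid.NAMESPACE_OID, "disk").bytes_le,
                                2, n_entries, 128, _crc(entries)))
    hdr[16:20] = struct.pack("<I", _crc(bytes(hdr)))
    mbr = bytearray(sector)
    mbr[0x1BE + 4], mbr[0x1FE:0x200] = 0xEE, b"\x55\xAA"   # protective MBR markers
    return bytes(mbr) + bytes(hdr).ljust(sector, b"\0") + entries


if __name__ == "__main__":
    import sys
    g = parse_gpt(open(sys.argv[1], "rb").read())
    print("header CRC ok:", g["header_crc_ok"], " entries CRC ok:", g["entries_crc_ok"])
    print("\n".join(layout_lines(g)))
```

Run it as `python3 gpt_decode.py /path-to/GPT-Dump.bin`. Since only the first 34 LBAs are needed, `dd if=/dev/block/mmcblk0 bs=512 count=34` on the device yields the same input without first carving it out of a full dump, which also avoids writing a multi-gigabyte image onto the same eMMC it is being read from. The per-sector diff is plain Python and is slow on a full eMMC image; it is meant for pinpointing which partitions changed between two builds, after which a proper binary diff of just those partitions is the next step.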

 
@messi2050 already has a TWRP build ready to go.
 
Without unlocking the bootloader it doesn't matter how you try to achieve root. You need to unlock the bootloader.
That's really not true. Systemless doesn't require the bootloader at all. The only reason you'd need to unlock the bootloader is for custom images like the bootloader, recovery, and the actual OS. After you boot and are in the OS, you can make whatever changes you like with a proper systemless root. What we used to do with locked bootloaders was have a script sit in /tmp/, which is RWX by default, and simply call it with Terminal Emulator or ADB, and that script housed the exploit to re-enable root.
Also, according to a few people here, B00 and B03 shipped with an unlocked bootloader, so even that is moot.
 
bigcountry, all I can say is wtf. I read the one you deleted. Wow. You must be really drunk and nasty. I gave up completely on this shtty phone, but good luck to y'all.
 