Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
This is still a very solid device that is very much worth rooting. I have two Metro PCS phones with nearly identical specs, and I frequently switch my service back and forth between them, but I enjoy the ZTE more because of the larger screen, and there seems to be more variety of custom cases out there for it.
 
This is still a very solid device that is very much worth rooting. I have two Metro PCS phones with nearly identical specs, and I frequently switch my service back and forth between them, but I enjoy the ZTE more because of the larger screen, and there seems to be more variety of custom cases out there for it.
Honestly, I wish I had never switched from my Desire 626S. While it had far weaker specs, HTC's rooting process is beyond easy, and it had a pretty major following in the custom ROM area. I'm sure the Z981 will get there after it gets rooted, but something being locked down this tight, given the exceptional specs it has (for the price), is a major turn-off.
 
Dumping and rooting the B00 / B03 devices, if the bootloader is unlockable, would be pretty straightforward.

The hardest part would be getting a working TWRP up and running.
I have taken TWRP builds from one HTC device, swapped the kernel and edited the fstab if necessary, and run it successfully on another device.

We need only a root shell.
And adb shell in TWRP is root by default.

Then issue the following commands to get the dump.

adb shell
su <<<<<---- Not needed in TWRP

dd if=/dev/block/mmcblk0 of=/sdcard/EMMC-Dump.img

That would be a copy of the eMMC.
Next, in a Linux shell, run this command to pull the GPT partition table.

dd if=/path-to/EMMC-Dump.img of=/path-to/GPT-Dump.bin bs=1 count=17408

That copies the GPT to an image or .bin file.

Next, use hexdump in a Linux terminal:

hexdump -C -v /path-to/GPT-Dump.bin > /path-to/GPT-Dump.txt

I can take the resultant txt file and put it in my spreadsheet to decode the GPT and show me the partition layout.

For example (see attachments 123128, 123129 and 123130).

So basically you guys would be set.
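The 17408 bytes pulled by the dd command above are 34 sectors of 512 bytes: the protective MBR at LBA 0, the GPT header at LBA 1, and the 128 partition entries of 128 bytes each starting at LBA 2. The following is an added example, not code from this thread or from any poster, that decodes such a dump in Python the way the spreadsheet does, and also verifies the header and entry-array CRC32 checksums so that a truncated or corrupted dump is rejected before anyone trusts the layout it shows. The partition names, GUIDs and LBAs inside build_sample_image are constructed for the demonstration and are not the Z981's real layout; on a real dump you would pass the bytes of GPT-Dump.bin straight to parse_gpt.

```python
"""Decode and verify the primary GPT from the first 34 sectors of a raw eMMC dump.

Layout of the 17408-byte region: protective MBR (LBA 0), GPT header (LBA 1),
128 x 128-byte partition entries (LBA 2 onwards). The sample image built below
is constructed here for demonstration; its names, GUIDs and LBAs are made up.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# 92-byte GPT header: sig, revision, header size, header CRC32, reserved,
# current LBA, backup LBA, first/last usable LBA, disk GUID, entries LBA,
# number of entries, entry size, entry-array CRC32.
HDR_FMT = "<8sIIIIQQQQ16sQIII"
# 128-byte partition entry: type GUID, unique GUID, first LBA, last LBA,
# attribute flags, UTF-16LE name (72 bytes).
ENTRY_FMT = "<16s16sQQQ72s"


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt(image: bytes, sector_size: int = SECTOR):
    """Parse the primary GPT and return (header dict, list of used partitions).

    Raises ValueError if the signature or either CRC32 does not check out, so a
    short or damaged dump is never decoded into a plausible-looking layout."""
    off = sector_size
    hdr_len = struct.calcsize(HDR_FMT)
    if len(image) < off + hdr_len:
        raise ValueError("dump too short to contain a GPT header")
    (sig, revision, hdr_size, hdr_crc, _reserved, current_lba, backup_lba,
     first_usable, last_usable, disk_guid, entries_lba, num_entries,
     entry_size, entries_crc) = struct.unpack(HDR_FMT, image[off:off + hdr_len])
    if sig != GPT_SIGNATURE:
        raise ValueError("no 'EFI PART' signature at LBA 1")
    raw_hdr = image[off:off + hdr_size]
    # The header CRC is computed with its own CRC field (bytes 16..19) zeroed.
    if crc32(raw_hdr[:16] + b"\0\0\0\0" + raw_hdr[20:]) != hdr_crc:
        raise ValueError("GPT header CRC32 mismatch")
    start = entries_lba * sector_size
    table = image[start:start + num_entries * entry_size]
    if len(table) != num_entries * entry_size:
        raise ValueError("dump too short for the partition entry array")
    if crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC32 mismatch")

    header = {
        "revision": revision, "header_size": hdr_size,
        "current_lba": current_lba, "backup_lba": backup_lba,
        "first_usable_lba": first_usable, "last_usable_lba": last_usable,
        "disk_guid": str(uuid.UUID(bytes_le=disk_guid)),
        "entries_lba": entries_lba, "num_entries": num_entries,
        "entry_size": entry_size,
    }
    parts = []
    for i in range(num_entries):
        entry = table[i * entry_size:i * entry_size + 128]
        type_guid, uniq_guid, first, last, attrs, name = struct.unpack(ENTRY_FMT, entry)
        if type_guid == b"\0" * 16:
            continue  # unused slot
        parts.append({
            "index": i,
            "name": name.decode("utf-16-le").split("\0", 1)[0],
            "type_guid": str(uuid.UUID(bytes_le=type_guid)),
            "unique_guid": str(uuid.UUID(bytes_le=uniq_guid)),
            "first_lba": first, "last_lba": last,
            "size_bytes": (last - first + 1) * sector_size,
            "attributes": attrs,
        })
    return header, parts


def gpt_is_intact(image: bytes) -> bool:
    """True if the dump carries a GPT whose header and entry array both verify."""
    try:
        parse_gpt(image)
        return True
    except ValueError:
        return False


def layout_table(parts, sector_size: int = SECTOR) -> str:
    """Render the partition layout as the spreadsheet would show it."""
    lines = [f"{'#':>3} {'name':<12} {'start LBA':>10} {'end LBA':>10} {'size (MiB)':>11}"]
    for p in parts:
        lines.append(f"{p['index']:>3} {p['name']:<12} {p['first_lba']:>10} "
                     f"{p['last_lba']:>10} {p['size_bytes'] / 2**20:>11.1f}")
    return "\n".join(lines)


# Constructed sample layout (name, first LBA, last LBA); not a real device's table.
SAMPLE_PARTS = [
    ("aboot", 34, 2081),
    ("boot", 2082, 133153),
    ("recovery", 133154, 264225),
    ("system", 264226, 6555681),
]


def build_sample_image(parts=SAMPLE_PARTS, sector_size: int = SECTOR) -> bytes:
    """Construct a 34-sector GPT image (MBR + header + 128 entries) with valid CRCs."""
    num_entries, entry_size = 128, 128
    total_sectors = 61071360  # constructed: roughly a 32 GB eMMC
    table = bytearray(num_entries * entry_size)
    for i, (name, first, last) in enumerate(parts):
        type_guid = uuid.UUID(int=0x1000 + i).bytes_le   # constructed GUIDs
        uniq_guid = uuid.UUID(int=0x2000 + i).bytes_le
        struct.pack_into(ENTRY_FMT, table, i * entry_size, type_guid, uniq_guid,
                         first, last, 0, name.encode("utf-16-le"))

    def pack_header(header_crc: int) -> bytes:
        return struct.pack(HDR_FMT, GPT_SIGNATURE, 0x00010000, 92, header_crc, 0,
                           1, total_sectors - 1, 34, total_sectors - 34,
                           uuid.UUID(int=0xD15C).bytes_le, 2, num_entries,
                           entry_size, crc32(table))

    header = pack_header(crc32(pack_header(0)))
    mbr = bytearray(sector_size)
    # Protective MBR: one type-0xEE entry covering the disk, plus the 0x55AA signature.
    struct.pack_into("<B3sB3sII", mbr, 446, 0x00, b"\x00\x02\x00", 0xEE,
                     b"\xff\xff\xff", 1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr) + header.ljust(sector_size, b"\0") + bytes(table)


if __name__ == "__main__":
    img = build_sample_image()
    hdr, parts = parse_gpt(img)
    print(f"disk GUID {hdr['disk_guid']}, {len(parts)} partitions in use")
    print(layout_table(parts))
```

Running the module prints the decoded layout of the constructed image; for a real dump, replace build_sample_image() with open("GPT-Dump.bin", "rb").read(). The CRC checks matter more than they look: a dd that was interrupted, or a card that returned garbage, produces a file that still starts with "EFI PART" and decodes into nonsense unless the checksums are verified first.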
Count on me on the TWRP part, that's my game :cool: I did the same with the LG Stylo 3 Plus TWRP; there weren't any boot or recovery images available and I managed to boot TWRP on it.
 
Count on me on the TWRP part, that's my game :cool: I did the same with the LG Stylo 3 Plus TWRP; there weren't any boot or recovery images available and I managed to boot TWRP on it.
Speaking of which, how do you actually make TWRP forks without any phone specific images? That's some voodoo.
 
What makes anyone believe there are b00 devices out there? Also, I think b03 was just the T-Mobile version of the MetroPCS b08 ? Am I wrong?
 
All we need is the physical bootloader, and BootStomp will do the hard part of actually analyzing it. Anyone got a bootloader rip?

Why not run this on the Axon 7 N bootloader (aboot)?
I actually have IDA Pro for Linux but I'm not sure if the decompiler is included.

One thing I have been thinking about this whole time is leveraging an SD card to get in. But I need to do a lot more research on SD cards and ZTE.

I was able to unlock HTC Verizon Bootloaders by creating a bootable sd card that contained HTC Firmware from carrier devices that allowed unlocking.

If I had a device GPT and a device backup I could burn a bootable SD card. Depending on whether this SD card boot function is disabled by ZTE, it could be another way in.

https://forum.xda-developers.com/desire-526/general/verizon-htc-desire-526-boot-loader-root-t3587118

https://forum.xda-developers.com/desire-526/general/super-sd-htc-526-vzw-t3596497

The big advantage here is we don't need the ability to edit anything on our locked devices.
All editing and testing is done on the SD card.
This makes it so you can try anything and not worry about bricking.
You just pull the SD card out and re-burn it.
 
Link to BootStomp https://github.com/ucsb-seclab/BootStomp
All we need is the physical bootloader, and BootStomp will do the hard part of actually analyzing it. Anyone got a bootloader rip?

Let's run this on the Axon 7 Nougat bootloader (aboot).
I would think our devices would have any found vulnerabilities as well.

You will need IDA Pro and the Hex-Rays decompiler.
I have IDA for Ubuntu but I'm not sure about the decompiler.
Anyway, I will see what I can do.
 
Did you see my inquiries?

Ah, I see them now. I'll edit this once I run them.

*Edit @messi2050 Nothing. Only request is available.

Code:
1|shell@urd:/system $ mkdir /system/test
mkdir: '/system/test': Read-only file system
1|shell@urd:/system $ cd /dev/block/by-name/
/system/bin/sh: cd: /dev/block/by-name: Permission denied
2|shell@urd:/system $
 
Let's run this on the Axon 7 Nougat bootloader (aboot).
I would think our devices would have any found vulnerabilities as well.

You will need IDA Pro and the Hex-Rays decompiler.
I have IDA for Ubuntu but I'm not sure about the decompiler.
Anyway, I will see what I can do.
I'm not saying pirate it, but $1,409 is $1,409.
I doubt ZTE/Qualcomm would have changed things up between bootloaders due to them being closed source and rarely actually touched, so I'm with you on that. If the Axon 7 has a glaring bug, the Z981 should as well.
I have no idea on how I would go about actually exploiting any bugs we found though. Sure, if it allows booting from state drives then hosting the firmware on an SD would be a viable option, but if it doesn't, I wouldn't even begin to know how to interface with the bootloader to actually exploit it.
 
I'm not saying pirate it, but $1,409 is $1,409.

I wouldn't even begin to know how to interface with the bootloader to actually exploit it.

I know IDA has some of the older versions that are free to use for the general public. And I'm pretty sure you can get a demo of the decompiler. Knowing how to use IDA could be the hard part, but there are some good tutorials.

As far as how to use a vulnerability, I would think a method similar to these would work.

http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html

http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Despite using it for the reverse of unlocking, this is a very good article.

https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/

http://newandroidbook.com/AIvI-M-RL1.pdf

http://newandroidbook.com/Articles/aboot.html

Now, if one can understand and put all those things together, you can figure out how to use an exploit.
 
I know IDA has some of the older versions that are free to use for the general public. And I'm pretty sure you can get a demo of the decompiler. Knowing how to use IDA could be the hard part, but there are some good tutorials.

As far as how to use a vulnerability, I would think a method similar to these would work.

http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html

http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Despite using it for the reverse of unlocking, this is a very good article.

https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/

http://newandroidbook.com/AIvI-M-RL1.pdf

http://newandroidbook.com/Articles/aboot.html

Now, if one can understand and put all those things together, you can figure out how to use an exploit.

I'm quite adept at reverse engineering and using decompilers. I don't have IDA though. I use x64dbg for all my debugging needs.
 
I know IDA has some of the older versions that are free to use for the general public. And I'm pretty sure you can get a demo of the decompiler. Knowing how to use IDA could be the hard part, but there are some good tutorials.

As far as how to use a vulnerability, I would think a method similar to these would work.

http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html

http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Despite using it for the reverse of unlocking, this is a very good article.

https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/

http://newandroidbook.com/AIvI-M-RL1.pdf

http://newandroidbook.com/Articles/aboot.html

Now, if one can understand and put all those things together, you can figure out how to use an exploit.
Keep in mind those are curated exclusively for the Snapdragon 800 chipset which features a nasty bug.
 