Root ZTE Zmax Pro Official Root Discussion

[Y314K]

I have B08 and B14 available for testing. I could use more people once I get it solidified though. I'm also tentative to have physical devices test it as

<a href='https://androidforums.com/members/2011113/' class='username' data-user='2011113, @GarnetSunset'>@GarnetSunset</a> had a total SoC failure while running it, so I can't 100% rule out that it can't cause physical damage.

Maybe part of the instructions will be to be in low temp AC room when working on rooting. And maybe sticking the phone in the freezer for 1/2 an hour before beginning.
Not sure what would be a safe amount of time to be left in the freezer. But make sure you double ziplock bag it.

 

[SapphireEx]

Current log

adb reboot ftm
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
//Just rebooted. Did I forget the command?
//FTM successfully entered, had to use VolDown+Power to enter it
//B08 phone connected via USB C to USB 2.0 cable
//QPST_2.7.460 extracted and started
//QPST_2.7.460 deleted the old package I apparently had
//QPST_2.7.460 successfully installed
//Device not detected. No driver loaded. Attempting load via CDD. Failed. Attempting Sigma drivers. Failed
//Hardware ID is: USB\VID_19D2&PID_0500&REV_0310&MI_00 (ZTE Modem/ Composite USB?
//Forced driver install 'Generic ADB driver' successful.
//QPST still not detected. Pretty sure it requires a COM port.
//Reinstall driver as Qualcomm HS-USB QDLoader 9008 (On port 21) successful.
//QPST detects phone as 'MSM8952'
//QPST properties of MSM8952: No MIN Analog, STATE Entering CDMA, VERSION MPSS.TA.1.0.c3-00069-8952_GEN_PACK-1.55637.1.58990.1, MSM 2300-A2
//COMPILED Jun 22 2016
//Service Port Mapping: ERROR Could not read RDM_DEV_MAP from selected phone
//SWITCH MODEM TO DIAG (Did nothing?)
//START CLIENTS- BACKUP instantly crashed QPST
//QPST EFS Explorer (Currently communi...holy shit. We have read access
//Error NV read only state
//So no writing for us eh?
//Backing up NVMemory from phone: Success (A little tip here. Use QCN and NOT XQCN.
//Restoring the just dumped NVMemory: Success! (We have write access)
//Going to try something really stupid. Flashing 8660.mbn. If it does flash, we have unsigned MBN access, on the bad side, I lose a debug phone.
//Error could not create a temp directly. Bloody win10 I swear. Restarting QPST in Admin mode.
//Its backing up the NVRAM currently.
//It did it.
--------------------------
//Final edit. Upon entering Sahara mode, I get an error that is specifically "Could Not Communicate with Flash Programmer"

I will continue to update this as I can

*Edit Holy **** we can communicate.

@messi2050 @GarnetSunset You guys wanna jump in on this?

The debug unit is bricked, but I successfully flashed a bad MBN. Probably. It glitched I think. Phone rebooted as normal.

 

[Beany23]

I'm also getting in on the action downloading qpst now

 

[jdoggthemaster4089]

Current log

<br>

<div style='margin: 1em auto' title='Code'>

<ol class='text' style='font-family:monospace;'>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

adb reboot ftm

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

* daemon not running. starting it now on port 5037 *

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

* daemon started successfully *

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//Just rebooted. Did I forget the command?

</div></li>

<li style='font-weight: bold; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//FTM successfully entered, had to use VolDown+Power to enter it

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//B08 phone connected via USB C to USB 2.0 cable

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//QPST_2.7.460 extracted and started

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//QPST_2.7.460 deleted the old package I apparently had

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//QPST_2.7.460 successfully installed

</div></li>

<li style='font-weight: bold; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//Device not detected. No driver loaded. Attempting load via CDD. Failed. Attempting Sigma drivers. Failed

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//Hardware ID is: USB\VID_19D2&PID_0500&REV_0310&MI_00 (ZTE Modem/ Composite USB?

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//Forced driver install 'Generic ADB driver' successful.

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//QPST still not detected. Pretty sure it requires a COM port.

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//Reinstall driver as Qualcomm HS-USB QDLoader 9008 (On port 21) successful.

</div></li>

<li style='font-weight: bold; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//QPST detects phone as 'MSM8952'

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//QPST properties of MSM8952: No MIN Analog, STATE Entering CDMA, VERSION MPSS.TA.1.0.c3-00069-8952_GEN_PACK-1.55637.1.58990.1, MSM 2300-A2

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//COMPILED Jun 22 2016

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//Service Port Mapping: ERROR Could not read RDM_DEV_MAP from selected phone

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//SWITCH MODEM TO DIAG (Did nothing?)

</div></li>

<li style='font-weight: bold; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

//START CLIENTS- BACKUP instantly crashed QPST

</div></li>

<li style='font-weight: normal; vertical-align:top;'>

<div style='font: normal normal 1em/1.2em monospace; margin:0; padding:0; background:none; vertical-align:top;'>

 

</div></li>

</ol>

</div>I will continue to update this as I can

<br>

<br> *Edit Holy **** we can communicate.

<br>

<br>

<a href='https://androidforums.com/members/1983077/' class='username' data-user='1983077, @messi2050'>@messi2050</a>

<a href='https://androidforums.com/members/2011113/' class='username' data-user='2011113, @GarnetSunset'>@GarnetSunset</a> You guys wanna jump in on this?

Heck yeah bro. Keep the phone cool the the motherboard doesn't glitch out.

 

[SapphireEx]

What happens next?

The phone is being a bastard and rebooting every time I enter EDL mode. But it seems QPST doesn't like EDL anyways.

 

[SapphireEx]

This is also happening with my device too

Do this. Hold VolDown and VolUP, then plug in the USB. You MUST keep holding both down while you work or it will reboot.

 

[Y314K]

Do this. Hold VolDown and VolUP, then plug in the USB. You MUST keep holding both down while you work or it will reboot.

Did u move over to your 2nd device or where you able to get back on your debug unit. Was the debug unit your B14 or B08 unit?

 

[SapphireEx]

Did u move over to your 2nd device or where you able to get back on your debug unit. Was the debug unit your B14 or B08 unit?

I use the B08 for all testing. The build really shouldn't matter as QPST is a Qualcomm level interface.

 

[SapphireEx]

I'm sure @Bigcountry907 or @messi2050 will know what to make about all of this.
Running a port trace didn't actually output any info, so I can't see what's causing the hang up on the programmer. If I had that info I could do some more work, but until then, it's up to people more suited for this kind of work. I'll be over here playing with my little frames.

 

[Ownster]

Nice Progress

 

[SapphireEx]

I came across a 'build id' Idk if it has to do with QPST or Notepad ++ but it was in load.cmm

<br>

<br> ;[''' Build ID: 8952A-SAASANAZA-40000000''''']

<br> ; Time Stamp unavailable from boot loader.

<br> if OS.FILE(OCIMEM.BIN)

<br> (

<br> d.load.binary OCIMEM.BIN 0x8600000 /noclear

<br> )

<br> if OS.FILE(CODERAM.BIN)

<br> (

<br> d.load.binary CODERAM.BIN 0x200000 /noclear

<br> )

<br> if OS.FILE(DATARAM.BIN)

<br> (

<br> d.load.binary DATARAM.BIN 0x290000 /noclear

<br> )

<br> if OS.FILE(MSGRAM.BIN)

<br> (

<br> d.load.binary MSGRAM.BIN 0x60000 /noclear

<br> )

<br> if OS.FILE(IPA_SRAM.bin)

<br> (

<br> d.load.binary IPA_SRAM.bin 0x7945000 /noclear

<br> )

<br> if OS.FILE(IPA_HRAM.bin)

<br> (

<br> d.load.binary IPA_HRAM.bin 0x7949000 /noclear

<br> )

<br> if OS.FILE(IPA_DICT.bin)

<br> (

<br> d.load.binary IPA_DICT.bin 0x794f000 /noclear

<br> )

<br> if OS.FILE(IPA_IRAM.bin)

<br> (

<br> d.load.binary IPA_IRAM.bin 0x7950000 /noclear

<br> )

<br> if OS.FILE(IPA_DRAM.bin)

<br> (

<br> d.load.binary IPA_DRAM.bin 0x7954000 /noclear

<br> )

<br> if OS.FILE(IPA_MBOX.bin)

<br> (

<br> d.load.binary IPA_MBOX.bin 0x7962000 /noclear

<br> )

<br> if OS.FILE(IPA_REG1.bin)

<br> (

<br> d.load.binary IPA_REG1.bin 0x7904000 /noclear

<br> )

<br> if OS.FILE(IPA_REG2.bin)

<br> (

<br> d.load.binary IPA_REG2.bin 0x7940000 /noclear

<br> )

<br> if OS.FILE(IPA_REG3.bin)

<br> (

<br> d.load.binary IPA_REG3.bin 0x7960000 /noclear

<br> )

<br> if OS.FILE(PMIC_PON.BIN)

<br> (

<br> d.load.binary PMIC_PON.BIN 0x86773b18 /noclear

<br> )

<br> if OS.FILE(RST_STAT.BIN)

<br> (

<br> d.load.binary RST_STAT.BIN 0x86773b10 /noclear

<br> )

<br> if OS.FILE(PMIC_RTC.BIN)

<br> (

<br> d.load.binary PMIC_RTC.BIN 0x86773b14 /noclear

<br> )

<br> if OS.FILE(DDR_DATA.BIN)

<br> (

<br> d.load.binary DDR_DATA.BIN 0x86771000 /noclear

<br> )

<br> if OS.FILE(RAMCON.BIN)

<br> (

<br> d.load.binary RAMCON.BIN 0x9ff00000 /noclear

<br> )

<br> if OS.FILE(DDRCS0.BIN)

<br> (

<br> d.load.binary DDRCS0.BIN 0x80000000 /noclear

<br> )

<br> if OS.FILE(DDRCS1.BIN)

<br> (

<br> d.load.binary DDRCS1.BIN 0xc0000000 /noclear

<br> )

<br>

<br> But I'm not fit for this work.

This looks like generic SoC files for the actual motherboard. Not much interesting here. I could be wrong though.

 

[SapphireEx]

Also I've Come across 'ZTE Signing Root0' And 'ShangHail' ?

If ZTE was actually stupid enough to put their key in the system, we'll have everything we need. If it's just a generic folder, meh. Pull what you can and upload it to Gdrive or something. I'm sure it'll be useful to someone.

 

[Ownster]

Can do.

 

[SapphireEx]

What would a signing key possibly look like?

They can be anything. My debug key is literally DebugKey. As those strings have no relevance on Google, I can assume some things.

1. It's the actual signing keys
2. It's the hash (of what algorithm, I have no idea) of the signing key
3. It's random strings from a ZTE engineer that got bored.
4. It's nothing.
5. It's root certificates for SSL and other things. Why they would be there, I have no idea.

 

[SapphireEx]

So almost like a MD5 Hash. Alrighty Then.

<br>

<br> almost like this?

<br> 'e2b7cc41de4c47f96c3a2cd1973f2955'

Aye.

 

[Chloe936]

Woah I missed a lot, nice progress. Let me know if I can be of any help lol.

 

[SapphireEx]

Now, while it's 'possible' to get the key from a hash, it's almost unheard of due to so many variables. Unless we had a massive rainbow table that just happens to contain that hash, we would have to bruteforce all valid key characters (lalphanumeric, alpha, symbols, and with ZTEs country of domain, whatever their alphabet is as well) to get a matching hash. The same way WPA2 bruteforcing works.

 

[SapphireEx]

Woah I missed a lot, nice progress. Let me know if I can be of any help lol.

You could do what @ExtoliS is doing and backing up various files you can get from QPST. It's relatively safe due to you just reading the data and not actually writing, but it's up to you to chance it if you even want to.
*Edit What is this trophy icon next to my name?

 

[SapphireEx]

Raw writing a partition.mbn file I stole from another phone results in a "Could not... Programmer" error.

Alright.

And I believe the country of domain is China.

As I came across ShangHai on multiple occasions.

And if you want me to @SapphireEx I can do bruteforce if it comes to that.

It's not worth it until we can confirm what those strings are, and even then, it'd be better to self sign an MBN with that 'key' and try to flash it. If it does come down to a brute force, you'd be better off with a nation class super computer. The max permutations is an absolutely absurd number due to the lack of a keylimit. Even 000000000000000 with laphanumeric could take centuries.

 

[SapphireEx]

Welp... My company I own has a super computer... But I don't feel like using it. And I only have one lifetime to live, so never mind on that bruteforce. I'll just go crash my PC with programming again.

I've read somewhere that Sahara responds to python code, and raw codes (00 00 00 00 etc). You could give that a go.

 

[loonycgb2]

Don't forget qpst only reads nvram aka memory and readable partitions.

One of the screenshots posted was of the cert partition for all debug/user key and encryption storage

 

[messi2050]

Also I've Come across "ZTE Signing Root0" And "ShangHai1" ?
ZTE10UZTE Signing Root0
160126101502Z
360121101502Z0j1

But like i said im not fit for this work. Im just a basic progammer

Is exactly in same format, you can expect everything from zte.

 

[messi2050]

Do you think we're close to having root on this device?

When i was surfing other zte firehoses i always came across those (ZTE10UZTE Signing Root0) it was typially 3 or 4 per one programmer, idk have to try on my zmax to check those new information.

 

[messi2050]

Current log

adb reboot ftm
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
//Just rebooted. Did I forget the command?
//FTM successfully entered, had to use VolDown+Power to enter it
//B08 phone connected via USB C to USB 2.0 cable
//QPST_2.7.460 extracted and started
//QPST_2.7.460 deleted the old package I apparently had
//QPST_2.7.460 successfully installed
//Device not detected. No driver loaded. Attempting load via CDD. Failed. Attempting Sigma drivers. Failed
//Hardware ID is: USB\VID_19D2&PID_0500&REV_0310&MI_00 (ZTE Modem/ Composite USB?
//Forced driver install 'Generic ADB driver' successful.
//QPST still not detected. Pretty sure it requires a COM port.
//Reinstall driver as Qualcomm HS-USB QDLoader 9008 (On port 21) successful.
//QPST detects phone as 'MSM8952'
//QPST properties of MSM8952: No MIN Analog, STATE Entering CDMA, VERSION MPSS.TA.1.0.c3-00069-8952_GEN_PACK-1.55637.1.58990.1, MSM 2300-A2
//COMPILED Jun 22 2016
//Service Port Mapping: ERROR Could not read RDM_DEV_MAP from selected phone
//SWITCH MODEM TO DIAG (Did nothing?)
//START CLIENTS- BACKUP instantly crashed QPST
//QPST EFS Explorer (Currently communi...holy shit. We have read access
//Error NV read only state
//So no writing for us eh?
//Backing up NVMemory from phone: Success (A little tip here. Use QCN and NOT XQCN.
//Restoring the just dumped NVMemory: Success! (We have write access)
//Going to try something really stupid. Flashing 8660.mbn. If it does flash, we have unsigned MBN access, on the bad side, I lose a debug phone.
//Error could not create a temp directly. Bloody win10 I swear. Restarting QPST in Admin mode.
//Its backing up the NVRAM currently.
//It did it.
--------------------------
//Final edit. Upon entering Sahara mode, I get an error that is specifically "Could Not Communicate with Flash Programmer"

I will continue to update this as I can

*Edit Holy **** we can communicate.

@messi2050 @GarnetSunset You guys wanna jump in on this?

The debug unit is bricked, but I successfully flashed a bad MBN. Probably. It glitched I think. Phone rebooted as normal.

Is adb reboot ftmmode to enter ftm

 

[messi2050]

Also I've Come across "ZTE Signing Root0" And "ShangHai1" ?
ZTE10UZTE Signing Root0
160126101502Z
360121101502Z0j1

But like i said im not fit for this work. Im just a basic progammer

where was those information ?