
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
Here is a video that shows how to modify the LTE decimal value.
How to enable more bands:
- Follow the above video till the LTE BC config step
- Use the NV Calculator app in the Play Store to get the decimal value
- Write it to the device, all of this in FTM mode
 
You can use NV Calculator from the Play Store: check the bands you want to add, then write it to NV LTE BC config.
Easier method that can be used on all zte phones.

Dialer-> ##3424#
Then select mtp+diag in drop down list for port.


Then use dfstool. That app has a band tab; click LTE, and once in that tab press Read...

Then select all the bands you want to enable that are available and then click Write.

You don't need to go into FTM mode; it can be done with a normal boot.
 
That code didn't work on my Zmax.
 
Oooooh. Do we have a PoC anywhere?
*Edit: Whatever happened to the guy who had Cloak and Dagger running?

He got others to get it to supposedly work. And he freaked out about ZTE and how this phone was an info leaker. Doubt he would be of any use. From reading the link: doesn't this just target the app UI overlays so it works like a keylogger? Don't see how this will get us past the bootloader or rooted.
 
First paragraph:
Security researchers warned of a high-severity Android flaw on Thursday that stems from what they call a “toast attack” overlay vulnerability. Researchers say criminals could use the Android’s toast notification, a feature that provides simple feedback about an operation in a small pop up, in an attack scenario to obtain admin rights on targeted phones and take complete control of them.
Now, they said admin, and not specifically root, but that could just be the lack of knowledge on the journalist's part. In theory, this exploit should 'just' act as a door, and allow true malware to get installed that does the rooting job.
Still, it would be wise to investigate it and see what happens, as toasting (afaik) is a system level UI element, and not just a userland script.
 
Anyone on a ridiculously low firmware like show models and B00-B04 (B03 on tmob I think) feel like testing QuadRooter? I know we tested B14 and it came back negative, but earlier patches should be vulnerable to QuadRooter.
 
Guess you already tried it on B08?

It does not work. I would've rooted ages ago. I just tried it again 'cause why not. KingRoot doesn't root it. I have never gotten temp root on this phone using KingRoot, and I have on other ZTE devices before disabling write protection, etc.

Woah I missed a lot, nice progress. Let me know if I can be of any help lol.
Please try QuadRooter for us Chloe936. Don't just try once, but 4-7 times (Come on lucky 7). Let us know how it goes.

Please upload a pic that includes the build number too, please. Really need to confirm things. Thanks.
 
I remember that. He said something about a hidden user named "sodu" or something like that.
 
Malformed command
invalid header
resource does not exist
unknown client via rpm-npa adapter
HAL_clk_GetNextClockInDomain returned 0 (ClockDomain Index: %d).
Unable to turn ON clock: %s.
%s (Enabled: 1)
system pmic_arb_base_addr owner interrupt smd_intr_enabled ClockSources
gcc_rpm_proc_fclk gcc_sys_noc_axi_clk gcc_sys_mm_noc_axi_clk gcc_pcnoc_ahb_clk gcc_bimc_clk
gcc_apss_tcu_async_clk gcc_apss_axi_clk gcc_mss_q6_bimc_axi_clk
gcc_qdss_at_clk gcc_qdss_traceclkin_clk gcc_qdss_stm_clk gcc_qdss_tsctr_div2_clk
gcc_rbcpr_clk gcc_spmi_ahb_clk gcc_spmi_ser_clk gcc_ipa_clk
ClockLogDefaults ClockVregRailMap ClockBIMCMMNOCMap DEFAULT_FREQUENCY QTIMER_AC_BASE QTIMER_BASE

Now, this bit is VERY interesting.

Malformed command / invalid header / resource does not exist / unknown client via rpm-npa adapter
Whosawhatsit? http://www.bijishequ.com/detail/486985?p= (block diagram for RPM-NPA)
 