
Root ZTE Zmax Pro Official Root Discussion

so i got bored.
i also have absolutely no clue on how to root any android phone.
i searched for our processor (MSM8952)
found another thread with a phone that had the same processor, locked bootloader (i think) and no fastboot.
somebody modified someone else's work to make it work for their own device (CAT S60)

prog_emmc_firehose_8952_ddr.mbn
(i know messi was looking for this file)

seemed pretty straight forward.
put it in diag mode
open QFIL
load up .mbn and 2 xml files
download
and done.

google
MSM8952
or
CAT S60 root
or
prog_emmc_firehose_8952_ddr.mbn

hopefully there is someone out here that knows what needs to be done in order for it to work.
or
tell me
"this isn't how it works, stupid!"
 
i believe we tried that.
 
Which version of that uat app is the absolute minimum needed to apply twrp and root to our devices?
If you are talking about the Uni-Android Tool, 14.01 added support for ZTE devices.
I don't know if the method works, but I was looking around and trying to see if I was willing to risk $50 for the program.
 
If you are still wanting to try.
Well make sure you Sandboxie or VM the ransomware & mining included. Also pray that your ZTE will just reset itself after things fail & not trigger any eFuses. Make sure you pay with a method you can get your $50 back once reported as fraud. And record everything to prove things. You do see that only lurkers with only one post or a few post wanderers comment possessively on this fake Method.
 
Hi everyone,
I have been pointed here by @LV426 as a challenge,
My Challenge, find a method to exploit this device
for root priv. escalation, as such I'll be hanging around to read the hundred pages or more of what has been tried and didn't work .
I'll need to get to know some of you fine folks as I personally don't have hands on the device, and I'll need some willing testers as soon as I get an idea how to proceed.
There's no guarantee that I can do any better than the great guys here who have tried and fallen short.
But I'm going to try, and I have had success on other devices where NO ONE else managed it. So maybe we'll crack this too.

If anyone knowledgeable about this thread would like to chime in and bring me up to date , kinda sum up everything so I don't have to read 100 + pages to catch up it would be very helpful.

Thanks,
Astr4y4L
Team_Astr4y4L
 
Well if you don't want to start at 0 then this is as far as things have gotten: https://androidforums.com/posts/7700211/
 
A summary would be extremely useful. Thanks Y314K.
Will be more specific once I get permission to repost. But that links post even has the program created so far.

But basically the biggest road block will be dealing with the bootloader.
 
wowzers looking at this looks like i just stepped in to kick the proverbial hornets nest, LOL.

Question,
Has anyone tried anything using Qualcomm's proprietary tools such as QFIL and QXDM?
and does anyone have a quick link to grab the firmware for the device?
those would be my starting point.

MSM = Qualcomm
a lot of times I've been able to "Modify" certain manufacturer's recovery tools to flash individual partitions and such,
is there a tool for recovering zte devices?

Oh and EVERY single thing I ever read at GSM forums was full of Krap,
Every program they claim over there costs WAY too much and I don't believe the Hype about stupid Chinese "dongle" softwares...
It's all designed to take advantage of a desperate situation.


That being said.
I will require the firmware for the device.
I will start by de-compiling that to see the guts of it.
as for software fuses, mostly thats a bootloader thing,
if you try to change the boot structure it'll trip the E or Q fuses.

but, the problem with marshmallow up is DM-verity,
which is only easily bypassed by unlocked bootloader...
I read something about dirtycow?

it looked like @SapphireEX said something about His/Her dcow and recowvery script... which would be actually created by or from the work of
James Christopher Adduono
link to that at github is here

https://github.com/jcadduono/android_external_dirtycow

precompiled works from that are hosted over at OffensiveSEC "Kali/Nethunter"
link to that is here

https://build.nethunter.com/android-tools/dirtycow/

I have used some of that on other devices with various amounts of success.

but yeah,
from here I want a look at the firmware, and i want to extract the /boot from it and get a look at fstab
see what our mount flags and verity flags are set to.
then the next step will be to find something / anything to exploit, to run unsigned code in context of system server...
if we get that far, we golden.
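One way to do the fstab check described above (reading the mount and verity flags per partition), as an added Python example that is not the poster's code and not anything pulled from the ZTE Zmax Pro: the fstab lines below are constructed, and the audit simply reports read-only partitions that carry no verify/avb flag and a userdata entry whose encryption is missing or only optional. It is an integrity/configuration audit, the kind of check you would run on a boot image dump to see what dm-verity actually covers.

```python
import re
from dataclasses import dataclass


@dataclass
class FstabEntry:
    src: str
    mount_point: str
    fs_type: str
    mnt_flags: list          # kernel mount options, e.g. ["ro", "barrier=1"]
    fs_mgr_flags: dict       # fs_mgr flags; bare flags map to "", e.g. {"wait": "", "verify": ""}


def parse_fstab(text):
    """Parse Android fstab text (src mount_point type mnt_flags fs_mgr_flags) into entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 5:
            raise ValueError(f"malformed fstab line: {raw!r}")
        src, mount_point, fs_type, mnt_flags, fs_mgr = fields[:5]
        mgr = {}
        for item in fs_mgr.split(","):
            key, _, value = item.partition("=")
            mgr[key] = value
        entries.append(FstabEntry(src, mount_point, fs_type, mnt_flags.split(","), mgr))
    return entries


# fs_mgr flags that put a partition under integrity verification (dm-verity / AVB)
VERITY_FLAGS = ("verify", "avb")
# fs_mgr flags that enable userdata encryption; "encryptable" only allows it, "forceencrypt" enforces it
ENCRYPTION_FLAGS = ("forceencrypt", "forcefdeorfbe", "fileencryption", "encryptable")


def audit_fstab(entries):
    """Return (mount_point, finding) pairs for mounts whose fs_mgr flags look weak."""
    findings = []
    for e in entries:
        read_only = "ro" in e.mnt_flags
        verified = any(flag in e.fs_mgr_flags for flag in VERITY_FLAGS)
        if read_only and not verified:
            findings.append((e.mount_point, "read-only partition not covered by dm-verity/AVB"))
        if e.mount_point == "/data":
            present = [f for f in ENCRYPTION_FLAGS if f in e.fs_mgr_flags]
            if not present:
                findings.append((e.mount_point, "userdata has no encryption flag"))
            elif present == ["encryptable"]:
                findings.append((e.mount_point, "userdata encryption is optional (encryptable), not forced"))
    return findings


# Constructed sample fstab (not from any real device): mostly hardened, with one unverified read-only partition (/oem).
SAMPLE_FSTAB = """\
# <src>                                  <mnt_point> <type> <mnt_flags>                                   <fs_mgr_flags>
/dev/block/bootdevice/by-name/system    /system     ext4   ro,barrier=1,discard                          wait,verify
/dev/block/bootdevice/by-name/vendor    /vendor     ext4   ro,barrier=1                                  wait,verify
/dev/block/bootdevice/by-name/oem       /oem        ext4   ro,barrier=1                                  wait
/dev/block/bootdevice/by-name/userdata  /data       ext4   noatime,nosuid,nodev,barrier=1,noauto_da_alloc wait,check,forceencrypt=footer
/dev/block/bootdevice/by-name/cache     /cache      ext4   noatime,nosuid,nodev,barrier=1                wait,check
"""

# Constructed weak variant: /system without verity and userdata only "encryptable".
WEAK_FSTAB = """\
/dev/block/bootdevice/by-name/system    /system     ext4   ro,barrier=1                                  wait
/dev/block/bootdevice/by-name/userdata  /data       ext4   noatime,nosuid,nodev,barrier=1                wait,check,encryptable=footer
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_FSTAB), ("weak", WEAK_FSTAB)):
        print(f"== {name} ==")
        for mount_point, finding in audit_fstab(parse_fstab(text)):
            print(f"  {mount_point}: {finding}")
```

On a real dump you would feed it the fstab pulled out of the boot image ramdisk (fstab.qcom on most Qualcomm devices); a partition that is read-only but shows no verify/avb flag is one the bootloader is not integrity-checking at mount time, which is exactly the kind of detail the post above says it wants to read off fstab.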
 
oops quoted myself. LOL

but would like to also say, if it's susceptible at all to DirtyCow,
we may be able to write a shell script, name it the same as a script located in system, something already called by system, and dirtycow our script into the place of the existing script, trigger the event that causes system to call the script, and at that point it'll call it from memory, and it'll load our script and execute it...
just an abstract thought here...
please nobody beat me up for it LoL.
 
We are counting on you, good luck
 
looks like it deleted my other prev. post too ... oops
but yeah anybody got a link to firmware?
 
No firmware.

JCadduono's rec0wvery is being used as a secondary entry point, and has nothing to do with my entry point.

QFIL and etc are not going to work without a signed firehose. Something we discussed a few dozen pages back. The random MBNs found online are not signed. Attempting to use these will result in a Sahara fail due to sig check.

DM-Verity can be bypassed in software rather easily. My tools themselves prove that.

If we had the firmware, we wouldn't be at this stage. The only thing released from ZTE is update packages, and the kernel. Neither of which is useful to exploitation at this stage.

Rec0wvery can be used to elevate to u:r:init:s0, while my tools can be used to elevate to u:r:system_server:s0. Making use of rec0wvery's context hijack would require a hard modification to rec0wvery, something I haven't gotten around to. The main issue is the locked bootloader, and SELinux. Setting permissive is proving to be a challenge.
 
Ahhh, so no firmware....
anybody managed a Dump yet?
individual partitions dumps may be of use...
 
All of /dev/block/* is unreadable to us. Partitions can't be pulled, or even read yet without the recovery context, and that limits us just to recovery.

The mount points are readily available to view, but still no reading content.
 
this
Making use of rec0wvery's context hijack would require a hard modification to rec0wvery, something I haven't gotten around to.

would be a great place to start digging then.
and just so i don't have to keep bouncing all over, would you mind sharing a link to the tools/kit you put together thus far?
I'd like a look at the source from that code.

and also, If we're going to be working together on all of this,
would everybody please refrain from bashing each other on here?
that type of thing is frowned on and doesn't lead to team-work or productivity...

if someone's a liar or a D****Bag i'm sure they know it . and declaring it publicly on AF isn't going to help us root any phones LoL

All of that said,
I'm willing to work on this with anyone who's knowledgeable about the device and can test things hands on.
and if anyone has succeeded in dumping the partitions, the dumps would help a lot as "NO FIRMWARE"
gives me nothing to disassemble.

Thanks
Astr4y4L
Team_Astr4y4L
 
I've already sent you a link to our discord, where the latest version of my tools are.
 
in a perfect world, All of them LoL
but if I can get /system /vendor /recovery/ /modem or /radio that would be good places to start looking to exploit.
A
I can upload boot and recovery images for now as I have a slow connection; the only thing I found interesting there is that FTM mode has its own init scripts and the system partition is not encrypted in FTM mode.
 