Root ZTE Zmax Pro Official Root Discussion

[Billyckansbar]

I have to say I'm as paranoid as you can get, but even I find it pretty crazy. I sincerely doubt that the company is spending valuable time tracking the various forums just to track our progress to stop us. Just doesn't make sense. I mean think about it... Why? To prevent us from getting root? I eagerly they have better things to do than track the community that closely and try to thwart is at every turn. They sent out the software the way they did then walk away. Sure the updates will have but fixes but I doubt derived be spying on us. They made it hard to root and if we find a way it's easier for they to just disclaim warranty etc than some vast spring conspiracy. This is from someone who encrypts everything, uses multiple VPN's, etc. I just don't see how that level of tracking and counter intelligence measures makes business sense... Paying someone to spy etc. Just can't see a justification. Maybe the NSA pulls that but ZTE? They want a secure product sure, but they are not, I'm sure, against the increased sales a rooted phone might get. I imagine they only have it this secure to protect the average users and because of contractual restrictions with carriers. Just my 2¢ tho... They aren't that fast patching bugs but they are hyper aware to patch root avenues. What next accuse them of reading messages to Messi or other developers? I love a conspiracy but it had to be logical

If ZTE really doesn't want the Zte Max pro rooted why wouldn't they monitor AF and XDA?

It just seems so logical, but it's a crazy world where logical thought is frowned upon. Oops stay in the box!

 

[Beany23]

Enlighten me again... Ftm mode? What happened with that? I've tried finding it on the thread but no go I ask only because I can boot into ftm mode and maybe use SRS root?

 

[loonycgb2]

Hey try this on emulator:

cd $bindir
Toybox mount -o remount,re

LOL. WTF did I just do. Is re even a valid command?

Hmmm I did
Toybox mount -o remount,rw

With same output. So did I mount it rw? I can see most directories have been mounted rewritable except for rootfs it is still in ro mode.

I crack it huh? OR not? Anyone?

Holy shit guys selinux dir is rw mode! go crack it!

To do a remount r/w you need to specify the partition you are trying to remount or else it will give you a bad command.

Enlighten me again... Ftm mode? What happened with that? I've tried finding it on the thread but no go I ask only because I can boot into ftm mode and maybe use SRS root?

FTM mode can be accessed by vol down and power i think? But it gives you a locked down shell only.

FTM is used to unbrick at system level and EDL is used to unbrick at bootloader level.

But FTM tools created by zte were leaked long ago, but nobody has the files to use it as its per device usage.

 

[asianrocker]

To do a remount r/w you need to specify the partition you are trying to remount or else it will give you a bad command.

ok give me a list of partitions I can try. I tried / - which I assume is the root. But with the list that came out in the command - root fs is ro mode, selinux is rw mode though so I don't know why setenforce command still gives permission denied.

 

[loonycgb2]

ok give me a list of partitions I can try. I tried / - which I assume is the root. But with the list that came out in the command - root fs is ro mode, selinux is rw mode though so I don't know why setenforce command still gives permission denied.

The only partition that would need r/w is system as thats where root would be needed.

mount -o remount,rw /system

Also the "setenforce" commands needs root or higher permission level.

You cant set it as a user.

 

[lambo352]

Enlighten me again... Ftm mode? What happened with that? I've tried finding it on the thread but no go I ask only because I can boot into ftm mode and maybe use SRS root?

Tried it and fails.. it said I was rooted but fail root checker.. maybe if we quit focusing on one thing we can get somewhere.. me, Messi and several other folks on here already informed you guys that MBN files plus qfil is our only hope.. we obviously don't have access to the MBN but I been posted a link for our pros to make them and yet.. no one tried.. no results on how many files were successfully created. I just keep reading about you guys repeating what has been done.. can we revisit the MBN and focus our attention on that.. with this knowledge I expected root by now.. I wish I had Linux skills to pay the bills.. old have root already.. the link to the tools to create MBN files is a few pages back. I've been MIA like most cause I'm beta testing but I'm still trying to help.. if someone succeed at creating the MBN, please pass it on to Messi to inject recovery. Don't be a glory hog.. I also was looking to pull an OTA.. in ES file manager when I search OTA from the root directory a key folder showed up.. I tried to pull it and it said it pulled but could not locate the file in the directory it was supposed to go to..

 

[lambo352]

To do a remount r/w you need to specify the partition you are trying to remount or else it will give you a bad command.
From tools!?.. how come no one shared them.. the last tool I used which works is qfil


FTM mode can be accessed by vol down and power i think? But it gives you a locked down shell only.

FTM is used to unbrick at system level and EDL is used to unbrick at bootloader level.

But FTM tools created by zte were leaked long ago, but nobody has the files to use it as its per device usage.

Which ftm tools.. no one shared them.. I've been using qfil..

 

[Greysworld007]

I have to say I'm as paranoid as you can get, but even I find it pretty crazy. I sincerely doubt that the company is spending valuable time tracking the various forums just to track our progress to stop us. Just doesn't make sense. I mean think about it... Why? To prevent us from getting root? I eagerly they have better things to do than track the community that closely and try to thwart is at every turn. They sent out the software the way they did then walk away. Sure the updates will have but fixes but I doubt derived be spying on us. They made it hard to root and if we find a way it's easier for they to just disclaim warranty etc than some vast spring conspiracy. This is from someone who encrypts everything, uses multiple VPN's, etc. I just don't see how that level of tracking and counter intelligence measures makes business sense... Paying someone to spy etc. Just can't see a justification. Maybe the NSA pulls that but ZTE? They want a secure product sure, but they are not, I'm sure, against the increased sales a rooted phone might get. I imagine they only have it this secure to protect the average users and because of contractual restrictions with carriers. Just my 2¢ tho... They aren't that fast patching bugs but they are hyper aware to patch root avenues. What next accuse them of reading messages to Messi or other developers? I love a conspiracy but it had to be logical

It makes perfect sense. This thread is the only thread that made any kind of headway in rooting the zmax pro. That's why they watch it. Every company wants a unhackable firmware. That's why they watch this thread. It's not the phone that's being locked down it's the firmware Wich means the same unhackable basic firmware and be updated and transfered to there latest phones. That's why they watch this thread. It's much easier to sell the general public(people who don't root) a unhackable phone,because the general public main concern is security. The average consumer DOESN'T want a phone that can be rooted. That's why they watch this thread. No matter how many professionals they employ, all it takes is one bright idea from the average Joe with a little knowledge about rooting to compromise the security of there firmware. That's why they watch this thread. It all comes down to money. The more unhackable a system is, the easier it is to sell Wich means more money for the company. That's why they watch this thread.

 

[asianrocker]

Well installing gnuroot app I think takes me to root I was able to go to boot dir. Don't know what to do with it though. Go crack it. And su command works. What do I do with this?

Yap this has su installed LOL. Don't know what to do with this guys. If installing gnuroot app gives us root access. Am I the one that will get the money for rooting this shitty phone? LOL.

I got root coz I get the # prompt instead of just $. Also clearly says root in the command prompt.

It has su command but no busybox, toybox and setenforce commands so far that I tried.

Mount command also fails. But I know it is just a matter of time now. As long as su command works.

 

[tunajelly]

What I believe you have is a Linux sub system that does not require root on the device. If you think you have full root check to see if super user binaries are installed then use root checker install ROM toolbox and see if you can get past the first screen and approve root access. Good luck. This would be great.

 

[asianrocker]

What I believe you have is a Linux sub system that does not require root on the device. If you think you have full root check to see if super user binaries are installed then use root checker install ROM toolbox and see if you can get past the first screen and approve root access. Good luck. This would be great.

What's good with this is you can install binary packages. And if I am an expert in linux I would know what binaries I need to install to make this in rw mode or you know fully rooted. I am putting this really good app out here that is really close in getting root.

The mount command here at least tried to mount /system but failed for some reason.

 

[armandop_]

What I believe you have is a Linux sub system that does not require root on the device. If you think you have full root check to see if super user binaries are installed then use root checker install ROM toolbox and see if you can get past the first screen and approve root access. Good luck. This would be great.

That app creates a virtual Linux system hence why the su command works. It's basically like the Linux subsystem on Windows 10

 

[asianrocker]

That app creates a virtual Linux system hence why the su command works. It's basically like the Linux subsystem on Windows 10

Yap but playing on apt-get command in the help info.. it says this apt has super cow powers! LOL. Is that more powerful than dirty cow?

 

[Jimmy Dixx]

Not quite. Much older though.

 

[Jimmy Dixx]

Apt-get is basically like the Play store for command line Linux.

 

[biledigger]

New kingroot released on XDA. I didnt get root. But im on b14. B08 might work. Give it a shot.

 

[biledigger]

Seriously. Wtf am i tampering with and is this even worth touching?

 

[biledigger]

How would we go about installing the busybox already built into our phones by hand using a terminal and choosing an alternate installation path that we can get control over? The built in busybox installer has the su binaries inside of it.

 

[Duardo]

Hello, been viewing the forum quite sometime now, Impressive so far. Created an acct so i can say I have a..
ZTE Z981 build B08
and I tried the new kingroot V5.0.5 with no luck. It even said successfully rooted at the end, but it wasnt true. Stop around 70 percent. Ive also tried the windows desktop version with no luck.

 

[Duardo]

What the future Beholds!

 

[jaykoerner]

You know what, I've switched to a Verizon s5(had Samsung emmc so I was able to root and Install linageOS 7.1.X) I give zero shits about this phone right now and am willing to open the phone up and try finding uart pads(only have a rs232 to usb adapter hopefully that's what they are using), and if possible to directly mount the emms via soldering it to a sdcard reader(and clone everything), anyone opened the phone up? I would prefer to not rip off the finger print sensor like I almost did the last time I tried opening the phone. Any clue?

 

[jaykoerner]

Well it looks like I will have to desolder some rf cans, annoying. I'll give it a shot when I get home, hopefully there are some trace's that I can soldering on to get access to the emmc rx tx, I can hope

 

[asianrocker]

Root checker apps are failing because of wrong pathing maybe?
Some body mentioned in this thread, maybe this is already rooted?
Has anybody found it?
If im still on stock there should be no references to super user or 'su' in any area that is readable correct?

Terminal, see the error?

Yes I see the error and if you can edit where the magic number is. Just put the number it is looking for and try again. The number it wants/needs is 0xf97cff8c. So if you can put it where it should be. Maybe it will work.

 

[jaykoerner]

First random bit of info from taking it apart, the zmax pro has dual SIM slots, why? IDK but the slot can accept either 1 sim + micro SD or 2 sims, it's just that the tray can only support one sim

 

[jaykoerner]

First random bit of info from taking it apart, the zmax pro has dual SIM slots, why? IDK but the slot can accept either 1 sim + micro SD or 2 sims, it's just that the tray can only support one sim

No pads for uart(that i can see), and can't identify any traces controlling the emmc(minimum of a triple layer board and the emmc also contains the ram), can't find a pinout of the emmc, might be a dead end. If I could find the pinout I could just dump the entire device and it would help everyone, but not having luck