
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
Has anybody checked the Qualcomm website? I may be wrong, but I think I remember somebody over there was working on the rooting problem. Off-topic: anyone know if there is a fix for the screen proximity sensor problem? This is my second Max Pro since March 8th.
 
And why, exactly, would you copy and paste the OP? You are just taking up space doing that.

As far as the Qualcomm website, anybody got a link to the discussion about rooting?
 
The ZTE Z Max pro is a (very) great phone and I wouldn't dare try to root it. Remember this is a site that sells phones if you just so happened to brick the one you're screwing around with, because some things are just best left alone.
So why are you telling us this in a rooting thread?
 
Updated to latest and issues like these were never solved, however if the phone is charging the issues magically vanish until I unplug the charger, give that a shot.
 
Here is some technical talk: those are all the commands I found available in the urd (ZTE Zmax Pro codename) kernel source
https://github.com/messi2050/androi...72d81/drivers/power/reset/msm-poweroff.c#L319
(adb shell reboot unauth) will send you to the screen that should appear when you modify any system file or partition (keep pressing the power button to exit this mode)
As you can see, the disemmcwp (disable system write protection) command is still there
https://github.com/messi2050/androi...72d81/drivers/power/reset/msm-poweroff.c#L344
Been checking those commands the last week and I can say it may or may not get us somewhere xD. I didn't want to share it here at this stage, but being busy with my exams till June I thought someone may want to keep digging into this, good luck..
 
I have nothing to do so I will look into this


 
Looks like oem command unlocks bootloader (0xff) raw write to first byte of boot
 
What are the exact commands for bootloader unlock?
adb reboot oem_unlock ...which I tried..
I did try adb reboot unauth...and yes Messi.. that screen u posted did come up...I just held the power button for 3 seconds to get out of that mode..
Other commands just reboot...

edit
This may have been covered already, but when I try to flash superuser.zip via SD card update, the no verity error comes up... now I see that file is located at /verity_key
 
I'd assume adb reboot oem-

The source doesn't really describe the commands and I don't have this phone yet
 
Ah, this is good stuff. Been staying on the ZTE end of things, and nada. That's a dead end, I don't get what happened to B15 and supposedly killing the firehose. Apparently that didn't end up making it to OTA. No news from ZTE either on new devices etc, they're way too souped over the Boost version, which looks a tad more promising. Interesting files pulled, @messi2050; some of those commands remind me of the Axon before the OEM unlock became available. I wonder if we're missing something stupid, because ZTE seemed dead intent on pushing out B15 to "quelch the possibility of future security holes" as seen in the XDA post by Carlisle. There's a hole, and they haven't fixed it.
 
The commands go this way
adb shell reboot (cmd)
For ex:
adb shell reboot rtc

I tried all those; it just reboots. Also, if you don't put shell, just adb (cmd), there's an error message. I do notice that adb shell (cmd) just has the same output as in a terminal emulator. So I find it a waste of time to connect via adb.

Also scared me with the edl coz I have fastboot installed on my laptop. Only black screen and home button light blinking. I thought I bricked the shitty phone. Ugh. Anyway, fastboot can't connect, so oh well.

At least it's unbrickable lol. Oh, I also got this message: can't use on production build. Forgot what command gave that error.
 
That source is rather interesting. Given the very brief readthrough I did, I see one thing which could allow us to write directly to the EMMC.

Code:
} else if (!strncmp(cmd, "disemmcwp", 9)) {
        pr_err("disemmcwp\n");
        /* add interface to enable/disable emmc write protct function */
        __raw_writel(0x776655aa, restart_reason);
} else if (!strncmp(cmd, "emmcwpenab", 10)) {
        pr_err("emmcwpenab\n");
        __raw_writel(0x776655bb, restart_reason);

If we can disable the write protection, we can either A. Hardmod the phone with a flasher and force our own software into the EMMC, or B. Write to it directly from ADB inside one of the various debug modes.

But a little bit later, it's calling for the configuration of the firehose loader. If I can modify the loader configuration to allow unsigned MBNs, this should be easy. But, I don't have a single clue as to how I would go about this.
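
The dispatch quoted in the post above, modelled in user-space C as an added example (not code from the kernel tree or from any poster): it shows that `strncmp` with a fixed length accepts any command that starts with the keyword, next to a stricter variant a reviewer might ask for. `reason_hardened`, `production_build`, `count_wp_off` and `REASON_NONE` are assumptions made for illustration; how the bootloader treats either value is not shown on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Magic values copied from the quoted snippet; REASON_NONE is constructed. */
#define REASON_DISEMMCWP  0x776655aau
#define REASON_EMMCWPENAB 0x776655bbu
#define REASON_NONE       0u

/* Dispatch as quoted: strncmp() with a fixed length is a prefix match,
 * so any command that merely starts with the keyword is accepted. */
uint32_t reason_as_quoted(const char *cmd)
{
    if (!strncmp(cmd, "disemmcwp", 9))
        return REASON_DISEMMCWP;
    if (!strncmp(cmd, "emmcwpenab", 10))
        return REASON_EMMCWPENAB;
    return REASON_NONE;
}

/* Hypothetical stricter dispatch (not ZTE's code): exact match only, and
 * the "write protection off" request is refused on a production build. */
uint32_t reason_hardened(const char *cmd, bool production_build)
{
    if (!strcmp(cmd, "emmcwpenab"))
        return REASON_EMMCWPENAB;
    if (!strcmp(cmd, "disemmcwp") && !production_build)
        return REASON_DISEMMCWP;
    return REASON_NONE;
}

/* Audit helper: count commands that would request write protection off. */
size_t count_wp_off(const char *const *cmds, size_t n, bool hardened,
                    bool production_build)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (hardened ? reason_hardened(cmds[i], production_build)
                          : reason_as_quoted(cmds[i])) == REASON_DISEMMCWP;
    return hits;
}

int main(void)
{   /* Constructed sample input; "disemmcwp-extra" is not a real command. */
    const char *cmds[] = { "rtc", "disemmcwp", "disemmcwp-extra", "emmcwpenab" };
    printf("as quoted: %zu, hardened on production: %zu\n",
           count_wp_off(cmds, 4, false, true), count_wp_off(cmds, 4, true, true));
    return 0;
}
```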
 