
Root ZTE Zmax Pro Official Root Discussion

Sure but how do I apply temp root


SapphireEx
Can we stay on topic? Like really, we don't need to know what phones you own, what you think our chance of rooting the Z981 is, or who has the biggest stick.

That being said, use the search function in the forums themselves if you have questions, so as to avoid asking the same question already answered previously.

Sure, but how do I apply the temp root?
Finally, I'm looking for ways to pull the boot.img, but I'm not having much luck finding mount points that are rwx outside of ../tmp. If anyone has nothing to do, and a little experience with coding, use the temp root method and locate a mount point for other people to use. The more people we have working on literally any root-related task, the closer we get to installing TWRP.
 
As I said, it's gonna take a bit longer than usual.

In reality I should have kept it quiet and not hyped it up too much, but I felt the need to make it clear that this phone is not un-hackable.

We got past the first step of bypassing the blocks, but now we just need to get more info off the boot partition so we can gain root suid.

I found your source but was wondering why your output does not have the menu after the install? Is it because you don't have the boot.img?

Googling I found this. This is for suid:

https://gist.github.com/KrE80r/42f8629577db95782d5e4f609f437a54

One comment said it works for him because he made a couple of changes, which were intuitive enough. Which makes sense:

1. Changing the SUID binary filename to a file which the non-privileged user has read access to.
2. Change the shellcode to suit my 32-bit target machine.

I presume this is the line he changed:

char suid_binary[] = "/usr/bin/passwd";

We know we don't have read access to anything under /usr/bin/. So what file do we have read access to that you can replace that line with?

So, is this doable in the one you tried? Loads of suid Dirty COW PoCs here:

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

Only thing I don't like: what is "payload"? It scares me when I google it.

Another idea - you guys are talking about data/local/temp and gaining root access there. Can you use the busybox switch_root command there?
 
Last edited:
Your payload, in this instance, I believe would be your su binary.
http://imgur.com/a/o7L3U
Nope, go into Settings, Modify system settings, then Show system. Make sure you're on the page with "Enabled"; it says "No" beside RootPA for me.

Or does that mean it can't modify system settings?

RootPA has nothing to do with this exploit. At all. Even if you "disable" it, it's still running, since it is a kernel-level security program.
 
RootPA has nothing to do with this exploit. At all. Even if you "disable" it, it's still running, since it is a kernel-level security program.
Yes, I know that as I discovered a page ago. I was asked a question about it, so I answered it.
And it isn't off topic if what I said had "root" in it.
 
Yes, I know that as I discovered a page ago. I was asked a question about it, so I answered it.
And it isn't off topic if what I said had "root" in it.

And what exploit?
I never said disabling it would help us get root either, I was simply wondering what RootPA was and why it was disabled for me.

The current exploit being used to gain temp root. What the last few pages have been about.
 
The current exploit being used to gain temp root. What the last few pages have been about.
This is a root discussion not an exploit discussion.

Edit: Meaning I don't necessarily have to talk about the exploit that gets us root but rather I can ask root general questions as this is a root general discussion.

Not sure why the admin restored this conversation while completely leaving out my reasonable edits and the posts arguing with them; now it looks like I'm talking to myself, but do not attempt to continue this argument.
 
Last edited:
Why is it that when people are done they don't just be done, or if they don't care they don't just go bye-bye rather than telling everyone off first? Is getting the last word on a forum that important? I come here for the developments, not the drama. Crap, now I just contributed to it; apologies.
 
I feel the same way lol
 
Argument is over, right? Unless you have an unlockable bootloader from the manufacturer the only way to obtain root is to find an exploit that allows you to write the su binaries to the system partition. As such, discussing exploits is not only on topic, but it is the topic.


* Posts restored for continuity of the conversation.
 
Can we stay on topic? Like really, we don't need to know what phones you own, what you think our chance of rooting the Z981 is, or who has the biggest stick.

That being said, use the search function in the forums themselves if you have questions, so as to avoid asking the same question already answered previously.

Finally, I'm looking for ways to pull the boot.img, but I'm not having much luck finding mount points that are rwx outside of ../tmp. If anyone has nothing to do, and a little experience with coding, use the temp root method and locate a mount point for other people to use. The more people we have working on literally any root-related task, the closer we get to installing TWRP.
I tried Linux Dirty COW 7 months ago.
KingRoot
Kingoroot (90%)
And all other rooting methods available, to no avail.
Some phones are just made unrootable for various reasons.
Good luck guys..
Done playing with this backup phone..
 
If we wait on KingRoot nothing is going to get done for months. There are 50+ phones ahead of us in the queue, and unless one of those is locked in the same manner and a root solution is found that roots ours as well, it's not going to happen. We have come a long way these past few weeks. The phone is not unhackable. It has already become vulnerable to Dirty COW via loony's modifications. If you have been reading up on the current status of where we are at, we're nearing the home stretch. Again with the negativity. Contributions are what we need here, not more haters, especially after a mod stepped in to keep us on topic. On a side note, Ethorbit: rooting a phone with so much security and locked-down partitions REQUIRES an exploit. How do you think KingRoot does what they do, or any other dev looking to root a device when the regular methods won't work? They require a security loophole to run an exploit and execute arbitrary code to obtain a root shell where we need it, outside of userland, so we can push TWRP to our device. Keep up the great work Messi, loony, and Sapphire. You guys rock, bringing ZTE to their knees and making my dreams come true :). Keep it up friends. Good day.
 
Dirty COW works, you just need to modify a few values.
 
When we tried Dirty COW, the install of TWRP was the culprit.
Unable to execute the install or get permission to gain TWRP access.

Besides, no one knows if the TWRP even works. You will basically brick without a way to A. back up the current stock recovery and B. flash back the stock recovery. That's why I said good luck on that way of trying to root.
 
I need a copy of the update.zip please.
I just downloaded the B12 update from Google Plus.
Just Google "zmax pro update" and find it. Simple.
After extracting it, the META-INF folder gave some insight.
But there's no way to repack it without the OEM signature key.
This device needs a software flashing tool or a bootloader unlock method.
Exploits for 6.0.1 were very limited, as all devices made after 2014 were patched pretty well.
So finding an exploit takes quite some time. Welcome to the new day and age.
 
Last edited:
Gotta use the recowvery Dirty COW, not vanilla. It's slightly modified for use in dm-verity environments.
 

Be aware, the MetroPCS variants are B08, B14, and B20. T-Mobile uses different numbers. I wouldn't recommend updating to a different carrier's build.
 
I am also looking for a way to pull boot.img as well as recovery.img

Any luck yet?
