
Root ZTE ZMAX Pro (Z981) root discussion

Status
Not open for further replies.
With Marshmallow and Nougat, SuperSU and its binaries don't go in /system. Instead, the boot image is modified and a new mount point is created at /su, and that is where the binaries go. The SuperSU app is then placed in /data/app, the same place where it would go if you installed it from the Play Store. The only way to have SuperSU and its binaries installed to /system is to flash a custom kernel before flashing SuperSU.

As far as CF-Auto-Root goes, Chainfire only builds it for devices that use fastboot or Odin, and for those of you who don't know how it works, it flashes a custom recovery to your device, then uses that recovery to flash SuperSU, and then reinstalls the stock recovery.

"adb pull /system" will only give you a partial dump of system files because there are a lot of libs and binaries that can't be copied without root privileges. As for pulling partition images from the device like a boot.img, recovery.img, or system.img, that cannot be done without root access.
 
What do you suppose we do from this point, masterchief? I'm starting to get drained from all this research and trying to think of some kind of exploit that will get root or get our ROM off, since we at least have methods to flash things.
 
Honestly I don't know, but it seems when you do "adb reboot edl" the phone shows up as "Qualcomm HS-USB QDloader 9008" in Device Manager.
This could be used to flash a ROM using a program like qpst or qfil but I don't know much of anything about how to use these programs.
Also, I don't know anything about how the files would need to be packaged or what format they would need to be in.
 
I was on that page yesterday actually, reading up on this exact idea lol. If you look at page 12 I linked an app that flashes image files and stuff to phones in DFU mode, and we can boot to DFU too. And yeah, I linked QFIL or something similar after I read up on EDL. We've known we have flashing options; we've just been spending the day trying to get us the so elusive thing to flash.
 
So my ideas are pointless... Sucks.
 
Since pulling and modifying the system img is a no go, the only thing I have left is porting a recovery from a similar device. Any devices close enough? Do we have any clue how the partitions are laid out on this phone? What info do we need to even port a recovery?
 
Too much to read. Where are we at? What was done so far? Hya btw.
Basically we found out how to flash IMGs on the phone, i.e. kernels, ROMs?, recoveries etc... And a long discussion about how to use that to gain root. All we got at this point is that we need a recovery (but how we gonna get one with pulling the existing one?) or another temp root exploit till a recovery can be built using the information and files that we can access with said root to build a recovery.
 
Ok, let me get some info flowing... I have tried to set a flash.zip (no go)... I worked with the EDL stuff (emergency download mode for unbrick. NO GO...) I have tried to work every way possible with fastboot and either I'm doing wrong commands or FASTBOOT commands are completely null. FDM is most likely the fastboot mode; now the EDL stuff is our DLM to flash our firmware. Now there are two firmwares around, Z981 & Z963U. So far kernel with not commit, working to find vulnerabilities, address to XXXPPLOIT.
 
For those of you who are thinking the QuadRooter exploit might be the answer to rooting this phone: as far as I know, the last time someone found an exploit like this and turned it into a root apk was when geohot made Towelroot. Stagefright was found by a security firm, and that is probably the case with QuadRooter as well. In my opinion it's doubtful that how to implement the QuadRooter exploit will ever become public knowledge.
 
As for me, I'm not trying to create a rootkit, but I'm trying to get here
eg.
> adb push getroot /data/local/tmp
> adb shell
$ cd /data/local/tmp
$ chmod 0755 getroot
$ ./getroot

# use CVE-2013-6282 vulnerability
# kernel start address 0xc0008000
In some cases, modify KERNEL_START_ADDRESS or KERNEL_SIZE in 'getroot.c'
 
DO NOT ATTEMPT THIS, IT'S JUST AN EXAMPLE >>>
or comm like this
adb shell
(you should now see a # instead of a $. # = root)
4: exit
5: adb shell "mount -o remount,rw /system"
6: adb push su /system/xbin/su
7: adb push su /system/xbin/daemonsu
8: adb push install-recovery.sh /system/etc/install-recovery.sh
9: adb shell "chown 0.0 /system/xbin/su;chmod 06755 /system/xbin/su"
10: adb shell "chown 0.0 /system/xbin/daemonsu;chmod 06755 /system/xbin/daemonsu"
11: adb shell "chown 0.2000 /system/etc/install-recovery.sh;chmod 755 /system/etc/install-recovery.sh"
12: adb shell "sync;mount -o remount,ro /system"
13: adb install Superuser.apk

REBOOT AFTER STEP #13

Confirm root with rootchecker.
etcetcetc ...
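The artifacts those steps leave behind (su and daemonsu in /system/xbin with the setuid bit, a replaced install-recovery.sh that starts the daemon, or the /su mount of a systemless install) are exactly what a root-integrity check looks for. The following is an added example, not code from the thread or from any rooting tool: a POSIX shell scan of a filesystem tree for those indicators; the exact file paths under /su are an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): scan a filesystem tree for the
# artifacts a root install leaves behind, so a device-management or
# integrity check can flag the device. Indicators taken from the thread:
#   - systemless SuperSU mounts its binaries under /su instead of /system
#     (the exact paths under /su used below are an assumption)
#   - the posted steps drop su and daemonsu into /system/xbin with mode 06755
#     and replace /system/etc/install-recovery.sh to start the daemon at boot
# $1 is the tree to inspect ("/" on a device; a copy or test tree otherwise).
# Prints one line per indicator and returns the hit count as exit status
# (0 = none found), so it can be used directly as an if-condition.
scan_root_indicators() {
    root="${1:-/}"
    hits=0

    # Presence of su-type binaries in the systemless or system-based locations.
    for p in su/bin/su su/xbin/su system/xbin/su system/xbin/daemonsu system/bin/su; do
        if [ -e "$root/$p" ]; then
            echo "indicator: $root/$p present"
            hits=$((hits + 1))
        fi
    done

    # Setuid bit on su binaries (the chmod 06755 in the posted steps).
    for p in system/xbin/su system/xbin/daemonsu system/bin/su; do
        if [ -u "$root/$p" ]; then
            echo "indicator: $root/$p is setuid"
            hits=$((hits + 1))
        fi
    done

    # A stock install-recovery.sh exists on many devices; the tell is that the
    # replaced copy launches daemonsu rather than only re-flashing recovery.
    irs="$root/system/etc/install-recovery.sh"
    if [ -f "$irs" ] && grep -q 'daemonsu' "$irs" 2>/dev/null; then
        echo "indicator: $irs starts daemonsu at boot"
        hits=$((hits + 1))
    fi

    return "$hits"
}

# Stand-alone usage: ./rootscan.sh --scan [tree]  (name of the script is hypothetical)
if [ "${1:-}" = "--scan" ]; then
    scan_root_indicators "${2:-/}" && echo "no root indicators found"
fi
```

On a device this would run from an adb shell against "/"; the exit status makes it easy to gate an enrollment or integrity decision on the result.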
 
Don't forget the custom kernel that's needed in order to have root installed on the system partition.
 
We will get there. I've exhausted all my options. Looks like whenever KingRoot gets to this device, then we can get temp root. After temp root, we can then pull/backup the stock recovery, therefore port TWRP, then flash the superuser.zip for permanent root.
I see no other option because of no fastboot functionality.
The first ZMAX had the same issue.

If there's a temp root solution besides KingRoot, then porting TWRP is the easy part.
If we get an update (it's ZTE, so who knows if that will happen) we would have everything to get a system-based root built, but that could be a long ways away, if at all.
 
I'm off. The device shipped with 5.01, it's been updated to 6.01, doubt the root itself is cross-phone, just wanted to give it a shot.
On closer look, it seems like ZTE has both an existing phone called the Axon Mini, and one that is releasing this month? This is confusing.
 