
Root ZTE ZMAX Pro (Z981) root discussion

Status
Not open for further replies.
Ok guys, I can also confirm that we do have a regular recovery mode now. All you have to do is hold volume up when booting. I can also confirm FTM mode and safe mode. I don't know if it will make a difference, since some drivers aren't loaded when starting in safe mode, but I'm about to try KingRoot in safe mode and see the outcome. Just trying random stuff here. Just looking for flaws. Keep up hope, we WILL get this lol.

Update: safe mode doesn't show KingRoot installed even if u already installed it in regular system mode. So I tried installing it, but it goes through and will only let you choose done installing, not open. Also, it doesn't show King user in the app drawer after supposedly installing it in safe mode.
 
So here's an update:

Recovery mode = vol up while booting

FTM mode = vol down while booting

Safe mode = vol up + down while booting

(If ur phone is encrypted with a PIN at boot, the phone will boot to the MetroPCS screen twice and u must hold the key combo again at that second MetroPCS screen to get safe mode to start up.)
 
Sometimes you can pull off a temp root after a few tries with KingRoot. If it fails, power down, then back on again and run KingRoot again. Even if you get temp root, even if for only a minute that's a huge step forward. Problem is whenever system sees something it doesn't like it's going to reboot. Rebooting is what will ultimately lose temp root. Again, try power cycling and run KingRoot a few more times, very small chance it will work. Maybe even try PC KingoRoot?

That's the luck I've had with some AT&T Kyocera phones I've been trying to butcher.... And they're locked down tight
 
@Spec2nirvash, TRUE! This is how it has been with all the ZTE phones I have attempted also. They would all fail with KingRoot, but if u keep trying and clearing the data and cache of the KingRoot app, or power cycling, it will eventually work. People found with prior ZTE ZMAX phones that causing the RAM to run out greatly improved the odds.

Also, I feel you about the AT&T phone thing. Most Samsung Galaxy S6s had a problem with AT&T's ridiculous bootloader problems, as far as I know.
 
If any of the devs working on this need help with testing anything to do with this phone and Linux I can help. I've been a user of arch Linux for a while now and have experience with ethical hacking and the command line.

Also I have 2 zmax pros one with a broken screen that still works and I don't mind testing on.
 
Since the #1 rule of rooting/modding is never install updates, I'm not updating. Can someone who did update see if fastboot works in any mode? (especially recovery)
 
Since the #1 rule of rooting/modding is never install updates, I'm not willing to update. Can someone who did update see if fastboot works in any mode? (especially recovery)

You're right about the rule. Sorry people if I weren't tied up with ZTE over a warranty issue I'd try it. I have a laptop set up for ADB and hacking, but I just can't risk them sending my Zmax back to me untouched telling me to go F myself because I tampered with it. I already ate my rebate leaving Metro, so I'm left with a $200 device. Gonna try fixing it first :(
 
You're right about the rule. Sorry people if I weren't tied up with ZTE over a warranty issue I'd try it. I have a laptop set up for ADB and hacking, but I just can't risk them sending my Zmax back to me untouched telling me to go F myself because I tampered with it. I already ate my rebate leaving Metro, so I'm left with a $200 device. Gonna try fixing it first :(
Who knows this may be a rare exception. Especially if fastboot support has been added.
 
Since the #1 rule of rooting/modding is never install updates, I'm not updating. Can someone who did update see if fastboot works in any mode? (especially recovery)
No fastboot. Wonder why anyone thought zte would enable fastboot on a non flagship device. I've never heard them do that.
 
What fastboot commands should I try on my test device that would be the least risky to make sure fastboot is working. I come from galaxy s phones mostly. I've never really used fastboot I don't think on those phones. I've always had Odin and download mode or twrp.

Would:

Fastboot devices

Or

Fastboot -l

Be sufficient to decide if fastboot is working? While at the same time being non-damaging to the device.

Basically I've always had download mode, recovery mode, side loading and things like that. Never really had to mess with fastboot. I have it installed on my arch Linux box.

Being lazy asking, I'll be looking up my question on Google but if anyone reply first I'll go from there.
 
Ok I've answered my own question with Google fu. Testing now. Only question I would have is what do u mean by trying fastboot in recovery mode??? Like just connect thru USB and try fastboot commands or do u mean something else?
 
To enter fastboot .
adb command is "adb reboot bootloader"

Then if you're lucky,
fastboot oem unlock
then fastboot flash recovery recovery.img
then fastboot reboot recovery
last, flashing superuser zip.
 
Ok, I just booted into FTM mode and Recovery, and even tried in Recovery with the sideload option, and none of the fastboot commands I tried did anything. It would not recognize the device, it would just wait forever. I tried:

fastboot -l

fastboot devices

fastboot devices -l <-- probably repetitive here just trying things lol

fastboot flashing unlock_bootloader (although I didn't know what variable this command needs; it's the "request" variable. I think this may be accessed by issuing fastboot flashing get_bootloader_unlock_nonce, but I could be wrong. Funny thing, nonce is a variable needed for the pixiedust attack when hacking wifi. Probably a completely different thing, but still interesting.)

None worked. It could not recognize the device.
 
To enter fastboot .
adb command is "adb reboot bootloader"

Then if you're lucky,
fastboot oem unlock
then fastboot flash recovery recovery.img
then reboot recovery
last, flashing superuser.

adb reboot bootloader did reboot the phone, but it just booted into Android.

Edit: This is my setup.

1. developer options unlocked
2. OEM unlock checked in developer options (of course this is trivial)
4. USB debugging enabled
5. adb installed on computer, and I do have a shell terminal on the phone, not root of course.
6. encrypted with a PIN (this could be a huge problem seeing as how everything is scattered, but still I don't think this ever was a problem on Samsung phones and doing anything to do with rooting, but I could be wrong. Although I'm pretty sure, seeing as how fastboot, bootloader, and recovery should be loaded before the encrypted part or be separate altogether anyway, I don't think it should be a problem)

Honestly, I think that fastboot is probably on the phone, but there is probably some offset or bytes shifted which may be causing a block.
 
Hey, I think messi has probably already looked at the shell scripts in the adb shell root directory, but there are some very interesting files in just the regular shell user root directory, such as,

the init files (these are files that start at boot basically)

init.qcom.syspart_fixup.sh <--- this makes me think there is a byte offset going on, but I leave it to more knowledgeable people.
init.recovery.qcom.sh
verity_key <---- this could be interesting

There are many, many more very interesting files here. Although they are only on a shell user terminal session, they may provide some info.

Also, if you are in a shell user terminal through adb and just type "id", you do get the average shell user response, but there is one very interesting note here:

3001(net_bt_admin) <---- this could be a possible exploit point to look at maybe, it seems maybe it's stating there is root control over the bluetooth permissions.
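
Added example, not part of the thread: a small parser for the `id` output discussed in the post above, showing how to read the uid, the supplementary groups and the SELinux context of an adb shell. The sample line is constructed (not captured from a Z981), and the group meanings are the comments attached to those AIDs in AOSP's android_filesystem_config.h; 3001 is a supplementary group there, and the uid of the session stays 2000.

```python
import re

# Subset of AID values with the comments from AOSP's android_filesystem_config.h.
AID_MEANING = {
    0: "root",
    1004: "input devices",
    1007: "log devices",
    1011: "android debug bridge (adbd)",
    1015: "external storage write access",
    1028: "external storage read access",
    2000: "adb and debug shell user",
    3001: "bluetooth: create any socket",
    3002: "bluetooth: create sco, rfcomm or l2cap sockets",
    3003: "can create AF_INET and AF_INET6 sockets",
    3006: "read bandwidth statistics",
}
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")

# Constructed sample of what `id` prints in a non-root adb shell.
SAMPLE = ("uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),"
          "1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),"
          "3003(inet),3006(net_bw_stats) context=u:r:shell:s0")

def parse_id(line):
    """Split `id` output into uid, gid, supplementary groups and SELinux context."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    uid = ENTRY.findall(fields.get("uid", ""))
    gid = ENTRY.findall(fields.get("gid", ""))
    if not uid or not gid:
        raise ValueError("not an `id` output line")
    groups = [(int(n), name) for n, name in ENTRY.findall(fields.get("groups", ""))]
    return {"uid": int(uid[0][0]), "gid": int(gid[0][0]),
            "groups": groups, "context": fields.get("context")}

def assess(line):
    """Report whether the session is root and what each group is documented to grant."""
    info = parse_id(line)
    granted = {name: AID_MEANING.get(n, "unknown to this table")
               for n, name in info["groups"]}
    return {"is_root": info["uid"] == 0, "context": info["context"], "groups": granted}

if __name__ == "__main__":
    report = assess(SAMPLE)
    print("root session:", report["is_root"], "| SELinux context:", report["context"])
    for name, meaning in report["groups"].items():
        print(f"  {name}: {meaning}")
```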
 
Or maybe Kyocera's way of blocking fastboot. I recall on an older Kyocera of mine, the recovery partition had to be zero'd out in order to gain access to fastboot. But that was on a phone running Jellybean, and I believe before ZTE locked R/W privileges out. Surely things have changed vastly since then. I don't even know if we are as far as being able to modify a partition. Who knows. Just throwing ideas out there.

Android phones have become clamped down so tight starting with KitKat that I've just simply lost interest and learned to work around root access. Spending extra $$ for a Nexus device made it a lot easier to enjoy the rooted extras.
 
Nexus device :/ I'm jealous lol, jk. I would love to have a new Nexus. But I still can't get around the fact that this device is locked up right now, absolutely no disrespect to all the hard-working people on this project. I'm just saying, the reason I got into ethical hacking was because I liked to break security and see how far things could be pushed, and now I hack all my devices just for the adventure lol. Hell, my PS3 has had a mod chip and custom firmware forever, and after I installed it I almost lost interest lol. Keep up the great work everyone.

Anyone with any ideas to try but too worried to test: I have a test device with a cracked screen, and am willing to try whatever on it if it helps achieve our goal. Post a comment if you want me to test something. I have Windows, Linux, or Mac computers, so whatever's clever.
 
So far nothing has changed when it comes to fastboot support...
I have run all the codes I can imagine... Everything runs to key verification... Meaning SELinux will pop before everything. The only thing that comes to mind is finding someone with the skills to create an sdRecovery bootmode. I do need to send messi2050 my extra device... I just have been a bit complicated with some family health issues.... Another thing: the new things we got were frameworks apk that support all the way up to nougat 7.0.1 (sdk25),
new sdcard flash support from about phone, and video call. For that you need a person on the same carrier, plus you need to activate wifi calling and voice over LTE for it to work.
 
@Kriypumaa - I love the idea about an sdRecovery bootmode, this is a pretty cool idea. Has this ever been accomplished with Android? What about dualbootpatcher? Is there any way to use it to boot from sdcard instead of disk and run TWRP? I can't remember if dualbootpatcher required root or not due to its starting before Android. I don't know, just throwing something out there. Great idea, Kriypumaa.
 
It'd be nice if the new people actually read the older posts before asking the same questions that everyone else asked... Now we have 2 pages full of crap that was already discussed back in September.

Not being rude, but you guys should read the older posts of this thread, because you were discussing things that had already been tried before.

You can't get to fastboot, you can't control it, you cannot unlock this phone using it. This has been known for a while now.
 