Root ZTE ZMAX Pro (Z981) root discussion

[str8upx]

I'm pretty sure that every OTA sent out for Android devices are signed...there are SHA1 digests for each file inside the OTA fileset as well as the signing certificate, all contained in the META-INF folder structure.

The signing serves two purposes:

1. Allows for verification that the file actually came from the purported "official" source

2. Provides a way to guarantee that the file (.zip) and the individual files contained therein, are whole an uncorrupted

Devices with unlocked bootloaders also do have signed OTA files--its just that an unlocked bootloader will not enforce the signature checking when trying to flash/boot/install a file (amongst other things)--i.e., caveat emptor for those that unlock their device.

Was just about to say the same thing. Also I'm really surprised Messi thought sig verification fails = locked bootloader.

 

[LeGiT_dIaMoNd]

Is everyone really just skipping over my post?! Do I not exist. I would enable it but it concerns me. Is that service KingRoot root?

 

[messi2050]

Is everyone really just skipping over my post?! Do I not exist. I would enable it but it concerns me. Is that service KingRoot root?

No

 

[LeGiT_dIaMoNd]

No

Thank you. I'll have to wipe the phone or track down what installed that service to remove it.

 

[EliiphasLevi7414]

So we need to find out how to turn off package signing and checking and then remove the entry in the OTA

 

[EliiphasLevi7414]

Did you try updating with the settings menu sdcard update program or through the android recovery with you custom OTA?

 

[Krlypumaa]

Can someone pl3se try creating a sdrecovery bootmode to see if we can flash n clean through sd like we did with B&N nook encore, LG motion, F6 Samsung' s3 I wil try it myself.

 

[LeGiT_dIaMoNd]

How does one catch the ota? to work on the signing issue at hand?

 

[lambo352]

How does one catch the ota? to work on the signing issue at hand?

Page44..

Messi has his modded version which is probably the one you want..

 

[lambo352]

Is bootloader unlocked after sim unlock or is just unlocking another service?

 

[wwwFrAnKwww]

I don't think we will ever get our hands on the stock ROM, that makes getting a custom ROM difficult... Meaning, rooting through recovery modes is not the best option

 

[JIMMYHENDRIX]

I don't think this phone is gonna get root

 

[nino44]

I don't think this phone is gonna get root

Oh, thank you.

 

[LeGiT_dIaMoNd]

How did you guys extract the boot.img.p file in the .up file I extracted the update_P895T20_MPCS_B08_to_B12.up with winrar. What should I use to extract the boot.img.p file?

I have linked how it looks unpacked
​

 

[LeGiT_dIaMoNd]

I don't think this phone is gonna get root

Never say never my friend
http://forum.xda-developers.com/lg-g-stylo/how-to/lg-g-stylo-boost-mobile-t3113080
That's the device i owned prior. It took forever to achieve root. metro devices are generally easier because the metro version had root before the boost mobile version.

 

[lambo352]

How did you guys extract the boot.img.p file in the .up file I extracted the update_P895T20_MPCS_B08_to_B12.up with winrar. What should I use to extract the boot.img.p file?

I have linked how it looks unpacked
View attachment 112624 View attachment 112625​

I've been trying different things for days and got nothing

 

[moosiemooose]

Did you guys that got that far with Kingroot take the update before you used k/r?

 

[LeGiT_dIaMoNd]

Potentially Useful Info:

\META-INF\ and its contents
Please Understand How android Signing works
http://nelenkov.blogspot.com/2013/04/android-code-signing.html​

So inside the update the folder \META-INF\ there are three files

1. CERT.RSA
2. CERT.SF
3. MANIFEST.MF

What You Can Do To APK without the private key.​

Code Within Each:

CERT.RSA to CERT.pem Had to make it into a pem to get info from the rsa.

Spoiler: CERT.pem CODE

subject=/C=CN/ST=Shanghai/L=Shanghai/O=ZTE/OU=Smartphone Software Dept./CN=ZTE/emailAddress=support@zte.com.cn
issuer=/C=CN/ST=Shanghai/L=Shanghai/O=ZTE/OU=Smartphone Software Dept./CN=ZTE/emailAddress=support@zte.com.cn
-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIJAOuCYND5gmZOMA0GCSqGSIb3DQEBBQUAMIGWMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIU2hhbmdoYWkxETAPBgNVBAcTCFNoYW5naGFpMQww
CgYDVQQKEwNaVEUxIjAgBgNVBAsTGVNtYXJ0cGhvbmUgU29mdHdhcmUgRGVwdC4x
DDAKBgNVBAMTA1pURTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEB6dGUuY29tLmNu
MB4XDTExMDMwODA3MTM0M1oXDTM4MDcyNDA3MTM0M1owgZYxCzAJBgNVBAYTAkNO
MREwDwYDVQQIEwhTaGFuZ2hhaTERMA8GA1UEBxMIU2hhbmdoYWkxDDAKBgNVBAoT
A1pURTEiMCAGA1UECxMZU21hcnRwaG9uZSBTb2Z0d2FyZSBEZXB0LjEMMAoGA1UE
AxMDWlRFMSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QHp0ZS5jb20uY24wggEgMA0G
CSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC6XMcxr5zlAnZfYCeKPgt+w4y/fmB7
SzZSJvCx4hFKKq6m9CHg60vhlVQ4gLkuKb1l+pFbJdrP8yL1YKQqSrWWDAhPcuIl
Lj3UcmzfbMRQhM4mrXf49ees2xyVZO38KjtSSBw/ygvH5PSrX6KFUqQdxVeciLga
tYYoOEpRGKZdeL+HAI0EMFssOow00jPP44IB9Vi9UiEHOqvTHVmDIdQWOmAgWXlA
36sdWsSebLzWXjm2vB6OJaPV93zxy+tym33mkduc2DHQiH6TFUr4YmtDOZJ7y3jZ
2VzJU3VViYNunm/Da0NAPYwtbyeOgr+5npV7CfzY436lqLYaAlHJjx37AgEDo4H+
MIH7MB0GA1UdDgQWBBS6NVREsJ5wGdTi/26mEwf8h2KDfzCBywYDVR0jBIHDMIHA
gBS6NVREsJ5wGdTi/26mEwf8h2KDf6GBnKSBmTCBljELMAkGA1UEBhMCQ04xETAP
BgNVBAgTCFNoYW5naGFpMREwDwYDVQQHEwhTaGFuZ2hhaTEMMAoGA1UEChMDWlRF
MSIwIAYDVQQLExlTbWFydHBob25lIFNvZnR3YXJlIERlcHQuMQwwCgYDVQQDEwNa
VEUxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAenRlLmNvbS5jboIJAOuCYND5gmZO
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKSJA12gqyhorPk0EkHN
gUTLJoytol5SHPksdhbMjTOTEsaPiOVQZ0sHk9JDPoXRJlZvLXIvZCtzG+YCjpF8
Gv/uK47jHJsBG5L9LyI/LNctPOTefj3aBQklLxUgeblaaK2AFGb+ygmX8plGSwOz
9p4mgr8UQtPsdXP6gxEejI3oZ8Bz4HmttL+GwabCZAxuF9O2Z4vX1oCYbAVLAKz+
SUoMVXY9hzSa/Ttx+HeH0oHPXdZ0A2VyxpLiFIXdbdC9zWjB8AGQgmYINDHlQRG4
hPH9+NppDljxd19T1cEzkFERFEI8dWkTCaE8mRNQfShSt7N3vW+kfELq8rlkvDMW
9JM=
-----END CERTIFICATE-----

CERT.SF

Spoiler: CERT.SF CODE

Signature-Version: 1.0
SHA1-Digest-Manifest: b1on4WOzKdxRtA7NwjMs6HXxrpQ=
Created-By: 1.0 (Android SignApk)

Name: META-INF/com/google/android/updater-script
SHA1-Digest-Manifest: qX1srb3fDGKhGe+1kGi0RIRZj2E=

Name: patch/recovery.img.p
SHA1-Digest-Manifest: z8tyy4KD05Hjtk5hpCEZVklvmuE=

Name: META-INF/com/android/otacert
SHA1-Digest-Manifest: v/aWOVpZo3UMWFyYl+aXq32OKdA=

Name: META-INF/com/google/android/update-binary
SHA1-Digest-Manifest: 7S3ALd30t3c0tB+GLyM9Vdzg5ps=

Name: patch/hyp.mbn.p
SHA1-Digest-Manifest: cyE8G1fr9sxdmKE28yLfrkcqpks=

Name: system.patch.dat
SHA1-Digest-Manifest: HV1Xx61RsDEwETluo0kmzf6IF64=

Name: patch/fingerid.mbn.p
SHA1-Digest-Manifest: Dyzj2V2C5DMxFLLxIVOUbhgRR7I=

Name: patch/tz.mbn.p
SHA1-Digest-Manifest: oNTqNvuKRfDQkq+bgGB0k6xiDrQ=

Name: system.transfer.list
SHA1-Digest-Manifest: Wiw4pCKgbXf6miM1pdQl2q+aFTA=

Name: patch/boot.img.p
SHA1-Digest-Manifest: kSXaSHHS9fPdGuGR1pKNLuwGLJ4=

Name: system.new.dat
SHA1-Digest-Manifest: 3JnPmUkBkc2sDTrrZAjUckN0GVQ=

Name: patch/NON-HLOS.bin.p
SHA1-Digest-Manifest: iWuFb8t4ZiNMGeAMpcFVVaEwINE=

Name: META-INF/com/android/metadata
SHA1-Digest-Manifest: 0xAoSoK8CSXden9T9wdJDEzm1Sk=

Name: adspso.bin
SHA1-Digest-Manifest: ODwrM+YxhLOyVk9mdWv+y9AgBzg=

Name: patch/emmc_appsboot.mbn.p
SHA1-Digest-Manifest: Adus9fFpGl2w5F9QFWDXTwfV0ek=

Name: cmnlib.mbn
SHA1-Digest-Manifest: u8p/wnQvLsRdhys4N6HBxSAwZFE=

Name: patch/keymaster.mbn.p
SHA1-Digest-Manifest: 2BEnvDg7vskRHk6GU1ZRanjLeHM=

Name: patch/rpm.mbn.p
SHA1-Digest-Manifest: tCCHfy+/Cgw4lGD/vP5DnU0qPiY=

Name: patch/sbl1.mbn.p
SHA1-Digest-Manifest: s8LJRRr6T0af90kVXRTe82pUPY0=

MANIFEST.MF

Spoiler: MANIFEST.MF CODE

Manifest-Version: 1.0
Created-By: 1.0 (Android SignApk)

Name: META-INF/com/google/android/updater-script
SHA1-Digest: jS8ZM4SHvw5v05kTt095tTlYsJs=

Name: patch/recovery.img.p
SHA1-Digest: UVWXEIAtxsbz7PONI2V4F1S6XJ8=

Name: META-INF/com/android/otacert
SHA1-Digest: EiHYt21KYr1jCrUKAs4TQdT6+5c=

Name: META-INF/com/google/android/update-binary
SHA1-Digest: xNLR16rU6795hSE4pI1Nw00k/0A=

Name: patch/hyp.mbn.p
SHA1-Digest: 5xeosu4RuK1U36A6PDcw20CWOGM=

Name: system.patch.dat
SHA1-Digest: 6Z63G1Hl5DXTlKa9tTnsWAAI7Vw=

Name: patch/fingerid.mbn.p
SHA1-Digest: LtG/LahiOT61IzcujuTmkiP88Y8=

Name: patch/tz.mbn.p
SHA1-Digest: iIg7emDY9R1Do4ImK6k26yUGsNE=

Name: system.transfer.list
SHA1-Digest: oW0aYCOiShlRgbBOOGvvNhbaFac=

Name: patch/boot.img.p
SHA1-Digest: Msilp9pOpAXglMsNJE4R6NKSaW0=

Name: system.new.dat
SHA1-Digest: 6gog712ePYwFQrW4yfY9Wdkpf+k=

Name: patch/NON-HLOS.bin.p
SHA1-Digest: Syk/OS4ptDhtYl1147fKEsZhoNA=

Name: META-INF/com/android/metadata
SHA1-Digest: /fMZCDkUMTsfyKyt4SXwHlNsIFU=

Name: adspso.bin
SHA1-Digest: gE9pNRnQs0v1n0d0PlkMIyixJic=

Name: patch/emmc_appsboot.mbn.p
SHA1-Digest: uUvso1ROzCsL2nGf5yjqpLCiAIM=

Name: cmnlib.mbn
SHA1-Digest: tEIA0IXACDm60gVqALS8nZs+Z9w=

Name: patch/keymaster.mbn.p
SHA1-Digest: p5YmYkxoYy+QYRy+BZKMXM5ljnc=

Name: patch/rpm.mbn.p
SHA1-Digest: iTf3zbMlCDD57L4o7FObZSgZH48=

Name: patch/sbl1.mbn.p
SHA1-Digest: pZ6YZmbmUeUYrmQGNdCloi2XqFI=

META-INF\com\android​

Again List of files | these files have no
extensions
metadata
otacert

metadata

Spoiler: metadata Code

post-build=ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20161030.150238:user/release-keys
post-timestamp=1477811841
pre-build=ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20160622.141326:user/release-keys
pre-device=urd

otacert

Spoiler: otacert CODE/ Key?

-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIJAOuCYND5gmZOMA0GCSqGSIb3DQEBBQUAMIGWMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIU2hhbmdoYWkxETAPBgNVBAcTCFNoYW5naGFpMQww
CgYDVQQKEwNaVEUxIjAgBgNVBAsTGVNtYXJ0cGhvbmUgU29mdHdhcmUgRGVwdC4x
DDAKBgNVBAMTA1pURTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEB6dGUuY29tLmNu
MB4XDTExMDMwODA3MTM0M1oXDTM4MDcyNDA3MTM0M1owgZYxCzAJBgNVBAYTAkNO
MREwDwYDVQQIEwhTaGFuZ2hhaTERMA8GA1UEBxMIU2hhbmdoYWkxDDAKBgNVBAoT
A1pURTEiMCAGA1UECxMZU21hcnRwaG9uZSBTb2Z0d2FyZSBEZXB0LjEMMAoGA1UE
AxMDWlRFMSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QHp0ZS5jb20uY24wggEgMA0G
CSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC6XMcxr5zlAnZfYCeKPgt+w4y/fmB7
SzZSJvCx4hFKKq6m9CHg60vhlVQ4gLkuKb1l+pFbJdrP8yL1YKQqSrWWDAhPcuIl
Lj3UcmzfbMRQhM4mrXf49ees2xyVZO38KjtSSBw/ygvH5PSrX6KFUqQdxVeciLga
tYYoOEpRGKZdeL+HAI0EMFssOow00jPP44IB9Vi9UiEHOqvTHVmDIdQWOmAgWXlA
36sdWsSebLzWXjm2vB6OJaPV93zxy+tym33mkduc2DHQiH6TFUr4YmtDOZJ7y3jZ
2VzJU3VViYNunm/Da0NAPYwtbyeOgr+5npV7CfzY436lqLYaAlHJjx37AgEDo4H+
MIH7MB0GA1UdDgQWBBS6NVREsJ5wGdTi/26mEwf8h2KDfzCBywYDVR0jBIHDMIHA
gBS6NVREsJ5wGdTi/26mEwf8h2KDf6GBnKSBmTCBljELMAkGA1UEBhMCQ04xETAP
BgNVBAgTCFNoYW5naGFpMREwDwYDVQQHEwhTaGFuZ2hhaTEMMAoGA1UEChMDWlRF
MSIwIAYDVQQLExlTbWFydHBob25lIFNvZnR3YXJlIERlcHQuMQwwCgYDVQQDEwNa
VEUxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAenRlLmNvbS5jboIJAOuCYND5gmZO
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKSJA12gqyhorPk0EkHN
gUTLJoytol5SHPksdhbMjTOTEsaPiOVQZ0sHk9JDPoXRJlZvLXIvZCtzG+YCjpF8
Gv/uK47jHJsBG5L9LyI/LNctPOTefj3aBQklLxUgeblaaK2AFGb+ygmX8plGSwOz
9p4mgr8UQtPsdXP6gxEejI3oZ8Bz4HmttL+GwabCZAxuF9O2Z4vX1oCYbAVLAKz+
SUoMVXY9hzSa/Ttx+HeH0oHPXdZ0A2VyxpLiFIXdbdC9zWjB8AGQgmYINDHlQRG4
hPH9+NppDljxd19T1cEzkFERFEI8dWkTCaE8mRNQfShSt7N3vW+kfELq8rlkvDMW
9JM=
-----END CERTIFICATE-----

META-INF\com\google\android​

Again List of files | these files have no
extensions
updater-binary
updater-script

updater-binary​

NOT SURE HOW TO DECODE OR VIEW BINARY's

updater-script​

Spoiler: UPDATER SCRIPT

getprop("ro.product.device") == "urd" || abort("This package is for \"urd\" devices; this is a \"" + getprop("ro.product.device") + "\".");
assert(getprop("ro.product.name") == "P895T20_MPCS");
ui_print("Source: ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20160622.141326:user/release-keys");
ui_print("Target: ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20161030.150238:user/release-keys");
ui_print("Verifying current system...");
getprop("ro.build.fingerprint") == "ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20160622.141326:user/release-keys" ||
    getprop("ro.build.fingerprint") == "ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20161030.150238:user/release-keys" ||
    abort("Package expects build fingerprint of ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20160622.141326:user/release-keys or ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20161030.150238:user/release-keys; this device has " + getprop("ro.build.fingerprint") + ".");
show_progress(0.400000, 180);
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/keymaster:177568:3ce6072b9916ed474b0894df8ca065bfdecf8f1e:177568:35f8381525ab8c92d575e17f181081b8a0067f44", "3ce6072b9916ed474b0894df8ca065bfdecf8f1e", "35f8381525ab8c92d575e17f181081b8a0067f44") || abort("\"EMMC:/dev/block/bootdevice/by-name/keymaster:177568:3ce6072b9916ed474b0894df8ca065bfdecf8f1e:177568:35f8381525ab8c92d575e17f181081b8a0067f44\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/fingerid:32852:068ac7141e4f542f152de1a73c2538261cf60ba6:32852:3b7cb8f151cffec7653fe829024e72744fdee033", "068ac7141e4f542f152de1a73c2538261cf60ba6", "3b7cb8f151cffec7653fe829024e72744fdee033") || abort("\"EMMC:/dev/block/bootdevice/by-name/fingerid:32852:068ac7141e4f542f152de1a73c2538261cf60ba6:32852:3b7cb8f151cffec7653fe829024e72744fdee033\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/rpm:166088:b401574da32636f9395ce3964eb1ba23fb5a0f5f:166088:9f41eb1cfad9b56a76617e079f6cd9bf44dfa8ec", "b401574da32636f9395ce3964eb1ba23fb5a0f5f", "9f41eb1cfad9b56a76617e079f6cd9bf44dfa8ec") || abort("\"EMMC:/dev/block/bootdevice/by-name/rpm:166088:b401574da32636f9395ce3964eb1ba23fb5a0f5f:166088:9f41eb1cfad9b56a76617e079f6cd9bf44dfa8ec\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/modem:76438016:de3acc0716a8053819b0bb50c02bb1da796da7a0:76585472:87747dc9371cc6503ac340fb55cf27a34b1dda36", "de3acc0716a8053819b0bb50c02bb1da796da7a0", "87747dc9371cc6503ac340fb55cf27a34b1dda36") || abort("\"EMMC:/dev/block/bootdevice/by-name/modem:76438016:de3acc0716a8053819b0bb50c02bb1da796da7a0:76585472:87747dc9371cc6503ac340fb55cf27a34b1dda36\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/tz:632644:fbcf8dbae397d91f6f4fc5d6f4160880d36ab43b:632644:07023648051d47bb91463bb3a562dd6a5c2a384c", "fbcf8dbae397d91f6f4fc5d6f4160880d36ab43b", "07023648051d47bb91463bb3a562dd6a5c2a384c") || abort("\"EMMC:/dev/block/bootdevice/by-name/tz:632644:fbcf8dbae397d91f6f4fc5d6f4160880d36ab43b:632644:07023648051d47bb91463bb3a562dd6a5c2a384c\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/hyp:73728:eeb375641b66b96dc0336d0abd78e0f8e9b22e95:73728:1c2079d70a233d6117685920aeb3e909362bfbab", "eeb375641b66b96dc0336d0abd78e0f8e9b22e95", "1c2079d70a233d6117685920aeb3e909362bfbab") || abort("\"EMMC:/dev/block/bootdevice/by-name/hyp:73728:eeb375641b66b96dc0336d0abd78e0f8e9b22e95:73728:1c2079d70a233d6117685920aeb3e909362bfbab\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/sbl1:321952:7bbc1a2d7fd68ef08c3c036dded254459e083453:322976:abf067334f85bb7854b7241e973e884fc3b7ce7f", "7bbc1a2d7fd68ef08c3c036dded254459e083453", "abf067334f85bb7854b7241e973e884fc3b7ce7f") || abort("\"EMMC:/dev/block/bootdevice/by-name/sbl1:321952:7bbc1a2d7fd68ef08c3c036dded254459e083453:322976:abf067334f85bb7854b7241e973e884fc3b7ce7f\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/aboot:891516:89f232cdc51a357933466f9e53b9c32e26e3c59b:902616:f689e5d837c772053fa3f9c344a521d8083b76e6", "89f232cdc51a357933466f9e53b9c32e26e3c59b", "f689e5d837c772053fa3f9c344a521d8083b76e6") || abort("\"EMMC:/dev/block/bootdevice/by-name/aboot:891516:89f232cdc51a357933466f9e53b9c32e26e3c59b:902616:f689e5d837c772053fa3f9c344a521d8083b76e6\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/boot:35087544:532a00dec3cd779ede9c48a935de00a860cbe953:35312824:60a0891fdb09b392cc85ae1541e08a72f87c166a", "532a00dec3cd779ede9c48a935de00a860cbe953", "60a0891fdb09b392cc85ae1541e08a72f87c166a") || abort("\"EMMC:/dev/block/bootdevice/by-name/boot:35087544:532a00dec3cd779ede9c48a935de00a860cbe953:35312824:60a0891fdb09b392cc85ae1541e08a72f87c166a\" has unexpected contents.");
apply_patch_check("EMMC:/dev/block/bootdevice/by-name/recovery:33338556:c8f1b92d125277898c5a6deca3a541b126d919c9:33561788:1ea424ce307870c3fdd1577b2bd36bd08cfc70c4", "c8f1b92d125277898c5a6deca3a541b126d919c9", "1ea424ce307870c3fdd1577b2bd36bd08cfc70c4") || abort("\"EMMC:/dev/block/bootdevice/by-name/recovery:33338556:c8f1b92d125277898c5a6deca3a541b126d919c9:33561788:1ea424ce307870c3fdd1577b2bd36bd08cfc70c4\" has unexpected contents.");
if (range_sha1("/dev/block/bootdevice/by-name/system", "98,1,32770,32961,32963,33471,65535,65536,65538,66046,98303,98304,98306,98497,98499,99007,131071,131072,131074,131582,163839,163840,163842,164033,164035,164543,196607,196608,196610,197118,229375,229376,229378,229569,229571,230079,262143,262144,262146,262654,294911,294912,294914,295105,295107,295615,327679,327680,327682,328190,360447,360448,360450,360958,393215,393216,393218,393726,425983,425984,425986,426494,458751,458752,458754,459262,491519,491520,491522,492030,524287,524288,524290,524798,557055,557056,557058,557566,589823,589824,589826,590334,622200,622592,622594,623102,633814,655360,655362,688128,688130,720896,720898,753664,753666,754174,780230,780231,786384") == "55e6914bdff2cb175d56aa068f1ed5927b6a25f1" || block_image_verify("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat")) then
ui_print("Verified system image...");
else
abort("system partition has unexpected contents");
endif;

# ---- start making changes here ----

ui_print("Patching system image after verification.");
show_progress(0.550000, 0);
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
    abort("Failed to update system image.");
show_progress(0.050000, 10);
ui_print("Patching keymaster.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/keymaster:177568:3ce6072b9916ed474b0894df8ca065bfdecf8f1e:177568:35f8381525ab8c92d575e17f181081b8a0067f44",
            "-", 35f8381525ab8c92d575e17f181081b8a0067f44, 177568,
            3ce6072b9916ed474b0894df8ca065bfdecf8f1e, package_extract_file("patch/keymaster.mbn.p"));
ui_print("Patching fingerid.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/fingerid:32852:068ac7141e4f542f152de1a73c2538261cf60ba6:32852:3b7cb8f151cffec7653fe829024e72744fdee033",
            "-", 3b7cb8f151cffec7653fe829024e72744fdee033, 32852,
            068ac7141e4f542f152de1a73c2538261cf60ba6, package_extract_file("patch/fingerid.mbn.p"));
ui_print("Patching adspso.bin image...");
package_extract_file("adspso.bin", "/dev/block/bootdevice/by-name/dsp");
ui_print("Patching rpm.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/rpm:166088:b401574da32636f9395ce3964eb1ba23fb5a0f5f:166088:9f41eb1cfad9b56a76617e079f6cd9bf44dfa8ec",
            "-", 9f41eb1cfad9b56a76617e079f6cd9bf44dfa8ec, 166088,
            b401574da32636f9395ce3964eb1ba23fb5a0f5f, package_extract_file("patch/rpm.mbn.p"));
ui_print("Patching NON-HLOS.bin image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/modem:76438016:de3acc0716a8053819b0bb50c02bb1da796da7a0:76585472:87747dc9371cc6503ac340fb55cf27a34b1dda36",
            "-", 87747dc9371cc6503ac340fb55cf27a34b1dda36, 76585472,
            de3acc0716a8053819b0bb50c02bb1da796da7a0, package_extract_file("patch/NON-HLOS.bin.p"));
ui_print("Patching tz.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/tz:632644:fbcf8dbae397d91f6f4fc5d6f4160880d36ab43b:632644:07023648051d47bb91463bb3a562dd6a5c2a384c",
            "-", 07023648051d47bb91463bb3a562dd6a5c2a384c, 632644,
            fbcf8dbae397d91f6f4fc5d6f4160880d36ab43b, package_extract_file("patch/tz.mbn.p"));
ui_print("Patching hyp.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/hyp:73728:eeb375641b66b96dc0336d0abd78e0f8e9b22e95:73728:1c2079d70a233d6117685920aeb3e909362bfbab",
            "-", 1c2079d70a233d6117685920aeb3e909362bfbab, 73728,
            eeb375641b66b96dc0336d0abd78e0f8e9b22e95, package_extract_file("patch/hyp.mbn.p"));
ui_print("Patching sbl1.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/sbl1:321952:7bbc1a2d7fd68ef08c3c036dded254459e083453:322976:abf067334f85bb7854b7241e973e884fc3b7ce7f",
            "-", abf067334f85bb7854b7241e973e884fc3b7ce7f, 322976,
            7bbc1a2d7fd68ef08c3c036dded254459e083453, package_extract_file("patch/sbl1.mbn.p"));
ui_print("Patching emmc_appsboot.mbn image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/aboot:891516:89f232cdc51a357933466f9e53b9c32e26e3c59b:902616:f689e5d837c772053fa3f9c344a521d8083b76e6",
            "-", f689e5d837c772053fa3f9c344a521d8083b76e6, 902616,
            89f232cdc51a357933466f9e53b9c32e26e3c59b, package_extract_file("patch/emmc_appsboot.mbn.p"));
ui_print("Patching cmnlib.mbn image...");
package_extract_file("cmnlib.mbn", "/dev/block/bootdevice/by-name/cmnlib");
ui_print("Patching boot image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/boot:35087544:532a00dec3cd779ede9c48a935de00a860cbe953:35312824:60a0891fdb09b392cc85ae1541e08a72f87c166a",
            "-", 60a0891fdb09b392cc85ae1541e08a72f87c166a, 35312824,
            532a00dec3cd779ede9c48a935de00a860cbe953, package_extract_file("patch/boot.img.p"));
ui_print("Patching recovery image...");
apply_patch("EMMC:/dev/block/bootdevice/by-name/recovery:33338556:c8f1b92d125277898c5a6deca3a541b126d919c9:33561788:1ea424ce307870c3fdd1577b2bd36bd08cfc70c4",
            "-", 1ea424ce307870c3fdd1577b2bd36bd08cfc70c4, 33561788,
            c8f1b92d125277898c5a6deca3a541b126d919c9, package_extract_file("patch/recovery.img.p"));
set_progress(1.000000);

Learn How to read/write these types of scripts
http://forum.xda-developers.com/showpost.php?p=25136429&postcount=2

This May Be Important to you people trying to bypass and inject files

 

[Fr3shB0ngWat3r]

This "thread" is getting more interesting everyday

 

[LeGiT_dIaMoNd]

I may have that entire thing wrong. I've been looking through sha1 hashes and those are some sort of encrypted hashes so you can't spoof the files. like in previous versions of android

 

[EliiphasLevi7414]

I don't think this phone is gonna get root

Look im not a mod or anything but i just need to say this, when you come on a thread and tell thousands of users that have been using their spare time to not only test and research for bugs but have also took time to log in and share what they have found, coming in here and posting a negative comment like that is tant amount to a spoiled kid jumping up and down and saying, "why dont i have what i want right now." im not being a d!ck im just saying negative comments like those is like a slap in the face to progress and time. Invested. If the time frame that this model takes for R&D to get root doesnt fit ur expectations i suggest you come up with some leads or create your own exploit.

Once again im really not being overly harsh. I just have been on these forums for a week and the comradary i have seen im just this one thread alone is enough to seal the deal for me that we will get root. Findijg bugs and then creating exploits is only the end part of development, there are numerous variables that go into every model. So before you give up remember that this kind of work is what has made android great. You litterally can click one Damn button and get root on hundreds of models, but a lot of people forget that behind that are devs and a community that bust their ass to make end users have that luxury.

Just a rant from another sys admin (Me) who daily gets asked why things arent done quick enough from his boss that might as well be cracking a whip with his out of Touch understanding of what i do for his company fml lol.

 

[EliiphasLevi7414]

@LeGiT_dIaMoNd - what you just posted has got me wondering if i could perform some type of hacking-fu to capture keys or possible bruteforce sha1 hashes with some trial and error depending on examining simularities between files and their liknesses in a hex editor or some other method, ok i got to think a min. Keep up the great ideas!

 

[EliiphasLevi7414]

@scary alien - what about setting up a decoy server that will act as a signing server with tools like sslstrip or mitmf (man in the middle framework) i think there could maybe be a way to setup a server masquerading as the sig ing server that will just by default not even check the validity of the hashes but just give a "all ok" to the phone by using a web proxy that tampers all requests gpjng in or out allowing editing of the conditions in real timw (burp suite for example or fiddler) in essence bypassing the checks. And allowing the files to be dumped or at least give the oppurtunity to get some information by sniffing the data that goes to the phone and server when that condition is met in real situations.

 

[Matt Addy]

Okay I've made a discovery in the developers options. There is a mode called OEM unlocking which allows bootloader to be unlocked. I'm about to try it myself.

 

[EliiphasLevi7414]

Okay I've made a discovery in the developers options. There is a mode called OEM unlocking which allows bootloader to be unlocked. I'm about to try it myself.

As stated i other posts that doesnt do what ur thinking its completely up to the devs as to what options that switch actually does. And. As stated earlier again we wouldnt have a thread going on for almost 60 pages if it was as simple as checking a switch in dev options.

I know that switch is kinda misleading but these are the facts right now. Keep ideas coming in tho we can use as many people as possible on this.