
Root ZTE ZMAX Pro (Z981) root discussion

Status
Not open for further replies.
As stated in other posts, that doesn't do what you're thinking; it's completely up to the devs as to what that switch actually does. And, as stated earlier, we wouldn't have a thread going on for almost 60 pages if it was as simple as checking a switch in dev options.

I know that switch is kinda misleading, but these are the facts right now. Keep the ideas coming in, though; we can use as many people as possible on this.

Yeah, just found that out.
 
I've been following this thread since buying the phone at T-Mobile (to replace my old broken Nexus 5) a few weeks ago and just wanted to send warm fuzzles to all participating in the actual root process (not just hanging around or whining). I've been actively trying as well on my Android-dedicated Linux system. Maybe not as reckless as I would otherwise be if my backup phone wasn't trashed. So hey! You guys working at it, keep up the good work.
 
@scary alien - what about setting up a decoy server that will act as a signing server with tools like sslstrip or mitmf (man-in-the-middle framework)? I think there could maybe be a way to set up a server masquerading as the signing server that will just by default not even check the validity of the hashes but just give an "all ok" to the phone, by using a web proxy that tampers with all requests going in or out, allowing editing of the conditions in real time (Burp Suite, for example, or Fiddler), in essence bypassing the checks and allowing the files to be dumped, or at least giving the opportunity to get some information by sniffing the data that goes between the phone and server when that condition is met in real situations.
Isn't that similar to the earlier "iPhone JailBreak" spoofing/server/ssh, etc.?
 
Last edited:
@LeGiT_dIaMoNd - what you just posted has got me wondering if I could perform some type of hacking-fu to capture keys or possibly brute-force SHA-1 hashes with some trial and error, depending on examining similarities between files and their likenesses in a hex editor or some other method. OK, I've got to think a minute. Keep up the great ideas!
I was getting ready to try and recreate an entire new update.zip. I wonder if we can bribe a ZTE employee to "leak" the private key used to sign the device packages, or if we could in a way create our own certificate and public key.

Here's the patent for "Over the Air Updates", just in case we decide to do what @EliiphasLevi7414 & @Fr3shB0ngWat3r said, similar to the old jailbreaks:
https://www.google.ch/patents/US20130185563
 
Last edited:
How did you guys extract the boot.img.p file in the .up file? I extracted the update_P895T20_MPCS_B08_to_B12.up with WinRAR. What should I use to extract the boot.img.p file?

I have linked how it looks unpacked.

Is the mbn file something you can use to root? I googled it because I saw this mbn test in the app manager after the update. It is saying it contains files in what I believe is what you need to root. In this case I think they use it to put/boot all those update files.

In my research, Odin can read mbn files. Just an idea.

http://forum.xda-developers.com/showthread.php?t=2799160

I don't know why you are ignoring this idea, because I know I am on the right track over all of you. LOL. Look what I found:

http://forum.xda-developers.com/showthread.php?t=2641245

It works on those mbn files in the attachment. Come on now, I will post this on XDA. Maybe someone will be interested there, since you all are ignoring this gem of a find of mine.
 
Last edited:
@scary alien - what about setting up a decoy server that will act as a signing server with tools like sslstrip or mitmf (man-in-the-middle framework)? I think there could maybe be a way to set up a server masquerading as the signing server that will just by default not even check the validity of the hashes but just give an "all ok" to the phone, by using a web proxy that tampers with all requests going in or out, allowing editing of the conditions in real time (Burp Suite, for example, or Fiddler), in essence bypassing the checks and allowing the files to be dumped, or at least giving the opportunity to get some information by sniffing the data that goes between the phone and server when that condition is met in real situations.

I'm pretty sure that a signing server is not involved. Notice that you can download an OTA and install it later without even being connected to Wi-Fi or 3G/4G.

I'm pretty sure (*) that the stock recovery contains all of the information needed to compare and verify that a file that is being requested to flash / install matches the signature that it has in its RAM disk--i.e., the signing keys from the manufacturer.

- - - - - -

* see @Bigcountry907's posts in this thread, where he was able to modify the stock recovery with his own signing keys and then flash .zip files that were signed with his signing keys; in essence, it was still a stock recovery (with just its functions/features) but could do the important function of flashing .zip files--albeit ones that had to be re-signed with his special signing keys.
 
Last edited:
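The offline verification model the post above describes, as an added example that is not code from this thread, from ZTE, or from the Android recovery sources: the manufacturer signs the package with a private key, the recovery image carries only the matching public key, and the check needs no network. It uses textbook RSA over SHA-256 with small, freshly generated keys purely for illustration (real recoveries use properly padded signatures and a fixed key list); the package bytes, the key sizes and the "other_key" used to model a re-signed package are all constructed here.

```python
# Added illustration of offline OTA signature checking (not the thread's or
# any vendor's code). Textbook RSA without padding, for demonstration only.
import hashlib
import random
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (sufficient for an illustrative key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


@dataclass
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent, held only by the signer


def generate_keypair(bits: int = 512) -> KeyPair:
    """Generate a textbook RSA key pair; 512 bits is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def sign_package(package: bytes, key: KeyPair) -> int:
    """Signer side: sign SHA-256(package) with the private exponent."""
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    return pow(digest, key.d, key.n)


def recovery_verify(package: bytes, signature: int, pub_n: int, pub_e: int) -> bool:
    """Device side: recompute the hash and compare with the signature opened
    by the public key that is embedded in the recovery. No server is consulted."""
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    return pow(signature, pub_e, pub_n) == digest


def demo() -> dict:
    """Run the three cases the thread discusses and return their outcomes."""
    manufacturer = generate_keypair()          # constructed stand-in for the vendor key
    other_key = generate_keypair()             # constructed key the recovery does not trust
    package = b"constructed OTA payload: boot.img.p + system patches"  # constructed
    sig = sign_package(package, manufacturer)
    return {
        # genuine package, genuine signature: accepted
        "genuine": recovery_verify(package, sig, manufacturer.n, manufacturer.e),
        # one byte appended after signing: hash no longer matches
        "tampered": recovery_verify(package + b"x", sig, manufacturer.n, manufacturer.e),
        # same bytes re-signed with a key the recovery does not carry: rejected
        "wrong_key": recovery_verify(package, sign_package(package, other_key),
                                     manufacturer.n, manufacturer.e),
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_key" case is the one the footnote touches on: a package signed with a different key only verifies if that key's public half is placed in the recovery, which is why swapping the recovery's key list, rather than any server, is what changes the outcome.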
Listen, I think I may have either found a way to spoof this update into unencryption or actually found a way to receive the actual signing keys.

I am going to put a big preface on this, because there is a greater chance I'm mistaken, but this one is getting at me. I need someone else to check what I've found. So could some of the main devs that are looking into this device contact me to see if what I'm thinking and seeing holds any merit? Thx.
 
I'm pretty sure that a signing server is not involved. Notice that you can download an OTA and install it later without even being connected to Wi-Fi or 3G/4G.

I'm pretty sure (*) that the stock recovery contains all of the information needed to compare and verify that a file that is being requested to flash / install matches the signature that it has in its RAM disk--i.e., the signing keys from the manufacturer.

- - - - - -

* see @Bigcountry907's posts in this thread, where he was able to modify the stock recovery with his own signing keys and then flash .zip files that were signed with his signing keys; in essence, it was still a stock recovery (with just its functions/features) but could do the important function of flashing .zip files--albeit ones that had to be re-signed with his special signing keys.
You're right on that. But the OTA is signed via a server when it's downloaded. It makes it unique to you, from what I'm understanding based on the patent I mentioned above.
 
You're right on that. But the OTA is signed via a server when it's downloaded. It makes it unique to you, from what I'm understanding based on the patent I mentioned above.

I don't believe the OTAs are unique--pretty sure they're identical for all downloaders (for that specific device and version of Android, of course).

I've not yet read the patent info you provided (it's a big read, but interesting, I'm sure--thanks for that), but I'm guessing that the actual implementation doesn't follow it 100%...
 
Hey there, I've been flipping through this thread and don't recall seeing anything on this. I'm not sure if this will be useful, but thought I'd post it and see what you guys think of it. It almost kind of seems similar to Odin: DFU (Download Firmware Utility tool). Also, I did see our device's USB drivers on there for download.

https://androidmtk.com/flash-stock-rom-using-dfu

There is some other info on there about qualcomm devices.
 
Last edited:
Hey there, I've been flipping through this thread and don't recall seeing anything on this. I'm not sure if this will be useful, but thought I'd post it and see what you guys think of it. It almost kind of seems similar to Odin: DFU (Download Firmware Utility tool). Also, I did see our device's USB drivers on there for download.

https://androidmtk.com/flash-stock-rom-using-dfu

There is some other info on there about qualcomm devices.
Won't work; we don't have stock FW.
 
Listen, I think I may have either found a way to spoof this update into unencryption or actually found a way to receive the actual signing keys.

I am going to put a big preface on this, because there is a greater chance I'm mistaken, but this one is getting at me. I need someone else to check what I've found. So could some of the main devs that are looking into this device contact me to see if what I'm thinking and seeing holds any merit? Thx.
Can you give us an update on your idea? You said you think you have a solution, but you never posted it. Even if it doesn't work, it might give us more ideas to try. Also, has anyone tried SRS Root? It says on their Twitter that they found root for this phone. I used SRS for a Samsung and it worked, so I know they're legit. I would try myself, but I don't have access to a computer. I don't know if I can post links, but if you type "srs root z981" in Google you can find the Twitter post confirming root.
 
Last edited:
To all of you who think there will never be root for this device, just be patient. I was an owner of the original ZMAX and was right in the thick of it when we figured out a process that works.

I don't even have this device. I just saw this thread, and thought that I would share my story with you all.

I've gone through the entirety of this thread. You guys are right where we were when we got it figured out. As long as you have people actively working on a solution, you will eventually get one.

Have faith and be patient.

You have an awesome device. Rooted or not. I almost got this phone... But my brother and his wife both did.
 
SRS Root doesn't work on the B12 update. Can't test on B08. But I have a good SRS Root exe for someone willing to try.
 
I just tried it and this is what it's saying. Although it's not sticking, or it's installing something else entirely on the device. I'm also not on B08.
IMG_20161205_181142.jpg
 