• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Root ZTE ZMAX Pro (Z981) root discussion

Status
Not open for further replies.
messi2050 said:
found this tool to flash firmware for zte in qualcomm 9008 mode
https://yadi.sk/d/mR17-gxhgKcz5
it's the same tool found in this thread
http://www.androidbrick.com/unbrick...-you-have-the-right-kind-of-rom-qhsusb_dload/
it may help flashing twrp..
Click to expand...

I hate to sound like everyone else, but master messi2050, what are you doing lurking the Android forums right now? Get your exams taken care of man. I know you're a beast, I've been lurking through some of your stuff around, but man, education is the key to success...

On another note, thanks for this find, will see if it will allow any type of flashing when I get home. If it does even see our phone, we may have a starting point.
 
Powduh said:
I hate to sound like everyone else, but master messi2050, what are you doing lurking the Android forums right now? Get your exams taken care of man. I know you're a beast, I've been lurking through some of your stuff around, but man, education is the key to success...

On another note, thanks for this find, will see if it will allow any type of flashing when I get home. If it does even see our phone, we may have a starting point.
Click to expand...
Thanks man ,My next exam is after 10 days from now , i had 4 exams this week so i think some play around won't be bad xD , i worked on finding a root workaround for more than 6 hours today almost tried everything including xiaomi mi flash tool , dirtycow, z11 max root method..etc still no success but I will keep trying using the dirtycow as i think that this exploit has the best chance on this phone..
 
RAIDER W said:
Man.. You Use And Abuse The Dirt Off That Cow... :eek:
Bend It.. To Your Will.. ;)
Click to expand...
You need to compile new binaries with every new target init file as we don't know the correct init file to patch so it will take up to 10 trys to figure it out.
I will explain it , this is the target file for the dirtycow patch to set selinux to permissive mode this file exist on lg v20
https://github.com/jcadduono/android_external_dirtycow/blob/android-6.0/recowvery-applypatch.c#L46
No such file on the zmax pro coz of the different vendors so u need to try with every possible target init file..
 
Last edited:
so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .
 
messi2050 said:
so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .
Click to expand...
That's some serious progress.. I have faith in you.. just make time for studies..
 
NeoZiggy said:
Edited: With a locked bootloader we can't have a custom recovery as the bootloader checks for modifications upon boot. However, we can have temp root with dirty cow.... to the best of my knowledge.
Click to expand...
I still think if we can get even temp root we can possibly zero out download mode or recovery to access fastboot and unlock the bootloader. I'd be willing to try it we can get any type of root
 
messi2050 said:
so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .
Click to expand...
OK.. Then this device is locked the way they did the ZTE Speed when @SuperR & I tried. It'll flash but becomes inaccessible since we got smart and started using recovery to obtain Root. No recovery access for us equals less Rooting options. Hence there may be no recovery options until a bypass is figured out. A new ZTE thing.. The Warp Sync is gonna be the last ZTE device I use if they don't loosen up on the boot locks. I told our Carrier that much of their device revenues are tied to their Rooting capability. You guys are doing great, I'll be watching cuz if you make the breakthrough then the other Warp models (Elite & Warp 7) may stand a chance.
 
bcrichster said:
OK.. Then this device is locked the way they did the ZTE Speed when @SuperR & I tried. It'll flash but becomes inaccessible since we got smart and started using recovery to obtain Root. No recovery access for us equals less Rooting options. Hence there may be no recovery options until a bypass is figured out. A new ZTE thing.. The Warp Sync is gonna be the last ZTE device I use if they don't loosen up on the boot locks. I told our Carrier that much of their device revenues are tied to their Rooting capability. You guys are doing great, I'll be watching cuz if you make the breakthrough then the other Warp models (Elite & Warp 7) may stand a chance.
Click to expand...
theres a recovery, just no fastboot although we may be able to use download mode.
 
https://source.android.com/devices/tech/ota/
According to this the keys for ota updates are stored in the recovery ramdisk in /res/keys, is it possible to pull the stock recovery without root
A typical OTA update contains the following steps:

  1. Device performs regular check in with OTA servers and is notified of the availability of an update, including the URL of the update package and a description string to show the user.
  2. Update downloads to a cache or data partition, and its cryptographic signature is verified against the certificates in /system/etc/security/otacerts.zip. User is prompted to install the update.
  3. Device reboots into recovery mode, in which the kernel and system in the recovery partition are booted instead of the kernel in the boot partition.
  4. Recovery binary is started by init. It finds command-line arguments in /cache/recovery/command that point it to the downloaded package.
  5. Recovery verifies the cryptographic signature of the package against the public keys in /res/keys (part of the RAM disk contained in the recovery partition).
  6. Data is pulled from the package and used to update the boot, system, and/or vendor partitions as necessary. One of the new files left on the system partition contains the contents of the new recovery partition.
  7. Device reboots normally.
    1. The newly updated boot partition is loaded, and it mounts and starts executing binaries in the newly updated system partition.
    2. As part of normal startup, the system checks the contents of the recovery partition against the desired contents (which were previously stored as a file in /system). They are different, so the recovery partition is reflashed with the desired contents. (On subsequent boots, the recovery partition already contains the new contents, so no reflash is necessary.)
The system update is complete!
 
Screenshot from 2016-12-31 03-25-25.png
Run-as-root fails ..error selinux enforcing every time.
 

Attachments

  • Screenshot from 2016-12-31 03-25-25.png
    Screenshot from 2016-12-31 03-25-25.png
    343.6 KB · Views: 159
Last edited:
To the best of my knowledge, after the command when the phone restores recovery upon reboot the phone will flicker and not reboot like the previous dependencies. After I manually reboot of course the exploit is lost
. I even tried disabling selinux for a daemon session ...# setsebool named_disabled_trans 1

output received : SELINUX DISABLED. not sure how to disable boot selinux.
Any thoughts anyone?
 
messi2050 said:
so latest progress , here is the dirtycow binaries compiled by me and based on the twrp tree
http://www.mediafire.com/file/djo41adnyifylrx/dcow+binaries+for+the+zte+zmax+pro.zip
flashing guide can be found here
https://github.com/jcadduono/android_external_dirtycow#running
everything goes well till this step [adb shell reboot recovery] and if i try to boot into recovery using the hardware buttons (volume up+power) i get black screen every time i try to boot into it, just wanted to share it with u .
Click to expand...


And this has somehow restored my faith, that we will obtain root access... Give it hell man
 
yeah zte locked this one up tight. lol luckily I use this phone as entertainment purposes only ..like you tube camera gaming ..etc..LG stylo plus 2 rooted is my daily driver. sorry guys ..I tried ..good specs on this phone and clearing cache stopped the battery drain after the manual b12 update..
Happy new year AF..
I'm done with rooting zte's but if anything's comes up in 2017 I'll be back...
 
I'm thinking we're going to end up needing fastboot. But, if we could manage a kernel with the necessary modifications, is there any way we could achieve systemless root? I'm sincerely hoping something happens to breakthrough for this phone. I've been trying everything I can remember EVER working to gain root access, but either it fails, or force closes, or both. PC methods aren't getting any further.

On another note, upon reading most of this thread again for about the billionth time, I'm also interested to see if we actually have a bootloader/fastboot, and just can't access it without somehow tripping it to come out of hiding. I remember other devices having to run an adb command to open bootloader before we could even attempt to gain root....
 
Powduh said:
I'm thinking we're going to end up needing fastboot. But, if we could manage a kernel with the necessary modifications, is there any way we could achieve systemless root? I'm sincerely hoping something happens to breakthrough for this phone. I've been trying everything I can remember EVER working to gain root access, but either it fails, or force closes, or both. PC methods aren't getting any further.

On another note, upon reading most of this thread again for about the billionth time, I'm also interested to see if we actually have a bootloader/fastboot, and just can't access it without somehow tripping it to come out of hiding. I remember other devices having to run an adb command to open bootloader before we could even attempt to gain root....
Click to expand...
I can compile custom kernel , cm or even anything that can come to your mind but the question will stay the same how to flash it , fastboot was removed (not hidden) even if king root can give root access on this device it will be a temporary root that get lost on reboot, i have dealt with phones from at&t , metro , verizon and t-mobile , metro does not lock their phones or their bootloader (at least for the phones i dealt with) so i think it was zte decision to remove fastboot which is the only way to unlock the bootloader.
 
messi2050 said:
I can compile custom kernel , cm or even anything that can come to your mind but the question will stay the same how to flash it , fastboot was removed (not hidden) even if king root can give root access on this device it will be a temporary root that get lost on reboot, i have dealt with phones from at&t , metro , verizon and t-mobile , metro does not lock their phones or their bootloader (at least for the phones i dealt with) so i think it was zte decision to remove fastboot which is the only way to unlock the bootloader.
Click to expand...
this, my friend allegedly got root access but it reboots after 20 seconds or so however if this is true I believe it's enough to change selinux. and provide permanent privilege.
 
Status
Not open for further replies.
Back
Top Bottom