ZTE Whirl z660g only temp root so far


Last Updated: 2014-07-17 03:54:48
  1. Error420

    Error420 Member

    I've been messing around with a zte whirl z660g (tracfone version) that I picked up on black friday for $27, I figured what the heck. The type of work I do I'm not going to drop very much money on a smart phone, I've been using a rugby flip phone I found on the ground at a park. Anyway every since I bought the phone I've been messing around looking at how to root the thing. Basically reading what I can about rooting zte phone's. I really got interested in some things a couple of guys are doing over in another thread and I'm going to try some of the things they are.

    I might have a little bit of a slight edge on them though, I came across a way to temp root the whirl z660g using framaroot. It's kinda a crazy way to do it but I can get a # prompt with adb so I'm thinking thats a plus. Anyway heres the way I've been getting temp root on the whirl.

    1) Install the Framaroot apk
    2) Drain the battery below 25%
    3) Power off the device.
    4) Press the power button just long enough to get the indicator led to blink, I have the best luck blinking the indicator led 3 times.
    5) Power on the device and wait for it to boot
    6) Open Framaroot and I get the whirl to root using the gandolf option.

    This is only a temp root and goes away after a reboot or running certain apps or doing certain other things but I think I'm going to mess around and see about dumping the recovery etc. And seeing what I can come up with.

    This is as far as I've gotten so far and figured I would start a new thread instead of getting in the middle of a couple of other guys thread about a different device.

    Advertisement
    dcorely likes this.
  2. Error420

    Error420 Member

    Here is my output from the cat proc/partitions command in a adb shell.

    cat proc/partitions
    major minor #blocks name

    7 0 16664 loop0
    7 1 2111 loop1
    179 0 3817472 mmcblk0
    179 1 8192 mmcblk0p1
    179 2 8192 mmcblk0p2
    179 3 8192 mmcblk0p3
    179 4 1 mmcblk0p4
    179 5 8192 mmcblk0p5
    179 6 8192 mmcblk0p6
    179 7 8192 mmcblk0p7
    179 8 16384 mmcblk0p8
    179 9 32768 mmcblk0p9
    179 10 16384 mmcblk0p10
    179 11 8192 mmcblk0p11
    179 12 8192 mmcblk0p12
    179 13 65536 mmcblk0p13
    179 14 8192 mmcblk0p14
    179 15 8192 mmcblk0p15
    179 16 16384 mmcblk0p16
    179 17 16384 mmcblk0p17
    179 18 16384 mmcblk0p18
    179 19 614400 mmcblk0p19
    179 20 8192 mmcblk0p20
    179 21 307200 mmcblk0p21
    179 22 2387968 mmcblk0p22
    179 23 212992 mmcblk0p23
    179 32 3813376 mmcblk1
    179 33 3812352 mmcblk1p1
    254 0 16663 dm-0
    254 1 2110 dm-1
  3. Error420

    Error420 Member

    Here is my output from the mount command in a adb shell

    mount
    rootfs / rootfs ro,relatime 0 0
    tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
    devpts /dev/pts devpts rw,relatime,mode=600 0 0
    proc /proc proc rw,relatime 0 0
    sysfs /sys sysfs rw,relatime 0 0
    none /acct cgroup rw,relatime,cpuacct 0 0
    tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
    tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
    none /dev/cpuctl cgroup rw,relatime,cpu 0 0
    /dev/block/mmcblk0p19 /system ext4 ro,relatime,data=ordered 0 0
    /dev/block/platform/msm_sdcc.3/by-num/p22 /data ext4 rw,nosuid,nodev,relatime,no
    auto_da_alloc,data=ordered 0 0
    /dev/block/mmcblk0p10 /persist ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
    /dev/block/mmcblk0p21 /cache ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
    /dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1
    023,default_permissions,allow_other 0 0
    /dev/block/dm-0 /mnt/asec/com.jrummy.liberty.toolboxpro-1 ext4 ro,dirsync,nosuid
    ,nodev,noatime 0 0
    /dev/block/dm-1 /mnt/asec/com.geeksoft.filexpert.donate-1 ext4 ro,dirsync,nosuid
    ,nodev,noatime 0 0
    /dev/block/vold/179:33 /storage/sdcard0 vfat rw,dirsync,nosuid,nodev,noexec,rela
    time,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,ioc
    harset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
    /dev/block/vold/179:33 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,rela
    time,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,ioc
    harset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
    tmpfs /storage/sdcard0/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
  4. Error420

    Error420 Member

    might look like I'm talking to myself but I'm just going through some of the steps stayboogy has other's going through in a thread about the Zte valet called "i'll help find a root method if..."

    I'm just starting to get some of the stuff listed so the info is in one place and maybe if I'm lucky I can get other with more experience then me to help out a little. Think I might have to even reinstall rom kitchen changed my linux install.
  5. Error420

    Error420 Member

    Here is a screen capture of the folders in my /dev folder

    [​IMG]
  6. Error420

    Error420 Member

    Here is the stock boot.IMG file I extracted with did, I also extracted what was lab led the recovery.IMG. I'm going to do some more looking into it because both images where 16 meg each, just seems odd to me.

    whirl-stock-boot.img
    whirl-stock-recovery.img
  7. stayboogy

    stayboogy Well-Known Member


    hey, i got your .img files downloaded.

    when i get the Jelly Bean repo downloaded and built, i'll start building a fake recovery flash with it that should install no problem on stock 3e recovery. this will give temp cwm which will allow installing unsigned zips that can give full root.

    it'll likely be a few days however.

    if someone who has the cyanogenmod jb repo downloaded and built can build a recovery from the stock kernel extracted from the stock recovery.img/boot.img and the mount and partitions info, before me, then by all means, build away.

    that's all that has to be done.
  8. Error420

    Error420 Member

    Had to insert my text at first but stayboogy that would be great. I'm going to do some more digging after I take care of s few things around the house also. Been backing a few thing up first off.

    Thanks again.

    Gotta love auto correct.


  9. mainefungi

    mainefungi Well-Known Member

    I figured I would post so you were not talking to yourself...

    Be VERY careful if you decide to try to make changes to either of those images. Flashing a modified boot image back to the Valet is what bricked it...

    We were attempting to change ro.secure=1 to ro.secure=1 in the default.prop at boot, which it theory would have allowed adb root access. Changing it in the default.prop only reverts back on reboot.

    Can you explain why the battery needs to be drained for this method? Do you have any documentation as to what effect it has that allows access?

    Cheers!

    EDIT: I see stayboogy already broke your run of talking to yourself LOL
  10. Error420

    Error420 Member

    Not exactly sure why being below 25% lets famaroot gain temp root but it does. Being a partial hardware guy I keep thinking about pin high and low for locking tsops but I bet I'm prob so far off it isnt funny. I do know the voltage drops the lower you drain the battery. I just so happened upon this method by mistake. Got framaroot to work temp when I first go the device but then nothing charged and wouldnt temp root at all. I messed with it for weeks and nothing thought it locked itself. Then one day the power was low and I pressed the button a few times powerd on and got temp root. That night I messed around trying to get su to stick in the /system/xbin directory and couldnt get it. Thought the 3 push deal was the trick and charged phone all the way. Next day couldnt get it to work with a full charge nothing. So I thought about it and the only thing that was different was the battery level. So I downloaded a battery drain app and tested for root every so often. Finally got it to root at 25% and lower battery level. I'm just wondering if this method will work with othe zte devices.

    I'm doing some more reading and I'm going to try to keep from bricking it, but if I do at least it was only $27 and so far I think Ive got my money worth just in the fun Ive had messing with it.
  11. mainefungi

    mainefungi Well-Known Member

    I also wonder if it could also mean a hole in one of the power saving apps or services... Just seems like a interesting combination.

    I know you can power the phone by the usb port without the battery... For giggles, can you do me a favor? Can you try the same method without the battery installed? Just powered by the USB cable...

    I just want to see if some feature is looking for the voltage at the battery terminals to enable or disable write access... Could be some sort of service mode. Still won't get us permanent root, but it may give us something to speculate about about in the design...
  12. Error420

    Error420 Member

    Pretty sure I've tried with usb power and pulling the battery and pretty sure it just reboots. I'll check it out here in a few having to do a fresh ubuntu install. Was messing around and changed everything a while back. The ubuntu partition was actually zentyall had centos installed insted of ubuntu so I trashing all that. Dont really wunna let the nieghbors use a captive portal on my sat connection, I live in the sticks. :D

    The kid thrashed the psu on my laptop so until I replace that I'm stuck on the desktop
  13. Error420

    Error420 Member

    Going to use some of this info and dump my system.img

    shell@android:/ $ su
    su
    root@android:/ # cat /cache/recovery/last_log
    cat /cache/recovery/last_log
    Starting recovery on Sun Dec 22 21:44:51 2013
    framebuffer: fd 4 (320 x 480)
    recovery filesystem table
    =========================
    0 /tmp ramdisk (null) (null) 0
    1 /boot emmc /dev/block/mmcblk0p16 (null) 0
    2 /cache ext4 /dev/block/mmcblk0p21 (null) 0
    3 /data ext4 /dev/block/mmcblk0p22 (null) -16384
    4 /zteforatt ext4 /dev/block/mmcblk0p5 (null) 0
    5 /recovery emmc /dev/block/mmcblk0p17 (null) 0
    6 /splash emmc /dev/block/mmcblk0p18 (null) 0
    7 /misc emmc /dev/block/mmcblk0p20 (null) 0
    8 /sdcard vfat /dev/block/mmcblk1p1 /dev/block/mmcblk1 0
    9 /system ext4 /dev/block/mmcblk0p19 (null) 0
    10 /amss emmc /dev/block/mmcblk0p13 (null) 0
    11 /oemsbl emmc /dev/block/mmcblk0p3 (null) 0
    12 /emmcboot emmc /dev/block/mmcblk0p15 (null) 0
    13 /cefs emmc /dev/block/mmcblk0p11 (null) 0
    14 /qcsblhd_cfgdata emmc /dev/block/mmcblk0p1 (null) 0
    15 /qcsbl emmc /dev/block/mmcblk0p2 (null) 0

    Command: "/sbin/recovery"

    ro.boot.hardware=qcom
    ro.boot.emmc=true
    ro.boot.serialno=be875d1e
    ro.boot.authorized_kernel=true
    ro.boot.baseband=msm
    ro.serialno=be875d1e
    ro.bootmode=unknown
    ro.baseband=msm
    ro.bootloader=unknown
    ro.hardware=qcom
    ro.revision=0
    ro.factorytest=0
    ro.secure=1
    ro.allow.mock.location=0
    ro.debuggable=0
    ro.build.id=JRO03C
    ro.build.display.id=Z660GV1.0.0B10
    ro.build.version.incremental=20130715.135202.31425
    ro.build.version.sdk=16
    ro.build.version.codename=REL
    ro.build.version.release=4.1.1
    ro.build.date=Mon Jul 15 13:52:44 CST 2013
    ro.build.date.utc=1373867564
    ro.build.type=user
    ro.build.user=wsys
    ro.build.host=ubuntu
    ro.build.tags=release-keys
    ro.product.model=Z660G
    ro.product.brand=ZTE
    ro.product.name=P752A21
    ro.product.device=nice
    ro.product.board=nice
    ro.product.cpu.abi=armeabi-v7a
    ro.product.cpu.abi2=armeabi
    ro.product.manufacturer=ZTE
    ro.product.locale.language=en
    ro.product.locale.region=US
    ro.wifi.channels=
    ro.board.platform=msm7627a
    ro.build.product=nice
    ro.build.description=P752A21-user 4.1.1 JRO03C 20130715.135202.31425 release-key
    s
    ro.build.fingerprint=ZTE/P752A21/nice:4.1.1/JRO03C/20130715.135202.31425:user/re
    lease-keys
    ro.build.characteristics=default
    rild.libpath=/system/lib/libril-qc-1.so
    rild.libargs=-d /dev/smd0
    persist.rild.nitz_plmn=
    persist.rild.nitz_long_ons_0=
    persist.rild.nitz_long_ons_1=
    persist.rild.nitz_long_ons_2=
    persist.rild.nitz_long_ons_3=
    persist.rild.nitz_short_ons_0=
    persist.rild.nitz_short_ons_1=
    persist.rild.nitz_short_ons_2=
    persist.rild.nitz_short_ons_3=
    persist.data_netmgrd_mtu=1410
    ril.subscription.types=NV,RUIM
    DEVICE_PROVISIONED=1
    keyguard.no_require_sim=true
    debug.sf.hw=1
    debug.composition.7x27A.type=mdp
    debug.composition.7x25A.type=mdp
    debug.composition.8x25.type=dyn
    debug.hwc.dynThreshold=1.9
    dalvik.vm.heapsize=64m
    ro.sf.lcd_density=160
    net.early.sockets=0
    net.change=net.bt.name
    persist.cne.bat.range.low.med=30
    persist.cne.bat.range.med.high=60
    persist.cne.loc.policy.op=/system/etc/OperatorPolicy.xml
    persist.cne.loc.policy.user=/system/etc/UserPolicy.xml
    persist.cne.bwbased.rat.sel=false
    persist.cne.snsr.based.rat.mgt=false
    persist.cne.bat.based.rat.mgt=false
    persist.cne.rat.acq.time.out=30000
    persist.cne.rat.acq.retry.tout=0
    persist.cne.fmc.init.time.out=30
    persist.cne.fmc.comm.time.out=130
    persist.cne.fmc.retry=false
    persist.cne.feature=0
    media.stagefright.enable-player=true
    media.stagefright.enable-meta=false
    media.stagefright.enable-scan=true
    media.stagefright.enable-http=true
    media.stagefright.enable-fma2dp=true
    media.stagefright.enable-aac=true
    media.stagefright.enable-qcp=true
    headset.hook.delay=500
    audio.legacy.postproc=true
    ro.opengles.version=131072
    ro.use_data_netmgrd=true
    persist.data.ds_fmc_app.mode=0
    persist.ims.regmanager.mode=0
    ro.bluetooth.request.master=true
    ro.qualcomm.bluetooth.ftp=true
    ro.qualcomm.bluetooth.sap=false
    ro.qualcomm.bluetooth.dun=false
    ro.qualcomm.bluetooth.map=true
    ro.bluetooth.remote.autoconnect=true
    persist.sys.strictmode.visual=false
    persist.omh.enabled=1
    ro.config.ehrpd=true
    ro.qualcomm.cabl=1
    telephony.lteOnCdmaDevice=0
    persist.radio.net_pref_0=0
    persist.radio.net_pref_1=0
    ro.ril.transmitpower=true
    ro.fm.analogpath.supported=true
    ro.fm.transmitter=false
    ro.fm.mulinst.recording.support=false
    ro.emmc.sdcard.partition=18
    ro.screen.layout=normal
    debug.enabletr=false
    ro.staticwallpaper.pixelformat=RGB_565
    debug.camcorder.disablemeta=0
    persist.fuse_sdcard=false
    debug.camera.landscape=true
    ro.max.fling_velocity=4000
    httplive.enable.discontinuity=true
    dev.pm.dyn_samplingrate=1
    dev.pm.dyn_sample_period=700000
    persist.service.cdrom.enable=1
    ro.nfc.chip=pn544
    windowsmgr.max_events_per_sec=260
    ro.config.notification_sound=SMS01.ogg
    ro.config.ringtone=Flutes.ogg
    ro.feature.ztedrm.support=1
    persist.sys.usb.menu=enable
    persist.sys.usb.config=cdrom
    persist.sys.usb.noZtePrefix=1
    drm.service.enabled=true
    persist.sys.fuse.dir=auto
    ro.config.sec_storage=4
    ro.camera.cts.flash.enabled=0
    ro.emode.enableSpecialCode=true
    ro.com.google.clientidbase=android-zte
    ro.com.google.clientidbase.yt=android-zte
    ro.com.google.clientidbase.ms=android-americamovil-us
    ro.com.google.clientidbase.am=android-americamovil-us
    persist.sys.timezone=America/New_York
    ro.build.baseband_version=w9sA
    ro.com.google.clientidbase.gmm=android-zte
    ro.build.sw_internal_version=TF_US_P752A21V1.0.0B18
    ro.emode.fm=0
    ro.qualcomm.bluetooth.pan=true
    ro.build.hardware_version=w9sA
    ro.emmc=1
    ro.secure.version=Z660G_SEC_V9.0
    ro.com.android.dataroaming=true
    ro.com.android.dateformat=MM-dd-yyyy
    ro.carrier=unknown
    ro.config.alarm_alert=Dawn_of_the_jungle.ogg
    ro.vendor.extension_library=/system/lib/libqc-opt.so
    dalvik.vm.heapstartsize=4m
    dalvik.vm.heapgrowthlimit=32m
    ro.setupwizard.mode=OPTIONAL
    ro.com.google.gmsversion=4.1_r5
    persist.sys.ztelog.enable=0
    persist.radio.add_power_save=1
    net.bt.name=Android
    dalvik.vm.stack-trace-file=/data/anr/traces.txt
    init.svc.ueventd=running
    init.svc.rmt_storage=running
    init.svc.recovery=running
    init.svc.console=running
    init.svc.diagtest=running
  14. Error420

    Error420 Member

    Deleted some crazy info
  15. stayboogy

    stayboogy Well-Known Member

    i've finally gotten the jelly bean repo downloaded

    but haven't built it yet.

    should have a recovery fake flash available by the weekend, if all goes well, that someone can try to install, and then install a root update.zip to gain permanent root.
    jonsvibe likes this.
  16. Error420

    Error420 Member

    I'm about at the same place, I've finally got the cyanogenmod repo downloaded. I tried the online clockwordmod recovery builder but the file produced by it seems to fail verification so it wont flash from the 3e recovery. I'll keep looking into things some more but with christmas right here on us I've had to do some things for the kiddi.
  17. stayboogy

    stayboogy Well-Known Member


    need the output of

    cat /proc/emmc

    ***may have to be temp rooted for it to give me all i need, not sure though. try without first.

    also need an adb pull of

    /proc/config.gz
  18. stayboogy

    stayboogy Well-Known Member

    here's a recovery fake flash; don't rename it. put on the root of sdcard and reboot to recovery and install

    update

    don't install anything with it.

    just see if it installs from stock recovery and boots the temp clockwork recovery and report back


    ***also still need the info from the post above*
    **
  19. echristopherson

    echristopherson Active Member

    My old Tracfone number is in the process of being ported to my Valet. Does that matter for purposes of rooting (either temporary or permanent)? I'm worried that maybe once it gets activated and the number is ported I won't be able to use either the temporary root method or the fake recovery flash. (On the other hand, maybe it would be *best* to wait until it's active.)
  20. echristopherson

    echristopherson Active Member

    I did Framaroot on my Valet after it got activated and my battery got to 17% or so. It didn't work using either Aragorn or Gandalf.
  21. echristopherson

    echristopherson Active Member

    Stayboogy, is this pretty safe to do, as long as I don't install anything with your update.zip?

    EDIT: I forgot to mention I have the Valet.

    Also, what did you mean by

    ?
  22. stayboogy

    stayboogy Well-Known Member

    this is not for the valet.

    this doesn't do anything but run a recovery from ramdisk

    it's a very base build.

    just need to know if it installs

    and if it does install, if the new recovery loads properly

    that's it.

    it doesn't replace anything, doesn't do anything other than what i said. that's why it's called a fake flash...
  23. Error420

    Error420 Member

    Sorry been messing with stuff and doing alot of christmas stuff. Just logged back on to check things out and see some of the info I posted.

    I built CWM recovery for this device and was going to see if I should flash it with dd to the recovery partition. Then I noticed stayboogy also has built a recovery. I know the fake flash cwm recovery I built and the one that came from the online recovery builder fail verification. I've read that the 3e recovery is really picky about letting things flash. I tried the signed and unsigned fake flash that I produced I'll test the fake flash stayboogy has build before I try to flash the recovery image with dd. I might not try the recovery image I've built because it's only 7 meg and not 16 like the original I might have to look into the device a little more and confige some more params before I go about flashing things with dd
  24. Error420

    Error420 Member

    Stayboogy I tried your update.zip fake recovery flash and it failed at 25% Haven't checked any logs yet but I will. Think I might end up calling it and early night tonight just because I've been up late a few days in a row and had to start the whole work thing again and have to be back in the morning. I might give dd a shot on my recovery and see what I get. What the heck.
  25. Error420

    Error420 Member


    On my whirl I have to press the power button 3 times to blink the light then power on the device then do framaroot sometime's it takes me a couple of tries to finally get the temp root but it seems to be pretty consistant.. Right now as I post think I'm on my 3rd try to do it but I know it works for me so I'll keep it up till I do. I need to cat /proc/mtd and check a few value's and make sure I'm not setting myself up for a brick with this image I built. Think I would if I flashed the img I have its not the same size and the original img.

Share This Page