Root ZTE Zmax Pro Official Root Discussion

[SapphireEx]

Here's a short rundown on what I personally know about the Z981 so far:

Is protected by DM-Verity.
Is protected by Android Secure Boot.
Has Busybox installed and properly symlinked.
Toybox is properly installed and symlinked.
Has a SUID hidden somewhere.
/Dev/block/* is ---
/System is R--, with some subdirectories with ---
/Data/local/tmp is RWX
Recovery is standard Android Recovery. Does not support unsigned images.
Fastboot has been replaced/ hidden by EDL mode. There is currently no way to interface with it officially. It CAN be interfaced with ADB, but it's a basic userland shell.
Temp root is working, but very unstable and will almost always cause a panic.
B08-B20 (MPCS) are vulnerable to Cloak and Dagger overlay exploit.
B08 is vulnerable to DirtyC0w
B08-B20 is vulnerable to a modified version of DirtyC0w.
Images can be flashed via EDL mode, but require a valid, signed MBN, also called a Firehose. It also requires specialized software which was previously qFil.

That's about all I got so far. If something is wrong, feel free to correct me

I'm going to try and see if I can sign TWRP with the release keys someone found (sorry, forgot your name), and see what happens. I doubt anything will come of it, or even if I get the key, but it's worth a shot

 

[Brandonleee1996]

Here's a short rundown on what I personally know about the Z981 so far:
Is protected by DM-Verity.

Is protected by Android Secure Boot.

Has Busybox installed and properly symlinked.

Toybox is properly installed and symlinked.

Has a SUID hidden somewhere.

/Dev/block/* is ---

/System is R--, with some subdirectories with ---

/Data/local/tmp is RWX

Recovery is standard Android Recovery. Does not support unsigned images.

Fastboot has been replaced/ hidden by EDL mode. There is currently no way to interface with it officially. It CAN be interfaced with ADB, but it's a basic userland shell.

Temp root is working, but very unstable and will almost always cause a panic.

B08-B20 (MPCS) are vulnerable to Cloak and Dagger overlay exploit.

B08 is vulnerable to DirtyC0w

B08-B20 is vulnerable to a modified version of DirtyC0w.

Images can be flashed via EDL mode, but require a valid, signed MBN, also called a Firehose. It also requires specialized software which was previously qFil.
That's about all I got so far. If something is wrong, feel free to correct me
I'm going to try and see if I can sign TWRP with the release keys someone found (sorry, forgot your name), and see what happens. I doubt anything will come of it, or even if I get the key, but it's worth a shot[/QUOTE
] any luck with signing the twrp recovery with keys?

 

[Spec2nirvash]

One silver lining to this phone is I found alternative ways to optimize my phone Without Root.

Adguard premium

Nova launcher with screen off apk for double tap scren off gesture.

Package Disabler apk for disabling bloatware

Status apk for centering clock and removing carrier name from status bar and

Audio pocket apk for YouTube playback in the background.

Could you or somebody link me the 'package Disabler' and status apk you speak of here? I dunno if these are play store items or not, but I can't seem to find them

 

[SapphireEx]

I think you messed your quote up a bit. I haven't been able to find the keys yet. Been at work all day.

 

[Nyrixa]

http://cfig.github.io/2015/10/15/signing-keys-in-android/ this article tells everything about the signing keys, I have only seen two so far I'll look more after work.

 

[Selvius]

Let me preface this with a disclaimer that I'm a complete novice with respect to android, and I'm not sure if this exploit would be relevant. That said, would this exploit be useful in terms of defeating SELinux protections?

http://www.openwall.com/lists/oss-security/2017/05/30/16

 

[Brandonleee1996]

SapphireEx

If that really is the release key, there's tons of things we can do with it. We need a way to flash images though.



If we can get someone to modify the root script where it won't freeze up and panic. So we can get temp root and install flashfire or flashify then install @messi2050 TWRP recovery then we will all set. Even though no one knows if the custom recovery works or not

.

I know the original zmax had to get temp root by kingroot i believe . Then download an app to install TWRP
.

 

[Nyrixa]

SapphireEx

If that really is the release key, there's tons of things we can do with it. We need a way to flash images though.



If we can get someone to modify the root script where it won't freeze up and panic. So we can get temp root and install flashfire or flashify then install @messi2050 TWRP recovery then we will all set. Even though no one knows if the custom recovery works or not

.

I know the original zmax had to get temp root by kingroot i believe . Then download an app to install TWRP
.

Technically if what I'm reading is correct, it doesn't necessarily have to be the signing keys, you can create your own as long as it's signed. Haven't had time to deep look again, but disabling trusted certs gains a bit more access to files and sub-dirs in the root dir. Also it seems that "keychain/keystore" don't directly handle the keys, but they have the information about them and can access them. So it may be possible that with a "keychain/keystore dump" the information we need about the keys can be gotten.

 

[SapphireEx]

Technically if what I'm reading is correct, it doesn't necessarily have to be the signing keys, you can create your own as long as it's signed. Haven't had time to deep look again, but disabling trusted certs gains a bit more access to files and sub-dirs in the root dir. Also it seems that "keychain/keystore" don't directly handle the keys, but they have the information about them and can access them. So it may be possible that with a "keychain/keystore dump" the information we need about the keys can be gotten.

That's if it accepts any signature. I'd much rather have the OEM keys that are nearly impossible to get. I'll give it a go with self signing though.

 

[brandonlee199966]

SapphireEx

I think you messed your quote up a bit. I haven't been able to find the keys yet. Been at work all day.

Found this key idk if im right or not is worth the share
location or file

/etc/security/

Mac_permissions.xml
signature='308204ae30820396a003020102020900abf652fde78f3bc3300d06092a864886f70d0101050500308196310b300906035504061302434e3111300f060355040813085368616e676861693111300f060355040713085368616e67686169310c300a060355040a13035a544531223020060355040b1319536d61727470686f6e6520536f66747761726520446570742e310c300a060355040313035a54453121301f06092a864886f70d0109011612737570706f7274407a74652e636f6d2e636e301e170d3131303330383037313234345a170d3338303732343037313234345a308196310b300906035504061302434e3111300f060355040813085368616e676861693111300f060355040713085368616e67686169310c300a060355040a13035a544531223020060355040b1319536d61727470686f6e6520536f66747761726520446570742e310c300a060355040313035a54453121301f06092a864886f70d0109011612737570706f7274407a74652e636f6d2e636e30820120300d06092a864886f70d01010105000382010d00308201080282010100bf9aadaf6257265ebc6cc4127ab591046fff7df5cb9e5bf2dc6d86d6932f70d2218fc1070cfb66c22d5189d3156e29917233473570379748c2e1c49cd700e8851ec339f4008befaef5cf85f536f22807755c0eab9695d76fcbf8ab2c65d80975a37d859d6784a03e72bf761348c596f042a8e0d323cd57ce97001e47121493bd4c2a34bf62d1d0d09166d965e808348be551a27c1c6e9244762d3afebb3c7bba4ee9b3985c3d426c694cf7338d045c76244a6de4f686c7f84f210b9d25a6b3c8907b097c35c138abcca4cef0d7e29f1155e0c42566b7e4b5bb37fea17dcc39de2b2f9d0d4d3b17f732676c1c21002c84edce336c87b95cfdcadc6745c83f4e4b020103a381fe3081fb301d0603551d0e04160414aba2a127783c12ea32794e657dcbd8342d70680e3081cb0603551d230481c33081c08014aba2a127783c12ea32794e657dcbd8342d70680ea1819ca48199308196310b300906035504061302434e3111300f060355040813085368616e676861693111300f060355040713085368616e67686169310c300a060355040a13035a544531223020060355040b1319536d61727470686f6e6520536f66747761726520446570742e310c300a060355040313035a54453121301f06092a864886f70d0109011612737570706f7274407a74652e636f6d2e636e820900abf652fde78f3bc3300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100 7e35025f08ef1b0a0fb023dafb5d878aa460fa2fef626a9de6f5b59f3183cd0783c8426216f47d03e3b9af873880725198a85bb559eab4e277488d8220709fee7a5d281c9701b89eb30f0c9c6ea6d97abc9e8b76f6ce6e53483980868f8b3c7f2dff1fd73574830c2bb29882223d62683fa84f5108fe7f7435cbb2f32d8e0d28f94367708d02287232982f63c981871f7dcfb24e1faeb586fc255de4ad302fc4b53d7d6b43c84d53d3172024a0b8b0964f0deeca0e3a2fcb9199898c0cbf0d03cb6cace6c92817e1fccd53604f99dec8f2c130388d34cf96d300286726c6dcbea83b38dd12769ac94df9fa6b298aedf617fccc8ff9f503338015f94a8ae0ac88

 

[Nyrixa]

In the root folder there is a file titled "Verity_Key" however it seems that according to http://en.miui.com/thread-310923-1-1.html there's a way to disable the DM_Verity. If not then with temp root the vet will have to be found.

 

[SapphireEx]

SapphireEx

I think you messed your quote up a bit. I haven't been able to find the keys yet. Been at work all day.

Found this key idk if im right or not is worth the share
location or file

/etc/security/

Mac_permissions.xml
signature='308204ae30820396a003020102020900abf652fde78f3bc3300d06092a864886f70d0101050500308196310b300906035504061302434e3111300f060355040813085368616e676861693111300f060355040713085368616e67686169310c300a060355040a13035a544531223020060355040b1319536d61727470686f6e6520536f66747761726520446570742e310c300a060355040313035a54453121301f06092a864886f70d0109011612737570706f7274407a74652e636f6d2e636e301e170d3131303330383037313234345a170d3338303732343037313234345a308196310b300906035504061302434e3111300f060355040813085368616e676861693111300f060355040713085368616e67686169310c300a060355040a13035a544531223020060355040b1319536d61727470686f6e6520536f66747761726520446570742e310c300a060355040313035a54453121301f06092a864886f70d0109011612737570706f7274407a74652e636f6d2e636e30820120300d06092a864886f70d01010105000382010d00308201080282010100bf9aadaf6257265ebc6cc4127ab591046fff7df5cb9e5bf2dc6d86d6932f70d2218fc1070cfb66c22d5189d3156e29917233473570379748c2e1c49cd700e8851ec339f4008befaef5cf85f536f22807755c0eab9695d76fcbf8ab2c65d80975a37d859d6784a03e72bf761348c596f042a8e0d323cd57ce97001e47121493bd4c2a34bf62d1d0d09166d965e808348be551a27c1c6e9244762d3afebb3c7bba4ee9b3985c3d426c694cf7338d045c76244a6de4f686c7f84f210b9d25a6b3c8907b097c35c138abcca4cef0d7e29f1155e0c42566b7e4b5bb37fea17dcc39de2b2f9d0d4d3b17f732676c1c21002c84edce336c87b95cfdcadc6745c83f4e4b020103a381fe3081fb301d0603551d0e04160414aba2a127783c12ea32794e657dcbd8342d70680e3081cb0603551d230481c33081c08014aba2a127783c12ea32794e657dcbd8342d70680ea1819ca48199308196310b300906035504061302434e3111300f060355040813085368616e676861693111300f060355040713085368616e67686169310c300a060355040a13035a544531223020060355040b1319536d61727470686f6e6520536f66747761726520446570742e310c300a060355040313035a54453121301f06092a864886f70d0109011612737570706f7274407a74652e636f6d2e636e820900abf652fde78f3bc3300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100 7e35025f08ef1b0a0fb023dafb5d878aa460fa2fef626a9de6f5b59f3183cd0783c8426216f47d03e3b9af873880725198a85bb559eab4e277488d8220709fee7a5d281c9701b89eb30f0c9c6ea6d97abc9e8b76f6ce6e53483980868f8b3c7f2dff1fd73574830c2bb29882223d62683fa84f5108fe7f7435cbb2f32d8e0d28f94367708d02287232982f63c981871f7dcfb24e1faeb586fc255de4ad302fc4b53d7d6b43c84d53d3172024a0b8b0964f0deeca0e3a2fcb9199898c0cbf0d03cb6cace6c92817e1fccd53604f99dec8f2c130388d34cf96d300286726c6dcbea83b38dd12769ac94df9fa6b298aedf617fccc8ff9f503338015f94a8ae0ac88

This could be interesting, but I can't do a lot with it. Knowing linux, which generally has keys for PAM modules in etc/security, it's currently meaningless until we can find why these keys are here.

 

[SapphireEx]

In the root folder there is a file titled "Verity_Key" however it seems that according to http://en.miui.com/thread-310923-1-1.html there's a way to disable the DM_Verity. If not then with temp root the vet will have to be found.

Requires TWRP. If we had TWRP, we wouldn't be in this position to start with.

 

[Nyrixa]

Requires TWRP. If we had TWRP, we wouldn't be in this position to start with.

If you're trying to flash the "lazy scripter" then yes you need TWRP, but to delete the "Verify" file so signing isn't needed nothing was said about TWRP..

 

[Nyrixa]

Now, I leave you all with one giant chunk of information to do with what you will.......

Build Details

Manufacturer: ZTE
Model: Z981

Brand: ZTE
Board: urd
Device: urd
Hardware: qcom
Product: P895T20_MPCS

Serial Number:

Bootloader: unknown
Radio: -8952_GEN_PACK-1.89347.1.93758.3

Build Fingerprint: ZTE/P895T20_MPCS/urd:6.0.1/MMB29M/20170418.111425:user/release-keys

Release: 6.0.1
Codename: REL
Build Version: MMB29M
Build Type: user
Build Tags: release-keys
Build Date: 2017-04-17
Built By: xuzhenxuan@newsuper3
Build Number: 20170418.111425

API level: 23

CPU ABIs: arm64-v8a

Kernel Version: Linux version 3.10.84-perf-gcdba782-00692-gf675825 (xuzhenxuan@newsuper3) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Apr 18 11:53:28 CST 2017


Found in /Etc title is Xtra_Root_Cert.pem


Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12233244687336499494 (0xa9c5373a87206926)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=QUALCOMM, Inc., OU=Cryptographic Operations Group, CN=XTRA Admninistrative Root v1
Validity
Not Before: Mar 24 20:03:47 2011 GMT
Not After : Mar 20 20:03:47 2026 GMT
Subject: O=QUALCOMM, Inc., OU=Cryptographic Operations Group, CN=XTRA Admninistrative Root v1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:de:dd:6d:49:f9:0b:3b:e2:91:94:a9:1c:e5:
64:7a:fc:7b:35:10:04:e4:e3:e5:c9:4d:eb:6c:ed:
71:08:77:b1:b4:aa:60:a5:10:a6:18:45:e6:a6:27:
cd:df:74:38:6a:d4:ac:7f:44:08:a0:f8:aa:f5:6b:
5b:61:9b:0c:53:c0:d9:62:b2:ee:48:51:fa:3f:d3:
bd:7d:5c:aa:33:4b:19:66:99:fd:ed:fa:cb:0f:b4:
fe:fe:7e:eb:f8:fa:92:76:84:49:9e:b4:c3:d6:46:
8f:d6:25:49:b9:94:9a:5b:eb:1c:c7:c4:c8:cc:22:
43:31:fe:aa:58:fd:33:86:2c:ea:21:d1:61:6f:81:
2d:80:19:11:90:4c:54:c6:c4:34:c4:49:81:11:3a:
db:c9:d4:84:a3:dd:1b:7b:ac:0b:91:18:29:02:d5:
36:d3:c6:4a:08:6a:c6:70:d2:82:35:2a:7d:4c:39:
30:2e:7d:15:e3:4f:07:91:0f:a2:37:0e:31:5a:93:
54:45:61:84:a0:dd:e1:f2:13:b3:f8:ed:cc:e8:bd:
92:47:11:f6:d4:fe:02:9c:b8:f4:02:0e:c5:a8:0d:
f9:25:d5:2d:a1:e4:ad:f1:45:09:9e:ff:64:80:18:
77:5f:4a:fd:a1:cd:b4:fa:ec:25:65:33:ae:65:6e:
92:91
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
39:1d:9a:c0:81:a5:91:b8:e1:c2:5a:7c:1c:dc:a7:bc:c8:33:
9e:ff:7e:67:bc:2e:ec:5b:17:47:f9:d0:21:c7:d8:51:d1:3f:
e1:ce:2d:90:11:a8:70:45:20:3f:83:f3:e8:48:0e:ed:c5:42:
bb:59:83:f4:91:b1:c3:be:76:f1:a3:74:82:dc:a7:be:d2:d1:
09:de:d4:af:53:2e:ed:7a:68:c0:60:c2:05:a6:af:89:88:44:
6f:ee:a6:a1:7d:de:a5:41:cc:ee:9f:7c:64:7a:b8:70:04:ed:
7b:4f:fe:c4:5c:2c:6d:f8:4e:62:20:4e:d5:c4:5a:10:d2:24:
7b:dc:8e:57:1f:90:5e:fe:90:c2:c7:52:b4:5c:8f:6d:0c:4e:
08:0a:91:69:03:90:20:74:8f:21:bd:ad:90:7d:b3:5d:bb:98:
46:63:10:c9:04:7a:85:e2:df:73:6f:57:ca:8e:d8:28:44:c8:
a3:cf:96:92:90:4f:bb:57:82:14:b4:59:f2:bb:dd:f4:8d:4a:
65:9a:4e:65:25:2f:c3:7d:45:be:74:b8:0d:2b:65:d6:ab:34:
36:08:ee:3a:89:4a:51:85:80:4d:be:ba:c1:e8:78:80:c5:40:
ad:82:e9:98:5a:dd:d8:96:95:bb:3c:17:77:e8:31:72:88:7c:
55:61:bf:1a



Release letter.x509.pem


-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIJAOuCYND5gmZOMA0GCSqGSIb3DQEBBQUAMIGWMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIU2hhbmdoYWkxETAPBgNVBAcTCFNoYW5naGFpMQww
CgYDVQQKEwNaVEUxIjAgBgNVBAsTGVNtYXJ0cGhvbmUgU29mdHdhcmUgRGVwdC4x
DDAKBgNVBAMTA1pURTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEB6dGUuY29tLmNu
MB4XDTExMDMwODA3MTM0M1oXDTM4MDcyNDA3MTM0M1owgZYxCzAJBgNVBAYTAkNO
MREwDwYDVQQIEwhTaGFuZ2hhaTERMA8GA1UEBxMIU2hhbmdoYWkxDDAKBgNVBAoT
A1pURTEiMCAGA1UECxMZU21hcnRwaG9uZSBTb2Z0d2FyZSBEZXB0LjEMMAoGA1UE
AxMDWlRFMSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QHp0ZS5jb20uY24wggEgMA0G
CSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC6XMcxr5zlAnZfYCeKPgt+w4y/fmB7
SzZSJvCx4hFKKq6m9CHg60vhlVQ4gLkuKb1l+pFbJdrP8yL1YKQqSrWWDAhPcuIl
Lj3UcmzfbMRQhM4mrXf49ees2xyVZO38KjtSSBw/ygvH5PSrX6KFUqQdxVeciLga
tYYoOEpRGKZdeL+HAI0EMFssOow00jPP44IB9Vi9UiEHOqvTHVmDIdQWOmAgWXlA
36sdWsSebLzWXjm2vB6OJaPV93zxy+tym33mkduc2DHQiH6TFUr4YmtDOZJ7y3jZ
2VzJU3VViYNunm/Da0NAPYwtbyeOgr+5npV7CfzY436lqLYaAlHJjx37AgEDo4H+
MIH7MB0GA1UdDgQWBBS6NVREsJ5wGdTi/26mEwf8h2KDfzCBywYDVR0jBIHDMIHA
gBS6NVREsJ5wGdTi/26mEwf8h2KDf6GBnKSBmTCBljELMAkGA1UEBhMCQ04xETAP
BgNVBAgTCFNoYW5naGFpMREwDwYDVQQHEwhTaGFuZ2hhaTEMMAoGA1UEChMDWlRF
MSIwIAYDVQQLExlTbWFydHBob25lIFNvZnR3YXJlIERlcHQuMQwwCgYDVQQDEwNa
VEUxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAenRlLmNvbS5jboIJAOuCYND5gmZO
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKSJA12gqyhorPk0EkHN
gUTLJoytol5SHPksdhbMjTOTEsaPiOVQZ0sHk9JDPoXRJlZvLXIvZCtzG+YCjpF8
Gv/uK47jHJsBG5L9LyI/LNctPOTefj3aBQklLxUgeblaaK2AFGb+ygmX8plGSwOz
9p4mgr8UQtPsdXP6gxEejI3oZ8Bz4HmttL+GwabCZAxuF9O2Z4vX1oCYbAVLAKz+
SUoMVXY9hzSa/Ttx+HeH0oHPXdZ0A2VyxpLiFIXdbdC9zWjB8AGQgmYINDHlQRG4
hPH9+NppDljxd19T1cEzkFERFEI8dWkTCaE8mRNQfShSt7N3vW+kfELq8rlkvDMW
9JM=
-----END CERTIFICATE-----



Found with search of .pem


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
31:1a:00:88:05:9a:3a:be:4a:fb:65:20:a6:f7:49:d8
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=T-Mobile USA Root CA
Validity
Not Before: Jan 4 20:54:35 2007 GMT
Not After : Jan 4 21:00:47 2027 GMT
Subject: CN=T-Mobile USA Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9d:67:c5:35:f8:f0:1e:e9:68:45:6e:b3:89:2f:
40:b5:81:18:f2:00:93:36:46:6b:6a:6e:21:b5:27:
3a:7d:14:dd:94:85:9e:13:10:7c:ff:27:76:a6:bd:
cd:e6:9f:22:5d:16:08:cb:54:64:53:0d:a2:4f:d0:
fb:3a:65:f2:3a:1d:0c:2c:6e:b4:a1:8c:2d:3a:77:
75:90:cb:53:c0:14:b5:84:66:86:f7:88:7d:31:bf:
88:57:c0:31:5c:ad:72:66:ca:11:84:52:7f:d9:fb:
1e:9d:59:32:3d:f7:10:eb:9b:83:dd:fa:48:56:41:
85:7c:25:d9:e1:c5:da:31:a3:71:3f:11:b8:04:2b:
a7:c0:ac:1c:ac:5c:cf:97:0b:e7:2a:bf:50:b9:fb:
8e:15:62:28:61:27:70:9c:df:ac:04:df:25:18:94:
8b:a9:e5:ae:ef:13:ca:6c:57:2f:5c:cd:7a:d3:ee:
21:56:5e:44:1f:db:c9:68:75:2b:ce:3c:2d:78:43:
2d:87:a0:96:4d:8a:0d:ab:4b:bc:76:19:5a:38:a8:
df:c0:dc:83:1e:11:dd:bf:7a:a1:e0:e0:33:88:b8:
d8:93:91:43:4f:e3:7d:76:15:aa:e1:19:f6:7a:47:
39:5c:36:b2:fe:5b:40:38:d0:8f:b9:7c:85:90:09:
3d:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
E5:C1:B4:20:15:E8:A7:78:20:E6:C1:F9:E5:EF:E9:5A:76:7A:F7:A6
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
02:05:72:db:c9:2d:75:d3:06:ff:74:74:80:15:57:7a:9b:fb:
f9:cc:6e:56:88:d6:5f:0f:29:39:85:2e:30:09:f9:e7:78:8d:
31:f0:c3:bc:73:8c:df:1f:4d:72:b8:18:ab:63:c9:10:a5:be:
bd:c7:dc:af:1d:ab:4e:f9:05:75:41:68:bb:8f:75:bd:39:b8:
57:6e:7a:52:ff:47:12:7d:b0:dd:20:95:5e:8f:f2:50:36:d6:
58:11:8b:c7:ad:bc:cc:7e:20:44:43:46:c2:5b:8a:b8:6b:d0:
70:af:81:20:5b:a5:45:98:fd:89:0c:a1:d7:05:b4:9e:28:20:
49:d8:0a:af:a9:a7:fa:f4:bf:fe:3a:7e:90:68:6a:65:e2:43:
83:e0:0d:1d:48:75:84:4a:13:60:e2:90:5d:99:02:01:6d:f7:
be:5c:b9:1d:f1:31:5b:90:4b:3e:83:05:7d:f0:30:f5:46:f8:
3a:cc:69:15:e6:fd:9b:56:89:32:e2:dd:3f:33:e0:91:64:7a:
4e:ea:66:bb:6d:45:0b:3c:77:5a:27:eb:17:d0:5c:da:41:c6:
51:cf:67:f2:d4:66:d8:9a:55:dd:9b:7e:fd:50:29:fc:b4:54:
d0:28:b4:f8:14:e1:5e:c7:09:1b:c4:f5:02:a9:88:99:3e:a3:
94:70:63:0c



Android.{46b117b….pk}


MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiiByw0W40uhK+khvIEneisE1pPtvId6ewOeFm4ohO0UVmcnB6RCJz7/J+xk4jlEfqJyfXm5BcRyxdERcbK4uzmDOwSgd4XaV2X+A4iN2EgJ5PdY6kZuWzJ0L2/gyFgbIs+0FWUOc449VoLojPcH/CNmwZultVSU2oBx0+GS7e8QIDAQAB


Android.{46b116b….pn}


BKh5htx/uctqIeTPXYKQeg==,JSELJGrruhYoMjWmTyDIbg==,+e4FeP4cyU3nSCvUGsyzKQ==,ln36NlEPaSPGJRMDPpDgsg==,p+1qMoPzUP9sd6GlVK5W0g==,wTYFRgMH9MlrHBOiTABP/g==,wDzbMeqqHEsC1iEhdW/aew==,umU4HDKB9C/OjhfFIPocqA==,ITosw/OKLkTWhpNAW2bZrA==,aA0DZ5YA968LTHAMaycP5w==,za8EKI70sWksGRK3s7IaJA==,1hVOcCffvhMichY3YySWjA==,siK/E+fc+mk/hHfTrsGb2Q==,JQBIS+G7oxyfMpdLZjTdGQ==,obG75fY9W5bBoPh8GX6/rg==,KNlS2eSRpPXnB9XFa6sHww==,0CHMY/66mmNtk8AN84ecHw==,Qqw38N8Bm2YVKL6QiLxG0A==,jfocHUwv0lkqoShKwB4A6g==,K8P7MC2jaODIbD0O9zTq/Q==,KEEpQUwRFhhv8e6u0zxnhw==,3jIW2Yt2znChbdm91aNAGQ==,FpwhGpoYmhFT08T4RDA2yg==,1PGtepnXDVhz7oy53WXwkw==,OCKsDinP7IlwBZuyHQHwXg==,5rSm9GPfWkOTiVW5+zu6Gw==,xfzxecmHpzjOeyqzxGJkbg==,mBX1OCyo8dJAZ3q1o66hpw==,nIbk1npIr1m3lyvs4MUPnQ==,sIG8g9qQg7Clv8/h6Kq2mw==,UkUOGDLvu1dJj6YtgCJKjw==,YYIg3vyhqa5yeCt1WufeiA==,fy1YChQDQztQDA9odvH87Q==,q/ysxExW6152gZ8kF17Xag==,F2FhvpAODimTSvyoPrET+A==,IU9IeUlWXJ2KfmYMsv0tTg==,hTq2DwbW+QVHncb33ppoJA==,9hrglJF6mqFcUAWpTjseyA==,QnViDp0YacNXzwXQQbH6UA==,jUhUhNKQ7BdVXnrMg9Aagw==,U2xwK0dCnQAVxRN14plVLQ==,qu1w+CG/96NXuFqBOYl/bg==,C1JBgxB0XHJcqwrU5n5TQQ==,Vce2gAAEPXUc8+R44MBUtw==,Vm/M+zQoiD7xGJ7Qpliwsw==,Wq3stoFwXhyn5EOrlklh5Q==,AcCFqpKbFZn93U6m1oEsLQ==,hrp/F7uYeV4i0rEayS1vow==,wwJeXOUP/cKHa0h6VGhhjQ==,Asru2kIUengRjRouyUTNEg==,h9q6EW4AvSTC7cKJO0tpSA==,S/lQ7K3Ky3UbbjCqsr6uhA==,2C6qVGkWM75HFc6kKPA/hQ==,m6ez1V7gDP8/Y6+TX/pSNA==,seiVA0K96uUrV8A4TVXCvQ==,ytEqLh/ISJ0dakKjhal3eQ==,wZ763BhqjdubWh3TTQOeJA==,NIz2Y0yPJcqzqGL1gbcWcA==,+6fgxA5rAtBtXW6BRdOdsQ==,NyOday/JK0FPBLz08IwV5g==,taXFywLKCceExdiBYOLsJA==,LzGEIgB66sNqcxNkyEX09A==,AjYZOfgwij3ALQIyImyZbg==,Z6Bt537Y4NYSBdgfO2LnNA==,f/xjiU85gto9Yy6IZEmMzQ==,NRS+L5mCDH6s+G0FdB/28Q==,QJ+AM89/HOmQY0tCus06Ug==,GE452E0vS51XBdPy3EmrDQ==,eMiIhvlok9TCjv9D+40tMA==,TrgLMsp8o0TjwUxDjOU7yA==,rZyJHLhdtKxTKHxjtLjtOQ==,3oV7MOjI2Uk9O5T4uRt8GQ==,TVo8Spoxg/w7hCtOQCG2VA==,Xis6RJnn3M+tQ8oYPscxgQ==,wxsyNkzhnKj80VCkF+zOWA==,a6WJs1zKX/jyNNtp9Eh+jw==,GAsF+v5yaRsr1XglP7hQLA==,zzz3K9jlOw233bCm8iCK+Q==,+IN8bBRGYpSWDcVI3vEa5g==,iIMre0vIhmr5WXCHPF6Mfw==,wRN+CcV6hv4EmOYuLlJpIA==,mhQ7LC7ygV4/aUnTyA9Dsg==,VlFAY5BJmAmacpD9uGH6lQ==,HDN2RvKYdWcrWmEZK5AQ+Q==,rx4MbkgQBzRPlDZ5CMkIxg==,MD0naGQy2SWbu77WMtKpUA==,wB3GsPUoavtVPZAMQFOojg==,4wej+d+fOA668Qbh3JgLtg==,oiOvlgnrNBf7S//gUcITRw==,il9HJvdFPHe42TYVzttVbQ==,gdURLDtbrdsinutUzFIOOw==,hFmfwh09SLFkJsW+43Kx1g==,1MlgoUdJA4BcPhMMgnEODA==,NjGg7HILnXJstNXGN4oUeg==,VuOm6+q1TYnaL/PE/Fbphg==,ReaGxZR2gGatmRHVTZb3Kw==,2hJ46SiLcSbSHCXQ+ay1aA==,kwOtC/4BIMvDpds/4mBZdw==,KsHt8lbl5WfdDQbX6nWCHA==,FZ6/6cGKIMxraxG64938dQ==,u39Hw3vPzEprNmxqvDjH5Q==,FMRv72IndB+iXdBrazyHMQ==,iiqImXGNrZq0/uY+oiLfBQ==,+GIG+f9auY9Z51ZGp39bxA==,jeYAXJaa82VD7WLLPpSGWA==,39OLCNDeDXo+gRadQDHV0g==,7YMsg/q9KO2+KCO2OY7b7w==,7ARRB3BwjGqP29jeCwunJw==,A1uFBZL/FGvkRT/CzUZAQg==,9giSEvrqAnR/QejkT2C+EQ==,gyBVluW8UPRh0fse34L4tA==,eR7eINp46n0zFlToAOZN+Q==,pzUV0vtl0k24bbT8GWkfew==,wX3xLbR0BbREsRxVAAymgA==,k26iSwA8GPr8G8eDUBkLnA==,hGtEZD7GCfUHgoh4dB4fmg==,PUBWFxPoo7yei8UqXXRAGg==,l4PPia0mQqYmVqVUnfgKYg==,Us503GyebQ9WmujLnP81Fw==,Gzm5O0jWwybpD8ZDkdu9fA==,AIWBm8JY2UBa7PN+m0QRUw==,mBEK8Xi95FDnj/4NTaOO2Q==,CrEaKEaSkT83Kmeyl+qaTw==,UhIIQr51OtYfoMt7r7PEuQ==,TXuN77gJYvn41g2VgK34GA==,4tWz8yt53h1FrNH62W+7Dw==,PZER4tMXG/SII2n0kMCHtA==,sFBMPhAV/Frf+cFC7XwziQ==,ZqOxwsGB/5K4v5RedItvtw==,K5I+q77GR1l2PT+vvRHyJw==,jSrOtxTtFRGEEB0mDawP8w==,dcLteR1RoHzXtfAFANKWsg==,/bdVzcovKduA2b9fcf/SNw==,GgJK3HidPFAH4L8ratXU8w==,CzKOnRQce+a5NqOFR5ZAVg==,Z7+ow5RXOBDm7y8rlrrbDA==,iiWBo/SjE77zUSm/n8jQzQ==,VwB2gKnYx3TnPD0McSzLLg==,Ig/KdJrNn/Q5zpLl6cNvkg==,VLKhXXpq/XyPhlBP8O5fvw==,QN60Abn/6OHfLxzFukgLEg==,6w1C6uAFgqzXCebCfjR+7Q==,mm8qJdQ/9zK43zhCoNNaSQ==,A7KNYS990E8dDk4dvp+a8Q==,fC/0pNuvEz7HaiiBa5eP2Q==,AXDll7wYh42TsK8Kz6+iJw==,G2jmF+yFSgBRBI6wk3rNrA==,PXPpixrTvSV196VlE9iaDA==,Txbz73RJtbTijBVqvMBuFQ==,96o0ghX11Wb55MqGD0dCCQ==,EjUTGe08GEox24cwh6Jvew==,pu89O+NuO/805aWsLlvnnQ==,9W1EjfeOhRImHUv7yzl4xw==,2BS99RqUbWpgNgdHdzLapA==,jPb4AntRcgjgF0VIcmgZ5g==,fLdxjx9ZF2u+LmW5nr2IRg==,fqJMjvkRp5ytckvlMOuA6g==,0oLPiuVRf8Zf03mMRoYyDQ==,KuvGlNXydf8f212iqe50Fw==,XIMAtlUBKxkw8uCnuBv2qQ==,nTC9AD9TM5cxZqrXjGRaTQ==,AouOd01tnZ1GK7dIj8oSAA==,PGKUrC5znJzr2Aap4V4X9A==,FIftrPCcMpa58OaexsHVyA==,Su0yV/J4/Pe/o6vWROIzMw==,I5Xuv8vxMn8H4gXWZp/7qw==,ZrK5Oygxypq2O/cQZprqSw==,ZY9cxflBMymo9SyL/X0VTQ==,7y4IbBXfk4hou/u1gjsKsA==,llu/TRjSBfeCxrhAnFdzpA==,CyprsNskO8MDLlEcaY1Htg==,lGBrfRcSp1PNS+rITtJRFQ==,Qqh21ElAzd2XtTuuiDHtNQ==,BDjrklmY3yCzSC7CVJnSJg==,WDpNN4Lpv4lXZ1YkgJXbrw==,W3JGM9z1Hau9FS7gQfLdrA==,Nt+u3hVv/Zvgy05FoLQwjQ==,yw/0spENkrpZSlRBTIGFwg==,ojsgP9Oq/G3LhOQ43aZ4tg==,A26HQ+VWjsaTcv0zQUouxg==,JkHkYPT/Sdd9fpT6vhWKLA==,Rql5CfVkFt6g8Txh6acuxg==,KgsNYE0NyZ4Evf481Dg7jA==,mBY5YXf4Z5N2p/32SKojwg==,RLHBqDRNqQHXjiHOhAFJuA==,+f5eU3QfhtzDfiWxGTdjbA==,URnWmvppM0M79LoaX58VTA==,lH8rRkqTHJgFIDcjoilrmw==,4OZ8Gq8XGbb7UOx+kgPd4Q==,eodyUOlZnCRX5i6zs4IG9g==,yEDhv5MlsgRrzOXh4TnSZg==,lWfJWoRPbxdlZ9caAGl1xQ==,voCuwduaK1PJ05nbDGAhgQ==,gsipF/MRM4/7rwRgTcx07A==,NU2KL2i8l3XtPJNj2sfjYg==,FeKFrukRrVp7MUDnzDbklw==,kUswT5LTJ0ybVL53ecWgPA==,zS5ofymDqXnxPz6yiVXtyQ==,4gVgBiLKlRHgzBLGyOQ0HQ==,/ADe6cof9uFsaBuxz9bTaw==,DLETHwO2tvlLaje7xJsbRA==,w12MkGugkiadsJReTS2R0Q==,/HBOaxPE+ya/XkEfddqE8g==,7HhaYFlkWxODqEvkkN8Oag==,apVRViK7ZkvWEPrWsJSqsQ==,Hg1dequz3l74BpojbTQjyg==,t/fGyvXfWUkC9gQQqRGBlw==,7TNBbFMMguXT+qerdoK3eg==,3CzUxDMdE1jZIUlZDgYYuA==,/vxjl5p6K2pmqzcVDY/G7w==,qJ/AdhbThMR9bDRac3khdw==,bZm3/Xit1CJbV5G873xhaw==,6Awy7LkJvleWjgBtgh3z9A==,KeG7XqGK8bNqPwAC3ucypw==,GRbVSsrRybL5+1bS+xXZ3g==,PmAZ0FFC66rBNU32OoI22g==,uRnl7JRE3xfe077dG6vhKw==,YaI96HWtMvur2bVhGpvmzQ==,nXwJmct4zrTtT37khh3a7w==,FvENAbnXFA3ncxFPr4Cmbg==,77lbXl9jEqVeop2n6DyWEA==,LGxgjbmzbJxZFmgPELAVsA==,BjL2v2cTuY9JiVZScDISKQ==,b496amnyqil2QSQW7LhPeg==,+dLt61CT96eChNRGx5V8vw==,bPZU+RAhtrwILZ8qdqYleA==,QmpViMURDNAdWvF+R62yIw==,CEqzvDT3qnzP+DZT9Sq6/A==,yaRlYB4XUk3acQpwoXCTng==,1av/6UEq8HzF/WNDWiWmLw==,4K0xMNjLwU5gSsg6BHJn8Q==,gm9KLa6Ff416qQXA9czs9A==,+odyCQNsoZQFkWpgv+pPbQ==,SbPX7ej4KcBMoNvAjayxrA==,dBt/urhooy9gw2RM4NsABg==,4xDje9kjwUZId9RtmuxBOw==,g9sUvkZS7Cs27WB4lkh9Zg==,E8tfQNN6Iqor8KVI7KM43A==,JVZJ0h0SY188tbI25sw7UQ==,mJ58flRzau9J0HIcnIoHYg==,snbds7nidDV+mOL26IJx+Q==,hYhK5cCq9s8nUO/TCoBcXQ==,QbPhQmi8jQ70UradN9UidA==,JypI6xAgYWLFVdxdKUgAGQ==,zB6+82agQOYIrKf6GWhqqA==,x8pH5WEE7qjjpxVq1PEe+w==,7jWp9DK59vN7kxlig2NY3Q==,qIauOpG1XTrHEzFpY0g2Uw==,vFgnQ81z0bG7PmfRot/Zcg==,PE2vn6FTws8OB2wjwJlsTw==,X+D8V/mjqW4EjbpiODWd+w==,0L7bSvGBp/Q5vFGe5PQtaA==,cp9f0bzpTahhfyGNpAKzyA==,Rft0Z5Vnih3tM/rvPFjpxw==,1OkeVoxh7WDc16UjOa+lIw==,hTHYqeRwPPjXPhuVyI2YaQ==,fYkxyHUs66FDUNSvjZqq4Q==,GIPH+FHwG6FuMvDzV9L1aw==,RlEcndORETS3JQBNZuBb4A==,ahhNhJ5Qkseye1G2IGVnnQ==,2aZlIH3BFLNa5QxURVjV5w==


Android.{46b117b….60}


Mhz1Qpy5jqK1rwGQJPWzqQ==


Android.{46b117b….wr}


com.estrongs.android.pop

 

[loonycgb2]

Both methods recently posted.. disable dm-verity and signing boot image with certain keys..

First zte ALWAYS requires oem keys so do not sign a boot with your own keys or upload an unsigned boot.

Second to disable dm-verity is not possible at this current moment as you cannot pull or push a new boot image.

IF someone could manage to pull the boot img so we may get to the ramdisk then YES we could disable dm-verity using dirtyc0w.

But in the end both require flashing a new boot.

 

[SapphireEx]

Both methods recently posted.. disable dm-verity and signing boot image with certain keys..

First zte ALWAYS requires oem keys so do not sign a boot with your own keys or upload an unsigned boot.

Second to disable dm-verity is not possible at this current moment as you cannot pull or push a new boot image.

IF someone could manage to pull the boot img so we may get to the ramdisk then YES we could disable dm-verity using dirtyc0w.

But in the end both require flashing a new boot.

I thought you pulled the boot a bit ago?

 

[loonycgb2]

I thought you pulled the boot a bit ago?

Never got it to work

 

[biledigger]

Sorry guys. I am new at this part. Where is the boot.img located on our devices? I have been very lucky with extracting and modifying pre-existing system files on all my devices in the past. I will try whatever comes to mind to try and extract it.

 

[Jon Greenwood]

I'm sorry guys, you guys are really close to where I was when I stumbled on the blood diamond. Re-read some of what has been posted, the SUID is there, think outside the box. DMVERITY is where you need to look.

 

[Jon Greenwood]

I have seen everything about the china backdoors and such, but wheres the actual proof of what you "found".

I cant find any sodu.ja or even find a single blip of network connections to unknown sources..

How would you be able to know of a modem backdoor without direct access to a decompiled modem partition or even a kernel backdoor?

On top of it all you have a semi temp root and instead of passing the info you delete it all because you feel your done?

I seriously doubt you honestly found any real traces of anything.

Traces of a secondary root can be found in the emode decompiled source. It is the only way that is currently linked to unlocking system read and write. It was also placed in place along with ftm mode.

Much appreciated for the skepticism, nothing to prove here, I got what I came for and in the process lost the faith in humanity to continue with this device. Re-read what I said carefully, and perhaps you'll figure it out.

 

[Jon Greenwood]

This has been obvious to me since the first inklings that the phone was lock down like it is not to keep us out. But to keep what it is doing behind the curtain secret. They only way we will be able to confirm anything will be thru discovery. And the real targets should be MetroPCS, TMobile & to a lesser extent the other carriers if they also did not include fastboot or a method to peak at what ZTE & the repubic of fine china is up to. Since ALL businesses from China are nothing but an extension of said completely corrupt state. The only people that can put any pressure on ZTE is MetroPCS & TMobile.

If I am not mistaken, ZTE is still under probation from getting caught for illegal sales of tech to NK & Iran.

The only award that should be accepted, other then lawyer fees. Should be the unlocking of every bootloader on any ZTE device past, present & future.

For the millionth time, carriers have NOTHING to do with loading software. MPCS phones ship directly from ZTE. Notice the box color (purple) of different handsets is different? Yeah well it's because they ship direct. THE OEM LOADS MPCS SOFTWARE!

 

[Phoenix7331]

I haven't read everything and I'm no expert but why isn't simply flashing recovery in fastboot with TWRP and using TWRP to root not working?

My phone has the OEM unlock option in developer options so the bootloader is unlocked, right?

 

[brandonlee199966]

<font color ='#9e9e9e'>Phoenix7331 </font>
<font color ='#9e9e9e'>I haven't read everything and I'm no expert but why isn't simply flashing recovery in fastboot with TWRP and using TWRP to root not working? </font>

<font color ='#9e9e9e'>My phone has the OEM unlock option in developer options so the bootloader is unlocked, right? </font>



No! read all 97 pages then ask questions

 

[Ownster]

For the millionth time, carriers have NOTHING to do with loading software. MPCS phones ship directly from ZTE. Notice the box color (purple) of different handsets is different? Yeah well it's because they ship direct. THE OEM LOADS MPCS SOFTWARE!

Like you had faith in humanity to begin with lol