
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
All we need is the physical bootloader, and BootStomp will do the hard part of actually analyzing it. Anyone got a bootloader rip?

Why not run this on the Axon 7 N bootloader (aboot)?
I actually have IDA Pro for Linux, but I'm not sure if the decompiler is included.

One thing I have been thinking about this whole time is leveraging an SD card to get in. But I need to do a lot more research on SD cards and ZTE.

I was able to unlock HTC Verizon bootloaders by creating a bootable SD card that contained HTC firmware from carrier devices that allowed unlocking.

If I had a device GPT and a device backup I could burn a bootable SD card. Depending on whether this SD card boot function is disabled by ZTE, it could be another way in.

https://forum.xda-developers.com/desire-526/general/verizon-htc-desire-526-boot-loader-root-t3587118

https://forum.xda-developers.com/desire-526/general/super-sd-htc-526-vzw-t3596497

The big advantage here is we don't need the ability to edit anything on our locked devices.
All editing and testing is done to the SD card.
This makes it so you can try anything and not worry about bricking.
You just pull the SD card out and re-burn it.
 
Last edited:
Upvote 0
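The SD card idea in the post above depends on reproducing the device's GPT on the card so that a bootloader which honours SD boot can find partitions by name. The following is an added example, not code from the thread or from ZTE; it builds a GPT-partitioned image with named partitions (protective MBR, primary header, 128 entries, backup copy at the end of the disk), then parses the table back, checking both CRCs, and locates a partition by name the way a by-name lookup would. It assumes 512-byte sectors and the standard UEFI layout; the partition names "aboot" and "fbop" and the payloads are placeholders, not a real ZTE layout. Whether the Z981 bootloader reads an SD card at all is exactly the open question in the thread; this only shows how to produce and verify the card image.

```python
"""Build a GPT-partitioned SD card image and look partitions up by name.

Added example, not from the thread. Assumes 512-byte sectors and the standard
UEFI GPT layout (protective MBR, primary header at LBA 1, 128 entries, backup
copy at the end of the disk). Partition names are placeholders, not ZTE's.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"          # 92-byte GPT header
ENT_FMT = "<16s16sQQQ72s"               # 128-byte partition entry
N_ENTRIES, ENTRY_SIZE = 128, 128
ENTRY_SECTORS = N_ENTRIES * ENTRY_SIZE // SECTOR        # 32 sectors
LINUX_DATA = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")


def _crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def _protective_mbr(total_sectors):
    """LBA 0: one 0xEE entry so legacy tools treat the disk as already used."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE,
                               b"\xff\xff\xff", 1, min(total_sectors - 1, 0xFFFFFFFF))
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def _header(cur, backup, first_use, last_use, disk_guid, entries_lba, entries_crc):
    """GPT header sector; the CRC covers the 92 header bytes with the CRC field zeroed."""
    raw = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0, cur, backup, first_use,
                      last_use, disk_guid.bytes_le, entries_lba, N_ENTRIES, ENTRY_SIZE,
                      entries_crc)
    raw = raw[:16] + struct.pack("<I", _crc(raw)) + raw[20:]
    return raw + bytes(SECTOR - len(raw))


def build_image(partitions, total_sectors, disk_guid=None):
    """partitions: list of (name, payload bytes). Returns the whole disk image."""
    disk_guid = disk_guid or uuid.uuid4()
    img = bytearray(total_sectors * SECTOR)
    first_usable = 2 + ENTRY_SECTORS                      # LBA 34
    last_usable = total_sectors - ENTRY_SECTORS - 2       # room for the backup copy
    entries = bytearray(N_ENTRIES * ENTRY_SIZE)
    lba = first_usable
    for i, (name, payload) in enumerate(partitions):
        n_sect = max(1, -(-len(payload) // SECTOR))       # ceil(len / SECTOR)
        first, last = lba, lba + n_sect - 1
        if last > last_usable:
            raise ValueError("image too small for partition %s" % name)
        entries[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = struct.pack(
            ENT_FMT, LINUX_DATA.bytes_le, uuid.uuid4().bytes_le, first, last, 0,
            name.encode("utf-16-le"))
        img[first * SECTOR:first * SECTOR + len(payload)] = payload
        lba = last + 1
    ecrc = _crc(bytes(entries))
    backup_entries_lba = total_sectors - 1 - ENTRY_SECTORS
    img[0:SECTOR] = _protective_mbr(total_sectors)
    img[SECTOR:2 * SECTOR] = _header(1, total_sectors - 1, first_usable, last_usable,
                                     disk_guid, 2, ecrc)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[backup_entries_lba * SECTOR:backup_entries_lba * SECTOR + len(entries)] = entries
    img[(total_sectors - 1) * SECTOR:] = _header(total_sectors - 1, 1, first_usable,
                                                 last_usable, disk_guid,
                                                 backup_entries_lba, ecrc)
    return bytes(img)


def parse_gpt(img, header_lba=1):
    """Validate the header at header_lba and return {name: (first_lba, last_lba)}.

    Pass header_lba=<last LBA> to read the backup copy, as a bootloader does when
    the primary header is damaged.
    """
    raw = img[header_lba * SECTOR:(header_lba + 1) * SECTOR]
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, _fu, _lu, _guid, entries_lba, n_ent,
     ent_size, ecrc) = struct.unpack(HDR_FMT, raw[:92])
    if sig != GPT_SIG:
        raise ValueError("no GPT signature at LBA %d" % header_lba)
    if _crc(raw[:16] + b"\x00" * 4 + raw[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    table = img[entries_lba * SECTOR:entries_lba * SECTOR + n_ent * ent_size]
    if _crc(table) != ecrc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = {}
    for i in range(n_ent):
        type_guid, _u, first, last, _attr, name = struct.unpack(
            ENT_FMT, table[i * ent_size:i * ent_size + 128])
        if type_guid != b"\x00" * 16:                     # skip unused slots
            parts[name.decode("utf-16-le").rstrip("\x00")] = (first, last)
    return parts


def read_partition(img, name, header_lba=1):
    """Bytes of a partition located by name, the way a by-name lookup would find it."""
    first, last = parse_gpt(img, header_lba)[name]
    return img[first * SECTOR:(last + 1) * SECTOR]


if __name__ == "__main__":
    demo = build_image([("aboot", b"ABOOT" * 300), ("fbop", b"F" * 100)], 4096)
    print(parse_gpt(demo))                                 # primary table
    print(parse_gpt(demo, header_lba=4095) == parse_gpt(demo))   # backup agrees
```

To put this on a real card you would write the returned bytes to the block device with dd; to go the other way, a GPT dumped from a device backup can be handed straight to parse_gpt to recover the names and LBA ranges you need to reproduce. Tampering with a single byte of the entry array makes parse_gpt raise on the CRC, which is the same check a bootloader's GPT code performs before trusting the table.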
Link to BootStomp https://github.com/ucsb-seclab/BootStomp
All we need is the physical bootloader, and BootStomp will do the hard part of actually analyzing it. Anyone got a bootloader rip?

Let's run this on the Axon 7 Nougat bootloader (aboot).
I would think our devices would have any found vulnerabilities as well.

You will need IDA Pro and Hexrays decompiler.
I have IDA for Ubuntu, but I'm not sure about the decompiler.
Anyway, I will see what I can do.
 
Upvote 0
Did you see my inquiries?

Ah, I see them now. I'll edit this once I run them.

*Edit: @messi2050 Nothing. Only request is available.

Code:
1|shell@urd:/system $ mkdir /system/test
mkdir: '/system/test': Read-only file system
1|shell@urd:/system $ cd /dev/block/by-name/
/system/bin/sh: cd: /dev/block/by-name: Permission denied
2|shell@urd:/system $
 
Last edited by a moderator:
Upvote 0
I'm not saying pirate it, but $1,409 is $1,409.
I doubt ZTE/Qualcomm would have changed things up between bootloaders, due to them being closed source and rarely actually touched, so I'm with you on that. If the Axon 7 has a glaring bug, the Z981 should as well.
I have no idea how I would go about actually exploiting any bugs we found, though. Sure, if it allows booting from state drives then hosting the firmware on an SD would be a viable option, but if it doesn't, I wouldn't even begin to know how to interface with the bootloader to actually exploit it.
 
Upvote 0
I'm not saying pirate it, but $1,409 is $1,409.

I wouldn't even begin to know how to interface with the bootloader to actually exploit it.

I know IDA has some of the older versions that are free to use for the general public. And I'm pretty sure you can get a demo of the decompiler. Knowing how to use IDA could be the hard part, but there are some good tutorials.

As far as how to use a vulnerability, I would think a method similar to these would work.

http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html

http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Despite using it for the reverse of unlocking, this is a very good article:

https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/

http://newandroidbook.com/AIvI-M-RL1.pdf

http://newandroidbook.com/Articles/aboot.html

Now, if one can understand and put all those things together, you can figure out how to use an exploit.
 
Upvote 0
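Both the BootStomp post and the aboot articles linked above come down to the same first step: get the aboot image into a disassembler at the right base address and know where the code ends and the signature and certificate chain begin. The following is an added example, not code from the thread, from BootStomp, or from the linked articles. It assumes the classic 40-byte Qualcomm MBN header used by emmc_appsboot.mbn-style images (ten little-endian 32-bit fields: image_id, header version, image_src, image_dest_ptr, image_size, code_size, signature_ptr, signature_size, cert_chain_ptr, cert_chain_size) and takes 5 as the APPSBL image id; ELF-packaged bootloaders use a different container and are rejected rather than misparsed. build_mbn exists only to fabricate a sample input, and the load base 0x8F600000 in it is an arbitrary placeholder, not a ZTE value.

```python
"""Parse the 40-byte Qualcomm MBN header that wraps an aboot (LK) image.

Added example, not code from the thread or from BootStomp. It assumes the
classic emmc_appsboot.mbn layout (header, code, signature, cert chain);
ELF-packaged bootloaders use a different format and are rejected here.
"""
import struct

MBN_FMT = "<10I"
MBN_LEN = struct.calcsize(MBN_FMT)      # 40 bytes
FIELDS = ("image_id", "header_version", "image_src", "image_dest_ptr",
          "image_size", "code_size", "signature_ptr", "signature_size",
          "cert_chain_ptr", "cert_chain_size")
APPSBL_IMAGE_ID = 5                     # assumed id for the apps bootloader image


def parse_mbn(data):
    """Return the header fields plus derived file offsets; raise on a bad header."""
    if data[:4] == b"\x7fELF":
        raise ValueError("ELF-packaged bootloader, not an MBN header")
    if len(data) < MBN_LEN:
        raise ValueError("file shorter than an MBN header")
    hdr = dict(zip(FIELDS, struct.unpack(MBN_FMT, data[:MBN_LEN])))
    base, src = hdr["image_dest_ptr"], hdr["image_src"]
    # Sanity checks: code follows the header, the pointers are consistent with
    # the load address, and image_size = code + signature + cert chain.
    if src < MBN_LEN:
        raise ValueError("image_src %d points inside the header" % src)
    expect = hdr["code_size"] + hdr["signature_size"] + hdr["cert_chain_size"]
    if hdr["image_size"] != expect:
        raise ValueError("image_size %d != code+sig+certs %d" % (hdr["image_size"], expect))
    if hdr["signature_ptr"] != base + hdr["code_size"]:
        raise ValueError("signature_ptr is not at the end of the code")
    if hdr["cert_chain_ptr"] != hdr["signature_ptr"] + hdr["signature_size"]:
        raise ValueError("cert_chain_ptr does not follow the signature")
    if src + hdr["image_size"] > len(data):
        raise ValueError("header claims more bytes than the file holds")
    hdr["code_offset"] = src
    hdr["signature_offset"] = src + hdr["code_size"]
    hdr["cert_chain_offset"] = hdr["signature_offset"] + hdr["signature_size"]
    return hdr


def code_section(data):
    """The raw ARM code: what you load into IDA at image_dest_ptr."""
    h = parse_mbn(data)
    return data[h["code_offset"]:h["code_offset"] + h["code_size"]]


def addr_to_offset(data, addr):
    """Map an address seen in the disassembler back to a file offset (for patching)."""
    h = parse_mbn(data)
    base = h["image_dest_ptr"]
    if not base <= addr < base + h["code_size"]:
        raise ValueError("address 0x%x is outside the code section" % addr)
    return h["code_offset"] + (addr - base)


def build_mbn(code, signature, certs, base=0x8F600000):
    """Wrap a code blob in an MBN header (used here only to construct test input)."""
    hdr = struct.pack(MBN_FMT, APPSBL_IMAGE_ID, 3, MBN_LEN, base,
                      len(code) + len(signature) + len(certs), len(code),
                      base + len(code), len(signature),
                      base + len(code) + len(signature), len(certs))
    return hdr + code + signature + certs


if __name__ == "__main__":
    # Constructed sample: 16 ARM NOPs, a 256-byte dummy signature, a DER-looking cert blob.
    sample = build_mbn(b"\x00\xf0\x20\xe3" * 16, b"S" * 256, b"\x30\x82" + b"C" * 62)
    info = parse_mbn(sample)
    print("load base 0x%08x, code %d bytes, sig at file offset %d, certs at %d" % (
        info["image_dest_ptr"], info["code_size"], info["signature_offset"],
        info["cert_chain_offset"]))
```

On a real dump, image_dest_ptr is the base to give IDA when loading code_section() as ARM, and addr_to_offset() turns an address found in the disassembly into the byte to patch in the file. Patching the code, of course, changes what the signature covers, which is why the articles above treat the bootloader's own verification logic as the thing to study rather than the image bytes alone.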

I'm quite adept at reverse engineering and use decompilers. I don't have IDA though. I use X64DBG for all my debugging needs.
 
Upvote 0
Keep in mind those are curated exclusively for the Snapdragon 800 chipset, which features a nasty bug.
 
Upvote 0
Well, about all I can think of to do now is try to burn an SD card with the Axon 7 partitions and GPT. The hope would be that our device reads the fbop partition and opens up fastboot access.

If there were a temp root or a way to get a backup of our devices, the chances I could make it work would be much higher.

So generally I am passing some time.
My skills aren't so great when it comes to aboot disassembly. I'm pretty good with a hex editor and a Linux terminal, but I need to learn ARM code and disassembly.
 
Upvote 0
We have temp root, but it lasts for literally a few CPU cycles before restarting and clearing the root.
 
Upvote 0

If you can manage to get an aboot image, I can deal with the ARM code and removing encryption flags.

The only other way someone can get a copy that I know of is to take the time to convert the patch file in one of the updates to a regular image.
 
Upvote 0
It's not that easy: flashing TWRP on a locked-bootloader device will trigger dm-verity and you will be sent to that screen [adb reboot unauth].

I've heard that the screen executed by adb reboot unauth is on its own partition, hidden until the phone is modified. Maybe with any of the possible above exploits, if we could disable it completely, we could make the whole partition useless, so adb reboot unauth would be no different than typing adb reboot ysydhd, which will default to system, giving possible root if paired with an exploit. Idk, it's all speculation.
 
Last edited:
Upvote 0
Yes, it gets enabled when the device detects changes on boot. It can't be disabled, as it's built into the kernel. No communications are available when you are in this mode; it is just a way to force you to not use your device after making modifications to it.
 
Upvote 0
Hey, everyone. Sorry to say I am one of the few that has been lurking since the old post got taken down due to off-topic stuff.
Anyways! I have a Zmax Pro on B01 that I have never updated. It was from Walmart on T. I did say I was lurking for a while; as for B00, I never knew it existed. I got my Zmax Pro back in Aug of last year.
(Honestly, I wonder if the ones still left in Walmart are on B01...)
 
Upvote 0

Doubtful about them still being available at Walmart. But you never know. Maybe the ones that can dump them can check a few stores. Is that phone your daily driver? Would you want to just donate it, or would you prefer to exchange your T-B01 for an M-B08? Or would you like to get specific instructions on how to try to dump your phone's FW yourself? Not sure what it would all entail. What are your thoughts right now?
 
Last edited:
Upvote 0
Does issuing the command adb reboot bootloader send you to fastboot, or does it just reboot back to system?
 
Upvote 0
Now, you are reading B01 in the build number, right? And not on the baseband?
 
Upvote 0
