Root ZTE Zmax Pro Official Root Discussion

[SapphireEx]

So apparently a new exploit has been discovered that affects all Android versions prior to 8.0

It involves the toast messages.
https://threatpost.com/android-user...al&utm_source=twitter.com&utm_campaign=buffer

Oooooh. Do we have a PoC anywhere?
*Edit Whatever happened to the guy who had Cloak and Dagger running?

 

[SapphireEx]

I have no, but my data just shut off completely. Rip

Are we going to try this exploit?

It seems to be a better version of Cloak and Dagger. I have 0 experience with that exploit though. Maybe @messi2050 would know.

 

[Y314K]

Oooooh. Do we have a PoC anywhere?
<br> *Edit Whatever happened to the guy who had Cloak and Dagger running?

He got others to get it to supposedly work. And he freaked out about ZTE & how this phone was a info leaker. Doubt he would be of any use. From reading the link. Doesn't this just target the App UI overlays so it works like a keylogger ? Don't see how this will get us past the bootloader or rooted.

 

[SapphireEx]

He got others to get it to supposedly work. And he freaked out about ZTE & how this phone was a info leaker. Doubt he would be of any use. From reading the link. Doesn't this just target the App UI overlays so it works like a keylogger ? Don't see how this will get us past the bootloader or rooted.

First paragraph:

Security researchers warned of a high-severity Android flaw on Thursday that stems from what they call a “toast attack” overlay vulnerability. Researchers say criminals could use the Android’s toast notification, a feature that provides simple feedback about an operation in a small pop up, in an attack scenario to obtain admin rights on targeted phones and take complete control of them.

Now, they said admin, and not specifically root, but that could just be the lack of knowledge on the journalist's part. In theory, this exploit should 'just' act as a door, and allow true malware to get installed that does the rooting job.
Still, it would be wise to investigate it and see what happens, as toasting (afaik) is a system level UI element, and not just a userland script.

 

[SapphireEx]

Anyone on a rediculously low firmware like show models and B00-B04 (B03 on tmob I think) feel like testing quadrooter? I know we tested B14 and it came back negative, but earlier patches should be vulnerable to quadrooter.

 

[Y314K]

Anyone on a rediculously low firmware like show models and B00-B04 (B03 on tmob I think) feel like testing quadrooter? I know we tested B14 and it came back negative, but earlier patches should be vulnerable to quadrooter.

Guess you already tried it on B08?

It does not work. I would've rooted ages ago. I just tried it again 'cause why not. King root doesn't root it. I have never gotten temp root on this phone using kingroot and I have on other zte devices before disabling right protection. Etc

Woah I missed a lot, nice progress. Let me know if I can be of any help lol.

Please try QuadRooter for us Chloe936. Don't just try once, but 4-7 times (Come on lucky 7). Let us know how it goes.

Please upload of Pic that includes the Build Number please too. Really need to confirm things. Thanks.

 

[timgreene93]

This may be of no use but I downloaded an update file a while a go it's B08_to_B12 update.zip 300+mb

 

[messi2050]

Maybe just upload it to gdrive. We could use it maybe sometime

Where are those bin files you talked about

 

[Jimmy Dixx]

He got others to get it to supposedly work. And he freaked out about ZTE & how this phone was a info leaker. Doubt he would be of any use. From reading the link. Doesn't this just target the App UI overlays so it works like a keylogger ? Don't see how this will get us past the bootloader or rooted.

I remember that. He said something about a hidden user named "sodu" or something like that.

 

[messi2050]

Yeah let me get you the gdrive link.



Here you go @messi2050

https://drive.google.com/open?id=0BzB13eJzumiNYzhyWWJGS0NzbmM

Don't know how this can be possible but probably that coderam.bin contains our signature keys or is itself is our programmer _-_ this exactly the same zte signing method used on axon and their other devices programmer...

 

[SapphireEx]

Malformed command���invalid header��resource does not exist�unknown client via rpm-npa adapter���	� ���	��	��	��	��	��	��5��	��5��5�HAL_clk_GetNextClockInDomain returned 0 (ClockDomain Index: %d).����Unable to turn ON clock: %s.����%s (Enabled: 1)�Q���B���(��������������Q���B��殪��������������0��(���������������E�H�������system�pmic_arb_base_addr�owner�interrupt�smd_intr_enabled�ClockSources�gcc_rpm_proc_fclk�gcc_sys_noc_axi_clk�gcc_sys_mm_noc_axi_clk�gcc_pcnoc_ahb_clk�gcc_bimc_clk�gcc_apss_tcu_async_clk�gcc_apss_axi_clk�gcc_mss_q6_bimc_axi_clk�gcc_qdss_at_clk�gcc_qdss_traceclkin_clk�gcc_qdss_stm_clk�gcc_qdss_tsctr_div2_clk�gcc_rbcpr_clk�gcc_spmi_ahb_clk�gcc_spmi_ser_clk�gcc_ipa_clk�ClockLogDefaults�ClockVregRailMap�ClockBIMCMMNOCMap�DEFAULT_FREQUENCY�QTIMER_AC_BASE�QTIMER_BASE

Now, this bit is VERY interesting.

Malformed command���invalid header��resource does not exist�unknown client via rpm-npa adapter

Whosawhatsit? http://www.bijishequ.com/detail/486985?p= (block diagram for RPM-NPA)

 

[messi2050]

Now, this bit is VERY interesting.

I think we are very near like this for the first time

 

[SapphireEx]

I'm extracting and formatting all the strings I can find. Will update with the strings (Prepare for very long edits)

 

[messi2050]

ok on the left is the axon 7 firehose and on the right is zmax pro coderam pulled by @ExtoliS https://androidforums.com/members/extolis.2017681/
can you see that common zte signing

 

[SapphireEx]

I've cleaned up all the data in that code dump for easy reading (Bear in mind, these files are NO LONGER USABLE for flashing or otherwise. A lot of their data has been removed.) https://discord.gg/6s2JkDv

 

[SapphireEx]

I have some massive news for all of you. CODEBIN is our MBN. QFIL has extracted my GPT.
*Edit My current issue is COM read failure. Seems related to cables. Common issue. @ExtoliS is working on it in the mean time.

 

[GarnetSunset]

@SapphireEx Fix your cables nerd.

I'm working on getting those Auth keys.

 

[timgreene93]

Here is the Google drive for the MPS_b08_b12 Update

https://drive.google.com/file/d/0BxuR_RRfOJ8rNUF1Qms1ZmhFdm8/view?usp=drivesdk

 

[Y314K]

Here is the Google drive for the MPS_b08_b12 Update

https://drive.google.com/file/d/0BxuR_RRfOJ8rNUF1Qms1ZmhFdm8/view?usp=drivesdk

I thought MetroPCS Z981's had gone from B08 to B14. That is what mine has been bugging me to update too.

 

[NeoZiggy]

I thought MetroPCS Z981's had gone from B08 to B14. That is what mine has been bugging me to update too.

B14 was the last before the Beta Program updates, I believe. B20 was the update after the beta program. B21 just came out about a month ago.

I wish I had dumped some of those... Tho I really wouldn't think they'd have been helpful other then to see what they tweaked with battery and kernel settings.

Wish we could go old school "Hackers" and find a lonely guy at a desk somewhere to give us the info. (Great movie, 9600broad modem on a desk with the IP taped under it... lol)

 

[brandonlee199966]

B14 was the last before the Beta Program updates, I believe. B20 was the update after the beta program. B21 just came out about a month ago.

I wish I had dumped some of those... Tho I really wouldn't think they'd have been helpful other then to see what they tweaked with battery and kernel settings.

Wish we could go old school "Hackers" and find a lonely guy at a desk somewhere to give us the info. (Great movie, 9600broad modem on a desk with the IP taped under it... lol)

Im willing to rip the b21 update for metro pcs. If someone one can tell me how? Im still on the b20 update and i blocked the update notification!

 

[messi2050]

B14 was the last before the Beta Program updates, I believe. B20 was the update after the beta program. B21 just came out about a month ago.

I wish I had dumped some of those... Tho I really wouldn't think they'd have been helpful other then to see what they tweaked with battery and kernel settings.

Wish we could go old school "Hackers" and find a lonely guy at a desk somewhere to give us the info. (Great movie, 9600broad modem on a desk with the IP taped under it... lol)

I been checking every update since b08 never got any useful information.

 

[SirMicBic]

please guy dont stop trying. is it possible the to re-edit the scrips if its scrip change verification or possibly emode and adb commands and something else no one has discovery is the problem to our unsuccessful root of the zte z981. ive tried everything went thro 6 zmax pro's with no success.

 

[SapphireEx]

please guy dont stop trying. is it possible the to re-edit the scrips if its scrip change verification or possibly emode and adb commands and something else no one has discovery is the problem to our unsuccessful root of the zte z981. ive tried everything went thro 6 zmax pro's with no success.

Join our discord. A lot of the discussion is ongoing there.

 

[timgreene93]

I thought MetroPCS Z981's had gone from B08 to B14. That is what mine has been bugging me to update too.

When I purchased my phone I think it was on BO8 I'm on B20 it kept trying to force me to update I disabled the app and cleared the storage , I have no experience with newer versions of Android since I stopped messing around with it after ICS , I feel our approach is wrong there have to be some apps that can access system level by default they just have to be reversed engineered it would be nice to mount the phone as R/W on Linux but I don't know how as far as the proper terminal commands go