
Root ZTE ZMAX Pro (Z981) root discussion

Status
Not open for further replies.
With Marshmallow and Nougat, SuperSU and its binaries don't go in /system. Instead, the boot image is modified and a new mount point is created at /su, and that is where the binaries go. The SuperSU app is then placed in /data/app, the same place where it would go if you installed it from the Play Store. The only way to have SuperSU and its binaries installed to /system is to flash a custom kernel before flashing SuperSU.

As far as CF-Auto-Root goes, Chainfire only builds it for devices that use fastboot or Odin, and for those of you who don't know how it works, it flashes a custom recovery to your device, then uses that recovery to flash SuperSU, and then reinstalls the stock recovery.

adb pull /system will only give you a partial dump of system files because there are a lot of libs and binaries that can't be copied without root privileges. As for pulling partition images from the device, like a boot.img, recovery.img, or system.img, that cannot be done without root access.
 
Honestly I don't know, but it seems that when you do "adb reboot edl" the phone shows up as "Qualcomm HS-USB QDLoader 9008" in Device Manager.
This could be used to flash a ROM using a program like QPST or QFIL, but I don't know much of anything about how to use these programs.
Also, I don't know anything about how the files would need to be packaged or what format they would need to be in.
 
I was on that page yesterday, actually, reading up on this exact idea lol. If you look at page 12, I linked an app that flashes image files and stuff to phones in DFU mode, and we can boot to DFU too. And yeah, I linked QFIL or something similar after I read up on EDL. We've known we have flashing options; we've just been spending the day trying to get us the so elusive thing to flash.
 
With Marshmallow and Nougat, SuperSU and its binaries don't go in /system. Instead, the boot image is modified and a new mount point is created at /su, and that is where the binaries go. The SuperSU app is then placed in /data/app, the same place where it would go if you installed it from the Play Store. The only way to have SuperSU and its binaries installed to /system is to flash a custom kernel before flashing SuperSU.

As far as CF-Auto-Root goes, Chainfire only builds it for devices that use fastboot or Odin, and for those of you who don't know how it works, it flashes a custom recovery to your device, then uses that recovery to flash SuperSU, and then reinstalls the stock recovery.

adb pull /system will only give you a partial dump of system files because there are a lot of libs and binaries that can't be copied without root privileges. As for pulling partition images from the device, like a boot.img, recovery.img, or system.img, that cannot be done without root access.
So my ideas are pointless... Sucks.
 
Too much to read. Where we at? What was done so far? Hya btw
Basically we found out how to flash IMGs on the phone, i.e. kernels, ROMs?, recoveries, etc... And a long discussion about how to use that to gain root. All we got at this point is that we need a recovery (but how we gonna get one with pulling the existing one?) or another temp root exploit till a recovery can be built using the information and files that we can access with said root to build a recovery.
 
OK, let me get some info flowing... I have tried to set a flash.zip (no go).. I worked with the EDL stuff (emergency download mode for unbrick. NO GO...) I have tried to work every way possible with fastboot and either I'm doing wrong commands or FASTBOOT commands are completely null. FDM, it's most likely the fastboot mode; now the EDL stuff, it's our DLM to flash our firmware. Now it's two firmware around, Z981 & Z963U so far; kernel with not commit working to find vulnerabilities address to XXXPPLOIT
 
For those of you who are thinking the QuadRooter exploit might be the answer to rooting this phone: as far as I know, the last time someone found an exploit like this and turned it into a root APK was when geohot made Towelroot. Stagefright was found by a security firm, and that is probably the case with QuadRooter as well. In my opinion it's doubtful that how to implement the QuadRooter exploit will ever become public knowledge.
 
DO NOT ATTEMPT THIS, IT'S JUST AN EXAMPLE >>>
or comm like this
adb shell
(you should now see a # instead of a $. # = root)
4: exit
5: adb shell "mount -o remount,rw /system"
6: adb push su /system/xbin/su
7: adb push su /system/xbin/daemonsu
8: adb push install-recovery.sh /system/etc/install-recovery.sh
9: adb shell "chown 0.0 /system/xbin/su;chmod 06755 /system/xbin/su"
10: adb shell "chown 0.0 /system/xbin/daemonsu;chmod 06755 /system/xbin/daemonsu"
11: adb shell "chown 0.2000 /system/etc/install-recovery.sh;chmod 755 /system/etc/install-recovery.sh"
12: adb shell "sync;mount -o remount,ro /system"
13: adb install Superuser.apk

REBOOT AFTER STEP #13

Confirm root with rootchecker.
etcetcetc ...
 
DO NOT ATTEMPT THIS, IT'S JUST AN EXAMPLE >>>
or comm like this
adb shell
(you should now see a # instead of a $. # = root)
4: exit
5: adb shell "mount -o remount,rw /system"
6: adb push su /system/xbin/su
7: adb push su /system/xbin/daemonsu
8: adb push install-recovery.sh /system/etc/install-recovery.sh
9: adb shell "chown 0.0 /system/xbin/su;chmod 06755 /system/xbin/su"
10: adb shell "chown 0.0 /system/xbin/daemonsu;chmod 06755 /system/xbin/daemonsu"
11: adb shell "chown 0.2000 /system/etc/install-recovery.sh;chmod 755 /system/etc/install-recovery.sh"
12: adb shell "sync;mount -o remount,ro /system"
13: adb install Superuser.apk

REBOOT AFTER STEP #13

Confirm root with rootchecker.
etcetcetc ...
Don't forget the custom kernel that's needed in order to have root installed on the system partition.
 
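The two install layouts discussed in this thread leave different artifacts: the systemless one (a /su mount point plus the SuperSU app under /data/app) and the /system/xbin one from the quoted steps (setuid-root su and daemonsu). The following is an added example, not part of any post and not SuperSU's own code, that classifies those artifacts from collected `/proc/mounts`, `ls -l` and `pm list packages -f` output; the function names and all sample output are constructed for illustration.

```python
SU_PATHS = {"/system/xbin/su", "/system/xbin/daemonsu"}  # paths from the thread
SUPERSU_PKG = "eu.chainfire.supersu"                      # SuperSU package name

def mount_points(proc_mounts):
    """The second field of each /proc/mounts line is the mount point."""
    rows = (line.split() for line in proc_mounts.splitlines())
    return {f[1] for f in rows if len(f) >= 2}

def setuid_root(ls_l):
    """Paths in `ls -l` output that are regular, setuid and owned by root."""
    hits = set()
    for line in ls_l.splitlines():
        f = line.split()
        # Error lines ("ls: ...: No such file") and short lines are skipped.
        if len(f) >= 8 and len(f[0]) >= 10 and f[0][0] == "-" \
                and f[0][3] in "sS" and f[2] == "root":
            hits.add(f[-1])
    return hits

def supersu_in_data_app(pm_list):
    """True if `pm list packages -f` output places SuperSU under /data/app."""
    for line in pm_list.splitlines():
        path, _, pkg = line.strip().rpartition("=")
        if pkg == SUPERSU_PKG and path.startswith("package:/data/app/"):
            return True
    return False

def classify(proc_mounts, ls_l, pm_list):
    """Return a list of findings, empty when none of the artifacts is present."""
    findings = []
    if "/su" in mount_points(proc_mounts):
        findings.append("systemless: /su is a mount point")
    if supersu_in_data_app(pm_list):
        findings.append("SuperSU app under /data/app")
    for path in sorted(setuid_root(ls_l) & SU_PATHS):
        findings.append("system-mode: setuid root " + path)
    return findings

# Constructed sample output (not captured from a real device).
STOCK_MOUNTS = "/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0\n"
SYSTEMLESS_MOUNTS = STOCK_MOUNTS + "/dev/block/loop0 /su ext4 rw,seclabel,noatime 0 0\n"
SYSTEMLESS_LS = "ls: /system/xbin/su: No such file or directory\n"
SYSTEMLESS_PM = "package:/data/app/eu.chainfire.supersu-1/base.apk=eu.chainfire.supersu\n"
SYSTEM_MODE_LS = (
    "-rwsr-sr-x 1 root root 75364 2016-08-20 10:12 /system/xbin/su\n"
    "-rwsr-sr-x 1 root root 75364 2016-08-20 10:12 /system/xbin/daemonsu\n"
    "-rwxr-xr-x 1 root shell 629 2016-08-20 10:12 /system/etc/install-recovery.sh\n"
)
```
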
We will get there. I've exhausted all my options. Looks like whenever KingRoot gets to this device, then we can get temp root. After temp root, we can then pull/backup the stock recovery. Therefore port TWRP, then flash the superuser.zip for permanent root.
I see no other option because of no fastboot functionality.
The first ZMAX had the same issue.

If there's a temp root solution besides KingRoot, then porting TWRP is the easy part.
If we get an update (it's ZTE, so who knows if that will happen) we would have everything to get a system-based root built, but that could be a long ways away, if at all.
 