
Root ZTE Zmax Pro Official Root Discussion

Status
Not open for further replies.
Found some interesting things here.
http://forum.gsmhosting.com/vbb/f97...sm8952-check-inside-team-4-more-info-2237562/
This guy somehow has his z981 connecting properly to qfil.
While another user posted these https://www.4shared.com/rar/UQDM1kH1ba/8952_lite_prog_emmc_firehose_8.html?
And they seem to contain various firehoses. While they don't seem to be ZTE specific, it could be a place to start if the phone doesn't care about signatures.

That's about all I have until my jtag clip arrives in 2-6 weeks -_-
 
OnePlus 5 got rooted in like 2 days

Not all phones are equal. Besides the fact that the OnePlus line is a ton more popular, therefore attracting higher skilled hackers, it also has an unlocked bootloader, and proper tools to interface with it. The Z981 has a locked bootloader (as far as I can tell), requires ZTE signatures, EDL mode was changed, doesn't interface with any tools, and is heavily locked down in userland.
 
Found some interesting things here.
http://forum.gsmhosting.com/vbb/f97...sm8952-check-inside-team-4-more-info-2237562/
This guy somehow has his z981 connecting properly to qfil.
While another user posted these https://www.4shared.com/rar/UQDM1kH1ba/8952_lite_prog_emmc_firehose_8.html?
And they seem to contain various firehoses. While they don't seem to be ZTE specific, it could be a place to start if the phone doesn't care about signatures.

That's about all I have until my jtag clip arrives in 2-6 weeks -_-
That's support for those sim unlocking devices specific forums.

They all interface with EDL mode, aka Qualcomm port.

If they do happen to get a working qfil then we can use it to rewrite the qfil for TWRP.
 
Found some interesting things here.
http://forum.gsmhosting.com/vbb/f97...sm8952-check-inside-team-4-more-info-2237562/
This guy somehow has his z981 connecting properly to qfil.
While another user posted these https://www.4shared.com/rar/UQDM1kH1ba/8952_lite_prog_emmc_firehose_8.html?
And they seem to contain various firehoses. While they don't seem to be ZTE specific, it could be a place to start if the phone doesn't care about signatures.

That's about all I have until my jtag clip arrives in 2-6 weeks -_-
According to @tenfar, the Axon 7 same EDL method developer, those programmers are signed. He never told me how he got the Axon 7 signed programmer... I tested this method myself and unfortunately there was always "sahara failed", which I think is due to the wrong signature.
 
Come on people. With respect, let's get it together. Take an outside opinion for what it's worth. You are all thinking too hard on methods that are too much. Who do you think is going to open and solder their phones just for root access? I want root as much as any of you. I was there when mastercheif87 was opening doors for the original zmax to have root. And didn't stop until we had full r/w capabilities!!
Here's a quote from him,

"I think it would be wise to advise noobs to play it safe and use the twrp method. Just a suggestion.
Giving someone without experience full root capabilities without a custom recovery is kind of like giving a 16yr old a new Lamborghini without seatbelts or airbags.
Like I said it's up to you just trying to look out for others."

The answer cannot be that complicated or people will just move on. So I'm asking you all to keep trying. I do believe there has to be a way. If it's locked then there most certainly is a key. So let's all take a step back. And look at this with fresh eyes. I believe in you guys, I really do.
GOOD LUCK!
 
Wow. This thread died so hard. I came here to post if viewing the system logs of this phone would help at all. No root or PC required, I have discovered an exploit that targets all Android versions... Let me know if this will help with rooting the device in any way.

EDIT: I will only reply to the most active and trusted members of this thread. I don't want this exploit to go to waste. I have also attached a capture of the system logs from my phone as proof of concept.
 

Attachments

  • logcat_Z981.txt
    810.8 KB · Views: 1,468
Wow. This thread died so hard. I came here to post if viewing the system logs of this phone would help at all. No root or PC required, I have discovered an exploit that targets all Android versions... Let me know if this will help with rooting the device in any way.
EDIT: I will only reply to the most active and trusted members of this thread. I don't want this exploit to go to waste. I have also attached a capture of the system logs from my phone as proof of concept.
You sure you're the one that 'discovered' it?
 
I've been searching for ways to read logs on my device for a long time now. I discovered this completely out of my own curiosity. Will it or will it not help with rooting this phone?
That's the usual Android logcat that you can get by running this command [adb logcat] while connecting the phone to a PC with USB debugging enabled; unfortunately it's not very useful.
 
I know everyone wants to help and all, but consider doing some research before posting. Many of the things people are asking about have already been discussed directly in this thread, and many others can be found on stack exchange/ XDA etc.

I forgot to quote who said it, but yeah custom recovery is max priority. Unless someone can talk over EDL with the firmware controller, we are at a bit of a loss on that. Qfil refuses to interface with the com port (for me anyways), and we basically require that to accept our firmware images. Hopefully when my jtag clip gets here I can shed light on exactly what EDL wants from us, and what we need to do. Until then, I'm just going to keep trying to exploit the kernel until I can get a solid foothold that doesn't require a reboot or instantly crashes.

To me, userland seems like a waste of time. With dm-verity being itself, and the various system protection methods embedded in the firmware itself, userland could very well never be exploited on the current kernel.

Anyone know if we can get a big hacker to help with this? Geohot, chainfire, etc. Some professional input would go a long way (not discounting Messi in any way. Just more/different people).
 
You can definitely talk to the phone in Field Test Mode. I was able to push apks. Could not read my zip file but that was my bad. You can change directories. I had something worthwhile to send I would I can upload screenshots if you like.

That's not FTM you're talking over, it's a standard userland ADB, the same one we have in standard boot. Nothing really special about it.

EDL talks directly to the firmware, which is what we need
 
You know this is why I hate doing this s***. I know exactly what mode is in and how to talk to the phone. Firmware not you can still send commands through that mode. I suggest you look at the build prop. Look long and hard, it'll tell you what mode is in.

Take a very close look at the first command you gave. "ADB". FTM has its own set of protocols completely separate from ADB. All you did was open a userland shell from ADB. You can do the exact same command from terminal emulator in standard boot and it would give the exact same output you see there. You are not interfacing over actual FTM, you are just in FTM mode, which supplies the very same userland shell that standard boot gives. Literally no difference whatsoever. https://m.imgur.com/a/UKQ39
 
Take a very close look at the first command you gave. "ADB". FTM has its own set of protocols completely separate from ADB. All you did was open a userland shell from ADB. You can do the exact same command from terminal emulator in standard boot and it would give the exact same output you see there. You are not interfacing over actual FTM, you are just in FTM mode, which supplies the very same userland shell that standard boot gives. Literally no difference whatsoever. https://m.imgur.com/a/UKQ39
Idk, but this may help. I don't know how to use it, but I got MiFlash too to recognize my Zmax Pro in EDL mode.
http://imgur.com/clj6xGA
 