Backtrack isn't available any more, unless you can find a legacy upload. Never had the chance to reverse engineer a phone, maybe Cyber Forensics can shed a small light on something. I'll start running that and let you know if I can find anything worthwhile, and I'll read up on the exploits while forensics runs.
Here's a good starting place:
https://www.cvedetails.com/vulnerab...7/version_id-188440/Google-Android-6.0.1.html
While most of these don't have public PoCs, they are starting points.
For a TL;DR of the Z981:
Locked bootloader
DM-Verity enabled
Fastboot has been removed/hidden
Android version: 6.0.1
Mainboard: Qualcomm MSM8952
Driver support: Generic Google USB
/dev/* is ---
/tmp is RWX
Phone is suspected of having a SUID user built in
Has full Toybox, and full busybox installed and symlinked.
Various commands known to work:
Reboot bootloader (Acts like a standard reboot)
Reboot recovery
Reboot disemmc (Attempts to disable EMMC write protection, only Messi has gotten anything out of this)
Reboot FTM (Field test mode, has a userland ADB interface)
Reboot EDL (Qualcomm factory interface. Only communicates over qfil and similar programs)
Updates for MetroPCS: B08, B14, B20, B21
B08 is exploitable via Quadrooter (Unconfirmed)
B14 and below confirmed exploitable via Dirty C0w variant intended for LG devices. Gives root access, but system instantly reboots, and wipes the exploit.
B20/B21 unknown
Loony has gained URD access at one point, but I think he said something failed.
Kernel source is available from ZTE (It's rather generic)