quick question, when you're all temp rooted, do you still have /system locked? if so, here's a fix. (POSSIBLY, I havent managed to get king root to work on my fierce 2 so yeah. anyone who is temp rooted should try this.)
(Just saying, this is not my work. Credits to Jcase for doing this to the ZMAX.)
Using Kingroot 4.0, or whatever root exploit you have up your sleeve, gain root.
in android terminal or ADB Shell, input the following:
(if you're not root@draconis:/# then do "su")
root@draconis:/# id
uid=0(root) gid=0(root) context=u:r:init:s0
Ok GOOD we have root.
root@draconis:/# mount -o remount,rw /system
mount: Permission denied
(if you don't get any errors, this is good and you can write to system.)
What firmware are we on?
root@draconis:/# getprop ro.build.fingerprint
zte/P892T57/draconis:4.4.2/KVT49L/20140804.141306.18686:user/release-keys
(THIS WILL BE DIFFERENT FOR THE ONE TOUCH, THIS WAS THE ZMAX'S RESULTS!)
Ok good.
Lets use that backdoor we just talked about in the other post to make sure we can keep root through reboots
root@draconis:/# getprop
ro.product.name
P892T57
(again, the zmax's, will vary for one touch. also, if you have _MPCS after, make sure to include it when setting the prop.)
root@draconis:/# setprop persist.sys.k P892T57 (Don't use that one, use whichever the result on your screen was.)
root@draconis:/# getprop persist.sys.k
P892T57 (make sure your result is the same as when you set it.)
(Now, i dont know if this is the same directory, but basically, find the directory that boot and recovery is in.)
root@draconis:/# cd /dev/block/platform/msm_sdcc.1/by-name/
Lets backup recovery
root@draconis:/dev/block/platform/msm_sdcc.1/by-name# dd if=recovery of=/sdcard/recovery.img
Lets write boot to recovery!
root@draconis:/dev/block/platform/msm_sdcc.1/by-name# dd if=boot of=recovery
root@draconis:/dev/block/platform/msm_sdcc.1/by-name# reboot recovery
^ If you boot into android, this is good.
Now, using ADB, you should have your backdoor working.
root@draconis:/# id
uid=0(root) gid=0(root) context=u:r:shell:s0
ehh the backdoor doesnt give the best context, but hey its enough to set selinux permissive
root@draconis:/# setenforce 0
root@draconis:/# getenforce
Permissive
root@draconis:/# mount -o remount,rw /system
root@draconis:/#
If my theory worked, you should have no errors like the ZMAX did.
Lets install supersu, cause the backdoor is only for adb.
root@draconis:/# exit
Jons-Mac-Pro:su jcase$ unzip UPDATE-SuperSU-v2.46.zip
Jons-Mac-Pro:su jcase$ adb push arm/su /data/local/tmp/su
1301 KB/s (133472 bytes in 0.100s)
Jons-Mac-Pro:su jcase$ adb push common/install-recovery.sh /data/local/tmp
136 KB/s (629 bytes in 0.004s)
Jons-Mac-Pro:su jcase$ adb shell
root@draconis:/# mount -o remount,rw /system
root@draconis:/# cat /data/local/tmp/su > /system/xbin/su
root@draconis:/# cat /data/local/tmp/su > /system/xbin/daemonsu root@draconis:/# cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh
root@draconis:/# chmod 755 /system/xbin/su
root@draconis:/# chmod 755 /system/xbin/daemonsu
root@draconis:/# chmod 755 /system/etc/install-recovery.sh
root@draconis:/# reboot
Any time you want write to system, reboot to recovery. Want to flash an update, probably need to unroot and write back that recovery backup
again, this was Jcase's method for the ZMAX. make sure you read through this carefully and follow closely. You wouldn't want to mess your device up. However, since root method was the same Im thinking this method is the same too.