

Root ZTE Zmax Pro Official Root Discussion

Discussion in 'Android Devices' started by anubis2048, Jan 14, 2017.

  1. Astr4y4L

    Wowzers, looking at this, it looks like I just stepped in to kick the proverbial hornets' nest, LOL.

    Question:
    Has anyone tried anything using Qualcomm's proprietary tools such as QFIL and QXDM?
    And does anyone have a quick link to grab the firmware for the device?
    Those would be my starting point.

    MSM = Qualcomm
    A lot of times I've been able to "modify" certain manufacturers' recovery tools to flash individual partitions and such.
    Is there a tool for recovering ZTE devices?

    Oh, and EVERY single thing I ever read at GSM forums was full of Krap.
    Every program they claim over there costs WAY too much, and I don't believe the hype about stupid Chinese "dongle" software...
    It's all designed to take advantage of a desperate situation.


    That being said,
    I will require the firmware for the device.
    I will start by decompiling that to see the guts of it.
    As for software fuses, mostly that's a bootloader thing;
    if you try to change the boot structure it'll trip the E or Q fuses.

    But the problem with Marshmallow and up is dm-verity,
    which is only easily bypassed by an unlocked bootloader...
    I read something about dirtycow?

    It looked like @SapphireEX said something about his/her dcow and recowvery script... which would actually be created by or from the work of
    James Christopher Adduono.
    The link to that on GitHub is here:

    https://github.com/jcadduono/android_external_dirtycow

    Precompiled builds from that are hosted over at Offensive Security "Kali/NetHunter";
    the link to that is here:

    https://build.nethunter.com/android-tools/dirtycow/

    I have used some of that on other devices with various amounts of success.

    But yeah,
    from here I want a look at the firmware, and I want to extract /boot from it and get a look at fstab
    to see what our mount flags and verity flags are set to.
    Then the next step will be to find something / anything to exploit, to run unsigned code in the context of system_server...
    If we get that far, we're golden.
     


    d3vvi likes this.
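The fstab check described in the post above, as an added example that is not from the thread or from any tool it mentions: it parses an Android fstab (the kind pulled from a boot image ramdisk) and reports which partitions fs_mgr will mount under dm-verity, which read-only partitions it would not, and how /data is encrypted. The fstab text is a constructed sample, not the Zmax Pro's real fstab, and the flag names are the standard fs_mgr ones.

```python
"""Audit an Android fstab for dm-verity and encryption flags (added example)."""

# Constructed sample in Android fstab format; NOT the Zmax Pro's real fstab.
SAMPLE_FSTAB = """\
# <src>                                <mnt_point> <type> <mnt_flags>          <fs_mgr_flags>
/dev/block/bootdevice/by-name/system   /system     ext4   ro,barrier=1         wait,verify
/dev/block/bootdevice/by-name/vendor   /vendor     ext4   ro,barrier=1         wait
/dev/block/bootdevice/by-name/userdata /data       ext4   noatime,nosuid,nodev wait,check,forceencrypt=footer
/dev/block/bootdevice/by-name/boot     /boot       emmc   defaults             defaults
"""

VERITY_FLAGS = {"verify", "avb"}  # fs_mgr flags that make fs_mgr set up dm-verity
ENCRYPTION_FLAGS = {"forceencrypt", "encryptable", "fileencryption"}  # userdata encryption

def parse_fstab(text):
    """Return one dict per non-comment entry, following the fstab column order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed entry: skip it rather than guess at the columns
        src, mount, fstype, mnt_flags, fs_mgr_flags = fields[:5]
        entries.append({
            "src": src, "mount": mount, "type": fstype,
            "mnt_flags": mnt_flags.split(","),
            # fs_mgr flags become {name: value}, with value None for bare flags
            "fs_mgr_flags": dict(f.split("=", 1) if "=" in f else (f, None)
                                 for f in fs_mgr_flags.split(",")),
        })
    return entries

def verity_status(entries):
    """Mount point -> True when fs_mgr will enforce dm-verity on that partition."""
    return {e["mount"]: bool(VERITY_FLAGS.intersection(e["fs_mgr_flags"])) for e in entries}

def unverified_ro_partitions(entries):
    """The audit finding: read-only partitions that would be mounted WITHOUT dm-verity."""
    status = verity_status(entries)
    return [e["mount"] for e in entries if "ro" in e["mnt_flags"] and not status[e["mount"]]]

def encryption_modes(entries):
    """Mount point -> encryption flag (e.g. 'forceencrypt=footer') for entries that set one."""
    return {e["mount"]: (f"{n}={v}" if v else n)
            for e in entries for n, v in e["fs_mgr_flags"].items() if n in ENCRYPTION_FLAGS}
```

On the sample, /vendor is the finding: it is read-only but carries no verify flag, so nothing checks its block contents at mount time.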
  2. Astr4y4L

    Oops, quoted myself. LOL

    But I would also like to say, if it's susceptible at all to DirtyCow,
    we may be able to write a shell script, name it the same as a script located in /system, something already called by the system, and dirtycow our script into the place of the existing script, trigger the event that causes the system to call the script, and at that point it'll call it from memory, and it'll load our script and execute it...
    Just an abstract thought here...
    Please nobody beat me up for it, LoL.
     
  3. derick4

    We are counting on you, good luck.
     
    Meepmoop and Astr4y4L like this.
  4. Astr4y4L

    Looks like it deleted my other prev. post too... oops.
    But yeah, anybody got a link to firmware?
     
  5. jdoggthemaster4089

    Ha
    Check the Discord. That's where progress was made.
     
    Astr4y4L likes this.
  6. SapphireEX

    No firmware.

    JCadduono's rec0wvery is being used as a secondary entry point, and has nothing to do with my entry point.

    QFIL, etc. are not going to work without a signed firehose, something we discussed a few dozen pages back. The random MBNs found online are not signed. Attempting to use these will result in a Sahara fail due to the sig check.

    DM-Verity can be bypassed in software rather easily. My tools themselves prove that.

    If we had the firmware, we wouldn't be at this stage. The only thing released from ZTE is update packages, and the kernel. Neither of which is useful to exploitation at this stage.

    Rec0wvery can be used to elevate to u:r:init:s0, while my tools can be used to elevate to u:r:system_server:s0. Making use of rec0wvery's context hijack would require a hard modification to rec0wvery, something I haven't gotten around to. The main issues are the locked bootloader and SELinux. Setting permissive is proving to be a challenge.
     
    5318008 and Astr4y4L like this.
  7. Astr4y4L

    Ahhh, so no firmware...
    Anybody managed a dump yet?
    Individual partition dumps may be of use...
     
  8. Astr4y4L

    Link me, bro.
     
  9. Y314K

    Check the tool for a possible link.
     
  10. messi2050

    Hi, which partitions do you need?
     
  11. SapphireEX

    All of /dev/block/* is unreadable to us. Partitions can't be pulled, or even read yet without the recovery context, and that limits us just to recovery.

    The mount points are readily available to view, but still no reading content.
     
  12. Astr4y4L

    This
    would be a great place to start digging then.
    And just so I don't have to keep bouncing all over, would you mind sharing a link to the tools/kit you've put together thus far?
    I'd like a look at the source from that code.

    And also, if we're going to be working together on all of this,
    would everybody please refrain from bashing each other on here?
    That type of thing is frowned on and doesn't lead to teamwork or productivity...

    If someone's a liar or a D****Bag I'm sure they know it, and declaring it publicly on AF isn't going to help us root any phones, LoL.

    All of that said,
    I'm willing to work on this with anyone who's knowledgeable about the device and can test things hands-on.
    And if anyone has succeeded in dumping the partitions, the dumps would help a lot, as "NO FIRMWARE"
    gives me nothing to disassemble.

    Thanks
    Astr4y4L
    Team_Astr4y4L
     
  13. SapphireEX

    I've already sent you a link to our Discord, where the latest version of my tools is.
     
    bcrichster likes this.
  14. Astr4y4L

    In a perfect world, all of them, LoL.
    But if I can get /system, /vendor, /recovery, /modem or /radio, those would be good places to start looking to exploit.
    A
     
  15. messi2050

    I can upload boot and recovery images for now as I have a slow connection. The only thing I found interesting there is that FTM mode has its own init scripts and the system partition is not encrypted in FTM mode.
     
  16. jdoggawesomex

    Any link to the tools? Maybe I can use them.
     
  17. Astr4y4L

    Ask for access to the Discord; I won't post someone's work without perms.
     
  18. SapphireEX

    Got any technical knowledge?
     
  19. jdoggawesomex

    Well, I am still learning.
    I do need to get a new computer because the one I use has a bad battery. Only 2 hours on a charge.
     
  20. Y314K

    I posted above a link to where one of his last versions was posted as a txt link.
     
  21. Astr4y4L

    K, well, I'll be over on Discord discussing these things a bit; as soon as I have ANYthing useful I'll report to the community.
    Thanks, Astr4y4L
     
  22. jdoggawesomex

    Which post?
     
  23. jdoggawesomex

    Is it in the Discord? If so, can I join?
     
  24. Y314K

  25. SapphireEX

    Fidounlocks is confirmed to be Messi2050.

    If he attempts to ask you for TeamViewer access, I'd suggest using the latest version of VirtualBox.

    UAT requires physical access to the phone, something that can't be done over the internet.

    As of now, both of his currently known accounts (and Samuel, plus a few others) are going on a scammer list, and you are advised to avoid them.

    If anyone needs a link to my Discord, where my tools are being uploaded, PM me.
     
    bcrichster and armandop_ like this.
