ZTE Grand X 4 - Rooting Progress

By scitrice, Junior Member on 28th January 2017, 06:46 AM
This thread is made in an effort to root the ZTE Grand X 4 (Z957). At this point I've made some progress by using the Dirty Cow exploit to access a root shell via ADB, but have been unable to install su to the system partition.

Notes: stock rom, no custom recovery.

Exploit method:
Follow the instructions posted by Arinerron on GitHub regarding CVE-2016-5195 (under 10 posts, cannot share direct link)
When successful you will see "[email protected]:/ #" as your shell prompt; however, the session will hang after any command. That said, /system/run-as is still updated, allowing you to do the following:

$ adb shell
[email protected]:/ $ run-as
uid run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
[email protected]:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

You have access to the Android system as root within this shell, but this is where I'm getting stuck. I'm not able to find a way to mount the system partition as read/write, and as such am unable to install su. Also note that you will need to run the exploit again anytime you reboot the device. I have tried the following methods:

$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system

[email protected]:/ # mount -o rw,remount /system
mount: Permission denied

adb reboot disemmcwp
#still unable to remount the system partition

At this point I'll share what I've been able to do so far and see if anyone else has ideas for a next step.
5th February 2017, 07:02 PM |#2  
Have you figured out how to root the Z957?
11th February 2017, 05:53 PM |#3  
This worked on my ZTE GrandX Max Plus to permanently disable the write protection on the system partition.

Good luck!!

reboot disemmcwp

If you ever want to re-enable being blocked from mounting system rw:

reboot emmcwpenab
21st February 2017, 07:17 PM |#4  
Any luck on this root? I am looking to buy a phone on Cricket, but I need one that I can root.
26th February 2017, 09:45 AM |#5  
Jcarson237
Bump? Would love to see root here!
1st March 2017, 07:09 AM |#6  
kbtech
Bump, I've tried but I also get stuck on the same three methods:

$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system

[email protected]:/ # mount -o rw,remount /system
mount: Permission denied

adb reboot disemmcwp
#still unable to remount the system partition
11th March 2017, 09:26 PM |#7  
Grand X 4
Has anyone successfully rooted the Grand X?!
15th March 2017, 10:44 AM |#8  
scitrice (OP)
Thought I would post an update: Still no success on my end.

"Rooting" is easy, but breaking out of the SELinux context to do anything is hard, i.e. I expanded on timwr/CVE-2016-5195 by trying to use vikiroot to break out of the u:r:shell:s0 context. To do this, adb push the vikiroot exploit to /data/local/tmp and then use the timwr method to run that exploit as root:
[email protected]:/ # /data/local/tmp/exploit
Unfortunately, I could only get the reverse shell to work as a glorified echo. If anyone knows where I could find some C++ code for running a shell in Android for me to work off of, I'm willing to see how much further I can get in that direction.

As disemmcwp doesn't work, I'm wondering if ZTE found a different way to lock down the system partition? Interestingly, there is an OEM-specific settings button that is greyed out (find it at *#*#4636#*#*).

I'm running firmware from Wind/Freedom Mobile so I can access the bootloader and unlock it, but I can't install SU or anything from stock. Additionally, there is no TWRP released for this phone yet. I have no idea where to find the board config files for this phone. Without a custom bootloader I'm not sure how to make permanent changes to the ROM at this point.
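An added illustration (not part of any post in this thread, and not code from the exploit projects mentioned): the script below parses the `id` output from the first post together with a constructed /proc/mounts sample, and reports the state the thread describes, uid 0 that is still confined to the SELinux `shell` domain while /system is mounted read-only. The mounts sample, the placeholder device paths and the function names are assumptions made for the example.

```shell
#!/bin/sh
# `id` output as posted in the first post of the thread.
ID_LINE='uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0'

# Constructed /proc/mounts sample (not from the thread); device paths are placeholders.
MOUNTS='rootfs / rootfs ro,seclabel 0 0
/dev/block/EXAMPLE-system /system ext4 ro,seclabel,relatime 0 0
/dev/block/EXAMPLE-userdata /data ext4 rw,seclabel,nosuid,nodev 0 0'

# Numeric uid from a line of `id` output.
uid_of() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p'
}

# SELinux domain: the third field of the user:role:type:level context.
domain_of() {
    printf '%s\n' "$1" | sed -n 's/.*context=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# "ro" or "rw" for one mount point in /proc/mounts-format text.
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] == "ro" || o[i] == "rw") { print o[i]; exit }
    }'
}

# Combine the three facts. The domains listed are the two that appear in the
# thread's run-as output (runas, shell); treating them as confined is an
# assumption consistent with the "Permission denied" the posters report.
diagnose() {
    uid=$(uid_of "$1")
    dom=$(domain_of "$1")
    mode=$(mount_mode "$2" /system)
    if [ "$uid" != 0 ]; then
        echo "unprivileged: uid=$uid"
    elif [ "$dom" = shell ] || [ "$dom" = runas ]; then
        echo "uid 0 but confined to SELinux domain '$dom'; /system is $mode"
    else
        echo "uid 0 in domain '$dom'; /system is $mode"
    fi
}

diagnose "$ID_LINE" "$MOUNTS"
```

On enforcing SELinux the kernel checks the process domain in addition to the uid, which is why a uid 0 process left in the `shell` domain gets "Permission denied" from a remount.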
23rd March 2017, 02:30 AM |#9  
kingkos
Thanks for your work on this. Stock ROM is pretty clean, but root would be great on this.
30th March 2017, 04:04 PM |#10  
I've tried many different ways to root this phone. For weeks, I've tried. Nothing. I personally think that there is no way to, not now at least.
21st April 2017, 08:39 PM |#11  
Don't know if this will help, but I found that they lock the bootloader under the developer settings!