[ROOT] How to Root the ZTE ZMAX [KK][ALL VARIANTS]


mingolianbeef

Yep, you read that right and I'm not trolling. THE ZMAX IS ROOTED!!

Disclaimer and N00Bproof warning:

We have root, yes, but that doesn't mean get hasty. At the moment, there are partition images (system, boot and recovery) in my and other users' possession (free of access to all), but we don't have a working recovery at the moment and this process involves deleting the stock recovery (it will make sense later). So, if you screw up and get root-happy, there's no way to recover until we get a recovery and a custom rom, and even then you might be screwed because we don't have access to the bootloader to use fastboot. Things may change, but root-use with caution.

Also, once you root, DO NOT TAKE OTAs from T-Mo and ZTE!!!!!!! Now that we have root, we can capture the OTA and make it root-friendly. To make a long story short, the updater-script (thing that tells your recovery where and how to flash stuff) has a list of stuff it has to... well... flash. If you, for example, delete the stock ZTE Music app, and the OTA replaces the app with a new version, it's going to stop (because the script requires a REPLACEMENT and not a PLACEMENT, computers don't have the best common sense), then it will interrupt and you will likely be bricked. This shouldn't be a problem because you don't have a recovery to begin with, but I'm not taking chances here.

NOW! Let's Root. This is a long process, so don't expect to do anything for a good 10-20 minutes.

FIRST: KINGROOT

This is one of those things where your mileage may vary, there have been many different ways to get KingRoot (not King"O"Root, two different apps) to work, but this one was the one that worked for me. I'll also place alternate KingRoot methods in the second post if you wanna try those. Just for the sake of knowledge, this was run on a T-Mobile ZTE ZMAX, Android 4.4.2, build 22. I don't know if it makes a difference that I factory reset my phone before doing another round of root attempts (not this one specifically, maybe a couple hours' worth of attempts).

Credits to @fire3element for this method.

1) Download KingRoot APK from here (the first one with the image of the phone if you are on the desktop site).

2) Install KingRoot and run it. It will restart the phone, and it will fail (or, if you have some Android God luck, it may succeed), this is supposed to happen.

3) Clear KingRoot's cache and data (in that order) and power off the phone (not reboot). Then, power it back on again.

4) Now this is where things get... well complicated for this part. You are going to need to load your RAM with a bunch of processor heavy stuff. The person that made this method used CounterSpy and Final Fantasy Type-0 in the PPSSPP v1.0.1-411 emulator, but for those of you that don't have access to that, get creative and load up. Here is what I had running (all at the same time, mind you).

Note: Force Stop Task Manager in the app settings first or it will purge to free memory automatically and this won't work.

1. Next Launcher Lite
2. Apex Launcher
3. Nova Launcher
4. Cheetah Launcher
5. CM Launcher
6. Mi Launcher
7. 25 tabs on Google Chrome (No joke)
8. Both Temple Runs
9. Fruit Ninja
10. Google Play Store
11. Google Now
12. Google Play
13. Amazon
14. Google Play Music

Mine was definitely a bit extreme but I knew all of this stuff would guarantee a good memory hogging.

5) Run all of your apps at the same time. The TL;DR for this is that apparently it's some exploit that the app uses as a buffer overflow. Now, go to settings and Force Stop KingRoot. Then Run it again. If it works, you should go from 0 to 100 real quick (no pun intended). It shouldn't progress slowly or reboot the phone to do this, but your journey does not stop here.

If you did it correctly, the screen from a successful root will have a green checkmark. Run RootChecker to verify root status.

SECOND: PERMA-ROOT

Now you need to permanently root the phone. This method was all @jcase, and simplified by another user. I encourage you to read JCase's original G+ post to learn something, as this guy is the master of exploits, and we are on XDA to learn.

Credits to @xtremeasure for the simplification of JCase's process.

1) Plug phone into computer...

2) Open cmd type "adb shell" (without quotes, moving forward, type all commands without quotes). This will open a terminal for the phone.

3) While in ADB Shell, type "su" to gain root shell privileges


4) Type "getprop ro.build.fingerprint"

Output for that command should be...
zte/P892T57/draconis:4.4.2/KVT49L/20140804.141306.18686:user/release-keys (the part with P892T57 may be different depending on what model ZMAX you have). If you haven't updated, that number will be different; this is ok, just replace the number in the next command with whatever your output is.

5) type "setprop persist.sys.k P892T57"

6) type "getprop persist.sys.k" and your output should be your build number

7) type "cd /dev/block/platform/msm_sdcc.1/by-name/" to change directories so that we can back up your recovery image (remember I said something about that?) and set the boot to our recovery partition.

8) type "dd if=recovery of=/sdcard/recovery.img" to backup the recovery image.

9) type "dd if=boot of=recovery" to set recovery as boot. Another TL;DR is that this disables the write protection set by the stock recovery, allowing you to write to the system. It will mount the /system partition upon boot.

DELETE KINGUSER NOW

10) type "reboot recovery" and restart your phone. YOU MUST RESTART WITH THIS COMMAND!!!!! It will boot straight into Android, this is good, that means you haven't screwed up anything.

11) Reopen the adb shell (using "adb shell") in your command prompt or terminal (for OSX and Linux) and type "id". If your output is "uid=0(root) gid=0(root) context=u:r:shell:s0" then it worked...

12) Remount system as writable "mount -o rw,remount /system"

13) Manual install for supersu you can get that here: http://download.chainfire.eu/supersu

14) Type "exit" into the terminal/command and it should drop you back to your normal cmd...unzip the su zip anywhere you want in your cmd switch to that directory...

14B) I advise taking the "su" binary and "install-recovery.sh" file from the superSU folder you downloaded and putting them in the same place (on the desktop or wherever your adb.exe is if you didn't set $PATH on your computer). su can be found in the "arm" folder and install-recovery.sh can be found in the "common" folder. It is important to note that wherever your files are, you will have to type that path (if it isn't in the same directory as your adb). So, as an example, I put mine on the desktop, so I have to type "adb push ~/Desktop/su /data/local/tmp/su". If you do not know how to do that, then stop what you are doing and research it, as that's just too much to explain.

15) "adb push su /data/local/tmp/su"

16) "adb push install-recovery.sh /data/local/tmp"

17) Reenter adb shell with "adb shell"

18) Make sure system is mounted writable with "mount -o remount,rw /system"

19) Move the so files into place with these commands

"cat /data/local/tmp/su > /system/xbin/su"

"cat /data/local/tmp/su > /system/xbin/daemonsu"

"cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh"

20) Give them all permissions

"chmod 755 /system/xbin/su"

"chmod 755 /system/xbin/daemonsu"

"chmod 755 /system/etc/install-recovery.sh"

21) Reboot your phone to complete install with "reboot"

22) After rebooting, go into the play store and install the supersu app. It's going to tell you the su binary is out of date; to fix that we need to open the adb shell on our pc again with "adb shell"

23) Reboot into recovery (you're really rebooting the system with r/w privileges) using "reboot recovery"

24) Once rebooted, open the app and update your binaries. Once finished, reboot and you're done, 100% perm rooted

Now, you are rooted! If you did everything right, you should be good. Now people are going to ask, "Is there a script for this?" The short answer is No, don't hold your breath for something immediate. There was a user that said he would be happy to make one for the second half, but the writing, testing and verification of success alone on that will take some time, as the wrong line of code can make you end up with a good old fashioned paperweight. I can verify Xposed works fine, Viper4Android works fine, and if you try to delete system apps, they will just reinstall themselves (I recommend using "System App Remover (ROOT)" on the play store, as it will actually tell you which apps are and aren't safe to install). If you have any questions, after searching of course, feel free to ask. If I can't answer, some freaking body can lol.

CREDITS:
@tech_yeet for showing us the KingRoot
@jcase for his amazing work
@xtremeasure for his method
@fire3element for his method
@the zMAX Community for staying dedicated when the going got tough, it's been a long road. Here's to custom roms and a TWRP recovery!

Please share this with others, as there is a big community of people begging for this info, let's share the love :). If I forgot to credit you, let me know and I'll fix that!

ADDITIONAL INFORMATION
If you by some chance flash the TWRP Recovery Image (found in post 2), and would like to revert back to root ability (being able to write to system). Please follow the steps below:

1. cd /dev/block/platform/msm_sdcc.1/by-name
2. su
3. dd if=/sdcard/recovery.img of=recovery
4. reboot recovery

Please make sure you have the recovery in your sdcard root folder.
 
Last edited:
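
An added example, not part of the original post or of any tool mentioned in this thread: a host-side audit that checks captured device state for the traces the perma-root steps above leave behind (the root adb shell from step 11, the persist.sys.k property from step 5, the files written in steps 19-20, and a recovery partition that starts with a byte copy of boot from step 9). The function names, the choice to work from pulled files, and the assumption that persist.sys.k is unset on a stock device are assumptions of this example; the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit captured device state for traces of the perma-root steps.
# Inputs are collected beforehand: the text printed by `id` in an adb shell, a
# dump of `getprop`, a pulled copy of /system, and images of boot and recovery.

# classify_id "<id output>" -> unprivileged | root-shell | root-init | root-other
classify_id() {
    case "$1" in
        *"uid=0(root)"*"context=u:r:shell:s0"*) echo root-shell ;;
        *"uid=0(root)"*"context=u:r:init:s0"*)  echo root-init ;;
        *"uid=0(root)"*)                        echo root-other ;;
        *)                                      echo unprivileged ;;
    esac
}

# prop_value <getprop dump> <key>: value from a "[key]: [value]" line, empty if unset
prop_value() {
    grep -F "[$2]: [" "$1" | sed 's/^[^:]*: \[\(.*\)\]$/\1/' | head -n 1
}

# su_artifacts <pulled /system dir>: files that steps 19-20 create, one per line
su_artifacts() {
    for f in xbin/su xbin/daemonsu etc/install-recovery.sh; do
        if [ -e "$1/$f" ]; then echo "/system/$f"; fi
    done
}

# recovery_is_boot_copy <boot.img> <recovery.img>: true when recovery begins with
# the exact bytes of boot, which is what "dd if=boot of=recovery" produces
recovery_is_boot_copy() {
    n=$(wc -c < "$1" | tr -d ' ')
    [ "$n" -gt 0 ] || return 1
    head -c "$n" "$2" | cmp -s - "$1"
}

# audit <id text> <getprop dump> <system dir> <boot.img> <recovery.img>
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit() {
    findings=0
    state=$(classify_id "$1")
    if [ "$state" != unprivileged ]; then
        echo "adb shell runs as uid 0 ($state)"; findings=$((findings + 1))
    fi
    # Assumption: a stock device does not have persist.sys.k set.
    k=$(prop_value "$2" persist.sys.k)
    if [ -n "$k" ]; then
        echo "persist.sys.k is set to '$k'"; findings=$((findings + 1))
    fi
    for a in $(su_artifacts "$3"); do
        echo "su artifact present: $a"; findings=$((findings + 1))
    done
    if recovery_is_boot_copy "$4" "$5"; then
        echo "recovery partition starts with a copy of boot"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample data, for demonstration only.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/system/xbin" "$d/system/etc"
    : > "$d/system/xbin/su"
    : > "$d/system/xbin/daemonsu"
    printf '[persist.sys.k]: [P892T57]\n[ro.build.type]: [user]\n' > "$d/props"
    printf 'BOOTIMG-constructed' > "$d/boot.img"
    printf 'BOOTIMG-constructed-old-recovery-tail' > "$d/recovery.img"
    audit 'uid=0(root) gid=0(root) context=u:r:shell:s0' \
        "$d/props" "$d/system" "$d/boot.img" "$d/recovery.img"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```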

xIP-

I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.

Basically, everything is fine up until reboot recovery.
It goes into android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.

Has anyone else gotten this!? Have any of you got a clue how to fix?
 

fire3element

Here is some more info for those of you wondering what the KingRoot app is doing.
Screenshots will follow.
Text ABOVE the screenshot is for the image directly under it.
Let's begin -------------->

FIRST SCREEN WHEN YOU OPEN KINGROOT
1431533997246.jpg

SECOND SCREEN
- CLICK BUTTON TO BEGIN ROOT -
1431534066336.jpg

ROOTING IN PROGRESS...
1431534088007.jpg

ROOT FAILURE
[Blue Button]: SUBMIT (submits the error report to KingRoot devs)
1431533195674.jpg

ROOT FAILURE
1431533209965.jpg

ROOT FAILURE
1431533240746.jpg

NO DATA CONNECTION (WiFi or cellular signal required)
[Blue Button]: ANDROID SETTINGS MENU
1431533310782.jpg

SUCCESSFUL ROOT
1431533463181.jpg

IF YOU SEE THIS MESSAGE POP UP DURING ROOTING, JUST LEAVE IT ALONE. LET THE ROOT FINISH
1431533547992.jpg

SUCCESSFUL ROOT
[trash can]: [...]: [...]:
1431533818201.jpg

SUCCESSFUL ROOT
[Blue Button]: PURIFICATION (I believe this is similar to fixing permissions)
- CLICK IT AND LET IT RUN -
1431533677855.jpg

^ from clicking blue button above ^
PURIFICATION PROCESS
1431533784204.jpg
 

xtremeasure

xIP- said:

    I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.

    Basically, everything is fine up until reboot recovery.
    It goes into android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
    Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.

    Has anyone else gotten this!? Have any of you got a clue how to fix?

Should just be mount -o remount,rw /system


No extra slash

Sent from my Z970 using XDA Free mobile app

---------- Post added at 04:40 PM ---------- Previous post was at 04:36 PM ----------

I would like the recovery image restore commands added.. If people feel the need to recover and try again they should run these

cd /dev/block/platform/msm_sdcc.1/by-name

su


dd if=/sdcard/recovery.img of=recovery

reboot recovery

*edited to remove a potentially harmful command per jcase's advice*

Sent from my Z970 using XDA Free mobile app
 
Last edited:

xIP-

xtremeasure said:

    Should just be mount -o remount,rw /system

    No extra slash

    Sent from my Z970 using XDA Free mobile app

    ---------- Post added at 04:40 PM ---------- Previous post was at 04:36 PM ----------

    I would like the recovery image restore commands added.. If people feel the need to recover and try again they should run these

    cd /dev/block/platform/msm_sdcc.1/by-name

    su

    dd if=boot of=boot

    dd if=/sdcard/recovery.img of=recovery

    reboot recovery

    Sent from my Z970 using XDA Free mobile app

even with just one slash I still have a problem

Sent from my Z970 using XDA Free mobile app
 

fire3element

Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.

@xIP-
Are you talking about pushing "su" , "daemonsu" , and "install-recovery.sh" files to /system ?
Keeps saying permission denied?
If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
You will most likely need to factory reset and try again.

---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------

UPDATE UPDATE!!!

Do not run the dd if=boot of=boot command
Could brick your device. As per Jcase warning. Wait for more info
 

xtremeasure

fire3element said:

    Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
    I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
    Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.

    @xIP-
    Are you talking about pushing "su" , "daemonsu" , and "install-recovery.sh" files to /system ?
    Keeps saying permission denied?
    If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
    You will most likely need to factory reset and try again.

    ---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------

    UPDATE UPDATE!!!

    Do not run the dd if=boot of=boot command
    Could brick your device. As per Jcase warning. Wait for more info

Remember to remove kinguser after you run the dd commands but before you reboot recovery...

Sent from my Z970 using XDA Free mobile app
 

xtremeasure

Just so this is clear... full Root uninstall through the KingUser app, or just uninstall it through android app settings menu.

^ In case someone else has the same question ^

I would do a full root uninstall....

The backdoor keeps root for adb so installing the new su shouldn't be an issue

Sent from my Z970 using XDA Free mobile app
 

DroidisLINUX

I just read the boot flash advice, I am not going to do it because I know that's a stupid idea, but if it does in fact let us flash boot.IMG, omg overclocking, custom kernels, full read write, awesome recovery, dual boot custom Roms with custom kernels here we come.
Unlocked boot.IMG

Can you Ya hoooouoo

And subscribed.

Sent from my Z970
[email protected]:/ # id
uid=0(root) gid=0(root) context=u:r:init:s0
 

xIP-

fire3element said:

    Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
    I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
    Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.

    @xIP-
    Are you talking about pushing "su" , "daemonsu" , and "install-recovery.sh" files to /system ?
    Keeps saying permission denied?
    If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
    You will most likely need to factory reset and try again.

    ---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------

    UPDATE UPDATE!!!

    Do not run the dd if=boot of=boot command
    Could brick your device. As per Jcase warning. Wait for more info

Is there any way to do it without a factory reset? Could I just remove kinguser? Or must it be a factory reset? And will I have to reroot with factory reset?

Sent from my Z970 using XDA Free mobile app
 

mingolianbeef

Sorry guys, kinda been running around all day, have a lot of catching up to do I see. I'll fix the thread with updated information that people have so generously contributed!
 

mingolianbeef

DroidisLINUX said:

    I just read the boot flash advice, I am not going to do it because I know that's a stupid idea, but if it does in fact let us flash boot.IMG, omg overclocking, custom kernels, full read write, awesome recovery, dual boot custom Roms with custom kernels here we come.
    Unlocked boot.IMG

    Can you Ya hoooouoo

    And subscribed.

    Sent from my Z970
    [email protected]:/ # id
    uid=0(root) gid=0(root) context=u:r:init:s0

I know right!!! First hurdle... done... second hurdle, bootloader with no fastboot lmao...
 

noodle2113

a bit unclear on this

Are we actually rebooting into recovery or it's supposed to go straight back into the phone?
I was never able to get into recovery

10) type "reboot recovery" and restart your phone. YOU MUST RESTART WITH THIS COMMAND!!!!! It will boot straight into Android, this is good, that means you haven't screwed up anything.


"cat /data/local/tmp/su > /system/xbin/su"
"cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh"
getting permission denied when running this.

"chmod 755 /system/xbin/su"
"chmod 755 /system/etc/install-recovery.sh"
As well as operation denied or something along those lines. Any help would be nice. Also, running id on adb, it's showing:

uid=0(root) gid=0(root) context=u:r:init:s0

rather than
uid=0(root) gid=0(root) context=u:r:shell:s0
 

mingolianbeef

xIP- said:

    I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.

    Basically, everything is fine up until reboot recovery.
    It goes into android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
    Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.

    Has anyone else gotten this!? Have any of you got a clue how to fix?

You have to exit adb shell to push files to /data/local/tmp, which does not require root. That was a major exploit in earlier android versions, as people would push scripts to /data/local/tmp without root, run the exploit in the directory, and it would root. That was patched of course, but that directory can be accessed without root. Once you use "reboot recovery" to reboot, then just plug your phone back up and type "adb shell" to which the phone should respond with a "#" instead of a "$". If you have the $, you are not root and need to go back. If you do, just be patient with it and make sure you are not just copying and pasting (I know this can be the root of the issue at times with command, just type it out). It should work, the second half is the easy part lol.
 

Top Liked Posts

    9
    Alternate Root Methods and ZTE Custom ROMs/Kernels/etc

    If the above first part doesn't work for you, you can find alternative root methods

    Alternate Method 1 HERE

    Alternate Method 2 HERE

    As I see more added, I'll add them here.

    CUSTOM STUFF

    TWRP Image for ZTE ZMAX
    6
    That's a whole lot to swallow but I'm glad to see y'all can finally get rooted. Definitely not a method for noobs or the faint of heart but its a HUUUGE step in the right direction. Thanks to everyone responsible for this.
    5
    Q&A/Other [UPDATED MAY 13, 2015 @ 5:45PM]

    If A question is asked and you feel like it needs to be here, please tag or DM me with the Q AND THE A so that I can do so.


    OTHER:

    Original Discussion Thread for the ZTE ZMAX

    Please see fire3element's post on what each screen in the KingRoot app means

    WHAT THE SCREENS MEAN IN THE APP
    3
    I am stuck on step 15. I put all folders from the zip file onto the desktop and in the cmd I put this: adb push ~/Desktop/su /data/local/tmp/su but it says there is no such directory?

    Use this method instead. This root guide says for the z987 but it is the same exact method as the z970.
    http://androidforums.com/index.php?posts/7037139