ZTE Open Root and install clockwork recovery

cimourdain

Senior Member
Aug 17, 2011
58
19
0
Paris
Hi all,

I'm the lucky owner of a ZTE Open and I'd like to share with you the process I used to root it and install a recovery.


Disclaimer: This process is very risky, you may brick your phone permanently, so neither xda nor I can be held responsible for the resulting consequences.

Note: I did not dev or contribute to any program/process listed there, all credit goes to the listed sources.


I successfully followed this process with Debian 7 (32-bit) and a UK version of the ZTE Open.

1 - Get Root Access
Pre-requisite:
1/Install adb
Code:
sudo apt-get install android-tools-adb android-tools-fastboot
2/Update your udev rules for adb to recognize your phone:
Code:
#create a file with your udev rules (udev only reads files whose name ends in .rules)
sudo nano /etc/udev/rules.d/60-fxos.rules
Copy the following in your newly created file:
SUBSYSTEM=="usb", ATTR{idVendor}=="19d2", ATTR{idProduct}=="1350", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", ATTR{idProduct}=="d00d", MODE="0666", GROUP="plugdev"
Then:
Code:
#update permissions of the 60-fxos.rules file
sudo chmod 644 /etc/udev/rules.d/60-fxos.rules
#Restart udev
sudo service udev restart
On this step my advice is to restart your computer to properly restart adb and to remap udev.

Root exploit:
1/Enable "Remote debugging" on your phone
On your device, in Settings -> Device information -> More Information -> Developer.

Disable

2/Check that your device is recognised
Code:
# adb devices
List of devices attached 
roamer2	device
Roamer2 is the name of the ZTE Open

3/Root
Download file root-zte-open.zip (see download section below)
Unzip its content and put it in your working folder (~/fos/root/ in this example)

Code:
#go to your working folder
cd ~/fos/root/
#update permissions of the root-zte-open file (you probably need admin rights to do this)
chmod 755 root-zte-open
#launch exploit AS ROOT USER
./run.sh
The output should be the following:
Code:
# ./run.sh
Connect your phone to USB, then:
Settings -> Device information -> More Information -> Developer
and enable 'Remote debugging'

1142 KB/s (19208 bytes in 0.016s)

== root for Movistar zte open (roamer2) by @pof
== CVE-2012-4220 - discovered by giantpune
== original exploit by Hiroyuki Ikezoe
== if the phone hangs, remove the battery and try again!
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B01) is not supported.
Attempting to detect from /proc/kallsyms...
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B01) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B01) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
failed to get root access
Exploit failed, rebooting and trying again!

[...few more fail attempts, 3 in my case]

== root for Movistar zte open (roamer2) by @pof
== CVE-2012-4220 - discovered by giantpune
== original exploit by Hiroyuki Ikezoe
== if the phone hangs, remove the battery and try again!
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B01) is not supported.
Attempting to detect from /proc/kallsyms...
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B01) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B01) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
Got root! - copying su binary!
Enjoy!
You are now rooted.

Note: my first few attempts failed, I tried a few times (restarting the whole process) to achieve it successfully.

2 - Install Recovery
1 - Download recovery
In the download section you will find the download link to clockwork recovery 6.0.3.3.

Put the recovery .zip in your working folder.
Navigate into the working folder.

2 - Backup your current stock recovery
If not already done turn on debugging on phone and turn off USB mass storage on phone.
Plug phone in to computer.

Code:
#Launch adb shell
adb shell
#get root access
su
#Backup the stock recovery
busybox dd if=/dev/mtd/mtd0 of=/mnt/sdcard/stock-recovery.img bs=4k
exit
2 - Backup your current stock recovery
Code:
#Push the CW Recovery to your phone
adb push recovery-clockwork-6.0.3.3-roamer2.img /mnt/sdcard/cwm.img
adb shell
#get root access
su
#flash the CW Recovery to the recovery partition
flash_image recovery /mnt/sdcard/cwm.img
In my case the output of the last command was:
# flash_image recovery /mnt/sdcard/cwm.img
mtd: successfully wrote block at 0
mtd: successfully wrote block at 20000
mtd: successfully wrote block at 40000
mtd: successfully wrote block at 60000
mtd: successfully wrote block at 80000
mtd: successfully wrote block at a0000
mtd: successfully wrote block at c0000
mtd: successfully wrote block at e0000
mtd: successfully wrote block at 100000
mtd: successfully wrote block at 120000
mtd: successfully wrote block at 140000
mtd: successfully wrote block at 160000
mtd: successfully wrote block at 180000
mtd: successfully wrote block at 1a0000
mtd: successfully wrote block at 1c0000
mtd: successfully wrote block at 1e0000
mtd: successfully wrote block at 200000
mtd: successfully wrote block at 220000
mtd: successfully wrote block at 240000
mtd: successfully wrote block at 260000
mtd: successfully wrote block at 280000
mtd: successfully wrote block at 2a0000
mtd: successfully wrote block at 2c0000
mtd: successfully wrote block at 2e0000
mtd: successfully wrote block at 300000
mtd: successfully wrote block at 320000
mtd: successfully wrote block at 340000
mtd: successfully wrote block at 360000
mtd: successfully wrote block at 380000
mtd: successfully wrote block at 3a0000
mtd: successfully wrote block at 3c0000
mtd: successfully wrote block at 3e0000
mtd: successfully wrote block at 400000
mtd: successfully wrote block at 420000
mtd: successfully wrote block at 440000
mtd: successfully wrote block at 460000
mtd: successfully wrote block at 480000
mtd: successfully wrote block at 4a0000
mtd: successfully wrote block at 4c0000
mtd: successfully wrote block at 4e0000
mtd: successfully wrote block at 500000
mtd: successfully wrote block at 520000
mtd: successfully wrote block at 540000
mtd: successfully wrote block at 560000
mtd: successfully wrote block at 580000
mtd: successfully wrote block at 0
3 - Restart your phone in recovery mode
Power off your phone.
Hold both volume down up and the power button.

What now?
Now in the recovery you can install custom roms.

For example, you can flash the movistar rom (see download section).

Flash zip in recovery as you would do for any android rom.

Troubleshooting
"status 7" error installing or updating
This happened to me after installing the Spanish rom on my Ebay ZTE (UK). It seems to me that it changed the name of the device from roamer2 to full_inari and caused the updater-script to crash.

Solution found in this topic: http://forum.xda-developers.com/showthread.php?t=2302599
Opened the update.zip file, in the folder META-INF > com > google > android, edit updater-script and remove the following lines:
Code:
assert(getprop("ro.product.device") == "roamer2" ||
getprop("ro.build.product") == "roamer2");
assert(getprop_new("ro.build.display.id") == "OPEN_EU_DEV_FFOS");
Save modified zip and try to install again with CWM.

Downloads:
root-zte-open.zip
recovery-clockwork-6.0.3.3-roamer2.img
Movistar - OPEN_FFOS_V1.0.0B04_TME
EU_DEV_FFOS_V1.0.0B02_USER_SD2.zip (official rom from ZTE for the UK version)

Many many thanks to my sources:
 

Last edited:
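
A pre-flight check for the "status 7" case described in this post, as an added example that is not part of the original post or of any tool it links: it reads the device-identity assert from an updater-script and compares it with the phone's properties, so a roamer2 versus full_inari mismatch is visible before flashing. The function names and the temporary sample file are assumptions made for the illustration; the sample reproduces the three assert lines quoted above.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: predict a "status 7" abort by evaluating
# the device-identity assert of an updater-script before flashing the zip.

# Constructed sample: the three assert lines quoted in the post above.
SAMPLE_SCRIPT=$(mktemp)
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
cat > "$SAMPLE_SCRIPT" <<'EOF'
assert(getprop("ro.product.device") == "roamer2" ||
getprop("ro.build.product") == "roamer2");
assert(getprop_new("ro.build.display.id") == "OPEN_EU_DEV_FFOS");
EOF

# Print the values the script accepts for one property, one per line.
# Only plain getprop() comparisons are read; getprop_new() is not evaluated.
accepted_values() {            # $1 = updater-script, $2 = property name
    local prop_re
    prop_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -oE "getprop\\(\"${prop_re}\"\\) *== *\"[^\"]*\"" "$1" \
        | sed -E 's/.*== *"([^"]*)"$/\1/' | sort -u
}

# 0 = assert passes, 1 = assert fails (installer aborts), 2 = no such assert.
# Assumption: the comparisons are OR-ed inside one assert, as in the sample.
identity_assert_passes() {     # $1 = updater-script, $2 = device, $3 = product
    local dev_ok prod_ok
    dev_ok=$(accepted_values "$1" ro.product.device)
    prod_ok=$(accepted_values "$1" ro.build.product)
    if [ -z "$dev_ok$prod_ok" ]; then return 2; fi
    if [ -n "$2" ] && printf '%s\n' "$dev_ok" | grep -qxF -- "$2"; then return 0; fi
    if [ -n "$3" ] && printf '%s\n' "$prod_ok" | grep -qxF -- "$3"; then return 0; fi
    return 1
}

# Human-readable verdict for the same arguments.
explain() {
    local rc=0
    identity_assert_passes "$@" || rc=$?
    case $rc in
        0) echo "identity assert passes for device '$2'" ;;
        1) echo "identity assert fails for device '$2': expect status 7" ;;
        *) echo "no device-identity assert found" ;;
    esac
}

# On a connected phone the two values would come from:
#   adb shell getprop ro.product.device | tr -d '\r'
#   adb shell getprop ro.build.product  | tr -d '\r'
explain "$SAMPLE_SCRIPT" roamer2 roamer2
explain "$SAMPLE_SCRIPT" full_inari full_inari
```

A later reply in this thread reports that a zip edited to remove these asserts no longer passes the stock recovery's signature check, so the check is most useful for deciding which package matches the device.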

gabyslim

New member
Apr 8, 2011
4
0
1
need a bit of help

I'm kinda new here and I've updated my ZTE Open to Firefox OS 1.1. I was wondering if there is a way to root it now that I have the new version of Firefox OS? I searched on Google and didn't find anything.
 
Last edited:

ovasilis74

Member
Oct 29, 2013
10
0
0
Hi, if you did the above, you already rooted your phone. Or was it a normal update, not for the UK version I suppose. For now I did the SD-update to OPEN_EU_DEV_FFOS_V1.0.0B02, from ZTE Support (cannot link...yet).
I hope to reach your level with all my hair in place! Then what, dual-boot with 512mbROM?
 

gabyslim

New member
Apr 8, 2011
4
0
1
I have the update coming from Firefox I guess. I bought my ZTE Open in Spain from Movistar with prepay SIM.
 

ovasilis74

Member
Oct 29, 2013
10
0
0
Give it Custom Roms???For the ZTE Open....
Gabyslim, the working environment of this guide by cimourdain is Debian7 (Linux operating system). Ubuntu Linux listens to the same commands in the CLI ("command line interface" I think), I use Xubuntu12.04LTS (12.04 seems to be the most suitable for android playing) for the same modification on my ZTEopenEU(UKeBay). So if your PC runs only Windows, you have to use almost the same android-tools to take root control of your device, (like ADB=Android Debug Bridge), but follow another guide for Windows, also in CLI I suppose, not sure...
Now, if you are sure you have 1.1 rather than 1.0.1.0...etc in a ZTEopen, it's very useful information for me, azureus77, cimourdain and many others probably! I tried to find Movistar support, to see if they uploaded any Fos1.1 in .zip format for manual update, but didn't have any success until now and my Espanol understanding is very poor to search further... I could install it on my ZTEopenUK even if I am using english language on my phone (no Greek option in 1.0.1.0), because I think that 1.1 gives many lang-options.
So, Gabyslim, if you'd like to help a little, please check the lang-options on your phone and the exact version if you like, mine is this:
(I can't post links yet, fill the rest...)
.4shared.com/photo/KzDRva8i/2013-11-03-08-12-58.html
.4shared.com/photo/LzTHsKji/2013-11-03-08-13-52.html
If you could find out if Movistar has uploaded any .zip update and post a link, it would be a nice gift!
BTW, very good price. I paid double € from the UKeBay(ZTE..."official")...

---------- Post added at 10:01 AM ---------- Previous post was at 09:08 AM ----------

Did not find that much for the moment :-') I'm investigating the way to install 1.1

Sent from my GT-I9100 with Tapatalk
Thanks again cimourdain
I couldn't use this link
dl.free.fr/f4t178wBA (Movistar - OPEN_FFOS_V1.0.0B04_TME)
is there any other way to have this file?
Also, do you know if this solves the "downloading update error"?
 
Last edited:

gabyslim

New member
Apr 8, 2011
4
0
1
The version I have installed now is OPEN_FFOS_V1.1.0B01_TME and I was updated from ffos 1.0 to this version on 26/09/2013.
 
Last edited:

ovasilis74

Member
Oct 29, 2013
10
0
0
Very good, you really have the 1.1! Do you have the .zip file of OPEN_FFOS_V1.1.0B01_TME? Could you attach it here or upload it somewhere easy for us to download? With the link cimourdain gave about "status 7" error installing or updating, I wouldn't think much flashing my ZTE too!
 

ovasilis74

Member
Oct 29, 2013
10
0
0
Well, I successfully flashed fos1.1, worked OK, but then I found a "reason" to brick the poor device...
I believe I'm not off-topic because I think the Movistar1.1 flashed the ClockworkRecovery also, so I ended with a StockRecoveryMode, that was also inaccessible from adb with my Xubuntu12.04.
I tried to root the ZTEOpen and install ClockworkRecovery again, but both failed... endless reboots after ./run.sh
From the StockRecoveryMode I tried to "apply update from external stor(age)" with:
EU_DEV_FFOS_V1.0.0B02_USER_SD.zip
images-keon-v1.2-2013-11-04.Gecko-9082581.Gaia-f18e209.zip
B2G_P752D04V1.1.0B04_TME(SD).zip
all gave verification errors, also with and without the fix for "status 7 error".
Then I flashed:
Update package of Android GB for OPEN device
from: firefox.ztems.com (search site, cannot link).
The installation was completed, but after that I did something I didn't expect to end like this: I selected "reboot" but in the next screen (asking reboot or not) I selected NOT to reboot, so I reviewed the previous menu again, BUT the device rebooted anyway! I don't really know if this caused the final problem.
That's the end of the story for now, the "semi-brick-zte" boots either in "Android system recovery <3a>" (volume-up + power-button) or if I select "reboot system now" endless reboots with the fox looking something to the right of the screen...

I'll try to find how "flashboot" works, for now it does not see the device (recovery only).
Any suggestions/guides?
 

tonila

New member
Nov 20, 2013
1
0
0
Stock recovery

I did not back up the stock recovery and I am not able to upgrade to OPEN_EU_DEV_FFOS_V1.0.0B02 using the clockwork recovery that I installed.

Could anyone share a copy of the original stock recovery image?
 
Last edited:
Jan 10, 2011
12
2
0
Tallinn
alex-koliada.com
Hello.
I try to achieve root with OPEN_US_DEV_FFOS_V1.0.0B02 installed.
But the process always stops on "This works only once a boot."
And then phone just reboots and script fails, like this one:
Code:
== root for Movistar zte open (roamer2) by @pof
== CVE-2012-4220 - discovered by giantpune
== original exploit by Hiroyuki Ikezoe
== if the phone hangs, remove the battery and try again!
roamer2 (OPEN_US_DEV_FFOS_V1.0.0B02) is not supported.
Attempting to detect from /proc/kallsyms...
roamer2 (OPEN_US_DEV_FFOS_V1.0.0B02) is not supported.[diag]
Attempting to inject code...
This works only once a boot.

D:\Software\Google Nexus 4 ToolKit>
I would appreciate any suggestions.
Thanks!

PS: Am I right that the official v1.1 is available now? Anyway, I need to get CWM to have more freedom for experiments.
PPS: After all, official Spain 1.1 from ZTE returns me the "Error in /tmp/sideload/package.zip". And if I modify zip to fix Error 7, it doesn't pass signature check and we return to the rooting problem :(

Please, help me to defeat this damn phone.
 
Last edited:

aversario

Member
Nov 25, 2013
19
3
0
Hi ovasilis74,

there you go, the same text again, but with links:

I've tried something similar to what you have.
I did root the FFOS V1.0.0, and flashed ClockWorkMod recovery, but then I've tried some Columbia official Zte Open firmware and it flashed recovery. Then I updated the zip file from the same link as you did (firefox.ztems.com). Then I've downloaded another firmware from here -> triplew.ztedevices.com/support/smart_phone/cba40ed6-d3ab-44c0-bdee-3a15803dc187.html?type=software and signed it with this command -> java -Xmx1024m -jar signapk.jar -w testkey.x509.pem testkey.pk8 test.zip test-signed.zip (thanks to that page -> wiki.rootzwiki.com/Signing ) (I've downloaded signapk software somewhere from internet, I can't remember)
Then I've uploaded that signed zip file to sdcard, and ran install from zip file in this android system recovery.
I hope it helps.
 
Last edited:

ovasilis74

Member
Oct 29, 2013
10
0
0
I think you are using Windows and executing "run.bat", because in Linux the "run.sh" is automatically executed and after some times rooting succeeds. My first attempt was this:
Code:
~/root-zte-open$ sudo ./run.sh
Connect your phone to USB, then:
Settings -> Device information -> More Information -> Developer
and enable 'Remote debugging'

444 KB/s (19208 bytes in 0.042s)

== root for Movistar zte open (roamer2) by @pof
== CVE-2012-4220 - discovered by giantpune
== original exploit by Hiroyuki Ikezoe
== if the phone hangs, remove the battery and try again!
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B02) is not supported.
Attempting to detect from /proc/kallsyms...
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B02) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B02) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
failed to get root access
Exploit failed, rebooting and trying again!

445 KB/s (19208 bytes in 0.042s)

== root for Movistar zte open (roamer2) by @pof
== CVE-2012-4220 - discovered by giantpune
== original exploit by Hiroyuki Ikezoe
== if the phone hangs, remove the battery and try again!
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B02) is not supported.
Attempting to detect from /proc/kallsyms...
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B02) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
roamer2 (OPEN_EU_DEV_FFOS_V1.0.0B02) is not supported.[diag]
Attempting to inject code...
This works only once a boot.
Got root! - copying su binary!
Enjoy!
~/root-zte-open$
I got root the second time, but I think they could be more...
If you use Windows repeat the "run.bat" command or whatever you do in Windows (I haven't tried) and normally rooting should happen, ...then be careful, I wasn't...
Note, that after flashing the 1.1 the CWM will be replaced by the stock-recovery. I've read somewhere that if you delete the recovery.img from the .zip (e.g. 1.1.zip) you can avoid that.
Good luck!
 
Jan 10, 2011
12
2
0
Tallinn
alex-koliada.com
I have tried different variations of this script many, many times. And it writes nothing, not "failed", just nothing. And then phone reboots.
But OK, I will try to repeat all operations in Linux, although I don't see the principal difference, seems like the problem lies in damn phone :)
I will post the results. Thanks. And thank you for precautions about recovery.
 
Last edited: