
[ROOT] How to Root the ZTE ZMAX [KK][ALL VARIANTS]

Yep, you read that right and I'm not trolling. THE ZMAX IS ROOTED!!

Disclaimer and N00Bproof warning:

We have root, yes, but that doesn't mean get hasty. At the moment, there are partition images (system, boot and recovery) in my and other users' possession (free of access to all), but we don't have a working recovery at the moment and this process involves deleting the stock recovery (it will make sense later). So, if you screw up and get root-happy, there's no way to recover until we get a recovery and a custom rom, and even then you might be screwed because we don't have access to the bootloader to use fastboot. Things may change, but root-use with caution.

Also, once you root, DO NOT TAKE OTAs from T-Mo and ZTE!!!!!!! Now that we have root, we can capture the OTA and make it root-friendly. To make a long story short, the updater-script (thing that tells your recovery where and how to flash stuff) has a list of stuff it has to... well... flash. If you, for example, delete the stock ZTE Music app, and the OTA replaces the app with a new version, it's going to stop (because the script requires a REPLACEMENT and not a PLACEMENT, computers don't have the best common sense), then it will interrupt and you will likely be bricked. This shouldn't be a problem because you don't have a recovery to begin with, but I'm not taking chances here.

NOW! Let's Root. This is a long process, so don't expect to do anything for a good 10-20 minutes.

FIRST: KINGROOT


This is one of those things where your mileage may vary. There have been many different ways to get KingRoot (not King"O"Root, two different apps) to work, but this one was the one that worked for me. I'll also place alternate KingRoot methods in the second post if you wanna try those. Just for the sake of knowledge, this was run on a T-Mobile ZTE ZMAX, Android 4.4.2, build 22. I don't know if it makes a difference that I factory reset my phone before doing another round of root attempts (not this one specifically, maybe a couple hours worth of attempts).

Credits to @fire3element for this method.

Quote:

1) Download KingRoot APK from here (the first one with the image of the phone if you are on the desktop site).

2) Install KingRoot and run it. It will restart the phone, and it will fail (or, if you have some Android God luck, it may succeed), this is supposed to happen.

3) Clear KingRoot's cache and data (in that order) and power off the phone (not reboot). Then, power it back on again.

4) Now this is where things get... well complicated for this part. You are going to need to load your RAM with a bunch of processor heavy stuff. The person that made this method used CounterSpy and Final Fantasy Type-0 in the PPSSPP v1.0.1-411 emulator, but for those of you that don't have access to that, get creative and load up. Here is what I had running (all at the same time, mind you).

Note: Force Stop Task Manager in the app settings first or it will purge to free memory automatically and this won't work.

1. Next Launcher Lite
2. Apex Launcher
3. Nova Launcher
4. Cheetah Launcher
5. CM Launcher
6. Mi Launcher
7. 25 tabs on Google Chrome (No joke)
8. Both Temple Runs
9. Fruit Ninja
10. Google Play Store
11. Google Now
12. Google Play
13. Amazon
14. Google Play Music

Mine was definitely a bit extreme but I knew all of this stuff would guarantee a good memory hogging.

5) Run all of your apps at the same time. The TL;DR for this is that apparently it's some exploit that the app uses as a buffer overflow. Now, go to settings and Force Stop KingRoot. Then run it again. If it works, you should go from 0 to 100 real quick (no pun intended). It shouldn't progress slowly or reboot the phone to do this, but your journey does not stop here.

If you did it correctly, the screen from a successful root will have a green checkmark. Run RootChecker to verify root status.

SECOND: PERMA-ROOT


Now you need to permanently root the phone. This method was all @jcase, and simplified by another user. I encourage you to read JCase's original G+ post to learn something, as this guy is the master of exploits, and we are on XDA to learn.

Credits to @xtremeasure for the simplification of JCase's process.

Quote:

1) Plug phone into computer...

2) Open cmd type "adb shell" (without quotes, moving forward, type all commands without quotes). This will open a terminal for the phone.

3) While in ADB Shell, type "su" to gain root shell privileges


4) Type "getprop ro.build.fingerprint"

Output for that command should be...
zte/P892T57/draconis:4.4.2/KVT49L/20140804.141306.18686:user/release-keys (the part with P892T57 may be different depending on what model ZMAX you have). If you haven't updated, that number will be different; this is ok, just replace the number in the next command with whatever your output is.

5) type "setprop persist.sys.k P892T57"

6) type "getprop persist.sys.k" and your output should be your build number

7) type "cd /dev/block/platform/msm_sdcc.1/by-name/" to change directories so that we can back up your recovery image (remember I said something about that?) and set the boot to our recovery partition.

8) type "dd if=recovery of=/sdcard/recovery.img" to backup the recovery image.

9) type "dd if=boot of=recovery" to set recovery as boot. Another TL;DR is that this disables the write protection set by the stock recovery, allowing you to write to the system. It will mount the /system partition upon boot.

DELETE KINGUSER NOW

10) type "reboot recovery" and restart your phone. YOU MUST RESTART WITH THIS COMMAND!!!!! It will boot straight into Android, this is good, that means you haven't screwed up anything.

11) Reopen the adb shell (using "adb shell") in your command prompt or terminal (for OSX and Linux) and type "id". If your output is "uid=0(root) gid=0(root) context=u:r:shell:s0" then it worked...

12) Remount system as writable "mount -o rw,remount /system"

13) Manual install for supersu you can get that here: http://download.chainfire.eu/supersu

14) Type "exit" into the terminal/command and it should drop you back to your normal cmd... unzip the su zip anywhere you want, and in your cmd switch to that directory...

14B) I advise taking the "su" binary and "install-recovery.sh" file from the superSU folder you downloaded and putting them in the same place (on the desktop or wherever your adb.exe is if you didn't set $PATH on your computer). su can be found in the "arm" folder and install-recovery.sh can be found in the "common" folder. It is important to note that wherever your files are, you will have to type that path (if it isn't in the same directory as your adb). So, as an example, I put mine on the desktop, so I have to type "adb push ~/Desktop/su /data/local/tmp/su". If you do not know how to do that, then stop what you are doing and research it, as that's just too much to explain.

15) "adb push su /data/local/tmp/su"

16) "adb push install-recovery.sh /data/local/tmp"

17) Reenter adb shell with "adb shell"

18) Make sure system is mounted writable with "mount -o remount,rw /system"

19) Move the so files into place with these commands

"cat /data/local/tmp/su > /system/xbin/su"

"cat /data/local/tmp/su > /system/xbin/daemonsu"

"cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh"

20) Give them all permissions

"chmod 755 /system/xbin/su"

"chmod 755 /system/xbin/daemonsu"

"chmod 755 /system/etc/install-recovery.sh"

21) Reboot your phone to complete install with "reboot"

22) After rebooting, go into the play store and install the supersu app. It's going to tell you the su binary is out of date; to fix that we need to open the adb shell on our pc again with "adb shell"

23) Reboot into recovery (you're really rebooting the system with r/w privileges) using "reboot recovery"

24) Once rebooted, open the app and update your binaries. Once finished, reboot and you're done, 100% perm rooted

Now, you are rooted! If you did everything right, you should be good. Now people are going to ask, "Is there a script for this?" The short answer is No, don't hold your breath for something immediate. There was a user that said he would be happy to make one for the second half, but the writing, testing and verification of success alone on that will take some time, as the wrong line of code can make you end up with a good old fashioned paperweight. I can verify Xposed works fine, Viper4Android works fine, and if you try to delete system apps, they will just reinstall themselves (I recommend using "System App Remover (ROOT)" on the play store, as it will actually tell you which apps are and aren't safe to install). If you have any questions, after searching of course, feel free to ask. If I can't answer, some freaking body can lol.

CREDITS:
@tech_yeet for showing us the KingRoot
@jcase for his amazing work
@xtremeasure for his method
@fire3element for his method
@the zMAX Community for staying dedicated when the going got tough, it's been a long road. Here's to custom roms and a TWRP recovery!

Please share this with others, as there is a big community of people begging for this info, let's share the love. If I forgot to credit you, let me know and I'll fix that!

ADDITIONAL INFORMATION
If you by some chance flash the TWRP Recovery Image (found in post 2), and would like to revert back to root ability (being able to write to system), please follow the steps below:

1. cd /dev/block/platform/msm_sdcc.1/by-name
2. su
3. dd if=/sdcard/recovery.img of=recovery
4. reboot recovery

Please make sure you have the recovery in your sdcard root folder.
The Following 26 Users Say Thank You to mingolianbeef For This Useful Post
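For fleet or forensic checks, the artifacts the perma-root steps in the post above leave behind can be audited offline. This is an added example, not part of the original post: `audit_zmax_root` and `make_sample` are hypothetical helpers that work on copies pulled from a device, and treating `persist.sys.k` and a `daemonsu` reference in install-recovery.sh as indicators is an assumption drawn from the steps above.

```shell
#!/bin/sh
# Added example (not from the thread): offline audit for the artifacts the
# perma-root steps leave behind. Arguments are copies pulled from a device:
#   $1 directory holding a copy of /system (as $1/system/...)
#   $2 saved `getprop` output ("[key]: [value]" lines)
#   $3 $4 (optional) dumps of the boot and recovery partitions
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_zmax_root() {
    root=$1 props=$2 boot=${3:-} recovery=${4:-}
    found=0
    report() { echo "$1"; found=1; }
    xbin=$root/system/xbin

    # Steps 19-20 install su and daemonsu into /system/xbin.
    for f in su daemonsu; do
        if [ -f "$xbin/$f" ]; then report "FILE /system/xbin/$f present"; fi
    done
    # The guide copies one binary to both names, so identical files point
    # at this manual install rather than some other su package.
    if [ -f "$xbin/su" ] && [ -f "$xbin/daemonsu" ] &&
       cmp -s "$xbin/su" "$xbin/daemonsu"; then
        report "FILE su and daemonsu are byte-identical"
    fi
    # install-recovery.sh may exist on stock builds; flag it only when it
    # references daemonsu (assumption: SuperSU's copy launches the daemon).
    script=$root/system/etc/install-recovery.sh
    if [ -f "$script" ] && grep -q daemonsu "$script"; then
        report "FILE install-recovery.sh references daemonsu"
    fi
    # Step 5 sets persist.sys.k; whether stock builds ever set it is unknown,
    # so weigh it together with the other findings.
    val=$(sed -n 's/^\[persist\.sys\.k]: \[\(.*\)]$/\1/p' "$props")
    if [ -n "$val" ]; then report "PROP persist.sys.k=$val"; fi
    # Step 9 writes boot over recovery: compare the first size-of-boot bytes,
    # since the recovery partition may be larger than boot.
    if [ -n "$boot" ] && [ -n "$recovery" ]; then
        size=$(wc -c < "$boot" | tr -d ' ')
        if [ "$size" -gt 0 ] && head -c "$size" "$recovery" | cmp -s - "$boot"; then
            report "PARTITION recovery begins with a copy of boot"
        fi
    fi
    return "$found"
}

# Constructed sample standing in for artifacts pulled from a rooted device.
make_sample() {
    mkdir -p "$1/system/xbin" "$1/system/etc"
    printf 'constructed-su-binary' > "$1/system/xbin/su"
    cp "$1/system/xbin/su" "$1/system/xbin/daemonsu"
    printf '#!/system/bin/sh\n/system/xbin/daemonsu --auto-daemon &\n' \
        > "$1/system/etc/install-recovery.sh"
    printf '[persist.sys.k]: [P892T57]\n[ro.build.type]: [user]\n' \
        > "$1/props.txt"
    printf 'constructed-boot-image' > "$1/boot.img"
    { cat "$1/boot.img"; printf 'stale-recovery-tail'; } > "$1/recovery.img"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_zmax_root "$sample" "$sample/props.txt" \
    "$sample/boot.img" "$sample/recovery.img" || echo "RESULT rooted layout"
rm -rf "$sample"
```

A device restored with the ADDITIONAL INFORMATION steps should no longer produce the PARTITION finding, while the file and property findings remain until /system is cleaned.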
13th May 2015, 07:47 AM |#2  
mingolianbeef
OP Senior Member
Alternate Root Methods and ZTE Custom ROMs/Kernels/etc
If the above first part doesn't work for you, you can find alternative root methods

Alternate Method 1 HERE

Alternate Method 2 HERE

As I see more added, I'll add them here.

CUSTOM STUFF


TWRP Image for ZTE ZMAX
The Following 9 Users Say Thank You to mingolianbeef For This Useful Post
13th May 2015, 07:47 AM |#3  
mingolianbeef
OP Senior Member
Q&A/Other [UPDATED MAY 13, 2015 @ 5:45PM]
If a question is asked and you feel like it needs to be here, please tag or DM me with the Q AND THE A so that I can do so.


OTHER:

Original Discussion Thread for the ZTE ZMAX

Please see fire3element's post on what each screen in the KingRoot app means

WHAT THE SCREENS MEAN IN THE APP
The Following 5 Users Say Thank You to mingolianbeef For This Useful Post
13th May 2015, 09:11 AM |#4  
Masterchief87
Senior Member
Fort Myers, Florida
That's a whole lot to swallow but I'm glad to see y'all can finally get rooted. Definitely not a method for noobs or the faint of heart but it's a HUUUGE step in the right direction. Thanks to everyone responsible for this.
The Following 6 Users Say Thank You to Masterchief87 For This Useful Post
13th May 2015, 03:10 PM |#6  
Member
Quote:
Originally Posted by mingolianbeef

Yep, you read that right and I'm not trolling. THE ZMAX IS ROOTED!!

I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.

Basically, everything is fine up until reboot recovery.
It goes into android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.

Has anyone else gotten this!? Have any of you got a clue how to fix?
The Following User Says Thank You to xIP- For This Useful Post
13th May 2015, 05:21 PM |#7  
fire3element
Senior Member
Here is some more info for those of you wondering what the KingRoot app is doing.
Screenshots will follow.
Text ABOVE the screenshot is for the image directly under it.
Let's begin -------------->

FIRST SCREEN WHEN YOU OPEN KINGROOT
[Screenshot]

SECOND SCREEN
- CLICK BUTTON TO BEGIN ROOT -
[Screenshot]

ROOTING IN PROGRESS...
[Screenshot]

ROOT FAILURE
[Blue Button]: SUBMIT (submits the error report to KingRoot devs)
[Screenshot]

ROOT FAILURE
[Screenshot]

ROOT FAILURE
[Screenshot]

NO DATA CONNECTION (WiFi or cellular signal required)
[Blue Button]: ANDROID SETTINGS MENU
[Screenshot]

SUCCESSFUL ROOT
[Screenshot]

IF YOU SEE THIS MESSAGE POP UP DURING ROOTING, JUST LEAVE IT ALONE. LET THE ROOT FINISH
[Screenshot]

SUCCESSFUL ROOT
[trash can]: [...]: [...]:
[Screenshot]

SUCCESSFUL ROOT
[Blue Button]: PURIFICATION (I believe this is similar to fixing permissions)
- CLICK IT AND LET IT RUN -
[Screenshot]

^ from clicking blue button above ^
PURIFICATION PROCESS
[Screenshot]
13th May 2015, 05:40 PM |#8  
xtremeasure
Senior Member
Philadelphia
Quote:
Originally Posted by xIP-

I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.

Basically, everything is fine up until reboot recovery.
It goes into android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.

Has anyone else gotten this!? Have any of you got a clue how to fix?

Should just be mount -o remount,rw /system


No extra slash

Sent from my Z970 using XDA Free mobile app

---------- Post added at 04:40 PM ---------- Previous post was at 04:36 PM ----------

I would like the recovery image restore commands added. If people feel the need to recover and try again they should run these

cd /dev/block/platform/msm_sdcc.1/by-name

su


dd if=/sdcard/recovery.img of=recovery

reboot recovery

*edited to remove a potentially harmful command per jcase's advice*

Sent from my Z970 using XDA Free mobile app
13th May 2015, 06:29 PM |#9  
Member
Quote:
Originally Posted by xtremeasure

Should just be mount -o remount,rw /system


No extra slash

Sent from my Z970 using XDA Free mobile app

---------- Post added at 04:40 PM ---------- Previous post was at 04:36 PM ----------

I would like the recovery image restore commands added. If people feel the need to recover and try again they should run these

cd /dev/block/platform/msm_sdcc.1/by-name

su


dd if=boot of=boot

dd if=/sdcard/recovery.img of=recovery

reboot recovery

Sent from my Z970 using XDA Free mobile app

Even with just one slash I still have a problem

Sent from my Z970 using XDA Free mobile app
13th May 2015, 06:57 PM |#10  
fire3element
Senior Member
Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.

@xIP-
Are you talking about pushing "su", "daemonsu", and "install-recovery.sh" files to /system?
Keeps saying permission denied?
If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
You will most likely need to factory reset and try again.

---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------

UPDATE UPDATE!!!

Do not run the dd if=boot of=boot command
Could brick your device. As per Jcase warning. Wait for more info
13th May 2015, 07:02 PM |#11  
xtremeasure
Senior Member
Philadelphia
Quote:
Originally Posted by fire3element

Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.

@xIP-
Are you talking about pushing "su", "daemonsu", and "install-recovery.sh" files to /system?
Keeps saying permission denied?
If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
You will most likely need to factory reset and try again.

---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------

UPDATE UPDATE!!!

Do not run the dd if=boot of=boot command
Could brick your device. As per Jcase warning. Wait for more info

Remember to remove kinguser after you run the dd commands but before you reboot recovery...

Sent from my Z970 using XDA Free mobile app