ZTE Blade S6 Lollipop Kernel(3.10.49) kernel source code


Guest KonstaT
ZTE has released a kernel source for this device. Happy hacking. :)
 
There's also an updated stock firmware available (ZTE_AS_Blade_S6V1.0.0B08 - Android 5.0.2).

  • 3 weeks later...
Guest KonstaT
Another updated stock firmware (ZTE_AS_Blade_S6V1.0.0B10 - Android 5.0.2).
 
BTW is there any truth in the rumors that this device has a locked bootloader? What happens if you try to fastboot boot e.g. boot.img extracted from the above stock firmware?
adb reboot bootloader
fastboot boot boot.img
If that works I could create a stock recovery with test keys that you could use to flash a SuperSU zip to gain root access. It should be a bit easier than building a custom recovery as I don't have this device. ;)

Guest KonstaT

> hello! root has not yet been hacked? probably would have bothered advertising

Sorry, I can't quite understand what you mean.
 
Flashing a SuperSU package in custom (or modified stock) recovery is the easiest way to 'root' any device - not silly root exploits (it might even be quite impossible to find one with recent Android versions and the strict SELinux policies Lollipop enforces). Recovery is a mini-OS of its own and it always has root access. Stock recovery sets a limit that you can only use it to install packages signed with very specific keys (proprietary, unknown) - this can be worked around. You would only need to have a device with unlocked bootloader accessible with fastboot for this method to work. That's what I was trying to find out...
 
AFAIK no one has achieved root access on this device yet.

Guest KonstaT

> Konstat. is there a check you can do to see if dm-verity is active?

dm-verity is not enabled on this device (or any device that I'm aware of). There's a verity_key file included in the kernel ramdisk but that doesn't yet mean it's actually used. dm-verity is enabled by setting a 'verify' fs_mgr flag for the /system partition in fstab. It could also be easily disabled if that was the case. Also the required kernel option (CONFIG_DM_VERITY) is not set on this device.
 
FYI Moto E 2015 doesn't have dm-verity enabled either (and it also already has TWRP+root).
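The two conditions named in the post above (a 'verify' fs_mgr flag on the /system entry in fstab, and CONFIG_DM_VERITY in the kernel config) can be checked mechanically. The script below is an added example, not part of the original thread; the function names and the sample fstab and config contents are constructed for illustration.

```bash
#!/bin/sh
# Added example. Sample file contents are constructed, not taken from a Blade S6.

# Succeeds if the /system entry carries the 'verify' fs_mgr flag.
# Android fstab columns: <src> <mount point> <type> <mount flags> <fs_mgr flags>
fstab_has_verify() {
    awk '$1 !~ /^#/ && $2 == "/system" {
             n = split($5, flags, ",")
             for (i = 1; i <= n; i++)
                 if (flags[i] == "verify" || flags[i] ~ /^verify=/) found = 1
         }
         END { exit !found }' "$1"
}

# Succeeds if the kernel config builds dm-verity in (y) or as a module (m).
# "# CONFIG_DM_VERITY is not set" and a missing line both count as absent.
kernel_has_verity() {
    grep -Eq '^CONFIG_DM_VERITY=[ym]$' "$1"
}

# Print one verdict for an fstab ($1) and kernel config ($2) pair.
verity_status() {
    f=no; k=no
    if fstab_has_verify "$1"; then f=yes; fi
    if kernel_has_verity "$2"; then k=yes; fi
    case "$f/$k" in
        yes/yes) echo "enabled" ;;
        yes/no)  echo "flag set but kernel lacks CONFIG_DM_VERITY" ;;
        no/yes)  echo "kernel support only, /system not flagged" ;;
        *)       echo "disabled" ;;
    esac
}

# Write constructed sample inputs into directory $1.
write_samples() {
    printf '%s\n' '# <src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>' \
        '/dev/block/by-name/system /system ext4 ro,barrier=1 wait' > "$1/fstab.plain"
    printf '%s\n' \
        '/dev/block/by-name/system /system ext4 ro,barrier=1 wait,verify' > "$1/fstab.verity"
    printf '%s\n' 'CONFIG_MD=y' '# CONFIG_DM_VERITY is not set' > "$1/config.off"
    printf '%s\n' 'CONFIG_MD=y' 'CONFIG_DM_VERITY=y' > "$1/config.on"
}

d=$(mktemp -d)
write_samples "$d"
verity_status "$d/fstab.plain"  "$d/config.off"
verity_status "$d/fstab.verity" "$d/config.on"
```

On a real device the inputs would be the fstab from the boot image ramdisk and the kernel config from the released kernel source.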

Guest KonstaT

> I already made the modified stock recovery. If someone is feeling a little adventurous and wants to test a possible rooting method, please contact me. :)

It's been tested. It would appear that ZTE has crippled the bootloader on this device for some reason. Bootloader doesn't accept any fastboot commands and it's impossible to boot/flash a recovery image.


Guest Enr1988

> I already made the modified stock recovery. If someone is feeling a little adventurous and wants to test a possible rooting method, please contact me. :)
>
> It's been tested. It would appear that ZTE has crippled the bootloader on this device for some reason. Bootloader doesn't accept any fastboot commands and it's impossible to boot/flash a recovery image.

Hi, there isn't any news about getting root on the Blade S6, right?

Guest KonstaT

> Hi, there isn't any news about getting root on the Blade S6, right?

You tell me. I don't even have a device to test with. Finding a root exploit that would work on Lollipop might be quite difficult. Using a recovery image to flash SuperSU would be the easiest way to gain root access.
 
Last time I had someone test some ideas, bootloader refused to accept any fastboot commands. Even simple 'fastboot reboot' didn't work to boot out of the bootloader. :o I've heard there's an option in the recovery menu to boot to bootloader (vs. using 'adb reboot bootloader'). Also using the latest fastboot executable from Android SDK platform-tools would be recommended. I highly doubt either of these are going to make any difference though. Bootloader seems to be locked and you'd need some means from ZTE to unlock it.

Guest mehdid83

I'm playing a bit with it (Power + Down) then (Down only after logo) and I get to the FTM screen.

From there, I can "adb shell" the device (see attachment 001 - 2 pages).
However, I don't know how to log in as "root" (no "su" command available).
The "id" command gives me :

Quote:

id
uid=2000(shell) gid=2000(shell) groups=1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

 

I can easily reboot in bootloader mode, etc. And FASTBOOT command works as well.

>fastboot devices

gives me

>c1bace2f      fastboot

Is that helpful to anyone ?
Anyone to guide me trying to root that phone ?

Otherwise, how did I get to that step ?
With the phone plugged onto USB to my laptop in regular mode, I got the "Fake" CD-ROM available on the computer and setup the provided drivers.
I also triggered the USB debug mode ON by tapping the menu item 7 times (which then added the "Developer" menu item to my Settings menu), and triggered the mode on.
Then I just used the Power + Down, then Down only until it showed "FTM" on the screen. Then unplugged USB and replugged it again.

 

I'm also using Fastboot from "Minimal ADB and fastboot" and copied it into the ZTE folder which I got from the fake CD-ROM setup executable run.

 

Let me know if I can be of any help.


Guest KonstaT

> I can easily reboot in bootloader mode, etc. And FASTBOOT command works as well.
>
> >fastboot devices
>
> gives me
>
> >c1bace2f      fastboot
>
> Is that helpful to anyone ?

Yeah, but it doesn't accept any fastboot commands beyond that. Even a simple 'fastboot reboot' doesn't work and you can't 'fastboot boot image.img' or 'fastboot flash partition image.img' either.


Guest mehdid83

KonstaT,

 

Indeed, reboot using fastboot doesn't work. It works only using ADB.

However, could you please point me towards some place that explains how current Lollipop phones' bootloaders were unlocked ?

Also, if B10 "update.zip" can be flashed, why can't we flash sthg else ? Because ROM happens after bootloader ? Or because "update.zip" is signed ?

 

Thx !


Guest KonstaT

> KonstaT,
>
> Indeed, reboot using fastboot doesn't work. It works only using ADB.
>
> However, could you please point me towards some place that explains how current Lollipop phones' bootloaders were unlocked ?
>
> Also, if B10 "update.zip" can be flashed, why can't we flash sthg else ? Because ROM happens after bootloader ? Or because "update.zip" is signed ?
>
> Thx !

It doesn't matter how bootloaders are unlocked on other devices (simply 'fastboot oem unlock' usually) if it's unlockable on this one. ZTE would need to provide some means to unlock the bootloader.
 
ZTE update.zip is signed with ZTE's keys (proprietary, unknown to us) and stock recovery refuses to install any packages that are not signed with that specific key. I've made hacked stock recovery that would accept packages signed with a common test key but there's no way to get that recovery image booted/flashed on the device, so...

Guest mehdid83

> It doesn't matter how bootloaders are unlocked on other devices (simply 'fastboot oem unlock' usually) if it's unlockable on this one. ZTE would need to provide some means to unlock the bootloader.
>
> ZTE update.zip is signed with ZTE's keys (proprietary, unknown to us) and stock recovery refuses to install any packages that are not signed with that specific key. I've made hacked stock recovery that would accept packages signed with a common test key but there's no way to get that recovery image booted/flashed on the device, so...

So, if I understood correctly, either we have ZTE private key, or we're definitely stuck. Right ?

Edited by mehdid83

how about doing following in fastboot mode

 

fastboot -i c1bace2f boot boot.img

 

my zte v5 max uses above type of commands in fastboot

Edited by k2wl

Guest KonstaT

> how about doing following in fastboot mode
>
> fastboot -i c1bace2f boot boot.img
>
> my zte v5 max uses above type of commands in fastboot

Interesting. :) This didn't even cross my mind and I was quite sure ZTE vendor id was already included in fastboot anyway (I checked the source and it's not). All my ZTE devices have just used the generic Google mode in fastboot.
 
It should be the vendor id you'd need to use as an interface, not the device serial number though.
fastboot -i 0x19d2 boot boot.img
0x19d2 is the ZTE id but I guess it could be something else on this device too. You can easily verify this if you're running Linux (no idea how to check this on Windows). Boot your device into bootloader and run 'lsusb' on your host PC.
Bus 002 Device 004: ID 18d1:d00d Google Inc.

18d1 is the vendor id in this example so you'd use 'fastboot -i 0x18d1' on this device.

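The lsusb check described in the post above, as an added example that is not part of the original thread: it compares lsusb output taken without and with the phone attached and prints the vendor id argument for 'fastboot -i'. The snapshots are constructed; 18d1:d00d and the 19d2 vendor id come from the posts, while the 19d2 product id (ffff) and the function names are placeholders.

```bash
#!/bin/sh
# Added example. The lsusb snapshots are constructed; only 18d1:d00d and the
# 19d2 vendor id come from the thread, the 19d2 product id is a placeholder.

# Extract vendor:product pairs from lsusb output on stdin.
usb_ids() {
    sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-f]\{4\}:[0-9a-f]\{4\}\).*/\1/p'
}

# Print IDs present in snapshot $2 (phone attached) but not in $1 (phone detached).
new_usb_ids() {
    before=$(printf '%s\n' "$1" | usb_ids)
    printf '%s\n' "$2" | usb_ids | grep -vxF -e "$before" || true
}

# Turn the newly appeared device into the argument for 'fastboot -i'.
fastboot_vendor_arg() {
    new_usb_ids "$1" "$2" | sed 's/^\(....\):.*/-i 0x\1/'
}

HOST_ONLY='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub'
IN_ANDROID="$HOST_ONLY
Bus 002 Device 003: ID 19d2:ffff ZTE WCDMA Technologies MSM"
IN_BOOTLOADER="$HOST_ONLY
Bus 002 Device 004: ID 18d1:d00d Google Inc."

# The id differs by mode, so the snapshot must be taken in bootloader mode.
echo "booted to Android: $(fastboot_vendor_arg "$HOST_ONLY" "$IN_ANDROID")"
echo "in bootloader:     $(fastboot_vendor_arg "$HOST_ONLY" "$IN_BOOTLOADER")"
```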

fastboot -i 0x19d2 flash boot boot.img

 

on zte v5 max this works with above .

0x19d2 is vendor id in zte v5 max

 

 

can anyone post only stock boot.img of blade s6???

Edited by k2wl

Guest mehdid83

Using which "boot.img" ?
And if I do it, any chance I can brick the device or not ?

Because I can't afford to... :-(

Edited by mehdid83

> Using which "boot.img" ?
>
> And if I do it, any chance I can brick the device or not ?
>
> Because I can't afford to... :-(

it is just information.

don't worry......there is no custom rom/kernel for this device right now...


Guest KonstaT

No luck, I've been told. :(

C:\Minimal ADB and Fastboot>fastboot -i 0x19d2 boot recovery.img
downloading 'boot.img'...
OKAY [  0.464s]
booting...
FAILED (remote: unknown command)
finished. total time: 0.468s

Could someone verify what mode it actually uses on fastboot? Simply run 'lsusb' on Linux. Not sure how to check this on Windows but there's probably some info in device manager.


Guest KonstaT

 

Thanks. So using 0x19d2 fastboot vendor id is not even correct for this device. It uses the generic Google mode (18d1:d00d) for fastboot like all the other ZTE devices I've seen so far.


Guest KonstaT

> Actually, Fastboot gives a 0x18D1 Vendor ID while ADB gives the 0x19D2 Vendor ID.

Yeah, that's the way it's supposed to be. It uses ZTE vendor id and modes for ADB, MTP, PTP, UMS, etc when booted to Android - generic Google vendor id and mode for fastboot when booted to bootloader.
