Open Qiangong2 opened 7 years ago
I haven't really looked into the bootloader. I've been more focused on developing TWRP for the phone. I had a feeling that I could just flash the recovery image without having to unlock any bootloader, which I did successfully on the Galaxy Grand Prime (TF). From what I've heard, it's almost like there's a "lack" of bootloader to begin with on these lower-end phones. I've tried booting into it and been redirected to the operating system instead.
I have hit a bit of a roadblock, though—the system partition is write-protected. It can be disabled, but the temp root access that I would use to flash a recovery image doesn't seem possible to gain when protection is disabled (using KingoRoot, the only program that exploits this phone successfully). It works with protection on, though, but that doesn't help much. I wonder why the same exploit couldn't work with write protection on, but I'm not too much of an expert in those matters.
Also, my desktop does not meet the recommended specifications for compiling Android and TWRP 😞 I've halted work on this due to that and my school work. It's a lot of fun, but it takes up too much time...
You don't need to meet the recommended specs :P I used to use a 2GB RAM 64-bit machine to build Android 6.0. Linux will make sure it works. Your computer may just sound like it is going to fly away, but you could always limit the jobs to 1 or 2.
Does it at least recognize the stock recovery through ADB?
Alright, go Linux! I may try having this build when I'm not at home and using my computer. How long did builds usually take on your 2GB RAM machine?
The stock recovery is recognized through ADB, yes. I can "apply an update from ADB" in the recovery and ADB recognizes it as in sideload mode.
When I try to sideload anything, however, I get `error:closed`.
(The phone doesn't actually run Nougat. I was just using the .zip as an example)
7.1 builds usually took me between 3-5 hours on `brunch`, 4-6 on `make -j2` (my CPU is quad core), and 6-8 on `make -j1`. Only, if you use `brunch`, expect to not use your computer for anything else while it runs.
It makes sense that you can't send something over ADB; the stock recovery is looking for a specific signature on the file. Can you do `adb reboot bootloader` on it from the main OS?
Also, a good idea might be to request a copy of the stock ROM/firmware from ZTE.
I sent a request for the stock firmware 🎉 I have the kernel source for the phone here.
`adb reboot bootloader` sends me straight into the OS, while `adb reboot recovery` sends me into the recovery.
Okay. Have you tried checking these? https://android.stackexchange.com/questions/73567/how-to-check-if-your-bootloader-is-unlocked
That may shed some light.
The representative redirected me to the kernel source, which I already have... Are they supposed to release the stock ROM under the GPL like the kernel?
Also, I entered the dialer code in that thread, and it seems not to work (no pop-up window)... I didn't try the `fastboot` solution, as I can't get there...
The `/system` partition is R/O by default on this phone, but write protection can be disabled with `reboot disemmcwp`. Hopefully once we have TWRP, flashing .zip files will work, then.
There is no reason for them to provide the stock firmware if they don't want to, but it was worth a shot.
https://forum.xda-developers.com/showthread.php?t=2738234 <-- This says that you should try holding the power and volume-up buttons down until it turns off, then release the power button and volume-up, but hold the volume-down button.
Nothing with Vol– at boot... it sends me straight into the OS. Vol+ sends me into the recovery, though.
hmmm...
I'm guessing you've tried clicking OEM unlocking on developer options? Then going into the bootloader from there?
Yep. I've had that option enabled this whole time...
What happens if you try the steps with it disabled?
No luck :(
:( well darn. Can you manually copy su to the phone while in temp root at least?
Wow, it's been two days already... Sorry about that 😅
I don't think so... Even though I have root, I still can't write to the `/system` partition. That's how it was when I last tried it. I will try again though.
EDIT: Yep. I used `reboot disemmcwp` in ADB to disable `/system` write protection, and once I got temp root I tried copying files to it. I received the message `Read-only partition` from my file manager.
mount -o rw,remount /system
The above doesn't do anything I assume?
I disabled write protection again and attempted to root the phone with Kingo. It failed three times and succeeded on the fourth, but I still can't gain R/W access to `/system`. Kingo seems only to succeed when write protection is enabled... I wonder if write protection is re-enabled after a certain number of reboots (the phone rebooted multiple times during the rooting process).
I tried your mount command via a `su` shell and got:
mount: Permission denied
This is one seriously tough old man, that's for sure... He isn't giving out any time soon.
I have read in the past about ZTE embedding "root detectors" in their kernels to prevent phones from being rooted. When I attempt to root with write protection enabled, the phone is successfully rooted at around 80-90%. When it is disabled, it instant-reboots at that percentage, and root fails.
Could the kernel detect modifications to `/system` and reboot the phone automatically?
At the end of the day, I'm still wondering whether I can flash a recovery... I somehow get the impression that only `/system` is write-protected and that flashing other partitions (e.g. `recovery`) is possible. Maybe if I can find time to finalize TWRP for this device...
Since you can't get into `fastboot`, it makes it problematic. I'm sure the kernel checks `/system`, which means for root to stick, you'd have to have systemless root, which requires `fastboot` to flash the new boot image. Can you `dd` the recovery and boot partitions with the root you have? Also, maybe you can `dd` the system partition, you just cannot write to /system directly.
Also, if that doesn't work, you could try to `dd` the partition directly, instead of through `/by-name` (through /dev/mmcblk0p?) where ? is the correct partition number.
And Lol :P This is one seriously tough old man, that's for sure... He isn't giving out any time soon.
Finally, I can say Yes! I have `dd`'d both the recovery and boot partitions before, and have their images on my SD card. I'm pretty sure I've done the `/system` partition as well...
I can't quite remember how I used `dd` to copy the partition, but I look in the recovery.fstab that I made and see `/dev/block/mmcblk1p1`. I know that's the SD card, but I'll see if I can find anything for the partitions on internal storage.
EDIT: I just opened a root shell and `dd`'d a random partition. It works!
Also, do you have any suggestions for the TWRP tree here? Is there anything missing from it?
I submitted a pull request with my changes.
Here is the one I compiled: https://mega.nz/#!Rl4GmSSD!d93Zs6OZrI3peE7WuJ1jpUyO18H0glDAd7mQl7mEg0g
To install, you could try to use `dd` to set it on the partition.
Agh... No success. I tried to `dd` the image onto the partition and received another `dd: Permission denied`. I tried Rashr and other apps to try and write the image... They all failed. I have two ideas at the moment:
1. When I first looked into the recovery partition's contents (recovery.img), I saw a small image with a white background and the words "FTM." Maybe FTM exists for this device? The usual combination (Vol Down + Power) didn't seem to work. One thing is interesting, though—instead of ignoring the combination and proceeding to boot Android, the phone instant reboots. If you hold the buttons indefinitely, the phone will continue rebooting.
2. When I use KingoRoot with `/system` write protection enabled, it seems to use temp root as a last resort and succeeds. When write protection is disabled, it fails. I wonder if the app detects R/O status and resorts to temp or not, but because the kernel on this phone seems to detect any `/system` modifications, a temp root is what we would need to get things going.
I'll start with 2. For Kingo, do you root with the APK or with the application? The PC Application has a lot greater results.
For 1, from what it looks like, there is a check in the recovery/boot image that forces a reboot if you get to the recovery screen. FTM looks like it is just a debugging software, but it is possible that because of that, if it is on, ADB may have R/W enabled on the /system.
Alright. Let's do it 😎
I always use Kingo for Desktop. The Android version has never worked...
Oops, I should have clarified what I meant... The combination I cited (Vol Down + Power) is the common key combination for entering FTM mode, not recovery. Thankfully, the recovery (Vol Up + Power) is something that works on this device—well, technically not working, but at least it is there.
The reason I mentioned it is that I have read about people using FTM mode and a special application on Windows to flash images to partitions. I was hoping that it would be an alternative.
The firmware flasher talked about here: http://www.modaco.com/forums/topic/343587-guide-de-bricking-a-zte-blade/ may have hope, but it seems like a last resort.
There is also this: http://flashtool.org/8/download-ZTE-flash-tool.html (maybe the qualcomm tool will work?)
You might also want to look at http://root.mgyun.com it was the only application (windows) that worked to root my sp7715ga device.
Yes... Give me all the Chinese roots 😎
iRoot did not work :/ I tried both the mobile and the desktop version.
I looked at the firmware flasher in the first link. It looks like I could flash just one partition with the recovery.img without having to use the whole restore directory like @hedgepigdaniel did. The problem is that I don't know how to get into download mode. The key combinations just don't work.
I'm not too fond of bricking my device to get into download mode, but I would do it. The problem with that, though, is that I don't know how to do that either 😅
The ZTE Qualcomm tool at flashtool.org seems to need a stock firmware image from ZTE themselves. I have looked in the past for such an image for this phone, but have found nothing. The ZTE firmware/update packages seem to be `.bin` files. I wonder if modifying the contents of one would be possible, since they seem just to be containers for the image files for the partitions themselves.
One more Chinese root? There is kingroot for PC you could try.
I guess currently the best strategy is to try and get into FTM mode. I bet FTM has a debug setting that will allow you to test the bootloader, or maybe remap startup key combinations.
I'm guessing `adb reboot ftm` doesn't work?
I believe it should be possible to modify the `.bin` file, like how in Samsung's ODIN, you can select a different image and put it into the `.tar`
Any update @imasaru?
Sorry, I've been busy again...
`adb reboot ftm` didn't work.
That's fine.
I don't know anymore then what the issue could be. I've never worked with ZTE devices before. Sorry
Thank you! 😃
Have you looked into the bootloader at all? Is it locked? Or not? Also, have you tried compiling twrp yet?