Last Updated: June 5th, 2012

New root methods show up all the time, so it's not a huge deal that a rather unknown phone on AT&T is now rooted. So why are we posting about it? Because the root method used is, well... interesting.

It was uncovered by our own Justin Case from TeamAndIRC, and while a big part of the process will look very familiar to some of you, there is one step that induces a wait, what? moment.

Before you get started throwing commands at the little guy, though, you need to grab this file. After that, commence command throwing.

adb shell rm -r /data/local/logs      (if this command gives you an error, do not worry, it is precautionary)
adb shell mkdir /data/local/logs
adb shell ln -s /data/local.prop /data/local/logs/loglast1.tar.gz

Dial *983*7668# on your phone. This does a few things, it mounts /system as writable on boot, and creates the loglast1.tar.gz.
Wait about 10 seconds, then continue.

adb shell echo 'ro.kernel.qemu=1' > /data/local.prop    (Nod to Rosenberg here)
adb reboot

Once the phone reboots, continue

adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm -r /data/local/logs
adb shell rm /data/local.prop
adb shell rm /data/property/persist.sys.ztelog.enable
adb shell rm -r /data/local/rwsystag

Head into the Market and grab the Superuser app.


Catch that bold part? Looks like someone at ZTE dropped the ball and left seventy-nine developer codes in the retail version of the device. Oops.

Of course, their mistake is your gain. Hell, there's even a code to disable Carrier IQ: *983*24737#. Enter the code, ???, profit.

While this is definitely an unusual and unique find, it's also quite dangerous. This means that any app can mount the system as writable and, from there, basically control everything. As a result, JCase contacted ZTE to let them know of their oversight.

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, musician, and cyclist. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6-string, spinning on the streets, or watching The Texas Chainsaw Massacre on repeat.

  • Fifth313ment

    Let me thing about this the Chinese company ZTE leaving in developer codes which could allow any app (pre-installed system app) or otherwise to take control of your device. Hmm, now I know why the US Justice department is looking into if Chinese phone manufacturers and carriers pose a security risk for our country. I personally think YES and although this may be just a big mistake its hard to believe considering China's efforts to steal US security information and technology.

    • Telanis

      Yeah, because the average citizen carries around important classified information on their phone. And US intelligence agencies are known for letting their employees use uncertified Android devices from foreign countries.

      • Fifth313ment

        You're joking right? You can't actually be serious, can you!? This is the same administration that accidentally leaked our helicopter technology onto the net, the same that lost pages from Afghanistan document (WikiLeaks), that lost out drone to Iran, that gave live guns to criminals, oh and I have more if you'd like. :) Yeah they're right on top of security!

        • Bear

          To add further. If you had an entire network of drone systems that people use on a daily basis, that would actually be a very useful point to point system to launch attacks from.

          Meanwhile, the user of the individual phone does not know, because of the vast number of drone phones in this network, each individual phone would not leak bandwidth in detectable levels.

          If the Chinese are in fact using drones out of such phones, and a vast network of controlled devices, then their objective would be strategic.

          Having a civilian population, of your enemy, be the vectors, by which electronic devices collect data, and then send it back to your Military servers, in large scale masses, would be a redefining moment in the World of Espionage, and open source intelligence gathering by a Military.

          If anyone could pull such a thing off, it would be the Chinese, while acting "like the mouse".

  • n00b

    Excuse a n00b question, but the file at http://download.cunninglogic.com/su - what is that?

    • Zach

      That's a file that the system can run to get root permissions. It's kinda like a "Enable root switch" that the system uses, Superuser just makes sure that only the approved apps can ask the System to use that file.

  • jcase

    There is some confusion (relayed privately) as to if the above info could be used to give an app "complete control". While the code can not be done from an app, however a variation can be used to run commands as root.

    • chavez123

      Can you please put up a tutorial on how to root this phone cause i am completely confused.

  • http://exporience.com Ben Y

    You got one thing wrong. It should be:

    adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"

    • jcase

      The command is correct and working, if you are having a problem run it while in a shell on the device.

      Certain OSs (windows?) may not like it, but it works fine on a proper OS.

  • Chowboy

    Can someone please help me root my ZTE Avail with this? I have no idea how to install or use ADB. A tutorial would be great. Just point me in the right direction. I have searched for instructions, but just seem to get more confused the more I read. I know it is a simple process, but I guess I'm not "techie" enough to understand it. Help? Thanks.

    • ChowBoy

      Got it.Read a little more and didn't even have to use ADB to root the Avail. Did it with the number sequence.

      Thanks anyway.

      • p4k-m4n

        this number sequence *983*7668#???

        • God2Pac

          The number is *983*987#

  • SoCalSora

    When i get to the line that says
    adb push su /system/xbin/su

    it tells me:
    cannot stat 'su': no such file or directory

  • MunKiy

    I'm totally new to rooting... How does one get into a command prompt on this phone?

    • milan

      where are we supposed to put su file?

  • http://www.renatocferraz.com Renato

    I think it goes in the same folder the adb.exe is.

    • milan

      Thanks Renato. Can this work on phones from networks other than at&t (mine is on vip serbia)?

  • james bauer

    im gettung the same thing when it comes to the su file and when itry to do the kernel it says access denied

  • Peter

    Warp online update tool:http://wwwen.zte.com.cn/endata/mobile/USA/USA_SoftWare/201201/P020120106363776514730.zip

  • http://www.zte.com.cn Sophia

    Hi,welcome to download ZTE official online upgrade tool to update your smart phone!

  • loco

    can some one just please put a tutorial cause all of this is confusing

  • chavez123

    can some one please help me i am confused on how to root my zte avail

  • gcroote

    ok i am still confused lol i had tried just the number like someone else said works but nothin so please help never dne this before lol

  • Chowboy


    All you have to do is touch the dialer and enter the code *983*7668# and do not press enter. Keep your eyes on the bottom of the dialer screen and it will say "after some minutes your will have root" or something similar. Just wait a few minutes and it will be rooted. I always wait about 5 minutes, then turn the phone off and back on. Check with RootChecker Basic, which is free from the Google Play site. It will tell you if your phone is rooted or not. Very easy and works.

  • http://twitter.com/scotteharris4 Scott Harris

    I keep getting "device not found", what am I supposed to do?

  • Colin Keigher

    make my vag quiver with excitement

  • ZenWarroir

    I also simply dialed the code *983*7668# and nothing absolutely happened.

  • Chowboyken

    When you download the SU file mentioned above, how do you save it, and where does it go?

  • Angvz

    The *983*7668# does not work if att forced a fimware update on you. You need to go to the zte website, http://www.zteusa.com/support/ and grab the t card update instructions and firmware.

    Also i did not at first get

    adb shell echo 'ro.kernel.qemu=1' > /data/local.prop

    ..to work. i think i did a adb reboot after diaking in the root number, but there seems to be a timing factor to it.

  • Demonsrage43087

    Where do you put the su file?

  • http://twitter.com/wiz0floyd Adam Celli

    I just got my Avail and it's version number ends in b18. Does anyone know if this is the version that had these commands removed?

  • opie taylor.

    ok, where's the rest of the directions, i'm a fairly well versed user and this feels like it's starting in the middle, or is this another one of those we give ya some but it's just enough to keep you from finding what you want things?

  • MichaelDs

    the truth is that I am a rookie, but wanted to ask how and with what program I can do that, leave me the link i need program, if the cell or pc, so as to be a little more guidance and to do root in my zte avail, I hope you all can help me.

  • David Shaheen

    I've tried every single command and they all say no devices found

  • streetdog

    one of the best android phones to buy if you are on a budget...

  • Annoyed

    You grab the file then what? how are you supposed to enter those commands? Can someone just make a video tutorial or at least post clear directions for someone who is not familiar with rooting?

  • nomad

    I have the ZTX V768 how do I transfer pics to home pc. the nomad

  • nomad

    can anybody tell me howto transfer pics to my home pc? I have a ZTX concord.