New root methods show up all the time, so it's not a huge deal that a rather unknown phone on AT&T is now rooted. So why are we posting about it? Because the root method used is, well... interesting.
It was uncovered by our own Justin Case from TeamAndIRC, and while a big part of the process will look very familiar to some of you, there is one step that induces a "wait, what?" moment.
Before you get started throwing commands at the little guy, though, you need to grab this file. After that, commence command throwing.
adb shell rm -r /data/local/logs (if this command gives you an error, do not worry, it is precautionary)
adb shell mkdir /data/local/logs
adb shell ln -s /data/local.prop /data/local/logs/loglast1.tar.gz
Dial *983*7668# on your phone. This does a few things: it mounts /system as writable on boot and it creates loglast1.tar.gz, which, because of the symlink from the previous step, actually lands at /data/local.prop.
Wait about 10 seconds, then continue.
adb shell "echo 'ro.kernel.qemu=1' > /data/local.prop" (Nod to Rosenberg here. The whole command is quoted so the redirect happens on the phone, not on your computer.)
Once the phone reboots, continue.
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm -r /data/local/logs
adb shell rm /data/local.prop
adb shell rm /data/property/persist.sys.ztelog.enable
adb shell rm -r /data/local/rwsystag
Head into the Market and grab the Superuser app.
Catch that *983*7668# step? Looks like someone at ZTE dropped the ball and left seventy-nine developer codes in the retail version of the device. Oops.
Of course, their mistake is your gain. Hell, there's even a code to disable Carrier IQ: *983*24737#. Enter the code, ???, profit.
While this is definitely an unusual find, it's also quite dangerous: any app can dial that code, mount the system as writable and, from there, basically control everything. As a result, JCase contacted ZTE to let them know of their oversight.
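If you administer phones like this one and want to know whether the method above has been run on a device, the traces it leaves are easy to check for: the emulator flag in /data/local.prop, a symlink in /data/local/logs pointing outside that directory, and a setuid su in /system/xbin. The script below is an added example (not from the post, not ZTE's or TeamAndIRC's code) that audits an offline snapshot for those three indicators. It assumes you have captured the text with `adb shell cat /data/local.prop`, `adb shell ls -l /data/local/logs` and `adb shell ls -l /system/xbin`; the snapshots embedded here are constructed so it runs without a device.

```shell
#!/bin/sh
# Added example, not part of the original post or of ZTE/TeamAndIRC code.
# Audits an offline snapshot of a device for the traces this root method
# leaves behind. The inputs are plain text normally captured with
# `adb shell cat /data/local.prop`, `adb shell ls -l /data/local/logs` and
# `adb shell ls -l /system/xbin`; the values below are constructed samples.

# Constructed: contents of /data/local.prop after the echo step.
SAMPLE_LOCAL_PROP='ro.kernel.qemu=1'

# Constructed: ls -l of /data/local/logs with the planted symlink.
SAMPLE_LOGS_LISTING='lrwxrwxrwx shell    shell              2011-11-11 10:00 loglast1.tar.gz -> /data/local.prop'

# Constructed: ls -l of /system/xbin after su was pushed and chmod 06755'd.
SAMPLE_XBIN_LISTING='-rwsr-sr-x root     root        22228 2011-11-11 10:05 su
-rwxr-xr-x root     shell       86420 2011-01-01 00:00 dexdump'

# Constructed: the same three snapshots from an untouched device.
CLEAN_LOCAL_PROP=''
CLEAN_LOGS_LISTING='-rw-r--r-- shell    shell        1024 2011-11-11 10:00 loglast1.tar.gz'
CLEAN_XBIN_LISTING='-rwxr-xr-x root     shell       86420 2011-01-01 00:00 dexdump'

# Returns 0 if /data/local.prop tells init to treat the device as an emulator,
# which is what makes adbd of that era keep root after the reboot.
has_qemu_flag() {
    printf '%s\n' "$1" | grep -q '^ro\.kernel\.qemu=1'
}

# Returns 0 if any entry in the logs directory is a symlink whose target
# lies outside /data/local/logs (the redirect used to get local.prop created).
has_escaping_symlink() {
    printf '%s\n' "$1" | grep '^l' | grep -- '-> ' \
        | grep -v -- '-> /data/local/logs/' | grep -q .
}

# Returns 0 if an entry named su carries the setuid bit (rws in the owner triple).
has_setuid_su() {
    printf '%s\n' "$1" | grep -q '^-rws.* su$'
}

# count_indicators LOCAL_PROP LOGS_LISTING XBIN_LISTING
# Reports each indicator found on stderr and prints the total to stdout.
count_indicators() {
    n=0
    if has_qemu_flag "$1"; then
        echo 'indicator: ro.kernel.qemu=1 in /data/local.prop' >&2
        n=$((n + 1))
    fi
    if has_escaping_symlink "$2"; then
        echo 'indicator: symlink in /data/local/logs pointing outside the directory' >&2
        n=$((n + 1))
    fi
    if has_setuid_su "$3"; then
        echo 'indicator: setuid su binary in /system/xbin' >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Demonstration on the constructed samples.
echo "rooted snapshot: $(count_indicators "$SAMPLE_LOCAL_PROP" "$SAMPLE_LOGS_LISTING" "$SAMPLE_XBIN_LISTING") indicator(s)"
echo "clean snapshot:  $(count_indicators "$CLEAN_LOCAL_PROP" "$CLEAN_LOGS_LISTING" "$CLEAN_XBIN_LISTING") indicator(s)"
```

Each check is its own function so you can wire just one of them into a fleet script; the symlink check flags any link that escapes the logs directory rather than only the loglast1.tar.gz name, since the same redirect trick works with whatever filename the logging routine happens to write.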