ZTE Open FirefoxOS Phone, root and first impressions

ZTE Open is the first non-developer FirefoxOS phone, sold commercially in Spain by Movistar.

It can be rooted using CVE-2012-4220, aka the Qualcomm DIAG root, discovered by Giantpune. Qualcomm released the security advisory on November 15, 2012. The ZTE Open was launched commercially 7 months later, and neither ZTE nor Movistar have bothered to patch this security hole; shame on them for selling vulnerable devices to customers.

The ZTE Open comes with kernel 3.0.8, which is also vulnerable to the CVE-2013-2094 (perf_event) exploit.


I took the exploit by Hiroyuki Ikezoe and adapted it to work on the ZTE Open. The source code is available here, and a ready-to-use compiled exploit is here: DOWNLOAD.

These are the details of the original firmware, as hopefully ZTE will patch the security hole and this exploit might not work in future versions:

ro.build.date=Fri May 31 23:10:17 CST 2013

To run the exploit, connect your phone to your computer using the USB cable and make sure ‘Remote debugging’ is enabled on your phone in Settings -> Device information -> More Information -> Developer.
You need to have the adb binary in your computer’s path (if you don’t know what ADB is, don’t bother rooting your phone); then execute “run.sh” on Linux or OS X, or “run.bat” on Windows.
If the exploit fails, reboot your ZTE Open and try again (the Linux/Mac version will attempt to do that automatically). Once the exploit is successful, it will remount the system partition in read/write mode and copy a setuid “su” binary into /system/xbin/su.

Custom ROMs

The bootloader on the ZTE Open does not allow flashing or booting unsigned code through the fastboot protocol. The stock recovery image verifies the signature of update packages and will not let you flash self-signed updates. To overcome that limitation you can flash a custom recovery image, which lets you back up your current ROM to the SD card and flash your customized build of FirefoxOS (or, if you want, your own Android port).

You can download ClockWorkMod recovery for ZTE Open here: recovery-clockwork-
To flash it:

# first backup your existing recovery
adb shell dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
adb pull /sdcard/stock-recovery.img
# then flash clockworkmod recovery
adb push recovery-clockwork- /sdcard/cwm.img
adb shell flash_image recovery /sdcard/cwm.img

To boot into recovery mode, hold both volume up and the power button while powering on the phone.

Enjoy! :)


112 Responses to ZTE Open FirefoxOS Phone, root and first impressions

  1. Aglezabad says:

    Hello pof:

    First, thank you for discovering a way to root this model of smartphone.
    I have one of these and I applied your article, but I can’t copy an image of original recovery of ZTE. I’m doing this:
    $ adb shell
    android$ su
    android# dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
    /dev/mtd/mtd0: read error: Invalid argument
    0+0 records in
    0+0 records out
    0 bytes transferred in 0.003 secs (0 bytes/sec)

    I’ve tried doing the same command with mtd0ro, but it shows the same error.

    Any idea?


  2. Jack says:


    Do you know if it is possible to load a bare firefox os from github to ZTE Open? Will it be compatible?
    I mean using that guide – https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Preparing_for_your_first_B2G_build


    • pof says:

      Should be possible yes, but not as straightforward as with development devices like Keon or Peak.
      Also remember you can’t use fastboot to flash the ZTE Open with a custom firmware, so you’ll have to flash it through a custom recovery image.

  3. jose says:

    got this error on w8 trying to root my device using cmd as administrator

    c:\zteopen>adb wait-for-device
    * daemon not running. starting it now on port 5037 *
    * daemon started successfully *

    c:\zteopen>adb push root-zte-open /data/local/tmp/
    1249 KB/s (19208 bytes in 0.015s)

    c:\zteopen>adb shell /data/local/tmp/root-zte-open
    /system/bin/sh: /data/local/tmp/root-zte-open: cannot execute – Permission denied

  4. tujiokl says:

    but what rooting firefox os gives to us? can we get normal linux shell? i hate dalvik in android…

  5. Carlos says:

    Hello Good Evening friend, a question not open a video tutorial on how to root the ZTE OPEN. It confuses me your steps. Clarified that is more or less Android

  6. marek says:

    Well, I’ve ZTE Open from Movistar bought in July (with newer build id 20130621152332) and this root works no more :-( Such a pity, because I’ve some problems with the device, esp. SIM contacts import went wrong, and I wanted to help Mozilla guys by sending them import log, but such as it is, I cannot… :-((
    I do hope some other root will emerge soon…

  7. trucmuch says:


    For booting into recovery mode, you have to hold both volume up (not down) and the power button.

  8. trucmuch says:

    Thank you for the tutorial, I have rooted my device (build : 20130621152332) and flashed the recovery.

    But I can’t find any customized ROM … do you know how to update the OS ? Because Movistar build really sucks : no french language for example :-)

  9. edu says:

    Hi trucmuch, I have exactly the same problem.

    I have checked message “FAILED (status read failed (No such device))” checking source code of flash.sh, but available info is really poor. I think problem is caused by fastboot command line, please check “adb devices” detect perfectly the device, but “fastboot devices” not work!. flash.sh script use adb and fastboot calls.

    • trucmuch says:

      with device plugged in recovery
      > lsusb
      Bus 002 Device 101: ID 18d1:d001 Google Inc.

      > adb devices
      ROAMER2 recovery

      > fastboot devices

      FYI : I try to use directly the flash_image command in adb shell (I think it’s used by the fastboot command) :

      It works for my built system.img :
      > flash_image system /sdcard/system.img
      mtd: successfully wrote block at 0

      mtd: successfully wrote block at 5900000
      wrote system partition

      But it fails for any userdata (stock and custom) :
      > flash_image userdata /sdcard/userdata.img
      mtd: successfully wrote block at 0
      mtd: successfully wrote block at 20000

      mtd: successfully wrote block at 1900000
      mtd: not erasing bad block at 0x04920000
      mtd: not erasing bad block at 0x05c60000
      wrote userdata partition

      I can’t boot anymore in ffos … recovery works fine fortunately.
      I’m still waiting for the last official update.zip download … hope that it will works.

      • pof says:

        flashing userdata works, but your NAND has a couple of bad blocks and that’s why you see the “not erasing bad block” error, this is “normal” in NAND devices and shouldn’t be an issue here.

        Try to run adb logcat while the device boots to see what’s failing in your build… also, you have not copied it but I assume you’ve also used flash_image with your custom boot.img, right?

        Also remember you can do a nandroid backup & restore from the custom CWM recovery to your SDCard, so you can return to a working state in case flashing your new system fails.

        • edu says:

          B2G build process do not generate boot.img (almost i can not find it). It is strictly necessary or we can keep boot.img as originally is flashed?

  10. trucmuch says:

    My build doesn’t generate boot.img neither ;-)

    There is all img that I have :

    Does it mean that ramdisk.img == boot.img ?

    To answer to your previous question, this is what I have during my not working boot :
    > adb logcat
    - exec ‘/system/bin/sh’ failed: No such file or directory (2) -

    • pof says:

      ramdisk.img is probably boot.img without the kernel (zImage), but i am not familiar with firefoxOS build system. To check it yourself, you can unpack the ramdisk.img, see: http://www.android-dls.com/wiki/?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images and https://github.com/beide/Bootimg-scripts

      • trucmuch says:

        It’s not a boot image for unpack-bootimg.pl : “Could not find any embedded ramdisk images. Are you sure this is a full boot image?”

        I’m lost right now !

        I had a stock system with recovery 6, but after flashing successfully with my built system.img, the phone won’t boot after the firefox splash screen.

        I have tried the same with some customized update.zip from ZTE download
        - one modified with recovery 6 => boot OK and working fine
        - one modified with recovery 6 + built system directory paste on stock one => boot fails

        It seems that I have to build a boot.img (but how to do that ?).

    • edu says:

      Hi trucmuch, you are using CWM recovery to flash update.zip (from ZTE download site) directly?

      • trucmuch says:

        Yes, it took to me 2 hours to download it from zte …

        I did not manage to update the phone directly with the zte version but it works with a repacked update.zip (I have dropped the assertion on ro.build.display.id in the update script and replaced the stock recovery.img by the custom one).

        You can download these 2 update.zip there :
        - update-zte-recovery6.zip : http://dl.free.fr/f4t178wBA
        - update-zte-stock.zip : http://dl.free.fr/mAS74Gl2x

        FYI : I used the SignApk tool to sign zip and generate the MANIFEST.MF file.

        • vuldin says:

          I’ve installed CWM recovery, built a version of firefox for this phone, created a signed update.zip of the files generated during the build process, but when I try to install it fails saying it cannot mount /emmc and one other partition (at least those are the last two messages I see in the log).

          I also tried installing the system.img and userdata.img files via flash_image… system.img installed fine but userdata.img gave a segmentation fault I believe. I was unable to boot after that (so I restored my backup).

          I’m not sure about just modifying the ZTE zip posted in this thread since it seems to be for the version of the phone released in Spain and elsewhere (although maybe it would work just fine). What I’d really like to figure out is how to my own custom built version of Firefox. It’s a shame the flash.sh command doesn’t work as they mention in the MDN wiki: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Installing_on_a_mobile_device

          • defier says:

            I tried it like you did, except I flashed userdata.img first (which went fine) and system.img afterwards, both using flash_image via adb.
            Both things worked, but the screen was black afterwards and I could not re-run flash_image probably due to kernel userland/mismatch as I didn’t flash ramdisk.img. I was getting this error:

            link_image[1936]: 556 could not load needed library ‘liblog.so’ for ‘flash_image’ (link_image[1936]: 556 could not load needed library ‘libc.so’ for ‘liblog.so’ (link_image[1908]: 556 missing essential tables))CANNOT LINK EXECUTABLE

            Well what is worse, if I reboot the phone into clockworkmod, it only shows the hat and the “clockworkmod recovery” label at the bottom, but it does not display the menu anymore so I cannot restore any nandroid backups. I also can’t boot the phone into fastboot anymore.

            Anybody an idea how to get back at least a working recovery? :(

        • Sebastien says:

          Hey !
          Where is the update script to remove the assertion ? I’m facing the same issue when trying to pack my own update.zip

        • urKh says:

          How to sign the update.zip with SignApk? try it, but the stock recovery tells me “signature failure” :(

          PD: I have v1.1 official image of zte

          Sorry for my poor english

  11. edu says:

    Starting B2G building docs, it said: “Important: Only devices running at least Android 4 (aka Ice Cream Sandwich) are supported. If your device is listed above but running an older version of Android, please update it before doing anything.”.
    Probably B2G build use a fixed kernel version as used by Android 4

  12. edu says:

    Looking on google groups i found successful experiences building ffos 1.1 for Alcatel On touch fire. With zte open apparently is really tricky. Problem is basically fail on flash.sh script, zte open do not accepts fastboot commands, but is necessary get manual methods using command line.
    You have successfully built and flashed on zte open?

  13. vuldin says:

    I just received the ZTE Open today, and when attempting to run the root-zte-open application it fails with: roamer2 (OPEN_US_DEV_FFOS_V1.0.0B02) is not supported.

    I cloned your git repo and see that you have OPEN_FFOS_V1.0.0B04_TME as the supported string. Is it as simple as changing the two strings to match what is needed for my version of the phone, build it and then continue with the instructions here?


    • vuldin says:

      Root works on this phone without modifying anything! I just restarted the phone and retried the steps and it worked.

      • defier says:

        I also got this more open (orange, not movistar) version of the ZTE. But for me root does not work out of the box, in adb I can’t su and running dd on the mtd device renders “permission denied”.
        What did you do to get root if you did not run the exploit beforehand?

        • robert_valiant says:

          You have to run the exploit first, that’s what enables root (su). I used these steps on my orange US version ZTE Open:

          1) Turn on debugging on phone.
          2) Turn off USB mass storage on phone.
          3) Plug phone in to computer.
          4) Open terminal on computer, navigate to folder with uncompressed exploit.
          5) Switch to root.
          6) Run exploit (./run.sh).
          7) Reboot phone.

          In order to backup the stock recovery, I had to do this:

          adb shell
          busybox dd if=/dev/mtd/mtd0 of=/mnt/sdcard/stock-recovery.img bs=4k

          To install CWM, I did this (from the directory that contains the CWM recovery image):

          adb push recovery-clockwork- /mnt/sdcard/cwm.img
          adb shell
          flash_image recovery /mnt/sdcard/cwm.img

          • defier says:

            Thanks, that’s how I did it also in the end, except that I backed up all 20 partitions, just in case. But in theory, since the bootloader is open you should have been able to flash an update.zip containing the “su” binary directly via stock recovery?

            I also tried to get into fastboot mode, but when “adb reboot fastboot” does not work and with the volup+power I get a screen with a white box and black printed “FWM” (or FTM) inside. “fastboot devices” doesn’t detect anything, other keys also don’t work except taking out the battery.

          • trev_h says:

            Thanks!! This also worked for me with an orange ZTE bought from the HongKong ebay store in late October 2013 (Software version OPEN_US_DEV-FFOS_V1.0.0B02).

            After not reading this blog closely enough, I spent my first week of owning my Firefox OS ZTE Open feeling very sad, thinking that the bootloader was locked.

            What a joy to find that my FFOS_V1.0.0B02 version phone is BOOTLOADER UNLOCKED! :) :)

            I now have original recovery backed up, cwm recovery installed, and a nandroid backup of my phone’s factory setup (well, factory plus a few apps from the Mozilla Firefox OS Market). The only small change I made was because I use Ubuntu 12.04 Linux at present so I needed to change the adb su commands in terminal to sudo (but not the su command in the ZTE’s shell). Example:-

            sudo flash_image recovery /mnt/sdcard/cwm.img

  14. azureus says:


    I bought on Holidays 3 “ZTE OPEN” with FirefoxOS for my Family and me. At home I want to do my simcard in this Phone but it is SimLock`t!!

    Can i Flash this Image in the ZTE OPEN and Unlock this???

    p.s.: Any Howto for (noobs) to Flash the ZTE OPEN????

    • trucmuch says:


      I don’t think flashing an image could simunlock your phone.

      I have a spanish one (Movistar) and I have unlocked it for 10€ with SIMUnlock24.com (it was the least expensive that I found).

  15. PoorKitty says:

    Hi azureus,

    You have to call the service customer (+346999910004) and explain you’re now in another country and ask to remove the simlock protection,
    they will give you a number with 16 digit to unlock your phone.

    Don’t hesitate to call multiple time because some of them will say that you have to buy 120 euros of communication before they give you this number, but it’s not true, you have to insist.

    To enter this number, you have to put another sim in it and the phone will ask you a code (the 16 digit)

    Good luck because i had to call 15 times but now it’s ok.

    and it’s free of course

  16. defier says:

    Could somebody please comment on whether after flashing clockworkmod as described here FTM is still operational (boot up holding voldown + power)? Thanks!

    • edu says:

      Flashing CWM works perfectly. Steps explained on this must be applied with a small variation: dd command (backup of stock recovery step) must be realized with busybox tool. In fact, i have flashed dozens times my own FFOS 1.1 build unsuccessfully (become a recoverable brick) and all times i could go back to the functional FFOS (stock) using CWM restore.

      • defier says:

        Thanks, but if you read my posting above I have done all that successfully (flashed cwm, compiled ffos, flashed system etc.), but after flashing userdata.img my phone is bricked and I can’t get either into CWM anymore nor into FTM (although I don’t have a tool to reflash userdata this way either).

        I was just curious whether FTM got bricked by flashing CWM or by flashing userdata, that’s why I was asking.

        • edu says:

          I have flashed userdata.img several times and CWM is not affected. Your case is curious.

          • defier says:

            Probably because you flashed userdata.img via flash.sh resp. fastboot? It seems like fastboot only transfers the images to the phone but then aborts, at least this is what happened to me. That’s why I reflashed both userdata.img and system.img directly from the sdcard via flash_image in adb. Seemed like both worked fine, but I guess the bootimage is not compatible with system/userdata and thus it hangs on boot. Before bricking it this way I tried flashing only system.img via flash_image, this also lead to the system not booting up but at least the recovery remained intact so I was able to revert to my backup of the original system.img.

            I am just surprised that clockworkmod somehow (probably?) depends on userdata and that you can brick the phone this way. Well of course there is probably some way to unbrick it via TPT flash or other lowlevel methods, but if FTM was intact it would be probably easier.

          • edu says:

            Your case is different to mine, i have used flash_image all time because flash.sh not work, and phone always is recoverable.

          • edu says:

            Me too, flash.sh do not work. I’m frustrated with B2G built. I have tried all and don’t work, almost my phone not become brick. Inclusive i have tried install Android because zte one is very close to zte kis, then tried a Android CM of zte kis, but become again a recoverable brick.

        • pof says:

          @defier: you said above that you can only get to the “clockworkmod recovery” label but do not get the menu. Have you checked if the recovery is reachable trough ‘adb shell’ when this happens?

          • defier says:

            Yes I checked and no I was not able to connect via adb. I always thought you had to explicitly enable adb access to recovery manually through the menus. Is your recovery accessible via adb without any manual steps?

  17. defier says:

    I see. Then in fact it is really different, although I don’t understand why. I just could explain it if I accidentally flashed one of the images to the wrong partition (i.e. system to recovery partition), but then recovery wouldn’t boot up until the splash screen I guess.

    Seems like the ZTE Open is not as hard to brick as I hoped. :(

  18. edu says:

    Now my concerns are 1) Where is boot.img in B2G build?, it is necessary or possibly works with previously flashed (stock boot.img), B2G do not generate boot.img because this build use boot partition of a previous Android 4? 2) What must i do with ramdisk.img? flash.sh do not use ramdisk.img, then is ramdisk.img a part of a aborted boot.img build?
    I’m frustrated!

    • defier says:

      Thanks for the hint with the ZTE kis, it seems like it’s almost the same device and also called “roamer2” internally. I will try to download the official ffos zte firmware for the Open (the spanish variant I guess) and see if the phone can be persuaded to reflash this via TPT.

      I was also wondering what ramdisk.img is about, maybe you can try to disassemble the boot partition image (from mtd1: 00800000 00020000 “boot”) and see if it’s divided up into ramdisk and boot. My humble assumption is that you only need to replace the ramdisk to get FFOS 1.1 running.

      • pof says:

        mtd1 contains both, boot and ramdisk:

        $ unpack-bootimg.pl mtd1.bin

        kernel written to mtd1.bin-kernel.gz
        ramdisk written to mtd1.bin-ramdisk.cpio.gz

      • edu says:

        Effectively, i exploded stock boot partition, replaced initrd.img with ramdisk.img, repack using mkbootimg, reflashed boot partition, then results was…. same, a recoverable brick !

        I will continue, someday i will get FFOS 1.1 working

        • Sianis says:

          Is there any progress about this? It would be great if I can test some OS modification on device.

          • edu says:

            Hi Sianis, unfortunately i don’t have real progress building FxOS 1.1 Flashing using manual methods aren’t problem. Recently i was studying init scripts of stock system comparing with init scripts generated on building and i found too much differences, i think problem is here

      • edu says:

        Hi defier, the zte open is practically same than zte V790, just now i have flashed a Android ICS and is working good except by lack of control buttons, if you enter to a app, you can’t exit :-)

        • defier says:

          That’s interesting, thanks for the hint. So it’s not the “kis” but the “kis lite” then? And which ROM did you flash? Did you flash userdata, boot and system or just system and are using the FFOS kernel for Android4?

          • edu says:

            Used CWM recovery for install zip from zte kis lite roms found on internet. Have tried 3 different roms and work good partially, great problem is lack of physical buttons as zte kis lite. IMPORTANT: all zip found is necessary delete recovery.img because you can destroy flashed CWM of this post.

        • js says:

          Hi Edu,
          Have you tried with virtual button bar app?? (simulates hardware buttons over screen)
          where can I find ICS for zte open? (or kid lite)

          • edu says:

            Hi, yeap i tested a virtual button app and worked perfect. However, SIM card wasn’t detected, then the Android is unusable. I’m tempted on cook my own Android for zte open.

  19. mojo706 says:

    Hahaha I like how he says if you don’t know ADB (don’t bother rooting…. ) I was once a noob too but for sure the internet and a few bricked phones later I am wiser :). Thanks for this too!

  20. trucmuch says:

    Hi guys,

    I have exactly the same pbm than defier, my phone has been bricked after flashing userdata : no more system boot neither recovery boot (only splash screen for both).

    I don’t think I was dumb enough to flash userdata.img in recovery but … who knows actually :-{
    … is it possible that ZTE nand memory is just a big shit ?.. remember that I had “mtd: not erasing bad block at 0x04920000” when I’ve tried to flash userdata partition.

    Now, I can’t find any mode to re-flash : no adb shell available in normal boot, recovery or “download” (== hold on volume up + down at boot).

    • defier says:

      Welcome on board. :-( I am pretty sure I didn’t flash accidentally the recovery partition and I didn’t get any “not erasing bad block” messages at all. The only mode possible to reflash is probably the low level TPT. You need to hold voldown+volup then press power. You will get no visual feedback, but the device announces itself as:

      ZTE Corporation ZTE WCDMA Handset Diagnostic Port

      In theory, you should be able to reflash the phone in this mode using some ZTE low level flasher, provided you know how to do that exactly. For some phones like the ZTE blade there was also an option to reflash from SD card when you put specific files (the backed up partitions) plus the md5 sums etc. in the root (or image?) folder of the sdcard. You can find some instructions for TPT flashing the ZTE blade on xda-developers, but I didn’t try this out yet (I have copies of all 20 stock partitions luckily).

      I am really disappointed about this device being marketed as “developer phone” when it’s so easy to brick it. Don’t know if the Alcatel is better here, though. Actually I would advise nobody to flash userdata unless you have a way for low level flash (like sbf for motorola, odin for samsung etc.). I am pretty convinced that this is possible on the ZTE Open as well if you know how to do that.

      • js says:

        now my zte is also bricked. I press vol up&down and power but nothing. always black screen, no led, no charging, no recovery boot…
        Any ideas??

        • defier says:

          Normally the red LED should flash once but the screen would remain black. The screen remains black, but the device announces itself as “diagnostic port” as described above.

          • jose says:

            then as I can update it in that way? a program called ndl q for firefox I think it’s called, but not able to update and

  21. Angela says:

    ZTE Open factory image released 30 August 2013. The image is supposedly the original for the EU (eBay) device. Image

    After installation 6 application updates download and install, but not any 13.34Mb system files. However the message advising of a failed update no longer appears.

  22. Angela says:

    Anyone having problems with bluetooth connections? I have a sound bar and car audio which ZTE_Open sees and supposedly pairs with, but fails to connect. My Nexus 4 works with these devices.

  23. defier says:

    I am pretty much disappointed about ZTE’s support for this device! The local ZTE service in my country refuses to help me because the device is not officially sold here (okay). The same goes for ZTE China and ZTE UK, they all forwarded me to the ebay seller although they could do much better in providing the community with the instructions how to reflash the device yourself.

    The ebay seller published two e-mail addresses and promises an answer within two working days. I tried the gmail-address and now four working days have passed and I did not get an answer. They also published a phone number which was busy each time I tried calling, now I am trying the other e-mail address they posted.

    I mean, this is not some “third party” eBay seller – ZTE officially announced that they would be selling the device via eBay. Imho they should also provide some support for it instead of forwarding people to (their own) seller who does not respond.

  24. d7rk says:

    Hum… all those bricked devices makes me shudder. Maybe I should keep away from 1.1 for now.
    I’ve rooted the phone though, with your fantastic instructions so it’s tempting to try…
    Any idea why I get a device not found when I try a adb pull ? knowing that it is recognised as roamer2 when I do adb devices….

    Yeah ZTE is clearly lagging behind in terms of help, communication or updates. And it’s clearly not a developer phone. I’m wondering if it’s not just a shitty one. Anyway. Time will tell. Maybe I should just invest in a Nexus. It seems much easier to customize (FFOS, ubuntu phone…)

  25. edu says:

    Finally i have installed FxOS 1.1 successfully. However i used only:

    ./flash.sh gaia
    ./flash.sh gecko

    without errors, (fastboot not work yet, possibly zte will offer a tool so fastboot will be enable)
    Before flashing, is necessary change default property so adbd into phone can run as root.
    - Enter to phone using adb shell
    - change to su
    - extract boot partition:

    cat /dev/mtd/mtd1 > /sdcard/boot.img

    -exit of phone and explode boot.img with: abootimg (you must install it):

    adb pull /sdcard/boot.img
    abootimg -x boot.img

    - create a directory and enter into then explode initrd.img

    mkdir a_dir; cd a_dir
    gunzip -c ../initrd.img | cpio -i

    - change content of default.prop to:


    - repack ramdisk:

    /out/host/linux-x86/bin/mkbootfs . | gzip > ../newinitramfs.cpio.gz

    - go to dir back and repack boot.img:

    cd ..
    /out/host/linux-x86/bin/mkbootimg --kernel zImage --ramdisk newinitramfs.cpio.gz --base 0x200000 --cmdline 'androidboot.hardware=roamer2' -o newboot.img

    - push new boot image:

    adb push newboot.img /sdcard/newboot.img

    - restart the phone on CWM recovery mode and enter into phone using adb shell and flash boot.img:

    mount /sdcard
    flash_image boot /sdcard/newboot.img

    - restart your phone and exec flash command as B2G tutorial explain (again, fastboot do not works, use flash.sh gaia and flash.sh gecko)
    - restart the phone
    - if you have problems, try enter to settings, and reset phone, then try flash gaia and flash gecko again and restart

    Just now my zte open is working perfectly with FxOS 1.1/gaia 18.1
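
A pre-flash sanity check for the boot.img repack steps above, which also shows why the earlier replies found that mtd1 holds kernel plus ramdisk while a bare ramdisk.img is "not a full boot image". This is an added example, not code from the post or from any commenter. It assumes the classic Android boot image header (v0); `parse_bootimg`, `check_repack` and `build_sample` are hypothetical names, and the sample images are constructed, not real ZTE dumps.

```python
import gzip
import struct
import zlib

MAGIC = b"ANDROID!"
# Header v0: magic, kernel size/addr, ramdisk size/addr, second size/addr,
# tags addr, page size, two unused words, board name, kernel command line.
HDR = struct.Struct("<8s10I16s512s")


def _padded(size, page):
    """Bytes taken by `size` bytes once rounded up to whole flash pages."""
    return -(-size // page) * page


def parse_bootimg(data):
    """Split a boot image (or a raw partition dump holding one) into parts."""
    if len(data) < HDR.size or data[:8] != MAGIC:
        raise ValueError("no ANDROID! magic: not a full boot image")
    (_, k_size, k_addr, r_size, r_addr, _s_size, _s_addr, tags, page,
     _u1, _u2, name, cmdline) = HDR.unpack_from(data)
    if page == 0 or page & (page - 1):
        raise ValueError("page size %d is not a power of two" % page)
    k_off = page                          # the header owns the first page
    r_off = k_off + _padded(k_size, page)
    if r_off + r_size > len(data):
        raise ValueError("image truncated: ramdisk runs past end of file")
    return {
        "kernel": data[k_off:k_off + k_size],
        "ramdisk": data[r_off:r_off + r_size],
        "kernel_addr": k_addr, "ramdisk_addr": r_addr, "tags_addr": tags,
        "page_size": page,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
    }


def check_repack(stock, repacked):
    """Return reasons not to flash `repacked`; an empty list means it passed."""
    old, new = parse_bootimg(stock), parse_bootimg(repacked)
    problems = []
    if new["kernel"] != old["kernel"]:
        problems.append("kernel differs from stock")
    for key in ("kernel_addr", "ramdisk_addr", "tags_addr", "page_size"):
        if new[key] != old[key]:
            problems.append("%s is 0x%x, stock has 0x%x"
                            % (key, new[key], old[key]))
    if new["cmdline"] != old["cmdline"]:
        problems.append("cmdline %r differs from stock" % new["cmdline"])
    try:
        cpio = gzip.decompress(new["ramdisk"])
    except (OSError, EOFError, zlib.error):
        problems.append("ramdisk is not valid gzip data")
    else:
        if not cpio.startswith(b"070701"):
            problems.append("ramdisk does not hold a newc cpio archive")
    return problems


def build_sample(ramdisk, base=0x200000, page=2048, pad_to=0,
                 cmdline=b"androidboot.hardware=roamer2"):
    """Constructed test image, NOT a real ZTE dump. Address offsets follow the
    classic mkbootimg defaults (assumption); base and cmdline are the values
    from the mkbootimg call in the comment above."""
    kernel = b"\x00FAKE-ZIMAGE" * 300
    hdr = HDR.pack(MAGIC, len(kernel), base + 0x8000, len(ramdisk),
                   base + 0x1000000, 0, base + 0xF00000, base + 0x100,
                   page, 0, 0, b"", cmdline)
    img = b"".join(part + b"\0" * (_padded(len(part), page) - len(part))
                   for part in (hdr, kernel, ramdisk))
    return img + b"\xff" * max(0, pad_to - len(img))


def demo():
    stock_rd = gzip.compress(b"070701" + b"stock default.prop" * 10)
    new_rd = gzip.compress(b"070701" + b"edited default.prop" * 10)
    # Raw mtd dumps are longer than the image: pad like erased flash.
    stock = build_sample(stock_rd, pad_to=0x20000)
    results = {
        "good": check_repack(stock, build_sample(new_rd)),
        "wrong_base": check_repack(
            stock, build_sample(new_rd, base=0x10000000)),
        "raw_cpio": check_repack(
            stock, build_sample(b"070701" + b"x" * 64)),
    }
    try:
        parse_bootimg(stock_rd)           # a bare ramdisk, no header
    except ValueError as err:
        results["bare_ramdisk"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

On real files, pass the bytes of the pulled boot.img and of newboot.img to `check_repack` before running flash_image. If `parse_bootimg` raises on the stock dump, the backup itself is unusable and nothing should be flashed over it.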

    • d7rk says:


      Would you have a build/rom that I could use?
      I wasn’t able to make one (linux 32bits) and so am stuck at the flash.sh gaia/gecko.

    • edu says:

      For Spanish speakers, I describe all of this in detail on my blog http://sl.edujose.org/2013/09/zte-open-hack-actualizando-fxos-11.html including a demonstration video of the zte open running FxOS 1.1

    • vuldin says:

      Awesome job edu, I’ll be going through the same steps soon. I’ll post my results.

    • Sebastien says:

      Thkx a lot Edu, followed your steps and it work perfectly !

    • vuldin says:

      The instructions work great. I had to make some slight changes for my environment… I’ll write it up in detail later. Thanks!

    • edu says:

      I’m checking how re-enable the apps updates via marketplace. Unfortunately, flash of FxOS has disabled this function. According to the b2g forums, solution is define VARIANT=user just calling flash.sh but i tried it and not works. The idea is no loss update notifications of apps post-installed. Apparently, flashing as default set webapps folder on a different path incompatible with update process… i’m not sure

    • vuldin says:

      I’ve put all the info on the process I went through in a gist: https://gist.github.com/joshuapurcell/6513333

      My steps were almost identical to edu’s, but I added info on how to get mkbootfs and mkbootimg. Also, I had to change the steps related to gunzip and cpio (the commands didn’t work otherwise).

      • Sebastien says:

        mkbootfs and mkbootimg should already be in your build repo /out/host/linux-x86/bin/mkbootfs but indeed your solution works also

      • edu says:

        /out/host/linux-x86/bin/mkbootfs and /out/host/linux-x86/bin/mkbootimg were absolute paths because I used but the CMS interpreted it as an HTML tag… the CMS is guilty :-)
        An alternative text style:

  26. Frits says:

    Hello, are the devices from Movistar different than the ones from Ebay?
    Can you flash the image intended for the Ebay devices onto the Movistar devices?

  27. azureus says:


    Any chance to change the language to German on my ZTE Open from Movistar?
    There are German files! https://hg.mozilla.org/gaia-l10n/de/

  28. vuldin says:

    This message is to the OP, pof. Where did you get the clockworkmod recovery image? The latest I can find elsewhere is, available here: http://android.podtwo.com/recovery.php?device=roamer2

    Did you compile version yourself? If so, I would like to repeat the steps to get a more recent version. There is a new feature in recent clockworkmod recovery versions which allows easy creation of a ROM zip that can be transferred to others and installed via CWM. Thanks!

  29. jkxktt says:

    In ZTE Open in 1.10pre (updated today), this doesn’t work.

  30. cimourdain says:


    Thanks for this helpful topic, I have a ZTE Open (UK) from Ebay. I successfully installed the Spanish version provided in this comment: http://pof.eslack.org/2013/07/05/zte-open-firefoxos-phone-root-and-first-impressions/#comment-1695
    I now have an issue: my phone won’t update.

    I get a system update notification and download it successfully, then the phone reboots to CWM automatically and tries to install it with CWM:
    - Verification fails, so I tried to accept installing it anyway
    - The install fails with the following message:

    assert failed: apply_patch_check("MTD:boot.425.3669:f1b49597284de698063112824cf8535a69934a10:4710400:2ccf401adc16b0f59eb4f8cd585123379645a777")
    E:error in /sdcard/updates/fota/update.zip
    (status 7)
    Installation aborted.

    Note that if I try to revert to the official ROM for the UK ZTE from here, I also get this “Status 7” error in CWM.

    thanks in advance for your help

    • cimourdain says:

      If anyone is interested, I solved my issue by following this topic: http://forum.xda-developers.com/showthread.php?t=2302599

      I opened the .zip file (from the ZTE website); in the folder META_INF > COM > GOOGLE > ANDROID, I edited updater-script. I removed the following lines:

      assert(getprop("ro.product.device") == "roamer2" ||
      getprop("ro.build.product") == "roamer2");
      assert(getprop_new("ro.build.display.id") == "OPEN_EU_DEV_FFOS");

      Then I tried to install the updated zip and it worked like a charm.

  31. Russell says:

    Welp, I got the root hack to work! Had to go to my Linux rig to get it to do so, though. Running it on Windows wasn’t working for some odd reason.

    Guess we need busybox, but not sure how to put that on the ZTE to back things up; might also want to update the guide to reflect needing that on your phone.

    If I can ever get CWM on this phone, I’ll see about getting 1.3 on it.

  32. Danny says:

    So I rooted a ZTE Open, installed the ZTE FFOS upgrade, then did an adb shell and then
    # dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
    and get
    /sdcard/stock-recovery.img: cannot open for write: Read-only file system

    This is what /mnt looks like
    shell@android:/mnt # ls -l
    drwxr-xr-x root system 2013-11-18 20:21 asec
    drwxr-xr-x root system 2013-11-18 20:21 obb
    d--------- system system 2013-11-18 20:21 sdcard
    d--------- system system 2013-11-18 20:21 sdcard2
    drwx------ root root 2013-11-18 20:21 secure

    so, why can’t I write to the sdcard?
    thanks in advance.

  33. elav says:

    Hello. Everything worked perfectly with my ZTE Open American Edition while having version 1.0. When I upgraded to version 1.1 using a ROM Movistar Spain, I could not root anymore.

  34. John Blake says:

    ZTE Open (US- E-Bay): Root, CMR and update to Firefox OS 1.1

    Here are the steps I used to update my ZTE Open using Windows 7

    1. Obtain Android SDK
    2. Put Android in windows “Path” I used this guide: http://www.youtube.com/watch?v=Khrxo0-NieM (thank you to Reverendkjr)
    3. Used Pof.HQ ( http://pof.eslack.org/2013/07/05/zte-open-firefoxos-phone-root-and-first-impressions/ ) method to root and install CMR. However run.bat file did not work (permission denied message) so opened it in notepad and ran commands separately using cmd.exe to open command line window:
    a. adb wait-for-device
    b. adb push root-zte-open /data/local/tmp/
    c. adb shell
    d. su (This was the missing step in the run.bat file)
    e. adb /data/local/tmp/root-zte-open. (If you do not add “su” line after opening shell command, you will not have superuser privileges and get “permission denied” error.)

    4. recovery-clockwork-
    a. # first backup your existing recovery
    adb shell su
    adb busybox dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
    adb pull /sdcard/stock-recovery.img

    b. # then flash clockworkmod recovery
    adb push recovery-clockwork- /sdcard/cwm.img
    adb shell su
    adb flash_image recovery /sdcard/cwm.img

    5. Next I downloaded FirefoxOS update from ZTE: http://www.ztedevices.com/support/smart_phone/b5a2981a-1714-4ac7-89e1-630e93e220f8.html

    Tried to copy to SD card and install via CMR but got a:
    assert failed: getprop_new("ro.build.display.id") == "OPEN_US_DEV_FFOS_"
    E:Error in /sdcard/update.zip
    (Status 7)
    Installation aborted.

    More research found I was lucky it failed as it will unroot and remove CMR.

    So need to make following mods
    6. Look in US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip (do not extract files)
    Find updater-script in Meta-inf/com/google/android
    7. Open in word/notepad etc and delete first 3 lines
    assert(getprop("ro.product.device") == "roamer2" ||
    getprop("ro.build.product") == "roamer2");
    assert(getprop_new("ro.build.display.id") == "OPEN_EU_DEV_FFOS");
    8. I saved file to desktop and then open it with Notepad++
    a. Under edit menu look for EOL conversion and convert to UNIX/OSX format
    b. Save again
    c. Now click and drag it back to Meta-inf/com/google/android after deleting original version.(windows compress it automatically- takes time- be patient)
    (May want to reopen it in notepad++ just to make sure the changes “took”)
    To retain root and retain CMR
    9. Locate recovery.img in US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip and delete it.
    10. Rename recovery-clockwork- to recovery.img
    11. Click and drag the recovery.img you just created into US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip and allow Windows to compress it.
    12. Copy US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip onto SD card of ZTE Open
    13. Safely remove ZTE open from computer and reboot into recovery (Power +volume up)
    a. Once in CMR select update from SD card and select US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip
    b. Once done reboot ZTE open and enjoy FirefoxOS 1.1 with retained root and CMR
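
The updater-script edits in comments 30 and 34 depend on knowing which property checks a package makes, whether the script has Windows line endings, and whether the zip carries its own recovery.img. The following added example (not from the post or its commenters) inspects a package read-only; the function names, the sample zip and the device property values are constructed for illustration, and only comparisons joined by `||` are modelled.

```python
import io
import re
import zipfile

SCRIPT = "META-INF/com/google/android/updater-script"
ASSERT_RE = re.compile(r'assert\((.*?)\);', re.S)
GUARD_RE = re.compile(r'getprop(?:_new)?\("([^"]+)"\)\s*==\s*"([^"]*)"')


def audit_update_zip(data):
    """Inspect an update package without modifying it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        raw = zf.read(SCRIPT)
    text = raw.decode("utf-8", errors="replace")
    # One list of (property, expected) pairs per assert; asserts that compare
    # no properties (e.g. apply_patch_check) are left out.
    groups = [g for g in (GUARD_RE.findall(a) for a in ASSERT_RE.findall(text)) if g]
    return {
        "guards": groups,
        "crlf": b"\r\n" in raw,                      # Windows line endings in the script
        "ships_recovery": "recovery.img" in names,   # package carries its own recovery
    }


def failing_guards(report, props):
    """Asserts where no alternative matches; assumes comparisons joined only by ||."""
    return [g for g in report["guards"]
            if not any(props.get(p) == want for p, want in g)]


def build_sample_zip():
    """Constructed sample: the three guard lines quoted in the comments, saved with CRLF."""
    script = ('assert(getprop("ro.product.device") == "roamer2" ||\r\n'
              'getprop("ro.build.product") == "roamer2");\r\n'
              'assert(getprop_new("ro.build.display.id") == "OPEN_EU_DEV_FFOS");\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SCRIPT, script)
        zf.writestr("recovery.img", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_update_zip(build_sample_zip())
    # Constructed device properties, not read from a real phone.
    device = {"ro.product.device": "roamer2", "ro.build.display.id": "CONSTRUCTED_ID"}
    print(report)
    print("would abort on:", failing_guards(report, device))
```

A guard listed by `failing_guards` corresponds to the "assert failed ... (Status 7)" abort quoted in the comments; `ships_recovery` being true means the package will replace the installed recovery.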

  35. Elias says:

    Hi, my phone has the 1.1 version and when I try to root I get:
    failed to open /dev/diag due to Permission denied
    I read that one way to root is installing 1.0 version, but since in my country ZTE Open came with 1.1v as the starting version I’m not able to do that. Can anyone help me?

    • Mauricio says:

      Hi Elias,
      What happens when you try to downgrade, and why can’t you?

      Have you tried flashing the image using fastboot?

  36. Aversario says:

    Can someone be really nice and please dump the bootloader from a working ZTE Open and send it to me?

    I’ve found some guy who maybe can help me write the bootloader with JTAG.

  37. Mauricio says:

    Hello there, and thank you for the script!

    It worked like a charm on a ZTE Open 1.0, but now I have this one and I’m stuck on it:
    roamer2 (OPEN_LATAM_FFOS_V1.1.0B01) is not supported.
    This one will not boot (stuck on Firefox OS logo), nor fastboot flash, nor fastboot boot cwm.img.
    So I think the only thing that can save me is being able to get root, but your script is also not working on this particular case:

    451 KB/s (19208 bytes in 0.041s)

    == root for Movistar zte open (roamer2) by @pof
    == CVE-2012-4220 - discovered by giantpune
    == original exploit by Hiroyuki Ikezoe
    == if the phone hangs, remove the battery and try again!
    roamer2 (OPEN_LATAM_FFOS_V1.1.0B01) is not supported.
    Attempting to detect from /proc/kallsyms...
    failed to open /dev/diag due to Permission denied.failed to get root access
    Exploit failed, rebooting and trying again!

    Do you have any idea that can do the trick?
    Thank you again!

  38. Mauricio says:

    BTW, I’m also unable to update/downgrade via Recovery because of:
    E:Failed to load keys Installation aborted.

  39. Pingback: ZTE Open: Unbrick via TPT bzw. Firmware Flasher? - Android-Hilfe.de

  40. isa says:

    I have the same issue: the phone was upgraded to B2G OS, and the issue is that there is no signal on it… it keeps searching.
    I cannot downgrade it, upgrade it or even root it… it says permission denied.

    Any help?
