{Boot-Loader} How To Unlock The Boot-Loader ( Need Temp Root ) - HTC Desire 526

I have seen reports of getting Temp-Root.
Please share how you are getting Temp Root.
Enable OEM-UNLOCKING ---->>> Without the switch in the Developer Options.
The OEM-UNLOCKING switch simply sets the last byte of the FRP partition to 01 or 00.
00 means the boot loader can not be unlocked.
01 means it can.
Steps
1 ) Enable developer options on the device and turn on usb debugging.
2 ) Get the Temp Root Access ( We need to use the adb shell )
3 ) Copy the FRP partition to a image file. (execute the below command in adb shell)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
3 ) Copy the FRP image file to a computer . (execute the below command in command window)
Code:
adb pull /sdcard/frp.img
4 ) Open the frp.img in a hex editor like HXD.
change the last byte from 00 to 01. See pics below.
5) First copy the edited frp.img to the sdcard.
Code:
adb push frp.img /sdcard/
6) Flash the edited frp.img to the device
Code:
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
Now boot the device into download mode
7) Get the unlock token for the htc dev site.
Code:
fastboot oem get_identifier_token
Go to HTC-DEV site and finish unlocking the Boot-Loader.
To Get Perm Root
1) After unlocking the boot loader flash TWRP recovery.
Code:
fastboot flash recovery twrprecovery.img
I can build the TWRP recovery ( Possibly even use Desire 626s TWRP Recovery )
2) Install supersu using TWRP.
3) Enjoy the Rooted Desire 526 ( VERIZON Model)
Can someone please share with us how you are obtaining temp root
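A read-only check for the frp.img handling in the steps above, added here as an example and not part of the original post: it reports the last-byte flag (00 or 01, as the post describes it) and confirms that an edited copy differs from the backup in that one byte only, with SHA-256 digests for record keeping. The function names and the 4096-byte sample images are constructed for illustration; a real image is the size of the FRP partition.

```python
import hashlib


def oem_unlock_flag(image: bytes) -> str:
    """Interpret the last byte of an FRP image the way the post describes it."""
    if not image:
        raise ValueError("empty image")
    last = image[-1]
    if last == 0x00:
        return "unlock-disabled"
    if last == 0x01:
        return "unlock-enabled"
    # Anything else means the image is not what the post expects.
    return "unexpected-0x%02x" % last


def review_edit(original: bytes, edited: bytes) -> dict:
    """Compare a pulled backup with its edited copy without writing anything."""
    report = {
        "original_sha256": hashlib.sha256(original).hexdigest(),
        "edited_sha256": hashlib.sha256(edited).hexdigest(),
        "flag_before": oem_unlock_flag(original),
        "flag_after": oem_unlock_flag(edited),
        "same_size": len(original) == len(edited),
        "changed_offsets": [],
        "only_last_byte_changed": False,
    }
    # A hex editor left in insert mode grows the file; a size change alone
    # is enough to reject the edited image.
    if report["same_size"]:
        diffs = [i for i, (a, b) in enumerate(zip(original, edited)) if a != b]
        report["changed_offsets"] = diffs[:16]  # cap the list for readability
        report["only_last_byte_changed"] = diffs == [len(original) - 1]
    return report


# Constructed sample images (not taken from any device).
SAMPLE_SIZE = 4096
ORIGINAL = bytes(SAMPLE_SIZE)                  # all zero, flag 00
EDITED = ORIGINAL[:-1] + b"\x01"               # only the last byte set to 01
INSERTED = ORIGINAL[:-1] + b"\x01\x00"         # byte inserted, file grew by one
STRAY = b"\x41" + EDITED[1:]                   # an extra, unintended change

if __name__ == "__main__":
    for name, image in (("edited", EDITED), ("inserted", INSERTED), ("stray", STRAY)):
        result = review_edit(ORIGINAL, image)
        print(name, result["flag_before"], "->", result["flag_after"],
              "same_size=%s" % result["same_size"],
              "only_last_byte_changed=%s" % result["only_last_byte_changed"],
              "changed=%s" % result["changed_offsets"])
```

To run it on real files, read the backup and the edited copy with `open(path, "rb").read()` and pass both to `review_edit`.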

So I guess No One is getting temp root ???
A thought on how to get root.
I'm not an app guy but what I suggest is.......
On a HTC Desire 626s toggle the OEM_UNLOCKING switch on and off.
Capture the command the switch uses to set the last byte of the FRP partition.
Create an app or command that is the same to run on the desire 526.
If we can set the last byte to 01 instead of 00 then we can unlock the bootloader with the normal HTC DEV.
If you tell me how to capture / log that command I can do it on my desire 626s.

Work around
BigCountry907 said:
So I guess No One is getting temp root ???
A thought on how to get root.
I'm not an app guy but what I suggest is.......
On a HTC Desire 626s toggle the OEM_UNLOCKING switch on and off.
Capture the command the switch uses to set the last byte of the FRP partition.
Create a app or command that is the same to run on the desire 526.
If we can set the last byte to 01 instead of 00 then we can unlock the bootloader with the normal HTC DEV.
If you tell me how to caputre / log that command I can do it on my desire 626s.
Are you saying you need a screenshot of the oem token for the 626? I have both the Verizon 526 and cricket 626. If necessary, I can get it. Really hoping you find a workaround.

@Darcliet
Are you saying you need a screenshot of the oem token for the 626? I have both the Verizon 526 and cricket 626. If necessary, I can get it. Really hoping you find a workaround.
No, that's not what I'm saying.
This is a way to get the needed OEM Unlock Token from the desire 526.
If we can set the last byte of the FRP partition to 01 then FASTBOOT OEM_UNLOCK will generate the TOKEN.
So what we need to accomplish is
Either:
A) find a way to get temp root so we can dd flash the frp partition.
B) Replicate the command that is executed on the android system to set the byte.
My reference to the Desire 626s is that the 626s has the Enable OEM Unlocking in the Developer Options.
So if we turn on and off the oem unlocking switch and then logcat the command that is executed we can use the logged command to set the FRP on the 526.
If someone tells me how to get temp root, or how to log the command from the 626s. We can give it a try.

Logcat of the switch
So I toggled on and off my Oem-Unlocking Switch in Developer Options ( Desire 626s)
This is the output I believe for that switch.
Code:
V/WindowManager( 911): not Base app: Adding window Window{52eef4 u0 com.android.settings/com.android.settings.SubSettings} at 4 of 10
I/PhoneStatusBar( 4325): setSystemUiNavVisibility(swipe=false hasFocus=false hasPolicy=false shadeState=true)
I/PhoneStatusBar( 4325): hiding the MENU button mLongPressHomeMenu = false
D/FindExtension(15804): FindExtension: before mHardwareRenderer.initialize, mSurface.isValid() = true
I/ThreadedRenderer(15804): Defer allocateBuffers to drawing time
W/Settings(15804): Setting adb_blocked has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
W/Settings(15804): Setting bugreport_in_power_menu has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
I/PhoneStatusBar( 4325): setSystemUiNavVisibility(swipe=false hasFocus=false hasPolicy=false shadeState=true)
I/PhoneStatusBar( 4325): hiding the MENU button mLongPressHomeMenu = false
W/InputMethodManagerService( 911): Window already focused, ignoring focus gain of: [email protected] attribute=null, token = [email protected], client pid=15804, inputType=0x(null)
So someone who knows more about how this works, maybe they can come up with a way to replicate those commands.
So we could execute them on the 526.
It looks like this is setting the byte maybe???
Window already focused, ignoring focus gain of: [email protected] attribute=null, token = [email protected], client pid=15804, inputType=0x
I'm not sure, this is a little out of my realm of expertise.
One thing I do know is if we can set the last bit of FRP to 01 then we can get the oem unlock token from fastboot.

flashed new frp with 0 changed to 1...
but when proceeding to htcdev website to enter my device identifier token i get the following error
"We're sorry, but it appears your attempt to unlock the bootloader on this device has failed. This could be caused by several factors including simple errors in the entry of the unlock token, problems with your device, or a lack of manufacturer support for the unlocking process. Please see the specific error code listed below, and try again if necessary.
Error Code: 170.
Error Reason: CID Not Allowed."

Gators850 said:
flashed new frp with 0 changed to 1...
but when proceeding to htcdev website to enter my device identifier token i get the following error
"We're sorry, but it appears your attempt to unlock the bootloader on this device has failed. This could be caused by several factors including simple errors in the entry of the unlock token, problems with your device, or a lack of manufacturer support for the unlocking process. Please see the specific error code listed below, and try again if necessary.
Error Code: 170.
Error Reason: CID Not Allowed."
Ok so at least you're getting the unlock token now
We can try to edit the misc.img the same way.
Pull it off your phone and open in hex editor.
You will find the CID in there.
Change it to the cid for metro pcs.
We might need to edit the board_info.img the same way too.
Then try again.
I'm trying to get my temp root back.
I had it and had to factory reset my phone.
Now kingo is not working again.
Took me like 20 times before.

Is the highlighted section what I'm looking for??
BigCountry907 said:
Ok so at least your getting the unlock token now
We can try to edit the misc.img the same way.
Pull it off your phone and open in hex editor.
You will find the CID in there.
Change it to the cid for metro pcs.
We might need to edit the board_info.img the same way too.
Then try again.
Im trying to get my temp root back.
I had it and had to factory reset my phone.
now kingo is not working again.
Took me like 20 times before.

No that's not it.
Got to look at build.prop
# begin build properties
# autogenerated by buildinfo.sh
htc.build.stage=2
ro.aa.customizationid=3026008
ro.aa.project=A13_WL_L51_DESIRE_SENSE70_VZW
ro.prot=true
ro.aa.maincid=VZW__003
ro.aa.cidlist=VZW__003
ro.aa.rid=205
ro.aa.modelid=0PM310000
ro.aa.report=com
ro.aa.skulist=603
ro.aa.taskid=448911
ro.aa.mainsku=603
ro.aa.romver=1.07.603.5
ro.onecid=1
ro.cwkey=VZW__003
ro.build.id=LMY47O
ro.build.display.id=LMY47O release-keys
ro.build.version.incremental=564390.5
ro.build.version.sdk=22
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=5.1
This is the CID:
ro.aa.maincid=VZW__003
This is the MAINVER:
ro.aa.romver=1.07.603.5
If you search for 1.07.603.5
you will see the CID right by it.
You might only find.
0PM310000
We should change that too.
I'm kinda thinking there is more in the frp.img that's causing the problem.
I want to drop the FRP.img from my desire 626s and give it a try.
Be careful could end up bricking.

If I can get this thing to root again I'm going to try and push my misc.img and frp.img from my desire 626s to the 526.
They are both msm8909 chipsets so should be compatible.
Crossing things up like that could cause a brick.
But I'll take the chance. Only paid $35 for the thing.

Here's the info for the 626s
# begin build properties
# autogenerated by buildinfo.sh
htc.build.stage=2
ro.aa.customizationid=3031505
ro.aa.project=A32E_UL_L51_DESIRE_SENSE70
ro.prot=true
ro.aa.maincid=METRO001
ro.aa.modelid=0PM911000
ro.aa.rid=427
ro.aa.taskid=455088
ro.aa.cidlist=METRO001
ro.aa.report=com
ro.aa.skulist=1550
ro.aa.mainsku=1550
ro.aa.romver=1.23.1550.3
ro.onecid=1
ro.cwkey=METRO001
ro.build.id=LMY47O
ro.build.display.id=LMY47O release-keys
ro.build.version.incremental=637541.3
ro.build.version.sdk=22
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=5.1
use the CID and Mainver And device model from here.
If you are changing your misc.img.
mainver = 1.23.1550.3
cid = METRO001
mid= 0PM911000
change mainver to 1.00.0000.0

These are the files from my 626s.
You can try to dd them over.
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
dd if=/sdcard/misc.img of=/dev/block/bootdevice/by-name/misc
dd if=/sdcard/board_info.img of=/dev/block/bootdevice/by-name/board_info
It Could cause you not to boot.
I would do frp.img and try unlock
then if don't work add misc.img
then if don't work add board_info
Backup your original files first so if it goes wrong there might be a chance to put them back.

flashed the files you provided,again once proceeding to the htcdev website to enter the token i get same error as before
BigCountry907 said:
Theese are the files from my 626s.
You can try to dd them over.
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
dd if=/sdcard/misc.img of=/dev/block/bootdevice/by-name/misc
dd if=/sdcard/board_info.img of=/dev/block/bootdevice/by-name/board_info
It Could cause you not to boot.
I would do frp.img and try unlock
then if dont work add misc.img
then if dont work add board_info
Backup your original files first so if it goes wrong there might be a chance to put them back.

flashed the files you provided,again once proceeding to the htcdev website to enter the token i get same error as before
Well that makes things much more complicated.
Chances are it's probably coded in the boot-loader itself.
If you don't mind I want to have you pull all the firmware files off the phone.
All of them.
I'll write you a script. (I still never got my temp root back).
I would like to take a look at the recovery and the kernel in the boot.img.
Like I said the Desire 626s and the Desire 530 both are msm8909 chipsets. This also includes the newer Desire 526 as well. This means that the actual firmware running the chips is the same. My initial Idea was to build my own firmware for the 626s and test flash it on the 526. If that works then theoretically we could take the boot-loader and radio images from a S-off device and flash it to a non s-off and have s-off.
Yes I know there is no way to write to those partitions without s-off ( By normal means anyway ).
Now if you intentionally cause the right kind of brick by removing the right firmware and not removing the wrong firmware to force the device into Emergency Download Mode then provided that we have the other files we need for QPST and or QFIL ( for msm8909 chips ) we can take the firmware files from the RUU for the 626s and push it to the 526.
Pretty crazy I know. For sure not easy. And also after such a flash the 526 would actually be a 626s.
If you want to know how we could do this then go here and download the whole Qualcomm Tech Folder.
https://github.com/dante198406/Qual...0-NR964-4_C_MSM8909_LA_SW_User_Manual_SPD.pdf
Learn the QPST - QFIL stuff and away we go.
Not sure what my issue is getting root now.
Kingo keeps getting stuck at like 52% till I reboot and then stuck at 65% till reboot then stuck at 77% till fail root.
Any Ideas?

Here's a link to the process in general.
http://www.droidsavvy.com/unbrick-qualcomm-mobiles/

Ya, I'm frustrated now.
I spent a whole day trying to get temp root back.
No luck.
It seems to be an issue with the kingo link app on the phone.
When I did get root it wasn't popping up; now it keeps popping up.

cmd
Would this be the correct code I'd go about to back up Img?
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
New to this so do apologize

Would this be the correct code I'd go about to back up Img?
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
Almost but not quite.
If you ran that command go to your sdcard1 folder and delete the backup.img.
Otherwise your phone memory is more than full.
The htc devices seem to use sdcard2 as the external sd card.
So first you will need a 32gb sd card.
The image size will be like 16gb.
then the command I would use is.
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard2/backup.img
then
Code:
exit
exit
so that you are at the regular command window.
then
Code:
adb pull /sdcard2/backup.img
To get it to the computer.
That is 1 of the backups we need.
But we need each partition individually too.
Give me a little while and I'll post the commands.
And Please don't try to intentionally brick your phone.
It might not be so easy to use qfil or qpst to fix it.
There are other files we need to get for qpst first.

So this code gave me a "file or directory does not exist" error:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard2/backup.img
So I Changed It To The Following:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/ext_sd/backup.img
BigCountry907 said:
Almost but not quite.
If you ran that command go to your sdcard1 folder and delete the backup.img.
Otherwise your phone memory is more than full.
The htc devices seem to use sdcard2 as the external sd card.
So first you will need a 32gb sd card.
The image size will be like 16gb.
then the command I would use is.
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard2/backup.img
then
Code:
exit
exit
so that you are at the regular command window.
then
Code:
adb pull /sdcard2/backup.img
To get it to the computer.
That is 1 of the backups we need.
But we need each partition individually too.
Give me a little wile and Ill post the commands.
And Please don't try to intentionally brick your phone.
It might not be so easy to use qfil or qpst to fix it.
There are other files we need to get for qpst first.

Ok as long as the file goes to the external sdcard you're good to go.
I found the kingoroot issue. The root works fine but the kingosuperuser app is not giving me the prompt to grant root permission. They need to fix kingosuperuser. Get it out to them and if they fix it many more people will easily get temp root. After you have it working the 1st time. Like actually working with adb shell
su
after reboot run kingoroot again and temp root comes right back.
I can't get past the su part again.

Related

[REF] How to unlock/unfreeze all SGS Models [NOW WORKS ON Vibrant 4G][Updated 4-9-11]

Vibrant 4G/SGS 4G manual method here
PRO App also works on Vibrant 4G/SGS 4G for anyone who doesn't feel comfortable with a hex editor
Do NOT try this or any other unlock method on the SC-02B Docomo phone. Please see thread here for progress on the SC-02B
Please note the same information used to develop the app is in the guide for free... the app just makes it easier
ALL METHODS FOR NEWER PHONES REQUIRE ROOT... PLEASE GO GET ROOT ON YOUR PHONE AND THEN COME BACK.
Oh and BTW... I cannot be held responsible for anything that happens to your phone.... EVER!
Before you start... if you don't have root you WILL need it unless you are on a really old version of android 2.1 (look in Appendix A for deprecated methods)
Step 1. - Retrieve nv_data.bin file
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
cat /efs/nv_data.bin >> /sdcard/nv_data.bin
Step 2. - Edit nv_data.bin file
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00 46 46
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
It should read ff 00 00 00 00 00 46 46 for unlocked
save and close file
unmount SD Card
Step 3. - Replace nv_data.bin file
I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR NV_DATA.BIN FILE BEFORE YOU CONTINUE!!!!!
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot
your phone is now unlocked... enjoy
[OPTIONAL] Use the PRO app [OPTIONAL]
Please note that this step is ONLY here for people that are not comfortable using a Hex editor.
Search "Vibrant unlock" in the market or scan the QR code:
Install and run app
press menu
press Unlock Phone
Select phone
allow root
at this point if you get an error code make SURE you mount your internal SD card on your computer and backup the nv_data.bin.orig file that is there.
press unlock
restart and your phone is now unlocked
to lock your phone for warranty
press lock instead of unlock
restart your phone, remove root, and take your phone in for warranty
APPENDIX A (DEPRECATED)
DOES NOT WORK ON 90% PHONES PLEASE USE THE APP
Using ADB
Make sure that Network Lock is the only thing on... go to phone and enter *#7465625#
Make sure USB debugging is enabled (Settings->Applications->Development->USB Debugging)
Using APP (Thanks ClarkeHackworth and DaGentooBoy)
ClarkHackworth's page about the app
Same thing as before if this bricks your phone sorry but we aren't responsible.
Step A.1. – Get your code
Search Samsung Galaxy S Unlock Tool in the market or scan the QR code.
Install SGS_Unlock.apk
Applications->SGS Unlock
Menu->Root Gen Codes (Root method is the most reliable method at this point)
Jump to Step A.2.
Step A.1.alternate – Get your code
For Mac Updated!!! New Script
nbs11 said:
1. Download the Samsung Galaxy S Unlocker for Mac from this here:
http://www.multiupload.com/9NEBR6FAKD
2. Mount the DMG and drag the folder onto the hard drive. DO NOT DRAG THE ICON WITH THE LOCK (the app). Once the file is finished copying continue.
3. Open the application with the lock. It should open a terminal window. Let it run for a few seconds and then it should show a screen like this:
4. Write down your unlock code
For Windows UPDATED!!! With Un-Freeze Codes
Video Guide
Download and extract the attached Generate Unlock Windows.zip.
Run Generate_Code.bat
Look for the line Network Control Key:YourCode
Save the code
Step A.2. – Enter the code
Power down your phone
Put in a SIM card from another carrier
Power up your phone
When it boots up it will ask for the unlock code that you found above
OR
NO SIM Method (Thanks RazvanG)
(Apparently this just adds another SIM to the accepted SIM list... can someone confirm?)
remove sim card
power on phone without sim
enter *7465625*638*# and relock the phone to another network other than the one u have u'r sim card (eg 22610)
power off phone
insert sim card back
power on and enter nck code extracted from .bak file
phone unlocked
Step A.3. – Flash back (IF THE CODE DIDN'T WORK)
Flash back to an older firmware (I9000XXJF7 with 513.pit worked for me on an I9000)
Now enter the unlock code you generated in Step 2.
RazvanG said:
HOW TO LOCK SAMSUNG GALAXY S - FOR WARRANTY PURPOSES ONLY (TESTED)
After you get the NCK code using the method above, enter: *7465625*638*#
There will be a pop-up box.
Complete the first field (MCC/MNC) with the network you want your phone locked to (eg. 226 10 where 226 = romania; 10 = orange etc.) and the second field (Control Key) with the NCK extracted from the .bak file.
Press OK and your phone should relock.
RazvanG
Guide in Spanish here
Guide in Italian here
Guide in Chinese here
LEGAL NOTES (because information should be free for all):
YOU MAY NOT, BY ANY MEANS, USE THIS SOLUTION/CODE OR PART OF IT FOR COMMERCIAL PURPOSES.
DO NOT USE THIS EXTRACTION METHOD COMMERCIALLY
PLEASE give credit (and donations if you can) to
For those of you that have donated THANKS! (You know who you are... you paid for my developer account so I could post the app)
DaGentooBoy For this AWESOME guide, the free and PRO apps, finding the other unlock bits, the original mac and windows scripts, the no root cat nv_data method, the unfreeze code portion of the mac script, and a lot of troubleshooting (Paypal)
dawen, Helroz, and NWolf for discovering the hex location of the lock bit in the nv_data.bin file (donate to NWolf here)
RazvanG for pointing galaxysguy in the right direction, finding the Freeze Code location in the .bak file, the code for re-locking the phone to any network, and the solution to unlock with only one sim card (Paypal)
rbnet.it and marcopon for the cool SGUX utility for windows to extract both the Unlock and Unfreeze codes (donate to marcopon and rbnet.it Here)
nbs11 for the new mac script that makes it REALLY easy (donate here)
Bowsa2511 for the command to extract the unlock code on a Mac (Paypal here)
rhcp0112345 for finding the file and giving me (and others) a place to start (Donate here)
galaxysguy for confirming that I was looking at the right code (Paypal here)
AllGamer for starting the Bounty thread and giving the XDA devs the motivation to get started.
If you want me to extract the code for you just PM me with a link to your zipped bml3.bak or nv_data.bin file and I will send you back the code. If it works please feel free to donate via Paypal
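The lock record described in Step 2, as a read-only parser (an added example, not the guide author's code or app): it checks the ff and 46 46 marker bytes before trusting the fixed address 0x181468 and reports each lock byte. The field names and the sample buffers are constructed for illustration; the address and byte order are taken from the guide as stated.

```python
LOCK_OFFSET = 0x181468   # address given in Step 2 of the guide
RECORD_LEN = 8           # ff, five lock bytes, 46 46
# Hypothetical field names, in the order the guide lists the lock bytes.
LOCK_FIELDS = ("network", "network_subset", "sp", "cp", "data")


def read_lock_record(blob: bytes, offset: int = LOCK_OFFSET) -> dict:
    """Return the state of each lock byte; never modifies the input."""
    record = blob[offset:offset + RECORD_LEN]
    if len(record) != RECORD_LEN:
        raise ValueError("file ends before the lock record")
    # The guide says the leading ff and trailing 46 46 are fixed. If they are
    # absent, this file has a different layout and the offset is not valid.
    if record[0] != 0xFF or record[6:8] != b"\x46\x46":
        raise ValueError("marker bytes missing at 0x%x: %s" % (offset, record.hex(" ")))
    states = {}
    for name, value in zip(LOCK_FIELDS, record[1:6]):
        states[name] = {0x00: "off", 0x01: "on"}.get(value, "unknown-0x%02x" % value)
    return states


def make_sample(record_hex: str) -> bytes:
    """Build a constructed buffer, zero-filled up to the record (not real device data)."""
    buf = bytearray(LOCK_OFFSET + RECORD_LEN)
    buf[LOCK_OFFSET:] = bytes.fromhex(record_hex)
    return bytes(buf)


if __name__ == "__main__":
    # The two byte strings quoted in the guide.
    for record_hex in ("ff 01 00 00 00 00 46 46", "ff 00 00 00 00 00 46 46"):
        print(record_hex, "->", read_lock_record(make_sample(record_hex)))
    # A file whose layout does not match is rejected instead of misread.
    try:
        read_lock_record(make_sample("00 01 00 00 00 00 46 46"))
    except ValueError as exc:
        print("rejected:", exc)
```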
Great work dagentooboy. I was working on a free unlock myself but approaching it from a slightly different angle. Unfortunately bricking my phone held me up a lot but I'm glad to see someone has done it now.
re: credits
apparently marcopon helped rbnet.it to write that sgux utility.
AllGamer said:
re: credits
apparently marcopon helped rbnet.it to write that sgux utility.
thanks... I saw the bounty thread is updated. Feel free to link to the instructions on this thread so that they all go to one place.
AllGamer said:
re: credits
apparently marcopon helped rbnet.it to write that sgux utility.
Yes! It's shown in the credits:
This is just the thing I've been looking for. Thanks a lot. Just out of curiosity, why do you have to flash back to older firmware after entering the unlock code?
Yes, I usually go by the Mark0 nick but it was already used in the forum (IIRC).
I want also to thanks andars05 for a post he made that provided some inspiration.
Nice to see that the tool is proving to be useful!
Feel free to donate to the PayPal link rbnet.it provided!
Got "Permission denied" after su in step 1 - I've got rooted Captivate with stock firmware - I know that is probably problem with access to root account, but all apps are working properly with it. Any idea for solution?
I've Windows 7, tried running command line with administrator privileges, but it didn't help.
TheNaturat said:
Got "Permission denied" after su in step 1 - I've got rooted Captivate with stock firmware - I know that is probably problem with access to root account, but all apps are working properly with it. Any idea for solution?
I've Windows 7, tried running command line with administrator privileges, but it didn't helped.
After "su", have you allowed the root access on the phone?
Jreddekopp said:
This is just the thing I've been looking for. Thanks a lot. Just out of curiosity, why do you have to flash back to older firmware after entering the unlock code?
Sorry That is what it took to unlock mine. I updated the first post... you don't have to do that if the code works.
Thanks so much, it worked on my Globe locked SGS (Philippines).
MAC users use 0xED Hex Editor and just search SSNV and you'll get your 8 digits unlock code.
TheNaturat said:
Got "Permission denied" after su in step 1 - I've got rooted Captivate with stock firmware - I know that is probably problem with access to root account, but all apps are working properly with it. Any idea for solution?
I've Windows 7, tried running command line with administrator privileges, but it didn't helped.
I found the same code in the nv_data.bin file... if you can't get the dd thing to work try
Code:
cat /efs/nv_data.bin >> /sdcard/nv_data.bin
having problems pulling the file but I have SU permissions.
$ su
su
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
Permission denied
$ dd: can't open '/dev/block/bml3': Permission denied
$
antz88c said:
Thanks so much, it worked on my Globe unlocked SGS (Philippines).
MAC users use 0xED Hex Editor and just search SSNV and you'll get your 8 digits unlock code.
I used HexEdit
http://sourceforge.net/projects/hexedit/
You can try both but the important thing is finding the code. Searching for SSNV should get you right there.
nickbarbs said:
having problems pulling the file but I have SU permissions.
$ su
su
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
Permission denied
$ dd: can't open '/dev/block/bml3': Permission denied
$
Try this and let me know if it works.
samsung galaxy s sgh-i897
Has anyone unlocked the samsung galaxy s sgh-i897 using this method?
Network unlock successful
Thank you guys!
WOWOOWOWOWOOWWWW
NETWORK UNLOCK SUCCESSFUL
as soon as i get my 25$ refund from this guy and 6£ from someone else you'll get it
EDIT: I'm Samsung Captivate Sgh-i897
turilo said:
has anyone unlocked the samsung galaxy s sgh-i897 useing this method?
I haven't heard of anyone but you are welcome to give it a try. Please let me know if it works.
Ok, I will try. So first I download the file, then follow the directions? If this works I'm definitely donating.

[GUIDE][30/06/2011]Root AND Downgrade Desire Z/G2(S-OFF/ClockWorkMod) -No Gingerbread

This guide is now obsolete. Please use this guide instead.
For Gingerbread Phones, Please use this guide.
Hey guys, this is probably the easiest guide to follow for rooting a branded desire Z. The reason why this can sometimes be hard is cause it uses a unique identifier (INFOCID) and the companies that brand the phones ONLY want roms from their company on them. This stops us from using a WWE rom like everyone else to downgrade and then root.
But ultimately, the reason I'm making this is because every other guide I've read constantly links you to other guides or other pages and it sorta annoyed me. So after I figured it all out I posted one concise guide that doesn't redirect you 50 times.
Now I’m gonna run you through EVERYTHING so you won’t get stuck anywhere.
This guide will work with:
Device: Desire Z or G2
Firmware Version: Any Firmware version will be fine (All you need to do is downgrade using step 1)
Android Version: Froyo or any previous variation of Android (Absolutely no gingerbread device will root with this method)
Btw, I take no responsibility for any damage taken by using these procedures. Sorry =P
Also if you don't have ADB and Fastboot set up then go ahead and follow the guides on the first two posts here. -Thanks nephron
g4b4g3 said:
If your INFOCID is NOT one of these you need to make a goldcard to downgrade!
HTC__001
HTC__032
HTC__E11
HTC__203
HTC__Y13
HTC__102
HTC__405
HTC__304
HTC__A07
HTC__N34
HTC__J15
Which can be checked by typing the following two commands:
adb reboot bootloader
fastboot oem boot
If your CID matches one of the CID's above then you can skip Step 1.
1. Creating a Goldcard:
Prerequisites:
ADB Set up and running fine (to check if it is working just connect your phone and have USB debugging enabled. Then type adb devices in your CMD Prompt)
HxD Hex Editor (see attachments of post 1)
USB Debugging enabled on your phone
1. Firstly we need to mount the memory card on a windows PC.
2. Format the memory card as FAT32 using all the default options.
3. Mount the memory card on your Phone. Then give it a couple of seconds.
4. Remount the memory card on your PC.
5. Find your CID by using the following command in your cmd prompt (YOU NEED ADB)
Code:
adb shell cat /sys/class/mmc_host/mmc2/mmc2:*/cid
6. Use the excel sheet provided to reverse the CID (see Attachments)
7. Go to this website and send yourself a goldcard.img
http://psas.revskills.de/?q=goldcard
8. Run HxD hex editor AS AN ADMINISTRATOR! (I can’t stress how important having admin rights is)
9. Go to Extras > Open Disk Image. Then select your goldcard.img
10. Go to Extras > Open Disk. IMPORTANT: Select your memory card UNDER the Physical Drives category. DO NOT open the logical drive.
11. Switch to your goldcard.img tab. Go to Edit > Select All. Then Edit > Copy.
12. Go to the physical drive tab and select the lines 00000000 until you get to the one with 00000170.
13. Go To Edit > Paste Write.
14. You should have a huge block of red characters now. This is good btw.
15. Mount your SD card on your Phone and let it detect it. If it comes up with a corrupt SD card error you have done it wrong and you may have to start over.
16. You are done with the goldcard.
2. Downgrading and Debranding
Before you start this please do the following:
1a. Download the RUU I’ve linked (it should be a ~300mb exe file) -Thanks g4rb4g3
ii. If you are a BELL User. Please download this RUU instead.
1b. Run the setup until you get to the screen with the tick boxes (Some Users may have to run this as an Administrator)
1c. Leave the setup running and go to C:\Users\<your account name>\AppData\local\temp ( Or Try %AppData%\Local\Temp\ ). Then right click and Sort By Date Modified. Look for the most recently created folder which should look like {xxxxxxx-xxxxxx-xxxxxxxx}. Then navigate into it and then into its one folder. Look for rom.zip and copy that to your goldcard/memory card.
1d. Rename the rom.zip on your memory card to PC10IMG.zip (Make sure it is exactly the same as the way I've typed it there)
1e. Mount your sd card back onto your phone.
2. Download the attachments (misc_version & psneuters) and extract them in a folder like C:\RootVision\
Now you are ready to begin:
1. Open a CMD prompt window
2. Navigate your way to the folder with psneuter & misc_version IN CMD PROMPT. (So the cmd prompt window should be something like this C:\RootVision> )
3. Now we will use the following 5 commands one after the other
Code:
adb push psneuter /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/psneuter
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/psneuter
adb shell
4. After the last command you should have a # and a flashing line for you to enter text. This is good. (If you get a $ you have done it wrong and should try typing the commands out again)
5. Now you have the # type the following command in: (This will spoof the radio version)
Code:
/data/local/tmp/misc_version -s 1.33.405.5
Then go ahead and type:
Code:
exit
6. Type this command into your cmd prompt (btw you should be back with the normal C:\RootVision>)
Code:
adb reboot bootloader
7. Once on your white screen with colourful text you can go ahead and press the power button ONCE
8. Now just wait for the rom to install and verify. If you get INCORRECT CID your gold card doesn’t work or your CID doesn't match and you'll need a goldcard. (Go to Step 1. and make a goldcard for your phone)
9. Go ahead and install the rom when it asks you.
10. You are done downgrading and can now begin the Rooting process.
See Post 2 For Rooting
Assuming all has gone well and you now have a rom without superuser but you have a baseband version that is 1.34xxxx.
Alright, let’s begin.
Prerequisites:
Download psneuter
Download gfree 0.5
Download root_psn
Download flash_image
Download the Desire Z hboot
Download Clockwork Recovery
ALL of these are in the attachments section
They all should be extracted into the same folder. Use something simple like C:\RootVision\Root
3. Root your Desire Z!
Before you start:
Enable USB Debugging and Allow Unknown Market Installations again.
Also delete the PC10IMG.zip on your phone if you downgraded.
Okay let's go:
1. Now Assuming you succeeded at the last part you should have a stock-ish rom without superuser. What we want to do is start by pushing all the files across with the following adb commands (use in cmd prompt the same way you pushed files in 2.)
Code:
adb push psneuter /data/local/tmp/
adb push gfree /data/local/tmp/
adb push busybox /data/local/tmp/
adb push root_psn /data/local/tmp/
adb push flash_image /data/local/tmp/
adb push su /sdcard/
adb push hboot-eng.img /data/local/tmp/
adb push Superuser.apk /sdcard/
adb shell chmod 755 /data/local/tmp/*
2. Alright now we have all the files we need to root the phone. Input the following command. This is just putting our clockwork recovery in a convenient place with an easy name.
Code:
adb push recovery-clockwork-3.0.2.4-vision.img /data/local/tmp/recovery.img
3. Now we’re gonna temp root again by typing in the following:
Code:
adb shell /data/local/tmp/psneuter
adb shell
4. This should leave us with another #. Now enter the following commands:
Code:
cd /data/local/tmp
./gfree -f -b hboot-eng.img
./flash_image recovery recovery.img
./root_psn
sync
5. Type in: (thanks for the correction john_d1974)
Code:
reboot
6. You should have a rooted phone with superuser after the reboot. Also it will have clockworkmod, SuperCID, secu-flag off & an Unlocked HBOOT-ENG.
If gfree 0.5 doesn't work for you then this section is for you:
Prerequisites:
Download psneuter
Download gfree 0.2
Download root_psn
Download flash_image
Download the Desire Z hboot
Download Clockwork Recovery
ALL of these are in the attachments section
They all should be extracted into the same folder. Use something simple like C:\RootVision\Root
1. Now Assuming you succeeded at the last part you should have a stock-ish rom without superuser. What we want to do is start by pushing all the files across with the following adb commands (use in cmd prompt the same way you pushed files in 2.)
Code:
adb push psneuter /data/local/tmp/
adb push gfree /data/local/tmp/
adb push busybox /data/local/tmp/
adb push root_psn /data/local/tmp/
adb push flash_image /data/local/tmp/
adb push su /sdcard/
adb push hboot-eng.img /data/local/tmp/
adb push Superuser.apk /sdcard/
adb shell chmod 755 /data/local/tmp/*
2. Alright now we have all the files we need to root the phone. Input the following command. This is just putting our clockwork recovery in a convenient place with an easy name.
Code:
adb push recovery-clockwork-3.0.2.4-vision.img /data/local/tmp/recovery.img
3. Now we’re gonna temp root again by typing in the following:
Code:
adb shell /data/local/tmp/psneuter
adb shell
4. This should leave us with another #. Now enter the following commands:
Code:
cd /data/local/tmp
./gfree -f
./flash_image recovery recovery.img
./root_psn
sync
5. Type in: (thanks for the correction john_d1974)
Code:
reboot
6. You should have a rooted phone with superuser after the reboot. Also it will have clockworkmod, SuperCID and secu-flag off.
4. Installing your own custom ROM
This section is just in case you don't know how to install a custom ROM.
Note: Always make sure the ROM you are installing is FOR YOUR PHONE! If you install a ROM meant for another phone you could potentially damage it or brick the phone itself.
1. Download the ROM you want and copy it to your SD Card. (Try to keep it in a folder that is easy to get to)
2. Turn off your phone.
3. Hold down the volume down button and then press the Power Button. This should take you to a white screen with lots of colourful text. One of which says FASTBOOT or FASTBOOT_USB.
4. Press the power button ONCE when BOOTLOADER is selected(BLUE)
5. Navigate using the volume buttons until you get to RECOVERY and then press the Power Button again.
6. The HTC Logo will come up then you will get a black screen with text.
7. From here you should Always do a NANDROID Backup so you can restore a working ROM if something fails.
NANDROID Backup
7a. Navigate to 'backup and restore' and then select it by pressing the trackpad button.
7b. Select 'Backup' and then let it finish. Once done you have a backup of your android.
8. Now you want to do these before you start installing:
a. 'wipe data/factory reset'
b. 'wipe cache partition'
c. Go into 'advanced' and select 'Wipe Dalvik Cache'
9. Now you can install the ROM itself. This is done by selecting 'install zip from sdcard' in the main menu. Now you can select 'choose zip from sdcard' and just go ahead and select the ROM you copied to your sd card earlier.
9a. If the phone says verification failed then just toggle the signature verification option.
FAQ - For Anyone with any issues.
1. My version is 1.7xxxx or higher. Can I use this method?
Yes you can. This method will downgrade your phone to 1.34 so your radio is no longer locked, thereby allowing you to remove the secu-flag, add superCID and install a custom recovery (like ClockWorkMod).
2. My CID is XXXXXXXX and isn't on that list, will this method still work?
Yes it will. The reason why it will work is because a goldcard is essentially a manufacturer's way of bypassing the CID checks used by ROMs. Therefore, by creating our own unique goldcards we can also bypass the CID check.
3. My CID is on the list that you mentioned. Do I need this goldcard?
No, you can skip the 1st step because when the ROM checks your phone's CID it will match up perfectly and the phone will install the older radio without issue.
4. What Benefits does rooting a phone grant you?
Simply, it allows you to install any ROM of your choosing onto the phone as well as use custom kernels and certain applications that access locked functions on the phone. This can ultimately lead to a longer battery life, more stable and more frequently updated ROMs, and finally an overall faster Android experience.
5. What is root access?
Root access essentially gives you access to anything locked by the manufacturer on the phone. This most importantly means that you can read and write to any system partitions on the phone that would normally be locked.
6. What's psneuter?
psneuter is an application used to grant temporary root access. This is done through an exploit in the android system and will give us a window to further exploit the system and ultimately grant us Permanent Root Access.
7. How do I find my CID?
To find your CID you run two commands. Firstly, in your CMD prompt you type 'adb reboot bootloader' when your phone is connected and USB debugging is active. This will restart your phone into its bootloader. Then once you see the words FASTBOOT_USB you type 'fastboot oem boot'. Then look for the words CID and then just read the 8 character CID.
Also there is a post with a screenshot here.
8. My phone will not find PC10IMG.zip
You will need to double check that the PC10IMG.zip is the correct ZIP file from the RUU that has been linked. It should be roughly 250mb in size and should be placed in the root folder of your SD Card. Also your SD Card must be compatible with your device (able to be read/written to). If you cannot access your SD Card from your Desire Z or G2 then there is probably something wrong with your SD Card. It should probably be reformatted.
9. Can I use this on the Desire Z/G2 running Gingerbread?
So far no one has been able to root the gingerbread version of android on the Desire Z/G2. Unfortunately, this guide still cannot root gingerbread desire Zs or G2s.
If there are any more, feel free to post them and I'll add them
10. I'm Missing my AdbWinApi.dll? What now?
espentan said:
I don't know if you've figured this one out yet, but here's the solution to a potential cause.
You need to add the directory containing the "AdbWinApi.dll" to Windows' path under Environment Variables, so Windows knows where to look for the necessary files when you enter commands in the shell.
For this exercise I'm going to assume that you have installed the Android SDK in the directory called "android-sdk-windows" on your C: hard drive. If you have it installed somewhere else, change the path I'm mentioning below accordingly.
Go to the Windows "Control Panel".
Click on "System and Security".
Click on "System".
Click on "Advanced system settings" in the left column of the window you're in.
Find the button called "Environment Variables" in the window that opens (it's at the bottom on the first tab).
Scroll down in the "System variables" box until you find "Path".
Select "Path" and click the "Edit" button.
At the very beginning of the input field called "Variable value" enter the following:
"C:\android-sdk-windows\platform-tools;" (without the quotes).
Do not remove any of the other paths, and make sure you have a semi colon at the end of the new path you're adding.
Reboot.
Now the windows command shell knows where to find the necessary DLL's and whatnot.
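Step 5 of the goldcard section in the guide above reads the SD card's 128-bit CID register from sysfs, and step 7 generates goldcard.img from that value. The following added example (not part of the original post or its attachments) decodes the 32-hex-digit string into the fields of the SD CID register so you can see what the value identifies. The sample CID is constructed, the function names are this example's own, and the SD card layout is assumed (eMMC uses a different CID layout).

```python
"""Decode an SD card CID as printed by /sys/class/mmc_host/mmc*/mmc*:*/cid."""

# Constructed sample value, not read from a real card. The last byte is 00:
# assumed here is a host controller that drops the CRC before the kernel
# stores the register, in which case sysfs shows 00 in that position.
SAMPLE_CID = "0353445355303247801234567800a700"

HEX_DIGITS = set("0123456789abcdef")


def crc7(data: bytes) -> int:
    """CRC-7 used by SD/MMC (polynomial x^7 + x^3 + 1), bits fed MSB first."""
    crc = 0
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            msb = (crc >> 6) & 1
            crc = (crc << 1) & 0x7F
            if bit ^ msb:
                crc ^= 0x09
    return crc


def parse_sd_cid(text: str) -> dict:
    """Split a sysfs CID string into the fields of the SD CID register."""
    cleaned = text.strip().lower()  # adb shell output ends in \r\n
    if len(cleaned) != 32 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("expected exactly 32 hex digits")
    raw = bytes.fromhex(cleaned)

    # Bytes 13-14: 4 reserved bits, then 8 bits of year (offset from 2000)
    # and 4 bits of month.
    mdt = ((raw[13] & 0x0F) << 8) | raw[14]
    fields = {
        "manufacturer_id": raw[0],
        "oem_id": raw[1:3].decode("ascii", errors="replace"),
        "product_name": raw[3:8].decode("ascii", errors="replace"),
        "revision": f"{raw[8] >> 4}.{raw[8] & 0x0F}",
        "serial": int.from_bytes(raw[9:13], "big"),
        "manufactured": f"{2000 + (mdt >> 4)}-{mdt & 0x0F:02d}",
    }

    # Byte 15 is CRC7 in the top 7 bits plus a stop bit that is always 1,
    # so a real CRC byte can never be 00.
    if raw[15] == 0:
        fields["crc"] = "absent"
    elif raw[15] & 1 and raw[15] >> 1 == crc7(raw[:15]):
        fields["crc"] = "ok"
    else:
        fields["crc"] = "mismatch"
    return fields


if __name__ == "__main__":
    for name, value in parse_sd_cid(SAMPLE_CID).items():
        print(f"{name:16} {value}")
```

The serial number field is unique per card, so the CID read from one memory card will not match another card of the same model.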
will this work if i have 1.84.666.2?
anyone? thought?
Should work fine as long as you've got a Desire Z or G2 lol.
Hi, managed to root the DZ successfully, however on step 5 you say
"5. Type in:
Code:
Reboot"
I got a Reboot: error not found
I retried with "reboot" and was successful
Hi, I'm sure this has been covered before in other posts, but could someone tell me, if I were to use the above method to downgrade and root etc., would this prevent me from doing an official upgrade to, say, Gingerbread in the near future? Also, are there any real benefits to going to Gingerbread? I ask as I'm sure I've read somewhere it's only possible to flash to cooked ROMs, not official ones (once downgraded and rooted etc.). This would concern me as I've moved over from Win Mo to Android, and in my experience, EVERY cooked unofficial ROM I ever flashed (Xperia X1) was simply rubbish, and I tried a lot of them. (Even though people would say the ROMs would be fine, bugs smoothed out etc.), I went back to stock in the end after constant disappointment.
Sorry for the rant, just need to know where I stand.. thanks people..
jmpcrx said:
Hi, I'm sure this has been covered before in other posts, but could someone tell me, if I were to use the above method to downgrade and root etc., would this prevent me from doing an official upgrade to, say, Gingerbread in the near future? Also, are there any real benefits to going to Gingerbread? I ask as I'm sure I've read somewhere it's only possible to flash to cooked ROMs, not official ones (once downgraded and rooted etc.). This would concern me as I've moved over from Win Mo to Android, and in my experience, EVERY cooked unofficial ROM I ever flashed (Xperia X1) was simply rubbish, and I tried a lot of them. (Even though people would say the ROMs would be fine, bugs smoothed out etc.), I went back to stock in the end after constant disappointment.
Sorry for the rant, just need to know where I stand.. thanks people..
It is pretty difficult to go back to stock updates from your carrier for example Vodafone. This is because of the unique CIDs used and the fact that it is extremely hard to find a stock ROM since no one can give you a NANDROID backup.
Anyways, there are numerous benefits to rooting your phone included with most ROMs. These benefits include longer battery life, faster ROMs & various other things depending on each chef.
Ok, thanks, but are the ROMs buggy at all, will some of the hardware not work properly, or will I have freezing probs etc., as I found this always to be the case with Win Mo ROMs? Have you personally found a ROM that works perfectly that includes HTC Sense? As I do like the UI..
My goal is to have all security off, full perm root, with a perfectly working Sense ROM that I can then overclock to a speed that works well with my particular phone, and to underclock when idle etc..
Thanks..
I need to verify that my Tmobile G2's INFOCID is compatible.
I typed in the two commands:
adb reboot bootloader
fastboot oem boot
The first one worked. The second command is not recognized once I'm in the bootloader. Can someone suggest a solution?
Newbie question,
how to unroot if I root the phone using this method?
and how to go back to original rom?
Vader™ said:
Newbie question,
how to unroot if I root the phone using this method?
and how to go back to original rom?
Firstly, to root the phone just follow the steps and once you've finished them all you will be done.
Second, it should technically be possible once you've rooted the phone to simply do a NANDROID backup via ClockWorkMod Recovery before you start flashing new ROMs. If you have backed it up and later decide you want to unroot then all you would need to do from there is restore your nandroid backup and unroot the phone through this method.
forceOnature said:
I need to verify that my Tmobile G2's INFOCID is compatible.
I typed in the two commands:
adb reboot bootloader
fastboot oem boot
The first one worked. The second command is not recognized once I'm in the bootloader. Can someone suggest a solution?
Using this method you don't have to worry about your CID. If you make a goldcard it will completely bypass the need for one of the CID's listed in the first post. So to put it simply, you don't need to worry about your unique CID if you create and use a goldcard to downgrade.
Aegishua said:
It should technically be possible once you've rooted the phone to simply do a NANDROID backup via ClockWorkMod Recovery before you start flashing new ROMs. If you have backed it up and later decide you want to unroot then all you would need to do from there is restore your nandroid backup and unroot the phone through this method.
Okay, but we need to root the device first, right? Before ClockWorkMod Recovery can run, the problem is, if I root the device first, the device must be downgraded to build 1.34.405.5, and now my Desire Z is using build 1.82.xxx.x
Is it that if we back up via ClockWorkMod, the ROM that we back up is 1.34.405.5, not my current build?
please help bro, really confused here
Hi forceonature, I'm no expert, but when I was having a look myself, I found out it was simply that my environment variables weren't set up for the directory fastboot was located in.. an easy way round this was just to enter the directory fastboot was in (program files, 'some directory'.. do a quick search) within your command prompt, and type the second command from there.. hope that helps..
Everything goes fine until
mmap() failed. Operation not permitted
when I put in
adb shell /data/local/tmp/psneuter
Any help?
Also I can only put su and Superuser.apk on my sdcard if I manually transfer them.
Hi forceonature, I'm no expert, but when I was having a look myself, I found out it was simply that my environment variables weren't set up for the directory fastboot was located in.. an easy way round this was just to enter the directory fastboot was in (program files, 'some directory'.. do a quick search) within your command prompt, and type the second command from there.. hope that helps..
I need to verify that my Tmobile G2's INFOCID is compatible.
I typed in the two commands:
adb reboot bootloader
fastboot oem boot
The first one worked. The second command is not recognized once I'm in the bootloader. Can someone suggest a solution?
I tried the same thing to get my DZ phone's CID and the first one worked and the second didn't. If I don't have to make a gold card all the better. How can I find out for sure if my CID is on the list or not? Also if I have to make a gold card do I need to have a micro SD card to make the gold card?
Thanks,
Chevy
chevy2410 said:
I tried the same thing to get my DZ phone's CID and the first one worked and the second didn't. If I don't have to make a gold card all the better. How can I find out for sure if my CID is on the list or not? Also if I have to make a gold card do I need to have a micro SD card to make the gold card?
Thanks,
Chevy
You should get a line that says INFOt.cid=XXXXXXXX or any of the lines that say your 8 Digit CID. However, as you can see there are multiple lines that say it and they should all be the same.
If your CID does match one on that list then you will not need a goldcard.
I've attached a screenshot to make things easier.
forceOnature said:
Okay, but we need to root the device first, right? Before ClockWorkMod Recovery can run, the problem is, if I root the device first, the device must be downgraded to build 1.34.405.5, and now my Desire Z is using build 1.82.xxx.x
Is it that if we back up via ClockWorkMod, the ROM that we back up is 1.34.405.5, not my current build?
please help bro, really confused here
Yeah, you can only have a NANDroid backup of 1.34.xxx because there is no way to get clockwork onto a 1.72+ rom.
Hi, I'm new to rooting the G2. I've been trying to follow this tutorial, but I'm having some trouble. After renaming Rom.zip to PC10IMG.zip I booted into the bootloader and it says 'no image found' or something like that. What am I doing wrong? Am I not supposed to put the zip file on the root of the SD card? Is it possible to just use the RUU to downgrade?
And regarding the downgrade, the build number on my G2 shows 1.22 . Isn't that lower than 1.34?
Any help is appreciated!
I followed the instructions twice and both times I get to
"/data/local/tmp/misc_version –s 1.33.405.5"
I get
/
Patching and backing up partition 17
Error opening backup file.
#
The first time around I ignored it and went through hboot, the rom PC10IMG.zip was checked and verified and finally failed prompting "the main version is older"
What am I missing?
EDIT: checked SD card, unmount and remounted phone/sdcard no avail.
Will try 1.33 Bell rom next.
EDIT2: Patching and backing up successful, problem was I couldn't get my phone to stay in debugged mode without being in DISK DRIVE, had to start HTC Sync to mount the phone in that way to relieve the sd card, allowing adb to patch the file. Now running through PC10IMG.zip with fingers crossed.
EDIT3: Everything went smooth after that! Thanks. Now I will attempt to update to 2.3 and Sense 3.0
EDIT4: Now running on 2.3.3 and Sense 3.0 Virtuous port. Testing...probably going back to more stable gingerbread and sense 2.1

[How To] Root New Evo4g Hboot 2.18 without Unrevoked Without HTCDEV.com Windows Only

So... I recently had my Evo replaced. As a result I found that I can no longer use Unrevoked to root, nand unlock and S-off my new phone. The current guides all point to using htcdev.com/bootloader, however it seems rather unreliable because I attempted to access it, and the site kept reporting it had an incorrect .php file or some stuff. Google searches proved that this site goes down frequently.
So with some Google searching I have pieced together an offline way to root an Evo4g. From the sounds of it, I think this method will root, Nand Unlock, S-off, and push a recovery to any device. At least from what I am understanding. Also apparently this method WILL NOT void your HTC warranty because you do not need to use HTCDEV.COM/Bootloader.
Soooooo... My disclaimer.. I am not a dev, I have no idea what the first thing a dev does. I give ALL credit to the people that put in the hard work to allow me to achieve root. I will also post credits and the original thread I pulled this information from. Also, if you mess things up, I can't help you. I probably won't even be able to answer any of your questions.
This method uses a hack provided by SimonSimon34 on these forums for his HTC Wildfire, but it WILL work on our Evo's.
First things first.
1. Turn on your phone
2. Go To Settings->Apps->Development Enable Usb Debugging.
3. Visit Simonsimons34 Wildfire Unlock Thread
4. Download the V2 Universal Rar he has
5. The instructions for this zip are easy. Once downloaded, I suggest moving it to the Desktop. Extract to a folder on the desktop and name it root.
6. Once extracted open your folder you just named root. There will be a file in there called Simonsutility.bak; double click on it.
7. You are presented with 4 options.
1. Bootloader Unlock and Root (Universal)
2. Custom Recovery (Unlocked or S-Off)
3. S-Off
4. Install Drivers
Connect your phone to the computer, Choose Charge only. Choose 1 and press enter
8. The phone then does a lot of stuff. Not exactly sure what any of it means, but if you watch the Simonsutility window it kind of explains as it's going what it is doing. When it's finished choose option 2 and press enter.
9. You should now be staring at your bootloader screen. Now you need to choose a recovery. I recommend Amon_Ra's as I have yet to have any catastrophic issues using it. This can be downloaded: Amon_ra Recovery. Current version is v.2.3, just make sure you download it.
10. Once downloaded I suggest moving it to the folder we created earlier called Root and renaming it to recovery.img because it's going to make things easier in the next step.
11. Now you have all you need to push the new recovery. Open up the root folder and shift+right click on fastboot and choose open command prompt here. If you do not have that option, click on your start menu, type CMD, and then navigate to your C:/users/*username/desktop/root folder (*username is obv your user profile name).
12. Once you are in the fastboot folder/directory type
Code:
fastboot flash recovery recovery.img
Once it is finished you can select reboot recovery and you will now be in the Amon_ra Recovery.
From here you can flash a ROM, of which, for first time rooters, I would recommend Fresh Evo 4.3.3 just because of its stability.
Below are the PayPal accounts and original threads I ripped off all of this information from. If there is enough interest I will update everything with pics. As I know the resources for this information are very low.
Thanks To
-==-=-=-=-=-=-=-
SimonSimon34
Simons Paypal
Simons Wildfire Thread
Amon_ra
Amon_ra's Paypal
Amon_ra's Original Thread
Captain Throwback
Captain Throwback's Thread
I'm placing Captain Throwback up here because his thread was the original thread I was following, however since the HTC site was down I wasn't able to do anything, but I stole his picture of the Amon recovery push.
Anyways, if I missed something feel free to flame me incessantly.
ACTUALLY THIS THREAD IS IN THE WRONG SECTION.
It does appear to work without going to the Htcdev site.
Well, someone had to test this method besides Hamspiced (Thanks for the tip). To summarize the method and give a brief description of what was done: I first S-ON and unrooted the phone back to 4.67 with the bootloader LOCKED (OWW). Downloaded the file from
http://goo.im/devs/simonsimons34/HTC_Universal/Htc_Utilityv2Windows.zip
and unzipped it to a folder called root. Then,
1. Went to Setting/Applications and turned off Fastboot, then Settings/Applications/Development and enabled USB debugging.
2. Went to the root folder and ran the Drivers.exe program (to install the MYHTC drivers).
3. Connected the phone to my computer.
4. Ran the simonsutility.bat file, and was given the set of options:
1. Bootloader Unlock and Root (Universal)
2. Custom Recovery (Unlocked or S-Off)
3. S-Off
4. Install Drivers
and chose option 1.
5. After following a series of instructions, the phone finally rebooted into the bootloader and then read UNLOCKED, to my surprise. Also I tried options 2-4, but none of them seem compatible with the EVO 4g. So, the phone is now unlocked, but S-ON, but as long as the bootloader is unlocked, I can still do anything to the phone that I want, including installing the custom Recovery and turning it back S-OFF (I've done this many times).
So based on the experiment, there does seem to be an alternative right now to going to the Htcdev site to unlock the bootloader. It should work on other phones with the same type of bootloader (LOCK OWW) as well. I see that this takes advantage of a known vulnerability which I am not going to detail here to flash to the bootloader. I'm sure HTC knows about it and will patch it on future phones.
Well awesome! I'm glad that my only mess up was that I posted it in the wrong section.
I was tired of the HTCDev site consistently not working properly. I always had issues accessing it.
It's actually quite simple to understand without using the program (well I read programs very well): Temp root, Copy misc partition to data directory, unlock it with the bool file, flash unlocked misc image back to misc partition...with no Htcdev site. I've done it manually several times. I don't see why no one discovered it sooner.
shortydoggg said:
It's actually quite simple to understand without using the program (well I read programs very well): Temp root, Copy misc partition to data directory, unlock it with the bool file, flash unlocked misc image back to misc partition...with no Htcdev site. I've done it manually several times. I don't see why no one discovered it sooner.
Isn't this the same thing TacoRoot does, essentially?
Captain_Throwback said:
Isn't this the same thing TacoRoot does, essentially?
It does use tacoroot, but instead of running a PC36IMG file or RUU to downgrade, it uses some file called bool to unlock the bootloader almost directly. The main syntax after Tacoroot (once the files are given the chmod 755 command from the /data/local directory):
dump_image misc /data/local/misc.img
bool /data/local/misc.img unlock
flash_image misc /data/local/misc.img
I'm typing the commands from the top of my head, so there may be a spelling error. Reboot the phone, and the bootloader goes from "LOCKED OOW" TO "UNLOCKED".
Will this method reformat your phone or no?
This response is a little late because I'm on another phone now, but for those that want to know;
It unlocks the bootloader without wiping your phone, unlike the HTCdev site.
shortydoggg said:
So, the phone is now unlocked, but S-ON, but as long as the bootloader is unlocked, I can still do anything to the phone that I want, including installing the custom Recovery and turning it back S-OFF (I've done this many times).
Hamspiced, thank you for this method, I was having the same problem (had to get a replacement evo with the new software, and htc dev crashes every time I loaded the token)
I have a question for shortydoggg, how were you able to achieve s-off using this method? And were you able to remove the watermark?
wjHarnish said:
Hamspiced, thank you for this method, I was having the same problem (had to get a replacement evo with the new software, and htc dev crashes every time I loaded the token)
I have a question for shortydoggg, how were you able to achieve s-off using this method? And were you able to remove the watermark?
The method is just an alternative to going to the HTCdev site (and wiping the phone) to unlock the bootloader. It only unlocks the bootloader so that you can flash a custom recovery and flash superuser to obtain root access without wiping data. The phone will still be S-ON. You would then need to follow Captain Throwback's guide to obtaining S-OFF to remove the watermark and obtain S-OFF afterwards.
You can also show it as locked boot loader and send back to HTC leaving your warranty intact. That's in my next update
This looks cool. I am trying to root my brother-in-law's EVO. I tried HTCDev and had no luck whatsoever. I'll report back as well once I get his phone charged up.
10:35 pm est
Looks like Goo.im is down or something. Unable to download any of the links for the Utility.
Does anyone have the file laying around?
shortydoggg said:
It's actually quite simple to understand without using the program (well I read programs very well): Temp root, Copy misc partition to data directory, unlock it with the bool file, flash unlocked misc image back to misc partition...with no Htcdev site. I've done it manually several times. I don't see why no one discovered it sooner.
It seems that when goo.im went down SimonSimon34's source code was lost with it.
If you would be so kind as to detail the manual version of this method it would be helpful to me, and I'm sure others, until SimonSimon34 finishes rewriting his utility, unfortunately, from the ground up.
Thank you much,
J.
jackfrost909 said:
It seems that when goo.im went down SimonSimon34's source code was lost with it.
If you would be so kind as to detail the manual version of this method it would be helpful to me, and I'm sure others, until SimonSimon34 finishes rewriting his utility, unfortunately, from the ground up.
Thank you much,
J.
I'm going to detail the method as much as possible here, since some want to see it. I have added links to the original SimonSimon34 source code, as well as a zip file with the necessary files for a manual method. I have walked through the manual mode step by step and have provided as much step by step procedure as I have time for. Just remember 2 things here:
1. This method was originally made by SimonSimon34.
2. Any attempt at unlocking your bootloader and rooting your phone is at your own risk, so if you brick your phone, it's nobody's fault but your own.
Links:
SimonSimon34 original source code:
https://dl.dropbox.com/u/38127313/Htc_Utilityv2Windows.zip
Shortydoggg's breakdown and additions to SimonSimon's file for Manual Method.
https://dl.dropbox.com/u/38127313/Root 2.3.5.zip
(YOU NEED TO UNZIP THE FILES TO A FOLDER OF YOUR LIKING.)
NOW FOR A DESCRIPTION OF HOW THE ROOT METHOD WORKS (MANUALLY). YOU COULD ALSO JUST RUN THE Htc_Utilityv2Windows UTILITY (simonsutility.bat) SINCE IT IS PROBABLY EASIER, ALTHOUGH I FOUND SOME ERRORS AND MADE MY OWN CORRECTED VERSION WHICH I'M NOT GOING TO POST SINCE MOST OF IT IS NOT MY OWN WORK. ALSO, THE WAY I ENTER MY COMMANDS IS SLIGHTLY DIFFERENT THAN THE WAY SIMONSIMON34 DOES HIS INSIDE HIS PROGRAM.
1. THE PHONE SHOULD BE IN CHARGE ONLY MODE WITH IT PLUGGED INTO YOUR COMPUTER'S USB.
2. RUN THE DRIVERS.exe file
3. TURN OFF FASTBOOT UNDER SETTINGS/APPLICATIONS
4. ENABLE USB DEBUGGING UNDER SETTINGS/APPLICATIONS/DEVELOPMENT
5. NOW YOU WOULD OPEN A COMMAND PROMPT AT THE FOLDER WHERE YOU UNZIPPED THE FILES, THEN TYPE:
adb push tacoroot.sh /data/local <ENTER>
adb push flash_image /data/local <ENTER>
adb push dump_image /data/local <ENTER>
adb push bool /data/local <ENTER>
adb push Superuser.zip /sdcard/ <ENTER>
adb shell
cd /data/local
chmod 755 tacoroot.sh
chmod 755 flash_image
chmod 755 dump_image
chmod 755 bool
./tacoroot.sh --recovery
(HOLD VOLUME UP + VOLUME DOWN + POWER BUTTONS WHEN THE RED TRIANGLE APPEARS, THEN HIT THE POWER BUTTON TO REBOOT THE PHONE.)
(ONCE IT REBOOTS, TYPE
adb shell
/data/local/tacoroot.sh --setup
(HOLD VOLUME UP + VOLUME DOWN + POWER BUTTONS WHEN THE RED TRIANGLE APPEARS, THEN HIT THE POWER BUTTON TO REBOOT THE PHONE.)
(ONCE IT REBOOTS, TYPE
adb shell
/data/local/tacoroot.sh --root
(IF AT ANYTIME THE PROCESS IS MESSED AFTER THIS POINT, YOU MUST REBOOT THE PHONE THEN TYPE:
adb shell
/data/local/tacoroot.sh --undo
IN ORDER TO RESTORE YOUR PHONE BACK TO WORKING CONDITION)
adb shell
cd /data/local
./dump_image misc misc.img
./bool misc.img unlock
./flash_image misc misc.img
./tacoroot.sh --undo
(ONCE THE PHONE REBOOTS, THEN BOOT INTO THE BOOTLOADER BY TYPING
adb shell
reboot bootloader
fastboot flash recovery recovery.img
fastboot reboot-bootloader
(WHEN THE PHONE REBOOTS, HIT THE POWER BUTTON, USE THE VOLUME DOWN BUTTON THEN THE POWER BUTTON TO GO INTO RECOVERY, THEN FLASH THE SUPERUSER.ZIP APP WHICH SHOULD BE ON THE ROOT OF THE SDCARD. REBOOT THE PHONE AND IT SHOULD NOW BE ROOTED.)
bool misc.img lock will lock it back how it was before, locked. Not relocked. But full blown locked
Sent from my One V using Tapatalk 2
If anyone has a copy of the Htc_Utilityv2Windows can you please post it, since it was lost from goo when they crashed.
Thanks
gadgetdaddy said:
If anyone has a copy of the Htc_Utilityv2Windows can you please post it, since it was lost from goo when they crashed.
Thanks
I already posted a link in this thread.
Sent from my SGH-I747M using xda premium
Mention github has utility 2 please
Sent from my One V using Tapatalk 2
simonsimons34 said:
bool misc.img lock will lock it back how it was before, locked. Not relocked. But full blown locked
Sent from my One V using Tapatalk 2
Not sure what you mean by "full blown locked" as opposed to "relocked"
Do you mean it will go back to s-on even if you went the full way to s-off, or are you referring to something else?
Sorry for the noobish question.
Thank you.
Sent from my PC36100 using Tapatalk 2
jackfrost909 said:
Not sure what you mean by "full blown locked" as opposed to "relocked"
Do you mean it will go back to s-on even if you went the full way to s-off, or are you referring to something else?
Sorry for the noobish question.
Thank you.
Sent from my PC36100 using Tapatalk 2
I mean like how the phone was when you bought it. If you need to send it in for warranty you would flash the stock hboot, send the son command, run bool lock command, and flash the ruu then your phone will be exactly like it was when you bought it
Sent from my One V using Tapatalk 2

[how to] remove your "tampered" banner

if you have recently s-off'ed using a java card,or some other exploit that did not remove your tampered banner from the bootloader screen,then this thread is for you.
you do NOT need to downgrade your hboot. this simple adb command works without any scary hboot downgrades.
*you must be s off.
*you must have superuser installed(see this thread if you need help installing superuser)
read this:
this will not work if you're s on
the usual disclaimers:
use this info at your own risk. if it melts your phone into a little pile of aluminum goo,its not my fault.
credits
-beaups for giving me the echo command,so yall didnt need to dump,edit with a hex editor,and copy back
[email protected] for testing it
IF you are an advanced user with adb/fastboot set up and some basic knowledge of the cmd window,you can skip to #2
1)set up adb
-download this file
-install drivers: if you have htc sync installed,you should already have drivers. if not,you can install htc sync,or install these modified htc drivers from revolutionary (driver mirror)
-unzip your miniadb_v1031.zip file. this is native functionality in windows 7. you otherwise may need a utility such as "7-zip" to extract,or unzip it. place the unzipped folder onto the root of your C drive on your PC. root means the top level,not inside any folders. so just copy and paste,or drag and drop the folder onto C with everything else that is there. you may want to rename it to "miniadb_m7" since youll be putting some device specific files in here.
-open a command window. on windows 7,click the start bubble in the lower left and type "command" in the search box. xp i believe is similar or the same. doing this should open a small black command window.
-change to your miniadb_m7 directory. type the following at the prompt in your cmd window:
cd c:\miniadb_m7
your command prompt should change to "c:\miniadb_m7>" provided you: 1)unzipped the miniadb_v1031 zip file,and 2)put the folder on your c drive,and 3)entered the name of the folder correctly ("miniadb_m7" in this case)
-now make sure usb debugging is checked in developer options(you will need to turn it on first),and plug your phone into your PC with a usb cable
-make sure your phone is being recognized- type:
adb devices
if your drivers are installed correctly,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.
if you get your serial number back,then enter this command:
adb reboot bootloader
this should take your phone to the "fastboot" screen,which is white with colored letters. this is one mode of your bootloaders interactive modes. at the top youll see fastboot devices as confirmation youre in fastboot.
now enter:
fastboot devices
again,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.
if you get your serial number back,you can enter the following to boot back to the phones OS:
fastboot reboot
and now,youve installed adb/fastboot and tested your phones drivers. if at either spot,you have trouble and dont get your serial number back,there is some sort of connection issue. use these steps to troubleshoot:
troubleshooting connectivity issues:
-try a reboot of the PC
-try different usb cables and ports
-dont use a usb hub
-dont use usb 3.0
-make sure nothing capable of communicating with the phone is enabled and running. htc sync,pdanet,easy tether,and even itunes have all been known to cause issues.
-windows 8 has been known to have issues. try a windows 7 or older machine
failing the above,
-i use these drivers for fastboot and adb(download and run as admin): http://downloads.unrevoked.com/HTCDriver3.0.0.007.exe (mirror)
failing that,try manually updating the drivers in the following manner:
-put the phone in fastboot mode(select fastboot from the hboot menu)
-open device manager on the PC
-plug in phone,watch for it to pop up in device manager.
-update drivers with device manager,pointing the wizard to the extracted
driver download folder from above
note that you can check the connectivity of the phone,and make sure drivers are working in the following manner:
-open cmd window. change to directory containing adb/fastboot utilities
-adb with the phone in the booted OS,usb debug enabled,enter:
adb devices in a cmd window
-fastboot with phone in fastboot,enter:
fastboot devices in cmd window
in either case,a properly connected phone with working drivers installed should report back the phones serial number.
this process,in your cmd window,should look something like this:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Scott>cd c:\miniadb_m7
c:\miniadb_m7>adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
FAxxxxxxxxxx device
c:\miniadb_m7>adb reboot bootloader
c:\miniadb_m7>fastboot devices
FAxxxxxxxxxx fastboot
c:\miniadb_m7>fastboot reboot
rebooting...
finished. total time: 0.037s
c:\miniadb_m7>
2)reset your "tampered flag"
enter the following:
adb devices
adb shell
su (if needed to get a # prompt)
echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
(i would very strongly recommend you copy/paste this)
exit
(exit a second time if you need to to get back to a normal > prompt)
adb reboot bootloader
verify tampered is gone
mine
Disregard, I figured it out...
Any way to remove the unlocked tag?
santod040 said:
Just wanted to say thanks for this and all your helpful posts about the forums. (as always)
I also wanted to ask your opinion on the Regaw Mod Customizer.
Following the steps for creating a plugin, I made one in Visual Studio as directed for hboot 1.54.
However, when I place newly built .dll, made using our hboot and info.txt, in the directory with the customizer, it fails to see any plugins...?
Any thoughts or suggestions? I can move this elsewhere if need be as well.
Seemed here was as good a place as any though.
I didn't wanna make a thread for a broken plugin, but would like to get it done.
I also asked in the Dev's thread :fingers-crossed: and uploaded my not yet working for me/broken? plugin for him.
Just thought maybe you might have some input, maybe not.
No worries either way and thanks again.
you're quite welcome,glad to help as always.
while i do get the desire to customize all aspects of ones device,im not a fan of the bootloader modifier for a couple simple reasons:
-it carries a certain amount of risk.no matter how small,i just dont think folks should mess with the bootloader too much since its such an important piece of firmware.
-some folks are using it to deceive their carriers about being s on and locked,rather than taking the time to restore to stock correctly.
so unfortunately,no ideas or suggestions for you there,lol. ive never messed with it and have no idea how it works.
GrayTheWolf said:
Any way to remove the unlocked tag?
I think Scotty can help you put it back to "locked" if you want
Sent from my HTC6500LVW using XDA Premium 4 mobile app
GrayTheWolf said:
Any way to remove the unlocked tag?
yup!
http://forum.xda-developers.com/showthread.php?t=2470340
assuming you want it to read locked and not gone entirely
scotty1223 said:
yup!
http://forum.xda-developers.com/showthread.php?t=2470340
assuming you want it to read locked and not gone entirely
Sorry, that's what I meant. I want to look as stock as possible in case I have another radio mishap.
But does that completely relock the bootloader, or just reset the flag?
Pretty sure stock has a locked flag
Sent from my Stock, Locked Down HTC6500LVWBLU using Tapatalk 4
If I've helped, please hit the thanks button
GrayTheWolf said:
Sorry, that's what I meant. I want to look as stock as possible in case I have another radio mishap.
But does that completely relock the bootloader, or just reset the flag?
well,both. its NOT a patched or hex edited hboot.
hboot checks mmcblk0p3 to see what the status is. if it finds 00 00 00 00 then it keeps itself locked,allows no access,and displays locked. if it finds HTCL,same scenario,but it displays relocked. finding HTCU it will allow access to boot,system,and recovery and display unlocked
when you first flash unlock_code.bin,the flag is set to HTCU
when you enter fastboot oem lock the flag is set to HTCL,and is not accessible while s on. so once youve unlocked while s on,someone can always tell.
even while s off,there is no "naturally occurring" situation(like running an ruu) that can change the lock flag back to stock locked,as p3 is not a block that is updated,and no other scenarios other than flashing unlock_code.bin or entering fastboot oem lock will set the flag.
the command is resetting the flag in p3 to 00 00 00 00,which is just like it came from the factory. no tricks or false banners,its now 100% from the box stock
hope that clears it up
Thanks for that little bit of insight Scotty.
Sent from my HTC6500LVW using XDA Premium 4 mobile app
scotty1223 said:
well,both. its NOT a patched or hex edited hboot.
hboot checks mmcblk0p3 to see what the status is. if it finds 00 00 00 00 then it keeps itself locked,allows no access,and displays locked. if it finds HTCL,same scenario,but it displays relocked. finding HTCU it will allow access to boot,system,and recovery and display unlocked
when you first flash unlock_code.bin,the flag is set to HTCU
when you enter fastboot oem lock the flag is set to HTCL,and is not accessible while s on. so once youve unlocked while s on,someone can always tell.
even while s off,there is no "naturally occurring" situation(like running an ruu) that can change the lock flag back to stock locked,as p3 is not a block that is updated,and no other scenarios other than flashing unlock_code.bin or entering fastboot oem lock will set the flag.
the command is resetting the flag in p3 to 00 00 00 00,which is just like it came from the factory. no tricks or false banners,its now 100% from the box stock
hope that clears it up
So I wouldn't be able to do fastboot commands over ADB.
GrayTheWolf said:
So I wouldn't be able to do fastboot commands over ADB.
correct. being unlocked lets you use fastboot flash partition imagename.img and fastboot boot imagename.img ,but only for boot,system and recovery,so their usage is pretty limited. you still cant fastboot flash a radio,hboot,splash screen etc.
its not a terribly big deal,you just need to install things in RUU mode,using the fastboot flash zip zipname.zip command. so you can still do everything you could with an unlocked bootloader,you just have to go about it a bit differently.
alternately,beaups new method will possibly include a patched hboot,which will let you fastboot flash all partitions(tho still not give you all the eng commands)
since its easy enuff to make it locked again,i keep mine unlocked. but it honestly doesnt matter much.
This worked perfectly! Thanks, scotty!
Thanks I can use this now that s-off is available.
thanks guys this worked awesome . love all the help you can get here !
Thank you! Hated that tampered badge.
Thanks much! worked great!
Worked for me, thanks!
Thanks for posting this method, it worked great for me.

[how to] lock/unlock your bootloader without htcdev(s-off required)

this thread will let you unlock your bootloader without htcdev,or let you change your hboot watermark from relocked or locked back to stock.
originally,we used a zip file flashable in recovery. i have found it to work on gsm devices with 1.44 hboot and CW recovery. it did not work with twrp. if the following is too scary,feel free to test the zip files. that thread,info,and downloads can be found here. since not all recoveries are working,these values can be changed with simple adb commands.
advantages
-no hassle with htcdev,tokens,or unlock codes
-no submitting your phones personal info to htc
-the ability to get back to 100% stock without any visual traces or records of having been s off or unlocking your bootloader.
you do NOT need to downgrade your hboot. this simple adb command works without any scary hboot downgrades.
*you must be s off.
*you must have superuser installed(see this thread if you need help installing superuser. use the keep bootloader locked directions)
read this:
this will not work if you're s on. its not a way to magically unlock
the usual disclaimers:
use this info at your own risk. if it melts your phone into a little pile of aluminum goo,its not my fault.
credits
-beaups for giving me the echo command,so yall didnt need to dump,edit with a hex editor,and copy back
-strace for originally discovering the location of the lock status flag(check out this thread for more info)
-kdj67f for fearlessly testing and putting up some screenshots in post 5. thanks!
IF you are an advanced user with adb/fastboot set up and some basic knowledge of the cmd window,you can skip to #2
1)set up adb
-download this file
-install drivers: if you have htc sync installed,you should already have drivers. if not,you can install htc sync,or install these modified htc drivers from revolutionary (driver mirror)
-unzip your miniadb_v1031.zip file. this is native functionality in windows 7. you otherwise may need a utility such as "7-zip" to extract,or unzip it. place the unzipped folder onto the root of your C drive on your PC. root means the top level,not inside any folders. so just copy and paste,or drag and drop the folder onto C with everything else that is there. you may want to rename it to "miniadb_m7" since youll be putting some device specific files in here.
-open a command window. on windows 7,click the start bubble in the lower left and type "command" in the search box. xp i believe is similar or the same. doing this should open a small black command window.
-change to your miniadb_m7 directory. type the following at the prompt in your cmd window:
cd c:\miniadb_m7
your command prompt should change to "c:\miniadb_m7>" provided you: 1)unzipped the miniadb_v1031 zip file,and 2)put the folder on your c drive,and 3)entered the name of the folder correctly ("miniadb_m7" in this case)
-now make sure usb debugging is checked in developer options(you will need to turn it on first),and plug your phone into your PC with a usb cable
-make sure your phone is being recognized- type:
adb devices
if your drivers are installed correctly,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.
if you get your serial number back,then enter this command:
adb reboot bootloader
this should take your phone to the "fastboot" screen,which is white with colored letters. this is one mode of your bootloaders interactive modes. at the top youll see fastboot devices as confirmation youre in fastboot.
now enter:
fastboot devices
again,this should return your phones serial number. you should hear the "found device" noises when you plug your phone in. if it starts installing drivers,wait for it to finish before typing the adb devices command.
if you get your serial number back,you can enter the following to boot back to the phones OS:
fastboot reboot
and now,youve installed adb/fastboot and tested your phones drivers. if at either spot,you have trouble and dont get your serial number back,there is some sort of connection issue. use these steps to troubleshoot:
troubleshooting connectivity issues:
-try a reboot of the PC
-try different usb cables and ports
-dont use a usb hub
-dont use usb 3.0
-make sure nothing capable of communicating with the phone is enabled and running. htc sync,pdanet,easy tether,and even itunes have all been known to cause issues.
-windows 8 has been known to have issues. try a windows 7 or older machine
failing the above,
-i use these drivers for fastboot and adb(download and run as admin): http://downloads.unrevoked.com/HTCDriver3.0.0.007.exe (mirror)
failing that,try manually updating the drivers in the following manner:
-put the phone in fastboot mode(select fastboot from the hboot menu)
-open device manager on the PC
-plug in phone,watch for it to pop up in device manager.
-update drivers with device manager,pointing the wizard to the extracted
driver download folder from above
note that you can check the connectivity of the phone,and make sure drivers are working in the following manner:
-open cmd window. change to directory containing adb/fastboot utilities
-adb with the phone in the booted OS,usb debug enabled,enter:
adb devices in a cmd window
-fastboot with phone in fastboot,enter:
fastboot devices in cmd window
in either case,a properly connected phone with working drivers installed should report back the phones serial number.
this process,in your cmd window,should look something like this:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Scott>cd c:\miniadb_m7
c:\miniadb_m7>adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
FAxxxxxxxxxx device
c:\miniadb_m7>adb reboot bootloader
c:\miniadb_m7>fastboot devices
FAxxxxxxxxxx fastboot
c:\miniadb_m7>fastboot reboot
rebooting...
finished. total time: 0.037s
c:\miniadb_m7>
2)reset your "lock status flag"
to LOCK your bootloader,enter the following:
adb devices
adb shell
su (if needed to get a # prompt)
echo -ne '\x00\x00\x00\x00' | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
(i would very strongly recommend you copy/paste this)
exit
(exit a second time if you need to to get back to a normal > prompt)
adb reboot bootloader
verify you are now locked
_____________________________________________________________________________________________
to UNLOCK your bootloader,enter the following:
adb devices
adb shell
su (if needed to get a # prompt)
echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
(i would very strongly recommend you copy/paste this)
exit
(exit a second time if you need to to get back to a normal > prompt)
adb reboot bootloader
verify you are now unlocked
*i have tested this on my gsm htc one. if someone wants to test on vzw,ill add you to the credits
mine!
So, this will work with hboot 1.54? And are you sure the memory blocks are correct for Verizon? I will test...
I'm s-off, stock Rom, cwm recovery and rooted.
Sent from my HTC6500LVW using XDA Premium 4 mobile app
kdj67f said:
So, this will work with hboot 1.54? And are you sure the memory blocks are correct for Verizon? I will test...
I'm s-off, stock Rom, cwm recovery and rooted.
Sent from my HTC6500LVW using XDA Premium 4 mobile app
99% sure we can certainly dump p3 and have a look-see first,if you'd like. We would need a dump from someone who's unlocked or relocked
Sent from my HTC One using Tapatalk 2
99% is good enough for me haha! Phone just hit 50% charged, give me a minute. Will post back with pictures.
Sent from my HTC6500LVW using XDA Premium 4 mobile app
---------- Post added at 08:56 PM ---------- Previous post was at 08:41 PM ----------
Confirmed, code working. Flags set/reset. Phone even reboots and works. Will upload pics/screenshots.
Thanks!
Starting out unlocked:
Locking:
Locked:
Unlocking:
Re-unlocked:
Very good work!
Awesome! Thanks for confirming
Sent from my HTC One using Tapatalk 2
That was super easy... great write up! This will save so much time getting an unlocktoken and running through HTCdev. Many thanks!
scotty1223 said:
99% sure we can certainly dump p3 and have a look-see first,if you'd like. We would need a dump from someone who's unlocked or relocked
Verizon HTC One here, S-Off with SuperSU but otherwise stock, locked bootloader, hboot 1.54. I just did
Code:
dd if=/dev/block/mmcblk0p3 of=orig bs=1 seek=33796 count=4
and looked at the resulting dump and it has "PGFS" not nulls at that offset. I'm wondering if we should write "PGFS" back on Verizon/hboot 1.54 and not nulls?
bjorheden said:
Verizon HTC One here, S-Off with SuperSU but otherwise stock, locked bootloader, hboot 1.54. I just did
Code:
dd if=/dev/block/mmcblk0p3 of=orig bs=1 seek=33796 count=4
and looked at the resulting dump and it has "PGFS" not nulls at that offset. I'm wondering if we should write "PGFS" back on Verizon/hboot 1.54 and not nulls?
sounds like youre looking at offsets 00 01 02 03. every device ive looked at so far has the PGFS at that location. i havent looked at a vzw p3,but t mobile follows that. youll find the HTCU,HTCL,or nulls at 8404 8505 8406 8407.
im not sure your command is showing you the correct location. id dump and look at the whole thing.
dd if=/dev/block/mmcblk0p3 of=/sdcard/mmcblk0p3
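Added example (not part of any post in this thread): a read-only Python check of a full mmcblk0p3 dump, using the offset 33796 (0x8404), the PGFS header and the flag values described in the posts above. It also models how `dd` treats `skip=` (offsets the input) versus `seek=` (offsets the output), which is why a 4-byte read with `seek=33796` returns the header bytes. The sample image and all function names are constructed for illustration.

```python
# Added example: offline, read-only inspection of a dumped mmcblk0p3 image.
# Offsets and flag values come from the thread; the sample image is constructed.

FLAG_OFFSET = 33796           # decimal offset used in the thread (0x8404)
FLAG_LEN = 4
HEADER_MAGIC = b"PGFS"        # reported in the thread at offsets 00..03
LOCK_STATES = {
    b"\x00\x00\x00\x00": "locked",    # factory state per the thread
    b"HTCL": "relocked",
    b"HTCU": "unlocked",
}


def make_sample_image(flag: bytes, size: int = 64 * 1024) -> bytes:
    """Build a constructed stand-in for a p3 dump (not real device data)."""
    if len(flag) != FLAG_LEN:
        raise ValueError("flag must be exactly 4 bytes")
    image = bytearray(b"\xff" * size)
    image[0:4] = HEADER_MAGIC
    image[FLAG_OFFSET:FLAG_OFFSET + FLAG_LEN] = flag
    return bytes(image)


def dd_bs1(image: bytes, count: int, skip: int = 0, seek: int = 0) -> bytes:
    """Model `dd bs=1 count=N` writing to a new output file.

    skip= moves the read position in the input; seek= moves the write
    position in the output and leaves a zero-filled hole in front of it.
    """
    return b"\x00" * seek + image[skip:skip + count]


def read_lock_flag(image: bytes) -> dict:
    """Classify the 4-byte lock status flag in a p3 dump."""
    if len(image) < FLAG_OFFSET + FLAG_LEN:
        raise ValueError("dump is too short to contain the lock flag")
    raw = image[FLAG_OFFSET:FLAG_OFFSET + FLAG_LEN]
    return {
        "header_ok": image[:4] == HEADER_MAGIC,
        "raw_hex": raw.hex(),
        # Anything outside the three documented values is reported, not guessed.
        "state": LOCK_STATES.get(raw, "unknown"),
    }


def inspect_dump(path: str) -> dict:
    """Read only the bytes needed from a dump file pulled off the device."""
    with open(path, "rb") as fh:
        return read_lock_flag(fh.read(FLAG_OFFSET + FLAG_LEN))


if __name__ == "__main__":
    sample = make_sample_image(b"HTCU")
    print("flag offset:", FLAG_OFFSET, "=", hex(FLAG_OFFSET))
    print("full-dump check:", read_lock_flag(sample))

    # Reading with skip= returns the flag itself.
    print("dd skip=33796 ->", dd_bs1(sample, FLAG_LEN, skip=FLAG_OFFSET))

    # Reading with seek= copies input bytes 0..3 (the header) and places
    # them at offset 33796 of the output file.
    out = dd_bs1(sample, FLAG_LEN, seek=FLAG_OFFSET)
    print("dd seek=33796 -> output length", len(out),
          "bytes at 33796:", out[FLAG_OFFSET:])
```

Run it against a real dump by calling `inspect_dump()` on the file copied from `/sdcard/mmcblk0p3`; it never writes to the image.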
Hey Scotty,
I can't thank you enough for this info. I really didn't want to unlock via htcdev and it's been getting tiring making zips for everything I want to flash. This solved my problem and is reversible without record. You are the man and thanks for putting in the time.
isdnmatt said:
Hey Scotty,
I can't thank you enough for this info. I really didn't want to unlock via htcdev and it's been getting tiring making zips for everything I want to flash. This solved my problem and is reversible without record. You are the man and thanks for putting in the time.
glad to help
Can someone explain the benefits to me of being able to change between locked/unlocked? If not.... That's cool.
Sent from my HTC6500LVW using Tapatalk now Free
BaBnkr said:
Can someone explain the benefits to me of being able to change between locked/unlocked? If not.... That's cool.
Sent from my HTC6500LVW using Tapatalk now Free
For this thread and most people's needs, unlocking this way after s-off saves time. Re-locking just proved it was reversible in case someone did want to be locked again. Another way to get back to stock for warranty purposes, etc...
Most importantly, to prove it can be done!
Sent from my HTC6500LVW using XDA Premium 4 mobile app
Fantastic, can this work for HTC One S too?
maybe needs finding correct blocks?
what it is unclear to me is that:
your method to unlock bootloader needs S-OFF, but S-OFF needs Unlocked bootloader and SuperCID, so maybe for HTC One S it's different
thanks for clarification
icest0rm said:
Fantastic, can this work for HTC One S too?
maybe needs finding correct blocks?
what it is unclear to me is that:
your method to unlock bootloader needs S-OFF, but S-OFF needs Unlocked bootloader and SuperCID, so maybe for HTC One S it's different
thanks for clarification
blocks are the same for one s.
method does indeed need s off. most common way to achieve s off for devices on the unlock program is via initial unlock thru htcdev to install root and recovery. at this point the commands are useful to get back to locked,and if one needs unlock after being locked for some reason. vzw is a bit different in that they cannot use htcdev,so a hack is needed to temproot,then s off. this does give them the luxury of being able to unlock without htcdev altogether.
its also possible to s off via a java card,or be lucky enuff to find a user trial device that came that way. in this situation htcdev can be left out of the picture entirely.
hope that clarifies it
scotty1223 said:
blocks are the same for one s.
ok!
scotty1223 said:
method does indeed need s off. most common way to achieve s off for devices on the unlock program is via initial unlock thru htcdev to install root and recovery. at this point the commands are useful to get back to locked,and if one needs unlock after being locked for some reason.
ok...clear
scotty1223 said:
vzw is a bit different in that they cannot use htcdev,so a hack is needed to temproot,then s off. this does give them the luxury of being able to unlock without htcdev altogether.
ehm...sorry...what is vzw?
its also possible to s off via a java card,or be lucky enuff to find a user trial device that came that way. in this situation htcdev can be left out of the picture entirely.
hope that clarifies it
thanks :good:
vzw=Verizon wireless
Sent from my HTC One VX using Tapatalk
scotty1223 said:
vzw=Verizon wireless
Sent from my HTC One VX using Tapatalk
ah ok...
but since they need a temproot to get unlock without htcdev, wouldn't this be possible for all htc one (s)?
why is it limited to vzw?
icest0rm said:
ah ok...
but since they need a temproot to get unlock without htcdev, wouldn't this be possible for all htc one (s)?
why is it limited to vzw?
technically,yes. you could use a temp root and make a tool for any other carriers device so you would not have to unlock.
however, temp root exploits are typically patched quickly. htcdev is a reliable means of root to make other tools/exploits work. its much,much easier to simply unlock and install root and recovery than to keep looking for software temp root exploits.
with verizon you have no choice,since they do not allow official unlock.
Hello, can you please tell me why do i get this error ?
