Rooting Incredible S - AlphaRevX in Public Beta
AlphaRevX is now in Public Beta!
Bootloader a.k.a HBoot
Update 05/04/2011 - Where we are so far...
I thought I had better update this post, to let people know where we have got to and what we have tried, in case any developers want to join the fight. This will be a little technical and not explained step by step; there is a Q&A if you want to learn more about the goings on.
First off, the 'team'. Below is a list of people currently working on trying to get root; PM any one of us if you want to help. When I say "want to help", please don't just PM saying "I want to help, I have no technical knowledge, what can I do?" We have plenty of testers; what we need is technical insight.
Soctty2 was providing a lot of contributions in the early stages but we haven't heard from him in a couple of weeks, so don't contact him directly.
Where we are at the moment. We can obtain temproot via the psneuter exploit, which allowed bin4ry to attempt to modify the wpthis exploit to allow us to load an S-OFF HBoot which was supplied by an anonymous benefactor. Unfortunately that didn't really amount to anything despite our best efforts, so he has now turned his attention to the kexec method of running a custom kernel, to see if that gives us an in.
Started 05/03/2011 - The race begins...
I am trying to root the Incredible S as no developers appear to have picked it up, but I am pretty new to this and was hoping for a little help. I have tried SuperOneClick and it appears to give some sort of temp root (although SU force closes and the test command fails, it does write to the system partition) and rebooting removes it all.
I am a little lost where to go from here, although someone suggested using an older version of SOC and checking the log files. I will let you know what I find.
Frequently Asked Questions
Temproot and Permaroot - What's the difference?
First, let me explain root access. Root access, superuser or su (all the same thing) is basically an admin account for Linux. It gives us permission to access commands that normally couldn't be accessed, and to write information to partitions that normally couldn't be written to. On older devices (such as the Hero), once we had root we could write to the /system and /recovery partitions, and flash custom ROMs. In the case of the IS (and every HTC device since the Desire), this isn't true. Getting root access is quite trivial and nowhere near as useful, because the internal flash memory (NAND or eMMC) is locked down, and it means everything we 'write' to the system (or any other protected partition) is lost on reboot because it is a non-permanent change. In short, this stops us from flashing custom ROMs and recovery. This is a problem for any devices that are shipped with the Security flag on (S-ON). To get Permaroot, and the ability to flash custom ROMs, we need S-OFF.
So what's this S-OFF then?
Since the Desire, HTC have been securing their phones better than before by locking the internal flash memory (NAND or eMMC) to stop it being written to, unless the file being flashed is signed by a private key only known to HTC. This is controlled by a flag (@secuflag) and is identified as the device being S-ON. Telling the HBoot the device is Security Off (S-OFF) stops this check for the key, and allows us to write anything to any partition, which is what we are aiming for.
There are actually two levels of S-OFF: the Bootloader (HBoot) and the Radio. Getting S-OFF on the HBoot gives us everything we need, but doesn't actually turn off the @secuflag which is set in the radio. What it is possible to do is to flash a HBoot that believes the Radio is set to S-OFF, as the HBoot is responsible for setting that flag. Once the HBoot on the phone is S-OFF, we can write to all the partitions and basically do whatever we want, but it is possible to go one step further. Flashing a radio that is S-OFF and actually setting the @secuflag off gives 100% total access to every part of the phone and its software, as it becomes network unlocked, allowing you to use any SIM, and also allows you to flash a ROM from any carrier (known as Super CID). It also makes it nigh on impossible to permanently lose root no matter what you flash. Once you have radio S-OFF, it makes it much easier to flash new HBoots and ROMs even if you flash something that is locked down tight.
Setting the Radio to S-OFF is not necessary, and gaining S-OFF on the HBoot is more than most people will ever need. Radio S-OFF is just the last step of the puzzle, but it is worth noting that the only points at which you can permanently brick your phone are flashing a radio or a HBoot. If either of these goes wrong you will end up with a shiny expensive paperweight, so there is risk involved.
What about this XTC Clip, can that help?
The XTC clip is a hardware device that can unlock HTC phones, regardless of the software. The device has been proven to unlock the Incredible S, but will require the purchase of additional hardware. We are aiming to achieve full software-only root, which will be free. The XTC clip will soon be available in one-off use variations for €25 if you do not want to wait for software root. Please note that the XTC clip doesn't currently allow you to revert back to S-ON if you need to for warranty purposes.
What about people who are getting devices shipped with S-OFF?
There are reports that a lot of devices coming out of China and India are shipping with the @secuflag set off. These are lucky people, and have the ability to write to the flash memory, but it can't help those of us who are S-ON. It is also worth noting that because most devices are S-ON, no one has written any ROMs or kernels for the device so they will probably have to wait until we get a way of turning our devices to S-OFF until anyone creates any software for it.
So, what are you doing about it?
Well, what we were trying to do is find a way of telling the kernel to allow us to flash a version of the HBoot which was shipped S-OFF, thus allowing us to write to all the right partitions. All of the current exploits that allowed this to happen have been closed off, and none of them help us achieve our goal. The IS is part of a newer breed of HTC phones that are not vulnerable to any existing exploits. The only other released phone that is part of this new breed is the HTC Thunderbolt, but they have managed to get round it by downgrading to an older version of the software which is vulnerable to the older exploits. Although we have the ability to downgrade via a goldcard method (thanks to timbo007up), no one has discovered an RUU old enough to be exploitable. Bin4ry (the guy responsible for finding root on the X10) has been working with myself, timbo007up and hawkysoft trying to adapt the wpthis exploit (the one used on the G2 and DHD) to work with the Incredible S, but it appears that it cannot be done. He is now looking at the kexec method used on the X10 to load a custom kernel, to then allow us to overwrite the HBoot. This is how progress currently stands as of the 5th April 2011.
- This is the piece of software that runs before anything else on the phone. It basically packages it all up, tells what to run in what order, etc. Every computer device has a bootloader in some form or another, be it an Android phone, iPhone, Windows PC, iMac, etc. The HBoot is accessible by switching your phone off, then holding down volume down as you turn it back on. The first line of the HBoot will tell you if you are S-OFF or S-ON.
- The recovery is the piece of software that allows us to write files to partitions while they aren't being used. It is the portal to allow us to flash custom ROMs and kernels. There are custom recoveries with more options than the stock, such as ClockworkMod.
Superuser a.k.a su or Root
- This is a user that is present on all Linux distros that allows higher permissions than standard users have access to. Certain apps need superuser permissions to function, such as Titanium Backup.
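
A simplified model of the S-ON / S-OFF gate described in the FAQ above, added here as an illustration; it is not code from the original post or from HTC. The HMAC stand-in for HTC's signature, the `Device` class, the set of protected partitions and the sample images are all assumptions made so the model runs.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor key. The post says images must be signed
# with a private key known only to HTC; HMAC is used here only so the model
# runs on the standard library. It is not HTC's real signature scheme.
VENDOR_KEY = b"constructed-demo-key"
PROTECTED = {"hboot", "radio", "recovery", "system"}  # assumed partition set


def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def signature_ok(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)


@dataclass
class Device:
    radio_secuflag_on: bool = True      # the @secuflag held in the radio
    hboot_believes_s_off: bool = False  # an HBoot that treats the radio as S-OFF

    def s_off(self) -> bool:
        # Either level is enough to disable the signature check.
        return self.hboot_believes_s_off or not self.radio_secuflag_on

    def flash(self, partition: str, image: bytes, sig: bytes = b"") -> str:
        if partition not in PROTECTED:
            return "written: unprotected partition"
        if self.s_off():
            return "written: signature check skipped"
        if signature_ok(image, sig):
            return "written: signature verified"
        return "rejected: S-ON and no valid signature"


def demo() -> list:
    custom = b"constructed custom recovery image"
    s_on = Device()
    hboot_off = Device(hboot_believes_s_off=True)  # radio flag still on
    radio_off = Device(radio_secuflag_on=False)
    return [
        s_on.flash("recovery", custom),                # unsigned, S-ON
        s_on.flash("recovery", custom, sign(custom)),  # vendor-signed, S-ON
        hboot_off.flash("recovery", custom),           # HBoot-level S-OFF
        radio_off.flash("recovery", custom),           # radio-level S-OFF
    ]
```

The third case is the one the post is chasing: the radio flag is untouched, yet every protected write succeeds because the component enforcing the check no longer honours it.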