[S-Off] Facepalm S-Off for HTC One XL


ChongoDroid

Ok folks thanks to c5satelite and other helpful folks at S OFF PARTY AND IRC we figured out how to fix this whole "error 99" shenanigans.


Step 1. Download the latest stockish ROM (I used Viper 3.2.3)

Step 2. Boot into bootloader and fastboot flash the kernel.. then reboot back into recovery

Step 3. Wipe /system and factory reset in TWRP

Step 4. Install rom in TWRP

Step 5. For *Viper Only* Don't wipe in Aroma, and uncheck reboot at the end.

Step 6. Reboot into bootloader from recovery (Don't boot into the ROM)

Step 7. Follow the instructions in the OP to a T ... read reread.. go get some coffee.. and try again.. hopefully you see Error 92 and not 99

This worked for me with ViperROM on hboot 2.14

Thank you to all the folks involved you guys are rockstars from Mars! :highfive:
 

Dacra

If you need superCID, do steps 1 to 11 in this thread: http://xdaforums.com/showthread.php?t=1671396

I got superCID using that method and then followed the instructions in the OP of this thread and I'm S-OFF.

I've done this and fastboot oem readcid tells me 11111111, but cid getter app tells me it's still ORANG001.

Can somebody tell me which I should believe, and if trying s-off if I don't really have super cid could cause problems?

European One XL, hboot 1.14.
 

mrjayviper

I've done this and fastboot oem readcid tells me 11111111, but cid getter app tells me it's still ORANG001.

Can somebody tell me which I should believe, and if trying s-off if I don't really have super cid could cause problems?

European One XL, hboot 1.14.

Have you tried fastboot getvar cid? Or you can take one for the team and try the s-off tool anyway... :D
 

AngioNicholai

Confirmed working method!

Ok folks thanks to c5satelite and other helpful folks at S OFF PARTY AND IRC we figured out how to fix this whole "error 99" shenanigans.


Step 1. Download the latest stockish ROM (I used Viper 3.2.3)

Step 2. Boot into bootloader and fastboot flash the kernel.. then reboot back into recovery

Step 3. Wipe /system and factory reset in TWRP

Step 4. Install rom in TWRP

Step 5. For *Viper Only* Don't wipe in Aroma, and uncheck reboot at the end.

Step 6. Reboot into bootloader from recovery (Don't boot into the ROM)

Step 7. Follow the instructions in the OP to a T ... read reread.. go get some coffee.. and try again.. hopefully you see Error 92 and not 99

This worked for me with ViperROM on hboot 2.14

Thank you to all the folks involved you guys are rockstars from Mars! :highfive:

After hours of failing I tried this method and on the first try it worked. (there was talk in IRC about timing and after I entered the last command before rebooting into bootloader I did wait 15 seconds, so try that if all else fails) if it helps anyone here is the folder I used to S-OFF http://d-h.st/mz3

PROOF!
http://postimage.org/image/tqumikyvb/
 

AlxMAX

After running the last line: adb shell su -c "/data/local.tmp.soffbin3"

I got this "Segmentation fault"

No S-OFF :). I've been cycling around several times with (Error remote 92) but still get this message

Any suggestion pls ?
Would you mind posting your phone model or running adb shell getprop ro.aa.romver before posting any complaint?
 

Dacra

If you need superCID, do steps 1 to 11 in this thread: http://xdaforums.com/showthread.php?t=1671396

I got superCID using that method and then followed the instructions in the OP of this thread and I'm S-OFF.

Confirm this worked to get my non AT&T cid updated to 11111111.

Then the instruction in OP flowed through without issue, S-OFF achieved :)

UK Tmobile/orange/EE One XL, hboot 1.14, after accepting JB OTA.
 

Chrysis

So was getting the ADB offline error at first but updating my SDK fixed that. Was looking good until I first booted back into the OS after flashing the OneX.zip and now it's stuck at 'offline' again when i check devices, and I can't perform any of the commands in step 8 or even restart now. I tried unplugging it, turned USB debugging off and on, rebooted the phone, still says my device is offline. SDK is updated now.

Really looking forward to S-OFF, any ideas?
 

ChongoDroid

Re: [S-Off] Facepalm S-Off for HTC Devices One S, One XL, Droid DNA

yay!! great news I was wondering if it would flash the boot.img now because of s-off.... thanks for confirming this!!

no more flashing boot and then flashing rom!!

Not sure about touchscreen issues as I don't have the updated TS drivers. But the kernel flashed :)

Sent from my One X
 

thedailyl3af

Re: [S-Off] Facepalm S-Off for HTC Devices One S, One XL, Droid DNA

What if I had done this x factor root method to get root in the first place, do I need to do it again?

Sent from my Venomized Elemental Evita
 

twistedddx

So PJ8312000-OneX.zip is just firmware.zip from 3.17.707.1 OTA.

Boot into RUU mode, where flashing firmware.zip is allowed anyways.
You push a firmware.zip only once where it would require 3 times to be actually fully flashed.
Boot into system and push a crafted binary.

So the facepalm exploit is totally just HTC ending up leaving eMMC security off while the device is preparing for a firmware.zip flash?!
Wow HTC.. Facepalm indeed.

Some report the phone can be in either of the states below, not just SUPERCID state but perhaps the pre-update state may have bad side effects, e.g. what is this "pre-update":
FAILED (remote: 92 supercid! please flush image again immediately)
FAILED (remote: 90 hboot pre-update! please flush image again immediately)

Well done HTC; Flush immediately otherwise eMMC security will be off :p

Well done to beaups for working this out!
 

stumpy352

Re: [S-Off] Facepalm S-Off for HTC Devices One S, One XL, Droid DNA

Was curious about how this works. Also glad to hear it works on 2.14 hboot. Now I can finally begin.

Sent from my HTC One XL using xda premium
 

twistedddx

Was curious about how this works. Also glad to hear it works on 2.14 hboot. Now I can finally begin.

Yep works fine on hboot 2.14 on my Asia MID PJ8312000.

The signed firmware.zip is obviously key to RUU mode turning off eMMC security, then it is just sloppy HTC not turning it back on if you exit before finishing.
 

esaloch

Re: [S-Off] Facepalm S-Off for HTC Devices One S, One XL, Droid DNA

Make sure you understand how to get adb root access working on your device/rom before starting this. A lot of questions could have been avoided with this little bit of research.

Sent from my One X using xda app-developers app
 

Top Liked Posts

  • 440
    http://www.youtube.com/watch?v=zNswkPGYtLc

    note: updated 2/20 @ 9:20 EST, better ICS compatibility.

    Welcome to Facepalm S-Off for the HTC One XL.

    Credits and terms:

    Exploit by beaups. Full guide, testing, and concept by jcase and beaups. Thanks to dsb9938 and dr_drache for support and testing. Thanks also to all of the regulars at teamandirc.

    Both beaups and jcase will collect the applicable active bounties. Further donations are greatly appreciated and can be sent to:

    beaups - Donate to beaups
    jcase - Donate to jcase
    dsb9938 - Donate to dsb9938
    dr_drache - Donate to dr_drache


    You can also come by irc for support or just to say thanks: #FacePalm http://chat.andirc.net:8080/?channels=facepalm

    While this process shouldn’t be too risky, bricks can happen. None of us will be accountable. If you are worried, don’t do it.

    This is a pretty simple method, however, you will need to have a working adb and fastboot environment. This method will work on any operating system that supports adb and fastboot. You should understand how to use a terminal window in your O/S. If you don’t understand adb and fastboot, you probably don’t need S-off.

    Lastly, the work herein should not be stolen, repackaged, one clicked, bat’d, etc. soffbin3 is not GPL and may not be reused, integrated into other work, reposted, or redistributed without our permission.

    For this to work, you must be rooted and have superCID (unlock/custom recovery is optional), see the threads below for help and information regarding obtaining superCID, unlock, root, etc. Note these threads are provided for convenience only. Please look for support for them in each respective thread if you need it, do NOT clutter this thread with support requests regarding obtaining superCID and/or root! If you try this process without superCID, it will not work, and you may have issues!:

    HTC One XL: http://xdaforums.com/showthread.php?t=1952038 (2.2)


    Once you have confirmed you have SuperCID, get started (read it through first so you understand it all):

    1.) Download patcher and unzip it in your working directory:
    soffbin3.zip soffbin3.zip Mirror

    2.) Download the zip below

    OneX.zip = MD5: 99a8eced1010543e12cbd4e4e8f9638f, Mirror

    3.)
    Code:
    adb reboot bootloader
    (wait for bootloader)

    4.)
    Code:
    fastboot oem rebootRUU
    (wait for black HTC Screen)

    5.)
    Code:
    fastboot flash zip PJ8312000-OneX.zip
    After a while, You should see the following error “FAILED (remote: 92 supercid! please flush image again immediately)”

    6.) Immediately issue the following command:

    Code:
    fastboot oem boot

    You may see some errors, just wait for the device to boot into Android (only now, you should be booted into Android with no eMMC write protection of any kind active).

    7.) Issue the following 3 commands to update the security partition with S-off flags (one command at a time!):

    Code:
    adb push soffbin3 /data/local/tmp/
    adb shell chmod 744 /data/local/tmp/soffbin3
    adb shell su -c "/data/local/tmp/soffbin3"

    (wait for a few seconds)

    8.)
    Code:
    adb reboot bootloader

    9.) You should see what you are looking for!

    If you need help or just care to say thanks, join us on IRC: #FacePalm http://chat.andirc.net:8080/?channels=facepalm

    Enjoy.
    15
    Fix for error 99, that doesn't involve flashing roms hoping it solves the problem:

    fastboot oem writecid 11111111
    power down completely, go to fastboot
    continue from the fastboot oem rebootRUU command

    thanks attn1 and jcase for the help
    6
    For those with PJ8310000 Model IDs, do it anyway. That zip works regardless of One X/XL Model ID.
    I tried it and am now S-Off'd. My Model ID is PJ8310000.

    Also, thanks so much to those involved!!
    6
    we will add more hoxl model id's and zips shortly