[ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit


bpear96

Senior Member
Sep 30, 2010
1,879
3,583
So this will work with the new HBOOT as well then? Say if someone uses the 2.20 RUU or got an ATT HOXL with the updated bootloader that came with 2.20 ?

Example - I can flash the 2.20 RUU to get a "fresh start" for my phone (I have the older hboot, unlocked with S-On, never took the 2.20 update), run this, re-unlock, and then put CM10 back on and everything will function as it does now?

Sent from my One X using Tapatalk 2

Yes of course, this is a root exploit for 2.20 users pretty much.
But keep in mind if you flash the 2.20 RUU you will have the newer HBoot that can't flash kernels, radios etc. in recovery, so using fastboot will be needed.
 

Gandalf

Inactive Recognized Developer / Retired Forum Mod
Mar 29, 2011
3,523
6,659
Philadelphia
Why would you want to? Then you would have to flash boot.img separately, which isn't that big of a deal but still annoying.

Yes of course, this is a root exploit for 2.20 users pretty much.
But keep in mind if you flash the 2.20 RUU you will have the newer HBoot that can't flash kernels, radios etc. in recovery, so using fastboot will be needed.


Ah true, totally forgot about that. That's why I asked, knew I was forgetting about something! Thanks!

Sent from my One X using Tapatalk 2
 

maddie01

Senior Member
Feb 5, 2009
664
154
New Orleans
Quick question on Root and Unlock

Will this process to Root and Unlock, Recovery Flash erase any data on the phone, or does that come later when you flash a new ROM?


This will fully root your phone. Just follow instructions to root, Super CID, unlock BL then flash recovery.

The root itself is a different manner than 1.85 but the whole process after should be the same. This is a method to get you to unlock the BL.
 

ronii1123

Senior Member
Jun 30, 2010
662
115
Massachusetts and stuff
Hey, is it normal for the exploit to close when asking to hit any key to get the unlock token? It just closes as soon as I hit enter, before I get a chance to copy and paste the token.
 

alejobog

Senior Member
Nov 8, 2008
830
117
Bogota
It works for me! Says my CID is not 11111111, thank you very much.
 


djrbliss

Inactive Recognized Developer
Aug 24, 2011
136
2,643
Hey, is it normal for the exploit to close when asking to hit any key to get the unlock token? It just closes as soon as I hit enter, before I get a chance to copy and paste the token.

Haha, good point. Uploaded a new version to the same URL that waits for you to confirm you want to quit. Thanks.
 

MistaButters

Senior Member
May 10, 2012
281
85
San Diego
So this will work with the new HBOOT as well then? Say if someone uses the 2.20 RUU or got an ATT HOXL with the updated bootloader that came with 2.20 ?

Example - I can flash the 2.20 RUU to get a "fresh start" for my phone (I have the older hboot, unlocked with S-On, never took the 2.20 update), run this, re-unlock, and then put CM10 back on and everything will function as it does now?

Sent from my One X using Tapatalk 2

I did that before it was known what the new HBOOT would do. Don't do it. After you do it you have to flash the boot.img using fastboot commands and you can not flash any radios. Also, you are stuck with whatever kernel the ROM is using because of the inability to flash boot.img from recovery.
 

xaey

Senior Member
Jul 6, 2012
228
66
College Station
Thank you so much for this and all your hard work. Glad to see your exploit works! I'm still on 1.85, so I think I will keep it like that until there's a way to flash boot.img through recovery instead of fastboot. For those of you who are debating whether to upgrade from 1.85 now, I wouldn't. You will have to flash the boot.img in ROMs through fastboot in order to flash custom ROMs, and plus, if you are already rooted, then you most likely have superCID already, which would render this exploit unnecessary since you can just upgrade and immediately flash a custom ROM to gain root (with the proper upgrade method of course). But up to you.
 

pak-stars

Senior Member
Oct 17, 2012
208
70
Valencia
I'm gna make love to my X tonight... my HTC One X after root, of course.

Sent from my HTC One X using xda app-developers app
 

rocketchatb

New member
Oct 23, 2012
2
0
I followed your instructions and it was successful, but when the unlock token came up in CMD, it automatically closed the CMD. Now I'm just in the bootloader menu. Can I reboot my device without penalty and try again since you updated your program or am I stuck?
 

djrbliss

Inactive Recognized Developer
Aug 24, 2011
136
2,643
I followed your instructions and it was successful, but when the unlock token came up in CMD, it automatically closed the CMD. Now I'm just in the bootloader menu. Can I reboot my device without penalty and try again since you updated your program or am I stuck?

Sorry, another user experienced the same bug. I uploaded a new version to the same URL that pauses after printing the unlock token.

You don't need to run the whole exploit again, since you've already changed your CID. You can just boot into bootloader mode with "adb reboot bootloader", then retrieve your token with "fastboot oem get_identifier_token".
 

Top Liked Posts

  • 286
    I have successfully rooted the AT&T HTC One X running build 2.20.

    In the previous build (1.85), S-ON was only partially enforced, so it was possible to modify the /system partition without having unlocked the bootloader, in order to install su and Superuser.apk. This was changed in build 2.20: full S-ON is now in effect. As a result, it is no longer possible to write to /system even after remounting it as writable, since the S-ON feature has NAND-locked the storage.

    In other words, it's impossible to have a "permanent root" on 2.20 in the traditional sense without unlocking the bootloader.

    I have prepared an exploit that gains temporary root access by leveraging two vulnerabilities and uses these newly gained root privileges to overwrite the CID ("superCID"), so that it's possible to unlock the bootloader via HTC's website. I'm sorry if you'd prefer to not unlock your bootloader this way, but there are no other options for root access available.

    ===========
    DISCLAIMER
    ===========

    This exploit modifies the CID of your device. Doing so likely voids your warranty, and may be in violation of your contract with AT&T (I am not a lawyer). Additionally, while this exploit has been tested and has not been observed to cause any negative side effects in practice, I am in no way responsible if it turns your device into an expensive paperweight.

    =============
    INSTRUCTIONS
    =============

    1. Download the exploit from:
    http://vulnfactory.org/public/X_Factor_Windows.zip

    Edit: Linux/Mac version available here. Thanks to Jesse Osiecki (@jesseosiecki) for suggesting I support this and providing me with a working version (that I ended up re-writing):
    http://vulnfactory.org/public/X_Factor_Linux_OSX.zip


    2. Extract the entire zip file.

    3. Connect your device via USB, ensure you have the latest HTC USB drivers installed (only on Windows), and ensure USB debugging mode is enabled.

    4. Double-click "run.bat", or if running Linux or OSX, open a terminal, change directories to the extracted exploit, and run "./run.sh".

    5. Follow the instructions printed by the exploit. You will need to authorize two backup restorations during the exploit's execution.

    6. If the exploit is successful, it will print "[+] Set CID!". If it does not print this, the exploit has failed, so please do not continue.

    7. The exploit will automatically reboot into bootloader mode. Press enter after bootloader mode is finished booting, and the exploit will print your CID. If the exploit was successful, it should return "11111111" as your CID.

    8. If your CID was successfully set, press enter to generate an unlock token.

    9. Visit htcdev.com, navigate to the "Bootloader unlock" section, choose "All other supported models" from the drop-down menu, and provide the unlock token when asked.

    10. After unlocking the bootloader, you can flash a custom recovery partition via fastboot, boot into recovery mode, and use a recovery ADB shell or install from an update.zip to install Superuser and su (I do not provide support for custom recoveries, but this is a straightforward process that other people can help with).

    ======
    NOTES
    ======

    I am not affiliated with any Android forum or group, including XDA - this is just where I've chosen to publish this exploit.

    Portions of this exploit are similar in concept to the ADB backup/restore exploit published by Bin4ry, but the vulnerability used in this exploit is entirely distinct from Bin4ry's.

    ========
    CREDITS
    ========

    Thanks to Michael Coppola for pointing me at the vulnerable driver I leverage for the second phase of the exploit, and props for independently discovering the same vulnerability I used. Thanks to jcase and P3Droid for their continuing support - I owe you guys beers.

    ======
    Paypal
    ======
    http://goo.gl/zBGb0
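As an added example (not part of the X-Factor package or the original post), a small POSIX shell helper covering djrbliss's reply about "fastboot oem get_identifier_token" and steps 7-8 of the guide above: it captures the unlock token into a file so it survives a closed terminal window, and checks the CID readback for 11111111. The token marker lines, the "(bootloader) " prefix and the "fastboot oem readcid" command are assumptions about HTC's fastboot output, not taken from the thread.

```shell
#!/bin/sh
# Added helper, not part of the X-Factor package or any HTC tool.
# Assumptions (not from the thread): the bootloader wraps the token in
# "<<<< Identifier Token Start >>>>" / "<<<< Identifier Token End >>>>" lines,
# fastboot prefixes each line with "(bootloader) ", and "fastboot oem readcid"
# reports the CID as "(bootloader) cid: XXXXXXXX".
# extract_token: reads fastboot output on stdin and prints only the token
# block (markers included, "(bootloader) " prefix stripped), i.e. the exact
# text htcdev.com asks for. Returns 1 if no complete block is present.
extract_token() {
    awk '
        { sub(/^\(bootloader\) /, "") }
        /<<<< Identifier Token Start >>>>/ { inblock = 1 }
        inblock { print }
        /<<<< Identifier Token End >>>>/ { inblock = 0; found = 1 }
        END { if (!found) exit 1 }
    '
}
# cid_is_super: reads "fastboot oem readcid" output on stdin; returns 0 only
# if the reported CID is 11111111 (the value step 7 of the guide expects).
cid_is_super() {
    grep -q '^(bootloader) cid: *11111111$'
}
# save_token_from_device: phone must already be in bootloader mode
# ("adb reboot bootloader"). Writes the token block to $1 and reports.
save_token_from_device() {
    outfile=${1:-unlock_token.txt}
    if fastboot oem get_identifier_token 2>&1 | extract_token > "$outfile"; then
        echo "[+] Unlock token saved to $outfile (paste it at htcdev.com)"
    else
        rm -f "$outfile"
        echo "[-] No token block found; is the phone in bootloader mode?" >&2
        return 1
    fi
}
# Constructed sample of fastboot's output (placeholder token, not a real one).
SAMPLE_TOKEN_OUTPUT='(bootloader) < Please cut following message >
(bootloader) <<<< Identifier Token Start >>>>
(bootloader) 0123456789ABCDEF0123456789ABCDEF
(bootloader) FEDCBA9876543210FEDCBA9876543210
(bootloader) <<<< Identifier Token End >>>>
OKAY [  0.010s]'
SAMPLE_CID_OUTPUT='(bootloader) cid: 11111111
OKAY [  0.005s]'
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_TOKEN_OUTPUT" | extract_token
```

With the phone in bootloader mode, `save_token_from_device unlock_token.txt` writes the block to a file you can open at leisure instead of copying it from a window that may close.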
    5
    Go here for instructions on flashing custom recovery and roms:

    http://xdaforums.com/showthread.php?t=1952076
    5
    It utilizes a temp root to change the CID and therefore unlock
    The unlock is permanent, the root is temporary

    Though after you unlock, just flash a SuperUser zip and you will get permanent root ;)
    4
    Great work man! Congrats.

    And welcome to all the new ROM flashers :)
    4
    It's not working for me, dammit

    /system/bin/sh: /data/local/tmp/pwn: cannot execute - Permission denied

    Sent from my HTC One X using Tapatalk 2


    Sorry, made a small mistake. I've uploaded a new version to the same URL, please re-download and try again.