So I had to get my phone replaced because the USB was borked (AU gave me a completely new one for only $50. Didn't even care that I had obviously S-Off'ed my original), and of course, the new one had the latest software and Hboot 1.54. Don't let anyone tell you Rumrunner will work with this unless you already have root (and not just temproot). Nor could I get the "fake.apk" file to work. Signing it didn't work, because it was corrupted every time I downloaded it (somehow).
Fear not! There are other methods, thanks to Towelroot! You just have to get the original version of it somehow (often called TR1.apk). If you can't find a copy (since it's no longer on the official site), you can try to follow these instructions.
The idea is to change the "OS Version" to something older, so that the RUU for the original, crack-tastic version can be installed. You will need the following:
- Original version of Towelroot (tr1.apk)
- HTCSoku's Misc Version Erase Script
- The latest OTA file for best firmware. (Google Translate is your friend)
- The OG RUU file (via HTC Breaking Dev)
- The specific, M7_WLJ version of Revone (No, the latest, general version will not work.) (via HTCSoku)
- A compatible version of Run_root_shell (or other temproot method)
Note: These instructions assume you have an understanding of ADB, Fastboot, commandline commands, and zip files. They provide no warranty, expressed or implied. IF YOU BRICK YOUR DEVICE FOLLOWING THESE INSTRUCTIONS, IT IS EXCLUSIVELY YOUR OWN FAULT.
1. Rename your OG version of Towelroot to tr.apk and place in the "files" folder of the version erase script.
2. Run the Version Erase Script. Follow the instructions. Your bootloader should now show "OS-" with no numbers after it.
3. Enter the RUU mode via "fastboot oem rebootRUU"
4. Extract the firmware.zip from the OTA to your fastboot directory.
5. Flash the OTA with "fastboot flash zip firmware.zip"
6. Place the RUU file into the same directory and flash it with the same command, changing the filename.
7. Use fastboot reboot to boot into the system. Everything will be wiped. Confirm the version is Android 4.1.
8. Yes, your HBoot is still 1.54. Yes, you can still unlock with Revone. It just has to be the M7_WLJ version. No, Rumrunner, Moonshine, or Firewater will not work (or they didn't for me).
9. Push the run_root_shell and revone binaries into /data/local/tmp. Rename them if you don't want to type that out every time.
10. ADB shell and run your temproot, then run Revone with the -P option. Your device should reboot.
11. ADB shell back in and run temproot again, then run revone with the -s 0 option (for S-off). Additionally, you can set the bootloader lock state ( -l for locked, -u for unlocked, -r for relocked) and -t to remove the "TAMPERED" banner. (Note, I ran this with -l at first, which meant I didn't realize this worked until trying a number of different things)
12. Reboot into bootloader and conglaturations! You should have S-off! You can now get supercid with "fastboot oem writecid 11111111" and flash a custom recovery with fastboot flash recovery. (tako posts his updates here. Twrp18.104.22.168 seems to lock up every time it erases the cache; I've had the best luck with the CWM version).
-- Want to go further and also unlock the SIM? Keep in mind, you are much more likely to brick the device doing this than the other things. Make sure you don't typo, particularly with 'if' and 'of'. You'll also need a hex editor. This is not for the faint of heart. (Reference Here)
13. Hop into a root adb shell and do the following:
dd if=/dev/block/mmcblk0p19 of=/sdcard/misc.img
DO NOT TYPO. dd commands can easily brick your device.
14. ADB pull the /sdcard/misc.img back to your computer.
15. Hexedit this misc.img so that, at position 00001023, the value is 11 instead of 00.
16. Push the edited misc.img back to whence it came.
17. Now you will run dd again, replacing the partition with your edited version. Once again, make absolutely sure you don't typo:
dd if=/sdcard/misc.img of=/dev/block/mmcblk0p19
19. You should now be sim unlocked! I haven't actually tested this with another SIM since I don't have any spare, but the Japanese comments suggest it works, and at the very least, if done right, it won't break anything.
Currently running CM11 from Tako on mine. GPS is borked (accuracy is limited to approximately within 50 miles) and camera freezes seconds after opening, but it's Kitkat! Also, I more or less refuse to run without privacyguard or similar.
Edit: Found an update in the "old versions" that fixed the camera and (slightly) improved the GPS. At least it accurately tells me which direction I'm pointing now.
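For the hex edit in steps 14 to 16 above, a scripted patch with checks is harder to typo than a manual edit. This is an added example, not part of the original post: patch_byte and demo are hypothetical names, the demo image is constructed, and reading the post's "00001023" and "11" as hexadecimal is an assumption.

```python
import hashlib
import shutil
from pathlib import Path


def patch_byte(image, offset, expected_old, new_value):
    """Change one byte in a local image copy; return (sha256_before, sha256_after)."""
    image = Path(image)
    original = image.read_bytes()
    if offset >= len(original):
        raise ValueError(f"offset {offset:#x} is past end of file ({len(original)} bytes)")
    if original[offset] == new_value:
        raise ValueError("byte already has the new value; nothing to do")
    if original[offset] != expected_old:
        raise ValueError(
            f"byte at {offset:#x} is {original[offset]:#04x}, expected {expected_old:#04x}; "
            "wrong file or wrong offset")
    # Keep an untouched copy so the partition can be restored with dd if needed.
    backup = image.with_name(image.name + ".orig")
    if backup.exists():
        raise FileExistsError(f"{backup} exists; refusing to overwrite the backup")
    shutil.copy2(image, backup)

    patched = bytearray(original)
    patched[offset] = new_value
    image.write_bytes(patched)

    # Re-read from disk and confirm exactly one byte differs and the size is unchanged.
    written = image.read_bytes()
    diffs = [i for i, (a, b) in enumerate(zip(original, written)) if a != b]
    if len(written) != len(original) or diffs != [offset]:
        shutil.copy2(backup, image)
        raise RuntimeError("verification failed; original restored")
    return hashlib.sha256(original).hexdigest(), hashlib.sha256(written).hexdigest()


def demo(workdir):
    """Run against a constructed 8 KiB all-zero image, not a real misc dump."""
    img = Path(workdir) / "misc.img"
    img.write_bytes(bytes(8192))
    # Assumption: the post's "00001023" and "11" are hexadecimal.
    return patch_byte(img, 0x1023, 0x00, 0x11)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

Keep the .orig copy somewhere off the phone; it is the only way back if the edited image turns out to be wrong.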