
Info 2 [GUIDE] [2013-05-13] Hows and Whens of (manual) Temproot, S-OFF, Flashing, Unlocking

OP paulie-uk

10th May 2013, 08:49 PM   |  #1  
I see so many guides, but lots of information spread all over the place and much of it unclear. Hence, this guide. I hope everything is clear enough for someone completely new to understand, but also contains the information and resources to be useful to experienced members of these forums. If this is your first time attempting to flash your phone from stock (as you bought it), by the time you've read this post you should have the understanding of what steps to take and why you are doing them.

Prerequisites
First things first, things you will almost definitely need are
  • ADB and Fastboot as part of Google's platform-tools (16.0.2 windows, linux, macosx)
  • HTC's Drivers for Windows computers (here)
  • Android version number (Settings > System > About Phone)
  • HBoot version number (See hboot section)
  • USB debugging enabled (Settings > Applications > Development > USB debugging)
  • Fastboot disabled (Settings > Power > Fast Boot)
  • Your USB cable

You may also need
  • Your CID (Carrier ID, see hboot section)
  • Matching RUU for your carrier/region (Get here here, how to choose here and below)
  • A GoldCard (made from your SD Card, only needed if RUU for your carrier isn't available, see goldcard section)
  • Binary to get temproot (zergRush or tacoroot)
  • Binary to make your phone think it is a lower version number (misc_version_universal)
  • Revolutionary
  • Your phone's serial number (see hboot section)

Things you may want
  • A custom recovery (e.g. 4ext, zip)
  • An ENG hboot (0.98.2000, 2.00.2002, partition tables change so nandroid before, restore after)
  • signapk.jar to create a signed update.zip

To make life easy, I am going to assume that you have saved and extracted all files in the same directory as adb/fastboot.
You may decide to create a folder in the root directory of your computer's hard drive to put all these things in, e.g. C:\desires\
You will probably need an open command prompt or terminal on your computer at this location.
HTC Sync should not be installed on your computer as it can interfere with USB commands.

HBoot
To access your phone's hboot, disconnect any USB and power down your phone. Next, hold down the volume down button, then hold power down until the screen lights up. Release power before releasing volume.
Hboot is useful for flashing, getting information about your phone and running commands that you simply can't do from within Android.
Upon entering hboot, you should be confronted with a screen similar to one of these (left is hboot's bootloader, right is hboot's fastboot)
Code:
*** LOCKED ***                          *** LOCKED ***
SAGA PVT SHIP S-ON RL                   SAGA PVT SHIP S-ON RL
HBOOT-x.xx.xxxx                         HBOOT-x.xx.xxxx (PG8810000)
eMMC-boot                               RADIO-yyyy.yy.yy.yy_M
Jan 1 1970, 00:00:00                    eMMC-boot
                                        Jan 1 1970, 00:00:00
HBOOT
                                        FASTBOOT
<VOL UP> to previous item
<VOL DOWN> to next item                 <VOL UP> to previous item
<POWER> to select item                  <VOL DOWN> to next item
                                        <POWER> to select item
FASTBOOT
RECOVERY                                BOOTLOADER
FACTORY RESET                           REBOOT
SIMLOCK                                 REBOOT BOOTLOADER
IMAGE CRC                               POWER DOWN
What information should you record here?
  • The HBOOT-x.xx.xxxx (this is your hboot's version)
  • Whether it says S-ON or S-OFF
  • Whether it says SHIP or ENG
If it says S-OFF,
  • You should already be able to flash a custom recovery via a PG88IMG.zip so you can skip ahead.
  • If it says SHIP, you may want to flash an ENG hboot.
  • If it says ENG, you may want to keep a backup of your hboot.
If it says S-ON,
  • If your android version was 4.0.4, you have to unlock the bootloader via htcdev.
  • If your hboot version is 0.98.0002 or lower, you can use revolutionary right away.
  • If your hboot is higher, you will need to downgrade by RUU before you can use revolutionary.
If you will be using revolutionary, you will need a few more bits of information.
If your screen looks like the one on the left, navigate to FASTBOOT and select it, and it will change to the one on the right.
Next, plug in your USB then in your command prompt enter the following commands;
  1. Get your phone's serial number
    Code:
    fastboot devices
  2. Get your phone's Carrier ID (for use with choosing RUU)
    Code:
    fastboot getvar cid
You have everything you need from here (for now) so power down or reboot your phone so it starts normally.

Temproot
Requires Android 2.3.5 or lower.
This is useful if you have to downgrade your RUU. You will need your USB connected for this. You don't need to do this if you already have root, as the aim of temproot is to give you root until you next power down your device.
First, choose your weapon, zergRush or tacoroot. If one isn't working for you, use the other. Don't use both at the same time.
  • Using zergRush
    Code:
    adb push zergRush /data/local/tmp/zergRush
    adb shell
    chmod 755 /data/local/tmp/zergRush
    /data/local/tmp/zergRush
    shell will exit
  • Using tacoroot is a bit more complicated but works on more phones, you need to have gone into recovery at least once (tacoroot has command for this)
    Code:
    adb push tacoroot.bin /data/local/tmp/tacoroot
    adb shell 
    chmod 777 /data/local/tmp/tacoroot
    /data/local/tmp/tacoroot --recovery
    Phone reboots to recovery, once it is there, reboot manually
    Code:
    adb shell /data/local/tmp/tacoroot --setup
    Phone reboots again, if it stops at bootloader, choose reboot. It is now ready to be rooted
    Code:
    adb shell /data/local/tmp/tacoroot --root
You should now be rooted, to check this go back to shell
Code:
adb shell
exit
and look to see that there is now a # where there was a $.

If you have successfully got temproot, next is using misc_version. However, this is also a good time to install Titanium Backup, should you want to save any of your data. Busybox and superuser may also be required for Titanium to work, I didn't do it myself.

misc_version
Requires root or temproot.
misc_version is used to trick your phone into thinking it is running an older version. Setting this number lower than the RUU you want makes the phone think the RUU is newer, and so lets it run.
Code:
adb push misc_version /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/misc_version -s 1.27.405.6
You should now be ready to downgrade by RUU.

RUU
Requires misc set to lower version number. Will wipe your phone. Bootloader must be locked.
Choosing a RUU is quite simple, take the CID you found in the hboot section and compare it to this list of carriers
Quote:
Originally Posted by prank1

vendor CID

  • SuperCID 11111111
  • AirTel-India ????????
  • Asia-HK-CHT HTC__622
  • ATT CWS__001
  • BM BM___001
  • Bouygues-Telecom BOUYG201
  • Brightstar-PTB BSTAR502
  • Brightstar-SPA BSTAR301
  • Chunghwa-Taiwan CHT__601
  • CT HTCCN702
  • CU HTCCN703
  • DCM DOCOM801
  • DOPOD DOPOD701
  • Era T-MOB009
  • Fastweb-IT FASTW401
  • GOOGLE GOOGL001
  • H3G-DAN H3G__F05
  • H3G-Italy H3G__402
  • H3G-ROI H3G__003
  • H3G-SWE H3G__G04
  • H3G-UK H3G__001
  • HTC-Asia-SEA HTC__037
  • HTC-Asia-SEA-WWE HTC__044
  • HTC-Australia HTC__023
  • HTC-BE HTC__E41
  • HTC-Czech HTC__C24
  • HTC-Denmark HTC__F08
  • HTC-Dutch HTC__E11
  • HTC-EastEurope HTC__032
  • HTC-ELL HTC__N34
  • HTC-FRA HTC__203
  • HTC-FRA-Bouygues HTC__247
  • HTC-GCC HTC__J15
  • HTC-GER HTC__102
  • HTC-India HTC__038
  • HTC-ITA HTC__405
  • HTC-Nor HTC__Y13
  • HTC-Norway HTC__H10
  • HTC-Poland HTC__B25
  • HTC-PTG HTC__506
  • HTC-Russia HTC__A07
  • HTC-Singapore ????????
  • HTC-SPA HTC__304
  • HTC-Sweden HTC__G09
  • HTC-Turkey HTC__M27
  • HTC-WWE HTC__001
  • Hutch-Australia HUTCH001
  • O2-DE O2___102
  • O2-UK O2___001
  • Open-Channel HTCCN701
  • Optus-Australia OPTUS001
  • ORANGE-AT ORANG113
  • ORANGE-BE ORANG012
  • ORANGE-CH-FRA ORANG203
  • ORANGE-CH-GER ORANG104
  • ORANGE-ES ORANG309
  • ORANGE-French ORANG202
  • ORANGE-PL ORANGB10
  • ORANGE-PO ORANG008
  • ORANGE-SK ORANG006
  • ORANGE-UK ORANG001
  • Rogers ROGER001
  • SMC-Voda-HK SMCVD001
  • StarHub-Singapore ????????
  • TELEF-Spain TELEF301
  • Telstra TELST001
  • TELUS TELUS001
  • TIM-Italy TIM__401
  • TMA T-MOB102
  • TMCZ T-MOB004
  • TMD T-MOB101
  • TMH T-MOB007
  • TMHR T-MOB006
  • TMMK T-MOBL11
  • TMNL T-MOB003
  • TMSK T-MOB008
  • TMUK T-MOB005
  • TMUS T-MOB010
  • TWM-TW HTC__621
  • VIRGIN-UK VIRGI001
  • VODA-Africa-South HTC__016
  • VODA-Australia VODAP021
  • VODA-Germany VODAP102
  • VODA-Greece VODAP006
  • VODA-Ireland VODAP019
  • VODA-Italy VODAP405
  • VODA-Mobilkom VODAP120
  • VODA-Netherland VODAPE17
  • VODA-New-Zealand VODAP022
  • VODA-Portugal VODAPD18
  • VODA-Proximus VODAP024
  • VODA-SA VODAP026
  • VODA-SFR VODAP203
  • VODA-Spain VODAP304
  • VODA-Swisscom-DE VODAP110
  • VODA-Swisscom-FR VODAP212
  • VODA-Swisscom-IT VODAP416
  • VODA-Swisscom-WWE VODAP015
  • VODA-TR VODAPM27
  • VODA-UK VODAP001


Now go over to a repository of RUUs and select the oldest one for your carrier. If there isn't one, then try the generic one for your region (e.g. Europe/Asia/WWE).
The purpose of downgrading is to get an older hboot, so you will be looking for a RUU with version number 1.4x.xxx.x or lower.
There are a lot of SAGA RUUs hosted on androidruu.com androidfiles.org

If the install fails, you may need a goldcard (see GoldCard section) then come back here.
If the install works, go on to Revolutionary.

GoldCard
A GoldCard is used to make your phone ignore its Carrier ID (CID) and branding when updating with a RUU. It, in effect, grants you "Super CID" whilst it is connected to your phone.
There are many ways to make a GoldCard, but not all SD cards work.
My preferred method uses the goldcard binary and is done with your phone connected by USB.
Code:
adb push goldcard /data/local/tmp/
adb shell chmod 777 /data/local/tmp/goldcard
adb shell cat /sys/class/mmc_host/mmc2/mmc2:*/cid > tcid
set/p cid= < tcid
del tcid
adb shell /data/local/tmp/goldcard -c %cid% -o /data/local/tmp/goldcard.img
adb shell dd if=/data/local/tmp/goldcard.img of=/dev/block/mmcblk1
Your SD card should now be a goldcard. Reboot and try running the RUU again.

Unlocking Bootloader
Will wipe your phone. Don't do this if you're S-OFF.
This lets you flash a custom recovery and custom ROMs using a S-ON device. If you're able to use revolutionary or are already S-OFF, I advise against unlocking your bootloader. After this, when on a custom ROM that has been rooted, if you want to get S-OFF you can use misc_version, re-lock your bootloader and downgrade by RUU.
To unlock your bootloader, head over to htcdev.com/bootloader, choose "All Other Supported Models" and follow the steps it gives you. You can use the same adb and fastboot as linked in this guide.
You may want to back up /dev/block/mmcblk0p16 and /dev/block/mmcblk0p3 to your SD card (via dd) before unlocking, so you can see what is changed and, in the future, if you go on to S-OFF your device, attempt to lock as if it was never unlocked.

To re-lock your bootloader with fastboot, issue the following command (note that the device will remember that it was unlocked).
Code:
fastboot oem lock

Flashing
Requires S-OFF or unlocked bootloader.
There are many ways to flash your phone; through recovery, using fastboot flash, fastboot flash zip, PG88IMG.zip and using dd. It is useful to know several methods as you may encounter a situation where one may not work but another will. A S-ON but unlocked device will still prevent some parts of the phone from being overwritten (e.g. hboot).
If you have reached here and just want to put a custom ROM onto your device, put the ROM's zip onto your SD card then the next step is to flash a custom recovery (usually via fastboot). After that, boot into the recovery and: 1. Backup your phone (savepoint), 2. Wipe the phone (clean start), 3. "Install from .zip" (flash ROM).
In all examples, I will demonstrate flashing "my_recovery.img" to the recovery partition.

By fastboot flash
Reboot to bootloader, select fastboot, connect USB, then
Code:
fastboot flash recovery my_recovery.img
Wait for it to complete, reboot your device and it is done.
By fastboot flash zip
This is the most similar to the method used by a RUU installer. It requires you to create a zip file as in the PG88IMG.zip for it to work, with the exception that you have the file on the computer and not on the SD card.
Reboot to bootloader, select fastboot, connect USB, then
Code:
fastboot oem rebootRUU
fastboot flash zip PG88IMG.zip
Wait for it to complete, reboot your device and it is done.
By PG88IMG.zip
You create a zip file where the ".img" files are named the same as the partition you want to overwrite, and include an "android-info.txt" file to say "this is an important update".
File structure:
Code:
PG88IMG.zip
├android-info.txt
└recovery.img
Example "android-info.txt"
Code:
modelid: PG8810000
cidnum:VODAP***
cidnum:VIRGI***
cidnum:T-MOB***
cidnum:TIM__***
cidnum:TELST***
cidnum:TELEF***
cidnum:ORANG***
cidnum:O2___***
cidnum:BOUYG***
cidnum:H3G__***
cidnum: HTC__***
mainver: 14.01.401.2
hbootpreupdate:13
DelCache:1
DelDevlog:1
Place the PG88IMG.zip file in the root of your SD card and reboot to bootloader. It will be automatically detected, preventing you from doing other actions whilst it is there. After it has flashed, remove or rename the file so that the bootloader won't detect it again next time.
Wait for it to complete, reboot your device and it is done.
By dd
This is the only one done by adb (root environment, S-OFF) and the only one that lets you modify un-named partitions and skip version checks. It can also be done from recovery, but remember to mount /sdcard/ if you plan to use it.
Typing a wrong number when doing this can easily brick your phone, so some consider it the most dangerous method.
First, look up which block you want
Code:
mmcblk0p7     rcdata (still protected on revolutionary S-OFF)
mmcblk0p17    misc
mmcblk0p18    hboot
mmcblk0p19    splash1
mmcblk0p21    recovery
mmcblk0p22    boot
mmcblk0p25    system
mmcblk0p27    cache
mmcblk0p26    data
mmcblk0p28    devlog
mmcblk0p29    pdata
Then run the command
Code:
adb push my_recovery.img /sdcard/
adb shell dd if=/sdcard/my_recovery.img of=/dev/block/mmcblk0p21
(if you need to use su to get root, separate "adb shell" from "dd" and put "su" between them)
Wait for it to complete, reboot your device and it is done.

Backups
Restores require S-OFF
Other than using your recovery's backup, you can also backup partitions through dd. This does not require S-OFF and is similar to flashing with dd but with the input and output paths the other way around.
For example, to backup your hboot as "my_hboot.img", find the block it is on (listed above) and run the command
Code:
adb shell dd if=/dev/block/mmcblk0p18 of=/sdcard/my_hboot.img
If you are not going to be changing special partitions, normal backups made through your custom recovery are easier and store all your data.

update.zip
Requires S-OFF or unlocked bootloader
An update.zip lets you interact with the filesystem as root without fully loading up Android via fastboot, stock recovery or custom recovery. It works in a similar way to PG88IMG.zip but with scripting, and the .zip needs to be signed.
The following is an example of how you might create an update.zip to root your device, grey entries are generated upon signing. Remember to include update-binary.
Code:
update.zip
├META-INF
│├com
││└google
││ └android
││   ├update-binary
││   └updater-script
│├CERT.RSA
│├CERT.SF
│└MANIFEST.MF
└system
 └xbin
  ├busybox
  └su
The updater-script contents for this example could be as follows below.
It is important to leave a blank line at the end of this file so that it works as expected.
Code:
mount("MTD", "system", "/system");
delete("/system/bin/busybox", "/system/xbin/busybox");
delete("/system/bin/su", "/system/xbin/su");
package_extract_dir("system", "/system");
set_perm(0, 0, 06755, "/system/xbin/busybox");
set_perm(0, 0, 06755, "/system/xbin/su");
unmount("/system");
To sign the zip, use signapk.jar with a pem certificate file and pk8 key file. You can generate your own or use the ones in the zip attached below.
Code:
java -jar signapk.jar certificate.pem key.pk8 update.zip update-signed.zip
Once signed, you have two choices of how to apply it
  • By recovery; place the update-signed.zip on the root of your SD card and rename it to update.zip. Now reboot into bootloader, choose recovery. If you're on stock recovery, you may be prompted by an exclamation mark here, hold volume up and volume down, press power and then release the buttons to proceed to the next screen. Now choose to apply update.zip.
  • By fastboot; boot into your bootloader, go to fastboot, and run
    Code:
    fastboot update update-signed.zip

The different commands you have available to you in updater-script are below
Code:
abort()
apply_patch(<source_file>, <target_file>, <target_sha1>, <target_size>, <patch1_sha1>, <patch1>[, ..., <patchN_sha1>, <patchN>])
apply_patch_check(<file>, sha1_1[, ..., sha1_N])
apply_patch_space(<number_of_bytes>)
assert(<condition>)
delete(file1[, file2, ..., fileN])
delete_recursive(dir1[, dir2,...,dirN])
file_getprop(<property_file>, <key>)
format(<filesystem_type>, <partition_type>, <partition_or_device>)
e.g. filesystem_type; "yaffs2", "ext4"
     partition_type; "MTD", "EMMC"
getprop(<key>)
ifelse(<condition>, <script_if_true>, <script_if_false>)
is_mounted(<mount_point>)
mount([<filesystem_type>, ]<partition_type>, <partition_or_device>, <mount_point>)
e.g. filesystem_type; "yaffs2", "ext4"
     partition_type; "MTD", "EMMC"
package_extract_dir(<package_path>, <destination_path>)
package_extract_file(<package_path>[, <destination_path>])
read_file(<file>)
run_program(<program>, <arg1>[, .., <argN>])
set_perm(<user_id>, <group_id>, <mode>, <file1>[, <file2>, ..., <fileN>])
set_perm_recursive(<user_id>, <group_id>, <dir_mode>, <file_mode>, <dir1>[, ..., <dirN>])
set_progress(<fraction>)
sha1_check(<data>[, <sha1_1>, ..., <sha1_N>])
show_progress(<fraction>, <seconds>)
symlink(<target_path>, <link1>[, ..., <linkN>])
ui_print(<text1>[, ..., <textN>])
unmount(<mount_point>)
write_raw_image(<image_file>, <partition>)


Credits
xp314a, drivers
prank1, CID vendor list
Revolutionary, S-OFFing and zergRush
jcase, tacoroot
zryvffn, misc_version_universal
Google, adb and android
htcdev, bootloader unlocking
Many others

Thanks for reading, hope this clarifies a lot.
Please message me if you see any errors.
Attached Files
File Type: zip goldcard.zip (9.8 KB, 208 views)
File Type: zip misc_version_universal.zip (211.8 KB, 252 views)
File Type: zip tacoroot.zip (6.9 KB, 212 views)
File Type: zip zergRush.zip (8.0 KB, 312 views)
File Type: zip signapk.zip (131.6 KB, 134 views)
Last edited by paulie-uk; 17th February 2014 at 04:03 AM. Reason: chmod for misc_version, changed ruu links, more explanation
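The gate that the guide's android-info.txt, CID and misc_version sections describe can be modelled offline before a PG88IMG.zip or RUU is flashed. This is an added example, not part of the original post or any HTC tool. The matching rules are assumptions: each `*` in a cidnum stands for one character, the SuperCID from the vendor list passes any cidnum list, and a package is refused only when its mainver is older than the device's main version. The second model id and the 20.28.401.1 version in the demo are constructed.

```python
import re

# Constructed sample, shortened from the android-info.txt shown in the guide.
SAMPLE_INFO = """\
modelid: PG8810000
cidnum:VODAP***
cidnum:ORANG***
cidnum: HTC__***
mainver: 14.01.401.2
hbootpreupdate:13
DelCache:1
"""

SUPER_CID = "11111111"  # "SuperCID" entry in the guide's vendor list


def parse_android_info(text):
    """Parse 'key: value' lines; repeated keys such as cidnum become lists."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        info.setdefault(key.strip().lower(), []).append(value.strip())
    return info


def cid_allowed(patterns, cid):
    """Assumed rule: '*' matches exactly one character; SuperCID always passes."""
    if cid == SUPER_CID:
        return True
    for pattern in patterns:
        regex = "".join("." if ch == "*" else re.escape(ch) for ch in pattern)
        if re.fullmatch(regex, cid):
            return True
    return False


def version_tuple(ver):
    """'1.27.405.6' -> (1, 27, 405, 6), so fields compare numerically."""
    return tuple(int(part) for part in ver.split("."))


def preflight(info, model_id, cid, main_version):
    """Return the reasons a package would be refused; an empty list means it passes."""
    problems = []
    if model_id not in info.get("modelid", []):
        problems.append("modelid mismatch")
    if not cid_allowed(info.get("cidnum", []), cid):
        problems.append("cid not listed")
    mainver = info.get("mainver", [None])[0]
    if mainver is None:
        problems.append("mainver missing")
    elif version_tuple(mainver) < version_tuple(main_version):
        # Assumed rule: only a package older than the device is rejected.
        problems.append("package older than device")
    return problems


if __name__ == "__main__":
    info = parse_android_info(SAMPLE_INFO)
    devices = [
        ("PG8810000", "VODAP001", "1.27.405.6"),   # after misc_version -s
        ("PG8810000", "ROGER001", "1.27.405.6"),   # carrier not in cidnum list
        ("PG8810000", "11111111", "20.28.401.1"),  # constructed newer version
    ]
    for device in devices:
        print(device, preflight(info, *device) or "passes")
```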
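The update.zip section of the guide notes that MANIFEST.MF, CERT.SF and CERT.RSA are generated on signing. As an added example (not from the original post and not signapk's own code), the script below re-computes each file's digest and compares it with the value recorded in MANIFEST.MF, which shows whether an archive was changed after it was signed. It assumes JAR-style manifest entries with `SHA1-Digest` or `SHA-256-Digest` attributes; the sample archive is constructed in memory with placeholder file bodies.

```python
import base64
import hashlib
import io
import re
import zipfile

DIGESTS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}
# Signature files sit directly in META-INF and are not listed in the manifest.
SIGNATURE_FILE = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))")


def parse_manifest(text):
    """Return {entry name: {attribute: value}} from a JAR-style MANIFEST.MF."""
    # Long lines are wrapped; a continuation line starts with a single space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries


def verify_update_zip(data):
    """Return {file name: problem}; an empty dict means every digest matched."""
    problems = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [n for n in zf.namelist()
                 if not n.endswith("/") and not SIGNATURE_FILE.fullmatch(n)]
        for name in names:
            attrs = manifest.get(name)
            if attrs is None:
                problems[name] = "not in manifest"
                continue
            for key, algo in DIGESTS.items():
                if key in attrs:
                    actual = base64.b64encode(algo(zf.read(name)).digest()).decode()
                    if actual != attrs[key]:
                        problems[name] = "digest mismatch"
                    break
            else:
                problems[name] = "no known digest"
        for name in manifest:
            if name not in names:
                problems[name] = "listed but absent"
    return problems


def build_sample(tamper=False):
    """Constructed stand-in for a signed update.zip; file bodies are placeholders."""
    files = {
        "META-INF/com/google/android/updater-script": b'unmount("/system");\n',
        "system/xbin/su": b"placeholder bytes",
    }
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in files.items():
        digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
        manifest += f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    if tamper:  # swap a file after its digest was recorded
        files["system/xbin/su"] = b"modified bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(verify_update_zip(build_sample()))
    print(verify_update_zip(build_sample(tamper=True)))
```

Matching digests only show that the files agree with MANIFEST.MF; the signature chain in CERT.SF and CERT.RSA is not checked here.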
10th May 2013, 09:19 PM   |  #2  
Fatal1ty_93_RUS
This
Is
Epic
:beer::beer:
10th May 2013, 11:28 PM   |  #3  
jugg1es
Very nicely done :thumbup::beer:
15th May 2013, 07:23 PM   |  #4  
ben_pyett
how comes you've managed to accumulate all this knowledge? great formatted posting! where were you before XDA?

paul_robo?
15th May 2013, 11:13 PM   |  #5  
Impressive work :thumbup:
16th May 2013, 12:37 AM   |  #6  
paulie-uk (OP)
Quote:
Originally Posted by ben_pyett

how comes you've managed to accumulate all this knowledge? great formatted posting! where were you before XDA?

I was not a member here before I joined.

All the knowledge is out there, much on xda, some across wikis and other forums, I accumulated it because rather than just blindly following a guide to S-OFF and flash my phone, I wanted to actually learn and understand what I was doing at each step.
Knowledge begets knowledge.

As for posting it, I was a little surprised to see nobody had compiled all the information I was looking for together, it was either guides based on more guides, or odd posts spread across the internet. I saw a gap so filled it!
7th September 2013, 03:59 PM   |  #7  
How to Root.
Frndz here is my htc Desire HD Information,plz tell me the right way to root it?
7th September 2013, 04:11 PM   |  #8  
jugg1es
Quote:
Originally Posted by shahzaib8711

Frndz here is my htc Desire HD Information,plz tell me the right way to root it?

Try looking in your device forum; this is for the Desire S (saga).

"You learn something new every day if you're not careful" - Wilf Lunn
27th September 2013, 02:54 AM   |  #9  
bossdwight
Very very helpful for a newbie like me, thanks for this.
29th September 2013, 08:58 PM   |  #10  
Quote:
Originally Posted by shahzaib8711

Frndz here is my htc Desire HD Information,plz tell me the right way to root it?

you need to unlock bootloader, then flash custom recovery (for example CWM or 4EXT) via fastboot, then flash superuser flashable zip via recovery
