First things first, things you will almost definitely need are
- ADB and Fastboot as part of Google's platform-tools (16.0.2 windows, linux, macosx)
- HTC's Drivers for Windows computers (here)
- Android version number (Settings > System > About Phone)
- HBoot version number (See hboot section)
- USB debugging enabled (Settings > Applications > Development > USB debugging)
- Fastboot disabled (Settings > Power > Fast Boot)
- Your USB cable
You may also need
- Your CID (Carrier ID, see hboot section)
- Matching RUU for your carrier/region (Get here
here, how to choose here and below)
- A GoldCard (made from your SD Card, only needed if RUU for your carrier isn't available, see goldcard section)
- Binary to get temproot (zergRush or tacoroot)
- Binary to make your phone think it is a lower version number (misc_version_universal)
- Your phone's serial number (see hboot section)
Things you may want
- A custom recovery (e.g. 4ext, zip)
- An ENG hboot (0.98.2000, 2.00.2002, partition tables change so nandroid before, restore after)
- signapk.jar to create a signed update.zip
To make life easy, I am going to assume that you have saved and extracted all files in the same directory as adb/fastboot.
You may decide to create a folder in the root directory of your computer's hard drive to put all these things in, e.g. C:\desires\
You will probably need an open command prompt or terminal on your computer at this location.
HTC Sync should not be installed on your computer as it can interfere with USB commands.
To access your phone's hboot, disconnect any USB and power down your phone. Next, hold down the volume down button, then hold power down until the screen lights up. Release power before releasing volume.
Hboot is useful for flashing, getting information about your phone and running commands that you simply can't do from within Android.
Upon entering hboot, you should be confronted with a screen similar to one of these (left is hboot's bootloader, right is hboot's fastboot)
*** LOCKED *** *** LOCKED *** SAGA PVT SHIP S-ON RL SAGA PVT SHIP S-ON RL HBOOT-x.xx.xxxx HBOOT-x.xx.xxxx (PG8810000) eMMC-boot RADIO-yyyy.yy.yy.yy_M Jan 1 1970, 00:00:00 eMMC-boot Jan 1 1970, 00:00:00 HBOOT FASTBOOT <VOL UP> to previous item <VOL DOWN> to next item <VOL UP> to previous item <POWER> to select item <VOL DOWN> to next item <POWER> to select item FASTBOOT RECOVERY BOOTLOADER FACTORY RESET REBOOT SIMLOCK REBOOT BOOTLOADER IMAGE CRC POWER DOWN
- The HBOOT-x.xx.xxxx (this is your hboot's version)
- Whether it says S-ON or S-OFF
- Whether it says SHIP or ENG
- You should already be able to flash a custom recovery via a PG88IMG.zip so you can skip ahead.
- If it says SHIP, you may want to flash an ENG hboot.
- If it says ENG, you may want to keep a backup of your hboot.
- If your android version was 4.0.4, you have to unlock the bootloader via htcdev.
- If your hboot version is 0.98.0002 or lower, you can use revolutionary right away.
- If your hboot is higher, you will need to downgrade by RUU before you can use revolutionary.
If your screen looks like the one on the left, navigate to FASTBOOT and select it, and it will change to the one on the right.
Next, plug in your USB then in your command prompt enter the following commands;
- Get your phone's serial number Code:
- Get your phone's Carrier ID (for use with choosing RUU) Code:
fastboot getvar cid
Temproot Requires Android 2.3.5 or lower.
This is useful if you have to downgrade your RUU. You will need your USB connected for this. You don't need to do this if you already have root, as the aim of temproot is to give you root until you next power down your device.
First, choose your weapon, zergRush or tacoroot. If one isn't working for you, use the other. Don't use both at the same time.
- Using zergRush
adb push zergRush /data/local/tmp/zergRush adb shell chmod 755 /data/local/tmp/zergRush /data/local/tmp/zergRush
- Using tacoroot is a bit more complicated but works on more phones, you need to have gone into recovery at least once (tacoroot has command for this)
adb push tacoroot.bin /data/local/tmp/tacoroot adb shell chmod 777 /data/local/tmp/tacoroot /data/local/tmp/tacoroot --recovery
adb shell /data/local/tmp/tacoroot --setup
adb shell /data/local/tmp/tacoroot --root
adb shell exit
If you have successfully got temproot, next is using misc_version. However, this is also a good time to install Titanium Backup, should you want to save any of your data. Busybox and superuser may also be required for Titanium to work, I didn't do it myself.
misc_version Requires root or temproot.
misc_version is used to trick your phone into thinking it is running an older version. Setting this number lower than the RUU you want makes the phone think the RUU is newer, and so lets it run.
adb push misc_version /data/local/tmp/misc_version adb shell chmod 777 /data/local/tmp/misc_version adb shell /data/local/tmp/misc_version -s 1.27.405.6
RUU Requires misc set to lower version number. Will wipe your phone. Bootloader must be locked.
Choosing a RUU is quite simple, take the CID you found in the hboot section and compare it to this list of carriers
- SuperCID 11111111
- AirTel-India ????????
- Asia-HK-CHT HTC__622
- ATT CWS__001
- BM BM___001
- Bouygues-Telecom BOUYG201
- Brightstar-PTB BSTAR502
- Brightstar-SPA BSTAR301
- Chunghwa-Taiwan CHT__601
- CT HTCCN702
- CU HTCCN703
- DCM DOCOM801
- DOPOD DOPOD701
- Era T-MOB009
- Fastweb-IT FASTW401
- GOOGLE GOOGL001
- H3G-DAN H3G__F05
- H3G-Italy H3G__402
- H3G-ROI H3G__003
- H3G-SWE H3G__G04
- H3G-UK H3G__001
- HTC-Asia-SEA HTC__037
- HTC-Asia-SEA-WWE HTC__044
- HTC-Australia HTC__023
- HTC-BE HTC__E41
- HTC-Czech HTC__C24
- HTC-Denmark HTC__F08
- HTC-Dutch HTC__E11
- HTC-EastEurope HTC__032
- HTC-ELL HTC__N34
- HTC-FRA HTC__203
- HTC-FRA-Bouygues HTC__247
- HTC-GCC HTC__J15
- HTC-GER HTC__102
- HTC-India HTC__038
- HTC-ITA HTC__405
- HTC-Nor HTC__Y13
- HTC-Norway HTC__H10
- HTC-Poland HTC__B25
- HTC-PTG HTC__506
- HTC-Russia HTC__A07
- HTC-Singapore ????????
- HTC-SPA HTC__304
- HTC-Sweden HTC__G09
- HTC-Turkey HTC__M27
- HTC-WWE HTC__001
- Hutch-Australia HUTCH001
- O2-DE O2___102
- O2-UK O2___001
- Open-Channel HTCCN701
- Optus-Australia OPTUS001
- ORANGE-AT ORANG113
- ORANGE-BE ORANG012
- ORANGE-CH-FRA ORANG203
- ORANGE-CH-GER ORANG104
- ORANGE-ES ORANG309
- ORANGE-French ORANG202
- ORANGE-PL ORANGB10
- ORANGE-PO ORANG008
- ORANGE-SK ORANG006
- ORANGE-UK ORANG001
- Rogers ROGER001
- SMC-Voda-HK SMCVD001
- StarHub-Singapore ????????
- TELEF-Spain TELEF301
- Telstra TELST001
- TELUS TELUS001
- TIM-Italy TIM__401
- TMA T-MOB102
- TMCZ T-MOB004
- TMD T-MOB101
- TMH T-MOB007
- TMHR T-MOB006
- TMMK T-MOBL11
- TMNL T-MOB003
- TMSK T-MOB008
- TMUK T-MOB005
- TMUS T-MOB010
- TWM-TW HTC__621
- VIRGIN-UK VIRGI001
- VODA-Africa-South HTC__016
- VODA-Australia VODAP021
- VODA-Germany VODAP102
- VODA-Greece VODAP006
- VODA-Ireland VODAP019
- VODA-Italy VODAP405
- VODA-Mobilkom VODAP120
- VODA-Netherland VODAPE17
- VODA-New-Zealand VODAP022
- VODA-Portugal VODAPD18
- VODA-Proximus VODAP024
- VODA-SA VODAP026
- VODA-SFR VODAP203
- VODA-Spain VODAP304
- VODA-Swisscom-DE VODAP110
- VODA-Swisscom-FR VODAP212
- VODA-Swisscom-IT VODAP416
- VODA-Swisscom-WWE VODAP015
- VODA-TR VODAPM27
- VODA-UK VODAP001
Now go over to a repository of RUUs and select the oldest one for your carrier. If there isn't one, then try the generic one for your region (e.g. Europe/Asia/WWE).
The purpose of downgrading is to get an older hboot, so you will be looking for a RUU with version number 1.4x.xxx.x or lower.
There are a lot of SAGA RUUs hosted on androidruu.com
If the install fails, you may need a goldcard (see GoldCard section) then come back here.
If the install works, go on to Revolutionary.
A GoldCard is used to make your phone ignore it's Carrier ID (CID) and branding when updating with a RUU. It, in effect, grants you "Super CID" whilst it is connected to your phone.
There are many ways to make a GoldCard, but not all SD cards work.
My preferred method uses the goldcard binary and is done with your phone connected by USB.
adb push goldcard /data/local/tmp/ adb shell chmod 777 /data/local/tmp/goldcard adb shell cat /sys/class/mmc_host/mmc2/mmc2:*/cid > tcid set/p cid= < tcid del tcid adb shell /data/local/tmp/goldcard -c %cid% -o /data/local/tmp/goldcard.img adb shell dd if=/data/local/tmp/goldcard.img of=/dev/block/mmcblk1
Unlocking Bootloader Will wipe your phone. Don't do this if you're S-OFF.
This lets you flash a custom recovery and custom ROMs using a S-ON device. If you're able to use revolutionary or are already S-OFF, I advise against unlocking your bootloader. After this, when on a custom ROM that has been rooted, if you want to get S-OFF you can use misc_version, re-lock your bootloader and downgrade by RUU.
To unlock your bootloader, head over to htcdev.com/bootloader, choose "All Other Supported Models" and follow the steps it gives you. You can use the same adb and fastboot as linked in this guide.
You may want to backup /dev/block/mmcblk0p16 and /dev/block/mmcblk0p3 to your SD card (via dd) before unlocking, so you can see what is changed and in the future, if go on to S-OFF your device, attempt to lock as if it was never unlocked.
To re-lock your bootloader with fastboot, issue the following command (note that the device will remember that it was unlocked).
fastboot oem lock
There are many ways to flash your phone; through recovery, using fastboot flash, fastboot flash zip, PG88IMG.zip and using dd. It is useful to know several methods as you may encounter a situation where one may not work but another will. A S-ON but unlocked device will still prevent some parts of the phone from being overwritten (e.g. hboot).
If you have reached here and just want to put a custom ROM onto your device, put the ROM's zip onto your SD card then the next step is to flash a custom recovery (usually via fastboot). After that, boot into the recovery and: 1. Backup your phone (savepoint), 2. Wipe the phone (clean start), 3. "Install from .zip" (flash ROM).
In all examples, I will demonstrate flashing "my_recovery.img" to the recovery partition.
By fastboot flash
Reboot to bootloader, select fastboot, connect USB, thenBy fastboot flash zip
Wait for it to complete, reboot your device and it is done.Code:fastboot flash recovery my_recovery.img
This is the most similar to the method used by a RUU installer. It requires you to create a zip file as in the PG88IMG.zip for it to work, with the exception that you have the file on the computer and not on the SD card.By PG88IMG.zip
Reboot to bootloader, select fastboot, connect USB, then
Wait for it to complete, reboot your device and it is done.Code:fastboot oem rebootRUU fastboot flash zip PG88IMG.zip
You create a zip file where the ".img" files are named the same as the partition you want to overwrite, and include an "android-info.txt" file to say "this is an important update".By dd
Example "android-info.txt"Code:PG88IMG.zip ├android-info.txt └recovery.img
Place the PG88IMG.zip file in the root of your SD card and reboot to bootloader. It will be automatically detected, preventing you from doing other actions whilst it is there. After it has flashed, remove or rename the file so that the bootloader won't detect it again next time.Code:modelid: PG8810000 cidnum:VODAP*** cidnum:VIRGI*** cidnum:T-MOB*** cidnum:TIM__*** cidnum:TELST*** cidnum:TELEF*** cidnum:eek:RANG*** cidnum:eek:2___*** cidnum:BOUYG*** cidnum:H3G__*** cidnum: HTC__*** mainver: 14.01.401.2 hbootpreupdate:13 DelCache:1 DelDevlog:1
Wait for it to complete, reboot your device and it is done.
This is the only one done by adb (root environment, S-OFF) and the only one that lets you modify un-named partitions and skip version checks. It can also be done from recovery, but remember to mount /sdcard/ if you plan to use it.Backups Restores require S-OFF
Typing a wrong number when doing this can easily brick your phone, so some consider it the most dangerous method.
First, look up which block you want
Then run the commandCode:mmcblk0p7 rcdata (still protected on revolutionary S-OFF) mmcblk0p17 misc mmcblk0p18 hboot mmcblk0p19 splash1 mmcblk0p21 recovery mmcblk0p22 boot mmcblk0p25 system mmcblk0p27 cache mmcblk0p26 data mmcblk0p28 devlog mmcblk0p29 pdata
(if you need to use su to get root, seperate "adb shell" from "dd" and "su" between them)Code:adb push my_recovery.img /sdcard/ adb shell dd if=/sdcard/my_recovery.img of=/dev/block/mmcblk0p21
Wait for it to complete, reboot your device and it is done.
Other than using your recovery's backup, you can also backup partitions through dd. This does not require S-OFF and is similar to flashing with dd but with the input and output paths the other way around.
For example, to backup your hboot as "my_hboot.img", find the block it is on (listed above) and run the command
adb shell dd if=/dev/block/mmcblk0p18 of=/sdcard/my_hboot.img
update.zip Requires S-OFF or unlocked bootloader
An update.zip lets you interact with the filesystem as root without fully loading up Android via fastboot, stock recovery or custom recovery. It works in a similar way to PG88IMG.zip but with scripting, and the .zip needs to be signed.
The following is an example of how you might create an update.zip to root your device, grey entries are generated upon signing. Remember to include update-binary.
update.zip ├META-INF │├com ││└google ││ └android ││ ├update-binary ││ └updater-script │├CERT.RSA │├CERT.SF │└MANIFEST.MF └system └xbin ├busybox └su
It is important to leave a blank line at the end of this file so that it works as expected.
mount("MTD", "system", "/system"); delete("/system/bin/busybox", "/system/xbin/busybox"); delete("/system/bin/su", "/system/xbin/su"); package_extract_dir("system", "/system"); set_perm(0, 0, 06755, "/system/xbin/busybox"); set_perm(0, 0, 06755, "/system/xbin/su"); unmount("/system");
java -jar signapk.jar certificate.pem key.pk8 update.zip update-signed.zip
- By recovery; place the update-signed.zip on the root of your SD card and rename it to update.zip. Now reboot into bootloader, choose recovery. If you're on stock recovery, you may be prompted by an exclamation mark here, hold volume up and volume down, press power and then release the buttons to proceed to the next screen. Now choose to apply update.zip.
- By fastboot; boot into your bootloader, go to fastboot, and run Code:
fastboot update update-signed.zip
The different commands you have available to you in updater-script are below
abort() apply_patch(<source_file>, <targt_file>, <target_sha1>, <target_size>, <patch1_sha1>, <patch1>[, ..., <patchN_sha1>, <patchN>]) apply_patch_check(<file>, sha1_1[, ..., sha1_N]) apply_patch_space(<number_of_bytes>) assert(<condition>) delete(file1[, file2, ..., fileN]) delete_recursive(dir1[, dir2,...,dirN]) file_getprop(<property_file>, <key>) format(<filesystem_type>, <partition_type>, <partition_or_device>) e.g. filesystem_type; "yaffs2", "ext4" partition_type; "MTD", "EMMC" getprop(<key>) ifelse(<condition>, <script_if_true>, <script_if_false>) is_mounted(<mount_point>) mount([<filesystem_type>, ]<partition_type>, <partition_or_device>, <mount_point>) e.g. filesystem_type; "yaffs2", "ext4" partition_type; "MTD", "EMMC" package_extract_dir(<package_path>, <destination_path>) package_extract_file(<package_path>[, <destination_path>]) read_file(<file>) run_program(<program>, <arg1>[, .., <argN>]) set_perm(<user_id>, <group_id>, <mode>, <file1>[, <file2>, ..., <fileN>]) set_perm_recursive(<user_id>, <group_id>, <dir_mode>, <file_mode>, <dir1>[, ..., <dirN>]) set_progress(<fraction>) sha1_check(<data>[, <sha1_1>, ..., <sha1_N>]) show_progress(<fraction>, <seconds>) symlink(<target_path>, <link1>[, ..., <linkN>]) ui_print(<text1>[, ..., <textN>]) unmount(<mount_point>) write_raw_image(<image_file>, <partition>)
prank1, CID vendor list
Revolutionary, S-OFFing and zergRush
Google, adb and android
htcdev, bootloader unlocking
Thanks for reading, hope this clarifies a lot.
Please message me if you see any errors.