Remove All Ads from XDA

[GUIDE] [2013-05-13] Hows and Whens of (manual) Temproot, S-OFF, Flashing, Unlocking

76 posts
Thanks Meter: 65
By paulie-uk, Member on 10th May 2013, 07:49 PM
Post Reply Email Thread
I see so many guides, but lots of information spread all over the place and much of it unclear. Hence, this guide. I hope everything is clear enough for someone completely new to understand, but also contains the information and resources to be useful to experienced members of these forums. If this is your first time attempting to flash your phone from stock (as you bought it), by the time you've read this post you should have the understanding of what steps to take and why you are doing them.

First things first, things you will almost definitely need are
  • ADB and Fastboot as part of Google's platform-tools (16.0.2 windows, linux, macosx)
  • HTC's Drivers for Windows computers (here)
  • Android version number (Settings > System > About Phone)
  • HBoot version number (See hboot section)
  • USB debugging enabled (Settings > Applications > Development > USB debugging)
  • Fastboot disabled (Settings > Power > Fast Boot)
  • Your USB cable

You may also need
  • Your CID (Carrier ID, see hboot section)
  • Matching RUU for your carrier/region (Get here here, how to choose here and below)
  • A GoldCard (made from your SD Card, only needed if RUU for your carrier isn't available, see goldcard section)
  • Binary to get temproot (zergRush or tacoroot)
  • Binary to make your phone think it is a lower version number (misc_version_universal)
  • Revolutionary
  • Your phone's serial number (see hboot section)

Things you may want
  • A custom recovery (e.g. 4ext, zip)
  • An ENG hboot (0.98.2000, 2.00.2002, partition tables change so nandroid before, restore after)
  • signapk.jar to create a signed

To make life easy, I am going to assume that you have saved and extracted all files in the same directory as adb/fastboot.
You may decide to create a folder in the root directory of your computer's hard drive to put all these things in, e.g. C:\desires\
You will probably need an open command prompt or terminal on your computer at this location.
HTC Sync should not be installed on your computer as it can interfere with USB commands.

To access your phone's hboot, disconnect any USB and power down your phone. Next, hold down the volume down button, then hold power down until the screen lights up. Release power before releasing volume.
Hboot is useful for flashing, getting information about your phone and running commands that you simply can't do from within Android.
Upon entering hboot, you should be confronted with a screen similar to one of these (left is hboot's bootloader, right is hboot's fastboot)
*** LOCKED ***                          *** LOCKED ***
HBOOT-x.xx.xxxx                         HBOOT-x.xx.xxxx (PG8810000)
eMMC-boot                               RADIO-yyyy.yy.yy.yy_M
Jan 1 1970, 00:00:00                    eMMC-boot
                                        Jan 1 1970, 00:00:00
<VOL UP> to previous item
<VOL DOWN> to next item                 <VOL UP> to previous item
<POWER> to select item                  <VOL DOWN> to next item
                                        <POWER> to select item
RECOVERY                                BOOTLOADER
FACTORY RESET                           REBOOT
SIMLOCK                                 REBOOT BOOTLOADER
IMAGE CRC                               POWER DOWN
What information should you record here?
  • The HBOOT-x.xx.xxxx (this is your hboot's version)
  • Whether it says S-ON or S-OFF
  • Whether it says SHIP or ENG
If it says S-OFF,
  • You should already be able to flash a custom recovery via a so you can skip ahead.
  • If it says SHIP, you may want to flash an ENG hboot.
  • If it says ENG, you may want to keep a backup of your hboot.
If it says S-ON,
  • If your android version was 4.0.4, you have to unlock the bootloader via htcdev.
  • If your hboot version is 0.98.0002 or lower, you can use revolutionary right away.
  • If your hboot is higher, you will need to downgrade by RUU before you can use revolutionary.
If you will be using revolutionary, you will need a few more bits of information.
If your screen looks like the one on the left, navigate to FASTBOOT and select it, and it will change to the one on the right.
Next, plug in your USB then in your command prompt enter the following commands;
  1. Get your phone's serial number
    fastboot devices
  2. Get your phone's Carrier ID (for use with choosing RUU)
    fastboot getvar cid
You have everything you need from here (for now) so power down or reboot your phone so it starts normally.

Temproot Requires Android 2.3.5 or lower.
This is useful if you have to downgrade your RUU. You will need your USB connected for this. You don't need to do this if you already have root, as the aim of temproot is to give you root until you next power down your device.
First, choose your weapon, zergRush or tacoroot. If one isn't working for you, use the other. Don't use both at the same time.
  • Using zergRush
    adb push zergRush /data/local/tmp/zergRush
    adb shell
    chmod 755 /data/local/tmp/zergRush
    shell will exit
  • Using tacoroot is a bit more complicated but works on more phones, you need to have gone into recovery at least once (tacoroot has command for this)
    adb push tacoroot.bin /data/local/tmp/tacoroot
    adb shell 
    chmod 777 /data/local/tmp/tacoroot
    /data/local/tmp/tacoroot --recovery
    Phone reboots to recovery, once it is there, reboot manually
    adb shell /data/local/tmp/tacoroot --setup
    Phone reboots again, if it stops at bootloader, choose reboot. It is now ready to be rooted
    adb shell /data/local/tmp/tacoroot --root
You should now be rooted, to check this go back to shell
adb shell
and look to see that there is now a # where there was a $.

If you have successfully got temproot, next is using misc_version. However, this is also a good time to install Titanium Backup, should you want to save any of your data. Busybox and superuser may also be required for Titanium to work, I didn't do it myself.

misc_version Requires root or temproot.
misc_version is used to trick your phone into thinking it is running an older version. Setting this number lower than the RUU you want makes the phone think the RUU is newer, and so lets it run.
adb push misc_version /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/misc_version -s 1.27.405.6
You should now be ready to downgrade by RUU.

RUU Requires misc set to lower version number. Will wipe your phone. Bootloader must be locked.
Choosing a RUU is quite simple, take the CID you found in the hboot section and compare it to this list of carriers
Originally Posted by prank1

vendor CID

  • SuperCID 11111111
  • AirTel-India ????????
  • Asia-HK-CHT HTC__622
  • ATT CWS__001
  • BM BM___001
  • Bouygues-Telecom BOUYG201
  • Brightstar-PTB BSTAR502
  • Brightstar-SPA BSTAR301
  • Chunghwa-Taiwan CHT__601
  • CT HTCCN702
  • CU HTCCN703
  • DCM DOCOM801
  • Era T-MOB009
  • Fastweb-IT FASTW401
  • H3G-DAN H3G__F05
  • H3G-Italy H3G__402
  • H3G-ROI H3G__003
  • H3G-SWE H3G__G04
  • H3G-UK H3G__001
  • HTC-Asia-SEA HTC__037
  • HTC-Asia-SEA-WWE HTC__044
  • HTC-Australia HTC__023
  • HTC-BE HTC__E41
  • HTC-Czech HTC__C24
  • HTC-Denmark HTC__F08
  • HTC-Dutch HTC__E11
  • HTC-EastEurope HTC__032
  • HTC-ELL HTC__N34
  • HTC-FRA HTC__203
  • HTC-FRA-Bouygues HTC__247
  • HTC-GCC HTC__J15
  • HTC-GER HTC__102
  • HTC-India HTC__038
  • HTC-ITA HTC__405
  • HTC-Nor HTC__Y13
  • HTC-Norway HTC__H10
  • HTC-Poland HTC__B25
  • HTC-PTG HTC__506
  • HTC-Russia HTC__A07
  • HTC-Singapore ????????
  • HTC-SPA HTC__304
  • HTC-Sweden HTC__G09
  • HTC-Turkey HTC__M27
  • HTC-WWE HTC__001
  • Hutch-Australia HUTCH001
  • O2-DE O2___102
  • O2-UK O2___001
  • Open-Channel HTCCN701
  • Optus-Australia OPTUS001
  • ORANGE-French ORANG202
  • Rogers ROGER001
  • SMC-Voda-HK SMCVD001
  • StarHub-Singapore ????????
  • TELEF-Spain TELEF301
  • Telstra TELST001
  • TIM-Italy TIM__401
  • TMA T-MOB102
  • TMCZ T-MOB004
  • TMD T-MOB101
  • TMH T-MOB007
  • TMHR T-MOB006
  • TMNL T-MOB003
  • TMSK T-MOB008
  • TMUK T-MOB005
  • TMUS T-MOB010
  • TWM-TW HTC__621
  • VODA-Africa-South HTC__016
  • VODA-Australia VODAP021
  • VODA-Germany VODAP102
  • VODA-Greece VODAP006
  • VODA-Ireland VODAP019
  • VODA-Italy VODAP405
  • VODA-Mobilkom VODAP120
  • VODA-Netherland VODAPE17
  • VODA-New-Zealand VODAP022
  • VODA-Portugal VODAPD18
  • VODA-Proximus VODAP024
  • VODA-Spain VODAP304
  • VODA-Swisscom-DE VODAP110
  • VODA-Swisscom-FR VODAP212
  • VODA-Swisscom-IT VODAP416
  • VODA-Swisscom-WWE VODAP015

Now go over to a repository of RUUs and select the oldest one for your carrier. If there isn't one, then try the generic one for your region (e.g. Europe/Asia/WWE).
The purpose of downgrading is to get an older hboot, so you will be looking for a RUU with version number or lower.
There are a lot of SAGA RUUs hosted on

If the install fails, you may need a goldcard (see GoldCard section) then come back here.
If the install works, go on to Revolutionary.

A GoldCard is used to make your phone ignore it's Carrier ID (CID) and branding when updating with a RUU. It, in effect, grants you "Super CID" whilst it is connected to your phone.
There are many ways to make a GoldCard, but not all SD cards work.
My preferred method uses the goldcard binary and is done with your phone connected by USB.
adb push goldcard /data/local/tmp/
adb shell chmod 777 /data/local/tmp/goldcard
adb shell cat /sys/class/mmc_host/mmc2/mmc2:*/cid > tcid
set/p cid= < tcid
del tcid
adb shell /data/local/tmp/goldcard -c %cid% -o /data/local/tmp/goldcard.img
adb shell dd if=/data/local/tmp/goldcard.img of=/dev/block/mmcblk1
Your SD card should now be a goldcard. Reboot and try running the RUU again.

Unlocking Bootloader Will wipe your phone. Don't do this if you're S-OFF.
This lets you flash a custom recovery and custom ROMs using a S-ON device. If you're able to use revolutionary or are already S-OFF, I advise against unlocking your bootloader. After this, when on a custom ROM that has been rooted, if you want to get S-OFF you can use misc_version, re-lock your bootloader and downgrade by RUU.
To unlock your bootloader, head over to, choose "All Other Supported Models" and follow the steps it gives you. You can use the same adb and fastboot as linked in this guide.
You may want to backup /dev/block/mmcblk0p16 and /dev/block/mmcblk0p3 to your SD card (via dd) before unlocking, so you can see what is changed and in the future, if go on to S-OFF your device, attempt to lock as if it was never unlocked.

To re-lock your bootloader with fastboot, issue the following command (note that the device will remember that it was unlocked).
fastboot oem lock
Flashing Requires S-OFF or unlocked bootloader.
There are many ways to flash your phone; through recovery, using fastboot flash, fastboot flash zip, and using dd. It is useful to know several methods as you may encounter a situation where one may not work but another will. A S-ON but unlocked device will still prevent some parts of the phone from being overwritten (e.g. hboot).
If you have reached here and just want to put a custom ROM onto your device, put the ROM's zip onto your SD card then the next step is to flash a custom recovery (usually via fastboot). After that, boot into the recovery and: 1. Backup your phone (savepoint), 2. Wipe the phone (clean start), 3. "Install from .zip" (flash ROM).
In all examples, I will demonstrate flashing "my_recovery.img" to the recovery partition.

By fastboot flash
Reboot to bootloader, select fastboot, connect USB, then
fastboot flash recovery my_recovery.img
Wait for it to complete, reboot your device and it is done.
By fastboot flash zip
This is the most similar to the method used by a RUU installer. It requires you to create a zip file as in the for it to work, with the exception that you have the file on the computer and not on the SD card.
Reboot to bootloader, select fastboot, connect USB, then
fastboot oem rebootRUU
fastboot flash zip
Wait for it to complete, reboot your device and it is done.
You create a zip file where the ".img" files are named the same as the partition you want to overwrite, and include an "android-info.txt" file to say "this is an important update".
File structure:
Example "android-info.txt"
modelid: PG8810000
cidnum: HTC__***
mainver: 14.01.401.2
Place the file in the root of your SD card and reboot to bootloader. It will be automatically detected, preventing you from doing other actions whilst it is there. After it has flashed, remove or rename the file so that the bootloader won't detect it again next time.
Wait for it to complete, reboot your device and it is done.
By dd
This is the only one done by adb (root environment, S-OFF) and the only one that lets you modify un-named partitions and skip version checks. It can also be done from recovery, but remember to mount /sdcard/ if you plan to use it.
Typing a wrong number when doing this can easily brick your phone, so some consider it the most dangerous method.
First, look up which block you want
mmcblk0p7     rcdata (still protected on revolutionary S-OFF)
mmcblk0p17    misc
mmcblk0p18    hboot
mmcblk0p19    splash1
mmcblk0p21    recovery
mmcblk0p22    boot
mmcblk0p25    system
mmcblk0p27    cache
mmcblk0p26    data
mmcblk0p28    devlog
mmcblk0p29    pdata
Then run the command
adb push my_recovery.img /sdcard/
adb shell dd if=/sdcard/my_recovery.img of=/dev/block/mmcblk0p21
(if you need to use su to get root, seperate "adb shell" from "dd" and "su" between them)
Wait for it to complete, reboot your device and it is done.
Backups Restores require S-OFF
Other than using your recovery's backup, you can also backup partitions through dd. This does not require S-OFF and is similar to flashing with dd but with the input and output paths the other way around.
For example, to backup your hboot as "my_hboot.img", find the block it is on (listed above) and run the command
adb shell dd if=/dev/block/mmcblk0p18 of=/sdcard/my_hboot.img
If you are not going to be changing special partitions, normal backups made through your custom recovery are easier and store all your data. Requires S-OFF or unlocked bootloader
An lets you interact with the filesystem as root without fully loading up Android via fastboot, stock recovery or custom recovery. It works in a similar way to but with scripting, and the .zip needs to be signed.
The following is an example of how you might create an to root your device, grey entries are generated upon signing. Remember to include update-binary.
││ └android
││   ├update-binary
││   └updater-script
The updater-script contents for this example could be as follows below.
It is important to leave a blank line at the end of this file so that it works as expected.
mount("MTD", "system", "/system");
delete("/system/bin/busybox", "/system/xbin/busybox");
delete("/system/bin/su", "/system/xbin/su");
package_extract_dir("system", "/system");
set_perm(0, 0, 06755, "/system/xbin/busybox");
set_perm(0, 0, 06755, "/system/xbin/su");
To sign the zip, use signapk.jar with a pem certificate file and pk8 key file. You can generate your own or use the ones in the zip attached below.
java -jar signapk.jar certificate.pem key.pk8
Once signed, you have two choices of how to apply it
  • By recovery; place the on the root of your SD card and rename it to Now reboot into bootloader, choose recovery. If you're on stock recovery, you may be prompted by an exclamation mark here, hold volume up and volume down, press power and then release the buttons to proceed to the next screen. Now choose to apply
  • By fastboot; boot into your bootloader, go to fastboot, and run
    fastboot update

The different commands you have available to you in updater-script are below
apply_patch(<source_file>, <targt_file>, <target_sha1>, <target_size>, <patch1_sha1>, <patch1>[, ..., <patchN_sha1>, <patchN>])
apply_patch_check(<file>, sha1_1[, ..., sha1_N])
delete(file1[, file2, ..., fileN])
delete_recursive(dir1[, dir2,...,dirN])
file_getprop(<property_file>, <key>)
format(<filesystem_type>, <partition_type>, <partition_or_device>)
e.g. filesystem_type; "yaffs2", "ext4"
     partition_type; "MTD", "EMMC"
ifelse(<condition>, <script_if_true>, <script_if_false>)
mount([<filesystem_type>, ]<partition_type>, <partition_or_device>, <mount_point>)
e.g. filesystem_type; "yaffs2", "ext4"
     partition_type; "MTD", "EMMC"
package_extract_dir(<package_path>, <destination_path>)
package_extract_file(<package_path>[, <destination_path>])
run_program(<program>, <arg1>[, .., <argN>])
set_perm(<user_id>, <group_id>, <mode>, <file1>[, <file2>, ..., <fileN>])
set_perm_recursive(<user_id>, <group_id>, <dir_mode>, <file_mode>, <dir1>[, ..., <dirN>])
sha1_check(<data>[, <sha1_1>, ..., <sha1_N>])
show_progress(<fraction>, <seconds>)
symlink(<target_path>, <link1>[, ..., <linkN>])
ui_print(<text1>[, ..., <textN>])
write_raw_image(<image_file>, <partition>)

xp314a, drivers
prank1, CID vendor list
Revolutionary, S-OFFing and zergRush
jcase, tacoroot
zryvffn, misc_version_universal
Google, adb and android
htcdev, bootloader unlocking
Many others

Thanks for reading, hope this clarifies a lot.
Please message me if you see any errors.
Attached Files
File Type: zip - [Click for QR Code] (9.8 KB, 270 views)
File Type: zip - [Click for QR Code] (211.8 KB, 326 views)
File Type: zip - [Click for QR Code] (6.9 KB, 282 views)
File Type: zip - [Click for QR Code] (8.0 KB, 404 views)
File Type: zip - [Click for QR Code] (131.6 KB, 182 views)
The Following 16 Users Say Thank You to paulie-uk For This Useful Post: [ View ] Gift paulie-uk Ad-Free
10th May 2013, 08:19 PM |#2  
PVL_93_RU's Avatar
Senior Member
Flag Moscow
Thanks Meter: 528
10th May 2013, 10:28 PM |#3  
jugg1es's Avatar
Senior Member
Thanks Meter: 1,997
Very nicely done :thumbup::beer:
15th May 2013, 06:23 PM |#4  
ben_pyett's Avatar
Recognized Contributor
Flag London, Colchester, Wivenhoe
Thanks Meter: 2,364
how comes you've managed to accumulate all this knowledge? great formatted posting! where were you before XDA?

The Following User Says Thank You to ben_pyett For This Useful Post: [ View ] Gift ben_pyett Ad-Free
15th May 2013, 10:13 PM |#5  
Flag Larissa
Thanks Meter: 31
Impressive work :thumbup:

Sent from my HTC Desire S using xda premium
15th May 2013, 11:37 PM |#6  
OP Member
Flag London
Thanks Meter: 65
Originally Posted by ben_pyett

how comes you've managed to accumulate all this knowledge? great formatted posting! where were you before XDA?

I was not a member here before I joined.

All the knowledge is out there, much on xda, some across wikis and other forums, I accumulated it because rather than just blindly following a guide to S-OFF and flash my phone, I wanted to actually learn and understand what I was doing at each step.
Knowledge begets knowledge.

As for posting it, I was a little surprised to see nobody had compiled all the information I was looking for together, it was either guides based on more guides, or odd posts spread across the internet. I saw a gap so filled it!
The Following 3 Users Say Thank You to paulie-uk For This Useful Post: [ View ] Gift paulie-uk Ad-Free
7th September 2013, 02:59 PM |#7  
Junior Member
Thanks Meter: 0
How to Root.
Frndz here is my htc Desire HD Information,plz tell me the right way to root it?
Attached Thumbnails
Click image for larger version

Name:	DSC_0002.jpg
Views:	432
Size:	86.6 KB
ID:	2241338   Click image for larger version

Name:	DSC_0006.jpg
Views:	410
Size:	65.5 KB
ID:	2241339   Click image for larger version

Name:	DSC_0007.jpg
Views:	389
Size:	77.3 KB
ID:	2241340   Click image for larger version

Name:	DSC_0005.jpg
Views:	382
Size:	125.0 KB
ID:	2241341  
7th September 2013, 03:11 PM |#8  
jugg1es's Avatar
Senior Member
Thanks Meter: 1,997
Originally Posted by shahzaib8711

Frndz here is my htc Desire HD Information,plz tell me the right way to root it?

Try looking in your device forum this is for the desire s (saga).

"You learn something new every day if you're not careful" - Wilf Lunn
27th September 2013, 01:54 AM |#9  
bossdwight's Avatar
Junior Member
Thanks Meter: 0
Very very helpful for a newbie like me, thanks for this.
29th September 2013, 07:58 PM |#10  
Senior Member
Thanks Meter: 101
Donate to Me
Originally Posted by shahzaib8711

Frndz here is my htc Desire HD Information,plz tell me the right way to root it?

you need to unlock bootloader, then flash custom recovery (for example CWM or 4EXT) via fastboot, then flash superuser flashable zip via recovery
16th February 2014, 11:08 AM |#11  
Junior Member
Thanks Meter: 1
EXCELLENT! Just installed a new ROM and a Desire S for the first time, and this was a lifesaver

(One minor correction: think you need to chmod misc_version before you run it, at least I did.)
The Following User Says Thank You to dbdkmezz For This Useful Post: [ View ] Gift dbdkmezz Ad-Free
Post Reply Subscribe to Thread

flashing, goldcard, guide, ruu, s-off

Guest Quick Reply (no urls or BBcode)
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes