[GUIDE] How To S-Off; Permanent Root; Custom Recovery

378 posts
Thanks Meter: 180
By MultiDev, Senior Member on 7th April 2014, 02:47 AM
Post Reply Email Thread
How to Achieve Permanent Root and S-Off:

To get permanent root, you need to S-Off. So lets start with that first. This process will NOT wipe your device. It also works for OS X users. This guide will work on software version 1.55.605.2 (which as of 04/19/2014 is the latest OTA) and below.

--- S-OFF Instructions ---

First, you'll need to download adb, enable its use and setup debugging.
  1. adb is part of the android SDK. You can download it here (OS X users must scroll down and download the OS X version). It does not need to be installed, just unzip it into its own folder. You can also download a zip that contain only adb and fastboot.
  2. once you have adb, you'll need to download the drive for your M8, which can be had from HTC's driver page:
    Then install it. It will install the driver necessary for adb to work. After the installation is finished, uninstall HTC Sync immediately (do this regardless of whether or not you need it; you can reinstall it later if you still want it). This will leave the driver package installed, but remove HTC sync.
  3. Now, back to the phone. Disable all security you have on, including PINs, Pattern Locks, passwords, etc. If you have an exchange forced security policy, you will need to disable the account. You can readd it later.
  4. Enable access to developer options. Jump into the Settings. Then you’re going to scroll down to the bottom and tap on ‘About’, next tap on ‘Software Information’. Now you’ll need to tap on ‘More’, which will give you a new menu. Now just tap on the build number 9 times and you’ll enable Developer options.
  5. Go into developer options menu and enable USB Debugging.
  6. Next, go to Security page and enable "Unknown sources".
  7. Now install weaksauce from here:
  8. If you followed the directions correctly, you should have SuperSU installed and root access. (You can use superuser as well).
  9. Plug in your phone into your computer. Its best to use the factory cable provided with the phone. Use a USB 2.0 type port if possible (USB3.0 ports typically have a blue tab; I have personally used a USB 3.0 Device on Windows 8.1u to perform this without any problems, but your mileage may vary).
  10. Your phone will ask if you if you trust your computer (RSA). Choose "Always Allow".
  11. Ensure adb is working by opening a command prompt (terminal on OS X), navigate to the adt-bundle-[XXXXX]/sdk/platform-tools and typing "adb devices" without quotes. Your phone should show up. Ensure the working directory is the directory that adb is in. Otherwise, transferring firewater may fail. On Windows, you can shift-right-click inside the folder adb is in and click open command prompt to open a cmd in that directory.
  12. Now go download firewater from here:
    http://firewater-soff.com/instructions/ Make sure to use the weaksauce method (second method). Do NOT use the temproot method.
    The firewater file should be called "firewater" without any quotes or extensions (like .bin). Ensure your browser did not partially download or corrupt it.** Make sure its in the same folder as adb. Then follow directions on the firewater site. Be aware the yes/no prompt is case sensitive, so make sure to answer it with an uppercase Y as in "Yes" not "yes". During the process, you will need to enable adb shell to get root. Make sure your phone screen is on so you can see the root request. Grant it and the S-Off process will continue. Otherwise, it will hang there and eventually time out. Sometimes, the process will fail and the phone will reboot. This is okay. Just restart the process. It can sometimes take multiple tries.
  13. When completely successfully, you now have S-OFF. Your phone's bootloader is also unlocked in the process; you do NOT need to perform any additional steps to unlock the bootloader. However, you do not have permanent root. The root that weaksuace provides goes away on reboot and must be reapplied again on startup.
**The filesize seems to vary depending on what OS/browser is used to download it. It should be around 4,519,496 (on disk) in size. If you can't execute firewater, try redownloading it.

Getting permanent root:
-Flash a custom recovery and flash a zip with su.
-[Optional] Return to stock recovery This option is for people who don't want a custom recovery.
Be aware, once rooted and S-Off'ed, you do NOT need the kernel module that enables system write access*. All system changes will survive hard reboots (adb reboot).

-- Recovery Rooting: --
  1. Move the supersu zip onto your internal sdcard. It can be downloaded here:
    You can use Superuser as well. Its your preference, but this guide uses SuperSU.
  2. Uninstall weaksauce. It's no longer needed.
  3. Uninstall SuperSU. It will be reinstalled when you flash the supersu zip. If you have SuperSU Pro installed, you can leave that in place, as that app only holds a key.
  4. From adb, type:
    adb reboot bootloader
  5. Flash a custom recovery. CWM and TWRP are available. Use the fastboot method. Follow the directions here:
    TWRP - http://teamw.in/project/twrp2/226
    CWM - http://forum.xda-developers.com/show....php?t=2708520
  6. Reboot into Recovery
  7. Flash the supersu zip you downloaded.
  8. Reboot and you're done. You have s-off and permanent root.
You can delete the downloaded supersu zip off your internal sdcard; its not longer needed.

-- Manual Root --
Perform all steps noted in section "Recovery Rooting" above.
-Download the stock recovery:
-Ensure the stock recovery img file is in the same folder as fastboot.
-Run the following command from command line: "fastboot flash recovery stockrecovery.img" without the quotes.
-Wait for the process to finish
-Reboot the phone. You now have the stock recovery along with root. With the stock recovery installed, you can now accept OTAs provided you haven't modified/deleted any stock system files. Any new OTAs you take will remove any files/folders you added to the system partition and will remove your root. However, with S-off, this can be undone. If you lost loot after taking an OTA, simply start from the beginning of the section "Recovery Rooting".

-- Common Tweaks --
All of these are optional and are NOT required. However, you may find some benefit to them.
-- Wifi Tether Enabled --
This is unnecessary if you are on a More Everything plan or are paying for hotspot/tethering. You can force enable the native tethering application:
-- Device Wipe after ten attempts --
I really dislike this "feature". Here is how to disable it. This works regardless if you enabled the security or its mandated by an exchange policy.
I use Root Explorer to make this change, but you can use any text editor. Make sure to mount system as R/W. Root explorer can do this from within the app.
Edit this file:
change this:
  <item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">10</item>
to this
  <item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">0</item>
Reboot and its disabled.
-- Power Saver Mode --
Enable "Power Saver" mode using these directions. It's disabled and hidden by default.
-- *Unsecured Kernel --
By default, the stock kernel prevents write access to /system. S-off and root should allow you to makes changes to system. However, some people have reported difficulties using ROM toolbox and other mods (like changing boot animations). In some cases, these issues can be resolved by flashing an insecure kernel:
-- HTC Sense Broswer --
The stock ROM now includes Chrome as the default browser and omits the Sense Browser. Users who prefer the Sense Browser can download it here:
-- HTC Flashlight --
The stock HTC flashlight app.
-- Disable HTC Sync Virtual CDROM --
This disables the virtual CD-ROM from mounting.

-- Donations --
Don't forget to donate to the developers involved in getting you here. Donations for firecracker go to [email protected] (paypal). Donations for weaksuace go to [email protected] (paypal). If I missed anyone, let me know.
The Following 74 Users Say Thank You to MultiDev For This Useful Post: [ View ] Gift MultiDev Ad-Free
7th April 2014, 02:48 AM |#2  
OP Senior Member
Thanks Meter: 180

Been getting some interesting PMs. Here is some of the popular questions.

Do I need a Java card for this?
No. You just need a PC/Mac, a USB 2.0 cable and the M8. Since a public S-off method is now available, that method is obsolete and its not recommended anymore.

Do I have to change or reset my CID?
No, that is only necessary for people who s-off'ed via a Javacard.

Do I need to do any of this if I S-off'ed via Javacard?
No, this method ends with the same result.

Can I reverse this and return to completely stock?
Yes, absolutely none of the stuff done here is permanent. You can unroot, relock the bootloader, and S-On as many times as you want. You can flash an HTC RUU to return to completely stock in one go. Note: Be careful with S-On'ing a device. If you S-On a device via a newer RUU and that RUU has no known exploits, you may not be able to S-Off again until an exploit is found.

Do I need to unlock my bootloader after this?
No, the firewater exploit will S-Off and unlock your bootloader.

Will this work on a Mac?
Yes, please read the directions more carefully.

Will this work on USB 3.0 ports as that is all I have?
Usually. On OS X, I've had success using a USB 3.0 port (since recent MBPs only include USB 3). On Windows, the answer seems to be maybe, depending on your OS. Your best bet would be to try on a Windows 8,8.1,8.1u1 machine as that OS includes native support for USB 3.0; that way you aren't relying on vendor specific driver support like on Win7 or below. I have personally done this exploit on USB3 on a Surface Pro.

Will this brick my phone?
There is always a chance, but I have honestly never heard of such a thing happening. Worst case is usually a full reset of the phone.

Will this wipe/format the external SDcard?

How do I flash this via ODIN?
This has absolutely nothing to do with ODIN. That is for Samsung devices. You should not even have ODIN running when do any part of this guide.

How to I convert to a Google Play edition ROM?
Wait for a developer to make one. I will post a link here if/when that happens.
See here:

Does this affect Google Wallet or ISIS?
Yes and no. Google wallet works just fine. ISIS will detect its rooted and refuse to work. You'll need to shield root from ISIS to use it. Directions on how to do that can be found via google.

Will this work on non-Verizon HTC M8's?
Yes, though you will need to use a different recovery.

Will this unlock my device for other carriers?
No....because your device is already unlocked in its stock form. AWS band rules force Verizon to keep all their LTE devices unlocked.

Will this jailbreak my device?
No. Wrong type of phone.

I can get red triangle exclamation mark with a black screen. How do I fix this?
You are in the stock recovery. Hold power and volume up and you will get a menu. You can choose reboot system now to get out of there.
The Following 13 Users Say Thank You to MultiDev For This Useful Post: [ View ] Gift MultiDev Ad-Free
7th April 2014, 02:57 AM |#3  
Senior Member
Thanks Meter: 32
appreciate the write up. ill check back here when i find a reason to unlock it
7th April 2014, 03:21 AM |#4  
Senior Member
Thanks Meter: 68
Has anyone done it yet? It's just sitting at "adb wait-for-device push firewater /data/local/tmp" for at least 5 minutes now.
The Following User Says Thank You to sfreemanoh For This Useful Post: [ View ] Gift sfreemanoh Ad-Free
7th April 2014, 03:24 AM |#5  
OP Senior Member
Thanks Meter: 180
Originally Posted by sfreemanoh

Has anyone done it yet? It's just sitting at "adb wait-for-device push firewater /data/local/tmp" for at least 5 minutes now.

I have done everything mentioned in this guide. And it works just fine.

Make sure you are connected via USB2. Also make sure your phone is on and unlocked (as in, no security PIN, pattern, password etc.). Is USB debugging on?

When you type "adb devices" from command prompt, is your device listed?
The Following User Says Thank You to MultiDev For This Useful Post: [ View ] Gift MultiDev Ad-Free
7th April 2014, 03:29 AM |#6  
Senior Member
Thanks Meter: 68
Yeah, nvm, it's fine now. When I first connected it via debugging, I didn't hit the "Always allow" option on my phone, so after the adb reboot it wasn't allowed to reconnect. Just had to disable debugging and re-enable it, it's all set now.
7th April 2014, 03:30 AM |#7  
OP Senior Member
Thanks Meter: 180
Originally Posted by sfreemanoh

Yeah, nvm, it's fine now. When I first connected it via debugging, I didn't hit the "Always allow" option on my phone, so after the adb reboot it wasn't allowed to reconnect. Just had to disable debugging and re-enable it, it's all set now.

Cool. I'll add that to the guide.
The Following 2 Users Say Thank You to MultiDev For This Useful Post: [ View ] Gift MultiDev Ad-Free
7th April 2014, 03:37 AM |#8  
tanium's Avatar
Senior Member
Flag warren
Thanks Meter: 19
Thumbs up
I have not had time to thank and will.
At work and going to hook it up when I get home this morning so I hope no one screws with you guys and gets it pulled.
Very much appreciate all the work they put into it.
Thank you very much for the dummy proof write up
These guys around here are getting to good.
Thank you thank you thank you.
7th April 2014, 04:07 AM |#9  
Thanks Meter: 19
Worked Perfect! Thank you guys!
7th April 2014, 04:45 AM |#10  
mikey2487's Avatar
Senior Member
Thanks Meter: 104
thank you so much! now i can sleep at night knowing that verizon doesn't have control of my device anymore haha!!
7th April 2014, 04:47 AM |#11  
blacknet101's Avatar
Senior Member
Flag California
Thanks Meter: 88
Donate to Me
Im happy to see that s-off was achieved and Im going to unlock my phone right now

but quick question, I'm new to this s-off stuff so I don't know how it works entirely.
But once we unlock the bootloader

is there any way to lock it again in case we need to send the phone to HTC?

sorry for the noob question but just a question that popped into mind.
Post Reply Subscribe to Thread

guide, htc m8, root, s-off, unlock

Guest Quick Reply (no urls or BBcode)
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes