
[GUIDE] How to get root/flash custom roms with HTCDEV unlock


Nipqer

Senior Member
Mar 14, 2011
905
391
I know some people out there will use the new "official" htcdev.com unlock option for the G2/DZ, but they will still need to do **** to get root or flash custom roms.

I REALLY RECOMMEND USING THE XDA METHOD OF ACQUIRING ROOT AND S-OFF


S-OFF is possible! We can relock the bootloader to allow a downgrade
Go to FASTBOOT USB mode (where you got the unlock token code, and unlocked the bootloader)
Code:
fastboot oem lock
You can then downgrade by following this guide
And get S-OFF with this guide

DO NOT LOCK THE BOOTLOADER IF YOU DON'T WANT TO ROOT PROPERLY!
LOCKING THE BOOTLOADER WILL CAUSE THE REST OF THIS GUIDE TO FAIL!


-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

First, some background as to why these methods are needed.
The HTC 'official' unlock method lets /system be written (given root access) in any mode.
The boot partition and recovery are only writeable in fastboot mode, though. So we need to flash a recovery through fastboot, flash a custom rom, then flash its boot image to be able to boot it.

GAINING ROOT ON STOCK ROM

Gaining Temp Root

DHD USERS WITH SENSE 3.x WILL HAVE TO USE TACOROOT


1. Download the attached files, unzip them, and place the files in your platform-tools folder. To elaborate, place the fre3vo file inside of the fre3vo.zip file in your platform-tools directory.
2. Run the following command to verify the exploit has access to what it needs. (Only the first line is the command. The second line should be the result returned if all goes well.)

Code:
> adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length

4. If you received the same message, you're good to continue on. If not... I'd recommend going back to #g2root and asking them. (I am just passing along the information after all).
5. Run the following commands from your platform-tools directory.

Code:
> adb push fre3vo /data/local/tmp
> adb shell
$ chmod 777 /data/local/tmp/fre3vo
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF

6. After you enter that command, with luck you should see something similar to the last few lines in the following displayed. (It may take a minute or two. From what I can tell, this appears to be the quickest method as the exploit seems to be found in the latter regions.)

Code:
Buffer offset:      00000000
Buffer size:        8192
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba90000...
Potential exploit area found at address fbb4d600:a00.
Exploiting device...

7. If you did get kicked out of adb shell, open it again. You should now see the lovely # instead of $, thus granting you temp root. Go ahead and exit out of shell to proceed to the next stage.

Code:
> adb shell
# exit

Getting Perm-Root


1. Download the attached file, "Vision-fre3vo-temp-root.zip".
2. Extract the contents to your platform-tools directory.
3. Run the following commands in command prompt while in platform-tools directory:
Code:
> adb push su /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push fixsu.sh /data/local/tmp/
> adb install SuperUser.apk
> adb shell chmod 755 /data/local/tmp/fixsu.sh
> adb shell chmod 755 /data/local/tmp/busybox
> adb shell /data/local/tmp/fixsu.sh
Note: If you get permission denied errors on busybox when trying to run fixsu.sh, please let me know.

4. Reboot phone, you should now have perm-root.



FLASHING A CUSTOM ROM


Flashing a custom recovery

Note: this only needs to be done once

1. Download a custom recovery: Latest Clockworkmod, Clockworkmod Touch, 4ext Touch
2. Place the recovery img in the folder with fastboot.exe (which you used to unlock your device), rename the recovery to recovery.img
3. Reboot phone to fastboot mode: Either pull battery and hold TRACKPAD and press power, or run 'adb reboot bootloader' from a cmd/terminal
4. Run
Code:
> fastboot flash recovery recovery.img

sending 'recovery' (4930 KB)...
OKAY [  0.851s]
writing 'recovery'...
OKAY [  0.819s]
finished. total time: 1.670s

Flashing a custom rom

1. Download the rom.zip you wish to run.
2. Extract boot.img from the zip and place it in the folder with fastboot.
3. Copy the rom.zip to your sdcard
4. Flash the rom.zip from your sdcard
5. Reboot to fastboot mode (as above)
6. Run from a cmd/terminal
Code:
> fastboot flash boot boot.img

sending 'boot' (4096 KB)...
OKAY [  0.711s]
writing 'boot'...
OKAY [  1.085s]
finished. total time: 1.798s
7. Reboot, you will now have a custom rom!

Credits:
Setherio, seeing as I ripped off half his guide.
Pierre_ja, helping figure out how to go about this.

If you get stuck with any of this, join #G2ROOT on freenode


-Nipqer
 

Attachments

  • fre3vo.zip
    5.5 KB · Views: 2,562
  • Vision-fre3vo-temp-root.zip
    1 MB · Views: 3,754

textillim

New member
Jul 22, 2010
3
0
Nacka
I'll try this ASAP. This bootloader has only brought me a **** load of headache, hope this works.

Thanks!
 

strawmetal

Senior Member
Dec 23, 2011
408
364
Hyderabad
fixsu.sh permissions denied

Good to know that XDA has people like you to help out.

Couldn't get root, here's the result:

C:\Android SDK\android-sdk\platform-tools>adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length

C:\Android SDK\android-sdk\platform-tools>adb push fre3vo /data/local/tmp
869 KB/s (9796 bytes in 0.011s)

C:\Android SDK\android-sdk\platform-tools>adb shell
$ chmod 777 /data/local/tmp
chmod 777 /data/local/tmp
$ chmod 777 /data/local/tmp/fre3vo
chmod 777 /data/local/tmp/fre3vo
$ /data/local//tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local//tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 80
width: 48
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192
Scanning region faa90000...
Scanning region fab80000...
Scanning region fac70000...
Scanning region fad60000...
Scanning region fae50000...
Scanning region faf40000...
Scanning region fb030000...
Scanning region fb120000...
Scanning region fb210000...
Scanning region fb300000...
Scanning region fb3f0000...
Scanning region fb4e0000...
Scanning region fb5d0000...
Scanning region fb6c0000...
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba80000...
Potential exploit area found at address fbb6e200:e00.
Exploiting device...

C:\Android SDK\android-sdk\platform-tools>adb shell
# exit
exit

C:\Android SDK\android-sdk\platform-tools>adb push su /data/local/tmp/
1205 KB/s (22228 bytes in 0.018s)

C:\Android SDK\android-sdk\platform-tools>adb push busybox /data/local/tmp/
1683 KB/s (1372660 bytes in 0.796s)

C:\Android SDK\android-sdk\platform-tools>adb push fixsu.sh /data/local/tmp/
109 KB/s (560 bytes in 0.005s)

C:\Android SDK\android-sdk\platform-tools>adb install Superuser.apk
1060 KB/s (196521 bytes in 0.181s)
pkg: /data/local/tmp/Superuser.apk
Success

C:\Android SDK\android-sdk\platform-tools>adb shell chmod 755 /data/local/tmp/fixsu.sh

C:\Android SDK\android-sdk\platform-tools>adb shell /data/local/tmp/fixsu.sh
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied

C:\Android SDK\android-sdk\platform-tools>adb shell chmod 755 /data/local/tmp/fixsu.sh

C:\Android SDK\android-sdk\platform-tools>adb shell /data/local/tmp/fixsu.sh
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied

C:\Android SDK\android-sdk\platform-tools>
 

Nipqer

Senior Member
Mar 14, 2011
905
391
Hmm, I wonder why that's happening...
Want to join the IRC channel so we can sort this out?

-Nipqer
 
  • Like
Reactions: ahmedrzvi

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,335
617
UK
Sorry if I have missed something, but don't you need the eng hboot in order to use "fastboot flash" ?

Sent from my Desire Z running CM7.
 

wm6.5

Member
Sep 16, 2010
10
0
Amsterdam
I've done everything as above.

Everything went just fine.

But when I start SetCPU, It comes up with "root acces not detected" did you allow setcpu through superuser permissions?

In the superuser app (which is visible) I can't edit anything?

Also, it's not showing a pop up with "allow"

Am I doing something wrong?
 

wm6.5

Member
Sep 16, 2010
10
0
Amsterdam
C:\>cd android

C:\Android>cd platform-tools

C:\Android\platform-tools>adb shell
adb server is out of date. killing...
* daemon started successfully *
$ fastboot flash recovery recovery.img

fastboot flash recovery recovery.img
fastboot: permission denied
$
$ exit
exit

C:\Android\platform-tools>fastboot flash recovery recovery.img
< waiting for device >
 

petarpLab

Senior Member
Jan 6, 2011
167
57
Sorry if I have missed something, but don't you need the eng hboot in order to use "fastboot flash" ?

Sent from my Desire Z running CM7.

The hboot HTC provides for the unlock supports fastboot commands; it took us a while to figure that out at #g2root.

---------- Post added at 05:11 PM ---------- Previous post was at 05:08 PM ----------

C:\>cd android

C:\Android>cd platform-tools

C:\Android\platform-tools>adb shell
adb server is out of date. killing...
* daemon started successfully *
$ fastboot flash recovery recovery.img

fastboot flash recovery recovery.img
fastboot: permission denied
$
$ exit
exit

C:\Android\platform-tools>fastboot flash recovery recovery.img
< waiting for device >

You have to boot in fastboot mode to be able to issue fastboot commands.
From shell ($ or #) while the phone is connected to the computer:
Code:
exit
adb reboot bootloader
From normal win cmd (the > prompt):
Code:
adb reboot bootloader
 
  • Like
Reactions: baaabovka and wm6.5
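
The failure in the transcript above (fastboot typed inside `adb shell`, then `< waiting for device >` because the phone was still booted) can be caught before flashing. The following is an added example, not code from the thread or its authors: a host-side pre-flight that classifies the device mode from `adb devices` / `fastboot devices` output and checks the image hash. The function names and the expected SHA-256 (assumed to come from whoever published the image; the thread lists none) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): host-side pre-flight before `fastboot flash`.

# classify_mode ADB_DEVICES_OUTPUT FASTBOOT_DEVICES_OUTPUT
# Prints one of: fastboot, adb, unauthorized, offline, none.
classify_mode() {
    # `fastboot devices` prints "<serial> fastboot" for a phone in the bootloader.
    if printf '%s\n' "$2" | awk '$2 == "fastboot" {f = 1} END {exit !f}'; then
        echo fastboot
        return 0
    fi
    # `adb devices` can print daemon-restart noise first, so only read the
    # lines that follow the "List of devices attached" header.
    state=$(printf '%s\n' "$1" | awk '
        seen && NF >= 2 {print $2; exit}
        /^List of devices attached/ {seen = 1}')
    case "$state" in
        device)               echo adb ;;
        unauthorized|offline) echo "$state" ;;
        *)                    echo none ;;
    esac
}

# verify_image FILE EXPECTED_SHA256
# Succeeds only if FILE exists and hashes to the expected value (assumed to be
# published by whoever released the image; the thread itself lists no hashes).
verify_image() {
    [ -f "$1" ] || return 2
    actual=$( (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# preflight IMAGE EXPECTED_SHA256: run on the PC, never inside `adb shell`.
preflight() {
    verify_image "$1" "$2" || { echo "refusing: $1 missing or hash mismatch" >&2; return 1; }
    mode=$(classify_mode "$(adb devices 2>/dev/null)" "$(fastboot devices 2>/dev/null)")
    case "$mode" in
        fastboot) echo "ready: fastboot flash recovery $1" ;;
        adb)      echo "phone is booted; first run: adb reboot bootloader"; return 3 ;;
        *)        echo "no usable device (state: $mode)" >&2; return 4 ;;
    esac
}

# Run the check only when called as: sh preflight.sh recovery.img <sha256>
if [ "$#" -eq 2 ]; then
    preflight "$@"
fi
```
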

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,335
617
UK
C:\>cd android

C:\Android>cd platform-tools

C:\Android\platform-tools>adb shell
adb server is out of date. killing...
* daemon started successfully *
$ fastboot flash recovery recovery.img

fastboot flash recovery recovery.img
fastboot: permission denied
$
$ exit
exit

You need to run fastboot from your PC, not the phone ;)


Sent from my Desire Z running CM7.
 

Nipqer

Senior Member
Mar 14, 2011
905
391
wm6.5: I don't know if SetCPU can work on stock roms with root. You might need a different kernel for it.

-Nipqer
 
  • Like
Reactions: wm6.5

LcLc

New member
Jan 19, 2012
1
0
London
Thanks, this saved me! The guys on g2root irc are way too helpful! Much thanks to them, no thanks to HTC unlocker for wasting a day of my life.
 

Top Liked Posts

    3
    Yay, a tester. Let me know how it works.
    We've had 1 person get root, and 2 flash custom roms with this, but I'd appreciate any feedback.

    -Nipqer
    1
    Go to http://webchat.freenode.net/
    choose a nickname, in channels enter #G2ROOT (with the hash)

    -Nipqer