[GUIDE] How To S-Off; Permanent Root; Custom Recovery



Senior Member
Oct 27, 2011
Not quite...
1) yes
2) once S-off you have a few options here:
a) take the 4.4.4 stock OTA before you flash TWRP or make any changes to your system
b) use dottat's RUU.exe to update to 4.4.4
c) flash the 4.4.4 firmware from Tigerstown's thread in fastboot.

3) No matter what method you use, eventually you will have to flash TWRP in fastboot. Flashify needs root and you don't have that until you flashed SuperSU in recovery. Once rooted you can use Flashify to flash recoveries if you want. I would recommend you use fastboot.

A) So if I choose option C, can I just do the SD card method to update firmware? I've always done it that way with my phones and had no issues.

B) Out of curiosity more than anything, why can't I flash TWRP before updating to 4.4.4?

Thank you so much for the assistance! I'm going to be working on his phone in about an hour. :)


Retired Forum Moderator
Jan 10, 2011
york, pa
Samsung Galaxy Note 20 Ultra
OTA won't flash if TWRP is installed.

You can flash TWRP and the firmware zip and go straight to a custom ROM if you wish.


Senior Member
Jan 27, 2009
Hi, I have received a refurb with 4.4.2. Is there somewhere the firewater file is? If someone could PM it to me to prevent a link from being distributed, I'd be grateful.


Senior Member
Aug 18, 2010
Is there any alternative to using Sunshine for those of us on 4.4.2? I'd rather not pay $25 for something when there is a version that will work with it for free...somewhere.


Dec 9, 2012
I somehow managed to brick my DNA. I can open Bootloader and S is off. Bootloader is relocked.
Is there anything I can do? Or just get another phone?

Top Liked Posts

  • 73
    How to Achieve Permanent Root and S-Off:

    To get permanent root, you need to S-Off. So let's start with that first. This process will NOT wipe your device. It also works for OS X users. This guide will work on software version 1.55.605.2 (which as of 04/19/2014 is the latest OTA) and below.

    --- S-OFF Instructions ---
    First, you'll need to download adb, enable its use and setup debugging.
    1. adb is part of the Android SDK. You can download it here (OS X users must scroll down and download the OS X version). It does not need to be installed, just unzip it into its own folder. You can also download a zip that contains only adb and fastboot.
    2. Once you have adb, you'll need to download the driver for your M8, which can be had from HTC's driver page:
      Then install it. It will install the driver necessary for adb to work. After the installation is finished, uninstall HTC Sync immediately (do this regardless of whether or not you need it; you can reinstall it later if you still want it). This will leave the driver package installed, but remove HTC sync.
    3. Now, back to the phone. Disable all security you have on, including PINs, Pattern Locks, passwords, etc. If you have an exchange forced security policy, you will need to disable the account. You can re-add it later.
    4. Enable access to developer options. Jump into the Settings. Then you’re going to scroll down to the bottom and tap on ‘About’, next tap on ‘Software Information’. Now you’ll need to tap on ‘More’, which will give you a new menu. Now just tap on the build number 9 times and you’ll enable Developer options.
    5. Go into developer options menu and enable USB Debugging.
    6. Next, go to Security page and enable "Unknown sources".
    7. Now install weaksauce from here:
    8. If you followed the directions correctly, you should have SuperSU installed and root access. (You can use superuser as well).
    9. Plug your phone into your computer. It's best to use the factory cable provided with the phone. Use a USB 2.0 type port if possible (USB3.0 ports typically have a blue tab; I have personally used a USB 3.0 Device on Windows 8.1u to perform this without any problems, but your mileage may vary).
    10. Your phone will ask you if you trust your computer (RSA). Choose "Always Allow".
    11. Ensure adb is working by opening a command prompt (terminal on OS X), navigate to the adt-bundle-[XXXXX]/sdk/platform-tools and typing "adb devices" without quotes. Your phone should show up. Ensure the working directory is the directory that adb is in. Otherwise, transferring firewater may fail. On Windows, you can shift-right-click inside the folder adb is in and click open command prompt to open a cmd in that directory.
    12. Now go download firewater from here:
      http://firewater-soff.com/instructions/ Make sure to use the weaksauce method (second method). Do NOT use the temproot method.
      The firewater file should be called "firewater" without any quotes or extensions (like .bin). Ensure your browser did not partially download or corrupt it.** Make sure it's in the same folder as adb. Then follow directions on the firewater site. Be aware the yes/no prompt is case sensitive, so make sure to answer it with an uppercase Y as in "Yes" not "yes". During the process, you will need to enable adb shell to get root. Make sure your phone screen is on so you can see the root request. Grant it and the S-Off process will continue. Otherwise, it will hang there and eventually time out. Sometimes, the process will fail and the phone will reboot. This is okay. Just restart the process. It can sometimes take multiple tries.
    13. When completed successfully, you now have S-OFF. Your phone's bootloader is also unlocked in the process; you do NOT need to perform any additional steps to unlock the bootloader. However, you do not have permanent root. The root that weaksauce provides goes away on reboot and must be reapplied again on startup.
    **The filesize seems to vary depending on what OS/browser is used to download it. It should be around 4,519,496 (on disk) in size. If you can't execute firewater, try redownloading it.

    Getting permanent root:
    -Flash a custom recovery and flash a zip with su.
    -[Optional] Return to stock recovery. This option is for people who don't want a custom recovery.
    Be aware, once rooted and S-Off'ed, you do NOT need the kernel module that enables system write access*. All system changes will survive hard reboots (adb reboot).

    -- Recovery Rooting: --
    1. Move the supersu zip onto your internal sdcard. It can be downloaded here:
      You can use Superuser as well. It's your preference, but this guide uses SuperSU.
    2. Uninstall weaksauce. It's no longer needed.
    3. Uninstall SuperSU. It will be reinstalled when you flash the supersu zip. If you have SuperSU Pro installed, you can leave that in place, as that app only holds a key.
    4. From adb, type:
      adb reboot bootloader
    5. Flash a custom recovery. CWM and TWRP are available. Use the fastboot method. Follow the directions here:
      TWRP - http://teamw.in/project/twrp2/226
      CWM - http://forum.xda-developers.com/showthread.php?t=2708520
    6. Reboot into Recovery
    7. Flash the supersu zip you downloaded.
    8. Reboot and you're done. You have s-off and permanent root.
    You can delete the downloaded supersu zip off your internal sdcard; it's no longer needed.

    -- Manual Root --
    Perform all steps noted in section "Recovery Rooting" above.
    -Download the stock recovery:
    -Ensure the stock recovery img file is in the same folder as fastboot.
    -Run the following command from command line: "fastboot flash recovery stockrecovery.img" without the quotes.
    -Wait for the process to finish
    -Reboot the phone. You now have the stock recovery along with root. With the stock recovery installed, you can now accept OTAs provided you haven't modified/deleted any stock system files. Any new OTAs you take will remove any files/folders you added to the system partition and will remove your root. However, with S-off, this can be undone. If you lost root after taking an OTA, simply start from the beginning of the section "Recovery Rooting".

    -- Common Tweaks --
    All of these are optional and are NOT required. However, you may find some benefit to them.
    -- Wifi Tether Enabled --
    This is unnecessary if you are on a More Everything plan or are paying for hotspot/tethering. You can force enable the native tethering application:
    -- Device Wipe after ten attempts --
    I really dislike this "feature". Here is how to disable it. This works regardless of whether you enabled the security or it's mandated by an exchange policy.
    I use Root Explorer to make this change, but you can use any text editor. Make sure to mount system as R/W. Root explorer can do this from within the app.
    Edit this file:
    change this:
      <item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">10</item>
    to this
      <item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">0</item>
    Reboot and it's disabled.
    -- Power Saver Mode --
    Enable "Power Saver" mode using these directions. It's disabled and hidden by default.
    -- *Unsecured Kernel --
    By default, the stock kernel prevents write access to /system. S-off and root should allow you to make changes to system. However, some people have reported difficulties using ROM toolbox and other mods (like changing boot animations). In some cases, these issues can be resolved by flashing an insecure kernel:
    -- HTC Sense Browser --
    The stock ROM now includes Chrome as the default browser and omits the Sense Browser. Users who prefer the Sense Browser can download it here:
    -- HTC Flashlight --
    The stock HTC flashlight app.
    -- Disable HTC Sync Virtual CDROM --
    This disables the virtual CD-ROM from mounting.

    -- Donations --
    Don't forget to donate to the developers involved in getting you here. Donations for firecracker go to [email protected] (paypal). Donations for weaksauce go to [email protected] (paypal). If I missed anyone, let me know.
    Been getting some interesting PMs. Here are some of the popular questions.

    Do I need a Java card for this?
    No. You just need a PC/Mac, a USB 2.0 cable and the M8. Since a public S-off method is now available, that method is obsolete and it's not recommended anymore.

    Do I have to change or reset my CID?
    No, that is only necessary for people who s-off'ed via a Javacard.

    Do I need to do any of this if I S-off'ed via Javacard?
    No, this method ends with the same result.

    Can I reverse this and return to completely stock?
    Yes, absolutely none of the stuff done here is permanent. You can unroot, relock the bootloader, and S-On as many times as you want. You can flash an HTC RUU to return to completely stock in one go. Note: Be careful with S-On'ing a device. If you S-On a device via a newer RUU and that RUU has no known exploits, you may not be able to S-Off again until an exploit is found.

    Do I need to unlock my bootloader after this?
    No, the firewater exploit will S-Off and unlock your bootloader.

    Will this work on a Mac?
    Yes, please read the directions more carefully.

    Will this work on USB 3.0 ports as that is all I have?
    Usually. On OS X, I've had success using a USB 3.0 port (since recent MBPs only include USB 3). On Windows, the answer seems to be maybe, depending on your OS. Your best bet would be to try on a Windows 8,8.1,8.1u1 machine as that OS includes native support for USB 3.0; that way you aren't relying on vendor specific driver support like on Win7 or below. I have personally done this exploit on USB3 on a Surface Pro.

    Will this brick my phone?
    There is always a chance, but I have honestly never heard of such a thing happening. Worst case is usually a full reset of the phone.

    Will this wipe/format the external SDcard?

    How do I flash this via ODIN?
    This has absolutely nothing to do with ODIN. That is for Samsung devices. You should not even have ODIN running when doing any part of this guide.

    How do I convert to a Google Play edition ROM?
    Wait for a developer to make one. I will post a link here if/when that happens.
    See here:

    Does this affect Google Wallet or ISIS?
    Yes and no. Google Wallet works just fine. ISIS will detect it's rooted and refuse to work. You'll need to shield root from ISIS to use it. Directions on how to do that can be found via Google.

    Will this work on non-Verizon HTC M8's?
    Yes, though you will need to use a different recovery.

    Will this unlock my device for other carriers?
    No....because your device is already unlocked in its stock form. AWS band rules force Verizon to keep all their LTE devices unlocked.

    Will this jailbreak my device?
    No. Wrong type of phone.

    I can get red triangle exclamation mark with a black screen. How do I fix this?
    You are in the stock recovery. Hold power and volume up and you will get a menu. You can choose reboot system now to get out of there.
    Well, I'm not asking the wrong questions! If you check the thread you'll find I have written what I've done in details and in order but you don't seem to read the whole posts (You're still telling me "if I'm S-off") and my question is about my inability to S-off!! Anyways, I got what I wanted to know. But as I said earlier, you guys stopped being helpful the way you used to be.... All you could have said is firewater is no longer working!

    ---------- Post added at 06:12 PM ---------- Previous post was at 06:07 PM ----------

    This post is supposed to be a tutorial. So, you should expect questions from people who lack knowledge on the matter. Your duty as decent forum members is to provide answers for such people instead of mocking them! Otherwise, you can simply disable replies in the thread!
    Makes me wonder why I waste my time trying to help.....
    Yeah, nvm, it's fine now. When I first connected it via debugging, I didn't hit the "Always allow" option on my phone, so after the adb reboot it wasn't allowed to reconnect. Just had to disable debugging and re-enable it, it's all set now.

    Cool. I'll add that to the guide.
    I'm happy to see that s-off was achieved and I'm going to unlock my phone right now

    but quick question, I'm new to this s-off stuff so I don't know how it works entirely.
    But once we unlock the bootloader

    is there any way to lock it again in case we need to send the phone to HTC?

    sorry for the noob question but just a question that popped into mind.
    Absolutely. Everything in this guide can be reversed. You can return everything back to stock via an RUU.

    So I don't quite understand. I am S-off with the Unofficial CMWR from InvisibleK and I flashed SuperSU zip v1.94. Do I need the system write access kernel module to write to system or no?
    Great guide by the way. Thanks
    You do not. I have modified and added a few system files and they have persisted through several hard reboots.
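
An added example, not part of the thread or of the adb or firewater projects: a preflight script for steps 10 to 12 of the guide and for the "Always allow" problem reported above, written for an OS X or Linux terminal. It classifies `adb devices` output and checks that the download sits beside adb under the exact name `firewater`; the function names and the `--run` switch are assumptions of this example, and because the guide gives only an approximate size and no checksum, the script does not judge the file's contents.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for steps 10-12 of the guide.

# Classify `adb devices` output read from stdin.
# Prints: ready | unauthorized | offline | none | multiple | <other state>
adb_state() {
    awk '
        /^List of devices/ { next }      # header line
        $1 ~ /^\*/ { next }              # "* daemon ..." start-up chatter
        NF >= 2 { n++; state = $2 }      # SERIAL <tab> STATE
        END {
            if (n == 0) print "none"
            else if (n > 1) print "multiple"
            else if (state == "device") print "ready"
            else print state
        }'
}

# Check that the download sits beside adb under the exact name "firewater".
# $1 = directory holding adb. Prints: ok | empty | renamed:<name> | missing
firewater_file_state() {
    dir=$1
    if [ -f "$dir/firewater" ]; then
        if [ -s "$dir/firewater" ]; then echo ok; else echo empty; fi
        return 0
    fi
    for f in "$dir"/firewater.*; do
        if [ -e "$f" ]; then echo "renamed:$(basename "$f")"; return 0; fi
    done
    echo missing
}

# Run both checks against a real adb; returns 0 only when both pass.
preflight() {
    dir=${1:-.}
    state=$("$dir/adb" devices | adb_state)
    fw=$(firewater_file_state "$dir")
    case $state in
        ready)        echo "adb: device authorized" ;;
        unauthorized) echo "adb: accept the RSA prompt (Always allow) or toggle USB debugging" ;;
        none)         echo "adb: no device listed" ;;
        *)            echo "adb: state $state" ;;
    esac
    echo "firewater file: $fw"
    [ "$state" = ready ] && [ "$fw" = ok ]
}

if [ "${1:-}" = "--run" ]; then preflight "${2:-.}"; fi
```

Run it as `sh preflight.sh --run /path/to/platform-tools`; an `unauthorized` state means this computer's RSA key has not been accepted on the phone.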