[Guide] Subsidy Unlock, SuperCID, and Radio S-OFF

fattire

Inactive Recognized Developer
Oct 11, 2010
2,280
6,473
113
www.eff.org
Update 12-29-10: Due to problems reported with v03, we now link to v02.

Update 12-23-10:
A new version of gfree, v02, has just been released by Guhl. Links have been updated to the new version, which allows you to set Sim Unlock, CID, and Radio S-ON/OFF independently. If you have previously run gfree, you will receive no additional benefit from running gfree v2, unless you want to change one of the settings.

Notice: gfree is known not to work for radio firmwares with higher versions than 26.03.02.xx -- the reason for this is that HTC patched the hole that allowed scotty2 to power cycle the eMMC chip to drop its write protection. So if you installed a radio version with a higher version number, downgrade the radio firmware before using gfree.

Guhl also released gfree_verify, which allows you to verify your phone's settings (regardless of which gfree you used). See the wiki for more on that.

The wiki is usually up to date on the latest of everything, so be sure to check it frequently.

---------------

scotty2 delivers again!

His "gfree" program should do the following for your g2, dz, or dhd:

* Radio S-OFF -- the real deal. This means the g2 will permit permanent root.
* Subsidy Unlock -- AKA "Sim Unlock" AKA "Network Unlock" AKA "Use a foreign SIM Card"
* SuperCID - enables the flashing of any carrier's firmware for the phone.

If you don't know what this means or why you might want it, check the wiki.

INSTRUCTIONS:

NOTE: If you have NOT permarooted your phone previously with the HBOOT/wpthis method, doing so using the new "gfree" method should have the added effect of sim-unlocking the phone, setting superCID and turning Radio S-OFF. In fact, it's the new method for permarooting for G2/DZ and DHD. So if you haven't yet permarooted, look at those instructions.

Again, the instructions below are only for people who have already previously "permarooted" through the earlier hacked-HBOOT method. See the wiki if you are starting from scratch with a new G2/DZ/DHD and have not yet done anything "root-ish".

WARNING: Be aware that by following these instructions you are messing with your phone with potential for screwing things up. Do so at your own risk. The many authors of this guide assume no responsibility for any damage to your phone, health, general well-being, or anything else untoward with respect to these instructions or you following them.

gfree uses a dynamic in-memory patch of the kernel to remove the kernel's write protection of the radio partition.

So, for those of you who have permarooted the old HBOOT way and put on new kernels: the following kernel versions are known NOT to work yet with gfree. If you have one of the following kernel versions on your phone, install a different (stock, OTA or cyanogen) kernel before starting this procedure:

| pershoots 11/30 build
| pershoot's 2.6.32.26 – OC-UV-NEON_FP (1.516GHZ) – G2 - 12/3
| Cyanogen Kernel / release 6.1.1
| 2.6.32.26-cm-virtuous-v1.0 [email protected]#1

Other newer kernels may also not work with gfree. So if you experience problems with this procedure (either the phone reboots during the process, or the procedure completes correctly but the verify still shows that the phone is locked), then you may think about downgrading the kernel to an original stock kernel or, even better, to this kernel.

Okay. So we're assuming you've permarooted already and usb debugging is on (Applications > Development, then enable USB debugging). You'll also need about 5MB free on your sdcard.

You might want to back up your phone with nandroid on the Clockwork recovery image first, just in case.

Note: If you hanker to do it the longer, manual, harder, and more dangerous way, or are just curious what gfree does, see the wiki history for the old instructions.

No? Then let's begin.

==== 1. Download gfree and verify sdcard is not mounted by your computer ====

You will need to download a program called gfree (v02) that will first copy partition 7 of the phone, then patch it, then reflash it back to your phone. (Verified to work with the G2 and Desire Z as well as the Desire HD.) (You will also need adb, which you can download as part of the Android SDK.)

Unzip gfree_02.zip to your computer.

Make sure your computer is not mounting your phone's sdcard.

==== 2. Run gfree on the phone ====

On your computer's terminal/command line, navigate to where the gfree file is, and then...

Code:
 adb push gfree /data/local
 adb shell
This copies gfree to your phone, then puts you in your phone's terminal. Then do this:

Code:
 su
 cd /data/local
 chmod 777 gfree
 ./gfree -f
 sync
Wait a few moments for the sync to "take". Then reboot your phone. That's it!

gfree created a backup of your original partition 7 at /sdcard/part7backup-<time>.bin; you might consider copying this to a safe location on your computer.

Now you can try using a new SIM card to verify that it worked. Also, if you had to flash a different kernel before running gfree, you may now reflash the kernel you originally had.


Thanks to the gang at #g2root, including IntuitiveNipple, scotty2, tmzt, rhcp, ciwrl, and guhl... among many others.

Wiki: How to enable Radio S-OFF, SuperCID, and SIM-unlock (with some informational background)

File: gfree_02.zip

File: gfree_verify_v01.zip

Feel free to use the "Thanks" button below. Also, Scotty2's paypal email is walker.scott AT gmail.com if you want to make a contribution.



Finally, Americans might consider making a donation to the Electronic Frontier Foundation who fight to defend your legal right to root or unlock your own phone when the carriers and phone manufacturers may lobby or otherwise try to stop you. The EFF can always use your tax-deductible support.
 
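An added example (not part of the original post, and not gfree's own code): a small POSIX sh wrapper that does what the notice and the two Code: blocks above describe, but refuses to run gfree when the radio firmware is newer than 26.03.02.xx, and pulls the part7 backup off the sdcard afterwards. Assumptions that are not from the post: adb is on your PATH, the phone reports its radio firmware in the `gsm.version.baseband` property, `su` on the phone accepts `-c`, and the unzipped gfree binary is in the current directory. The radio version strings used as samples are constructed for illustration.

```shell
#!/bin/sh
# gfree_precheck.sh -- added example, not part of the original post and not
# gfree's own code. Wraps the post's push/run/sync sequence with a check that
# the radio firmware is not newer than 26.03.02.xx, then copies the partition 7
# backup to the computer.
#
# Assumptions not taken from the post: adb is on PATH, the phone reports its
# radio firmware in the `gsm.version.baseband` property, su accepts -c, and the
# unzipped gfree binary sits in the current directory.

# Newest radio firmware gfree is known to work with (first three fields only).
GFREE_MAX_RADIO="26.03.02"

# numval NUM: strip leading zeros so "03" and "08" are never read as octal.
numval() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# version_le X Y: exit 0 if the first three dotted numeric fields of X are
# <= those of Y, 1 if X is newer, 2 if either value does not parse.
# Extra fields and suffixes (e.g. "26.03.02.26_M") are ignored.
version_le() {
    IFS=. read -r x1 x2 x3 rest <<EOF
$1
EOF
    IFS=. read -r y1 y2 y3 rest <<EOF
$2
EOF
    for f in "$x1" "$x2" "$x3" "$y1" "$y2" "$y3"; do
        case $f in ''|*[!0-9]*) return 2 ;; esac
    done
    for pair in "$x1 $y1" "$x2 $y2" "$x3 $y3"; do
        set -- $pair
        x=$(numval "$1"); y=$(numval "$2")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0
}

# radio_version_ok VERSION: 0 if gfree should work on this radio,
# 1 if the radio is newer than 26.03.02.xx (downgrade first), 2 if unparseable.
radio_version_ok() {
    version_le "$1" "$GFREE_MAX_RADIO"
}

# run_gfree: the post's procedure, gated on the radio check.
run_gfree() {
    radio=$(adb shell getprop gsm.version.baseband | tr -d '\r\n')
    rc=0
    radio_version_ok "$radio" || rc=$?
    case $rc in
        1) echo "radio $radio is newer than $GFREE_MAX_RADIO: downgrade the radio first" >&2; return 1 ;;
        2) echo "cannot parse radio version '$radio': refusing to guess" >&2; return 1 ;;
    esac
    adb push gfree /data/local
    # Same commands the post has you type in adb shell; 755 is enough for an executable.
    adb shell 'su -c "cd /data/local && chmod 755 gfree && ./gfree -f && sync"'
    # Copy the partition 7 backup gfree wrote to the sdcard onto the computer.
    for f in $(adb shell 'ls /sdcard/part7backup-*.bin' | tr -d '\r'); do
        adb pull "$f" .
    done
    echo "done: reboot the phone, then run gfree_verify"
}

# Only talk to the phone when invoked as: sh gfree_precheck.sh run
if [ "${1:-}" = "run" ]; then
    run_gfree
fi
```

If the check says the radio is too new, downgrade the radio as the notice says and re-run; if it cannot parse the version at all, read it off the phone yourself rather than letting a script guess.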

nycjv321

Senior Member
Jun 20, 2009
63
1
0

I just bricked my phone LMAO!!! :)

I did the perm root that was easy... this jeez... followed the [Guide] How to recover your semi-brick (OMFG Thank you guys over there!) BUT I'm back... I literally almost **** my pants. Well... Gonna try this again maybe after finals LOL :)
 

nycjv321

Senior Member
Question though (going to try it later tonight LOL =P): the guide says I need a "custom cyanogenmod based kernel" and provides the boot image that contains it. I am using the nightlies; do they contain that same function or no? Also, when I did flash that boot image and ran "insmod /sdcard/wpthis-cyanogen.ko" it said error function not implemented? Anyone not run into this issue? Or have any ideas?
 

fattire

Inactive Recognized Developer
Question though (going to try it later tonight LOL =P): the guide says I need a "custom cyanogenmod based kernel" and provides the boot image that contains it. I am using the nightlies; do they contain that same function or no?
Nope.

Also, when I did flash that boot image and ran "insmod /sdcard/wpthis-cyanogen.ko" it said error function not implemented? Anyone not run into this issue? Or have any ideas?
"Error function not implemented" means it worked.
 

nycjv321

Senior Member
Ok, I ran it all again and it worked, but when I was verifying it I got all the supposed feedback except at "echo -e 'AT$QCPWRDN\r' > /dev/smd0": I got AT$QCPWRDN and then +CME Error: 0.... (No OK as said in the guide? :( ) and then it rebooted? What didn't work?
 

nycjv321

Senior Member
This may be a stupid question, but doesn't 0 also equate to no error? (In my older post.) (It's just not stated in the guide; I don't want to overlook something, which is why I asked :) ) You guys are AWESOME!!!
 

emperorchan

New member
Nov 30, 2010
4
0
0
This may be a stupid question, but doesn't 0 also equate to no error? (In my older post.) (It's just not stated in the guide; I don't want to overlook something, which is why I asked :) ) You guys are AWESOME!!!
After entering the following into ADB Shell command prompt:

# echo -e 'AT$QCPWRDN\r' > /dev/smd0

The reply I got was a bunch of numbers (which filled the screen and wrapped to a new line) from what I can recall and then the phone rebooted. I didn't save the command window so I don't have the full details.

When the phone rebooted, I got signal from the local Thailand carrier AIS using a pre-paid SIM card.

The first time I went through the process I made a mistake setting the following using the Hex Editor:

"...set the 4 bytes at 0x807fc to 49 53 F4 7D"

The second time around I figured out what the "c" in "0x807fc" meant in terms of location on the Hex Editor. That was it.