[ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit

Search This thread


Retired Forum Moderator
Jun 29, 2011
Knocking on your door
OnePlus 9 Pro
I'm using Windows 8.1 and Windows 7 but no luck maybe I can uninstall the drivers and try again do you know whats version is the latest HTC drivers? Thanks
Ok, don't bother with Win8.1 because getting fastboot to work on that is virtually impossible. Keep trying with Win7, there's a thread in our General Section for this device that contains HTC drivers.

Transmitted via Bacon


Aug 13, 2010
Ok, don't bother with Win8.1 because getting fastboot to work on that is virtually impossible. Keep trying with Win7, there's a thread in our General Section for this device that contains HTC drivers.

Transmitted via Bacon

Here's how to get fastboot to work for Windows 8/Windows 10:

Took me forever to find the solution but finally got this Root to work in Windows 10! Posting solution for posterity's sake :)


Jul 9, 2016
Hi Everybody , I was trying to root my AT&T HTC One X and was trying to unlock the bootloader , but appears an error next to the second backup of this exploit. Can anybody help me?, or do yo know a better way to unlock this?

Top Liked Posts

  • There are no posts matching your filters.
  • 286
    I have successfully rooted the AT&T HTC One X running build 2.20.

    In the previous build (1.85), S-ON was only partially enforced, so it was possible to modify the /system partition without having unlocked the bootloader, in order to install su and Superuser.apk. This was changed in build 2.20: full S-ON is now in effect. As a result, it is no longer possible to write to /system even after remounting it as writable, since the S-ON feature has NAND-locked the storage.

    In other words, it's impossible have a "permanent root" on 2.20 in the traditional sense without unlocking the bootloader.

    I have prepared an exploit that gains temporary root access by leveraging two vulnerabilities and uses these newly gained root privileges to overwrite the CID ("superCID"), so that it's possible to unlock the bootloader via HTC's website. I'm sorry if you'd prefer to not unlock your bootloader this way, but there are no other options for root access available.


    This exploit modifies the CID of your device. Doing so likely voids your warranty, and may be in violation of your contract with AT&T (I am not a lawyer). Additionally, while this exploit has been tested and has not been observed to cause any negative side effects in practice, I am in no way responsible if it turns your device into an expensive paperweight.


    1. Download the exploit from:

    Edit: Linux/Mac version available here. Thanks to Jesse Osiecki (@jesseosiecki) for suggesting I support this and providing me with a working version (that I ended up re-writing):

    2. Extract the entire zip file.

    3. Connect your device via USB, ensure you have the latest HTC USB drivers installed (only on Windows), and ensure USB debugging mode is enabled.

    4. Double-click "run.bat", or if running Linux or OSX, open a terminal, change directories to the extracted exploit, and run "./run.sh".

    5. Follow the instructions printed by the exploit. You will need to authorize two backup restorations during the exploit's execution.

    6. If the exploit is successful, it will print "[+] Set CID!". If it does not print this, the exploit has failed, so please do not continue.

    7. The exploit will automatically reboot into bootloader mode. Press enter after bootloader mode is finished booting, and the exploit will print your CID. If the exploit was successful, it should return "11111111" as your CID.

    8. If your CID was successfully set, press enter to generate an unlock token.

    9. Visit htcdev.com, navigate to the "Bootloader unlock" section, choose "All other supported models" from the drop-down menu, and provide the unlock token when asked.

    10. After unlocking the bootloader, you can flash a custom recovery partition via fastboot, boot into recovery mode, and use a recovery ADB shell or install from an update.zip to install Superuser and su (I do not provide support for custom recoveries, but this is a straightforward process that other people can help with).


    I am not affiliated with any Android forum or group, including XDA - this is just where I've chosen to publish this exploit.

    Portions of this exploit are similar in concept to the ADB backup/restore exploit published by Bin4ry, but the vulnerability used in this exploit is entirely distinct from Bin4ry's.


    Thanks to Michael Coppola for pointing me at the vulnerable driver I leverage for the second phase of the exploit, and props for independently discovering the same vulnerability I used. Thanks to jcase and P3Droid for their continuing support - I owe you guys beers.

    Go here for instructions on flashing custom recovery and roms:

    It utilizes a temp root to change the CID and therefore unlock
    The unlock is permanent, the root is temporary

    Though after you unlock, just flash a SuperUser zip and you will get permanent root ;)
    Great work man! Congrats.

    And welcome to all the new ROM flashers :)
    It's not working for me, dammit

    /system/bin/sh: /data/local/tmp/pwn: cannot execute - Permission denied

    Sent from my HTC One X using Tapatalk 2

    Sorry, made a small mistake. I've uploaded a new version to the same URL, please re-download and try again.