• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[ROOT] MR1/OTA PermRoot + Unlock Bootloader - Safer/Easier 5/12/2011

Search This thread

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,773
Sequim WA
OUTDATED
Augest 14 2011
Unrevoked and AlpharevX released a new version of their http://revolutionary.io/ tool, use it, and preserve your data.


Do not use the root method below.

Original root left for a good read.

Advanced users wanting a different hboot please see http://forum.xda-developers.com/showthread.php?t=1186022, others continue as is.

Updated May 12th 2011

This guide has been updated to MR1/OTA Firmware 1.13.605.7


This guide has been updated on April 21 2011 to make it more reliable, and faster.

On request I am reposting this in full, but please check out the original here first.


HTC tried to stop us. They made signed images, a signed kernel, and a signed recovery. They locked the memory. In short, the ThunderBolt is their most locked-down phone to date.

We fixed it for you. Unlike the root method we described yesterday, following the instructions below will provide S-OFF, remove signature checks, and unlock eMMC. Enjoy!

Rooting The ThunderBolt – Version 3

Pros
Root with read/write access to /system
Ability to downgrade and flash any RUU (i.e. signed firmware)
S-OFF
Fully unlocked bootloader
All ThunderBolts survived testing

Cons
Voids warranty
Could brick your phone if you aren’t careful

The method of rooting your Android device as described in the article herein is solely for enthusiasts and not for the faint of heart.

IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA.

Android Police and Team AndIRC disclaim all liability for any harm that may befall your device, including, but not limited to: bricked phones, voided manufacturer warranties, exploding batteries, etc.

The instructions below assume you already have a strong familiarity with adb command lines – this is not for beginners.


Credits
Scotty2, jamezelle, jcase, and all of Team AndIRC
dsb9938 for the tutorial cleanup
Testers, especially ProTekk and Trident
Thanks to scotty2 for WPThis
Busybox was pulled from a CyanogenMod ROM, source should be available here
psneuter was pulled from somewhere, credit to scotty2, source here
All firmware credit goes to 911sniper
Jaroslav from Android Police for editorial help
If I missed anyone in the credits, it was unintentional and I will fix it soon. Lots of people had their hands in on this project.

*** Please read the instructions in full before you attempt the process or head to IRC to ask questions. Also, make sure your battery is fully charged before taking the plunge. ***

Step 1
First, download these files:

Downgrade RUU PG05IMG_downgrade.zip ( (md5sum : aae974054fc3aed275ba3596480ccd5b) THIS IS THE DOWNGRADE RUU USED IN STEP 4:
Multiupload mirror


Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af) THIS IS THE EXPLOITS FILE:
Multiupload mirror
DroidSite mirror

Custom upgrade PG05IMG_MR1_upgrade.zip (md5sum : 7960c7977c25b2c8759605be264843ea) THIS IS THE CUSTOM RUU USED IN STEP 7:
http://www.multiupload.com/NEANZBS5S4



Step 2

Note that adb is required.

Push misc.img, busybox, and psnueter using the following commands:

Code:
adb push psneuter /data/local/
adb push busybox /data/local/
adb push misc.img /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox

Step 3

This step will gain temp root and flash the custom misc.img. Run:

Code:
adb shell

Now the shell should display "$".
Run:

Code:
/data/local/psneuter

You will now be kicked out of adb, and adb will restart as root.

Let’s confirm the md5 of misc.img:

Code:
adb shell

At this point, the shell should display "#".

Now run:

Code:
/data/local/busybox md5sum /data/local/misc.img

Output should be "c88dd947eb3b36eec90503a3525ae0de." If it’s anything else, re-download the file and try again.

Now let’s write misc.img:

Code:
dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
exit

Step 4

Here you will rename the downgrade RUU (PG05IMG_downgrade.zip) as PG05IMG.zip and place it on your SD card (put the phone in drive mode and just copy it with your OS). Then, run the following command:

Code:
adb reboot bootloader

Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.

Step 5

Set up the two part exploit, to gain root and unlock MMC.

Push wpthis, busybox, and psnueter:

Code:
adb push psneuter /data/local/
adb push busybox /data/local/
adb push wpthis /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
adb shell chmod 777 /data/local/wpthis

Gain root (this will once again throw you out of adb):

Code:
adb shell
/data/local/psneuter

Unlock MMC:

Code:
adb shell
/data/local/wpthis
exit

Step 6

Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.

To push the eng bootloader:

Code:
adb push hbooteng.nb0 /data/local/
adb shell
/data/local/busybox md5sum /data/local/hbooteng.nb0

If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb" exactly, stop, delete it, and re-download it. Otherwise, continue.

Now we will write the new bootloader.

Code:
dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18

Confirm proper write:

Code:
/data/local/busybox md5sum /dev/block/mmcblk0p18

If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb," try again; if it still doesn’t work, seek help from chat.andirc.net in channel #root or go here AndIRC Thunderbolt Web Chat DO NOT REBOOT.




Reboot.

Step 7

Now, put the custom MR1 RUU (PG05IMG_MR1_upgrade.zip) on your SD card by putting the phone in drive mode and copying it with your OS. Then rename it to PG05IMG.zip

Then using an md5sum type program, check the md5sum and make sure it matches 7960c7977c25b2c8759605be264843ea, if it does not, redownload it. (Here is a free windows md5summer).

Next, run this command:

Code:
adb reboot bootloader

Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.

After it flashes, you will be running release firmware with S-OFF.

Reboot your phone. You should now have full root permissions, an engineering kernel and recovery.

I recommend you get rom manger from market.

If you still have problems, come to the chat: irc.andirc.net #thunderbolt or use http://chat.andirc.net:9090/?channels=#thunderbolt.


.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 189
    OUTDATED
    Augest 14 2011
    Unrevoked and AlpharevX released a new version of their http://revolutionary.io/ tool, use it, and preserve your data.


    Do not use the root method below.

    Original root left for a good read.

    Advanced users wanting a different hboot please see http://forum.xda-developers.com/showthread.php?t=1186022, others continue as is.

    Updated May 12th 2011

    This guide has been updated to MR1/OTA Firmware 1.13.605.7


    This guide has been updated on April 21 2011 to make it more reliable, and faster.

    On request I am reposting this in full, but please check out the original here first.


    HTC tried to stop us. They made signed images, a signed kernel, and a signed recovery. They locked the memory. In short, the ThunderBolt is their most locked-down phone to date.

    We fixed it for you. Unlike the root method we described yesterday, following the instructions below will provide S-OFF, remove signature checks, and unlock eMMC. Enjoy!

    Rooting The ThunderBolt – Version 3

    Pros
    Root with read/write access to /system
    Ability to downgrade and flash any RUU (i.e. signed firmware)
    S-OFF
    Fully unlocked bootloader
    All ThunderBolts survived testing

    Cons
    Voids warranty
    Could brick your phone if you aren’t careful

    The method of rooting your Android device as described in the article herein is solely for enthusiasts and not for the faint of heart.

    IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA.

    Android Police and Team AndIRC disclaim all liability for any harm that may befall your device, including, but not limited to: bricked phones, voided manufacturer warranties, exploding batteries, etc.

    The instructions below assume you already have a strong familiarity with adb command lines – this is not for beginners.


    Credits
    Scotty2, jamezelle, jcase, and all of Team AndIRC
    dsb9938 for the tutorial cleanup
    Testers, especially ProTekk and Trident
    Thanks to scotty2 for WPThis
    Busybox was pulled from a CyanogenMod ROM, source should be available here
    psneuter was pulled from somewhere, credit to scotty2, source here
    All firmware credit goes to 911sniper
    Jaroslav from Android Police for editorial help
    If I missed anyone in the credits, it was unintentional and I will fix it soon. Lots of people had their hands in on this project.

    *** Please read the instructions in full before you attempt the process or head to IRC to ask questions. Also, make sure your battery is fully charged before taking the plunge. ***

    Step 1
    First, download these files:

    Downgrade RUU PG05IMG_downgrade.zip ( (md5sum : aae974054fc3aed275ba3596480ccd5b) THIS IS THE DOWNGRADE RUU USED IN STEP 4:
    Multiupload mirror


    Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af) THIS IS THE EXPLOITS FILE:
    Multiupload mirror
    DroidSite mirror

    Custom upgrade PG05IMG_MR1_upgrade.zip (md5sum : 7960c7977c25b2c8759605be264843ea) THIS IS THE CUSTOM RUU USED IN STEP 7:
    http://www.multiupload.com/NEANZBS5S4



    Step 2

    Note that adb is required.

    Push misc.img, busybox, and psnueter using the following commands:

    Code:
    adb push psneuter /data/local/
    adb push busybox /data/local/
    adb push misc.img /data/local/
    adb shell chmod 777 /data/local/psneuter
    adb shell chmod 777 /data/local/busybox

    Step 3

    This step will gain temp root and flash the custom misc.img. Run:

    Code:
    adb shell

    Now the shell should display "$".
    Run:

    Code:
    /data/local/psneuter

    You will now be kicked out of adb, and adb will restart as root.

    Let’s confirm the md5 of misc.img:

    Code:
    adb shell

    At this point, the shell should display "#".

    Now run:

    Code:
    /data/local/busybox md5sum /data/local/misc.img

    Output should be "c88dd947eb3b36eec90503a3525ae0de." If it’s anything else, re-download the file and try again.

    Now let’s write misc.img:

    Code:
    dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
    exit

    Step 4

    Here you will rename the downgrade RUU (PG05IMG_downgrade.zip) as PG05IMG.zip and place it on your SD card (put the phone in drive mode and just copy it with your OS). Then, run the following command:

    Code:
    adb reboot bootloader

    Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
    Once done, reboot and delete PG05IMG.zip from your SD card.

    Step 5

    Set up the two part exploit, to gain root and unlock MMC.

    Push wpthis, busybox, and psnueter:

    Code:
    adb push psneuter /data/local/
    adb push busybox /data/local/
    adb push wpthis /data/local/
    adb shell chmod 777 /data/local/psneuter
    adb shell chmod 777 /data/local/busybox
    adb shell chmod 777 /data/local/wpthis

    Gain root (this will once again throw you out of adb):

    Code:
    adb shell
    /data/local/psneuter

    Unlock MMC:

    Code:
    adb shell
    /data/local/wpthis
    exit

    Step 6

    Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.

    To push the eng bootloader:

    Code:
    adb push hbooteng.nb0 /data/local/
    adb shell
    /data/local/busybox md5sum /data/local/hbooteng.nb0

    If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb" exactly, stop, delete it, and re-download it. Otherwise, continue.

    Now we will write the new bootloader.

    Code:
    dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18

    Confirm proper write:

    Code:
    /data/local/busybox md5sum /dev/block/mmcblk0p18

    If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb," try again; if it still doesn’t work, seek help from chat.andirc.net in channel #root or go here AndIRC Thunderbolt Web Chat DO NOT REBOOT.




    Reboot.

    Step 7

    Now, put the custom MR1 RUU (PG05IMG_MR1_upgrade.zip) on your SD card by putting the phone in drive mode and copying it with your OS. Then rename it to PG05IMG.zip

    Then using an md5sum type program, check the md5sum and make sure it matches 7960c7977c25b2c8759605be264843ea, if it does not, redownload it. (Here is a free windows md5summer).

    Next, run this command:

    Code:
    adb reboot bootloader

    Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
    Once done, reboot and delete PG05IMG.zip from your SD card.

    After it flashes, you will be running release firmware with S-OFF.

    Reboot your phone. You should now have full root permissions, an engineering kernel and recovery.

    I recommend you get rom manger from market.

    If you still have problems, come to the chat: irc.andirc.net #thunderbolt or use http://chat.andirc.net:9090/?channels=#thunderbolt.


    .
    3
    http://www.youtube.com/watch?v=-UK_CiB2SYk

    This video is great.. just follow that for a really quick and easy root using the new revolutionary tool
    2
    Good luck to you guys and thank you for the work you're putting into this. Definitely going to do a lot of projects once I get the TB and we get confirmed permanent root.
    2
    I've never rooted "manually" like this so I have a couple of questions.

    I'm not entirely sure what an RUU is. I saw one site that said it stands for ROM Update Utility. Can someone explain what it is/does?

    Why are there a set of two RUU links? The first (with the long name) and the second labeled "custom" RUUs. What's the difference and why would both be needed?

    Thank you sirs.

    The RUU is just HTC's equivalent of a ROM. The first one downgrades the software so that the exploits work. Once root is obtained using this RUU, you flash the other RUU so that you have the most recent firmware from HTC.
    2
    Need help plz. I put the PG05IMG.zip on my sd card and followed the first temp rooting instructions then rebooted by issuing adb command. Then i selected bootloader option and it identified the PG05IMG file and starting checking it. After checking it, it does nothing, it just sits at the menu, and does not ask me to upgrade. Any ideas on this?

    Trying not to make any assumptions but from what you've said, it SOUNDS like you used the wrong file.

    You need to put the DOWNGRADE file, called either "RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.0103_2r_NV_8k_1.37_9k_1.52_release_165253_signed.zip" or "PG05IMG_downgrade.zip" if you used the multiupload link. In either case, you rename it to PG05IMG.zip, and reboot to the bootloader etc. Once you choose the bootloader option and press power it'll take a second or two before the screen starts doing anything; it'll "fail" looking for a few different zip files before landing on the right one. After that wait a good 5 minutes or so, but you SHOULD see progress bars in the top right of the screen. Once its done, it'll ask you to update.

    EDIT: And just an FYI it'll reboot midway, and recheck before continuing on. DON'T PANIC, and DO NOT abort the process; its normal; just let it do its thing.