Root [info/FAQ] root and s-off MT4GS,all hboots!

[scotty85]

this is not so much a guide,but rather a collection of info for the most current and up to date methods of rooting and obtaining s-off. i hope to emliminate some confusion with this thread.

any questions,comments or concerns feel free to start a thread here in the ATR section,and we will be happy to help you.

*first and foremost,if you happen to aquire a MT4GS thats still on hboot 1.44.0007 because its been powered off or used in a cave for the last year,stop and rejoice. download and run Revolutionary immediately. the revolutionary tool is extremely easy,does not require any pre-rooting or prep,just read their FAQ,download and run it. it will give you permanent nand-unlock(radio s-off) leaving you free to accept OTAs or run an ruu afterward,and easily be able to install recovery and root at any time.


*if you find your MT4GS to be on hboot 1.45.0013,s off is still possible. just gonna be a lil more work. the 1.45.0013 method will work on 1.44.0007 as well,but revolutionary is a simpler tool to use. whatever option you choose is ultimately up to you. the "wire trick" used by the juopunut bear tool looks a bit intimidating,but really isnt that bad.

____________________________________________________________________________________
the 1.45.0013 method:
1)unlock,install recovery and superuser by using htcdev
http://androidforums.com/mytouch-sl...uide-unlock-htcdev-install-recovery-root.html

2)run juopunuts bears radio s-off tool
Unlimited.IO


____________________________________________________________________________________

please read the following posts for some warnings,disclaimers,and additional info.

remember,any questions,start a thread and ask... we are here to help! :smokingsomb:

 

[scotty85]

DO NOT unlock with htcdev after s-off

____________________________________________________________________________________

Spoiler

read this: the purpose of this post is to let folks know that if you htcdev unlock with s-off,your device will go back to reading unlocked until you relock it,at wich time it will read relocked,just like before you s-offed.

what does this mean?! if you dont care about getting back to a locked state for warranty purposes,then it doesnt mean anything. if one of the big reasons that you s-offed in the first place was to get back to locked,then,as this post says,dont unlock with htcdev after s-off. you can install recoveries and hboots via hboot in a PG59IMG files,or you can install available patched hboots to enable engineering commands.

i hope this helps clarify it for those who were confused by the title. my intention was not to cause panic,simply to educate folks in what id found,as i know the subject of locked/relocked is very important to some.

ACTUALLY...
this isnt as big a deal as it used to be. if you do want to unlock,you can change the lock status flag with this thread: http://androidforums.com/mytouch-sl...t/670782-how-reset-your-lock-status-flag.html

 

[scotty85]

DISCLAIMER:

i feel all the new rooters need to see this:

Spoiler

please be careful!

after s-off,you can now have complete control of your phone. you can change whatever you want since its not doing ANY security checks at all. as such you have a much greater responsibility to know what your flashing and why,and that your files are 100% unmolested and uncorrupt.

please be aware that a bad bootloader or radio flash can and will brick your phone,possibly beyond recovery.

you do not any longer have the s-on safety net of htcdev.

on the other forums,im seeing alot of flip-flopping bootloaders around,and most folks dont even know why they want the eng hboot.please think about this.its risky- flashing a a new bootloader is prolly THE biggest risk you can take on your device,as without a bootloader NOTHING will load. i.e.,you have a brick. if your current bootloader suits your needs(ie boots youre phone and supports the fastboot commands you regularly use) then why are you changing it?

s-off is awsome,i know but again,i just want everyone that has been asking various question to realize the the seriousness that having this privelege is. have fun flashing roms and slpash screens,but be extremely cautious/careful with the important parts of your device.

-make sure you know what your flashing,and why
-make sure you have an md5 summer and use it.
-if you just asked "whats an md5??" then learn it
-make sure you are comepletely comfortable with all procedures for things you do.

last and not least,please ask any questions BEFORE your phone makes a short lil buzz,shuts off,and wont come back on

im not trying to scare anyone into staying s-on,i just want everyone to use caution and have safe,happy flashing

 

[scotty85]

s-off FAQ

Spoiler

some frequently asked questions and general info about s-off

*what exactly IS s-off?
the simple answer is "security-off" on the normal checks that the phone does before it allows you to change different partitions,or revert to an older software/firmware combination.

more specifically,what the s-off procedure gives the device is a "radio s-off" by changing a setting in the radio NVRAM called the "secure flag" to "off". this method of s-off is ideal,as it is below the radio level of the phone,and will remain no matter what other changes are made. radios,hboots,etc. can all be changed and the radio secure flag will remain off.

ruus can be run,OTAs accepted,etc. and the s-off will stay,until it is purposely changed.

other devices use a "patched" hboot,wich is basically an hboot,that does not listen to the radio secure flag. the radio secure flag is still s-on,the patched hboot simply ignores it. these hboots can be further patched to prevent themselves from being overwritten,so the s-off is not lost during an ruu or OTA. with older phones,this works fine until a new hboot is required for an OS upgrade.

with the new devices,this type of s-off is not possible(or we would have had it a long time ago) due to the complex checks that the phone makes when it boots. if the s-on radio checks hboot and finds it to be unsigned,the phone is put into a "do not boot" mode that is only reversible by htc,becoming effectively a hard brick.

"why not patch the radio just like we patched the hboot??" partially because its easier said than done,partially because other checks are going on,and if the radio is found to be unsigned,again, "no boot mode". basically there are just too many checks going on to patch them all. since it all starts with the radio secure flag,its the only practical way to gain complete access to the phone.

*isnt my unlocked via htcdev bootloader the same as s-off? i thot thats what unlocked means?
sorry,no. its not the same. the key difference is that htcdev unlock only allows access to boot/system/recovery. the phone is still s-on,and still doing plently of checks that prevent you from:
-changing firmware
-changing your splash screen
-going backwards in software/firmware build version numbers.

it also does not allow you to write the boot image from the recovery partition,as we all know that have flashed roms on s-on phones. since the kernel lives in the boot image,the kernel can only be changed by:
1)flashing it seperately via hboot or fastboot
or
2)launching your recovery from fastboot.

a permanently installed recovery cannot install kernels with htcdev unlock

*so what does s-off do for me??
-first and foremost,it makes rom flashing and nandroid restoring ALOT easier by allowing the permanently installed recovery to write the boot image,making the PC no longer a required part of the flash/restore equAtion you can now download a rom right to your phone,move it to the root of your sd with a file manager,and boot to a recovery and flash it,without a PC anywhere in sight.(note that i do not download roms to my phone,i prefer to download to pc,then transfer. a personal preference)
-second,it alows changing of firmware,so you can run a "patched" or engnieering hboot,the advantages of will be discussed later
-it lets you upgrade your radio and related firmware wihtout running a huge,signed,full RUU
-it lets you go backwards in build numbers. this is handy becasue you can,without fear,flash the latest leak,and if its bad,revert back to older software/firmware without issue.
-you can change your splash screen,wich is not important functionally,but fun. anything from carman electra, to your cat,to your grandkids can replace the htc splash screen.
-last and not least,the ability to add a patched or engineering hboot,combined with the ability to run any RUU that exists,gives a much greater opportunity to revive a "soft bricked" phone.
-one last big plus is that the procedure will change your unlocked or relocked status back to locked wich,visiually,is good for warranty purposes

*can i get back to 100% s-on stock??
yes,you can. because the process changes you back to locked,you just need to run a signed RUU and turn the secure flag back on. directions in the following post.

*what is an engineering hboot?
an "eng" or "engineering" hboot is simply a bootloader that allows for extra fastboot commands. for most folks,99% of these commands will never be used. the main commands that users of an eng hboot will use,over a stock hboot are:
fastboot flash wich is used to flash recoveries,boot images,splash images,hboots,et.
and
fastboot boot wich is used to boot(launch) an image directly into phones memory. most common use of this is recovery. you can use it to get recovery running,without having to permantly flash it,thus leaving the stock one installed. this is good for users that want to recieve OTAs,and dont use recovery much.


*what is a patched hboot?
a "patched" hboot is simply an hboot that has been patched to provide some or all of the same commands as a real engineering hboot. they can be considered safer than a real eng hboot,since they are generally made of newer,more reliable hboot versions. eng hboots have generally been around since prior to the phones release. a patched hboot also can block itself from being overwritten by other hboots,wich can be a huge advantage on phones where the radio secure flag is actually "on" as the s-off hboot will always remain,even if OTAs are taken,or RUUs run.

the thunderbolts revolutionary patched hboot is a prime example of a ship hboot patched for eng commands,and preventing itself from being over written.

*how do install or change recovery now that im s-off,but locked?
there are a couple ways to skin this cat:
1)simply allow juopunutbear to install its patched hboot. this will let you use fastboot flash and fastboot boot if you are used to these commands.
2)as a PxxxIMG file. splash images,recoveries,hboots,or any other firmware can be changed by packing up the images,along with an android info text document, into a zip file,that is then renamed PxxxIMG,placed on the sd card,and updated in hboot.

donate to my device fund

 

[scotty85]

*please note that this is only intended for warranty purposes. there are NO benefits of s-on,whatsoever. you can recieve OTAs,you can unroot,etc. while -off. staying s-off also offers greater flexibility for recovering soft bricked devices(even devices that may have been hard bricked with s-on),and it also ensures youll be able to easliy re-root in the future,despite exploit patches.

if youre doing it to sell the device,dont. 9 out of 10 uses wont even realize its there. it wont hurt phone function,and the 1 out of 10 that know what s-off means,will prolly be really excited to find it

____________________________________________________________________________________

WARNING!!!
DO NOT turn your secureflag on unless on a stock,signed hboot.

s-on with an eng signed or patched hboot will hard brick your device immediately.(read: permanently bricked,unrecoverable)

in other words,ONLY use the writesecureflag 3 command AFTER running an RUU. never before.

how to turn s-on:

Spoiler

*if you are unlocked,you can reset your lock flag status back to ***locked*** with this thread: http://androidforums.com/mytouch-sl...t/670782-how-reset-your-lock-status-flag.html

1)donwload and run an RUU for the most current build
2)open a cmd window. plug in phone,charge only mode,usb debugging on.
3)run the following:

cd c:\mini-adb (or whatever folder you keep adb/fastboot)

adb devices

adb reboot bootloader

fastboot devices

fastboot oem writesecureflag 3

fastboot reboot-bootloader

*verify you are locked s-on

fastboot reboot

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Scott>[COLOR="Red"]cd c:\mini-adb_vigor[/COLOR]

c:\mini-adb_vigor>[COLOR="red"]adb devices[/COLOR]
List of devices attached
HTxxxxxxxxxx    device


c:\mini-adb_vigor>[COLOR="Red"]adb reboot bootloader[/COLOR]

c:\mini-adb_vigor>[COLOR="red"]fastboot devices[/COLOR]
HTxxxxxxxxxx    fastboot

c:\mini-adb_vigor>[COLOR="red"]fastboot oem writesecureflag 3[/COLOR]
                              ... OKAY [  0.051s]
finished. total time: 0.051s

c:\mini-adb_vigor>[COLOR="red"]fastboot reboot-bootloader[/COLOR]
     rebooting into bootloader... OKAY [  0.177s]
finished. total time: 0.177s

c:\mini-adb_vigor>[COLOR="red"]fastboot reboot[/COLOR]
                     rebooting...
finished. total time: 0.168s

c:\mini-adb_vigor>

*verified working if you need it for warranty.