Related
I have compiled this guide from the other one posted on this forum, the discussion therein, and my own knowledge. If you have any suggestions on making it better or to correct any mistakes I may have made please let me know.
This guide is intended for Windows and includes detailed instructions. It will cover the steps necessary to root, flash the new recovery image, create a full backup. This will work with software versions 1.29.651.1 and 1.56.651.2 (aka Android 1.5). If you have updated to 2.1 please following this guide here. I am not responsible for any damage done to your phone using this guide. Root at your own risk.
I have put to together a video on YouTube for you to follow along as well. The version numbers of certain files are now outdated in the video so change file names as necessary.
If you own a non-Sprint Hero, you will need to do some extra steps. Follow the guide in the How to Root Non-Sprint CDMA Hero thread.
Step 1: Download the Android SDK from http://developer.android.com/sdk/index.html The Windows file is called android-sdk_r06-windows.zip. Extract the files to your C: drive so that you now have the folder C:\android-sdk-windows
Step 2: Download the asroot2 exploit file from http://forum.xda-developers.com/attachment.php?attachmentid=244212&d=1257621154 Extract asroot2.zip to C:\android-sdk-windows\tools folder.
Step 3: Download the Hero recovery image from http://forum.xda-developers.com/showpost.php?p=4898505&postcount=1g Place this file in C:\android-sdk-windows\tools as well.
Step 4: Make sure USB Debugging is off by going to Settings>Applications>Development. Now connect the phone to your PC via USB cable.
Step 5: Mount your sdcard; Browse to the HTC Sync folder and install HTC Sync on your pc. After it is done installing unmount the sdcard then enable your USB debugging.
Step 6: Open a command prompt by clicking the Start button and typing cmd into the search box and pressing enter or found under All Programs>Accessories.
Step 7: You will now enter a series of commands which I will place inside code boxes to indicate the entire command. You may copy and then paste them into the command prompt window by right clicking. Only enter one command at a time.
1:
Code:
cd C:\android-sdk-windows\tools
2:
Code:
adb devices
If you've been following this guide you will see your phone's serial number. If you get "device not found" error, you either need to make sure you the drivers were properly installed or make sure you enable USB debugging AFTER you connect the USB cable. Continue on once you get the proper phone serial output.
3:
Code:
adb push asroot2 /data/local/
4:
Code:
adb shell
5:
Code:
chmod 0755 /data/local/asroot2
6:
Code:
/data/local/asroot2 /system/bin/sh
You should see an output that says:
$ /data/local/asroot2 /system/bin/sh
[+] Using newer pope_inode_info layout
Opening: /proc/857/fd/3
SUCCESS: Enjoy the shell.
#Now for a few last commands.
7:
Code:
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
8:
Code:
cd /system/bin
9:
Code:
cat sh > su
10:
Code:
chmod 4755 su
You are now officially rooted. A few more steps and you will have flashed the recovery image.
11:
Code:
exit
12:
Code:
exit
13:
Code:
adb push recovery-RA-heroc-v1.6.2.img /sdcard
Pushing is equivalent of copy the file to the root of your sdcard. By the time you finished reading this it should be done. You'll know its done because the ouput will say something like transferred X bytes in X secs.
14:
Code:
adb shell reboot
This will cause the phone to restart automatically. Wait till it is fully booted to continue.
15:
Code:
adb shell
16:
Code:
su
17:
Code:
cd /sdcard/
18:
Code:
flash_image recovery recovery-RA-heroc-v1.6.2.img
FLASHING TO THE RECOVERY TAKES SEVERAL SECONDS-- BE PATIENT. ENTER THE NEXT COMMAND ONLY AFTER THE COMMAND PROMPT RETURNS TO THE # (ROOT SYMBOL).
19:
Code:
reboot recovery
Step 8: This is the last command; you may now close the cmd prompt. This will cause your phone to boot into recovery mode; it should take no longer than 30 secs. The third option on the list is "- Backup/Restore"; select it. Now, select the first option "- Nand backup". The phone will prompt you to press HOME to confirm which is want you want to do. The backup will begin. You will see the screen say, "Performing backup : .........." When done, the bottom of the screen will say "Backup complete!" and you will be given the menu options again. Go back to the main menu and select reboot system. Rebooting your phone after installing the new recovery image may take several minutes.
Step 9: Once your phone is fully booted, mount the sdcard. You will see a folder called "nandroid"; I highly recommend you copy this to your pc in case you lose your sdcard data or reformat it. Your phone is rooted, 100% backed up, and ready to install a custom rom if you wish!
wow dude,
instructions worked great on Win7
i was able to download the missing usb_drivers by running SDK Setup in C:\android-sdk-windows, and selecting the usb driver from the available packages. I was unable to download the index for the SDK Setup program until I enabled "force http://" in the settings menu.
had to copy over asroot again after i ran SDK Setup (that program deleted it from the directory)
your instructions worked like a charm. total time spent rooting this thing after finding your post: 18 minutes.
(you might want to add a line there in the "mount and copy over the zip file step" to backup the nandroid folder from your SDCard to your comp just as a backup of your stock phone image)
anyway.. cheers!
izanagi said:
wow dude,
i'm about to follow these instructions. thank's for the precise list!
(btw, about to try it on Win7.. may have to change some folder pathing but we'll see)
okay.. typo on the first command in parentheses, and I'm missing the usb_drivers folder (do you have it / can sent it to me) so am unable to install the device in win7.
Click to expand...
Click to collapse
Heh, thanks for the misspell heads up. I did my rooting from Win7 pc; it automatically installed correct drivers for me. To check go to the Control Panel>View devices and printers. You see one device named "Android Phone". Otherwise as far as Ive heard installing HTC Sync installs proper drivers.
izanagi said:
*** edit had to copy over asroot again after i ran SDK Setup (that program deleted it from the directory)
**** edit: all done.. your instructions worked like a charm. total time spent rooting this thing after finding your post: 18 minutes.
(you might want to add a line there in the "mount and copy over the zip file step" to backup the nandroid folder from your SDCard to your comp just as a backup of your stock phone image)
anyway.. cheers!
Click to expand...
Click to collapse
Thank you for taking the time help make my guide better. I'm very glad to know there are little to no hiccups.
When I do step 5, instead of:
5. "/data/local/asroot2 /system/bin/sh"
You should see an output that says:
$ /data/local/asroot2 /system/bin/sh
[+] Using newer pope_inode_info layout
Opening: /proc/857/fd/3
SUCCESS: Enjoy the shell.
#
I get:
[1] Killed /data/local/asroot2 /system/bin/sh
Any suggestions? Should I just be quiet until there is an Eris specific way to do this?
When I do step 5, instead of:
5. "/data/local/asroot2 /system/bin/sh"
You should see an output that says:
$ /data/local/asroot2 /system/bin/sh
[+] Using newer pope_inode_info layout
Opening: /proc/857/fd/3
SUCCESS: Enjoy the shell.
#
I get:
[1] Killed /data/local/asroot2 /system/bin/sh
Any suggestions? Should I just be quiet until there is an Eris specific way to do this?
detox702 said:
When I do step 5, instead of:
5. "/data/local/asroot2 /system/bin/sh"
You should see an output that says:
$ /data/local/asroot2 /system/bin/sh
[+] Using newer pope_inode_info layout
Opening: /proc/857/fd/3
SUCCESS: Enjoy the shell.
#
I get:
[1] Killed /data/local/asroot2 /system/bin/sh
Any suggestions? Should I just be quiet until there is an Eris specific way to do this?
Click to expand...
Click to collapse
This guide is for the CDMA Hero not the Eris!
When I go to apply the rom I get an white screen with skateboarding androids on the bottom and the prompt to erase data yes/no. I press the home key and the Hero reboots without asking to "Apply sdcard:choose zip". This is done from the boot menu. Does the rom load automatically? Did I do something wrong? I got root with no problem. A tip; to make it easier and to avoid spelling mistakes copy and paste the rooting commands from the instructions. Made it go faster too. Thanks in advance.
Never mind. I held down Home and Power at
the same time instead of Home THEN power! ARRGH! Loading up now as I type. Sorry.
ELIMINATED said:
When I go to apply the rom I get an white screen with skateboarding androids on the bottom and the prompt to erase data yes/no.
I press the home key and the Hero reboots without asking to "Apply sdcard:choose zip".This is done from the boot menu.
Does the rom load automatically? Did I do something wrong? I got root with no problem.
A tip; to make it easier and to avoid spelling mistakes copy and paste the rooting commands from the instructions. Made it go faster too. Thanks in advance.
Click to expand...
Click to collapse
yuck... break up your sentences, that's alot of crap to throw on someone all at once... and the bold doesn't help it any.
check to see if you have the custom recovery installed....
-turn off phone
-hold vol down + power
-should search for some stuff then give three options
-press "home" to enter recovery image
do you see "!" and a phone.... does it just hang or do you see a green/yellow menu?
At the end of his post he says he figured it out. He wasn't holding down home key
None of this is working for me at all... I'm not sure what I'm doing wrong, but every time I enter ANY of the commands into the prompt all I get is "cannot find the path specified".
For reference, i have done everything in this guide to the letter, everything is downloaded, unzipped to the correct location, USB drivers installed, etc etc. Not sure what's wrong.
EDIT: I figured it out.. user error, awesome. Worked great, thanks for this!
awesomeindeed said:
None of this is working for me at all... I'm not sure what I'm doing wrong, but every time I enter ANY of the commands into the prompt all I get is "cannot find the path specified".
For reference, i have done everything in this guide to the letter, everything is downloaded, unzipped to the correct location, USB drivers installed, etc etc. Not sure what's wrong.
EDIT: I figured it out.. user error, awesome. Worked great, thanks for this!
Click to expand...
Click to collapse
"cd C:\android-sdk-windows\tools" is actually "cd C:\android-sdk_r3-windows\tools"
is that where you are stuck?
thank you TS. I've been lurking xda for a couple years now when i had the mogul and tp. First time on an android device. Thank you for your time in helping me.
someone buy this man a drink!!!
Invaluable piece of work right here, helped me get it done in no time at all....real clear concise and very helpful....REQUEST THIS BE A STICKY!!!!!
fenske09 said:
"cd C:\android-sdk-windows\tools" is actually "cd C:\android-sdk_r3-windows\tools"
is that where you are stuck?
Click to expand...
Click to collapse
That was the name of the zip file not the extracted folder.
Please help, I followed all of your instructions, I received no errors however I can't boot the recovery image. I checked and it is in the sd card, but every time it just hangs at the HTC logo
I downloaded a terminal emulator and typed su and it gave me # so I assuming I am rooted?!
newtodroid said:
Please help, I followed all of your instructions, I received no errors however I can't boot the recovery image. I checked and it is in the sd card, but every time it just hangs at the HTC logo
I downloaded a terminal emulator and typed su and it gave me # so I assuming I am rooted?!
Click to expand...
Click to collapse
Redownload the recovery image and reflash it. The one you're using probably became corrupt during DL or something.
theresthatguy said:
Redownload the recovery image and reflash it. The one you're using probably became corrupt during DL or something.
Click to expand...
Click to collapse
also make sure you have the heroc version there's a hero and heroC, i messed that up once and had similar results
new ROM
So i loaded the custom ROM, and i followed all the istructions as listed on this guide. When i rebooted my phone, a bunch of my apps started Force Closing on startup.
did i miss something, or do something wrong?
if i reinstall them on the new ROM will they work right?
thanks for any insight
kristaps said:
So i loaded the custom ROM, and i followed all the istructions as listed on this guide. When i rebooted my phone, a bunch of my apps started Force Closing on startup.
did i miss something, or do something wrong?
if i reinstall them on the new ROM will they work right?
thanks for any insight
Click to expand...
Click to collapse
you converted your sd card to fat32,ext2,swap and now the apps are looking for the program on your sd card,
turn off your phone
take out sd card
turn on phone
uninstall app
turn off phone
put in sd card
turn on phone
reinstall app
this should fix you
Make sure your battery has a decent amount of charge in it, you don't want to run out of juice in the middle of this.
You will need to have the android sdk installed, as you will need to use the adb tool.
Windows users will need to install HTC Sync in order to get the usb driver for the phone installed.
Part 1: In which we find that the Evo spreads easier than a Thai whore during tourist season
Code:
adb shell "rm /data/local/rights/mid.txt"
adb shell "ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt"
adb reboot
Part 2: In which we find that engineers have no personality, but they make one hell of a bootloader
Put the files from Toast's Part 2, for nand unlock onto the sdcard (PC36IMG.zip, mtd-eng.img, recovery.img, flash_image)
then (after making sure the sdcard is remounted to the phone if you used disk mode to xfer the files):
Code:
adb shell "cat /sdcard/flash_image > /data/local/rights/flash_image"
adb shell "chmod 755 /data/local/rights/flash_image"
adb shell "/data/local/rights/flash_image misc /sdcard/mtd-eng.img"
adb reboot bootloader
When asked if you want to update, say yes. Relax for a while, the update takes some time.
When the phone eventually boots back up:
Part 3: In which I find the whore, and make her install a custom recovery
Code:
adb shell "cat /sdcard/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/recovery.img"
After this you should be fully rooted with nand unlock.
I highly recommend going through Whitslack's Starting Over method to bring your software and radios up to date.
You're done.
Pity this only came to light a few days before people are going to be upgrading to a new OTA.
No, this will not work for anyone who updated to 2.2.
epic!!! 789
niice!
Nice Find!
At least now people can be rooted prior to the new OTA!
damn it!
___
Sweet! Wish I had that method starting out. Lol.
Sent from my PC36100 using XDA App
does this method really work??
BAttitude7689 said:
does this method really work??
Click to expand...
Click to collapse
Yes it does.
ok, so i have no idea how that works... care to go into it alittle bit more?
khshapiro said:
ok, so i have no idea how that works... care to go into it alittle bit more?
Click to expand...
Click to collapse
The init scripts chmod 777 mid.txt on boot (this means that anyone can do anything to the file basically). By removing the file and linking it to mtd1, the chmod now makes mtd1 accessible by everyone after a reboot, which means that you can go directly to toast's part2 which starts with flashing mtd-eng.img.
Incidentally it appears the droid eris guys have been using this flaw to their advantage for a while as well ;D.
So no, really? What is "root?"
You do fine work, sir
posting in a legendary thread
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
netarchy said:
Part 1:
Code:
adb shell rm /data/local/rights/mid.txt
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
adb reboot
Click to expand...
Click to collapse
What would be more interesting is for someone on the new OTA non-root to see if this exists in the Froyo release. I'll look around for a posting of the OTA update non-rooted and try it on my smashed phone. At least I won't care if that thing looses root.
Could we get a "The easiest 1.47.651.1 root method with nand unlock" for dummies? I have no clue what to do with this code.
You need to use an ADB shell for this using the Android SDK....
I tried to use the Evo-Recovery shell and received permission denied errors.
I am not a DEV by any means, and do not claim any credit for any of this. However, for people who need help, this may offer some assistance -- this is definitely the easiest root method out there.
1. Download and Install Android SDK - Learn Here
http://forum.xda-developers.com/showthread.php?t=694250
2. Open up a Command Prompt by holding windows button & pressing R or by pressing Run and typing CMD.
3. Navigate your way in DOS to the Android SDK folder, then to the Tools Folder
4. Then enter in the code in part 1. After each line press enter...the line will repeat below it.
5. Follow Toasts Part 2 -- Link: http://forum.xda-developers.com/showthread.php?t=701835 -- Video found here: http://www.youtube.com/watch?v=tUXTB0eydwE.
5A. Because you didn't do Toast's Part 1 of Root first (you used an exploit provided by the OP), you will NOT have a NAND Backup. Put the Custom ROM you want to load on your SD card, and after unlocking NAND protection and doing the wipes, load it from the custom recovery in lieu of restoring your NAND backup.
6. You're now rooted w/ NAND Unlocked!
7. I would then suggest going here, and running this so you have a fully rooted, stock ROM with all your radio/wimax up to date: http://forum.xda-developers.com/showthread.php?t=715915.
Anyone know if this method will work on an unrevoked3'd Evo? I am trying to acquire full root and I was going to use SimpleRoot today but if this will work...
Thank you for this! Question about number part 7. YOu suggest running the fully rooted stock 1.47.651.1 afterwards. Would it be a bad idea to Just run the fully rooted stock froyo 3.23.651.3 or even any other custom rom for that matter? i.e OMJ's EVO 2.2 Custom rom? Thanks
regulator207 said:
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
Click to expand...
Click to collapse
No because you need the engineering hboot to flash it since it's not signed by HTC.
Should work on 1.32 or 1.47. Nice.
Someone should test if this still works in the new 2.2 update. Good chance it does.
damit!
justinisyoung said:
damn it!
___
Click to expand...
Click to collapse
Hey! That's what I was gonna say!
*******UPDATED 8/31/10 *******
This rooting method was adapted from regaw_leinad's method and toastcfh's method. By following these steps you will successfully downgrade your phone back to android 2.1 in order to gain root.
I don't trust unrevoked as I have had problems with it in the past.
I am not responsible for any damages to your phone.
special thanks to:
regaw_leinad
Sebastian Krahmer
Toastcfh
amon_ra
FILES YOU WILL NEED:
copy and paste into browser
Code:
sdx-downloads.com/sdx/evo/troot/eng-PC36IMG.zip
evo4g.me/downloads//count.php?target=evo-root.zip
files.androidspin.com/downloads.php?dir=amon_ra/RECOVERY/&file=recovery-RA-evo-v1.8.0.img
developer.android.com/sdk/index.html
You will need the Android SDK in order to communicate between your computer and your phone. Download it (last link above) and follow the setup instructions that it comes with.
Unzip the contents of the evo-root.zip and put all the files from it into the tools folder located in the android sdk folder.
Rename the eng-PC36IMG.zip to PC36IMG.zip and then put it the tools folder located in the android sdk folder. DO NOT UNZIP IT!
******* PC36IMG.zip md5sum~ fe8aba99893c766b8c4fd0a2734e4738 *******
Move the recovery-RA-evo-v1.8.0.img into the android sdk folder as well.
Make sure usb debugging is enabled on your device. To do so go to Settings > Applications > Development > and make sure the check box is checked.
Plug your phone into the computer. Select "Charge Only" from the notifications bar.
Open up terminal and navigate your way into the android sdk folder.
Code:
cd /
cd asdk
Push all the files onto your phone.
Code:
tools/adb push /asdk/tools/flash_image /sdcard/
tools/adb push /asdk/tools/rageagainstthecage-arm5.bin /data/local/tmp/
tools/adb push /asdk/tools/mtd-eng.img /sdcard/
tools/adb push /asdk/tools/PC36IMG.zip /sdcard/
tools/adb push /asdk/tools/recovery-RA-evo-v1.8.0.img /sdcard/
Note that the PC36IMG.zip will take longer than the other files to transfer to the sdcard because it is a large file.
Now we will make rageagainstthecage.bin executable.
Code:
tools/adb shell
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
You should see this (below) after it has made the change.
Code:
$
Now to use the rooted shell.
Code:
cd /data/local/tmp
./rageagainstthecage-arm5.bin
You will now see some text on your terminal screen describing the exploit.
Wait for the adb shell to finish the process. At this point it may or may not terminate the current shell session in terminal. If it does then it should look like this:
Code:
users-iMac:asdk user$
If it doesn't it will return to
Code:
$
in that case you need to exit the current session. To do so type
Code:
exit
Now we need initiate a new shell which should now have root permissions.
Enter the following:
Code:
tools/adb shell
and you will see you now have a
Code:
#
instead of
Code:
$
Now we need to flash the mdt-eng.img in order for it to let us install a custom recovery
Code:
adb shell
cat /sdcard/flash_image > /data/flash_image
chmod 755 /data/flash_image
/data/flash_image misc /sdcard/mtd-eng.img
That will flash your misc partition with Toast's mtd-eng.img
This should return you to
Code:
#
Now boot into hBoot
Code:
reboot bootloader
This will reboot your phone into hBoot. It will scan for the PC36IMG.img. When it asks yes or no, select yes.
It should then reflash your phone into the engineering build.
When it asks to reboot select yes.
You will need to flash custom recovery in order to be able to flash other custom roms or modifications. I use Amon_RA's recovery because it works great and has NEVER caused me any problems.
Now, open up terminal and get back into the android sdk folder
Code:
cd /
cd asdk
Since we have already pushed the recovery onto the sdcard we only need to flash the recovery onto the phone so that we can use it
Code:
adb shell
cat /sdcard/flash_image > /data/flash_image
chmod 755 /data/flash_image
/data/flash_image recovery /sdcard/recovery-RA-evo-v1.8.0.img
Now lets rename that PC36IMG.zip file again
Code:
mv /sdcard/PC36IMG.zip /sdcard/eng-PC36IMG.zip
that way your phone doesn't try to flash it when you go into recovery each time
And last but not least we need to boot into it to flash a custom rom
Code:
reboot recovery
Your phone should then reboot into Amon_RA's recovery and you may now head over to the dev forum to find your new favorite custom rom.
very nice! can anyone confirm this? my buddy wants me to root his 2.2 and i would like to try this.
To make life easier for some people add this to your post mate, and apply it yourself if you would like.
Here is how to add your sdk/tools directory to your .bash_profile file so you won't have to navigate to the folder each time.
Download this so you'll be able to see your hidden files http://www.mediafire.com/?diimft1ninn Run it, check "Show Hidden Files" then click Restart finder. Now, navigate to your home folder (/Users/UserName/) and see if there's a .bash_profile already there. If not, create with textedit.
Now add this to the file: export PATH=${PATH}:/Path/Of/Your/Sdk/Tools/Folder
Mine is /Users/bmxrider4444/Documents/Android/SDK/tools
Now do not save it as rich text. If yours is in rich text, click on "Format" in the menu bar, and click "make plain text". Now save it as .bash_profile and uncheck "if no extension is provided, use .txt".
Now you can go back to Ghost and uncheck "Show all hidden files" and restart finder again (special thanks to ajones7279 for these steps)
Enjoy!
Just as clarification as to what this does, it enables you to run adb commands and other commands without having to navigate to the /android/tools/ folder every time you want to run adb or whatever.
does this work?
seekis said:
At this point we need to push the recovery onto the sdcard
Code:
tools/adb push "location of recovery-RA-evo-v1.8.0.img" /sdcard/
Click to expand...
Click to collapse
This is great! Thanks for the guide - I am planning on rooting my Wife's EVO but have been waiting for an easier method than the other one posted. Question on the above where we write "location of recovery-ra-evo-v1.8.0.img". Is that the exact code, or should we be adding a directory or folder location into this line? I rooted my 2.1 EVO on my Mac a couple months ago and don't remember this step. Once again - very much appreciate the help.
One last question - would it make more sense to have a custom ROM already on your SD Card prior to rooting, so that you can flash it right after you flash AMON-RA for the first time? Probably doesn't matter but thought i'd ask.
^^ same question as above, plus one other n00b question - does this method unlock NAND?
[edit] I was not insinuating that randymac88 is a n00b; I, however, am
seekis said:
I don't trust unrevoked as I have had problems with it in the past.
I am not responsible for any damages to your phone.
Click to expand...
Click to collapse
Don't trust us with the unrevoked 3.x/unrevoked forever application combo that's worked for thousands of users without sideeffects on regaw's post?
You should note to everyone that your method will screw up their PRI, reverting it back to 1.34. By using unrevoked and unrevoked forever, you can keep 1.40.
randymac88 said:
This is great! Thanks for the guide - I am planning on rooting my Wife's EVO but have been waiting for an easier method than the other one posted. Question on the above where we write "location of recovery-ra-evo-v1.8.0.img". Is that the exact code, or should we be adding a directory or folder location into this line? I rooted my 2.1 EVO on my Mac a couple months ago and don't remember this step. Once again - very much appreciate the help.
One last question - would it make more sense to have a custom ROM already on your SD Card prior to rooting, so that you can flash it right after you flash AMON-RA for the first time? Probably doesn't matter but thought i'd ask.
Click to expand...
Click to collapse
Thats not the exact code no. I just put that as a place holder you are suppose to put in the location of where you have the recovery.img. For example, the exact command for me would be:
Code:
/Users/seekis/Downloads/recovery-ra-evo-v1.8.0.img
Don't trust us with the unrevoked 3.x/unrevoked forever application combo that's worked for thousands of users without sideeffects on regaw's post?
You should note to everyone that your method will screw up their PRI, reverting it back to 1.34. By using unrevoked and unrevoked forever, you can keep 1.40.
Click to expand...
Click to collapse
As far as using unrevoked, I stated that I, ME, MYSELF, has had issues with it. not that anybody else has. By all means go and use it if you would like. I will not. It is true that you will loose PRI 1.40, but seeing as how even after installing the OTA from HTC my phone still didn't update it to 1.40, I don't see the issue.
rsage said:
^^ same question as above, plus one other n00b question - does this method unlock NAND?
[edit] I was not insinuating that randymac88 is a n00b; I, however, am
Click to expand...
Click to collapse
i believe it does unlock nand seeing as how i adapted it from toasts method
Hey Seekis - question, I'm stuck here. I keep getting "permission denied", or "operation not permitted" when trying to make the exploit executable at this step:
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
Am I missing something? I've tried a million times and can't seem to get past this. I've successfully pushed all the files onto the sdcard.
I've also have had some trouble finding the exact root path to these files. I've been able to navigate, but I would think a lot of users would have some trouble.
Regardless, many thanks for getting this posted...
EDIT: I pushed the rageagainstthecage file to the sdcard by mistake. Will try again tomorrow.
ok i got rid of that step by moving the file into the android sdk and pushing it with all the other files
Okay now I appear to be in big trouble as I've just messed up my wife's phone, and its probably going to be unusable for a while until I get this figured out (assuming I do!).
I got through most of the process. I flashed the PC36IMG.zip file; however when it asked to reboot, it just dumped me back into the bootloader. Whenever I say reboot, it just takes me back to the bootloader. Pull the battery, same thing - bootloader. Yikes.
I don't know how to get to the next step because I can't get into a booted rom in order to flash the amon-ra recovery. Am I totally effed? Can anyone help me here?
EDIT: Okay reflashed the PC36IMG.zip file, and it rebooted into the stock ROM. Onward! Phew!!
The wife's EVO is now fully rooted running Baked Snack 1.5 w/Netarchy's kernel. Touch and go there for a minute, but it all worked out. No 1.40 PRI, but I don't really care about that right now.
Woot! Thanks Seekis!!
do u have to push the pc36img with adb every time or will drag and drop work or copy and paste work?
FoxHound630 said:
do u have to push the pc36img with adb every time or will drag and drop work or copy and paste work?
Click to expand...
Click to collapse
You can mount the card on your system and copy paste it over as well, yes.
randymac88 said:
Okay now I appear to be in big trouble as I've just messed up my wife's phone, and its probably going to be unusable for a while until I get this figured out (assuming I do!).
I got through most of the process. I flashed the PC36IMG.zip file; however when it asked to reboot, it just dumped me back into the bootloader. Whenever I say reboot, it just takes me back to the bootloader. Pull the battery, same thing - bootloader. Yikes.
I don't know how to get to the next step because I can't get into a booted rom in order to flash the amon-ra recovery. Am I totally effed? Can anyone help me here?
EDIT: Okay reflashed the PC36IMG.zip file, and it rebooted into the stock ROM. Onward! Phew!!
Click to expand...
Click to collapse
Had the same issue. When i first booked into the bootloader i had to select recovery then flash PC36IMG.zip. Then boot loop. Then i went back into the bootloader and it automagically read in the PC36IMG.zip and flashed it, then i got stock 2.1 root. Just a few minutes of "oh crap"
I'm stuck. I got as far as flashing PC36IMG.zip, which was successful, as my phone now runs 2.1, but it doesn't appear I'm rooted. When I go back into the adb shell, I'm getting the $ prompt, and running
Code:
cat /sdcard/flash_image > /data/flash_image
gives me a permission denied error. Help!
atom_jack said:
I'm stuck. I got as far as flashing PC36IMG.zip, which was successful, as my phone now runs 2.1, but it doesn't appear I'm rooted. When I go back into the adb shell, I'm getting the $ prompt, and running
Code:
cat /sdcard/flash_image > /data/flash_image
gives me a permission denied error. Help!
Click to expand...
Click to collapse
i dont know what to tell you other than try again. this happened to me the first time through as well. i dont know why. i just started from the top and it worked the second time through.
seekis said:
i dont know what to tell you other than try again.
Click to expand...
Click to collapse
So after you flash PC36IMG.zip you should automatically get a root (#) prompt when going into the shell? ie, I'll have rooted 2.1 yes?
seekis said:
this happened to me the first time through as well. i dont know why. i just started from the top and it worked the second time through.
Click to expand...
Click to collapse
Aha. Ok, I will keep trying til it gives me a root shell, I guess. I also tried unrevoked3 but that didn't seem to work.
Success!! So, I stupidly assumed that all PC36IMG.zip's were the same, and was using the one from the original 2.2 PC thread. Once I got the correct one, voila!
You might want to post the md5 of the one you are using, so there's no confusion for others. Also, you missed a tiny step when you first start up hboot - you have to select fastboot for it to start scanning for PC36IMG.zip.
Thanks!
This tool is now deprecated. To root your Evo 4G running Gingerbread you will need to use the Revolutionary tool that can be found at http://www.revolutionary.io.
I'm sorry to do it but due to the ridiculous amount of people who are still asking for help rooting gingerbread, I will no longer be supporting this tool what so ever. Any further emails I receive about it will be deleted.
Click to expand...
Click to collapse
Click to expand...
Click to collapse
I am proud to present the HTC EVO Auto Root script! It took me awhile but I finally got it fully automated, it probably would have been easier using VB to write it but I wanted it to be readable by everybody. I don't have working scripts for Linux or Mac yet but for older phones you should be able to follow the Alternative Method and use the code included at the end of the post with minimal changes. If you are new to rooting the Evo you should check out the Rooting Information and Common Problems thread to familiarize yourself with some of the screens you will see. At times your phone may shows ominous looking icons that look bad but really aren't, at times like that it is important that you don't panic and do anything that could damage your phone.
This will make a backup of your WiMAX partition and the RSA keys that are stored on it; backing up your RSA keys separate is not necessary. It will save it in the AutoRoot folder so be sure not to delete it.
If you run into any problems please include the following information with your post: Any methods you have previously tried to root with, what it did last plus any error messages it may have given (if you can right click, select all and copy it from the terminal), and if you are in the bootloader we need to know what the top two lines say. Running this will create a log file named: autorootlog.txt. Please post this as well.
Any feedback no matter good or bad is appreciated! Let me know how it works for you.
Randy (randyshear on youtube) has made a great video of the process if you would like to get an idea of what to expect before hand. It is important to note that, depending on your phone, the process may be slightly more involved or require more or less time.
HTC EVO 4G ** ROOT AND NAND UNLOCK ** AUTOROOT V 2.2 ** HOW TO **
This has been confirmed working with:
Software versions 1.32, 1.36, 3.29, 3.30 & 3.70
hBoot Version .76, .93, .97, 2.02 & 2.10
Thanks go to
HTC for making the phone to begin with
Sebastian Khramer for his rageagainstthecage exploit
Toastcfh for his tutorial and all of his work on improving the Evo, a lot of this is borrowed from his previous work
Amon_RA for his recoveries and for his quick work creating a recovery compatible with the new NAND blocks
Calkulin for collecting all of the radios and update images
Whosdaman, Football and Sniper911 for sharing the RUUs with us
The Unrevoked Crew for all of their hard work on the Unrevoked Forever s-off tool
amoamare and Zikronix for all of their hard work on rooting phones with the 2.02 hboot
chris1683 for his Sprint Lovers ROM
Netarchy for all of the great kernels
A huge thanks goes out to Dan0412 who took the time to debug this for version 003 2.02 phones
Schnick1 and tauzins for their help with getting ADB to act right
Props go to RyanZA and anyone else who worked on the z4root app. I wouldn't have got 3.70 rooted as fast as I did if I didn't have their app to learn from.
You Will Need:
A windows machine
HTC Sync that can be found on Sprint's website. HTC Sync 2.0.35.exe
At least 1 GB of free space on your SD card
A full or close to full battery (your phone will not charge during part of this and if it dies you will be SOL, aka Bricked)
ADB debugging enabled (Settings > Applications > Development > ADB Debugging)
Your phone connected to your computer as Charge Only and HTC's Evo drivers / HTC Sync installed.
The AutoRoot.zip File that can be found in this post
[*]I highly recommend you have the appropriate RUU, or PC36IMG, downloaded before you start. It is always good to have and if something does not go as planned it can get your phone back up and running with minimal down time.
Click to expand...
Click to collapse
IF YOU HAVE PREVIOUSLY TRIED ROOTING YOU MUST RESTORE FROM A RUU BEFORE RUNNING THIS. IT WILL NOT ROOT IT UNLESS YOU DO THIS.
Instructions:
This will try to back up your apps but it's not always able to, you will also lose all of your settings. Titanium Backup works well to save your apps however you will need to use z4root to temporarily root before you will be able to use it.
Download HTC Sync from Sprint's website here and install it. You may need to use the 'Repair' option for it to replace any old drivers.
Extract AutoRoot.zip into a folder that is easy to find and then open the folder.
Right click on 'AutoRoot.bat' and run it as Administrator.
Once it finds your phone it will start by checking out what kind of setup it uses and then attempt to get root access. If it fails usually it's from too many active apps or the phone being used, if so you will need to restart it before trying again. If you are using 3.70 it will let you know when it is running by blurring the screen.
When it is ready it will reboot your phone into the boot loader. Then, depending on your phones setup, it will either enter RUU mode and automatically flash the debugging firmware or give you instructions on how to flash it from the hBoot.
If you have to flash it manually just push Power to select "BOOTLOADER" and say Yes when it asks to flash the PC36IMG.zip. It will complain part of the way through about Boot Loader and/or radio errors and then skip them, this is normal. Once it finishes say No when asked to reboot and use the Vol Down button to highlight Recovery. Then press Power to select it.
If you are entering the Recovery your phone will show a Red Triangle with an Exclamation mark inside, at this point the script will take back over and attempt to flash Unrevoked Forever.
After it finishes flashing the engineering bootloader, or Unrevoked Forever, it will reboot into the bootloader and see if your NAND is unlocked. If so it will flash the Sprint Lovers ROM along with the Recovery and updated Radios. Afterward it may boot into the ROM and attempt to restore your Apps before finishing, try not to interrupt it until it tells you it has finished.
Once it's fully rooted and you have your phone set back up it's a good idea to make one more NANDroid with everything up to date. Then make one more backup of your WiMAX partition in case something happens to the first one.
Click to expand...
Click to collapse
If you have an older phone and don't want to flash Unrevoked Forever or Sprint Lovers w/ the radio updates you can have it skip them. It will just flash the engineering bootloader to unlock the NAND and then flash the recovery directly from there. You will need to update everything and flash a custom ROM on your own. This will only work if your phone has a version .9x hBoot.
Instructions for Quick method:
This will completely wipe your phone. If you would like to back up your apps you can use Titanium backup to save them. It also has an option to save the system files but this can result in a buggy ROM afterward.
Extract AutoRoot.zip into a folder that is easy to find.
Open a DOS prompt by running the OpenShell file.
Type 'autoroot quick' and press Enter
It will then flash the engineering bootloader and the recovery through fastboot. Once it is finished you can use the bootloader menu to boot into the recovery and make a NANDroid, flash a ROM, radios, etc.
Click to expand...
Click to collapse
Links:
Downloads
AutoRoot v2.5 - Full Root Zip (MD5: 5E1BF365F3B5479329896BD55C33678E)
AutoRoot v2.5 - Tools Only (MD5: 5DBA70A8CDD052A9908E4F43D6BBC669)
The following are the ROMs pulled out of the RUUs, you can flash them by renaming and putting it on your sd card or from your computer with fastboot using the included FlashZip script.
Sprint Evos (USA):
3.29.651.5_PC36IMG.zip (MD5: 2F5046C0FC6FE61114EBC53D5997B485)
3.30.651.2_PC36IMG.zip (MD5: 4A2CAB264244C79B2E2BE9E3CFE2B503)
3.70.651.1_PC36IMG.zip (MD5: 7056D42812AA5DF03FCC8DDDC2B64E85)
KDDI Evos (Japan):
1.05.970.1_PC36IMG.zip (MD5: 78F9E8BFEE705F34790A46C258268F02)
Sources
How to unlock Nand Protection ~ Part-2
RA-evo-v1.8.0 (a modified version is included)
RUU to restore 3.29.651.5
RUU to restore 3.30.651.2
RUU to restore 3.70.651.1 (Thanks to 911Sniper for the original mirror)
Sprint Lovers ROM (a modified version is included)
Click to expand...
Click to collapse
Changes for v2.5
Script now checks for Admin Priveledges and kills HTC Sync Services for Sync 3.05
Fixed issue recognizing build numbers
It will attempt to back up Apps now
Checks branding in order to recognize KDDI Evos
Unrevoked forever will now be retried if it doesn't get run the first try
Changed it so it will leave the phones in Fastboot mode if it fails
Recognizes ADB issues easier now
Changes for v2.4
Updated the ROM and Recovery
The working directory is now saved correctly when the path has a space in it
Fixed an error checking the firmware version that would cause the script to close
Made it more capable of recovering when the phone is in an unknown state
Fixed the SD card not being recognized with Eclair
Some parts will check for the 'daemon' error messages and will call to fix it
Made it so the MTD data is not saved unless it is recognized
The script will continue if it times out while waiting on Unrevoked Forever
The WiMAX partition is backed up through the ROM at the very beginning instead of through the Recovery
Changes for v2.3:
Updated the ROM, Recovery and Radios
The script will now recognize your phone at any point in the process and will continue where it left off
Fixed the FlashRecovery script and made it so you can choose what to flash, just put your PC36IMG of choice in the folder with it and let it do the work
Fixed the version checker so it doesn't get confused with custom ROMs anymore
Quick mode checks your hboot version from the ROM now so it won't even try if you have a new bootloader
It is much more tenacious going into the recovery, hopefully fixing the issue with ADB dropping out there
Fixed a bug where the MTD block sizes were not always being remembered correctly
Added more checks to make sure the phone is where it's supposed to be throughout the process
Made it try harder to get the recovery log so it doesn't get missed as much
Tweaked the timing some so it moves a little bit quicker and you only have to hit a button twice to exit instead of three times
Fixed the infinite loops so they are now 95% shorter
Changes for v2.2:
Updated the recovery to Amon RA's version 2.2.1
MTD information for each phone is saved in case it is restarted and unable to find out.
Fixed a bug where pre 3.xx ROMs were not being recognized correctly.
Phones are explicitly called by their serial number to prevent confusion if an emulator starts or another phone gets plugged in.
Unresponsive ADB daemons are killed to help prevent them for hanging or randomly restarting.
Changed autoroot.log to autorootlog.txt to make it easier to attach
Minor bug fixes.
Changes for v2.1:
Updated the recovery to Amon RA's version 2.2
Minor bug fixes
Changes for v2.0:
Added an app to give ADB root and keep it active in 3.70
Updated Sprint Lovers and Amon RA
Removed the two separate kernels/recoveries for new and old phones
Added a battery life check before flashing
Checks Firmware versions in both the ROM and hBoot
Checks that the Misc partition was flashed properly
Fixed all of the bugs with Quick root, it no longer flashes Sprint Lovers if you run it with S-OFF
It automatically restarts adbd where it would occasionally reset itself and get hung up
It also kills adbd when it finishes so you can move/delete it
Changed the bat that restarted adbd so it kills it instead
Added a bat to flash AmonRA through Fastboot with non-Eng hBoots
Added a bat to open a Cmd prompt already in the autoroot folder
Rewrote a good portion of the script and cleaned it up a lot
Made it more flexible so it doesn't get lost as easily
Plus more I forgot
Click to expand...
Click to collapse
Contents of v2.5 Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
AutoRoot.bat
check.bat
fastboot.exe
fastboot-linux
fastboot-mac
FindPhone.bat
FlashZip.bat
OpenShell.bat
StartRecovery.bat
amon_ra_1.8-mod/
res/
....AutoRoot.apk
....autoroot.ini
....dump_image
....Escalate.vbs
....Escalater.bat
....EscSC.lnk
....exploid.com
....FindPhone.bat
....flash_image
....ini.cmd
....mtd-eng.img
....PC36IMG_UD.zip
....PC36IMG_AmonRA-v2.3-hausmod_revA.zip
....PC36IMG-SprintLovers-AmonRA_2.3-hausmod_revA.zip
....radios.zip
....rageagainstthecage-arm5.bin
....recovery-RA-v2.3-hausmod_revA.img
....URFSOff.zip
....URFSOn.zip
....WatchPhone.bat
Notes:
Recovery is recovery-RA-supersonic-v2.3 with Netarchy's 4.3.2 CFS NoHAVS NoSBC NoUV
radios.zip is EVO_Radio_2.15.00.11.19_WiMAX_27167_R01_PRI_NV_1.90_003
URFSOff.zip is the Unrevoked Forever S-OFF tool
URFSOn.zip is the Unrevoked Forever S-ON tool
Click to expand...
Click to collapse
As always, this will void your warranty and may possibly damage your phone. You and you alone are responsible for anything that you do. Everything contained in this thread is for informational purposes only.
Click to expand...
Click to collapse
IMPORTANT: Everything contained in this post is meant for phones with the older bootloader. If you have hBoot version 2.02 or ROM version 3.30 you must use the above method.
Old Universal Root
(Scroll Down for Alternate Method)
You Will Need:
A windows machine and basic knowledge of DOS or a Linux/Mac box with a little bit of determination
At least 1 GB of free space on your SD card
A full or close to full battery
ADB debugging enabled (Settings > Applications > Development > ADB Debugging)
Your phone connected to your computer as Charge Only
The EVORoot.zip File that can be found in this post
Click to expand...
Click to collapse
Instructions:
Extract EVORoot.zip into a folder that is easy to find and go to that folder. Then copy the 'moveme' folder out of that one and on to your sdcard. Once it finishes copying unmount/eject the SD card through windows and change your phone back to Charge Only.
Double click on 'runexploit' and let it run. When it asks if you want to flash the hBoot push 'y' and then {enter}. If there are any errors follow the instructions given to try and resolve them. It will automatically reboot your phone once it is ready for it. If all you see is the prompt flashing press Ctrl+C or close the window to exit and re-run it as Administrator.
When the bootloader comes up push the Power button and you should see it start searching for updates. When it gets to PC36IMG.zip it will ask if you want to update with it, push Volume Up to say yes.
*DO NOT TURN OFF THE PHONE OR LET THE BATTERY DIE WHILE UPDATING*
When it's finished push the power button to select 'fastboot' and use the volume buttons to select the yellow 'reboot' button. Push power one more time to select it and reboot your phone. It should start up rooted and ready to go, however you will still need a custom Recovery so you can make NANDroid back-ups and flash an up to date ROM.
Once the phone starts back up run 'flashrecovery' through explorer. It will automatically flash and then reboot your phone into Amon_RA's recovery. When it reboots you should see green text on a black background, if you see a triangle with an exclamation mark then you still have the stock recovery and need to reboot and try again.
Use the volume buttons to select Backup/Restore then push Power to select it.
Select Nand backup and push power. This will make an exact copy of your phone as it is. If you get an error that says 'run mobile-nandroid...." make sure you have at least 3 or 400MB free on your memory card. You can use USB-MS toggle to mount your SD card if you need to make room or copy a ROM to your phone. The moveme folder can also be deleted from your SD card at this point and you can make copies or move the backup once it is complete. Just make sure you have one good backup before continuing.
The NANDroids are saved under 'nandroid/??????????/backupfolder-date-time/'. The folders need to be moved whole.
Return to previous menu, select Wipe, then have it Wipe data/factory reset, Wipe cache & Wipe dalvik-cache. If you get stuck in a bootloop try these steps again and try wiping the SD:ext partition as well.
Return, then go in Flash zip from sdcard. Once there flash the Radios. It is again very important not to interrupt or reset the phone while the radios are being flashed, although it will probably want to reboot before flashing can be finalized, just follow the instructions.
Once it is finished Return to the previous menu and select Power Off. Then hold down the vol down button while turning the phone back on.
It will boot back up into the bootloader, select No if it asks to update or reboot. From here select Recovery and it should go back to the black background with green text.
Select Flash zip from sdcard and Flash ROM-Supersonic_3.30....zip. If you have a different ROM you want to use you can flash another one instead.
Once it is finished Return to the main menu and have it Reboot system. Your phone should start up normally and ask to be set up, complete the set up like normal.
When you have it set up and are sure everything is working properly I would make one more NANDroid so you have a copy with the updated radios. At this point you can also flash another recovery and do anything else you would normally do. Just be sure to use unrevoked forever if you plan on using a different hBoot.
Click to expand...
Click to collapse
Links:
Downloads
EVORoot.zip
EVORoot.zip - No bootloader, ROM or Radio updates
eng-PC36IMG.zip mirror 1, mirror 2
The following are the ROMs pulled out of the RUUs and renamed, make sure you use the correct version for your phone but if you aren't able to find out start with the 3.29.
3.29.651.5_PC36IMG.zip
3.30.651.2_PC36IMG.zip
If you are having trouble flashing custom ROMs try using this kernel (Thanks to xxbabiboi228xx)
Stock kernel #17
Sources
How to unlock Nand Protection ~ Part-2
All EVO Radio, WiMAX, PRI & NV versions
RA-evo-v1.8.0
RUU to restore 3.29.651.5
RUU to restore 3.30.651.2
Click to expand...
Click to collapse
Contents Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
exploid.com
flashboot.bat
flashrecovery.bat
runexploit.bat
moveme/
.....eng-PC36IMG.zip
.....evo_radios_wimax_pri_nv_3.30.zip
.....flash_image
.....mtd-eng.img
.....rageagainstthecage-arm5.bin
.....recovery-RA-evo-v1.8.0.img
.....SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip
Click to expand...
Click to collapse
Alternate method
If you already have the EVORoot.zip file you can download the scripts below without the boot/ROM/radio.
Instructions:
Extract EVORoot.zip into a folder that is easy to find such as C:\EVORoot. Then copy the 'moveme' folder out of that one and on to your sdcard.
Open up a DOS prompt and go to the EVORoot directory. eg. 'cd C:\EVORoot'.
type: runexploit {enter}
It will scroll a few lines saying that the ADB server will be reset and to run it on the desktop, this is normal. If it says Permission Denied check to make sure your phone is set to charge only and your sd card is not mounted as a hard disk.
type: adb shell {enter}
If you see '$' then type: "./data/local/tmp/rageagainstthecage-arm5.bin", without the quotation marks, and push enter. After a few seconds it should kick you out to the \> prompt.
If you see '#' then type: exit {enter}
type: flashboot {enter}
If you don't see any errors let it continue, if you do see an error push Ctrl+X to stop
Your phone will then reboot, when it comes back up the bootloader option should be highlight. Press the power button to select it. It should then search for a second and ask if you want to install the pc36img.zip, push Volume Up for Yes.
*DO NOT TURN OFF THE PHONE OR LET THE BATTERY DIE WHILE UPDATING*
When it's finished go into fastboot and select the yellow 'reboot' through the menu, it should start up rooted and ready to go however you will still need a custom Recovery so you can make NANDroid back-ups and flash an up to date ROM.
Once the phone starts up do step #4 to check for root (# prompt), if it is a '$' try typing 'su {enter}'. If that does not work use runexploit and then check again. Return to the DOS prompt once finished.
type: flashrecovery {enter}
Let it continue as long as there are no errors, otherwise Ctrl+X will stop it. If you run this more than once you can ignore the file not found errors from when it first starts. When the phone reboots you should see green text on a black background, if you see a triangle with an exclamation mark then you still have the stock recovery.
Use the volume buttons to select Backup/Restore then push Power to select it.
Select Nand backup and push power. This will make an exact copy of your phone as it is. If you get an error that says 'run mobile-nandroid...." make sure you have at least 3 or 400MB free on your memory card. You can use USB-MS toggle to mount your SD card if you need to make room or copy a ROM to your phone. The moveme folder can also be deleted from your SD card at this point and you can make copies or move the backup once it is complete. Just make sure you have one good backup before continuing.
The NANDroids are saved under 'nandroid/??????????/backupfolder-date-time/'. The folders need to be moved whole.
Return to previous menu, select Wipe, then have it Wipe data/factory reset, Wipe cache & Wipe dalvik-cache. If you get stuck in a bootloop try these steps again and try wiping the SD:ext partition as well.
Return, then go in Flash zip from sdcard. Select and Flash ROM-Supersonic_3.30....zip. If you have a different ROM you want to use you can flash that one instead.
Flash the Radios, it is again very important not to interrupt or reset the phone while the radios are being flashed. It will probably want to reboot itself afterward, just follow the instructions.
Once it is finished Return to the main menu and have it Reboot system. Your phone should start up normally and ask to be set up, complete the set up like normal.
Once you have it set up and are sure everything is working properly I would make one more NANDroid so you have a copy with the updated radios. At this point you can also flash another recovery and do anything else you would normally do. Just be sure to use unrevoked forever if you plan on using a different hBoot.
Click to expand...
Click to collapse
Links:
Downloads
EVORoot.zip
EVORoot.zip - No bootloader, ROM or Radio updates
eng-PC36IMG.zip mirror 1, mirror 2
Click to expand...
Click to collapse
Contents Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
flashboot.bat
flashrecovery.bat
runexploit.bat
moveme/
.....eng-PC36IMG.zip
.....evo_radios_wimax_pri_nv_3.30.zip
.....flash_image
.....mtd-eng.img
.....rageagainstthecage-arm5.bin
.....recovery-RA-evo-v1.8.0.img
.....SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip
Batch Files
runexploit.bat
Code:
adb shell "cat /sdcard/moveme/rageagainstthecage-arm5.bin > /data/local/tmp/rageagainstthecage-arm5.bin"
adb shell "chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin"
adb shell "./data/local/tmp/rageagainstthecage-arm5.bin"
flashboot.bat
Code:
adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image misc /sdcard/moveme/mtd-eng.img"
adb shell "mv /sdcard/moveme/eng-pc36img.zip /sdcard/pc36img.zip"
adb shell sync
adb reboot bootloader
flashrecovery.bat
Code:
adb shell "mv /sdcard/PC36IMG.zip /sdcard/moveme/eng-PC36IMG.zip"
adb shell "mv /sdcard/moveme/evo_radio_wimax_pri_nv_3.30.zip /sdcard/evo_radio_wimax_pri_nv_3.30.zip"
adb shell "mv /sdcard/moveme/SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip /sdcard/ROM-SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip"
adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/moveme/recovery-RA-evo-v1.8.0.img"
adb shell sync
adb reboot recovery
Click to expand...
Click to collapse
This uses HTC's eng hBoot to unlock NAND protection so it is relatively safe, but, as always, this will void your warranty and may possibly damage your phone. You and you alone are responsible for anything that you do. This is for informational purposes only.
Click to expand...
Click to collapse
Here are linux and mac versions. You just need to get adb from somewhere (I don't think the packaged windows version will work).
If it's in your path, just change all of the "./adb" to "adb", or if you copy the executable to the same directory as these scripts, leave them as is.
Put them in the same directory, as the kit, and they should work.
I haven't tested, but thought I would write them up quickly to help with mutli-os support.
runexploit.sh
Code:
#!/bin/bash
./adb shell "cat /sdcard/moveme/rageagainstthecage-arm5.bin > /data/local/tmp/rageagainstthecage-arm5.bin"
./adb shell "chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin"
./adb shell "./data/local/tmp/rageagainstthecage-arm5.bin"
flashboot.sh
Code:
#/bin/bash
./adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
./adb shell "chmod 755 /data/flash_image"
./adb shell "/data/flash_image misc /sdcard/moveme/mtd-eng.img"
./adb shell "mv /sdcard/moveme/eng-pc36img.zip /sdcard/pc36img.zip"
./adb shell sync
./adb reboot bootloader
flashrecovery.sh
Code:
#!/bin/bash
./adb shell "mv /sdcard/PC36IMG.zip /sdcard/moveme/eng-PC36IMG.zip"
./adb shell "mv /sdcard/moveme/evo_radio_wimax_pri_nv_3.30.zip /sdcard/evo_radio_wimax_pri_nv_3.30.zip"
./adb shell "mv /sdcard/moveme/SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip /sdcard/ROM-SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip"
./adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
./adb shell "chmod 755 /data/flash_image"
./adb shell "/data/flash_image recovery /sdcard/moveme/recovery-RA-evo-v1.8.0.img"
./adb shell sync
./adb reboot recovery
I'm getting a permission denied when I try to runexploit
Can you post an alternate mirror for the rootkit?
jacobzamarripa said:
I'm getting a permission denied when I try to runexploit
Click to expand...
Click to collapse
Do you have debugging enabled?
MJStephens said:
Do you have debugging enabled?
Click to expand...
Click to collapse
usb debugging. yes
jacobzamarripa said:
usb debugging. yes
Click to expand...
Click to collapse
Are you running cmd.exe as admin?
Do you guys have a youtube video of step by step for this? Because i cant even get past the third step
BrashL said:
Are you running cmd.exe as admin?
Click to expand...
Click to collapse
im not quite sure how. im on windows xp
jacobzamarripa said:
im not quite sure how. im on windows xp
Click to expand...
Click to collapse
Im pretty sure he just means that your on an user name on windows that has Master rights.
Bravo, bravo. You really outdid yourself on this hauss. What a fabulous tutorial for noobs. In my spare time, I would be happy to make a Mac version of this tutorial for you. I think the Mac part jut confuses people more. Seriously, great work. I will be referring people to this. Replaces the need to do 20 commands with like 4 homemade batch scripts. Pm me or email at [email protected] and I will build a Mac tutorial (giving you full credit of course)...
Confirm?
This looks and sounds awesome. I would LOVE a mac version of this and like to donate to good work
Can I get a confirmation from someone reporting success using this method?
I'd like to use this on a friends phone today but am a bit hesitant because it's so new.
thanks!
i will confirm that all the scripts work on thier own. i have no idea if hauss's batch scripts work. all the exploits are legit though. i will download and proofread. either way, it should work. i know hauss is experianced at rooting and stuff.
wait, huge file. does someone mind sending me everything except the pc36img.zip and eng-pc36img.zip? email is [email protected]
does anyone know if it will work on parallels on mac.
adb connection will be reset. restart adb server on desktop and re-login
I keep getting error message saying "adb connection will be reset. restart adb server on desktop and re-login"
--------------------------------------------
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3316, 3316}
[*] Searching for adb ...
[+] Found adb as PID 1400
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
rukshmani said:
I keep getting error message saying "adb connection will be reset. restart adb server on desktop and re-login"
--------------------------------------------
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3316, 3316}
[*] Searching for adb ...
[+] Found adb as PID 1400
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
Click to expand...
Click to collapse
Actually i kept getting this same message when i was on the adb server and was attempting to get to the recovery screeen on the phone. Do you by any chance have HBoot 2.2 on your evo?
Hi Noobe , yes unfortunately..am i SOL
rukshmani said:
i keep getting error message saying "adb connection will be reset. Restart adb server on desktop and re-login"
--------------------------------------------
[*] cve-2010-easy android local root exploit (c) 2010 by 743c
[*] checking nproc limit ...
[+] rlimit_nproc={3316, 3316}
[*] searching for adb ...
[+] found adb as pid 1400
[*] spawning children. Dont type anything and wait for reset!
[*]
[*] if you like what we are doing you can send us paypal money to
[*] [email protected] so we can compensate time, effort and hw costs.
[*] if you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 usd!
[*]
[*] adb connection will be reset. Restart adb server on desktop and re-login.
Click to expand...
Click to collapse
this is not an error message! This means it is working! Just move on to the next step. If there is nothing that says the word error, there is probably no error!
I take no credit whatsoever for obtaining root or anything development related.
I simply took BCNice20's instructions and added more detail for less experienced users. In fact I copied most of this directly from his thread and added more detail.
I take absolutely no responsibility for your phone if you brick it, if it melts, if it sleeps with your wife, or if it burns your house down.
Proceed at your own risk.
If you need to get started with the SDK and ADB start here
Step 1
Temp root your device using Visionary or Z4 (I prefer Visionary)
If you are already temp rooted skip this step
Step 2
Download the file linked at this address http://www.thebcblends.com/shift/Shift-root.zip
Extract the contents to the root of your SD card.
If you are having trouble extracting download 7-Zip
Once installed connect your phone to your computer as a disk drive
right click on the shift-root.zip, select extract here, then use the dropdown to locate your device, more specifically your SD card
Once you have extracted the file to the root of your sd card change your connection type back to charge only
Step 3
If you have followed my other thread you already have adb working
Open the cmd prompt and paste the following
Code:
cd C:\AndroidSDK\platform-tools
hit enter
type
Code:
adb shell
hit enter
you will see this
Code:
$
no type
Code:
su
hit enter
Superuser will prompt you to click allow on your phone. Click it quickly to allow permissions!
Now you will see
Code:
#
you have root permissions.
Step 4
Verifying md5sum
Make sure you copy and paste this exactly
Code:
md5sum /sdcard/Shift/hboot_orig.bin
then hit enter
Your result should look like this 386c19451e8dd18f9b98fad6b11be4c0 hboot_orig.bin make sure the numbers match. You may have some extra path in front of hboot_orig.bin.
Next copy and paste this exactly
Code:
md5sum /sdcard/Shift/hboot_eng.nb0
then hit enter
Your result should look like this 60ec1006e6ec2e8acb370d6aad35b17e hboot_eng.nb0 make sure the numbers match. You may have some extra path in front of hboot_eng.nbo.
If these do not match do not proceed. Delete the file placed on the root of your sd card and repeat step 2 and redownload.
Step 5
Now we're going to flash the eng spl. This is where the unpleasant things can happen.
Make sure you are in adb shell with superuser(root) permission. This was explained in Step 3.
If you are not in adb shell with root permissions then do not proceed. Do not pass go, do not collect $200.
Now DO NOT REBOOT until you are instructed to do so!!
Now paste this exactly into cmd prompt
Code:
dd if=/sdcard/Shift/hboot_eng.nb0 of=/dev/block/mmcblk0p18
and hit enter
You have flashed the eng spl. Now we will make sure it flashed properly.
Step 6
Check the md5 of new flash hboot and restore if necessary
run this command to pull the newly flashed hboot to your sdcard
type
Code:
dd if=/dev/block/mmcblk0p18 of=/sdcard/Shift/hboot_check.nb0
in the command prompt and hit enter
now we check the md5 to see if it matches
Enter
Code:
md5sum /sdcard/Shift/hboot_check.nb0
in the command prompt and hit enter
it should read 60ec1006e6ec2e8acb370d6aad35b17e
if the md5sum matches then congratulations its safe to reboot!! you can skip the next bit and continue on to step 7
if you absolutely cannot get the eng hboot to flash right then run this to restore the stock hboot
Type
Code:
dd if=/sdcard/Shift/hboot_orig.bin of=/dev/block/mmcblk0p18
in the command prompt and hit enter
then pull it to check md5
Type
Code:
dd if=/dev/block/mmcblk0p18 of=/sdcard/Shift/hboot_check1.bin
in the command prompt and hit enter
then check the md5sum
Type
Code:
md5sum /sdcard/Shift/hboot_check1.bin
in the cmd prompt then hit enter
it should read 386c19451e8dd18f9b98fad6b11be4c0
if it doesnt keep trying until it does but DO NOT!! reboot till it matches
Step 7
check hboot and perm root!!
ok now reboot your phone into bootloader
turn off phone and hold power+vol down till it boots into bootloader
look at the top and make sure it says s off
if so reboot the phone back into android
put the phone into airplane mode
Go to setting, applications, manage applications and uninstall superuser
Next temp root with visionary
after you are temp rooted then attempt to perm root with visionary
your phone will reboot and you are now officially perm rooted any changes you make will now stick on reboot
**Edit Recovery Added**
Download ROM Manager from the Market. (Pay for the donate version!)
Open ROM Manger and install recovery.
Im having problems on the CMD prompt. On the command line Im getting C:\users\Dizidi> instead of C:\>. Did I miss a step somewhere?
dizidi said:
Im having problems on the CMD prompt. On the command line Im getting C:\users\Dizidi> instead of C:\>. Did I miss a step somewhere?
Click to expand...
Click to collapse
Nope, that's sounds right.
Next you'll want to
Code:
cd C:\AndroidSDK\platform-tools
dizidi said:
Im having problems on the CMD prompt. On the command line Im getting C:\users\Dizidi> instead of C:\>. Did I miss a step somewhere?
Click to expand...
Click to collapse
You may want to learn some basic DOS commands first. See:
http://www.lsi.upc.edu/~robert/teaching/foninf/doshelp.html#chdir
dizidi said:
Im having problems on the CMD prompt. On the command line Im getting C:\users\Dizidi> instead of C:\>. Did I miss a step somewhere?
Click to expand...
Click to collapse
Type cd\ to get to the c:
The command prompt just started out in your user directory. You can just do the cd\Android......... stuff. Using cd\ it doesn't matter which directory you're in when you start.
Sent from my HTC EVO Shift 4G using XDA App.
Im such a noob, thanks guys. forgot to type in "cd".
Good Job typing this up!
Although I have rooted many phones before through adb it is helpful to see it wrighting in simple English
Thought I'd add that I needed to download an app like BusyBox in order to get md5sum to work.
Getting a lot of PM's for help so I'm bumping this back to page one
Any quick instructions for the 2nd part of that post, installing recovery?
tcd2004 said:
Any quick instructions for the 2nd part of that post, installing recovery?
Click to expand...
Click to collapse
First follow BCNice's instructions for backing up your Wimax Keys. You need to be in adb shell, then paste and enter. That easy!
After that place this file on the root of your sd card.
Disconnect from the computer then power down your shift.
Enter the bootloader by pressing power and volume down. The bootloader should recognize the zip and flash it automatically. Select yes to reboot when prompted.
Connect to your computer and remove the zip from your sd card.
If you want to verify your recovery is now working power down and turn back on by pressing power and holding the volume down button. You should now be looking at Clockwork Recovery.
BrandoKC said:
Enter the bootloader by pressing power and volume down. The bootloader should recognize the zip and flash it automatically. Select yes to reboot when prompted.
Click to expand...
Click to collapse
I'm not sure why, but I cannot for the life of me get this to work.
SD Checking...
Loading PG06IMG.zip
No Image!
idaed said:
I'm not sure why, but I cannot for the life of me get this to work.
SD Checking...
Loading PG06IMG.zip
No Image!
Click to expand...
Click to collapse
Delete the file off of your SD card and follow the instructions included in the Wiki Just download the fastboot file linked in the wiki and put it in the same folder you put adb in.
Thank for this guide!!!!!!!!!!!!!!!
I am now rooted . Thank you BrandoKC. I know you copied the instructions from bcnice20 ( Thank you bcnice20), but you dumbed it down enough for me to get brave. I'm a total noob to Android. It was a bit nerve racking, but I got it on the first shot. Thanks to everyone. Now it's time to OC my Shift .
Is there a video guide to root my shift?
HTC Evo Shift 4G
Thans for the more detailed guide! I'm now permarooted in under an hour
Sent from my PG06100 using XDA App
for some reason.. whenever I do temp root with visionary or z4... It says its rooting.. then my phone "restarts" does the sprint 4g slaph screen and gets stuck on the big 4G logo...
I ran visionary when I first got the shift(temp root to run titanium backup) but now it's not working. anyone know why?
Uninstall superuser, reboot, rerun Visionary
Sent from my PG06100 using XDA Premium App
BrandoKC said:
Uninstall superuser, reboot, rerun Visionary
Sent from my PG06100 using XDA Premium App
Click to expand...
Click to collapse
ah, gotcha. will try thanks.