EPIC EASY ROOT!! COURTESY OF NETARCHY!!
netarchy said:
Part 1:
Code:
adb shell rm /data/local/rights/mid.txt
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
adb reboot
Part 2:
Toast's Part 2, for nand unlock
Everything below is grayed out as it is now of historical interest.
Simpleroot method for this version is out, this app makes rooting this ROM version much easier.
This method was developed by an anonymous user. It is for rooting the new OTA v1.47.651.1. If you're stuck with the new OTA or just bought an EVO with this version, this is for you.
UPDATE 7/6: Hackfiles updated. See end of this post.
VIDEO TUTORIAL HERE, Courtesy of jiqqaman
Make sure you have adb ready to go and know how to get into adb shell. You must use the EVO browser to perform these steps. If these steps don't work, use recovery to wipe your phone and start fresh (you will lose all of your data on the phone)
1. Unzip the files into a directory somewhere on your computer
2. Put the files into the root of your sdcard (mount the EVO as a disk drive)
3. Unmount your phone
4. Run "adb shell" and start part1 on your phone:
Code:
sh /sdcard/part1
5. If the script says to power down, hold your power button and turn off your phone, then turn it back on.
6. When it starts up it will ask you to open the EVO browser. Open your EVO browser to http://bit.ly/ad0pRn
7. When it asks you to, refresh the EVO browser on the same page
8. Reboot your phone with "adb reboot"
9. Run adb shell as soon as you can (when the HTC logo is still showing). You need to be fast. If you get "error: device not found", try again.
Code:
adb shell /data/local/part2
10. It should print this after part2 has finished:
Code:
crw-rw-rw- root root 90, 2 2010-07-05 19:37 mtd1
11. When your phone has finished booting, flash toastcfh's mtd-eng.img to misc:
Code:
cat /sdcard/flash_image > /data/local/flash_image
chmod 755 /data/local/flash_image
/data/local/flash_image misc /sdcard/mtd-eng.img
12. Now flash the Engineering SPL with toastcfh's post: http://forum.xda-developers.com/showthread.php?t=701835
13. If you are having trouble, you may find useful information HERE
FINAL STEP - Do NOT accept any OTA updates from this point on. REALLY. DON'T **** UP YOUR ROOT!
zikronix said:
Permanent mirror for the updated hackfiles2
Updated Hackfiles2
Brilliant .
Thanks
Wow that was faster than I had anticipated. Will be interesting to see if this works for people. Good work!
Yay root, adobe haxed?
Omg..... I'm going to try this when I get home
Sent from my PC36100 using Tapatalk
SteelH you might wanna update your thread title to reflect correct version number 1.47.651.1 (says 1.46.651.1 at the moment)
Seriously?!? Dang that is amazing. I am a newb so will wait for others to work it out...and for someone to set up a three click...LOL. (I was a bit worried about the contest money. I'll donate to whomever gets a set up a newb can follow.)
Till then I'll let the more adventurous tell us how it goes.
Great work if this is for real!
wow props to the person that did this and props for it being anonymous!!!
does this really work?
Has anybody confirmed this?
Sent from my PC36100 using XDA App
EPIC!!
EPIC!!!!! Way to go community!
seankent4uf said:
SteelH you might wanna update your thread title to reflect correct version number 1.47.651.1 (says 1.46.651.1 at the moment)
Thank you.
If someone can confirm that this works, the following should be added to the instructions:
"FINAL STEP - Do NOT accept any OTA updates from this point on. REALLY."
WOW!
You guys are amazing..
This is gonna be a hectic week, I can already tell...
HTC releases source, OTA-root method!
Can't wait until some of these new FroYo ROMs start popping up.
ninja edit: So who wins the $600?
seankent4uf said:
If someone can confirm that this works, the following should be added to the instructions:
"FINAL STEP - Do NOT accept any OTA updates from this point on. REALLY."
meh i tried that but still no one listened. :-/
seankent4uf said:
If someone can confirm that this works, the following should be added to the instructions:
"FINAL STEP - Do NOT accept any OTA updates from this point on. REALLY."
That can't be said enough.
mcjx said:
This is gonna be a hectic week, I can already tell...
HTC releases source, OTA-root method!
Can't wait until some of these new FroYo ROMs start popping up.
ninja edit: So who wins the $600?
Anonymous. That is if everyone puts their money where their mouth is. Follow the other thread to see who does or doesn't pay up. I will keep it updated.
Epic, big win for the community
now how do we patch the hole in flash afterwards? kinda doesn't give me that warm fuzzy feeling we can gain root from flashlite....
XDA devs to the rescue, again!
Make sure your battery has a decent amount of charge in it, you don't want to run out of juice in the middle of this.
You will need to have the android sdk installed, as you will need to use the adb tool.
Windows users will need to install HTC Sync in order to get the usb driver for the phone installed.
Part 1: In which we find that the Evo spreads easier than a Thai whore during tourist season
Code:
adb shell "rm /data/local/rights/mid.txt"
adb shell "ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt"
adb reboot
Part 2: In which we find that engineers have no personality, but they make one hell of a bootloader
Put the files from Toast's Part 2, for nand unlock onto the sdcard (PC36IMG.zip, mtd-eng.img, recovery.img, flash_image)
then (after making sure the sdcard is remounted to the phone if you used disk mode to xfer the files):
Code:
adb shell "cat /sdcard/flash_image > /data/local/rights/flash_image"
adb shell "chmod 755 /data/local/rights/flash_image"
adb shell "/data/local/rights/flash_image misc /sdcard/mtd-eng.img"
adb reboot bootloader
When asked if you want to update, say yes. Relax for a while, the update takes some time.
When the phone eventually boots back up:
Part 3: In which I find the whore, and make her install a custom recovery
Code:
adb shell "cat /sdcard/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/recovery.img"
After this you should be fully rooted with nand unlock.
I highly recommend going through Whitslack's Starting Over method to bring your software and radios up to date.
You're done.
Pity this only came to light a few days before people are going to be upgrading to a new OTA.
No, this will not work for anyone who updated to 2.2.
epic!!! 789
niice!
Nice Find!
At least now people can be rooted prior to the new OTA!
damn it!
___
Sweet! Wish I had that method starting out. Lol.
Sent from my PC36100 using XDA App
does this method really work??
BAttitude7689 said:
does this method really work??
Yes it does.
ok, so i have no idea how that works... care to go into it a little bit more?
khshapiro said:
ok, so i have no idea how that works... care to go into it a little bit more?
The init scripts chmod 777 mid.txt on boot (this means that anyone can do anything to the file basically). By removing the file and linking it to mtd1, the chmod now makes mtd1 accessible by everyone after a reboot, which means that you can go directly to toast's part2 which starts with flashing mtd-eng.img.
Incidentally it appears the droid eris guys have been using this flaw to their advantage for a while as well ;D.
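The behaviour described in the reply above, a privileged boot-time chmod on a path inside a directory that an unprivileged user can write to, is a symlink-following flaw. As an added example (not code from this thread or from the device's init scripts), the C below contrasts a mode change that follows symlinks with one that refuses them; the function names and the temp-directory sandbox are constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: chmod(2) resolves symlinks, so when an unprivileged user
 * can replace `path` with a link, the new mode lands on the link's target. */
int set_mode_following(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened pattern: refuse a symlink in the final path component, confirm the
 * object is a regular file, then change the mode through the descriptor so the
 * object checked is the object changed. */
int set_mode_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* fails with ELOOP on a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;                       /* device nodes, FIFOs, directories */
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Permission bits of whatever `path` resolves to, or -1 if it cannot be read. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Create a new regular file with exactly `mode`. */
static int make_file(const char *path, mode_t mode)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, mode);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);           /* set exactly, regardless of umask */
    close(fd);
    return rc;
}

/* Constructed sandbox: <tmp>/protected (mode 0600) stands in for the device
 * node and <tmp>/mid.txt for the file the boot script touches. With `swapped`
 * set, mid.txt is a symlink to protected. Returns the resulting mode of
 * protected (swapped) or of mid.txt (not swapped), or -1 on setup failure. */
int demo_mode_after(int hardened, int swapped)
{
    char dir[] = "/tmp/midtxt-demo-XXXXXX";
    char target[64], mid[64];
    int result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(mid, sizeof mid, "%s/mid.txt", dir);

    if (make_file(target, 0600) == 0 &&
        (swapped ? symlink(target, mid) : make_file(mid, 0600)) == 0) {
        if (hardened)
            set_mode_nofollow(mid, 0777);
        else
            set_mode_following(mid, 0777);
        result = mode_of(swapped ? target : mid);
    }
    unlink(mid);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("following, swapped : %04o\n", (unsigned)demo_mode_after(0, 1));
    printf("nofollow,  swapped : %04o\n", (unsigned)demo_mode_after(1, 1));
    printf("nofollow,  regular : %04o\n", (unsigned)demo_mode_after(1, 0));
    return 0;
}
```

O_NOFOLLOW guards only the last path component; the more robust fix for the case in this thread is for the boot script not to change modes on anything inside a directory an unprivileged user can write to.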
So no, really? What is "root?"
You do fine work, sir
posting in a legendary thread
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
netarchy said:
Part 1:
Code:
adb shell rm /data/local/rights/mid.txt
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
adb reboot
What would be more interesting is for someone on the new OTA non-root to see if this exists in the Froyo release. I'll look around for a posting of the OTA update non-rooted and try it on my smashed phone. At least I won't care if that thing loses root.
Could we get a "The easiest 1.47.651.1 root method with nand unlock" for dummies? I have no clue what to do with this code.
You need to use an ADB shell for this using the Android SDK....
I tried to use the Evo-Recovery shell and received permission denied errors.
I am not a DEV by any means, and do not claim any credit for any of this. However, for people who need help, this may offer some assistance -- this is definitely the easiest root method out there.
1. Download and Install Android SDK - Learn Here
http://forum.xda-developers.com/showthread.php?t=694250
2. Open up a Command Prompt by holding windows button & pressing R or by pressing Run and typing CMD.
3. Navigate your way in DOS to the Android SDK folder, then to the Tools Folder
4. Then enter in the code in part 1. After each line press enter...the line will repeat below it.
5. Follow Toast's Part 2 -- Link: http://forum.xda-developers.com/showthread.php?t=701835 -- Video found here: http://www.youtube.com/watch?v=tUXTB0eydwE.
5A. Because you didn't do Toast's Part 1 of Root first (you used an exploit provided by the OP), you will NOT have a NAND Backup. Put the Custom ROM you want to load on your SD card, and after unlocking NAND protection and doing the wipes, load it from the custom recovery in lieu of restoring your NAND backup.
6. You're now rooted w/ NAND Unlocked!
7. I would then suggest going here, and running this so you have a fully rooted, stock ROM with all your radio/wimax up to date: http://forum.xda-developers.com/showthread.php?t=715915.
Anyone know if this method will work on an unrevoked3'd Evo? I am trying to acquire full root and I was going to use SimpleRoot today but if this will work...
Thank you for this! Question about number part 7. YOu suggest running the fully rooted stock 1.47.651.1 afterwards. Would it be a bad idea to Just run the fully rooted stock froyo 3.23.651.3 or even any other custom rom for that matter? i.e OMJ's EVO 2.2 Custom rom? Thanks
regulator207 said:
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
No because you need the engineering hboot to flash it since it's not signed by HTC.
Should work on 1.32 or 1.47. Nice.
Someone should test if this still works in the new 2.2 update. Good chance it does.
damit!
justinisyoung said:
damn it!
___
Hey! That's what I was gonna say!
Please note, this is NOT my own work. It's on the CM Wiki, but since so many people seem to not want to be bothered to read the damn wikis for their intended purpose, I'm going to be a ratbastard enabler and post the steps HERE in a thread, so next time someone goes to post to ask how, IF they use the search function they'll find THIS thread and not threadnaught this forum with questions about how to do it.
This has been tested and works 100%. I have not tried it for CM6, and I don't suggest anyone try it on a 911 patched Rogers Dream until CM6 is stable AND there's a proper kernel image for Dream/Magic 32A/32B. As usual, I hold no responsibility if this bricks your Dream. I have made ROMs for the Raphael, Rhodium, Topaz, and Kaiser, and am an expert on those devices but this is my first actual Android device that I've had for less than a week, and just rooted/flashed it today, so I am NOT an Android expert AT ALL.
Original Guide: Here!
(Note: This guide is for CM5)
Step 1) Download all of the required software. SDK, Fastboot, Exploid from DroidXRoot, SPL 1.33.2005, Amon_Ra Recovery for CM, CM5 Itself, Googleapps, and extra kernel for Rogers Dream.
Step 2) Extract the SDK archive and rename it to 'sdk' for easier use. In Windows, extract to C:\sdk, linux ~/home/sdk, mac .. wherever you want. Extract the Fastboot.zip to the sdk/tools folder. Move exploid, SPL, and Recovery to sdk/tools for easier use with adb.
Step 3) On your Dream, go to Settings->Applications->Development and enable USB Debugging, and connect your Dream to your computer via USB cable.
Step 4) Enter your sdk/tools directory and type the following:
Code:
adb push spl-signed.zip /sdcard/1_33_2005_spl.zip
adb push update-cm5* /sdcard/
adb push gapps-ds-ERE36B-signed.zip /sdcard/gapps-ds-ERE36B-signed.zip
adb push bc-5.0.x-ebi1-signed.zip /sdcard/bc-5.0.x-ebi1-signed.zip
adb push recovery-RA-dream-v1.7.0R-cyan.img /data/local
adb push exploid /sqlite_stmt_journals
adb shell chmod 777 /sqlite_stmt_journals/exploid
(*whatever your CM image is.)
Step 5) Running Exploid!
Code:
adb shell /sqlite_stmt_journals/exploid
should produce the following:
Code:
$ adb shell /sqlite_stmt_journals/exploid
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by birdman for the DroidX
[+] Using basedir=/sqlite_stmt_journals, path=/sqlite_stmt_journals/exploid
[+] opening NETLINK_KOBJECT_UEVENT socket
[+] sending add message ...
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
Now unplug/replug USB cable to apply exploit. ROOOOOTED!
Step 6) Custom Recovery time!
Type the following:
Code:
adb shell
this will take you to a $ prompt (that's the shell.)
Code:
rootshell
this will ask for a password, which is 'secretlol' without quotes.
Now that you're at a root shell, type
Code:
chmod 666 /dev/mtd/mtd1
exit
Now you're back at the regular shell prompt, type:
Code:
flash_image recovery /data/local/recovery-RA-dream-v1.7.0R-cyan.img
If this gives a "mtd: read error at 0x00000000 (Out of memory)" error, it's okay, just type it again and it should work without the error. This is normal, do not panic.
Once this is complete, type
Code:
exit
and power down the phone. (long hold end key)
Step 7) SPL
Hold Home and press the End key to power up the Dream. At the recovery menu select "Flash Zip from SDCARD" and select 1_33_2005_spl.zip.
Now reboot by holding home+back. It will take you back to the recovery shell, and this is okay. This is actually what we want. Now, type
Code:
adb shell reboot bootloader
and watch the screen to verify that you see:
Code:
HBOOT: 1.33.2005
RADIO: 3.22.26.17
Now, run the following Fastboot commands:
Code:
fastboot erase system -w
fastboot erase boot
fastboot oem powerdown
Step 8) Flashing CM!
Press home+end to power up the phone in recovery mode, and select "Flash Zip from SDCARD", select your CM image, then "Flash Zip from SDCARD" and select gapps-ds-ERE36B-signed.zip, and finally "Flash Zip from SDCARD" and select bc-5.0.x-ebi1-signed.zip.
Once that is complete, home+back to reboot, and you're done. That's it. First CM boot may take 5-15 mins.
Reserved for updates
Time for the update!
CyanogenMod6rc3
EBI1 Kernel for CM6rc3
Google Apps, Mdpi Tiny for CM6
Use these the same way you would in the above steps for flashing CM5, obviously replacing the zip files from CM5 with the ones from CM6 during the adb push, and the flashing from zip in recovery console. This should work exactly the same as the above version, but the end result is that you'll have FroYo instead of Eclair.
I waited until RC3 for this update because, in my opinion, RC2 was a bit laggy and overall wasn't as stable.
Also note: This process will work for roms OTHER than CyanogenMod so long as they're either based on CM or have an EBI1 Kernel available. Make sure you use the correct EBI1 Kernel by checking what gapps version the Rom uses if it's CM-based but doesn't link to an EBI1 Kernel. For example, if it's gapps-mdpi-FRF91-3 then it's the CM6rc2 EBI1 Kernel you need.
Any questions? Post 'em here.
Thanks for posting this. I know some people got confused.
I highly recommend people also look at the pre existing thread: http://forum.xda-developers.com/showthread.php?p=7306638#post7306638 if they have questions as that is where the q/a is at.
ezterry said:
I highly recommend people also look at the pre existing thread: http://forum.xda-developers.com/showthread.php?p=7306638#post7306638 if they have questions as that is where the q/a is at.
The difference is your thread is a vague shortened process that assumes people are going to follow all the links in your post and read through pages of comments to figure out the exact steps of your "simplified process", where my thread gives them a one-stop-shop from stock to a stable rom. You've linked to your thread, so now people who don't mind looking around then posting tons of questions have their place to go.
Tl;dr version: this thread is for the people who can barely be bothered to use the search function and want everything in one place, your thread is for "everyone else".
Sent from my HTC Dream using XDA App
agentfusion said:
The difference is your thread is a vague shortened process that assumes people are going to follow all the links in your post and read through pages of comments to figure out the exact steps of your "simplified process", where my thread gives them a one-stop-shop from stock to a stable rom. You've linked to your thread, so now people who don't mind looking around then posting tons of questions have their place to go.
Tl;dr version: this thread is for the people who can barely be bothered to use the search function and want everything in one place, your thread is for "everyone else".
Sent from my HTC Dream using XDA App
Don't worry I'm following this thread so *I* don't inadvertently support people who don't follow links.
It just sucks that people really are that lazy. Seriously. They waste more time typing a question that has been answered 20 times than it would take to search for the proper answer.
So yeah, thanks for posting a topic that has a lot of great information for those of us who aren't lazy, I do personally like yours and think it should be in the informative links sticky. I just wish I had found yours first while I was searching for my answers because it really is informative for those of us not afraid to read and not have things spoonfed to them.
Sent from my HTC Dream [CM5] with xda app.
Thanks for the How-To. It was very easy to follow.
AverageCanadian said:
Thanks for the How-To. It was very easy to follow.
No problem! Glad you found it useful. All of those steps now work for CM6, so I will be adding links for CM6rc3 later tonight
Sent from my HTC Dream using XDA App on CM6rc3
update bump.
Tks for the guide. Total newbie here and trying to root my HTC Dream.
Up to now, i followed WIKI loll to the letter, tho, when i try to download the EXPLOID, either from your link or the WIKI one, it pops out as a TROJAN program Exploit.Linux.Lotoor.e !
Is it safe to get it or i shouldn't go there???
I'm stuck to this step now and not sure what to do
Tks for the info..
Wood's said:
Tks for the guide. Total newbie here and trying to root my HTC Dream.
Up to now, i followed WIKI loll to the letter, tho, when i try to download the EXPLOID, either from your link or the WIKI one, it pops out as a TROJAN program Exploit.Linux.Lotoor.e !
Is it safe to get it or i shouldn't go there???
I'm stuck to this step now and not sure what to do
Tks for the info..
To the best of my knowledge, it comes up as a trojan because it's a rootkit for Android, which is based on Linux... so virus scanners will consider Exploid as a "virus/trojan" because using a rootkit on a linux machine is basically using a trojan to get root access, which is what you're doing to your phone.. you're using an exploit to get root access.
*******UPDATED 8/31/10 *******
This rooting method was adapted from regaw_leinad's method and toastcfh's method. By following these steps you will successfully downgrade your phone back to android 2.1 in order to gain root.
I don't trust unrevoked as I have had problems with it in the past.
I am not responsible for any damages to your phone.
special thanks to:
regaw_leinad
Sebastian Krahmer
Toastcfh
amon_ra
FILES YOU WILL NEED:
copy and paste into browser
Code:
sdx-downloads.com/sdx/evo/troot/eng-PC36IMG.zip
evo4g.me/downloads//count.php?target=evo-root.zip
files.androidspin.com/downloads.php?dir=amon_ra/RECOVERY/&file=recovery-RA-evo-v1.8.0.img
developer.android.com/sdk/index.html
You will need the Android SDK in order to communicate between your computer and your phone. Download it (last link above) and follow the setup instructions that it comes with.
Unzip the contents of the evo-root.zip and put all the files from it into the tools folder located in the android sdk folder.
Rename the eng-PC36IMG.zip to PC36IMG.zip and then put it the tools folder located in the android sdk folder. DO NOT UNZIP IT!
******* PC36IMG.zip md5sum~ fe8aba99893c766b8c4fd0a2734e4738 *******
Move the recovery-RA-evo-v1.8.0.img into the android sdk folder as well.
Make sure usb debugging is enabled on your device. To do so go to Settings > Applications > Development > and make sure the check box is checked.
Plug your phone into the computer. Select "Charge Only" from the notifications bar.
Open up terminal and navigate your way into the android sdk folder.
Code:
cd /
cd asdk
Push all the files onto your phone.
Code:
tools/adb push /asdk/tools/flash_image /sdcard/
tools/adb push /asdk/tools/rageagainstthecage-arm5.bin /data/local/tmp/
tools/adb push /asdk/tools/mtd-eng.img /sdcard/
tools/adb push /asdk/tools/PC36IMG.zip /sdcard/
tools/adb push /asdk/tools/recovery-RA-evo-v1.8.0.img /sdcard/
Note that the PC36IMG.zip will take longer than the other files to transfer to the sdcard because it is a large file.
Now we will make rageagainstthecage.bin executable.
Code:
tools/adb shell
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
You should see this (below) after it has made the change.
Code:
$
Now to use the rooted shell.
Code:
cd /data/local/tmp
./rageagainstthecage-arm5.bin
You will now see some text on your terminal screen describing the exploit.
Wait for the adb shell to finish the process. At this point it may or may not terminate the current shell session in terminal. If it does then it should look like this:
Code:
users-iMac:asdk user$
If it doesn't it will return to
Code:
$
in that case you need to exit the current session. To do so type
Code:
exit
Now we need to initiate a new shell which should now have root permissions.
Enter the following:
Code:
tools/adb shell
and you will see you now have a # instead of $
Now we need to flash the mtd-eng.img in order for it to let us install a custom recovery
Code:
adb shell
cat /sdcard/flash_image > /data/flash_image
chmod 755 /data/flash_image
/data/flash_image misc /sdcard/mtd-eng.img
That will flash your misc partition with Toast's mtd-eng.img
This should return you to
Code:
#
Now boot into hBoot
Code:
reboot bootloader
This will reboot your phone into hBoot. It will scan for the PC36IMG.img. When it asks yes or no, select yes.
It should then reflash your phone into the engineering build.
When it asks to reboot select yes.
You will need to flash custom recovery in order to be able to flash other custom roms or modifications. I use Amon_RA's recovery because it works great and has NEVER caused me any problems.
Now, open up terminal and get back into the android sdk folder
Code:
cd /
cd asdk
Since we have already pushed the recovery onto the sdcard we only need to flash the recovery onto the phone so that we can use it
Code:
adb shell
cat /sdcard/flash_image > /data/flash_image
chmod 755 /data/flash_image
/data/flash_image recovery /sdcard/recovery-RA-evo-v1.8.0.img
Now let's rename that PC36IMG.zip file again
Code:
mv /sdcard/PC36IMG.zip /sdcard/eng-PC36IMG.zip
that way your phone doesn't try to flash it when you go into recovery each time
And last but not least we need to boot into it to flash a custom rom
Code:
reboot recovery
Your phone should then reboot into Amon_RA's recovery and you may now head over to the dev forum to find your new favorite custom rom.
very nice! can anyone confirm this? my buddy wants me to root his 2.2 and i would like to try this.
To make life easier for some people add this to your post mate, and apply it yourself if you would like.
Here is how to add your sdk/tools directory to your .bash_profile file so you won't have to navigate to the folder each time.
Download this so you'll be able to see your hidden files http://www.mediafire.com/?diimft1ninn Run it, check "Show Hidden Files" then click Restart finder. Now, navigate to your home folder (/Users/UserName/) and see if there's a .bash_profile already there. If not, create with textedit.
Now add this to the file: export PATH=${PATH}:/Path/Of/Your/Sdk/Tools/Folder
Mine is /Users/bmxrider4444/Documents/Android/SDK/tools
Now do not save it as rich text. If yours is in rich text, click on "Format" in the menu bar, and click "make plain text". Now save it as .bash_profile and uncheck "if no extension is provided, use .txt".
Now you can go back to Ghost and uncheck "Show all hidden files" and restart finder again (special thanks to ajones7279 for these steps)
Enjoy!
Just as clarification as to what this does, it enables you to run adb commands and other commands without having to navigate to the /android/tools/ folder every time you want to run adb or whatever.
does this work?
seekis said:
At this point we need to push the recovery onto the sdcard
Code:
tools/adb push "location of recovery-RA-evo-v1.8.0.img" /sdcard/
This is great! Thanks for the guide - I am planning on rooting my Wife's EVO but have been waiting for an easier method than the other one posted. Question on the above where we write "location of recovery-ra-evo-v1.8.0.img". Is that the exact code, or should we be adding a directory or folder location into this line? I rooted my 2.1 EVO on my Mac a couple months ago and don't remember this step. Once again - very much appreciate the help.
One last question - would it make more sense to have a custom ROM already on your SD Card prior to rooting, so that you can flash it right after you flash AMON-RA for the first time? Probably doesn't matter but thought i'd ask.
^^ same question as above, plus one other n00b question - does this method unlock NAND?
[edit] I was not insinuating that randymac88 is a n00b; I, however, am
seekis said:
I don't trust unrevoked as I have had problems with it in the past.
I am not responsible for any damages to your phone.
Don't trust us with the unrevoked 3.x/unrevoked forever application combo that's worked for thousands of users without side effects on regaw's post?
You should note to everyone that your method will screw up their PRI, reverting it back to 1.34. By using unrevoked and unrevoked forever, you can keep 1.40.
randymac88 said:
This is great! Thanks for the guide - I am planning on rooting my Wife's EVO but have been waiting for an easier method than the other one posted. Question on the above where we write "location of recovery-ra-evo-v1.8.0.img". Is that the exact code, or should we be adding a directory or folder location into this line? I rooted my 2.1 EVO on my Mac a couple months ago and don't remember this step. Once again - very much appreciate the help.
One last question - would it make more sense to have a custom ROM already on your SD Card prior to rooting, so that you can flash it right after you flash AMON-RA for the first time? Probably doesn't matter but thought i'd ask.
That's not the exact code, no. I just put that as a placeholder; you are supposed to put in the location of where you have the recovery.img. For example, the exact command for me would be:
Code:
/Users/seekis/Downloads/recovery-ra-evo-v1.8.0.img
Don't trust us with the unrevoked 3.x/unrevoked forever application combo that's worked for thousands of users without side effects on regaw's post?
You should note to everyone that your method will screw up their PRI, reverting it back to 1.34. By using unrevoked and unrevoked forever, you can keep 1.40.
As far as using unrevoked, I stated that I, ME, MYSELF, has had issues with it. not that anybody else has. By all means go and use it if you would like. I will not. It is true that you will lose PRI 1.40, but seeing as how even after installing the OTA from HTC my phone still didn't update it to 1.40, I don't see the issue.
rsage said:
^^ same question as above, plus one other n00b question - does this method unlock NAND?
[edit] I was not insinuating that randymac88 is a n00b; I, however, am
i believe it does unlock nand seeing as how i adapted it from toast's method
Hey Seekis - question, I'm stuck here. I keep getting "permission denied", or "operation not permitted" when trying to make the exploit executable at this step:
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
Am I missing something? I've tried a million times and can't seem to get past this. I've successfully pushed all the files onto the sdcard.
I've also had some trouble finding the exact root path to these files. I've been able to navigate, but I would think a lot of users would have some trouble.
Regardless, many thanks for getting this posted...
EDIT: I pushed the rageagainstthecage file to the sdcard by mistake. Will try again tomorrow.
ok i got rid of that step by moving the file into the android sdk and pushing it with all the other files
Okay now I appear to be in big trouble as I've just messed up my wife's phone, and it's probably going to be unusable for a while until I get this figured out (assuming I do!).
I got through most of the process. I flashed the PC36IMG.zip file; however when it asked to reboot, it just dumped me back into the bootloader. Whenever I say reboot, it just takes me back to the bootloader. Pull the battery, same thing - bootloader. Yikes.
I don't know how to get to the next step because I can't get into a booted rom in order to flash the amon-ra recovery. Am I totally effed? Can anyone help me here?
EDIT: Okay reflashed the PC36IMG.zip file, and it rebooted into the stock ROM. Onward! Phew!!
The wife's EVO is now fully rooted running Baked Snack 1.5 w/Netarchy's kernel. Touch and go there for a minute, but it all worked out. No 1.40 PRI, but I don't really care about that right now.
Woot! Thanks Seekis!!
do u have to push the pc36img with adb every time or will drag and drop work or copy and paste work?
FoxHound630 said:
do u have to push the pc36img with adb every time or will drag and drop work or copy and paste work?
You can mount the card on your system and copy paste it over as well, yes.
randymac88 said:
Okay now I appear to be in big trouble as I've just messed up my wife's phone, and it's probably going to be unusable for a while until I get this figured out (assuming I do!).
I got through most of the process. I flashed the PC36IMG.zip file; however when it asked to reboot, it just dumped me back into the bootloader. Whenever I say reboot, it just takes me back to the bootloader. Pull the battery, same thing - bootloader. Yikes.
I don't know how to get to the next step because I can't get into a booted rom in order to flash the amon-ra recovery. Am I totally effed? Can anyone help me here?
EDIT: Okay reflashed the PC36IMG.zip file, and it rebooted into the stock ROM. Onward! Phew!!
Had the same issue. When i first booted into the bootloader i had to select recovery then flash PC36IMG.zip. Then boot loop. Then i went back into the bootloader and it automagically read in the PC36IMG.zip and flashed it, then i got stock 2.1 root. Just a few minutes of "oh crap"
I'm stuck. I got as far as flashing PC36IMG.zip, which was successful, as my phone now runs 2.1, but it doesn't appear I'm rooted. When I go back into the adb shell, I'm getting the $ prompt, and running
Code:
cat /sdcard/flash_image > /data/flash_image
gives me a permission denied error. Help!
atom_jack said:
I'm stuck. I got as far as flashing PC36IMG.zip, which was successful, as my phone now runs 2.1, but it doesn't appear I'm rooted. When I go back into the adb shell, I'm getting the $ prompt, and running
Code:
cat /sdcard/flash_image > /data/flash_image
gives me a permission denied error. Help!
I don't know what to tell you other than try again. This happened to me the first time through as well. I don't know why. I just started from the top and it worked the second time through.
seekis said:
I don't know what to tell you other than try again.
So after you flash PC36IMG.zip you should automatically get a root (#) prompt when going into the shell? ie, I'll have rooted 2.1 yes?
seekis said:
This happened to me the first time through as well. I don't know why. I just started from the top and it worked the second time through.
Aha. Ok, I will keep trying til it gives me a root shell, I guess. I also tried unrevoked3 but that didn't seem to work.
Success!! So, I stupidly assumed that all PC36IMG.zip's were the same, and was using the one from the original 2.2 PC thread. Once I got the correct one, voila!
You might want to post the md5 of the one you are using, so there's no confusion for others. Also, you missed a tiny step when you first start up hboot - you have to select fastboot for it to start scanning for PC36IMG.zip.
Thanks!
ok first off i would like to give many thanks to all the people that help test and figure out the easiest and most effective way of pulling this off.
Joeykrim (for his help with figuring out the easiest way of implementing this)
Toastcfh (for providing us with the eng spl without this we would be nowhere!!)
scotty2 and Guhl (for all the insight they have given me over the past couple of weeks)
preludedrew (for helping me with testing and of course the recovery he is working so hard on right now)
riggsandroid and Cosine83 (for helping test things out)
Now on to the good stuff!!
Disclaimer
Please read each and every step in this guide and do them fully. Failure to do this exactly as it is laid out could result in a permanent brick. As usual, I am not responsible for anybody's failure to read directions.
Step 1
ok download this file and extract it to the root of your sdcard
www.thebcblends.com/shift/Shift-root.zip
Step 2
make sure you have adb properly setup on your computer before continuing
temp root using either visionary or z4root
open up command prompt and cd to your sdk platform-tools directory
then type adb shell then su
if you haven't already, you must press allow on your device to enable su perms
Step 3
check the md5sum of both of the files to make sure they match
Code:
md5sum /sdcard/Shift/hboot_orig.bin
Code:
md5sum /sdcard/Shift/hboot_eng.nb0
386c19451e8dd18f9b98fad6b11be4c0 hboot_orig.bin
60ec1006e6ec2e8acb370d6aad35b17e hboot_eng.nb0
if these do not match, do not continue; redownload the files, then check the md5s again
Step 4
Flash the eng spl!!! (dangerous part)
make sure these commands are exact or you could risk bricking your phone!!!
now you should still be in adb shell with root permissions
run this command and DO NOT!! reboot till I tell you to
Code:
dd if=/sdcard/Shift/hboot_eng.nb0 of=/dev/block/mmcblk0p18
you just flashed the eng spl!!! now lets make sure it took
Step 5
Check the md5 of new flash hboot and restore if necessary
run this command to pull the newly flashed hboot to your sdcard
Code:
dd if=/dev/block/mmcblk0p18 of=/sdcard/Shift/hboot_check.nb0
now we check the md5 to see if it matches
Code:
md5sum /sdcard/Shift/hboot_check.nb0
it should read 60ec1006e6ec2e8acb370d6aad35b17e
if the md5sum matches then congratulations, it's safe to reboot!! you can skip the next bit and continue on to step 6
if you absolutely cannot get the eng hboot to flash right then run this to restore the stock hboot
Code:
dd if=/sdcard/Shift/hboot_orig.bin of=/dev/block/mmcblk0p18
then pull it to check md5
Code:
dd if=/dev/block/mmcblk0p18 of=/sdcard/Shift/hboot_check1.bin
then check the md5sum
Code:
md5sum /sdcard/Shift/hboot_check1.bin
it should read 386c19451e8dd18f9b98fad6b11be4c0
if it doesn't, keep trying until it does, but DO NOT!! reboot till it matches
Step 6
check hboot and perm root!!
ok now reboot your phone into bootloader
turn off phone and hold power+vol down till it boots into bootloader
look at the top and make sure it says s off
if so reboot the phone back into android
put the phone into airplane mode
temp root with visionary
after you're temp rooted, attempt to perm root with visionary (haven't tested perm root with z4 yet)
your phone will reboot and you are now officially perm rooted; any changes you make will now stick on reboot
Recovery is coming soon!!!!!!
Recovery
for now this recovery does not backup your wimax keys
we shall do that manually and store them in a safe place just in case
Backup Wimax Partitions
Code:
dd if=/dev/block/mmcblk0p25 of=/sdcard/Shift/wimax.bin
Code:
dd if=/dev/block/mmcblk0p30 of=/sdcard/Shift/udata_wimax.bin
Flash Recovery Image
download this zip and extract the img to wherever you please on your computer
recovery
if you do not already have fastboot setup get it
cd to wherever the recovery was placed
then power down your device and hold power+voldown at the same time till it loads the bootloader
click on the fastboot option
Code:
fastboot flash recovery recovery.img
now boot into recovery and see if it worked; if so, create a nandroid backup!!!
reserved again!!!
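The checksum steps in the guide above (verify the download in Step 3, read the partition back in Step 5) written as reusable shell functions. This is an added example, not part of the original post: the function names are hypothetical and the sample files are constructed. It goes slightly beyond the guide by comparing only the first image-sized bytes of the read-back, so it also works when a partition is larger than the image, and by reporting an unreadable file separately from a mismatch.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.
# Needs md5sum, head, wc and cut (on some devices only via "busybox md5sum").

# Print only the hex digest of FILE.
md5_of() {
    md5sum "$1" 2>/dev/null | cut -d' ' -f1
}

# Return 0 if FILE has digest EXPECTED, 1 on mismatch, 2 if FILE is unreadable.
verify_md5() {
    file=$1
    expected=$2
    if [ ! -r "$file" ]; then
        echo "cannot read $file (wrong path, or archive not extracted?)" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file: got $actual, expected $expected" >&2
        return 1
    fi
    echo "OK $file"
}

# Return 0 if the first <size of IMAGE> bytes of TARGET equal IMAGE.
# TARGET may be a block device or a dump of one; bytes past the image are ignored.
verify_readback() {
    target=$1
    image=$2
    [ -r "$target" ] && [ -r "$image" ] || return 2
    size=$(( $(wc -c < "$image") ))
    want=$(md5_of "$image")
    got=$(head -c "$size" "$target" | md5sum | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Demonstration on constructed files; nothing here touches a real partition.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed image contents\n' > "$dir/image.bin"
    # Simulated partition: the image followed by stale bytes from an older write.
    { cat "$dir/image.bin"; printf 'stale bytes'; } > "$dir/partition.bin"
    verify_md5 "$dir/image.bin" "$(md5_of "$dir/image.bin")"
    verify_md5 "$dir/missing.bin" 0 2>/dev/null || echo "missing file detected"
    verify_readback "$dir/partition.bin" "$dir/image.bin" && echo "write verified"
    # Overwrite one byte inside the image area to simulate a bad write.
    printf 'X' | dd of="$dir/partition.bin" bs=1 seek=3 conv=notrunc 2>/dev/null
    verify_readback "$dir/partition.bin" "$dir/image.bin" || echo "bad write: do not reboot"
    rm -rf "$dir"
}

demo
```

An MD5 match catches a truncated download or a failed write; it says nothing about who produced the file, so the expected value still has to come from a source you trust.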
you got thanks!
Thanks to everyone involved
worked like a charm thanks brah!
I am honored to have been able to witness this happening in front of my eyes in IRC.
Doing this now...once again, excellent work guys.
Thanks, first of all. Second, perhaps I should wait and see if something comes out later that doesn't look as intimidating as this. Yeah, some might say its easy and what are you crying about? I'm not going to dive in right this minute because I don't have confidence in my abilities with this yet.
Especially since I'm fighting keeping my eyes open. Me so sleepy. Maybe tomorrow I will be more with it.
no shame in that, better to feel comfortable than mess up your phone or something.
You guys are amazing. Kick ass job!
can't get past the check md5sum...it's sayin no such file or directory
Worked like a charm! Thanks!! So much easier than what I had to do to root my hero originally or my girlfriend's evo. Thanks again!
Sent from my PG06100
Going to bed now, gonna spend my night off tomorrow rooting my Shift. A huge thank you to everyone involved, I wish I had the money to buy you all some coffee
Sent from my attic using a telegraph.
Worked like a charm
strauss0829 said:
can't get past the check md5sum...it's sayin no such file or directory
Did you extract the zip to your sdcard?
Xodium said:
I am honored to have been able to witness this happening in front of my eyes in IRC.
Doing this now...once again, excellent work guys.
what was the irc channel?
Every day I check the forums hoping today will be the day that perm root is achieved, and now I finally find that its happened...and I'm drunk out of my mind, now I gotta wait til i'm sober tomorrow to give this a go. Thanks to everyone involved!! Its appreciated!
I wanna give out a Huge thanks to all that helped work on Root. My day has been made
great job, even i managed to get thru it
strauss0829 said:
can't get past the check md5sum...it's sayin no such file or directory
try this:
Code:
busybox md5sum /sdcard/Shift/hboot_eng.nb0
!!!UPDATE!!!!
Sorry I lost my root files. I still have the base code I used to make them. I am trying to work with @saurik to get vtab1008 working with the cydia impactor so that this process will be easier. Sorry about not keeping up here.
The linux root is still working.
!!!!!!!!!!!!!!!!!!!!!!!!!!!
I was able to get the VTAB1008 HONEYCOMB ROOTED. This device is no longer doomed to a rootless existence.
ROOT AT YOUR OWN RISK! I AM IN NO WAY RESPONSIBLE IF THIS BREAKS SOMETHING.
----WINDOWS ROOT (This worked for me)----
!!Some people have had problems with 64 bit systems.!!
https://dl.dropboxusercontent.com/u/...nys Root.zip (restored by grnsl2)
Download the latest java sdk http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
(if it installs anywhere but C:\Program Files\Java\jdk1.7.0_45\bin\jdb change the path in the runme.bat)
Setup ADB
Follow instructions at http://www.google.com/url?sa=t&rct=...5IAx2Xg-VjGm5pQ&bvm=bv.57155469,d.cGU&cad=rja
for the inf file use the one in the skinnys root.zip
!!!THIS STEP IS VERY IMPORTANT ^ IF YOU ARE HAVING ISSUES YOU MAY HAVE NOT COMPLETED THIS STEP!!!
Run Exploit
open command prompt (windows 7 type cmd in start menu and press enter)
CD to location you extracted the zip
example: cd "C:\Users\skinny\Downloads\Skinnys Root"
type "runme.bat"
You will see a ton of data on the screen. After a minute your tablet will show android.app.Activity
Paste the following into the shell (the prompt should have changed to look like >)
Code:
stop in android.os.MessageQueue.next()
Touch your tablet's screen (the prompt should change to <1> main [1])
Paste the following into the shell
Code:
print java.lang.Runtime.getRuntime().exec("/system/bin/sh /data/local/tmp/rootme.sh")
Wait until you see something like Java.lang.Runtime.getRuntime().exec("/system/bin/sh /data/local/tmp/rootme.sh") = "Process[id=1265]"
Code:
exit
Press enter to reboot
----LINUX ROOT----
Get Linux on a live usb stick to run exploit (skip if you have a linux system)
Download 32bit kubuntu from http://www.kubuntu.org/getkubuntu/download
Get a thumbdrive at least 2 gig
Launch unetbootin
Select bubble next to diskimage
Choose ISO
Click on ...
Browse to the kubuntu iso downloaded at A.
Set drive to your usb drive letter.
The next step will erase your thumb drive!!!!!
Click OK
Process will complete and ask you to reboot (reboot)
Select the thumbdrive at startup (I don't know what type of computer you are using but on most systems you can press f8, f11, f12 or f2 to get the boot prompt)
(For more information read this guide http://sourceforge.net/apps/trac/unetbootin/wiki/guide)
Select Default at the kubuntu boot prompt
Select Try Ubuntu
Get kubuntu linux setup for the exploit (skip if you already have android tools on linux)
Press alt+f2
Type "konsole" and press enter
Paste the following commands in.
Code:
sudo chown kubuntu:kubuntu /opt
mkdir /opt/exploit/
cd /opt/
wget http://dl.google.com/android/adt/adt-bundle-linux-x86-20131030.zip -O adt.zip
unzip adt.zip
mv adt-bundle-linux-x86-20131030/ adt/
echo 'export PATH=$PATH:/opt/adt/sdk/build-tools/android-4.4:/opt/adt/sdk/platform-tools' >> ~/.bashrc
source ~/.bashrc
sudo su -c "echo 'deb http://ppa.launchpad.net/webupd8team/java/ubuntu saucy main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu saucy main' > /etc/apt/sources.list.d/oracle-java.list"
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
sudo apt-get update
sudo apt-get -y install git
cd /opt/exploit/
sudo apt-get -y install oracle-java7-installer
Accept Java license agreement to install java 7
Run Exploit
Plug in your tablet
Enable debugging mode (Settings -> Applications -> Development -> USB debugging)
Paste the following commands in your linux console (if following steps use the konsole that you have been running commands in).
If you are not using /opt/adb/sdk for your android development, use your dir on the 3rd step
Code:
git clone https://github.com/raymondhardy/mkbreak.git
wget 'http://goo.gl/Ox8qDx' -O Superuser-3.1.3-arm-signed.zip #thanks to @Munk0
unzip Superuser-3.1.3-arm-signed.zip
cp system/bin/su mkbreak/
cp system/app/Superuser.apk mkbreak/
cd mkbreak
./doit.sh /opt/adt/sdk
You will see a ton of data on the screen. After a minute your tablet will show android.app.Activity
Paste the following into the shell (the prompt should have changed to look like >)
Code:
stop in android.os.MessageQueue.next()
Touch your tablet's screen (the prompt should change to <1> main [1])
Paste the following into the shell
Code:
print java.lang.Runtime.getRuntime().exec("/system/bin/sh /data/local/tmp/rootme.sh")
Wait until you see something like Java.lang.Runtime.getRuntime().exec("/system/bin/sh /data/local/tmp/rootme.sh") = "Process[id=1265]"
Code:
exit
Press enter to reboot
If you get stuck at any part of this process please post a reply with information about the problem you are having.
PROOF OF ROOT
Thanks and credit goes out to.
robertmillan
Jay Freeman (saurik)
PoC by Pau Oliva
Vinogans for leading me to masterkey exploit
NICE!!! Any instruction changes for windows?
gnoober said:
NICE!!! Any instruction changes for windows?
Not yet. I suspect someone will make a better root later on; as of now this is linux only. This exploit uses linux commands for injecting code into a system application to gain root.
I will be updating the first post later on with steps and screenshots on how to do this on a ubuntu live instance (I may even throw in a shell script so you run it and then wait forever while it does the setup and starts the root. I will see what i can do.)
skinnyquiver said:
I will be updating the first post later on with steps and screenshots on how to do this on a ubuntu live instance (I may even throw in a shell script so you run it and then wait forever while it does the setup and starts the root. I will see what i can do.)
Awesome! Nicely done! Guess I'm gonna have to dig out the VTab and give this a shot. Thinking it's gonna need a charge!
Sent from my LG Optimus G using Tapatalk
I updated the steps and re-rooted my tablet with them several times to verify that they worked. Let me know if they work for you
dandrumheller said:
Awesome! Nicely done! Guess I'm gonna have to dig out the VTab and give this a shot. Thinking it's gonna need a charge!
Sent from my LG Optimus G using Tapatalk
gnoober said:
NICE!!! Any instruction changes for windows?
Got this working on windows (does not look very pretty but it works).
Hey skinnyquiver, that is awesome... my vtab has already gained like 5mm of pure dust. However, I'm gonna dig it out these days, install stock recovery to update it to honeycomb finally and then reroot this thing...
Btw, the paragraph above windows instructions still says linux only...
_________________________
tapatalked from GalaxyS3
FadeFx said:
Hey skinnyquiver, that is awesome... my vtab has already gained like 5mm of pure dust. However, I'm gonna dig it out these days, install stock recovery to update it to honeycomb finally and then reroot this thing...
Btw, the paragraph above windows instructions still says linux only...
_________________________
tapatalked from GalaxyS3
try to root it with master key exploit, I am talking about the version .57 .. then before updating to honeycomb grab the update.zip, the one that belongs to honeycomb ... try to do this
vinogans said:
try to root it with master key exploit, I am talking about the version .57 .. then before updating to honeycomb grab the update.zip, the one that belongs to honeycomb ... try to do this
i am currently charging... my device is rooted with frozen updater, firmware is currently 1.9.56 so i am not sure what is the update path, will i get the honeycomb firmware immediately or do i have to update to .57 first?
_________________________
tapatalked from GalaxyS3
FadeFx said:
i am currently charging... my device is rooted with frozen updater, firmware is currently 1.9.56 so i am not sure what is the update path, will i get the honeycomb firmware immediately or do i have to update to .57 first?
_________________________
tapatalked from GalaxyS3
u will have to update to .57 then u will get honeycomb update ..
vinogans said:
u will have to update to .57 then u will get honeycomb update ..
That's bad, but I will give that a try. However, I can't promise that I will succeed, and it will take me some days as I am quite busy with my real life as well
_________________________
tapatalked from GalaxyS3
So it's certainly exciting to see root for this guy after owning it now for a couple of years.
I believe with root we'll be able to get rid of some bloat and stuff unneeded but I'm assuming we'll stay on Honeycomb.
I'd like to figure out what the real upside to this is.
Sent from my DROID RAZR HD using Tapatalk
grnsl2 said:
So it's certainly exciting to see root for this guy after owning it now for a couple of years.
I believe with root we'll be able to get rid of some bloat and stuff unneeded but I'm assuming we'll stay on Honeycomb.
I'd like to figure out what the real upside to this is.
Sent from my DROID RAZR HD using Tapatalk
You should be able to use this root with the 5.7 before going to honeycomb. This way you can have gingerbread rooted if your device came with the 5.7 update. I would like to get this running cm9 or cm10. The first problem with this is it will require a new kernel. I am going to be moving this weekend so it will be a while until I can get a build env to work on this. I plan on using this tablet to learn all about android rom making. Hope I don't brick it.
As Vizio has not released the kernel source I think we may want to look at using the xo-3 kernel.
Everything seems like it works, everything says 'success', but root checker is showing no root. I had force closes on the System UI before rebooting it a second time.
I tried it straight from a factory reset, just to be sure, same issue. I'm on 3.2.1 on this Vtab.
Not sure what is missing? Anything I should check?
unqualified said:
Everything seems like it works, everything says 'success', but root checker is showing no root. I had force closes on the System UI before rebooting it a second time.
I tried it straight from a factory reset, just to be sure, same issue. I'm on 3.2.1 on this Vtab.
Not sure what is missing? Anything I should check?
What os do u use? Check if adb is working
_________________________
tapatalked from GalaxyS3
unqualified said:
Everything seems like it works, everything says 'success', but root checker is showing no root. I had force closes on the System UI before rebooting it a second time.
I tried it straight from a factory reset, just to be sure, same issue. I'm on 3.2.1 on this Vtab.
Not sure what is missing? Anything I should check?
I had this problem also in the first time .. try to check if java is installed and working well .. try to check if ADB driver is identified on ur pc ..
I am thinking it is just a java problem .. did u type the commands in the shell " just wondering " this will not work if u didnt type the commands and follow the steps ..
vinogans said:
I had this problem also in the first time .. try to check if java is installed and working well .. try to check if ADB driver is identified on ur pc ..
I am thinking it is just a java problem .. did u type the commands in the shell " just wondering " this will not work if u didnt type the commands and follow the steps ..
Thanks for all the suggestions! I was surprised so many people responded on such a forgotten tablet.
I did enter the two commands in the shell (copied and pasted the exact commands) at the appropriate times, and they appeared to work.
I wasn't able to do the ADB setup exactly per the link on the OP, because my computer already recognizes the VTAB1008 under debugging mode, and runs ADB. If I try to uninstall and manually install the generic driver from the Skinny Root zip, it re-discovers and says the current driver is 'more current'. However, since 'adb devices' recognizes the vtab, and all the commands appear to be working, I should be good to go with ADB, right? Or is the generic driver from the Skinny Root zip file a critical component?
I also uninstalled Java SDK for x86 and re-installed for 64 just in case, but that didn't fix it.
Also tried disabling antivirus, no luck...
Is there a basic way to check whether java is working correctly? Or to read the java output as it is running the commands? Maybe something would show up there.
Thanks again
Do u see superuser app installed? If so, what does it output when you open it?
_________________________
tapatalked from GalaxyS3