Database Info

[ROOT] ROOT Status of Official Sprint 2.1 release RUU: YES! | 6/03

ROOT Status of RUU_Hero_C_Sprint_2.27.651.5_R_signed_release : YES
Update: Regaw finally made it for us all! More info here http://forum.xda-developers.com/showthread.php?t=694572
======================================================
I noticed that someone has mixed up the TEST RUU and the RELEASE RUU. However they are different. The test RUU has su file built inside, other than the release RUU!
I flashed RUU_Hero_C_Sprint_2.27.651.5_R_signed_release.exe and i love it very much.
This update is very great, except that I lose my root access. And I tried every method to get root back again but failed.
1. Using asroot2 to root - Failed
I followed the Sticky GUIDE "How to Root the Sprint CDMA Hero", but failed when running
Code:
/data/local/asroot2 /system/bin/sh
The process was killed.
I know the linux kernel changed to 2.6.29 with the update. Maybe that is the reason why asroot2 does not work.
2. Using flashrec to flash a custom recovery image and then get root - Failed
I installed FlashRec 1.1.3 from zenthought's website, but failed when I tried backingup my recovery image.
3.Using adb to push the su file into the phone - Failed
I dump the su file from damageless's rom and flipz's Fresh 2.1.1 rom. Then using adb to push it into /data/local/ and chmod it to 4777, but running failed. It just said "Permission Denied". However, i push a busybox file into /data/local/ and chmod it to 4777, the busybox command runs ok.
KeithKris pointed that Su doesn't work on /data because that directory is mounted nosuid.
4.Using fastboot to flash a custom recovery image and then get root - Failed
I reboot my phone into fastboot, then connect it to PC using USB. I tried this command "fastboot boot recovery-RA-heroc-v1.6.2.img" but faild, it said "downloading 'boot.img'... FAILED (remote: not allow)".
5.Trying to flash back to RUU_Hero_C_Sprint_2.20.651.1_signed_test.exe - Failed
It said "Error 140: BOOTLOADER Version Error!".
Although regaw_leinad has pointed that the md5s on both(release version and test version) hboots are the EXACT same.
b819083aa9fe456c5a5fbde4917980e2
and
b819083aa9fe456c5a5fbde4917980e2
Click to expand...
Click to collapse
Thanks regaw_leinad for your kind help.
Update: 6. the Volex method - Failed
this volex method is revealed here. Already tested by regaw that 2.1 patched it. It doesn't work.
======================================================
After all these failures, there seems to be at least two ways to get the root back. And regaw_leinad and other guys are working hard on them.
1. Try to make a new asroot2 to exploit the linux 2.6.29/android 2.1 on our cdma hero. Here is the source code of our asroot2 -- heroc 1.5 exploit tool.
2. Try to hack the RUU file (actually we mean the rom.zip in the RUU.exe) and make sure it will pass the Bootloader check and signature check(maybe md5?). Then we could flash a RUU with su built inside and get the root back.
If anyone knows something about how to pass the signature check(maybe md5?) or linux kernel exploit, please share your wisdom. Thank you.
This post will be updated every day until the way to root comes out.
Update: Thanks to the donators in this thread! I believe the devs will find the exploit method soon with your support!
======================================================
BTW: Never ever flash the official 2.1 release RUU.exe unless you know what you are doing. You won't get root access until the exploit method has been found. If you do love the official update, you may flash this damageless's rom dump from the official 2.1 release. And the radio dump from the official 2.1 release is here1 and here2 (thanks to damageless and flipz, and remember flashing radio at your own risk). The only difference between damageless's dump and official RUU's system part is that it has root and busybox and it removed some useless apks.

would it be more like fastboot boot /sdcard/recovery-RA-.........img?

justinisyoung said:
would it be more like fastboot boot /sdcard/recovery-RA-.........img?
Click to expand...
Click to collapse
I tried /sdcard/recovery....img again, faild. Because in this command the image file should be on the PC not on the phone.

1. Make sure you have the Android SDK installed. Read HERE for more info.
2. Download 4shared.com - online file sharing and storage - download flash_image.zip
3. Download 4shared.com - online file sharing and storage - download recovery-RA-heroc-v1.5.2.img
4. Unzip the first file, and place both in your Android SDK/tools folder.
5. Make sure USB debugging is ON
6. Connect your phone to the PC
7. Open the command window and navigate to the Android-sdk/tools folder on your computer.
8. At the prompt enter the following, one line at a time followed by enter
Code:
adb shell
su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
exit
adb push flash_image /system/bin
adb push recovery-RA-heroc-v1.5.2.img /sdcard
adb shell
chmod 0755 /system/bin/flash_image
reboot
9. Your phone will reboot. When it is finished, back at your command window, once again enter
Code:
adb shell
su
cd /sdcard
flash_image recovery recovery-RA-heroc-v1.5.2.img
reboot recovery
10. With any luck, you'll have the recovery image back and can load custom 2.1 based ROMS again.
__________________

elhead17 said:
1. Make sure you have the Android SDK installed. Read HERE for more info.
2. Download 4shared.com - online file sharing and storage - download flash_image.zip
3. Download 4shared.com - online file sharing and storage - download recovery-RA-heroc-v1.5.2.img
4. Unzip the first file, and place both in your Android SDK/tools folder.
5. Make sure USB debugging is ON
6. Connect your phone to the PC
7. Open the command window and navigate to the Android-sdk/tools folder on your computer.
8. At the prompt enter the following, one line at a time followed by enter
Code:
adb shell
su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
exit
adb push flash_image /system/bin
adb push recovery-RA-heroc-v1.5.2.img /sdcard
adb shell
chmod 0755 /system/bin/flash_image
reboot
9. Your phone will reboot. When it is finished, back at your command window, once again enter
Code:
adb shell
su
cd /sdcard
flash_image recovery recovery-RA-heroc-v1.5.2.img
reboot recovery
10. With any luck, you'll have the recovery image back and can load custom 2.1 based ROMS again.
__________________
Click to expand...
Click to collapse
Sorry dude, there is NO su file in this released version of RUU.
So you won't run su after adb shell

just a question but can you successfully run the testkeys release RUU on your phone?

I thought with new 2.1 update root access was removed and there was no way workaround to get root access. I might be wrong here.
You might want to try RUU back to 1.56 version and try to gain ROOT access and just flash ROM release by the dev's here which still give us ROOT access.
I'm not sure if it even possible to go back from 2.1 to 1.5 RUU. Maybe some with more knowleadge of RUU can chip in here.
In addition the RUU you flash is same one release by Devs here on their modify ROMs.

i dont think it is possible to ruu back to 1.5. i think a dev said something about hboot being updated so it needs a new way for root.

kashb91 said:
i dont think it is possible to ruu back to 1.5. i think a dev said something about hboot being updated so it needs a new way for root.
Click to expand...
Click to collapse
You are correct sir. There's no way to downgrade hboot (without root), just like why you can't run the 1.29 RUU if you ran the 1.56, or yours came with 1.56 on it.

F.A.I.L.
10chars

aside from people who "accidentally" installed RUU, The push to quickly root this release is probably low priority, first of all this phone is probably end of life, so the chances of it coming out of the factory with 2.1 on it are slim.
2nd I imagine when the Evo gets released this forum will become a ghost town as far as new development is concerned

gunnyman said:
aside from people who "accidentally" installed RUU, The push to quickly root this release is probably low priority, first of all this phone is probably end of life, so the chances of it coming out of the factory with 2.1 on it are slim.
2nd I imagine when the Evo gets released this forum will become a ghost town as far as new development is concerned
Click to expand...
Click to collapse
well, I'll be around here unless someone buys me an EVO &

It is actually possible to go back to 1.5 even if you used the RUU (well I should say the test RUU). I just did it yesterday so I could take my phone in for service. I'll post how I did it when I'm not mobile. Basically I created an update package to flash the old hboot then used a combination of the 2 main unroot threads. Ended up being able to use the sdcard method after flashing the misc.ing from the other method. I know probably doesn't make sense but I've got it all documented at home.

eme82 said:
It is actually possible to go back to 1.5 even if you used the RUU (well I should say the test RUU). I just did it yesterday so I could take my phone in for service. I'll post how I did it when I'm not mobile. Basically I created an update package to flash the old hboot then used a combination of the 2 main unroot threads. Ended up being able to use the sdcard method after flashing the misc.ing from the other method. I know probably doesn't make sense but I've got it all documented at home.
Click to expand...
Click to collapse
I can't WAIT to read how you did this! I have been dying to get back to original HBoot since I ran the first test RUU back in April.

gunnyman said:
aside from people who "accidentally" installed RUU, The push to quickly root this release is probably low priority, first of all this phone is probably end of life, so the chances of it coming out of the factory with 2.1 on it are slim.
2nd I imagine when the Evo gets released this forum will become a ghost town as far as new development is concerned
Click to expand...
Click to collapse
Well, if we are able to root this Sense 2.1 then theoretically the same root method may work on the Evo, thereby cutting down our wait for a rooted Evo. Just a thought.

chuckhriczko said:
Well, if we are able to root this Sense 2.1 then theoretically the same root method may work on the Evo, thereby cutting down our wait for a rooted Evo. Just a thought.
Click to expand...
Click to collapse
Very very good point I'm not getting an evo till its rooted anyway

chuckhriczko said:
Well, if we are able to root this Sense 2.1 then theoretically the same root method may work on the Evo, thereby cutting down our wait for a rooted Evo. Just a thought.
Click to expand...
Click to collapse
Possible, but I doubt it.
Chances are it's an entirely different kernel. My guess is the EVO gets a 2.6.30+ Kernel - It's hardware is completely different from ours. QUALCOM doesn't even make our chipset any more.

I updated to 2.1 using damage sprintupdate2.zip. I want to use wifi-tether now. Where can I find the version I need for this particular build? I looked on wifi-tether website, but it says the 2.1 compatible version is for Nexus One. Is there even a version for Eclair for the Hero?
Would build wireless_tether_2_0_2-pre9.apk for the N1 work?

zemerick said:
I updated to 2.1 using damage sprintupdate2.zip. I want to use wifi-tether now. Where can I find the version I need for this particular build? I looked on wifi-tether website, but it says the 2.1 compatible version is for Nexus One. Is there even a version for Eclair for the Hero?
Would build wireless_tether_2_0_2-pre9.apk for the N1 work?
Click to expand...
Click to collapse
I'm still using pre6 seems to be the one for the Hero.

zemerick said:
I updated to 2.1 using damage sprintupdate2.zip. I want to use wifi-tether now. Where can I find the version I need for this particular build? I looked on wifi-tether website, but it says the 2.1 compatible version is for Nexus One. Is there even a version for Eclair for the Hero?
Would build wireless_tether_2_0_2-pre9.apk for the N1 work?
Click to expand...
Click to collapse
Here's the link: http://code.google.com/p/android-wi...ireless_tether_1_60_htc.apk&can=2&q=HTC+Donut

[ROOT] ~~~ HTC EVO - Auto Root ~~~ v2.5 (4/25/11)(deprecated)

This tool is now deprecated. To root your Evo 4G running Gingerbread you will need to use the Revolutionary tool that can be found at http://www.revolutionary.io.
I'm sorry to do it but due to the ridiculous amount of people who are still asking for help rooting gingerbread, I will no longer be supporting this tool what so ever. Any further emails I receive about it will be deleted.
Click to expand...
Click to collapse
Click to expand...
Click to collapse
I am proud to present the HTC EVO Auto Root script! It took me awhile but I finally got it fully automated, it probably would have been easier using VB to write it but I wanted it to be readable by everybody. I don't have working scripts for Linux or Mac yet but for older phones you should be able to follow the Alternative Method and use the code included at the end of the post with minimal changes. If you are new to rooting the Evo you should check out the Rooting Information and Common Problems thread to familiarize yourself with some of the screens you will see. At times your phone may shows ominous looking icons that look bad but really aren't, at times like that it is important that you don't panic and do anything that could damage your phone.
This will make a backup of your WiMAX partition and the RSA keys that are stored on it; backing up your RSA keys separate is not necessary. It will save it in the AutoRoot folder so be sure not to delete it.
If you run into any problems please include the following information with your post: Any methods you have previously tried to root with, what it did last plus any error messages it may have given (if you can right click, select all and copy it from the terminal), and if you are in the bootloader we need to know what the top two lines say. Running this will create a log file named: autorootlog.txt. Please post this as well.
Any feedback no matter good or bad is appreciated! Let me know how it works for you.
Randy (randyshear on youtube) has made a great video of the process if you would like to get an idea of what to expect before hand. It is important to note that, depending on your phone, the process may be slightly more involved or require more or less time.
HTC EVO 4G ** ROOT AND NAND UNLOCK ** AUTOROOT V 2.2 ** HOW TO **
This has been confirmed working with:
Software versions 1.32, 1.36, 3.29, 3.30 & 3.70
hBoot Version .76, .93, .97, 2.02 & 2.10
Thanks go to
HTC for making the phone to begin with
Sebastian Khramer for his rageagainstthecage exploit
Toastcfh for his tutorial and all of his work on improving the Evo, a lot of this is borrowed from his previous work
Amon_RA for his recoveries and for his quick work creating a recovery compatible with the new NAND blocks
Calkulin for collecting all of the radios and update images
Whosdaman, Football and Sniper911 for sharing the RUUs with us
The Unrevoked Crew for all of their hard work on the Unrevoked Forever s-off tool
amoamare and Zikronix for all of their hard work on rooting phones with the 2.02 hboot
chris1683 for his Sprint Lovers ROM
Netarchy for all of the great kernels
A huge thanks goes out to Dan0412 who took the time to debug this for version 003 2.02 phones
Schnick1 and tauzins for their help with getting ADB to act right
Props go to RyanZA and anyone else who worked on the z4root app. I wouldn't have got 3.70 rooted as fast as I did if I didn't have their app to learn from.
You Will Need:
A windows machine
HTC Sync that can be found on Sprint's website. HTC Sync 2.0.35.exe
At least 1 GB of free space on your SD card
A full or close to full battery (your phone will not charge during part of this and if it dies you will be SOL, aka Bricked)
ADB debugging enabled (Settings > Applications > Development > ADB Debugging)
Your phone connected to your computer as Charge Only and HTC's Evo drivers / HTC Sync installed.
The AutoRoot.zip File that can be found in this post
[*]I highly recommend you have the appropriate RUU, or PC36IMG, downloaded before you start. It is always good to have and if something does not go as planned it can get your phone back up and running with minimal down time.
Click to expand...
Click to collapse
IF YOU HAVE PREVIOUSLY TRIED ROOTING YOU MUST RESTORE FROM A RUU BEFORE RUNNING THIS. IT WILL NOT ROOT IT UNLESS YOU DO THIS.
Instructions:
This will try to back up your apps but it's not always able to, you will also lose all of your settings. Titanium Backup works well to save your apps however you will need to use z4root to temporarily root before you will be able to use it.
Download HTC Sync from Sprint's website here and install it. You may need to use the 'Repair' option for it to replace any old drivers.
Extract AutoRoot.zip into a folder that is easy to find and then open the folder.
Right click on 'AutoRoot.bat' and run it as Administrator.
Once it finds your phone it will start by checking out what kind of setup it uses and then attempt to get root access. If it fails usually it's from too many active apps or the phone being used, if so you will need to restart it before trying again. If you are using 3.70 it will let you know when it is running by blurring the screen.
When it is ready it will reboot your phone into the boot loader. Then, depending on your phones setup, it will either enter RUU mode and automatically flash the debugging firmware or give you instructions on how to flash it from the hBoot.
If you have to flash it manually just push Power to select "BOOTLOADER" and say Yes when it asks to flash the PC36IMG.zip. It will complain part of the way through about Boot Loader and/or radio errors and then skip them, this is normal. Once it finishes say No when asked to reboot and use the Vol Down button to highlight Recovery. Then press Power to select it.
If you are entering the Recovery your phone will show a Red Triangle with an Exclamation mark inside, at this point the script will take back over and attempt to flash Unrevoked Forever.
After it finishes flashing the engineering bootloader, or Unrevoked Forever, it will reboot into the bootloader and see if your NAND is unlocked. If so it will flash the Sprint Lovers ROM along with the Recovery and updated Radios. Afterward it may boot into the ROM and attempt to restore your Apps before finishing, try not to interrupt it until it tells you it has finished.
Once it's fully rooted and you have your phone set back up it's a good idea to make one more NANDroid with everything up to date. Then make one more backup of your WiMAX partition in case something happens to the first one.
Click to expand...
Click to collapse
If you have an older phone and don't want to flash Unrevoked Forever or Sprint Lovers w/ the radio updates you can have it skip them. It will just flash the engineering bootloader to unlock the NAND and then flash the recovery directly from there. You will need to update everything and flash a custom ROM on your own. This will only work if your phone has a version .9x hBoot.
Instructions for Quick method:
This will completely wipe your phone. If you would like to back up your apps you can use Titanium backup to save them. It also has an option to save the system files but this can result in a buggy ROM afterward.
Extract AutoRoot.zip into a folder that is easy to find.
Open a DOS prompt by running the OpenShell file.
Type 'autoroot quick' and press Enter
It will then flash the engineering bootloader and the recovery through fastboot. Once it is finished you can use the bootloader menu to boot into the recovery and make a NANDroid, flash a ROM, radios, etc.
Click to expand...
Click to collapse
Links:
Downloads
AutoRoot v2.5 - Full Root Zip (MD5: 5E1BF365F3B5479329896BD55C33678E)
AutoRoot v2.5 - Tools Only (MD5: 5DBA70A8CDD052A9908E4F43D6BBC669)
The following are the ROMs pulled out of the RUUs, you can flash them by renaming and putting it on your sd card or from your computer with fastboot using the included FlashZip script.
Sprint Evos (USA):
3.29.651.5_PC36IMG.zip (MD5: 2F5046C0FC6FE61114EBC53D5997B485)
3.30.651.2_PC36IMG.zip (MD5: 4A2CAB264244C79B2E2BE9E3CFE2B503)
3.70.651.1_PC36IMG.zip (MD5: 7056D42812AA5DF03FCC8DDDC2B64E85)
KDDI Evos (Japan):
1.05.970.1_PC36IMG.zip (MD5: 78F9E8BFEE705F34790A46C258268F02)
Sources
How to unlock Nand Protection ~ Part-2
RA-evo-v1.8.0 (a modified version is included)
RUU to restore 3.29.651.5
RUU to restore 3.30.651.2
RUU to restore 3.70.651.1 (Thanks to 911Sniper for the original mirror)
Sprint Lovers ROM (a modified version is included)
Click to expand...
Click to collapse
Changes for v2.5
Script now checks for Admin Priveledges and kills HTC Sync Services for Sync 3.05
Fixed issue recognizing build numbers
It will attempt to back up Apps now
Checks branding in order to recognize KDDI Evos
Unrevoked forever will now be retried if it doesn't get run the first try
Changed it so it will leave the phones in Fastboot mode if it fails
Recognizes ADB issues easier now
Changes for v2.4
Updated the ROM and Recovery
The working directory is now saved correctly when the path has a space in it
Fixed an error checking the firmware version that would cause the script to close
Made it more capable of recovering when the phone is in an unknown state
Fixed the SD card not being recognized with Eclair
Some parts will check for the 'daemon' error messages and will call to fix it
Made it so the MTD data is not saved unless it is recognized
The script will continue if it times out while waiting on Unrevoked Forever
The WiMAX partition is backed up through the ROM at the very beginning instead of through the Recovery
Changes for v2.3:
Updated the ROM, Recovery and Radios
The script will now recognize your phone at any point in the process and will continue where it left off
Fixed the FlashRecovery script and made it so you can choose what to flash, just put your PC36IMG of choice in the folder with it and let it do the work
Fixed the version checker so it doesn't get confused with custom ROMs anymore
Quick mode checks your hboot version from the ROM now so it won't even try if you have a new bootloader
It is much more tenacious going into the recovery, hopefully fixing the issue with ADB dropping out there
Fixed a bug where the MTD block sizes were not always being remembered correctly
Added more checks to make sure the phone is where it's supposed to be throughout the process
Made it try harder to get the recovery log so it doesn't get missed as much
Tweaked the timing some so it moves a little bit quicker and you only have to hit a button twice to exit instead of three times
Fixed the infinite loops so they are now 95% shorter
Changes for v2.2:
Updated the recovery to Amon RA's version 2.2.1
MTD information for each phone is saved in case it is restarted and unable to find out.
Fixed a bug where pre 3.xx ROMs were not being recognized correctly.
Phones are explicitly called by their serial number to prevent confusion if an emulator starts or another phone gets plugged in.
Unresponsive ADB daemons are killed to help prevent them for hanging or randomly restarting.
Changed autoroot.log to autorootlog.txt to make it easier to attach
Minor bug fixes.
Changes for v2.1:
Updated the recovery to Amon RA's version 2.2
Minor bug fixes
Changes for v2.0:
Added an app to give ADB root and keep it active in 3.70
Updated Sprint Lovers and Amon RA
Removed the two separate kernels/recoveries for new and old phones
Added a battery life check before flashing
Checks Firmware versions in both the ROM and hBoot
Checks that the Misc partition was flashed properly
Fixed all of the bugs with Quick root, it no longer flashes Sprint Lovers if you run it with S-OFF
It automatically restarts adbd where it would occasionally reset itself and get hung up
It also kills adbd when it finishes so you can move/delete it
Changed the bat that restarted adbd so it kills it instead
Added a bat to flash AmonRA through Fastboot with non-Eng hBoots
Added a bat to open a Cmd prompt already in the autoroot folder
Rewrote a good portion of the script and cleaned it up a lot
Made it more flexible so it doesn't get lost as easily
Plus more I forgot
Click to expand...
Click to collapse
Contents of v2.5 Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
AutoRoot.bat
check.bat
fastboot.exe
fastboot-linux
fastboot-mac
FindPhone.bat
FlashZip.bat
OpenShell.bat
StartRecovery.bat
amon_ra_1.8-mod/
res/
....AutoRoot.apk
....autoroot.ini
....dump_image
....Escalate.vbs
....Escalater.bat
....EscSC.lnk
....exploid.com
....FindPhone.bat
....flash_image
....ini.cmd
....mtd-eng.img
....PC36IMG_UD.zip
....PC36IMG_AmonRA-v2.3-hausmod_revA.zip
....PC36IMG-SprintLovers-AmonRA_2.3-hausmod_revA.zip
....radios.zip
....rageagainstthecage-arm5.bin
....recovery-RA-v2.3-hausmod_revA.img
....URFSOff.zip
....URFSOn.zip
....WatchPhone.bat
Notes:
Recovery is recovery-RA-supersonic-v2.3 with Netarchy's 4.3.2 CFS NoHAVS NoSBC NoUV
radios.zip is EVO_Radio_2.15.00.11.19_WiMAX_27167_R01_PRI_NV_1.90_003
URFSOff.zip is the Unrevoked Forever S-OFF tool
URFSOn.zip is the Unrevoked Forever S-ON tool
Click to expand...
Click to collapse
As always, this will void your warranty and may possibly damage your phone. You and you alone are responsible for anything that you do. Everything contained in this thread is for informational purposes only.
Click to expand...
Click to collapse

IMPORTANT: Everything contained in this post is meant for phones with the older bootloader. If you have hBoot version 2.02 or ROM version 3.30 you must use the above method.
Old Universal Root
(Scroll Down for Alternate Method)
You Will Need:
A windows machine and basic knowledge of DOS or a Linux/Mac box with a little bit of determination
At least 1 GB of free space on your SD card
A full or close to full battery
ADB debugging enabled (Settings > Applications > Development > ADB Debugging)
Your phone connected to your computer as Charge Only
The EVORoot.zip File that can be found in this post
Click to expand...
Click to collapse
Instructions:
Extract EVORoot.zip into a folder that is easy to find and go to that folder. Then copy the 'moveme' folder out of that one and on to your sdcard. Once it finishes copying unmount/eject the SD card through windows and change your phone back to Charge Only.
Double click on 'runexploit' and let it run. When it asks if you want to flash the hBoot push 'y' and then {enter}. If there are any errors follow the instructions given to try and resolve them. It will automatically reboot your phone once it is ready for it. If all you see is the prompt flashing press Ctrl+C or close the window to exit and re-run it as Administrator.
When the bootloader comes up push the Power button and you should see it start searching for updates. When it gets to PC36IMG.zip it will ask if you want to update with it, push Volume Up to say yes.
*DO NOT TURN OFF THE PHONE OR LET THE BATTERY DIE WHILE UPDATING*
When it's finished push the power button to select 'fastboot' and use the volume buttons to select the yellow 'reboot' button. Push power one more time to select it and reboot your phone. It should start up rooted and ready to go, however you will still need a custom Recovery so you can make NANDroid back-ups and flash an up to date ROM.
Once the phone starts back up run 'flashrecovery' through explorer. It will automatically flash and then reboot your phone into Amon_RA's recovery. When it reboots you should see green text on a black background, if you see a triangle with an exclamation mark then you still have the stock recovery and need to reboot and try again.
Use the volume buttons to select Backup/Restore then push Power to select it.
Select Nand backup and push power. This will make an exact copy of your phone as it is. If you get an error that says 'run mobile-nandroid...." make sure you have at least 3 or 400MB free on your memory card. You can use USB-MS toggle to mount your SD card if you need to make room or copy a ROM to your phone. The moveme folder can also be deleted from your SD card at this point and you can make copies or move the backup once it is complete. Just make sure you have one good backup before continuing.
The NANDroids are saved under 'nandroid/??????????/backupfolder-date-time/'. The folders need to be moved whole.
Return to previous menu, select Wipe, then have it Wipe data/factory reset, Wipe cache & Wipe dalvik-cache. If you get stuck in a bootloop try these steps again and try wiping the SD:ext partition as well.
Return, then go in Flash zip from sdcard. Once there flash the Radios. It is again very important not to interrupt or reset the phone while the radios are being flashed, although it will probably want to reboot before flashing can be finalized, just follow the instructions.
Once it is finished Return to the previous menu and select Power Off. Then hold down the vol down button while turning the phone back on.
It will boot back up into the bootloader, select No if it asks to update or reboot. From here select Recovery and it should go back to the black background with green text.
Select Flash zip from sdcard and Flash ROM-Supersonic_3.30....zip. If you have a different ROM you want to use you can flash another one instead.
Once it is finished Return to the main menu and have it Reboot system. Your phone should start up normally and ask to be set up, complete the set up like normal.
When you have it set up and are sure everything is working properly I would make one more NANDroid so you have a copy with the updated radios. At this point you can also flash another recovery and do anything else you would normally do. Just be sure to use unrevoked forever if you plan on using a different hBoot.
Click to expand...
Click to collapse
Links:
Downloads
EVORoot.zip
EVORoot.zip - No bootloader, ROM or Radio updates
eng-PC36IMG.zip mirror 1, mirror 2
The following are the ROMs pulled out of the RUUs and renamed, make sure you use the correct version for your phone but if you aren't able to find out start with the 3.29.
3.29.651.5_PC36IMG.zip
3.30.651.2_PC36IMG.zip
If you are having trouble flashing custom ROMs try using this kernel (Thanks to xxbabiboi228xx)
Stock kernel #17
Sources
How to unlock Nand Protection ~ Part-2
All EVO Radio, WiMAX, PRI & NV versions
RA-evo-v1.8.0
RUU to restore 3.29.651.5
RUU to restore 3.30.651.2
Click to expand...
Click to collapse
Contents Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
exploid.com
flashboot.bat
flashrecovery.bat
runexploit.bat
moveme/
.....eng-PC36IMG.zip
.....evo_radios_wimax_pri_nv_3.30.zip
.....flash_image
.....mtd-eng.img
.....rageagainstthecage-arm5.bin
.....recovery-RA-evo-v1.8.0.img
.....SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip
Click to expand...
Click to collapse
Alternate method
If you already have the EVORoot.zip file you can download the scripts below without the boot/ROM/radio.
Instructions:
Extract EVORoot.zip into a folder that is easy to find such as C:\EVORoot. Then copy the 'moveme' folder out of that one and on to your sdcard.
Open up a DOS prompt and go to the EVORoot directory. eg. 'cd C:\EVORoot'.
type: runexploit {enter}
It will scroll a few lines saying that the ADB server will be reset and to run it on the desktop, this is normal. If it says Permission Denied check to make sure your phone is set to charge only and your sd card is not mounted as a hard disk.
type: adb shell {enter}
If you see '$' then type: "./data/local/tmp/rageagainstthecage-arm5.bin", without the quotation marks, and push enter. After a few seconds it should kick you out to the \> prompt.
If you see '#' then type: exit {enter}
type: flashboot {enter}
If you don't see any errors let it continue, if you do see an error push Ctrl+X to stop
Your phone will then reboot, when it comes back up the bootloader option should be highlight. Press the power button to select it. It should then search for a second and ask if you want to install the pc36img.zip, push Volume Up for Yes.
*DO NOT TURN OFF THE PHONE OR LET THE BATTERY DIE WHILE UPDATING*
When it's finished go into fastboot and select the yellow 'reboot' through the menu, it should start up rooted and ready to go however you will still need a custom Recovery so you can make NANDroid back-ups and flash an up to date ROM.
Once the phone starts up do step #4 to check for root (# prompt), if it is a '$' try typing 'su {enter}'. If that does not work use runexploit and then check again. Return to the DOS prompt once finished.
type: flashrecovery {enter}
Let it continue as long as there are no errors, otherwise Ctrl+X will stop it. If you run this more than once you can ignore the file not found errors from when it first starts. When the phone reboots you should see green text on a black background, if you see a triangle with an exclamation mark then you still have the stock recovery.
Use the volume buttons to select Backup/Restore then push Power to select it.
Select Nand backup and push power. This will make an exact copy of your phone as it is. If you get an error that says 'run mobile-nandroid...." make sure you have at least 3 or 400MB free on your memory card. You can use USB-MS toggle to mount your SD card if you need to make room or copy a ROM to your phone. The moveme folder can also be deleted from your SD card at this point and you can make copies or move the backup once it is complete. Just make sure you have one good backup before continuing.
The NANDroids are saved under 'nandroid/??????????/backupfolder-date-time/'. The folders need to be moved whole.
Return to previous menu, select Wipe, then have it Wipe data/factory reset, Wipe cache & Wipe dalvik-cache. If you get stuck in a bootloop try these steps again and try wiping the SD:ext partition as well.
Return, then go in Flash zip from sdcard. Select and Flash ROM-Supersonic_3.30....zip. If you have a different ROM you want to use you can flash that one instead.
Flash the Radios, it is again very important not to interrupt or reset the phone while the radios are being flashed. It will probably want to reboot itself afterward, just follow the instructions.
Once it is finished Return to the main menu and have it Reboot system. Your phone should start up normally and ask to be set up, complete the set up like normal.
Once you have it set up and are sure everything is working properly I would make one more NANDroid so you have a copy with the updated radios. At this point you can also flash another recovery and do anything else you would normally do. Just be sure to use unrevoked forever if you plan on using a different hBoot.
Click to expand...
Click to collapse
Links:
Downloads
EVORoot.zip
EVORoot.zip - No bootloader, ROM or Radio updates
eng-PC36IMG.zip mirror 1, mirror 2
Click to expand...
Click to collapse
Contents Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
flashboot.bat
flashrecovery.bat
runexploit.bat
moveme/
.....eng-PC36IMG.zip
.....evo_radios_wimax_pri_nv_3.30.zip
.....flash_image
.....mtd-eng.img
.....rageagainstthecage-arm5.bin
.....recovery-RA-evo-v1.8.0.img
.....SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip
Batch Files
runexploit.bat
Code:
adb shell "cat /sdcard/moveme/rageagainstthecage-arm5.bin > /data/local/tmp/rageagainstthecage-arm5.bin"
adb shell "chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin"
adb shell "./data/local/tmp/rageagainstthecage-arm5.bin"
flashboot.bat
Code:
adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image misc /sdcard/moveme/mtd-eng.img"
adb shell "mv /sdcard/moveme/eng-pc36img.zip /sdcard/pc36img.zip"
adb shell sync
adb reboot bootloader
flashrecovery.bat
Code:
adb shell "mv /sdcard/PC36IMG.zip /sdcard/moveme/eng-PC36IMG.zip"
adb shell "mv /sdcard/moveme/evo_radio_wimax_pri_nv_3.30.zip /sdcard/evo_radio_wimax_pri_nv_3.30.zip"
adb shell "mv /sdcard/moveme/SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip /sdcard/ROM-SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip"
adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/moveme/recovery-RA-evo-v1.8.0.img"
adb shell sync
adb reboot recovery
Click to expand...
Click to collapse
This uses HTC's eng hBoot to unlock NAND protection so it is relatively safe, but, as always, this will void your warranty and may possibly damage your phone. You and you alone are responsible for anything that you do. This is for informational purposes only.
Click to expand...
Click to collapse

Here are linux and mac versions. You just need to get adb from somewhere (I don't think the packaged windows version will work).
If it's in your path, just change all of the "./adb" to "adb", or if you copy the executable to the same directory as these scripts, leave them as is.
Put them in the same directory, as the kit, and they should work.
I haven't tested, but thought I would write them up quickly to help with mutli-os support.
runexploit.sh
Code:
#!/bin/bash
./adb shell "cat /sdcard/moveme/rageagainstthecage-arm5.bin > /data/local/tmp/rageagainstthecage-arm5.bin"
./adb shell "chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin"
./adb shell "./data/local/tmp/rageagainstthecage-arm5.bin"
flashboot.sh
Code:
#/bin/bash
./adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
./adb shell "chmod 755 /data/flash_image"
./adb shell "/data/flash_image misc /sdcard/moveme/mtd-eng.img"
./adb shell "mv /sdcard/moveme/eng-pc36img.zip /sdcard/pc36img.zip"
./adb shell sync
./adb reboot bootloader
flashrecovery.sh
Code:
#!/bin/bash
./adb shell "mv /sdcard/PC36IMG.zip /sdcard/moveme/eng-PC36IMG.zip"
./adb shell "mv /sdcard/moveme/evo_radio_wimax_pri_nv_3.30.zip /sdcard/evo_radio_wimax_pri_nv_3.30.zip"
./adb shell "mv /sdcard/moveme/SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip /sdcard/ROM-SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip"
./adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
./adb shell "chmod 755 /data/flash_image"
./adb shell "/data/flash_image recovery /sdcard/moveme/recovery-RA-evo-v1.8.0.img"
./adb shell sync
./adb reboot recovery

I'm getting a permission denied when I try to runexploit

Can you post an alternate mirror for the rootkit?

jacobzamarripa said:
I'm getting a permission denied when I try to runexploit
Click to expand...
Click to collapse
Do you have debugging enabled?

MJStephens said:
Do you have debugging enabled?
Click to expand...
Click to collapse
usb debugging. yes

jacobzamarripa said:
usb debugging. yes
Click to expand...
Click to collapse
Are you running cmd.exe as admin?

Do you guys have a youtube video of step by step for this? Because i cant even get past the third step

BrashL said:
Are you running cmd.exe as admin?
Click to expand...
Click to collapse
im not quite sure how. im on windows xp

jacobzamarripa said:
im not quite sure how. im on windows xp
Click to expand...
Click to collapse
Im pretty sure he just means that your on an user name on windows that has Master rights.

Bravo, bravo. You really outdid yourself on this hauss. What a fabulous tutorial for noobs. In my spare time, I would be happy to make a Mac version of this tutorial for you. I think the Mac part jut confuses people more. Seriously, great work. I will be referring people to this. Replaces the need to do 20 commands with like 4 homemade batch scripts. Pm me or email at [email protected] and I will build a Mac tutorial (giving you full credit of course)...

Confirm?
This looks and sounds awesome. I would LOVE a mac version of this and like to donate to good work
Can I get a confirmation from someone reporting success using this method?
I'd like to use this on a friends phone today but am a bit hesitant because it's so new.
thanks!

i will confirm that all the scripts work on thier own. i have no idea if hauss's batch scripts work. all the exploits are legit though. i will download and proofread. either way, it should work. i know hauss is experianced at rooting and stuff.

wait, huge file. does someone mind sending me everything except the pc36img.zip and eng-pc36img.zip? email is [email protected]

does anyone know if it will work on parallels on mac.

adb connection will be reset. restart adb server on desktop and re-login
I keep getting error message saying "adb connection will be reset. restart adb server on desktop and re-login"
--------------------------------------------
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3316, 3316}
[*] Searching for adb ...
[+] Found adb as PID 1400
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.

rukshmani said:
I keep getting error message saying "adb connection will be reset. restart adb server on desktop and re-login"
--------------------------------------------
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3316, 3316}
[*] Searching for adb ...
[+] Found adb as PID 1400
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
Click to expand...
Click to collapse
Actually i kept getting this same message when i was on the adb server and was attempting to get to the recovery screeen on the phone. Do you by any chance have HBoot 2.2 on your evo?

Hi Noobe , yes unfortunately..am i SOL

rukshmani said:
i keep getting error message saying "adb connection will be reset. Restart adb server on desktop and re-login"
--------------------------------------------
[*] cve-2010-easy android local root exploit (c) 2010 by 743c
[*] checking nproc limit ...
[+] rlimit_nproc={3316, 3316}
[*] searching for adb ...
[+] found adb as pid 1400
[*] spawning children. Dont type anything and wait for reset!
[*]
[*] if you like what we are doing you can send us paypal money to
[*] [email protected] so we can compensate time, effort and hw costs.
[*] if you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 usd!
[*]
[*] adb connection will be reset. Restart adb server on desktop and re-login.
Click to expand...
Click to collapse
this is not an error message! This means it is working! Just move on to the next step. If there is nothing that says the word error, there is probably no error!

ClockworkMod Recovery 4.0.0.9 for the T-Mobile myTouch 4G Slide (MoDaCo edition)

Cool! I got a myTouch 4G Slide!
Not cool! No ClockworkMod recovery!
Solution! Make my own.
You must have a 'S-OFF' device to install this recovery image!
Here is my unofficial MoDaCo build of ClockworkMod for the T-Mobile myTouch 4G Slide / aka HTC Doubleshot. In order to flash this recovery, you need to have temproot or permanent root via Fr3evo (grab from here, push to /data/local, run via ADB then reconnect after it drops your connection for root access). If you need ADB, you can grab it here.
You use this image at your own risk! Proceed with caution!
To install, simply...
Download the ClockworkMod image file from here
Copy the file to /data/local ('adb push doubleshot.clockworkmod.4.0.0.9.modaco.img /data/local')
Write the image to the recovery partition ('dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21')
Do a recovery reboot to test ('adb reboot recovery').
That's it!
P

paulobrien said:
Cool! I got a myTouch 4G Slide!
Not cool! No ClockworkMod recovery!
Solution! Make my own.
You must have a 'S-OFF' device to install this recovery image!
Here is my unofficial MoDaCo build of ClockworkMod for the T-Mobile myTouch 4G Slide / aka HTC Doubleshot. In order to flash this recovery, you need to have temproot or permanent root via Fr3evo (grab from here, push to /data/local, run via ADB then reconnect after it drops your connection for root access). If you need ADB, you can grab it here.
You use this image at your own risk! Proceed with caution!
To install, simply...
Download the ClockworkMod image file from here
Copy the file to /data/local ('adb push doubleshot.clockworkmod.4.0.0.9.modaco.img /data/local')
Write the image to the recovery partition ('dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21')
Do a recovery reboot to test ('adb reboot recovery').
That's it!
P
Click to expand...
Click to collapse
Thanks for this! Man I wish I had mine in my hands already! I'm gonna give this a shot as soon as it arrives
Sent from my demonSPEED Glacier

Mine is S-ON :O
raycaster3 said:
Thanks for this! Man I wish I had mine in my hands already! I'm gonna give this a shot as soon as it arrives
Sent from my demonSPEED Glacier
Click to expand...
Click to collapse

Revolution said:
Mine is S-ON :O
Click to expand...
Click to collapse
Boo! Damn
Sent from my HTC Glacier

So what does hboot do to /dev/block/mmcblk0p21 after the phone is turned back on if you temp root and dd it?

thank you!

paulobrien said:
Cool! I got a myTouch 4G Slide!
Not cool! No ClockworkMod recovery!
Solution! Make my own.
You must have a 'S-OFF' device to install this recovery image!
Here is my unofficial MoDaCo build of ClockworkMod for the T-Mobile myTouch 4G Slide / aka HTC Doubleshot. In order to flash this recovery, you need to have temproot or permanent root via Fr3evo (grab from here, push to /data/local, run via ADB then reconnect after it drops your connection for root access). If you need ADB, you can grab it here.
You use this image at your own risk! Proceed with caution!
To install, simply...
Download the ClockworkMod image file from here
Copy the file to /data/local ('adb push doubleshot.clockworkmod.4.0.0.9.modaco.img /data/local')
Write the image to the recovery partition ('dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21')
Do a recovery reboot to test ('adb reboot recovery').
That's it!
P
Click to expand...
Click to collapse
what does this means 'dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21'

That line of code just copies the recovery image from a directory on the phone to the special place where a recovey image is supposed to be.
Sent from my myTouch_4G_Slide using XDA App

michaelmab88 said:
That line of code just copies the recovery image from a directory on the phone to the special place where a recovey image is supposed to be.
Sent from my myTouch_4G_Slide using XDA App
Click to expand...
Click to collapse
My device is ship s-off can't use this methods.so i used sdcard flash succeeded. Thanks!

Crossing my fingers that someone finds a way to get S-off on these. I'm too spoiled with CM7, I forgot what it's like to have a "stock" phone that you can't delete unwanted apps, overclock, tweak, etc.
I think I might just box up the MTS4G and continue to use my G2 until true root is available.

Can we get an hboot dump from someone with S-off? Just curious if it's possible to flash that to hboot with temp root?

masker2011 said:
what does this means 'dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21'
Click to expand...
Click to collapse
Specifically this command is a raw linux command that would work on almost any machine. It's telling the dd utility to copy the img file to the /dev/ mount in the specific block mmcblk0p21.
Every partition is grouped into blocks. Usually 512kbytes but it could be something else.

Akujin said:
Can we get an hboot dump from someone with S-off? Just curious if it's possible to flash that to hboot with temp root?
Click to expand...
Click to collapse
Nope. See the 'Bounties!' thread.

cberbes said:
Crossing my fingers that someone finds a way to get S-off on these. I'm too spoiled with CM7, I forgot what it's like to have a "stock" phone that you can't delete unwanted apps, overclock, tweak, etc.
I think I might just box up the MTS4G and continue to use my G2 until true root is available.
Click to expand...
Click to collapse
Are you forgetting the fact that the MT4GS is also a Sense phone? While I like Sense, the option to use regular old Android should always be there (I'm looking at YOU, Motorola).

In the bounty thread it had been noted that that there is no on board charging circuit on the phone and that if certain factors do not exist in recovery then the phone can not charge.
I was wondering if this has affected you, out you have already compensated for this. If you have that issue resolved it may be of help to nbetcher and others looking to give us s-off.
Sent from my myTouch_4G_Slide using XDA Premium App

I can't use the command dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21
Whats the fix for that?

electro_chef said:
I can't use the command dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21
Whats the fix for that?
Click to expand...
Click to collapse
Did you elevate yourself to root first?
If you're not sure. At the android prompt type su [enter]
Now you're root and can run anything.

masker2011 said:
what does this means 'dd if=/data/local/doubleshot.clockworkmod.4.0.0.9.modaco.img of=/dev/block/mmcblk0p21'
Click to expand...
Click to collapse
This line isn't working.
Is there a missing "ADB" or "ADB SHELL" that's supposed to go in front of the dd?
Or is this command supposed to be executed on the device itself?

jdmarko said:
This line isn't working.
Is there a missing "ADB" or "ADB SHELL" that's supposed to go in front of the dd?
Or is this command supposed to be executed on the device itself?
Click to expand...
Click to collapse
I believe its suppose to be executed on the device, however if the device doesn't have root, than its useless.
You can use fastboot to flash it.

I'm getting the same charging issue as everyone else.
If the phone is off, and you plug the charger in, the LED will light up. But the phone will not charge, it will freeze, and you must do a battery pull to get it to boot from that point.
Any idea for the fix?

[GUIDE][S-ON] How to downgrade chacha to lower firmware version

This guide will explain how to downgrade chacha from higher RUU version to lower RUU version. Even HBoot downgrade is possible. Mine, I successfully downgraded from HBoot 1.05 to 1.04.
Usually this error msg appears if you try to downgrade your firmware ‘Main Version is Older’, the guide will help solve this.
The guide is based on thread http://forum.xda-developers.com/showthread.php?p=10757949#post10757949
This is not my actual work, I searched thru the forums when I wanted to downgrade my chacha from RUU_Chacha_HTC_Europe_1.33.401.1_Radio_47.17.35.3033H_7.48.35.14_2_release_204385_signed to RUU_Chacha_hTC_Asia_WWE_1.21.707.2_Radio_47.14.35.3030H_7.47.35.17_release_197518_signed and created this guide.
My device is carrier unlocked, S-ON and this method will work on S-ON devices.
Note: Before you proceed, I accept no responsibility if you brick your phone. Do it on your own risk!!!
Things you need
I assume you already have android SDK and HTC sync installed in your system
1) Flash_Image – http://www.android-hilfe.de/attachments/root-hacking-modding-fuer-htc-desire/8835d1275662657-how-rebrand-o2-desire-fertig-flash_image.zip
2) HEX Editor - http://mh-nexus.de/en/downloads.php?product=HxD
3) A gold card – search thru the forums if you need to create one.
Step 1: Achieve temp adb shell root
You can achieve temp adb shell root using zergRush method, if you don’t know how, your can see this thread http://forum.xda-developers.com/showthread.php?t=1296916 or simplest way is to use the batch file created by qzfive http://forum.xda-developers.com/showthread.php?t=1319386
Step 2: copy the mtd0 file to sdcard.
Open command prompt, change your directory to ADB directory (usually the folder where ADB.exe resides).
In the command prompt type, adb shell
You should see ‘#’ at the prompt, if you see ‘$’ then you didn’t achieved temp root, redo step-1.
In the command prompt type
cat /dev/mtd/mtd0 > /sdcard/misc.img
Step 3: now change the USB connection type to ‘disk drive’ and copy the ‘misc.img’ to your pc or laptop. Use HxD as administrator and open ‘misc.img’
Step 4: The current version number can be located at 11th line, change it to the version number of RUU you want to downgrade to. I have changed mine from 1.33.401.1 to 1.25.709.1 and save. Be sure to back up the file before any updates.
Step 5:
copy the flash_image (which you downloaded at the start) and misc.img back to your root of sdcard
Step 6: change the USB connection type to ‘charge only’ and execute the below commands in the adb shell
cat /sdcard/flash_image > /data/flash_image
chmod 755 /data/flash_image
/data/flash_image misc /sdcard/misc.img
Step 7:
Copy the rom.zip from RUU which you wanted to flash to the root of the goldcard and rename to PH06IMG.zip. Power off the phone, insert goldcard to the phone – press volume down + power on, the phone will flash the rom.

I'm quite happy to see that this ChaCha section is getting more and more used. This goes straight to the ChaCha guide that I made. Congratulations!

Thank you, i was trying my luck for s-off as in this forum http://forum.xda-developers.com/showthread.php?t=1317960 so downgraded my phone. and unfortunately no s-off!

Ok, this could be modified with a s-off hboot in the zip to achieve s-off, I'm sure of it. Anyone have an engineering s-off Hboot around?

It wouldn't work - if you modify a signed HTC .zip, the bootloader won't take it if it's S-ON

@#$%. I do feel this is is the start of an exploitable loophole. Now how to use it is the key.

as qzfive said, if the rom.zip in RUU is modified it cannot be flashed, i tried to modify the rom.zip using zip utility to change the CID information once, but the flashing was not successful. Believe HTC uses some special technique to build the zip
if any one can direct to information on building RUU may be we can give it a try

ajeevlal said:
as qzfive said, if the rom.zip in RUU is modified it cannot be flashed, i tried to modify the rom.zip using zip utility to change the CID information once, but the flashing was not successful. Believe HTC uses some special technique to build the zip
if any one can direct to information on building RUU may be we can give it a try
Click to expand...
Click to collapse
It has a digiotal signature that you are modifying by packing it with a normal zip program. Instead, use 7zip this way:
- extract the files you want to edit
- edit them (for text editor use notepad++ as others like normal notepad\word\wordpad are creating unneeded newline chars)
- open the zip with 7zip again and drag and drop the files you want to replace into 7zip.

Alex C. said:
It has a digiotal signature that you are modifying by packing it with a normal zip program. Instead, use 7zip this way:
- extract the files you want to edit
- edit them (for text editor use notepad++ as others like normal notepad\word\wordpad are creating unneeded newline chars)
- open the zip with 7zip again and drag and drop the files you want to replace into 7zip.
Click to expand...
Click to collapse
I'm guessing it's only possible to modify the CID of the .zip this way? I got an idea of replacing recovery.img in the zip to a CWM.img, guessing it wouldn't work?
EDIT: I pulled the rom.zip from the 1.33.401.1 RUU and it wouldn't let me put my modified android-info.txt back into the .zip, 7zip gave me a "Not implemented/Operation not supported" error :/

qzfive said:
I'm guessing it's only possible to modify the CID of the .zip this way? I got an idea of replacing recovery.img in the zip to a CWM.img, guessing it wouldn't work?
EDIT: I pulled the rom.zip from the 1.33.401.1 RUU and it wouldn't let me put my modified android-info.txt back into the .zip, 7zip gave me a "Not implemented/Operation not supported" error :/
Click to expand...
Click to collapse
7zip said "Not implemented"? Weird.. So you are simply using drag and drop, eh?

As a side note, remove the first 256 bytes of the file, which is the RSA signature (for example using HxD) to get a "proper" zip file. All modifications of the file will invalidate the signature anyway, you won't be able to flash it unless you're S-OFF or through an exploit.

Yup, Drag and Drop gives the error "Not Implemented", and clicking the Add icon gives the error "Operation is not supported"
Funnily enough, WinRAR says "C:\Users\James\Desktop\PH06IMG.zip: The archive is corrupt" when trying to add files to it
I'm guessing HTC made their .zips pretty secure then :/

xdbg said:
As a side note, remove the first 256 bytes of the file, which is the RSA signature (for example using HxD) to get a "proper" zip file. All modifications of the file will invalidate the signature anyway, you won't be able to flash it unless you're S-OFF or through an exploit.
Click to expand...
Click to collapse
I've edited with 7zip and the signature was not invalidated. The files were then flashed.

do i have to buy xtc clip to get gold card or what ?
cause i cant find any other way to do it

Search on Google: gold card creator. You can also search "gold card" on XDA.

It worked Thanks....

what to do if i cant get adb shell root?
zergRush doesnt work saying Hellions with blue flames
the 2nd link is dead, and i guess its based on the same exploit
all i need is to flash europe 1.33.401.1 on top of 1.57.707.2
s-on

aZzz.bZzz said:
what to do if i cant get adb shell root?
zergRush doesnt work saying Hellions with blue flames
the 2nd link is dead, and i guess its based on the same exploit
all i need is to flash europe 1.33.401.1 on top of 1.57.707.2
s-on
Click to expand...
Click to collapse
facing similar issue... ok got adb shell working (already rooted) but failed at last command and says not enough memory ... card empty and phone got abt 80mb free.
my phone is s-on, and factory unlocked. Do i still need goldcard? read reviews long time ago that unlocked phone dont need that, only branded one need goldcard.
wish the xtc clip were cheaper ...

thank you , you were right it just wants a post on my wall.
I am sorry for the off topic but is there any easy tutorial how to Sim Carrier unlock MY HTC chacha S-ON, if there is one ?

I have USA Version CHACHA , with firmware 1.60.xxx
Really downgrade firmware? And do S-OFF?
With gold card not have downgrade

[TOOL] Goldcard img creator

INTRODUCTION
As the Revskills site has been taken down (aparently for good) and thanks to Gene Poole (for provinding the .exe file that does all the magic), I have wrote a simple script that creates the goldcard.img file.
INSTRUCTIONS
As usual, you need:
Drivers installed in the PC.
adb, fastboot, and such commands running in the PC (if you don't have then download this folder (https://dl.dropboxusercontent.com/u/30674730/adb.rar) and extract its contents in the golcard tool folder)
Follow on screen instructions.
Make sure that you check on what MMC is your sdcard ID located. So far, Desire HD/Inspire 4G is on MMC2 but do not have information on other devices.
If you follow the instructions after running the tools, the goldcard.img file will be created in the tools folder. Then, patch the sdcard using the Simple Goldcard Tool included in the tools folder.
ACKNOWLEDGEMENTS
Many thanks to Gene Poole from creating the .exe file that creates the img file.
nelify - For posting the Simple Goldcard Tool that I am inlcuding in here to patch the sdcard
As usual the guys from the Hack Kit support IRC channel for teaching me about scripting and android and being so patient with me.
DOWNLOADS
http://d-h.st/VMw

Thx for your work, but it doesnt seem to work. After creating the image the tool says "It doesnt seem to be a valid Goldcardimage:
Get CID works, but the used and reversed CID seems to be another.
Furthermore I dont understand, how the GC.cmd can create a Goldcardimage without knowing the correct CID. It dont asks for that!?

tito_puente said:
Thx for your work, but it doesnt seem to work. After creating the image the tool says "It doesnt seem to be a valid Goldcardimage:
Get CID works, but the used and reversed CID seems to be another.
Furthermore I dont understand, how the GC.cmd can create a Goldcardimage without knowing the correct CID. It dont asks for that!?
Click to expand...
Click to collapse
The script finds the cid in the code. Of course it depends on the phone you have. The DHD or Inspire 4g have cid located in mmc2. If you choose the wrong mmc July get the wrong cid number.
Sent from my ASUS Transformer Pad TF700T using xda app-developers app

it doesn't create the .img
plz help
Microsoft Windows [Έκδοση 6.1.7601]
Πνευματικά δικαιώματα (c) 2009 Microsoft Corporation. Με επιφύλαξη κάθε νόμιμου
δικαιώματος.
C:\Users\PriestJohn>cd c:\android
c:\Android>C:\Android\GC.cmd
***WELCOME TO THE GOLDCARD IMAGE CREATOR***
This tool is possible thanks to Gene Poole, so thank him for letting you impro
ve your device
Checking connected devices
adb server is out of date. killing...
* daemon started successfully *
List of devices attached
HT0B4RX03962 device
starting menu
******************************************************
Choose the correct MMC for your device:
1. MMC0
2. MMC1
3. MMC2 (Desire HD/Inspire 4G)
4. Quit
*******************************************************
[Make your choice]3
Creating goldcard
Usage: tools\gcard.exe -c <sdcardid> [-r] -o <outputfile>
Options:
-h This help menu.
-c <sdcardid> Specify the SD Card Serial ID (required).
-r Specifies that <sdcardid> is already reversed.
-o <outputfile> Specify the output file (required).
Goldcard has been created in the tool folder. Now patch the sdcard using this Si
mple Goldcard Tool included in the tools folder
Πιέστε ένα πλήκτρο για συνέχεια. . .
Click to expand...
Click to collapse

Thanks but no thanks. I just bricked my Wildfire S by attempting to create a gold card using your tools.
Edit: I got it working! And successfully created a gold card! My issue was that ADB was not recognizing my device. My solution was to flash an old nandroid that had presumably had USB Debugging Enabled. I then proceeded to run the cmd file but without any luck, I was unable to properly get a gold image.
My check to see if ADB was talking to my device was:
Code:
adb devices
Once I confirmed that my device was being read on my PC, I ran SimpleGoldCard.exe and successfully got the CID for the SD Card. I then manually ran gcard.exe in terminal, and used the command:
Code:
gcard -c *CID* -r -o "C:/Gold Card/gold.img"
Success! I pulled out the SD card from the device, attached it to my computer via a card reader, and then ran SimpleGoldCard.exe again, completing the process.
I required the Gold Card due to calibration to attach an aftermarket digitizer to an HTC Wildfire S. I was unable to get past #7: https://sites.google.com/site/repairlinks/htc/htc-wildfire-s-calibration without a gold card.
Thanks for sharing this, it worked for me, and I got the digitizer fully calibrated on my Wildfire S!

BuffMcBigHuge said:
Thanks but no thanks. I just bricked my Wildfire S by attempting to create a gold card using your tools.
Click to expand...
Click to collapse
There's no way to brick a device getting the cid of the sdcard. This tool does not flash anything at all. So, unless you have proof what you are saying makes no sense
Sent from my GT-N7100 using xda app-developers app

glevitan said:
There's no way to brick a device getting the cid of the sdcard. This tool does not flash anything at all. So, unless you have proof what you are saying makes no sense
Sent from my GT-N7100 using xda app-developers app
Click to expand...
Click to collapse
Yes my mistake! I figured something went wrong, as the device was not responding after running the script. I was getting a flashing red notification light, and I wasn't able to load the bootloader. I found out it was due to a low battery. I suppose the battery does not charge while in the bootloader or fastboot menu? I almost tossed the phone in the garbage, but I still had hope!
Sent from my HTC One using Tapatalk 4 Beta

model id incorrect
glevitan said:
INTRODUCTION
As the Revskills site has been taken down (aparently for good) and thanks to Gene Poole (for provinding the .exe file that does all the magic), I have wrote a simple script that creates the goldcard.img file.
INSTRUCTIONS
As usual, you need:
Drivers installed in the PC.
adb, fastboot, and such commands running in the PC (if you don't have then download this folder (https://dl.dropboxusercontent.com/u/30674730/adb.rar) and extract its contents in the golcard tool folder)
Follow on screen instructions.
Make sure that you check on what MMC is your sdcard ID located. So far, Desire HD/Inspire 4G is on MMC2 but do not have information on other devices.
If you follow the instructions after running the tools, the goldcard.img file will be created in the tools folder. Then, patch the sdcard using the Simple Goldcard Tool included in the tools folder.
ACKNOWLEDGEMENTS
Many thanks to Gene Poole from creating the .exe file that creates the img file.
nelify - For posting the Simple Goldcard Tool that I am inlcuding in here to patch the sdcard
As usual the guys from the Hack Kit support IRC channel for teaching me about scripting and android and being so patient with me.
DOWNLOADS
http://d-h.st/VMw
Click to expand...
Click to collapse
i have inspire 4g which model id i found from "fastboot getvar all" is 4 x
but i think it should be PD981....LIKE THAT
WHAT IS WRONG IN MY PHONE

now, how to create a goldcard since the website is down?
its always great when people provide things working...

http://psas.revskills.de/?q=goldcard - it doesn't work