Chapter 7: HTC EVO 3D: A Locked Device

In this chapter:

• Using the temporary root method

• Using the permanent root method

HTC phones have become developer- and hacker-friendly. HTC allows developers and enthusiasts to unlock their devices. You can find out more about HTC’s unlock method by browsing to http://htcdev.com/bootloader.

The EVO 3D was one of the first generation of smartphones based on a dual-core processor and running Android. The EVO 3D included a “glasses-free” 3D screen and camera. It shipped with Sense 3.0 and Android 2.3 (Gingerbread). It launched in the US on the Sprint network with access to Sprint’s 4G WiMAX network. The HTC Sensation had a similar specification, without the 3D capability, and launched on the T-Mobile network (and on similar 3G/UMTS networks worldwide).

The EVO 3D had a locked, signed bootloader and locked eMMC storage. It was considered to be one of the more locked-down devices released by HTC, but it was liberated a few weeks after its release.

The hacker community developed a temporary root method for the EVO 3D before there was a permanent solution that included S-OFF. The temporary method makes no persistent change: once the device reboots, the file system is back in its factory, unrooted state. A semi-permanent root method (known as a “perma-temp” method) gives root privileges until the device reboots. The permanent root solution discussed here turns S-ON into S-OFF and establishes permanent root access on the device.

The temporary root method uses Fre3vo and the permanent root method uses Revolutionary. This walkthrough covers both methods. The reason for covering both methods is to demonstrate the way temporary access was gained and to provide a way to do a full back up before using Revolutionary.

Obtaining Temporary Root

Temporary root was brought to the EVO 3D courtesy of TeamWin. The group developed Fre3vo, a tool that gives users a temporary root shell on their devices. TeamWin is also responsible for a custom recovery and other EVO 3D-specific hacks and customizations.

You need the SDK installed, ADB working and the phone in debug mode (see Appendix A). You also need to download the Fre3vo file from the XDA forum (http://forum.xda-developers.com/showthread.php?t=1149998). The Fre3vo file is an exploit binary that creates temporary root access to the file system.

This method has you push a file to the file system, make it executable and execute it.

1. Download the Fre3vo file and place it in a folder created specifically for the exploit.

2. Open a command prompt window and navigate to your Fre3vo folder.

3. Enter the following command from the command line:

adb push fre3vo /data/local/tmp

The binary exploit is “fre3vo” with no extension. Linux-based operating systems (including Android) decide whether a file is executable from its permission bits, not from its extension.

4. Make the binary executable with the following command:

adb shell chmod 777 /data/local/tmp/fre3vo

(chmod 755 would be enough: the binary needs to be executable, not world-writable.)

5. Enter the ADB shell with the following command:

adb shell

6. Execute the fre3vo exploit with this command:

/data/local/tmp/fre3vo

The ADB shell is closed and you return to the PC prompt. You must re-enter the ADB shell to verify you have root access:

1. Enter the following command: adb shell.

2. Verify that the shell now has the hash (#) prompt, indicating root level access. The prompt character is only a shell convention; running id and checking that it reports uid=0(root) is the definitive test.

The root state obtained when using Fre3vo is temporary and disappears when the device is rebooted.
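The same sequence driven from a POSIX shell script, added here as an example and not taken from the book or from TeamWin's tooling. It assumes adb is on the PATH, the phone is in debug mode and the fre3vo binary is in the current directory. The uid parsing is the added check: a # prompt is only a convention, whereas the uid reported by id is unambiguous. The id lines quoted in the comments and the two-second settle time are assumptions.

```shell
#!/bin/sh
# Added example (not the book's code): run the Fre3vo steps and confirm root
# from the uid that `id` reports instead of eyeballing the prompt character.
# Assumptions: adb on PATH, device in debug mode, fre3vo in the current dir.

# Return 0 when a line of `id` output reports uid 0, else 1.
# Android's toolbox `id` prints e.g. "uid=2000(shell) gid=2000(shell)" in a
# normal adb shell and "uid=0(root) gid=0(root)" once the shell is root.
uid_is_root() {
    _uid=$(printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
    [ "$_uid" = "0" ]
}

# Push, mark executable, run the exploit, then check the uid of a fresh shell.
# The exploit ends the shell it runs in, so `id` is run in a new `adb shell`.
evo3d_temp_root() {
    adb push fre3vo /data/local/tmp/fre3vo || return 1
    # 755 is enough: the binary needs to be executable, not world-writable.
    adb shell chmod 755 /data/local/tmp/fre3vo || return 1
    adb shell /data/local/tmp/fre3vo
    sleep 2                                   # assumption: let adbd settle
    _id_line=$(adb shell id | tr -d '\r')     # old adb shells emit CRLF
    if uid_is_root "$_id_line"; then
        echo "root shell available: $_id_line"
    else
        echo "not root: $_id_line" >&2
        return 1
    fi
}

# Only touch the device when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "run" ]; then
    evo3d_temp_root
fi
```

Run it as `sh temp_root.sh run` with the phone connected; sourcing the file without the argument only defines the functions, which is also how the uid check can be reused after the permanent root later in the chapter.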

Using S-OFF and Permanent Root Requirements

The AlphaRev, TeamWin and UnRevoked hacker teams all worked together to create the Revolutionary tool, which sets S-OFF on the EVO 3D and other phones. Revolutionary is a “closed-source” tool, meaning that the exploit it uses is not disclosed. The claim from the developers is that this prevents the method from being patched, or blocked, by OEMs and carriers.

At the time of writing, the Revolutionary tool is in developer pre-release (beta) state and requires a key derived from your device's serial number. The key is retrieved from the Revolutionary website in the course of running the tool.

Before you start, you need to follow these steps:

1. Download Revolutionary from http://revolutionary.io. (You can leave the serial key retrieval form open or come back to it later by clicking on a download link again.)

2. Install and configure the SDK (see Appendix A).

3. Install the HTC developer drivers. (You can download them from the wiki at http://unrevoked.com/rootwiki/doku.php/public/revolutionary.)

4. Download the TeamWin flashable custom recovery (TWRP) from http://forum.xda-developers.com/showthread.php?t=1192077 (download the zip file not the image file).

5. Download the superuser flashable file (su-2.3.6.3-signed-efgh.zip) from Section 99 of http://forum.xda-developers.com/showthread.php?t=1192525.

Place all the required files in a folder by themselves to avoid confusion.

Here is a brief overview of the steps involved with getting S-OFF on the EVO 3D:

1. Verify that the HTC developer drivers are installed and that you have connectivity between the PC and the device.

2. (Optional) Back up all data (for example, using the temporary root method in the previous section).

3. Run the Revolutionary tool.

4. Flash the custom recovery.

5. Flash the superuser binary.

6. Install the SuperUser application.

7. Run a full system backup from the custom recovery.

The procedure outlined below is fairly safe, but no procedure that rewrites the bootloader is brick-proof. As with all hacking activities, you accept full responsibility, and running the Revolutionary tool voids your warranty.

Running the Revolutionary Tool

Revolutionary runs on your local machine and communicates with your phone over the USB cable. The commands it sends to the phone are embedded in the binary and are not documented. Before you start, verify that you have ADB connectivity (see Appendix A for a refresher on using the adb devices command to test connectivity). The tool has a simple text interface, shown in Figure 7-1.

The utility will detect the device you have connected (it can be used with a number of HTC devices) and choose an appropriate S-OFF method.

The Revolutionary utility then asks for a key based on your device's serial number. At the time of writing, the Revolutionary utility is in beta test stage and requires a key generated by the Revolutionary website from that serial number. The development team has said that when the tool is publicly released, it will no longer require a beta key.


Figure 7-1: The Revolutionary S-OFF utility

To get your beta key:

1. Navigate to http://revolutionary.io.

2. Click the download button for your operating system.

3. Cancel the download window if you have already downloaded the utility.

4. The beta key form is now shown on the page.

5. Enter the serial number of your device as shown in the Revolutionary utility window.

6. Select your device and HBOOT version.

Your HBOOT version can be obtained by forcing the phone into bootloader mode with the command adb reboot bootloader. The HBOOT version is listed at the top of the white bootloader screen.

7. Click the “generate key” button and write down the beta key that is generated.

Now that you have the beta key, enter it into the Revolutionary utility window prompt (see Figure 7-2) and hit the Enter key.


Figure 7-2: Enter the beta key at the prompt

The Revolutionary utility then starts the S-OFF process. It takes a little time, and your phone will flash and reboot four times. Each time, the Revolutionary utility tells you that it is rebooting your phone.

At the end of the process, the utility asks you if you would like to download and install the ClockworkMod recovery. Answer “No” to this prompt as you will be installing the TWRP recovery.

The Revolutionary utility is not always successful at flashing the ClockworkMod recovery. There is the possibility of ending up in a boot loop if you use it to flash ClockworkMod.

After the Revolutionary tool has completed, your EVO 3D will be S-OFF. However, to get full root access, you need to install the superuser binary and a tool to manage SuperUser requests. The easiest way to do this is to flash the SuperUser packages to the file system using a custom recovery.

Installing a Custom Recovery

There are two ways that the TWRP (or any recovery) can be written to the recovery partition:

• using Fastboot (see Chapter 3) to flash an image file to the recovery partition

• using the built-in bootloader by renaming the file to the expected update package name (in this case, PG86IMG.zip).

The first time I rooted an EVO 3D, I used the Fastboot command to flash the recovery. In haste and with a lack of caution, I flashed the recovery image to the boot partition. This made my phone only able to boot into recovery. In essence, I had a soft-bricked device that took me a full day of sweat and fear to fix. I eventually fixed the issue with a combination of ADB reboot commands and Fastboot.

The second method is described here as it is safer and less likely to cause issues. You use ADB to push the recovery flashable to the SD card and rename it. This will bypass possible issues with Windows Explorer changing the name and extension of the file.

To flash the TWRP custom recovery, follow these steps:

1. Open a command prompt window and navigate to the folder to which you downloaded the TWRP custom recovery file.

2. Use ADB to push the file to the SD card and change the name with this command:

adb push PG86IMG-twrp-shooter-1.0.3.zip /sdcard/PG86IMG.zip

3. Use ADB to reboot into the HBOOT with the following command:

adb reboot bootloader

4. When the white bootloader screen comes on your device, use the up and down volume buttons to select the bootloader option and press the power button to select. The bootloader scans for the zip file you pushed to the SD card and flashes it.

5. When the zip file has been flashed, use the up and down arrows to select the reboot option and select it with the power button. The device will reboot.

6. Remove any PG86IMG.zip file that remains on your SD card. You can do this with a file explorer, such as ES File Explorer, or using the following ADB commands:

adb shell

cd sdcard

rm PG86IMG.zip
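The push-and-rename method above depends on the copy on the SD card being intact and on exactly one phone being attached when you reboot into HBOOT. The following script, added here as an example and not part of the book or of TeamWin's release, automates the ADB side of the steps and adds two checks: it refuses to continue unless adb devices lists exactly one device in state “device”, and it pulls the pushed zip back and compares it byte for byte before rebooting, so a truncated push cannot be handed to HBOOT. It assumes adb is on the PATH and the TWRP zip is in the current directory under the name used above; reading the file back with cmp is used instead of md5sum because the page does not say whether md5sum exists on the device. The serial numbers in the test data are constructed.

```shell
#!/bin/sh
# Added example (not the book's code): push PG86IMG.zip to the SD card and
# prove the copy is byte-identical before rebooting into HBOOT.
# Assumptions: adb on PATH, one EVO 3D in debug mode, TWRP zip in current dir.

# Given the text of `adb devices`, print the serial of the single attached
# device in state "device". Fail if there are none, several, or the device
# is listed as "offline" or "unauthorized" (no stray phone gets flashed).
adb_single_device() {
    _serials=$(printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { print $1 }')
    [ "$(printf '%s\n' "$_serials" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$_serials"
}

# Push a file, read it back and compare. Avoids relying on an md5sum binary
# being present on a Gingerbread device (assumption: it may not be).
push_verified() {
    _src=$1; _dst=$2
    adb push "$_src" "$_dst" || return 1
    _tmp=$(mktemp) || return 1
    adb pull "$_dst" "$_tmp" || { rm -f "$_tmp"; return 1; }
    cmp -s "$_src" "$_tmp"; _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Steps 1 to 3 of the book's procedure, with the checks above.
flash_twrp() {
    _serial=$(adb_single_device "$(adb devices | tr -d '\r')") || {
        echo "need exactly one device in state 'device'" >&2; return 1; }
    echo "using device $_serial"
    push_verified PG86IMG-twrp-shooter-1.0.3.zip /sdcard/PG86IMG.zip || {
        echo "push verification failed; not rebooting" >&2; return 1; }
    adb reboot bootloader
    # HBOOT now picks up PG86IMG.zip; finish steps 4 and 5 on the phone.
}

# Step 6 of the book's procedure, run once the phone is back in Android,
# so HBOOT does not offer to flash the same zip on every visit.
cleanup_pg86img() {
    adb shell rm /sdcard/PG86IMG.zip
}

if [ "${1:-}" = "flash" ]; then flash_twrp; fi
if [ "${1:-}" = "cleanup" ]; then cleanup_pg86img; fi
```

Run `sh flash_twrp.sh flash`, complete the two HBOOT steps on the phone, let it reboot, then run `sh flash_twrp.sh cleanup`. The same adb_single_device check is worth running before any fastboot command as well, since the one-device rule is what keeps a typo from hitting the wrong phone.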

Installing the Superuser Binary

Now you flash the superuser binary using the TWRP recovery. (If you did not download it earlier, download su-2.3.6.3-signed-efgh.zip from Section 99 at http://forum.xda-developers.com/showthread.php?t=1192525.) You need to push the file to your SD card, reboot into recovery and then flash it from the recovery.

With your device on, connected and in debug mode, enter the following commands to copy the file to your SD card:

adb push su-2.3.6.3-signed-efgh.zip /sdcard/su-2.3.6.3-signed.zip

adb reboot bootloader

You can type su and then press the Tab key to auto-complete the rest of the long local file name; the destination path on the device has to be typed in full.

1. When the white bootloader appears, use the volume buttons to highlight bootloader and press the power button.

2. The bootloader scans the SD card for a PG86IMG.zip (it finds none now, because you removed it) and then shows the menu; select the recovery option to boot into the TWRP recovery.

3. When the TWRP recovery boots, select the “Flash Zip” option using the power button.

4. Use the volume buttons to navigate to the superuser binary and select it with the power button. The TWRP recovery flashes the zip file’s contents and then reboots the device.

When the device reboots, the superuser binaries are in place and you are ready to move on to the next step.
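Before installing the management application it is worth confirming that the zip actually installed a usable su: what makes root available to applications is that the su binary is owned by root and carries the setuid bit, and a # prompt in adb does not prove either. The following check is an added example, not the book's code or part of the su package. It assumes adb is on the PATH and that the zip placed su in /system/bin or /system/xbin (the page does not say which, so both are tried); the ls -l lines in the test are constructed in the format Android's toolbox ls prints.

```shell
#!/bin/sh
# Added example (not the book's code): verify that the flashed su binary is
# owned by root and setuid, which is what the SuperUser app relies on.
# Assumptions: adb on PATH; su at /system/bin/su or /system/xbin/su.

# Accept one `ls -l` line from Android's toolbox ls, e.g.
#   -rwsr-sr-x root     root        22228 2011-08-25 20:05 su
# and return 0 only if the owner is root and the owner-execute slot is "s"
# (setuid plus execute). A capital "S" would mean setuid without execute.
su_line_is_setuid_root() {
    set -- $1                 # split into fields: mode owner group ...
    _mode=$1; _owner=$2
    case "$_mode" in
        -??s*) ;;             # regular file, setuid bit set on an executable
        *) return 1 ;;
    esac
    [ "$_owner" = "root" ]
}

# Look for su in the two usual places and report the first one found.
check_su() {
    for _p in /system/bin/su /system/xbin/su; do
        _line=$(adb shell ls -l "$_p" 2>/dev/null | tr -d '\r')
        case "$_line" in
            *"No such file"*|"") continue ;;
        esac
        if su_line_is_setuid_root "$_line"; then
            echo "ok: $_line"; return 0
        fi
        echo "present but not setuid root: $_line" >&2
        return 1
    done
    echo "su not found in /system/bin or /system/xbin" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then check_su; fi
```

If the check reports “present but not setuid root”, reflash the zip from TWRP before continuing; installing the SuperUser application will not repair the binary's permissions.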

Installing a SuperUser Application

Now that you have a custom recovery and the superuser binary in place, you need a way to handle root and root requests from applications and the Android operating system. ChainsDD, a developer of exceptional talent, has created a superuser management application known as SuperUser. You install ChainsDD’s SuperUser application to handle all superuser requests.

1. Search in Google Play for the “SuperUser” application from ChainsDD.

2. Download and install the SuperUser application. (You can purchase SuperUser Elite to thank ChainsDD for his excellent work in the Android hacker community. He works very hard to make this easy for us. For less than a cup of coffee, you can help ChainsDD continue his work for the hacker community.)

3. Run the SuperUser application on your EVO 3D. If the application detects a valid installation of SuperUser binaries, you will be fully rooted with S-OFF.

4. Reboot into TWRP to make a full backup of your file system.

At this point you can download ROMs with customizations and optimizations. Custom ROMs usually have carrier bloat removed and contain customizations to the firmware. Downloading ROMs from the XDA forum can be addictive. Check out one of the aggregate posts (such as http://forum.xda-developers.com/showthread.php?t=1192661) that keep track of the most popular ROMs and custom themes.
