Chapter 9: HTC ThunderBolt: A Tightly Locked Device

In this chapter:

• Information about the HTC ThunderBolt

• Rooting the HTC ThunderBolt

The HTC ThunderBolt was introduced to the Verizon LTE (4G) network as a 1 GHz Android device with 768 MB of internal memory. It was one of the first generation of devices to offer 4G speeds on the Verizon network.

The ThunderBolt was also one of the more locked-down HTC devices with multiple levels of security checks and encryption. The locked-down nature of the ThunderBolt was intended to keep the device well within the control of the OEM and carriers. However, the ThunderBolt was freed by a combination of the proven psneuter exploit and some new magic in the form of a downgrade firmware that could be rooted.

I have chosen to walk through rooting the ThunderBolt because it is one of the root processes that makes you feel very much as if you are hacking. The reality is that all of the hard work has been done by the developers, such as Scott Walker and Team AndIRC. However, using the exploit and skills you learned in Chapter 3, you will quickly realize you are doing real device hacking.

When released, the device was rumored to be “unbreakable”. The hacker community made short work of it anyway. The ThunderBolt went very quickly from being one of the most locked-down Android devices to joining the ranks of completely free Android devices. The walkthrough in this chapter examines each step of the process.

Root Methods Available

Most of the root methods for the ThunderBolt follow the walkthrough procedures with slight alterations for updated versions of the phone and changes that come with over-the-air updates from Verizon. It is extremely important that you do your homework on the XDA forum to determine which process is correct for your device version, HBOOT version and Android build.

This particular walkthrough is for the MR1/OTA Firmware 1.13.605.7 version. You can check your firmware version by navigating to Settings → About Phone.

The device-specific forum on XDA can be found at http://forum.xda-developers.com/forumdisplay.php?f=940. A good reference thread for this procedure is at http://forum.xda-developers.com/showthread.php?t=996616.

Some posts say that the method covered in this chapter is outdated. That is because an easier method is now available. The Revolutionary tool is covered in Chapter 7 and should be used if possible. The method discussed here is still appropriate and still works if the version of Android is the same as originally shipped on the device.

Resources Required for this Walkthrough

The following files can be downloaded from embedded links in http://forum.xda-developers.com/showthread.php?t=996616:

• the custom ROM upgrade utility, PG05IMG_downgrade.zip (MD5SUM: aae974054fc3aed275ba3596480ccd5b)

• the BusyBox binary

• the exploit files, wpthis and psneuter

• the superuser (SU) binary

• the misc.img file (MD5SUM: c88dd947eb3b36eec90503a3525ae0de) for overwriting the eMMC

• the hbooteng.nb0 image file for replacing the HBOOT (MD5SUM: 6991368ee2deaf182048a3ed9d3c0fcb) (This is the developer version of HBOOT that gives access to more Fastboot commands.)

• the custom ROM upgrade utility PG05IMG_MR1_upgrade.zip (MD5SUM: 7960c7977c25b2c8759605be264843ea).

Place all of the files you download into a single folder on your PC. The files are easier to reach from the command prompt if you create the folder at the root of one of your PC’s hard disks, for example, D:\ThunderboltRoot. Unzip the exploit files and the BusyBox and SU binaries into your folder.

Do not unzip the downgrade and upgrade zip files. They are ROM upgrade utility (RUU) files—signed firmware that will be used to downgrade your firmware and then upgrade after granting S-OFF to your device. It is extremely important that you do not unzip these files. Place the zip files in your folder.

Walkthrough

ADB has to be set up before you start this process. Refer to Appendix A for instructions on setting up and using ADB.

Read everything. Read the XDA threads. Charge your phone. You can brick your device if you do not follow these instructions correctly. You will void your warranty. You assume all responsibility.

Pushing Files to the Device

The first step is to push the exploit file, BusyBox and the exploit image to a part of the file system that is writeable without root access. You will use ADB to push the files and then change the permissions on the files so that they can be executed as binaries.

You will use the ADB shell in its non-interactive mode. When you practiced the chmod skill in Chapter 3, you used the ADB shell in interactive mode. In non-interactive mode, your command prompt does not change to $ after the first ADB shell command. Instead, the command is run on the device and you return to the PC command prompt.

1. Open a command prompt window on your PC and navigate to the folder in which you saved the files.

2. Run the following commands to push the files to the writeable portion of the file system:

adb push psneuter /data/local/

adb push busybox /data/local/

adb push misc.img /data/local/

3. Enter the following commands to change the permissions on the files:

adb shell chmod 777 /data/local/psneuter

adb shell chmod 777 /data/local/busybox

Gaining Temporary Root

The next step is to gain temporary root access. This is accomplished via an exploit in which ADB checks for the S-OFF and S-ON security flags for the connected device. Scott Walker has wrapped up this exploit into the psneuter utility you have just uploaded to your device.

You now use the ADB shell in its interactive mode (as you did in Chapter 3). In the middle of the process, your ADB shell may seem to freeze—this is expected and you will close your command prompt window as necessary and restart it to continue the process.

Root access using the psneuter exploit is very fragile. It will disappear if your device is rebooted. In fact, it can also be revoked by some device activities. Make sure your device is fully charged and follow only the steps here.

1. Enter the following command to enter the interactive mode of ADB shell: adb shell.

Your PC command prompt should be replaced by the $ prompt that signifies you are operating in the Android operating system with a low or “not root” access level.

2. Enter the following command to run the psneuter exploit: /data/local/psneuter

There will be a slight pause and one of two things may occur:

• You may be kicked out of the ADB shell and see the PC command prompt again.

• You may freeze at the command prompt and not be able to enter anything.

In either case, simply open a new command prompt window and continue from the next section. It is highly unlikely that you will need to run the psneuter exploit a second time. If you do not have temporary root (indicated by the # prompt in the ADB shell), reboot your phone and try the process again from the top.

Checking a File’s MD5 Signature

The BusyBox binary (see Chapter 3) contains many commands for the Android operating system, including a command that allows you to hash any file to check its MD5 signature.

When you download a file, you should hash the copy on the file system to verify that it is the correct size and no corruption has occurred. After you write the image file to the part of the file system set aside as storage for particular code, you again hash the data to verify that it was written correctly and with no corruption.

Writing the Temporary Bootloader

Now you will use the misc.img file you uploaded to overwrite a portion of the ThunderBolt’s file system. This will allow you to downgrade the firmware so you can upgrade to a rooted image.

Before you do something as destructive as overwriting a portion of the bootloader, you want to be very, very sure that the data you will be writing matches the known good exploit code. When the exploit was created, it was run through an MD5 hash procedure that generated a one-way hash code that can be used to verify the file whenever it is downloaded or moved.

The process for verifying the MD5 hash of a file is described in detail in Chapter 3. You must enter the following command at the # prompt of the ADB shell:

/data/local/busybox md5sum /data/local/misc.img

The output from the hash command should be c88dd947eb3b36eec90503a3525ae0de. If the output string deviates in any way from the expected string, you need to repeat the process of downloading the file and pushing it to the required location.

It is critical to check (and double-check) the MD5 hash here because you are writing to a section of memory with a powerful command. A mis-step or single faulty bit will be the absolute end game for the phone. That is rarely true for rooting procedures.

Once the hash string is identical to the expected string, you can write misc.img to its new home.

1. On the ADB shell command line, enter the following command (see Chapter 3 for more information about the dd command):

dd if=/data/local/misc.img of=/dev/block/mmcblk0p17

2. Verify the MD5 hash of what was copied by entering the following command:

/data/local/busybox md5sum /dev/block/mmcblk0p17

The MD5 hash output should match the following string exactly: c88dd947eb3b36eec90503a3525ae0de. If it does not match exactly, repeat these steps.

Downgrading the Firmware

In this step, you flash a signed version of the firmware earlier than the one with which your device shipped. As mentioned in Chapter 2, the bootloader looks for a specifically named file for updates to the device firmware. You copy the signed downgrade zip file to the device’s SD card using ADB commands.

1. In a command prompt window on your local PC, enter the following command to open the ADB shell in interactive mode: adb shell.

2. Enter the following command to push the file to the SD card under the name the bootloader expects:

adb push PG05IMG_downgrade.zip /sdcard/PG05IMG.zip

3. Enter the following command to verify the MD5 hash of the pushed file:

/data/local/busybox md5sum /sdcard/PG05IMG.zip

The MD5 hash output should match the following string exactly: aae974054fc3aed275ba3596480ccd5b. If it does not match exactly, repeat Step 2 and check it again. You may also want to download the file again. Do not unplug your phone or reboot it—if your phone is turned off or reboots at this point, it is likely to be permanently bricked. Just keep trying until the hash comes out correctly.

4. When the hash string matches, enter the following command:

adb reboot bootloader

5. When the white HBOOT bootloader screen shows up, use the volume up and down buttons to select the “bootloader” option and press the power button to select the bootloader. The bootloader locates the signed zip file and flashes it to your device.

6. When you are asked to upgrade, select the “yes” option. Get a cup of coffee and let it do its thing. The flash and reboot can take a long time.

7. When it’s done, select the “reboot” option and allow it to reboot.

When the phone has rebooted, use a file explorer (such as ES File Explorer) to locate PG05IMG.zip on your SD card and delete it. This is important as you will later place another signed firmware there for flashing to upgrade the firmware.

Gaining Temporary Root to Unlock the MMC

You are going to follow almost the same procedure as you did earlier when pushing files to the device. Then you will run the two-part exploit to gain temporary root and unlock the MMC.

1. In your PC command prompt window, make sure that you are in the folder to which you extracted all the ThunderBolt exploit files.

2. Run the following commands:

adb push psneuter /data/local/

adb push busybox /data/local/

adb push wpthis /data/local/

adb shell chmod 777 /data/local/psneuter

adb shell chmod 777 /data/local/busybox

adb shell chmod 777 /data/local/wpthis

3. Run the following commands to get temporary root:

adb shell

/data/local/psneuter

Remember this exploit throws you out of ADB shell, so don’t panic. Simply reopen the ADB shell and continue with the following step.

4. Run the MMC unlock:

/data/local/wpthis

exit

Rewriting the Bootloader

First you push the HBOOT to the file system and verify the MD5 hash. Then you write the file to the MMC and verify the MD5 hash. This is the single most critical moment of this process. If you do not get an exact hash from the MD5SUM command you must rewrite until you get the correct MD5 hash.

If this part of the procedure is done incorrectly, you can completely brick your phone. Go slowly, read ahead and don’t panic.

1. In your PC command prompt window, make sure that you are in the folder to which you extracted all the ThunderBolt files.

2. Enter the following command to push the file to your device:

adb push hbooteng.nb0 /data/local/

3. Open the ADB shell and check the file’s hash value using the following commands:

adb shell

/data/local/busybox md5sum /data/local/hbooteng.nb0

4. Look carefully at the output. It must match the following string: 6991368ee2deaf182048a3ed9d3c0fcb.

If the output of the MD5SUM command does not match the string exactly, you must download the file again.

5. From the ADB shell’s # prompt, enter the following command to write the new bootloader:

dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18

6. When that process completes, you need to verify the MD5 hash of what ended up in the MMC memory block. At the ADB shell prompt, enter the following command:

/data/local/busybox md5sum /dev/block/mmcblk0p18

The MD5 hash output should match the following string exactly: 6991368ee2deaf182048a3ed9d3c0fcb. If it does not match exactly, repeat Step 5. Do not unplug your phone or reboot it—if your phone is turned off or reboots at this point, it is likely to be permanently bricked.

7. When the hash string matches, enter the following commands to leave the ADB shell and reboot your device:

exit

adb reboot
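The two dd steps above (misc.img to mmcblk0p17, hbooteng.nb0 to mmcblk0p18) both follow the same pattern: hash the image, refuse to write unless it matches, write, then hash the target. The following wrapper is an added example, not code from the book or from the ThunderBolt developers; it assumes a md5sum command is on the path (on the phone you would set MD5="/data/local/busybox md5sum") and uses a constructed sample file rather than a real partition, so it can be tried safely on a PC first.

```shell
#!/bin/sh
# Added example: verify-before-write / verify-after-write wrapper for the dd step.
# MD5 is the hashing command; on the device set MD5="/data/local/busybox md5sum".
MD5=${MD5:-md5sum}

# Print only the hex digest of a file or block device (drop the file name column).
md5_of() {
    $MD5 "$1" | cut -d' ' -f1
}

# Return 0 if the digest of $1 equals the expected string $2, 1 otherwise.
check_md5() {
    actual=$(md5_of "$1") || return 1
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "FAIL $1 expected $2 got $actual" >&2
    return 1
}

# Write image $1 to target $2 only if the image hash equals $3, then re-hash the
# target. A corrupt download stops the procedure before dd ever runs, and a
# mismatch after the write tells you to repeat the dd step, as the book instructs.
safe_write() {
    img=$1; target=$2; expected=$3
    check_md5 "$img" "$expected" || return 1
    dd if="$img" of="$target" 2>/dev/null || return 1
    check_md5 "$target" "$expected" || return 1
}

# Constructed demonstration input (not the real misc.img); a real run would be:
#   safe_write /data/local/misc.img /dev/block/mmcblk0p17 c88dd947eb3b36eec90503a3525ae0de
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/sample.img"          # md5: b1946ac92492d2347c6235b4d2611184
    safe_write "$tmp/sample.img" "$tmp/target.img" b1946ac92492d2347c6235b4d2611184
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` to see the OK lines for a good image; passing a wrong expected hash to safe_write prints FAIL and leaves the target untouched.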

Upgrading the Firmware

Now you use ADB to copy the upgrade zip file to your SD card and allow the new bootloader to write it to your device.

1. Make sure you have a PC command prompt window open and are in the folder where you placed the signed zip file.

2. Enter the following command to push the file to your SD card:

adb push PG05IMG_MR1_upgrade.zip /sdcard/PG05IMG.zip

3. Because we only acquired temporary root earlier, we must push the BusyBox binary to the device as well:

adb push busybox /data/local/

4. Verify that the upgrade RUU firmware matches the MD5SUM hash for the file (7960c7977c25b2c8759605be264843ea):

adb shell

/data/local/busybox md5sum /sdcard/PG05IMG.zip

If the hash strings do not match, download the upgrade zip file and push it to the SD card again until they do match.

5. Once the file is correctly written to your SD card, you can let the new bootloader write the new firmware:

exit

adb reboot bootloader

When the white HBOOT screen boots up, use the volume and power buttons to select the “bootloader” option. The bootloader will check for PG05IMG.zip and flash it. Again when asked to upgrade, select “yes” and go for a cup of coffee—it can take a while. When the flashing is completed, reboot the device and remove PG05IMG.zip from your SD card.

At this point you are running a device that is S-OFF—it has the security flag off and is running release (as opposed to developer) firmware.

Download SuperUser.apk from Google Play by searching for the SuperUser application. You can also purchase and install RomManager to have access to custom recoveries and custom ROM firmware for flashing.

If you were to accept a download pushed over the air (OTA) from your carrier, you would be very likely to undo all of your hard work: it will unroot and remove the custom firmware. It is best not to accept OTA updates. However, if you install a custom ROM, you are unlikely to see OTA updates, as most ROMs block them. Most custom ROMs release their own updates based on the OTAs.
