Database Users

[MISC] Major news on SIM unlocking and radio S-OFF

This has been in progress for a while. If you follow the G2 forums, then you'll know that there have been big problems with G2 phones that have been unlocked via unlock codes, with those unlocked phones then not being able to find a network at all.
It looks like the guys on #G2ROOT have cracked S-OFF for radio. This is *not* the same as the current S-OFF that we have from HBOOT. Apparently it should help to prevent semi-bricking via incorrect flashing of older ROMs.
The article in the Wiki explains all. Documentation about the procedures should be coming soon. We will of course have to make sure it's fine on the DZ too :
http://forum.xda-developers.com/wik...Subsidy_Unlock.2C_SuperCID.2C_and_Radio_S-OFF

nice gives all those "bricked" g2's hope

Radio S-OFF is permanent S-OFF?
So no more warranty? Damn.
I'll stick to the stock ROM for a while with root, then HBOOT S-OFF, but never radio S-OFF.
I like warranty. Never know when you'll need it.

DanWilson said:
Radio S-OFF is permanent S-OFF?
So no more warranty? Damn.
I'll stick to the stock ROM for a while with root, then HBOOT S-OFF, but never radio S-OFF.
I like warranty. Never know when you'll need it.
Click to expand...
Click to collapse
I imagine it'll still be possible to reverse it. From a scan of the IRC logs (though of course I might have missed important stuff), it looks like you just need to write the correct data to the right area of a partition to get the radio S-OFF. So surely you can un-do that by writing the previous data ?

Documentation on this is now up, see http://forum.xda-developers.com/showthread.php?t=855764
Bear in mind that the instructions are for the G2 right now, so if you try this out on a DZ there's a high chance of a permanent brick ! But hopefully someone will sort out a verified method for the DZ soon

I would not advise people do this form of S-OFF unless they really need to anyway, its harder to come back from (if you did semi-brick) and holds more risks.

Lennyuk said:
I would not advise people do this form of S-OFF unless they really need to anyway, its harder to come back from (if you did semi-brick) and holds more risks.
Click to expand...
Click to collapse
But when an easier way to do it comes along (which is being worked on, I believe), a full S-OFF will be a lot safer, because then it won't be so easy to brick your phone by simply flashing an old RUU.

steviewevie said:
But when an easier way to do it comes along (which is being worked on, I believe), a full S-OFF will be a lot safer, because then it won't be so easy to brick your phone by simply flashing an old RUU.
Click to expand...
Click to collapse
people should not be flashing an old RUU anyway!
anyone who is silly enough to do that gets a brick for a reason.
Always either flash the latest ruu, or restore a nandroid of stock and flash an ota it offers, these are the safest ways.
You will get more bricks from people doing radio s-off than the s-off + ruu method gives.

Lennyuk said:
I would not advise people do this form of S-OFF unless they really need to anyway, its harder to come back from (if you did semi-brick) and holds more risks.
Click to expand...
Click to collapse
You're an ass-talker. You talk through your ass, blow hot air, and have no idea what you're talking about.
1) it is SAFER,
2) it is EASIER to come back from,
3) it is SAFER.
Why is it safer? Because it does NOT require writing the hboot or radio! You can blow p7 out and android will still boot, which means that you have the opportunity to fix it if something goes wrong.
A bad flash of the radio or hboot and you're dead.

For those who might not have seen it yet, there's now a fully documented procedure on how to do this to your DZ (and yes, it's been tested on the DZ too).
As has been said, this is a safer method to get S-OFF (letting you flash custom ROMs) than the previous method of putting on an engineering hboot.
See http://forum.xda-developers.com/showthread.php?t=857390

DanWilson said:
Radio S-OFF is permanent S-OFF?
So no more warranty? Damn.
I'll stick to the stock ROM for a while with root, then HBOOT S-OFF, but never radio S-OFF.
I like warranty. Never know when you'll need it.
Click to expand...
Click to collapse
all i do for warrenty with modded phones is feed 12-20 volts ( from a wall adapter) into the battery contacts and tost the main board and bring it back as dead they send me a new one no questions asked cause the phone is dead...even did this with a htc ppc6800 that i smashed the screen in and thay warrenteyed it no prob....this is on bell in canada....
666

I was following your discussion on bricking because of flashing ruus but for some reason it doesn't apply to me. I had an Asian WWE 1.34.707.5 (shipped with my phone) then I flashed it with Asian WWE 1.34.707.3 RUU and it didn't brick my phone.

[Q] Unroot for Warranty Repair

I need to send my Mytouch 4g in for repair due to an issue with "limited service" problems. Both T-Mobile and HTC said it is a rare problem and it needs to come in for repair.
My problem is that my phone is/has been rooted. I need to COMPLETELY UNROOT it before sending it in, or they will not repair/replace.
What can I do to completely unroot so they will not know that it was ever rooted?
I have run the unlockr method with the PD15IMG but Im not sure that is it. What else can do to see that it was rooted? Is there anything other than info in the bootloader? I turned the S-On again.
PS - the issue with my phone is when i put in my SIM card (under any rom, including stock) it comes back with a message saying "limited service" and i cannot do anything to fix it. If you have an answer for this too, that would be helpful.
Either way I dont want to lost this phone due to root/warranty problems.
Thanks ahead of time....

How did you root it? Did you use gfree and simunlock? Did you flash engineering hboot? Did you S-OFF? Did you flash custom images?
There are a lot of questions to answer in what to undo.
If you SIM/Super CID unlocked and radio S-OFF with gfree then you need to follow the instructions in the gfree thread on how to restore your part7 backup.
If you flashed the engineering hboot, again, follow info in the gfree thread on how to flash it back to stock.
Once you are back to normal hboot and S-ON, just loading the PD15IMG for the complete OTA (find the thread in the dev section) will factory wipe and clear the rest for you.

Thanks for the quick reply. I followed the unlockr method completely to gain root.
theunlockr.com/2010/12/10/how-to-gain-permanent-root-and-s-off-on-the-t-mobile-mytouch-4g-htc-glacier/
Then I installed Iced Glacier.
I also did their unroot method which includes flashing the PD15IMG and turning the S-On. Normally, should I receive an OTA after flashing this? Or is this THE updated image?
If is should expect an OTA, I will not get it. The reason i need to send the phone in is because i do not get service with the SIM card in. It reads "Limited service" "Emergency Calls Only". In this case, i would not recieve an OTA. Is there anything else I can do?
Thanks again.

http://forum.xda-developers.com/showthread.php?t=858996
Scroll down to "follow these steps to restore stock hboot (0.86.0000) and flash that back on if you have not already.
If you flashed the PD15IMG from this thread then it already has the OTA updated applied and you should be g2g.

Thank you very much. That is a huge help.
After updating the HBoot and flashing the PD15IMG we should be back to stock.
Is there any way after that HTC will see it as previously rooted?
I thought to myself that the hackers were smarter than the developers.... Im glad I was right.
Thanks again.
Sent from my HTC Glacier using XDA App

pnut22r said:
Is there any way after that HTC will see it as previously rooted?
Click to expand...
Click to collapse
With S-ON, a stock hboot, and a fresh flash of the OTA image -- no, not to my knowledge.

Ok so I am expecting to receive a replacement for the BAD SCREEN (inferior) issue. So preparing to get my phone to STOCK condition.
--------PRESENT STATE----------
Rooted - using http://forum.xda-developers.com/showthread.php?t=858021
S=OFF
Radio - 26.09.04.26
ROM - Nexus AOSP 1.2.7
Recovery - 3.0.2.4
----------STOCK STATE------------
Unroot - http://forum.xda-developers.com/showthread.php?t=924923
S=ON
Radio - 26.03.02.26 http://forum.xda-developers.com/showthread.php?t=1059347
Recovery - ????
Now I kind of know where I need to be at but I am not sure of the sequence of the steps. Also, how do I get back to stock recovery from Clockwork?
Is there a good check list of things to make sure before sending back the old phone?
thanks a lot.

for unroot
download stock rom from here http://forum.xda-developers.com/showthread.php?t=901477
rename it PD15IMG.zip and put it in the root of your sdcard not in a folder
go into hboot by powering off then hold VOL DOWN+POWER
then it will automatically check to find PD15IMG.zip when it ask for update click yes
wait for it to install done stock unroot

Thanks for your reponse. I was aware of that method and was planning on using it. Does that also take care of clockwork recovery and updated radio?

[Q] AlpharevX and S-OFF

A little question about AlpharevX that I had on my mind for some time.
What I would love is the right answer and not thousand of people guessing it, so ideally, please refrain from answering if you are not sure.
XTC Clip gives us factory S-OFF, through the likely emulation of the official HTC SIM card with the relevant RSA keys. If you use the XTC clip, your phone becomes a 'dev' phone, totally unlocked as it was meant by HTC.
Now what about AlpharevX?
There are a lot of people talking about it making their phone S-OFF.
Now the question.
Is the AlpharevX S-OFF the same as the XTC Clip S-OFF, ie achieved by clearing the s58 security flag, OR is it just patching the HBOOT to make it think that S is OFF (like Alpharev 1.8 did), OR is it achieving this feat in some other way?
On the Alpharev 1.8 page, it says:
Since we are unable to access the Radio NVRAM itself (where secuflag is stored),
Click to expand...
Click to collapse
So this got me wondering.

It is a reversed engineerd bootloader that thinks that the secuflag is off. So nothing is changed in the radio, they just put a new hboot on your phone.
Alltough it is a reversed engineerd one, it does do everything that the standard htc hboot does. It does even more: there is the posibility to use fastboot, which is not possible with the factory bootloader. So making your phone s-off by the xtc clip will not allow you to use fastboot, flashing the one from alpharevx does.
Erwin

finally a clean and clear explanation thread, thanks erwinP.
i think i'm not the only one that wonder a simple thing: is s-off reversible?
almost everybody knows that flashing custom firmware invalidate the warranty, so, in case of problems (not necessarily due to the new firmware) is it possibile to revert the phone to its original state (original fw, original hboot, s-off) and send it back to htc?

Thanks Erwin.
So the phone is still S-ON, but does not care about it anymore. Sweet.
I was asking this because I was thinking that if I were a developer, I would have put some code in all sort of horrible places to check for this sort of bypass, a bit like in the first PS, where games stopped working if they detected a modchip.
But then if I were an HTC developper, I would have had total faith in HBOOT 1.000.1 being unbreakable, so I may not have bothered
In any case, how did they manage to get a custom HBOOT ? Does anyone know?
Is it signed ?

You're welcome! ;-)
It is of course not signed ;-) I've asked them, but they wouldn't say it, propably for the same reason as why unrEVOked keep there method secret untill htc has come up with an update that fixes the exploit. So I understand why they won't tell us and also, you do not ask for your grandmother's secret family recepy, do you ;-)
All we know is that they use a combination psneuter and gingerbreak to get a temproot, and than somehow manage to get pass the nand protection to replace the factory hboot by there hboot. Or at least, that is my interpretation of what I've read here on this forum somewhere
Erwin

metv said:
finally a clean and clear explanation thread, thanks erwinP.
i think i'm not the only one that wonder a simple thing: is s-off reversible?
almost everybody knows that flashing custom firmware invalidate the warranty, so, in case of problems (not necessarily due to the new firmware) is it possibile to revert the phone to its original state (original fw, original hboot, s-off) and send it back to htc?
Click to expand...
Click to collapse
Sorry I didn't see your question.
Once they have a way to replace the stock hboot by there one, there hboot can be easely replaced in the same way by the stock one, to get an s-off device again. They have already said somewhere that they will provide a way to revert the proces, just in case you have to bring your phone back in waranty. There are real genuises, aren't they ;-)
Erwin

Thanks for the clear explanation chaps.

What I am gonna do to go "Completely Stock" --Help me here people please--

So, after rooting with revolutionary tool, i gotta go back to stock for waranty purposes.
My stock version is an arabic one, so here is what I am gonna do,
1. Use a WWE froyo RUU.
2. Push hboot 1.0.0001 through ADB.
3. Run my locale version RUU (Arabic One) (Froyo) which will bring me to hboot 1.0.0002. --iHope--
Is this procedure right ?!
Please I need fast feedback in order to start doing it as I need to send my phone to waranty as soon as possible.
Thanks everyone!

Please refer to this thread
PS: First time I used that RUU my hboot was 0.8.x so I only had to run the .exe file WHILE THE PHONE WAS BOOTED INTO BOOTLOADER ( Hold Power Button>Reboot>Bootloader)
I re-rooted my phone soon after with Revolutionary but did not used any RUU.exe because I will not go stock yet.
If the RUU won't work while the phone is ON, just reboot it into Bootloader, that should do the trick.

after rooting my wildfire and testing many Roms and even going back to the original RUU, i can say that it will never be like the stock Rom

Thx guys for your effort,
but I know how to do all this, I am not that newbie!
I just wanted to know if the procedure is right, so I can be safe!
And I just did it, and I am done, smoothly with no problems!

Have you got your S-ON? I want to know because I want to unroot soon for warranty reasons and my phone was S-Off since I got it from Vodafone...

Dethox said:
Have you got your S-ON? I want to know because I want to unroot soon for warranty reasons and my phone was S-Off since I got it from Vodafone...
Click to expand...
Click to collapse
Yes I did, with hboot 1.0.0002 and COMPLETE stock, just as I got it from the factory!

Good to know that. I just remembered that my bootloader was unlocked when I bought the phone from Vodafone so I cannot get S-On back...
Nevertheless, I will try my luck soon. I just need to find the warranty sheet ) ....I lost it and cannot find it....lol

What does this mean exactly?

PermROOT said:
Hello Phateless do you remember me? lol I am always on diff name so ya.
But yes PD15IMG.zip is not the golden solution to everything. It all depends on how you originally rooted your MT4G as VISIONary+ (TempROOT) and root.sh (PermROOT). In that case your S=OFF security off flag is dependent on the eng hboot which was pushed to /dev/block/mmcblk0p18 during PermROOT.
Now since its not true security off once you have newer radio. You try to run PD15IMG.zip (Sense 2.2.1 Rom/Radio 26.03.02.26_M) after the first update which is stock hboot you would be locked due to it changing S=ON thus on next step it will fail due to the image being older than originally on which is currently flashed which would be the radio. In this case your in a point where you shouldn't be as you can be locked out and no way to reroot. which I am working on finding. This also goes for gfree radio s=off.
If you do want to go back download PD15IMG.zip (stock radio 26.03.02.26_M) and then flash it once that is done then you can revert back to stock rom/radio using standard PD15IMG.zip (Sense 2.2.1 Rom/Radio 26.03.02.26_M). Keep in mind unless the new PD15IMG.zip is out you can't revert it back if your locked out due to source being outdated than current image.
Click to expand...
Click to collapse
--------------------------
Found this post here in THE Bible. Trying to understand exactly what it means.
What is he saying here?
Can someone put this into noob terms please?
THANK!!!

I am not sure how to explain it furthermore as when I posted that it was clear to everyone, but ill try to simplify.
The original stock rom that came with our device was 2.2.1S and later we had GB2.3.X port and we mostly switched. Then came the radio rom which I hope I don't need to explain what the image does. So the standard stock radio that came with our device was 26.03.02.26_M. So later on as Panache came out we had leak to other radios which user could flash, thus changing it from stock radio to leaked radio. I hope it make sense up to there.
Now keep in mind we have 2 type of root meth as one is via TempROOT/PermROOT as I explained before via VISIONary+ which just push the eng_hboot and gives the illusion of S=OFF but the true security is not off as that is only done if you do the other rooting meth which is PermaROOT which disables the radio security completely.
Now the problem few users faced was when they flashed the leaked radio and they wanted to revert back to stock rom/radio via PD15IMG.zip for our MT4G (IDD15000). The installation would fail only for folks who had root via PermROOT as they never had true S=OFF thus once the eng_hboot is replaced with stock bootloader the security is disabled thus user can't complete the second part of the process which would be flashing the radio. So only solution was that they first revert back to stock radio or wait for newer radio because the source of the image inside PD15IMG.zip was older than the radio.img that was already flashed inside user's MT4G.
I hope it explains if not well IDK how to explain any better man :O

So if I'm understanding this all correctly, how I find out if this will affect me?
Where and what information should I provide you in order to find out if this will happen to me as well.
I'm getting ready to send my phone in for an exchange and was looking to flash PD15IMG.zip before doing this when I came across this post.
I rooted my phone with Visionary R14 and Terminal Emulator.
What other info do you need? Please let me know. Thank you.

At this point it wont affect you as thats obsolete due to TMoUS releasing newer stock rom/radio for our MT4G few months ago as Panache radio leak is older than the current stock rom/radio. As its GB2.3.4S which comes with the newest radio which is newer than any radio you flash. So the source of the PD15IMG.zip if you have the newest one then it will always be newer or equal to the radio.img already in device and it means in simple term it will flash the 2nd part. I hope it make sense as it should not affect anyone now. Even if it does all they have to do is run the current new PD15IMG.zip and it will fix the issue which user faced few months back.

nguyendqh said:
So if I'm understanding this all correctly, how I find out if this will affect me?
Where and what information should I provide you in order to find out if this will happen to me as well.
I'm getting ready to send my phone in for an exchange and was looking to flash PD15IMG.zip before doing this when I came across this post.
I rooted my phone with Visionary R14 and Terminal Emulator.
What other info do you need? Please let me know. Thank you.
Click to expand...
Click to collapse
If this is all about going back for an exchange, i recently did just this. Please see my post on the topic: http://forum.xda-developers.com/showthread.php?t=1241740
If all you did was the temproot/permaroot method via visionary+, and not the gfree method (gfree is actual s=off), then I believe some of the steps may be different. Specifically, you may be able to skip the whole bit about turning s=on again.
So which is it?

So rooted via Visionary R14 and being on Virtuous Unity (newest update)
I should be able to flash PD15IMG.zip from this link here: http://forum.xda-developers.com/showthread.php?t=863899
and have no problems yeah?
Sorry for all the questions. But yeah I'm only half to 75% following what you're saying.
I'm not advanced yet. =(
Thanks for the help again though.

Keep in mind PD15IMG.zip is the default system file for our device which is checked on the bootloader as our device ID is PD15000 thus getting the PD15IMG name. So PD15IMG.zip can be multi files as we have 2 of them 1 is 2.2.1 and newest one is 2.3.4 just look in the dev section you will find the newest PD15IMG.
http://forum.xda-developers.com/showthread.php?t=1059347
NEW-PD15IMG: PD15IMG_Glacier_Gingerbread_S_TMOUS_2.19.531.1_Radio_12.58.60.25_26.11.04.03_M_release_200756_signed

nicholasb said:
If this is all about going back for an exchange, i recently did just this. Please see my post on the topic: http://forum.xda-developers.com/showthread.php?t=1241740
If all you did was the temproot/permaroot method via visionary+, and not the gfree method (gfree is actual s=off), then I believe some of the steps may be different. Specifically, you may be able to skip the whole bit about turning s=on again.
So which is it?
Click to expand...
Click to collapse
I did not use the gfree method.

AggNA said:
Keep in mind PD15IMG.zip is the default system file for our device which is checked on the bootloader as our device ID is PD15000 thus getting the PD15IMG name. So PD15IMG.zip can be multi files as we have 2 of them 1 is 2.2.1 and newest one is 2.3.4 just look in the dev section you will find the newest PD15IMG.
http://forum.xda-developers.com/showthread.php?t=1059347
NEW-PD15IMG: PD15IMG_Glacier_Gingerbread_S_TMOUS_2.19.531.1_Radio_12.58.60.25_26.11.04.03_M_release_200756_signed
Click to expand...
Click to collapse
Thanks for all the help bro. I really really appreciate it.
Love all the help that the XDA community provides.

this guy definitely knows what he's talking about, provided help for me in the past