How To Gain S-OFF (Radio And Engineering) On HTC Desire HD
After you are done with following this guide, you should have an HTC Desire HD ready for installation of ClockworkMod recovery that lets you flash hundreds of custom ROMs to your device while having full read-write access to all its partitions.
Edit: Some users were experiencing problems with this guide in the temporary rooting phase. That was due to the old package not containing all the necessary files. We have updated the guide with those files and it should work flawlessly now.
Note: This guide will NOT work for the Telus Desire HD. If you are a Telus subscriber from Canada and have a Telus branded Desire HD, see our guide on how to gain S-OFF on Telus Desire HD instead.
Disclaimer: Please follow this guide at your own risk. AddictiveTips will not be liable if your device gets damaged or bricked during the process.
Gaining Radio S-OFF:
This method will get you the Radio S-OFF flag while SIM-unlocking it and setting up SuperCID, which means
- This method will root your phone for the process if it isn’t already rooted. If you just want to permanently root your phone, see our guide on how to permanently root HTC Desire HD instead.
- Make sure you have ADB installed on your computer. Also, if you have previously installed VISIONary on your phone in order to root it, uninstall it first before proceeding.
- Download (https://addictivetips.com/app/uploads/2011/03/DHD_S-OFF_Toolkit.zip) Desire HD S-OFF Toolkit and unzip its contents to your computer.
- Enable USB Debugging on your phone from Settings > Applications > Development.
- Connect your phone to your computer via USB.
- Launch a Command Prompt/Terminal window on your computer, navigate to the folder where you extracted the files in Step 3 and enter the following commands:
adb push su /sdcard/su adb push Superuser.apk /sdcard/Superuser.apk adb push rage /data/local/tmp/rage adb push busybox /data/local/tmp/busybox adb push root /data/local/tmp/root adb push gfree /data/local adb shell chmod 0755 /data/local/tmp/* adb shell chmod 777 /data/local/gfree
- Install Terminal Emulator app on your phone from the Android Market and launch it.
- Enter the following command in Terminal Emulator on your phone:
/data/local/tmp/rage
- In a while, you will see the output “Forked #### childs”. Now press ‘Menu’ and tap ‘Reset Term’ to exit Terminal Emulator.
- Launch Terminal Emulator again. You will notice that it force-closes. Don’t worry and just launch it again, and you should have a root shell indicated by the # prompt instead of $.
- Now enter the following commands in Terminal Emulator:
/data/local/gfree -f sync /data/local/tmp/root sync
If you get a ‘mkdir: /system/xbin already exists’ error during the process, ignore it and proceed.
- Wait patiently while the process finishes. Once it is complete, reboot your phone.
You should now have Radio S-OFF, SIM-unlock and SuperCID all set on your phone. If you just want to install ClockworkMod recovery and custom ROMs etc., you are all good to go and do not need to gain Engineering S-OFF. You may simply install ClockworkMod Recovery, find a custom ROM of your choice and flash it to your phone from recovery.
Gaining Engineering S-OFF:
You should attempt to gain Engineering S-OFF if and only if you want to gain absolute access to your Desire HD including the ability to flash a radio or edit all your phone’s partitions the way you want. If you are not absolutely sure what you are about to do, we recommend that you do NOT proceed.
- Make sure you have already gained radio S-OFF by following the above-mentioned steps.
- Download the Engineering HBoot for HTC Desire HD and extract the contents of the zip files.
- Enable USB debugging (if not already enabled) and connect your phone to the computer.
- On your computer, launch Command Prompt/Terminal, navigate to the folder where you extracted the files in Step 2 and enter these commands:
adb push hboot-eng.img /data/local
- Finally, launch Terminal Emulator on your phone and enter these commands, being EXTREMELY careful not to make any mistake here:
su dd if=/data/local/hboot-eng.img of=/dev/block/mmcblk0p18
Make sure to allow when Super User access is requested. Wait till the process is finished and you’re done!
You now have the Engineering S-OFF HBoot installed and with this, you have absolute control over your HTC Desire HD. You can now flash radios of your choice to your phone and have access to modify all its partitions as well as unbrick it in certain circumstances where no other method would revive your device.
[via CyanogenMod Wiki]
I stuck at this point any soution ..??
adb: error: failed to copy ‘gfree’ to ‘/data/local/gfree’: remote Permission denied
gfree: 0 files pushed. 80.9 MB/s (722728 bytes in 0.009s)
Done, thank you! I was in “ace pvt ship s-off rl” and unable to flash radio or recovery. Now I gained eng s-off and everything is ok!
whoever made this post is an idiot! every god damn error in this tutorial was on my screen!!
Something strange happened. I used your guide to gain ENG-OFF on my Desire HD running stock 2.3.6 with some system apps removed. I already had S-OFF. When I rebooted the phone, it got stuck at the HTC bootscreen. I looked for a solution to this everywhere but couldn’t find one pronto. I restored from a Nandroid backup using CWM and it still got stuck at the HTC logo. I went inside recovery again and wiped data and cache and installed Paranoid Android’s 4.0.4 ROM from the SD Card. Got stuck on the Paranoid Android’s bootscreen. Went inside recovery again, wiped cache and data and rebooted the phone and it booted. Question is, is this method of turning Engineering Security off compatible with Gingerbread ROMs? If not, how can I get the stock HBOOT while running my custom ICS ROM? If that’s not possible, can I just revert to stock HBOOT even if that means going back to stock Gingerbread? If yes, how?
Did you flash the boot.img file? Extract it from the custom rom and flash it via ADB or Fastboot
I get error: device offline
My device is on Disk Drive mode though
Same problem as Robert. the Terminal emulator does not open after force close and the phone is as dead as a dodo. Pls help.
navigate means- in your computer go to the folder where you have extracted the files….. for eg. u extracted the files at d:\xyz folder but when you open the cmd then it opens in (XP)c:\doc and sett\ blah blah….. now navigate here means that you have to go to the D:\xyz in command prompt by typing d: and cd xyz(or whatever ur extracted folder is)
what is the meaning of navigate?
Excellent!
Followed your complete guide & no problems. Desire HD completely controllable 🙂
Thanks.
david plz tell me the meaning of navigate?
my software number is 1.72 if that makes any difference?
same problem as robert
pls help
Same….
Log:
D:\S-OFF toolkit>adb push su /sdcard/su
821 KB/s (26248 bytes in 0.031s)
D:\S-OFF toolkit>adb push Superuser.apk /sdcard/Superuser.apk
1733 KB/s (27688 bytes in 0.015s)
D:\S-OFF toolkit>adb push rage /data/local/tmp/rage
5 KB/s (5392 bytes in 1.000s)
D:\S-OFF toolkit>adb push busybox /data/local/tmp/busybox
2044 KB/s (1926944 bytes in 0.920s)
D:\S-OFF toolkit>adb push root /data/local/tmp/root
5 KB/s (575 bytes in 0.109s)
D:\S-OFF toolkit>adb push gfree /data/local
2262 KB/s (722728 bytes in 0.312s)
D:\S-OFF toolkit>adb shell chmod 0755 /data/local/tmp/*
D:\S-OFF toolkit>adb shell chmod 777 /data/local/gfree
D:\S-OFF toolkit>adb push su /sdcard/su
1643 KB/s (26248 bytes in 0.015s)
D:\S-OFF toolkit>adb push Superuser.apk /sdcard/Superuser.apk
1733 KB/s (27688 bytes in 0.015s)
D:\S-OFF toolkit>adb push rage /data/local/tmp/rage
337 KB/s (5392 bytes in 0.015s)
D:\S-OFF toolkit>adb push busybox /data/local/tmp/busybox
2622 KB/s (1926944 bytes in 0.717s)
D:\S-OFF toolkit>adb push root /data/local/tmp/root
17 KB/s (575 bytes in 0.031s)
D:\S-OFF toolkit>adb push gfree /data/local
2154 KB/s (722728 bytes in 0.327s)
D:\S-OFF toolkit>adb shell chmod 0755 /data/local/tmp/*
D:\S-OFF toolkit>adb shell chmod 777 /data/local/gfree
D:\S-OFF toolkit>adb shell /data/local/tmp/rage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit …
[+] RLIMIT_NPROC={4967, 4967}
[*] Searching for adb …
[+] Found adb as PID 1245
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C@web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
D:\S-OFF toolkit>adb shell /data/local/gfree -f
–secu_flag off set
–cid set. CID will be changed to: 11111111
–sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x00015398 (86936)
Section index for section name string table: 41
String table offset: 0x000151df (86495)
Searching for .modinfo section…
– Section[16]: .modinfo
— offset: 0x000011cc (4556)
— size: 0x000000c4 (196)
Kernel release: 2.6.35.10-g0956377
New .modinfo section size: 204
Attempting to power cycle eMMC… Failed.
Module returned an unknown code (Operation not permitted).
D:\S-OFF toolkit>adb shell sync
D:\S-OFF toolkit>adb shell /data/local/tmp/root
killall: rage: no process killed
mount: Operation not permitted
mkdir failed for /system/xbin, File exists
cp: can’t create ‘/system/xbin/busybox’: Read-only file system
Unable to chmod /system/xbin/busybox: No such file or directory
/data/local/tmp/root: /system/xbin/busybox: not found
cp: permission denied
cp: permission denied
Unable to chmod /system/bin/su: No such file or directory
mount: Operation not permitted
D:\S-OFF toolkit>adb shell sync
Ditto
The same for me. Can someone help, pleeeease!?
i have a problem.. i get stuck with my htc at the point 10… i dont know what could i be doing wrong… i did everything correct even got the forked #### childs and everything… closed the aplication, opened it force closes.. and then when i try to open it again it wount open…. it just reeeeeeally slows my phone down and nothing eles… what could i do??? what am i doing wrong 🙁
Instead of installing Terminal Emulator, skip steps 7 to 10 and just use “adb shell”
You can also just copy and paste all the text into command prompt
adb push su /sdcard/su
adb push Superuser.apk /sdcard/Superuser.apk
adb push rage /data/local/tmp/rage
adb push busybox /data/local/tmp/busybox
adb push root /data/local/tmp/root
adb push gfree /data/local
adb shell chmod 0755 /data/local/tmp/*
adb shell chmod 777 /data/local/gfree
adb shell /data/local/tmp/rage
adb shell /data/local/gfree -f
adb shell sync
adb shell /data/local/tmp/root
adb shell sync
Terminal Emulator always forced closed on me even before I ran any shell commands
HI. I’m stuck @ step 6. What the hell do you mean with navigate to? Can you please explain this step?
Cheers
I am having trouble with rooting my HTC Desire HD. I am in Australia and this is basically what happened.
1. I tried rooting the HTC Desire HD using VisionARY and everything appeared okay after the process.
2. I installed the Terminal Emulator and entered ‘su’. It gave me permission and I got into the #drive.
3. I now tried to gain S-OFF as I was aiming to flash Cyanogenmod, and apparently gaining S-OFF is a requirement to do this.
4. I was told that VisionARy had to be uninstalled before proceeding. and I did
5. I acquired ‘adb’ from the sdk from android developers. Everthing was fine. and the device is listed after typing “adb devices” in the terminal
6. I unzipped the S-off kit for HTC DESire hd and followed all the prompt commands.
7. Nothing happened.
8. Now I tried to gain access to #drive via the terminal emulator and it denies.
9. I even tried installing clockworkmod recovery and it fails..
I did everything in the setup. But somehow my phone is “rooted” but not really…which probably causes all this problem.
HELP???
thanks
dan
/data/local/tmp/gfree -f returuns module failed to power cycle eMMC
any idea ?
Weird…worked flawlessly on our Desire HD. No idea what might be causing you that.
help please. terminal emulator says /data/tmp/root: not found when i type in the command.
Guide updated to include the missing files – my apologies for the inconvenience.
There is an easy radio s-off tool available which does not require the use of terminal described in the third section of this guide:
http://igyaan.in/2011/01/how-to-root-htc-desire-hd-included-downgrade-from-1-72-405-3-to-1-32/