unrevoked forever radio S-OFF/S-ON tool

unrevoked forever is a tool to set your Android phone's security level to S-OFF. The security level is a flag stored on the radio; when the flag is S-OFF, the bootloader (HBOOT) will no longer check the signatures of firmware images before flashing them. This allows custom firmware images to be uploaded, including unsigned boot, recovery, splash1, and hboot images (as well as official images that have been modified). When the system is S-OFF, the NAND flash memory protection is also reduced; this allows all partitions (including /system) to be written to while the operating system is booted.

The most substantial benefit of unrevoked forever is that the change is stored in the radio's NV memory; no ENG bootloader is necessary to continue to flash firmware images. Even if an “unrootable” OTA update is accepted, a device on which unrevoked forever has been run will still be able to reflash a custom recovery image.

We know you just want to install unrevoked forever. However, before you do, please read this section in its entirety. It contains important information to avoid bricking your phone.

We believe unrevoked forever to be safe for your phone. However, forever unlocks a few capabilities that make it substantially easier to cause (in some cases, permanent) damage. Here are a list of things to be aware of:

• As with all hacks to your phone's firmware, setting your phone S-OFF will void the warranty on your phone. Do not take your phone in for support until you have set your phone S-ON and removed all custom modifications. Damaging your phone by flashing a custom bootloader, or other unusual combinations of firmware, is not covered under warranty; although your carrier may not check to see if your phone was modified, please be honest.
• unrevoked forever allows you, among other things, to reflash the hboot partition on your phone. Doing so carries risk; a bad hboot flash can render the phone permanently unusable. Be cautious about where you accept updates from.
• When doing updates, be sure to flash all partitions at the same time. For instance, on Incredible, running a 0.92 hboot and a 2.15 radio with a 2.6.29 Linux kernel will result in the system becoming unusable until reflashed.
• When updating using an official OTA, update using an official recovery. See below for instructions.
• unrevoked forever comes with NO WARRANTY (express or implied), and NO GUARANTEE OF FITNESS for any particular task. Although we have attempted to minimize the risk the best we can, the authors disclaim any chance of damage to your phone. The entire risk of running unrevoked forever lies with you, the user.

At this time, the following devices are supported.

• HTC Droid Incredible, running radio baseband versions:
  • 1.00.03.04.06
  • 2.05.00.06.11
  • 2.07.00.07.16
  • 2.15.00.07.28
  • 2.15.00.09.01
• HTC EVO 4G, running radio baseband versions:
  • 1.36.00.04.02
  • 1.39.00.04.26
  • 2.05.00.06.10
  • 2.15.00.07.21
  • 2.15.00.07.28
  • 2.15.00.09.01
  • 2.15.00.11.19
• HTC CDMA Hero, running radio baseband versions (S-OFF only at this time, S-ON coming soon):
  • 1.04.01.09.21
  • 2.41.04.02.02
  • 2.42.01.04.23
  • 2.42.01.04.27
• HTC CDMA Desire, running radio baseband versions (S-OFF only at this time, S-ON coming soon):
  • 2.05.10.06.29
  • 2.05.10.08.11

You can determine your radio baseband version by holding the VOLUME DOWN key while powering on the phone.

We believe the mechanism behind unrevoked forever may work for other radios and devices, and will add support as radio images are made available to us.

Note that these radio basebands are only need to apply the update. Once the update is applied, you may freely switch to any radio, including one that is not listed. The unrevoked forever update works at the sub-radio level.

To install unrevoked forever on your phone, perform the following steps.

• If your phone does not already have a custom recovery, use unrevoked3 to root your phone.
  • The installation process cannot take place if the phone does not have a custom recovery installed.
• Download the most recent ''unrevoked-forever.zip'' to a temporary location on your computer.
• The update can be installed like any custom .zip file. Simply flash it from your custom recovery. Both Amon_RA and Clockworkmod Recoveries support custom .zip installs from the sdcard.
• Either select the option to install a .zip from your SD card, or apply it as an update.zip as follows:
• Place the update.zip file into the root of your SD card. You can do this with adb with the command: adb push unrevoked-forever.zip /sdcard/update.zip
• Reboot your phone into recovery mode. You can do this by removing your phone's battery, holding down the VOLUME DOWN button, and inserting the battery; at the menu, press VOLUME DOWN to highlight recovery, then press POWER to select it.

Did you read the important safety information above? Do so now before continuing.

• Select apply sdcard:update.zip from the menu.
• Press VOLUME DOWN until Yes is highlighted, then select it.
• Review the output to determine if there were any errors.
  • If messages beginning in E: appear, stop! If possible, join IRC for support.
• Restart the phone normally, then reboot the phone into the bootloader. This can be done by holding VOLUME DOWN while powering the system up. Observe at the top that S-OFF appears.
• Optional, but recommended: show your support (and your S-OFF bootloader) by flashing a custom splash screen!

In early versions of the Hero bootloader on S-OFF devices, neither S-OFF nor S-ON may be displayed. If you update to a later version of the bootloader, S-OFF will be displayed correctly.

• What is the difference between an ENG bootloader and unrevoked forever? Are there any disadvantages?
  This is a permanent patch; unrevoked forever works below the radio level. Thus, even if an update removes the ENG bootloader, a device that has run forever will remain S-OFF. It is possible for HTC to produce an update to remove this, but a carrier that distributes such an update would also break legitimate test phones, reverting them back to “release” phones.
  
  For Droid Incredible users, this is the only way to obtain S-OFF access. However, the EVO 4G's ENG bootloader allows certain extended fastboot commands to be used. Currently, unrevoked forever does not enable these extended commands; however, the ENG bootloader can be used in conjunction with unrevoked forever to have permanent S-OFF access as well as access to the extended commands. For HTC Incredible users, our intent is to eventually bring our own ENG patched HBOOT to the Incredible.
  
  
• How can this be removed or undone if I need to take my phone in for service?
  Download the latest ''S-ON'' tool to a temporary location and follow the installation instructions above to run it. Once your phone is S-ON, you may lose root permanently if you install an official update
  
  
• If I've run an earlier version of unrevoked forever, do I need to run a later version when it comes out?
  No. The later versions contain updates for compatibility and stability, but contain the same S-OFF patch as earlier versions.
  
  
• How can I use S-OFF to recover from an unrooted update?
  S-OFF gives your device permanent NAND unlock in the booted system, and also disables HBOOT's signature checking on firmware zip files. So, even if you take a OTA that has not been rooted, you can simply flash a new recovery that allows you to install su, and use that to restore yourself to a fully rooted system. We have provided ClockworkMod and Amon-Ra recovery images for you to use for this purpose.
  
  
• How do I create a unsigned zip to flash in HBOOT?
  Download one of the example zip files (either the recovery or the splash zip files) appropriate for your platform, and extract the android-info.txt file from it. Zip the file that you wish to flash (usually named something like BOOT.IMG, SPLASH1.NB0, RECOVERY.IMG, …) up along with an appropriate android-info.txt into a file named either PB31IMG.ZIP (for Incredible) or PC36IMG.ZIP (for Evo), and place this file on the root of your SD card. Power the phone up while holding the VOLUME DOWN button, choose HBOOT, and press VOLUME UP when prompted to flash the image. Be careful – in this state, the phone will not prevent you from doing dumb things like flashing an invalid HBOOT!
  
  
• When I try to get into Fastboot by pressing VOLUME UP and booting the phone, my phone instead buzzes three times and acts dead. What happened?
  The S-OFF update also enables Qualcomm Diagnostics mode on your phone, which is entered by doing what you just did. You can exit this mode (and boot normally) by removing the battery and USB cable.
  
  
• Will you release the source code?
  At this time, we are not disclosing the vulnerability we have exploited to set the phone S-OFF.
  
  
• That doesn't seem fair! Android is about open source.
  In some senses, we agree; but at times, a tradeoff needs to be made. Releasing the source code for this, we believe, would compromise the greater ability to unlock devices like these in the future. Given the choice between sacrificing the liberty of running code on our handsets and the liberty of reading the code by which we unlock it, we feel that the millions of handsets are more important. It is unfortunate that we must make such a choice, and we look forward to the day in the future that no such decision need be made.
  
  
• I found this software useful, and I would like to donate to the team!
  Thank you for your support. At this time, the unrevoked team does not accept donations; but we highly encourage our users to donate to the Electronic Frontier Foundation. The EFF performs the important role of standing up for our digital liberties, including the liberties to reverse-engineer devices that we own. If you are able, please consider making a contribution to them so that they can continue to perform this valuable service.

If, like us, you are excited about having a phone that is all yours, you can flash a custom splash screen with our logo. To do so:

• Install unrevoked forever on your phone.
• Download either PB31IMG.zip for Incredible or PC36IMG.zip for EVO 4G.
• Place the appropriate file – with that exact file name! – on the root of your SD card.
• Reboot your device into HBOOT by removing the battery, pressing VOLUME DOWN, inserting the battery, and pressing POWER.
• When prompted Do you want to start update?, press VOLUME UP for Yes. When prompted again Do you want to reboot device?, press VOLUME UP for Yes.
• Congratulations! Your phone now has a sweet unrevoked splash screen.

If you wish to install a stock over-the-air update in the future (OTA), the safest way to do so is to install the recovery that originally shipped with your phone. To install an OTA:

• Install unrevoked forever on your phone.
• Download or create an appropriate PB31IMG.ZIP, PC36IMG.ZIP or HERCIMG.zip for your phone that contains the original recovery image.
  • We do not supply these images; since the recovery code is owned by HTC, we don't distribute it. You may be able to find these images on the XDA-Developers forums.
• From the phone operating system, install the over-the-air update.
• When the update is done installing, you will probably want to root it with a custom recovery. Download one of the following recovery restore images:
  • Amon-Ra recovery for EVO 4G
  • ClockworkMod recovery for EVO 4G
  • ClockworkMod recovery for Incredible
  • Amon-Ra recovery for CDMA Hero
• Place the appropriate file – with that exact file name! – on the root of your SD card.
• Reboot your device into HBOOT by removing the battery, pressing VOLUME DOWN, inserting the battery, and pressing POWER.
• When prompted Do you want to start update?, press VOLUME UP for Yes. When prompted again Do you want to reboot device?, press VOLUME UP for Yes.
• Your phone now has a custom recovery. To restore superuser access to your phone, you can apply any appropriate update.zip; such a file can likely be found here: Superuser App

unrevoked forever has been through the following versions:

• v1.0: initial release.
• v1.1: S-ON, additional radio support for EVO, support for CDMA Hero
• v1.2: Support for CDMA Desire
• v1.3: Additional radio support for EVO

unrevoked forever was brought to you by (in no particular order):

• Ryan Pearl
• Joshua Wise
• Eric Smaxwill
• Matthew Fogle
• Matt Mastracci

Hero support for unrevoked forever thanks to Dan Wager.