How to gain S-OFF on the HTC EVO 3D
I rallied for the longest time, saying that S-OFF on the HTC EVO 3D was not needed. Everything S-OFF was required for was pretty much doable with either software or jumping through some hoops, and S-OFF was never really absolutely needed until the CyanogenMod 9+ based distros and their refusal to work with newer HBOOTs.
This led to me writing a couple of “oh wow, this looks neat, but I can’t run it” pieces, which led to my decision today to sit down and plot out exactly the easiest steps required to obtain S-OFF on the EVO 3D without messing up your computer.
It should be noted that the good old days of the one-click S-OFF method are probably gone forever. Those exploit doors are locked down tight, and now only the eMMC recovery exploits are available. Unfortunately, these require jumping through a lot of hoops. While HTC says it doesn’t care if you root your phone, it does not want you to have the ability to easily walk to another carrier, replace the radios, or examine the phone too closely for backdoors.
For the following, you’re going to need a 32-bit Linux live CD. You can find the one I used here, or Andreas’s Yumi USB booting method here. Go ahead and play with this first – it won’t bite you, and when you’re stressing out over the S-OFF exploit, it’ll be good to know all the tools you are going to need are contained in the average live CD. For this, you’ll either require a blank DVD or a USB stick, and you’ll need to figure out how to make your computer boot off of it. Generally, most modern computers will boot off a CD or USB first, which is all you need.
You’re also going to need the EVO 3D to be running a stock rooted ROM. For me, I had the stock image from when I last HTCDev unlocked, so I just restored that. You can download an RUU containing a stock image, flash the phone, unlock it, and install SuperSU if you need to. Make sure the phone has a good battery and is charged. You might be at this for a while, and it’s not charging while it’s plugged in doing this exploit. I should also note that people have reported this method working on ROMs other than stock rooted ones; however, if you manage to brick your device, the authors of the program will not help or feel bad for you if you don’t follow their instructions.
You’re also going to require a wire, as we’ll be doing something called the wire trick later. I used a bread twist tie and exposed the ends of the thing using a knife to cut away the paper. You can use any sort of wire you might want, as long as it will fit into the ground wire hole. The Unlimited.io site mentions you can strip a single wire out of a network cable, but for me I had bread handy. I’m also aware that you can use a paperclip to ground it out in some instances, but I have fat paperclips.
The following steps were done with no software other than the Ubuntu live CD and what was available on unlimited.io, so all the tools you need should be available to you.
- Boot your live CD and choose “try it,” or whatever option is required to not install the OS. You do not want an OS installed over your normal OS. That would be bad.
- Open Firefox, or whichever browser is on your live CD. Navigate to unlimited.io, find and download the JuopunutBear S-OFF Public Beta for your phone. When the download is done, open the archive simply by clicking on the download bar, and choose to extract the files. For this example, I extracted the files to /tmp/rootit.
- You now need to change the permissions on three of the extracted files so that Ubuntu can run them. You’ll need to go into a terminal emulator, and we’re going to be in this window the rest of the time we’re doing this. For me, I clicked a button that said Ubuntu home, and a search bar appeared. I typed in “terminal” and was greeted with three different options. They all lead to the same thing essentially, so it shouldn’t matter which you choose – terminal, xterm, etc.
- Once in the terminal, I changed to the directory where I had unzipped my files using the command “cd /tmp/rootit” and then modified the permissions of three of the files so they could be executed with the command “chmod 755 ControlBear adb fastboot” followed by enter or return. It’s important that you make sure the C & B in ControlBear are uppercase, or the command to make Ubuntu recognize it as a program you can run will not work.
At this point we’ll diverge slightly from what I did, because I forgot to take the case off of the back of my EVO 3D. This led to me pulling the USB cable out to remove the case, having to restart later, and thinking I had bricked the device. I hadn’t. You’re going to now remove the back plate of the EVO 3D, exposing the battery and all the innards.
Before you go any further, you need to accept the risk that the data on your SD card may be lost. Mine wasn’t, but it’s possible. You should back that stuff up if it’s vitally important. Also, you should familiarize yourself with the contact points of your EVO 3D for the wire trick.
- There will be two holes in the top left of the phone. As far as I can tell, they’re connected, but if the hole you’re using fails, you’ll use the other one. Make sure the wire you’re using can fit in that hole comfortably. If there are problems doing that, you’re going to have problems doing the wire trick.
Before you go any further, I should mention this took me 12 minutes from this point on to get the wire trick timing down. I finally started singing “I’m Gonna Be” by the Proclaimers (the “I would walk 500 miles” song) in order to ensure I was timing the thing right, and I’m pretty sure I looked really, really stupid doing so.
- At this point, the next thing you do could brick your phone. Please make sure you’ve read all of the piece on Unlimited.io. Also read the troubleshooting guide before you start because if you decide to give up and walk away you’ll need to know how to get your phone back into a running state, and that’s more difficult than just unplugging it.
- With the EVO 3D plugged into the USB port on your computer directly (no hubs), you now need to run ControlBear as administrator. In terminal, type “sudo ./ControlBear”. This executes ControlBear with administrator rights.
- At this point you’ve decided to see how deep the rabbit hole goes, so there’s nothing to do but sit back and wait until it asks you to do the wire trick. That’s creating a link from the contact points to the ground point where your SD card mounts, releasing, and doing it again about 1.25-1.5 seconds later. The phone will flash, and the ControlBear will report it’s waiting.
- If you’re lucky, you’ll see something like the above. If your experience is like mine, you’ll see a message “Errorcode: 66732337 ErrorMsg: Still sober,” in which case you run ControlBear again and try the wire trick again. The timing is absurdly picky. It took me about ten minutes of trying to get the timing right. After the first time you run ControlBear, it goes a lot faster to the wire trick section, having prepped the phone for whatever it needs to do.
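Before typing “sudo ./ControlBear”, it is worth confirming that the setup steps above actually took. The following pre-flight script is my own added example, not part of the JuopunutBear package or anything on unlimited.io; it assumes the archive was extracted to /tmp/rootit as in the steps above and uses only tools found on the Ubuntu live CD (sh, uname, id, awk, and the extracted adb).

```shell
#!/bin/sh
# Pre-flight checks for the JuopunutBear S-OFF steps (added example, not unlimited.io's tooling).
# Run as:  sh preflight.sh /tmp/rootit   (the extract directory from the steps above)

check_arch() {
    # The post calls for a 32-bit live CD; flag anything that is not an i386-family kernel.
    case "$(uname -m)" in
        i386|i486|i586|i686) return 0 ;;
        *) return 1 ;;
    esac
}

check_tools() {
    # The three files that needed "chmod 755": ControlBear (capital C and B), adb, fastboot.
    dir=$1; bad=0
    for f in ControlBear adb fastboot; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f (check the extract path and the capital letters)"; bad=1
        elif [ ! -x "$dir/$f" ]; then
            echo "not executable: $dir/$f (run: chmod 755 $f)"; bad=1
        fi
    done
    return $bad
}

check_device() {
    # ControlBear drives the phone over adb; exactly one device should be listed in "device" state.
    dir=$1
    [ -x "$dir/adb" ] || return 1
    "$dir/adb" devices 2>/dev/null | awk 'NR>1 && $2=="device"{n++} END{exit n!=1}'
}

preflight_check() {
    dir=${1:-/tmp/rootit}; rc=0
    check_arch || { echo "warning: $(uname -m) is not 32-bit; the post assumes a 32-bit live CD"; rc=1; }
    check_tools "$dir" || rc=1
    [ "$(id -u)" -eq 0 ] || echo "note: not root; remember to start it with: sudo ./ControlBear"
    check_device "$dir" || { echo "no single adb device seen (plug in directly, no hubs, USB debugging on)"; rc=1; }
    [ $rc -eq 0 ] && echo "all checks passed for $dir"
    return $rc
}

# Only run when given an extract directory on the command line.
[ $# -eq 0 ] || preflight_check "$1"
```

Exit status 0 means everything the steps above depend on is in place; any other status prints what still needs fixing.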
When my ordeal was complete, the phone shut off. I gave it a minute or two and it was still off. I pressed the power finally and was at a bootloader with S-OFF. I selected reboot and then the phone started acting normal again. The stock ROM rebooted once after starting up; I’m not sure what was up with that, but it settled into running fine afterward and a day later the phone is completely normal.
If you decide to give up, there are a few options to get your phone back into play, and they can be found on the troubleshooting guide. Make sure you read that section before you shut down your live CD; otherwise, you’ll be wasting time having to restart the whole shebang, re-download the exploit, re-chmod the files, etc.