HTC has done good things among the development community. With their new devices, they are offering to help guide you through the bootloader unlocking process via their website, HTCdev.com. However, they didn’t want to make it too easy. With newer phones, the HBoot locks the NAND partition, making it a challenge to flash anything beyond a modified stock ROM.
Have I lost you yet? Don’t worry, I will break this down into common sense terms. Trust me, I was just as intimidated at first. We will also examine a few workarounds to get you right back on the flash bandwagon.
Breaking It Down
HBoot, S-ON/S-OFF, Bootloader, and NAND are some terms we need to define before we delve into the process of flashing kernels and ROMs. Let’s start with the simple one. HBoot is the Bootloader and the Bootloader is the HBoot. These are just different names for the same thing. The HBoot is the software that tells your phone how to boot up, in what order things should load, and is very similar in process to a PC’s BIOS. Essentially, it’s the set of directions that gets things running.
HBoot indicates your phone's locked status.
S-ON and S-OFF are a bit more involved but are still simple in theory. S stands for security. So obviously, you now have Security-ON and Security-OFF. From my understanding, when HBoot loads up, it looks to see whether your phone is S-ON or S-OFF. S-ON means that the bootloader requires a signature (HTC’s thumbs up) and anything you do that doesn’t have that signature won’t work properly such as custom kernels and ROMs. S-OFF tells the bootloader (or HBoot) that the phone is completely unlocked and allows for you to write to most partitions on the phone. Basically, S-ON will only allow you limited access to the phone’s memory while S-OFF gives you full control.
This brings us to the NAND partition. In order to successfully flash custom kernels and ROMs, you have to write to the NAND partition. The NAND is a partition of flash memory inaccessible for S-ON locked devices. With the EVO 3D’s newer version of HBoot (version 1.50), there isn’t a way to achieve S-OFF (yet). Since developers are still working on that, we will need to turn to a few “cheats.” Essentially, I am going to explain how to get around these little security measures. Just keep in mind, you are doing this at your own risk. So don’t blame me if your phone becomes a $600 paperweight or if it steals your car, drives to Juárez, and joins a Mexican drug cartel.
Let’s Get Started
HTCdev.com has an in-depth unlocking process.
There are a few files you will need during this process (these downloads are also available from HTC’s development site). The first of them are:
Install them. HTC has created a comprehensive tutorial on their development website. Visit their bootloader unlocking page and follow the process. You will have to create an account and check off a few disclaimers. Obviously, they want you to know that if you’re phone burst into flames, they’re not responsible and reserve the right to charge you money to fix it. This is much like how General Electric will not replace your refrigerator for free if you decide to add a turbo charger and use it to cool your house.
If you’re like me, you may have noticed that there are a few bumps in the road. For example, they want you to download the SDK, run it, then browse through the file directories to grab three files, and put those files in a separate folder. I’ve already compiled those files. They are available here: Android EVO3D SDK Files. Hopefully, this will save you a few steps.
HTC wants to make sure you know the risks.
They’re going to make you bend over backwards to unlock this thing. You will have to run command prompt, submit tokens, wait for they’re magical email – and once you get it, you still won’t be done. The email will include the “unlock bootloader key file” and the second set of instructions. Download the key file into the same directory as your ADB.exe and Fastboot.exe. Follow the final steps and you’ll be done, with a nice semi-unlocked bootloader (again, the HBoot).
Root and Recovery
Ready for some more command prompt action? First, make sure your phone is in USB Debugging mode.
Go to Menu > Settings > Applications > Development and tick “USB Debugging.”
USB Debugging is found in Settings > Applications > Development
Download the following files and drop them in the same folder we’ve been using for everything:
What we’ve done there is taken those files we just downloaded and placed them on the phone’s SD Card. You could alternatively mount the SD Card and drag-and-drop them in.
Finally, enter this into the command prompt:
fastboot flash recovery recovery.img
You should now have TWRP recovery. Now we want to obtain root. While still in HBoot mode, use the volume down and up buttons to navigate to “Recovery.” Choose “Install Zip from SDcard” and find su-126.96.36.199.zip. Flash it and you’re now rooted with recovery installed. From here, we can flash a few ROMs that work with stock kernels. But we’re going to dig deeper and find a workaround so we can install whatever we want. Don’t you want to overclock? I do.
HBoot 1.50 Workaround #1
Flash Image GUI makes flashing a lot simpler.
This is an app-based flash method. Download “Flash Image GUI” made by joeykrim. You can find it on the Android market: Flash Image GUI. It now supports installing kernel images from within a ROM package. You can download a ROM with a custom kernel built in and flash it from within the app. Pretty convenient.
You’ll want to make sure that “Clear Dalvik” and “Clear Cache” are checked. I recommend making a full backup using recovery before flashing anything. (Boot into HBoot, choose Recovery, Nandroid, then make a backup).
After using the app to flash the kernel, it’ll ask to reboot. Select “No”, then power down your phone by removing the battery. Reinsert the battery and boot into the bootloader by holding volume down and power. This is usually a good point to clear the cache, data, and Dalvik; however, I didn’t, and everything seemed to work okay. Go into “Recovery” and “Install Zip.”
Select “Choose Zip To Flash” and find the file you just flashed with the Flash Image GUI app. Install it. The reason we have to flash it again here is because the app only flashes the kernel. This will flash the ROM as well. Reboot the phone and be patient. Flashing new ROMs usually takes a few minutes for it to boot up initially.
Once it boots up, you will have successfully flashed a kernel and ROM. This will give you the chance to overclock and play around with some advanced features that come with the custom ROMs.
HBoot 1.50 Workaround #2
You can flash recovery through command prompt.
This one requires a little more technical know-how. However, since we’ve been using command prompt a lot already, it shouldn’t be much more difficult.
With your phone still in “USB Debugging” mode, bring up the command prompt again. Enter the following command:
adb reboot bootloader
Once it boots back up into Fastboot, type in the following for the command prompt:
fastboot boot recovery.img
Now, just go through the process of clearing the data/cache/Dalvik and flash away. You will need to repeat these steps every time you want to flash a new kernel and ROM.
Will It Get Easier?
There are some developers currently working on unlocking the HBoot permanently for this phone. If and when that happens, you won’t have to go through this whole process. You will be able to boot up into recovery and flash whatever, whenever you want. Until that happens, you’re stuck using these methods to get around the S-ON. Until then, think of it as a walk down memory lane, back to a day when we all had to use command prompts to do even the most rudimentary tasks… such as unleashing the full power of our EVO 3D.