How To Gain S-OFF (Radio And Engineering) On HTC Desire HD


HTC Desire HDWe have previously featured a guide on how to root HTC Desire HD and now, we are continuing this series with this comprehensive guide on gaining the S-OFF flag on your phone to gain complete control over it. This is basically done by installing a custom bootloader to the phone that has the S flag set to off, allowing you to install a custom recovery image and thus, flash a custom ROM to your phone.

After you are done with following this guide, you should have an HTC Desire HD ready for installation of ClockworkMod recovery that lets you flash hundreds of custom ROMs to your device while having full read-write access to all its partitions.

Edit: Some users were experiencing problems with this guide in the temporary rooting phase. That was due to the old package not containing all the necessary files. We have updated the guide with those files and it should work flawlessly now.

Note: This guide will NOT work for the Telus Desire HD. If you are a Telus subscriber from Canada and have a Telus branded Desire HD, see our guide on how to gain S-OFF on Telus Desire HD instead.

Disclaimer: Please follow this guide at your own risk. AddictiveTips will not be liable if your device gets damaged or bricked during the process.

Gaining Radio S-OFF:

This method will get you the Radio S-OFF flag while SIM-unlocking it and setting up SuperCID, which means

  1. This method will root your phone for the process if it isn’t already rooted. If you just want to permanently root your phone, see our guide on how to permanently root HTC Desire HD instead.
  2. Make sure you have ADB installed on your computer. Also, if you have previously installed VISIONary on your phone in order to root it, uninstall it first before proceeding.
  3. Download Desire HD S-OFF Toolkit and unzip its contents to your computer.
  4. Enable USB Debugging on your phone from Settings > Applications > Development.
  5. Connect your phone to your computer via USB.
  6. Launch a Command Prompt/Terminal window on your computer, navigate to the folder where you extracted the files in Step 3 and enter the following commands:
    adb push su /sdcard/su
    adb push Superuser.apk /sdcard/Superuser.apk
    adb push rage /data/local/tmp/rage
    adb push busybox /data/local/tmp/busybox
    adb push root /data/local/tmp/root
    adb push gfree /data/local
    adb shell chmod 0755 /data/local/tmp/*
    adb shell chmod 777 /data/local/gfree
  7. Install Terminal Emulator app on your phone from the Android Market and launch it.
  8. Enter the following command in Terminal Emulator on your phone:
  9. In a while, you will see the output “Forked #### childs”. Now press ‘Menu’ and tap ‘Reset Term’ to exit Terminal Emulator.
  10. Launch Terminal Emulator again. You will notice that it force-closes. Don’t worry and just launch it again, and you should have a root shell indicated by the # prompt instead of $.
  11. Now enter the following commands in Terminal Emulator:
    /data/local/gfree -f

    If you get a ‘mkdir: /system/xbin already exists’ error during the process, ignore it and proceed.

  12. Wait patiently while the process finishes. Once it is complete, reboot your phone.

You should now have Radio S-OFF, SIM-unlock and SuperCID all set on your phone. If you just want to install ClockworkMod recovery and custom ROMs etc., you are all good to go and do not need to gain Engineering S-OFF. You may simply install ClockworkMod Recovery, find a custom ROM of your choice and flash it to your phone from recovery.

Gaining Engineering S-OFF:

You should attempt to gain Engineering S-OFF if and only if you want to gain absolute access to your Desire HD including the ability to flash a radio or edit all your phone’s partitions the way you want. If you are not absolutely sure what you are about to do, we recommend that you do NOT proceed.

  1. Make sure you have already gained radio S-OFF by following the above-mentioned steps.
  2. Download the Engineering HBoot for HTC Desire HD and extract the contents of the zip files.
  3. Enable USB debugging (if not already enabled) and connect your phone to the computer.
  4. On your computer, launch Command Prompt/Terminal, navigate to the folder where you extracted the files in Step 2 and enter these commands:
    adb push hboot-eng.img /data/local
  5. Finally, launch Terminal Emulator on your phone and enter these commands, being EXTREMELY careful not to make any mistake here:
    dd if=/data/local/hboot-eng.img of=/dev/block/mmcblk0p18

    Make sure to allow when Super User access is requested. Wait till the process is finished and you’re done!

You now have the Engineering S-OFF HBoot installed and with this, you have absolute control over your HTC Desire HD. You can now flash radios of your choice to your phone and have access to modify all its partitions as well as unbrick it in certain circumstances where no other method would revive your device.

[via CyanogenMod Wiki]

  • Pingback: Install MIUI Android 2.2.1 Froyo ROM On HTC Desire HD()

  • Sam

    There is an easy radio s-off tool available which does not require the use of terminal described in the third section of this guide:

  • Pingback: How To Permanently Root HTC Desire HD [Complete Guide]()

  • Pingback: How To Gain Radio & Engineering S-OFF On Telus HTC Desire HD()

  • macdre

    help please. terminal emulator says /data/tmp/root: not found when i type in the command.

    • Guide updated to include the missing files – my apologies for the inconvenience.

  • Khaled

    /data/local/tmp/gfree -f returuns module failed to power cycle eMMC

    any idea ?

    • Weird…worked flawlessly on our Desire HD. No idea what might be causing you that.

  • dan

    I am having trouble with rooting my HTC Desire HD. I am in Australia and this is basically what happened.

    1. I tried rooting the HTC Desire HD using VisionARY and everything appeared okay after the process.
    2. I installed the Terminal Emulator and entered ‘su’. It gave me permission and I got into the #drive.
    3. I now tried to gain S-OFF as I was aiming to flash Cyanogenmod, and apparently gaining S-OFF is a requirement to do this.
    4. I was told that VisionARy had to be uninstalled before proceeding. and I did
    5. I acquired ‘adb’ from the sdk from android developers. Everthing was fine. and the device is listed after typing “adb devices” in the terminal
    6. I unzipped the S-off kit for HTC DESire hd and followed all the prompt commands.
    7. Nothing happened.
    8. Now I tried to gain access to #drive via the terminal emulator and it denies.
    9. I even tried installing clockworkmod recovery and it fails..

    I did everything in the setup. But somehow my phone is “rooted” but not really…which probably causes all this problem.


  • Nuobus

    HI. I’m stuck @ step 6. What the hell do you mean with navigate to? Can you please explain this step?


  • Gerard

    Instead of installing Terminal Emulator, skip steps 7 to 10 and just use “adb shell”
    You can also just copy and paste all the text into command prompt

    adb push su /sdcard/su
    adb push Superuser.apk /sdcard/Superuser.apk
    adb push rage /data/local/tmp/rage
    adb push busybox /data/local/tmp/busybox
    adb push root /data/local/tmp/root
    adb push gfree /data/local
    adb shell chmod 0755 /data/local/tmp/*
    adb shell chmod 777 /data/local/gfree
    adb shell /data/local/tmp/rage
    adb shell /data/local/gfree -f
    adb shell sync
    adb shell /data/local/tmp/root
    adb shell sync

    Terminal Emulator always forced closed on me even before I ran any shell commands

  • robert

    i have a problem.. i get stuck with my htc at the point 10… i dont know what could i be doing wrong… i did everything correct even got the forked #### childs and everything… closed the aplication, opened it force closes.. and then when i try to open it again it wount open…. it just reeeeeeally slows my phone down and nothing eles… what could i do??? what am i doing wrong 🙁

  • robert

    my software number is 1.72 if that makes any difference?

    • nobody

      same problem as robert

      pls help

      • Chode


        D:\S-OFF toolkit>adb push su /sdcard/su
        821 KB/s (26248 bytes in 0.031s)

        D:\S-OFF toolkit>adb push Superuser.apk /sdcard/Superuser.apk
        1733 KB/s (27688 bytes in 0.015s)

        D:\S-OFF toolkit>adb push rage /data/local/tmp/rage
        5 KB/s (5392 bytes in 1.000s)

        D:\S-OFF toolkit>adb push busybox /data/local/tmp/busybox
        2044 KB/s (1926944 bytes in 0.920s)

        D:\S-OFF toolkit>adb push root /data/local/tmp/root
        5 KB/s (575 bytes in 0.109s)

        D:\S-OFF toolkit>adb push gfree /data/local
        2262 KB/s (722728 bytes in 0.312s)

        D:\S-OFF toolkit>adb shell chmod 0755 /data/local/tmp/*

        D:\S-OFF toolkit>adb shell chmod 777 /data/local/gfree

        D:\S-OFF toolkit>adb push su /sdcard/su
        1643 KB/s (26248 bytes in 0.015s)

        D:\S-OFF toolkit>adb push Superuser.apk /sdcard/Superuser.apk
        1733 KB/s (27688 bytes in 0.015s)

        D:\S-OFF toolkit>adb push rage /data/local/tmp/rage
        337 KB/s (5392 bytes in 0.015s)

        D:\S-OFF toolkit>adb push busybox /data/local/tmp/busybox
        2622 KB/s (1926944 bytes in 0.717s)

        D:\S-OFF toolkit>adb push root /data/local/tmp/root
        17 KB/s (575 bytes in 0.031s)

        D:\S-OFF toolkit>adb push gfree /data/local
        2154 KB/s (722728 bytes in 0.327s)

        D:\S-OFF toolkit>adb shell chmod 0755 /data/local/tmp/*

        D:\S-OFF toolkit>adb shell chmod 777 /data/local/gfree

        D:\S-OFF toolkit>adb shell /data/local/tmp/rage
        [*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C

        [*] checking NPROC limit …
        [+] RLIMIT_NPROC={4967, 4967}
        [*] Searching for adb …
        [+] Found adb as PID 1245
        [*] Spawning children. Dont type anything and wait for reset!
        [*] If you like what we are doing you can send us PayPal money to
        [*] so we can compensate time, effort and HW costs.
        [*] If you are a company and feel like you profit from our work,
        [*] we also accept donations > 1000 USD!
        [*] adb connection will be reset. restart adb server on desktop and re-login.

        D:\S-OFF toolkit>adb shell /data/local/gfree -f
        –secu_flag off set
        –cid set. CID will be changed to: 11111111
        –sim_unlock. SIMLOCK will be removed
        Section header entry size: 40
        Number of section headers: 44
        Total section header table size: 1760
        Section header file offset: 0x00015398 (86936)
        Section index for section name string table: 41
        String table offset: 0x000151df (86495)
        Searching for .modinfo section…
        – Section[16]: .modinfo
        — offset: 0x000011cc (4556)
        — size: 0x000000c4 (196)
        Kernel release:
        New .modinfo section size: 204
        Attempting to power cycle eMMC… Failed.
        Module returned an unknown code (Operation not permitted).

        D:\S-OFF toolkit>adb shell sync

        D:\S-OFF toolkit>adb shell /data/local/tmp/root
        killall: rage: no process killed
        mount: Operation not permitted
        mkdir failed for /system/xbin, File exists
        cp: can’t create ‘/system/xbin/busybox’: Read-only file system
        Unable to chmod /system/xbin/busybox: No such file or directory
        /data/local/tmp/root: /system/xbin/busybox: not found
        cp: permission denied
        cp: permission denied
        Unable to chmod /system/bin/su: No such file or directory
        mount: Operation not permitted

        D:\S-OFF toolkit>adb shell sync

        • Kancha


        • Sanna

          The same for me. Can someone help, pleeeease!?

  • Pingback: How To ENG S-OFF HTC Desire HD In One Click()

  • David Unlimbo

    Followed your complete guide & no problems. Desire HD completely controllable 🙂

    • sunny

      david plz tell me the meaning of navigate?

  • sunny

    what is the meaning of navigate?

  • Jayesh

    navigate means- in your computer go to the folder where you have extracted the files….. for eg. u extracted the files at d:\xyz folder but when you open the cmd then it opens in (XP)c:\doc and sett\ blah blah….. now navigate here means that you have to go to the D:\xyz in command prompt by typing d: and cd xyz(or whatever ur extracted folder is)

  • Nanda

    Same problem as Robert. the Terminal emulator does not open after force close and the phone is as dead as a dodo. Pls help.

  • Jack

    I get error: device offline 
    My device is on Disk Drive mode though

  • Input_Output

    Something strange happened. I used your guide to gain ENG-OFF on my Desire HD running stock 2.3.6 with some system apps removed. I already had S-OFF. When I rebooted the phone, it got stuck at the HTC bootscreen. I looked for a solution to this everywhere but couldn’t find one pronto. I restored from a Nandroid backup using CWM and it still got stuck at the HTC logo. I went inside recovery again and wiped data and cache and installed Paranoid Android’s 4.0.4 ROM from the SD Card. Got stuck on the Paranoid Android’s bootscreen. Went inside recovery again, wiped cache and data and rebooted the phone and it booted. Question is, is this method of turning Engineering Security off compatible with Gingerbread ROMs? If not, how can I get the stock HBOOT while running my custom ICS ROM? If that’s not possible, can I just revert to stock HBOOT even if that means going back to stock Gingerbread? If yes, how?

    • Kromander

      Did you flash the boot.img file? Extract it from the custom rom and flash it via ADB or Fastboot

  • gamerzx

    whoever made this post is an idiot! every god damn error in this tutorial was on my screen!!

  • JoeCondor

    Done, thank you! I was in “ace pvt ship s-off rl” and unable to flash radio or recovery. Now I gained eng s-off and everything is ok!