1. Home
  2. Mobile

How To Gain S-OFF (Radio And Engineering) On HTC Desire HD

HTC Desire HDWe have previously featured a guide on how to root HTC Desire HD and now, we are continuing this series with this comprehensive guide on gaining the S-OFF flag on your phone to gain complete control over it. This is basically done by installing a custom bootloader to the phone that has the S flag set to off, allowing you to install a custom recovery image and thus, flash a custom ROM to your phone.

After you are done with following this guide, you should have an HTC Desire HD ready for installation of ClockworkMod recovery that lets you flash hundreds of custom ROMs to your device while having full read-write access to all its partitions.

Edit: Some users were experiencing problems with this guide in the temporary rooting phase. That was due to the old package not containing all the necessary files. We have updated the guide with those files and it should work flawlessly now.

Note: This guide will NOT work for the Telus Desire HD. If you are a Telus subscriber from Canada and have a Telus branded Desire HD, see our guide on how to gain S-OFF on Telus Desire HD instead.

Disclaimer: Please follow this guide at your own risk. AddictiveTips will not be liable if your device gets damaged or bricked during the process.

Gaining Radio S-OFF:

This method will get you the Radio S-OFF flag while SIM-unlocking it and setting up SuperCID, which means

  1. This method will root your phone for the process if it isn’t already rooted. If you just want to permanently root your phone, see our guide on how to permanently root HTC Desire HD instead.
  2. Make sure you have ADB installed on your computer. Also, if you have previously installed VISIONary on your phone in order to root it, uninstall it first before proceeding.
  3. Download Desire HD S-OFF Toolkit and unzip its contents to your computer.
  4. Enable USB Debugging on your phone from Settings > Applications > Development.
  5. Connect your phone to your computer via USB.
  6. Launch a Command Prompt/Terminal window on your computer, navigate to the folder where you extracted the files in Step 3 and enter the following commands:
    adb push su /sdcard/su
    adb push Superuser.apk /sdcard/Superuser.apk
    adb push rage /data/local/tmp/rage
    adb push busybox /data/local/tmp/busybox
    adb push root /data/local/tmp/root
    adb push gfree /data/local
    adb shell chmod 0755 /data/local/tmp/*
    adb shell chmod 777 /data/local/gfree
  7. Install Terminal Emulator app on your phone from the Android Market and launch it.
  8. Enter the following command in Terminal Emulator on your phone:
    /data/local/tmp/rage
  9. In a while, you will see the output “Forked #### childs”. Now press ‘Menu’ and tap ‘Reset Term’ to exit Terminal Emulator.
  10. Launch Terminal Emulator again. You will notice that it force-closes. Don’t worry and just launch it again, and you should have a root shell indicated by the # prompt instead of $.
  11. Now enter the following commands in Terminal Emulator:
    /data/local/gfree -f
    sync
    /data/local/tmp/root
    sync

    If you get a ‘mkdir: /system/xbin already exists’ error during the process, ignore it and proceed.

  12. Wait patiently while the process finishes. Once it is complete, reboot your phone.

You should now have Radio S-OFF, SIM-unlock and SuperCID all set on your phone. If you just want to install ClockworkMod recovery and custom ROMs etc., you are all good to go and do not need to gain Engineering S-OFF. You may simply install ClockworkMod Recovery, find a custom ROM of your choice and flash it to your phone from recovery.

Gaining Engineering S-OFF:

You should attempt to gain Engineering S-OFF if and only if you want to gain absolute access to your Desire HD including the ability to flash a radio or edit all your phone’s partitions the way you want. If you are not absolutely sure what you are about to do, we recommend that you do NOT proceed.

  1. Make sure you have already gained radio S-OFF by following the above-mentioned steps.
  2. Download the Engineering HBoot for HTC Desire HD and extract the contents of the zip files.
  3. Enable USB debugging (if not already enabled) and connect your phone to the computer.
  4. On your computer, launch Command Prompt/Terminal, navigate to the folder where you extracted the files in Step 2 and enter these commands:
    adb push hboot-eng.img /data/local
  5. Finally, launch Terminal Emulator on your phone and enter these commands, being EXTREMELY careful not to make any mistake here:
    su
    dd if=/data/local/hboot-eng.img of=/dev/block/mmcblk0p18

    Make sure to allow when Super User access is requested. Wait till the process is finished and you’re done!

You now have the Engineering S-OFF HBoot installed and with this, you have absolute control over your HTC Desire HD. You can now flash radios of your choice to your phone and have access to modify all its partitions as well as unbrick it in certain circumstances where no other method would revive your device.

[via CyanogenMod Wiki]

29 Comments

  1. I stuck at this point any soution ..??

    adb: error: failed to copy ‘gfree’ to ‘/data/local/gfree’: remote Permission denied
    gfree: 0 files pushed. 80.9 MB/s (722728 bytes in 0.009s)

  2. Done, thank you! I was in “ace pvt ship s-off rl” and unable to flash radio or recovery. Now I gained eng s-off and everything is ok!

  3. Something strange happened. I used your guide to gain ENG-OFF on my Desire HD running stock 2.3.6 with some system apps removed. I already had S-OFF. When I rebooted the phone, it got stuck at the HTC bootscreen. I looked for a solution to this everywhere but couldn’t find one pronto. I restored from a Nandroid backup using CWM and it still got stuck at the HTC logo. I went inside recovery again and wiped data and cache and installed Paranoid Android’s 4.0.4 ROM from the SD Card. Got stuck on the Paranoid Android’s bootscreen. Went inside recovery again, wiped cache and data and rebooted the phone and it booted. Question is, is this method of turning Engineering Security off compatible with Gingerbread ROMs? If not, how can I get the stock HBOOT while running my custom ICS ROM? If that’s not possible, can I just revert to stock HBOOT even if that means going back to stock Gingerbread? If yes, how?

    • Did you flash the boot.img file? Extract it from the custom rom and flash it via ADB or Fastboot

  4. navigate means- in your computer go to the folder where you have extracted the files….. for eg. u extracted the files at d:\xyz folder but when you open the cmd then it opens in (XP)c:\doc and sett\ blah blah….. now navigate here means that you have to go to the D:\xyz in command prompt by typing d: and cd xyz(or whatever ur extracted folder is)

  5. Excellent!
    Followed your complete guide & no problems. Desire HD completely controllable 🙂
    Thanks.

    • Same….

      Log:
      D:\S-OFF toolkit>adb push su /sdcard/su
      821 KB/s (26248 bytes in 0.031s)

      D:\S-OFF toolkit>adb push Superuser.apk /sdcard/Superuser.apk
      1733 KB/s (27688 bytes in 0.015s)

      D:\S-OFF toolkit>adb push rage /data/local/tmp/rage
      5 KB/s (5392 bytes in 1.000s)

      D:\S-OFF toolkit>adb push busybox /data/local/tmp/busybox
      2044 KB/s (1926944 bytes in 0.920s)

      D:\S-OFF toolkit>adb push root /data/local/tmp/root
      5 KB/s (575 bytes in 0.109s)

      D:\S-OFF toolkit>adb push gfree /data/local
      2262 KB/s (722728 bytes in 0.312s)

      D:\S-OFF toolkit>adb shell chmod 0755 /data/local/tmp/*

      D:\S-OFF toolkit>adb shell chmod 777 /data/local/gfree

      D:\S-OFF toolkit>adb push su /sdcard/su
      1643 KB/s (26248 bytes in 0.015s)

      D:\S-OFF toolkit>adb push Superuser.apk /sdcard/Superuser.apk
      1733 KB/s (27688 bytes in 0.015s)

      D:\S-OFF toolkit>adb push rage /data/local/tmp/rage
      337 KB/s (5392 bytes in 0.015s)

      D:\S-OFF toolkit>adb push busybox /data/local/tmp/busybox
      2622 KB/s (1926944 bytes in 0.717s)

      D:\S-OFF toolkit>adb push root /data/local/tmp/root
      17 KB/s (575 bytes in 0.031s)

      D:\S-OFF toolkit>adb push gfree /data/local
      2154 KB/s (722728 bytes in 0.327s)

      D:\S-OFF toolkit>adb shell chmod 0755 /data/local/tmp/*

      D:\S-OFF toolkit>adb shell chmod 777 /data/local/gfree

      D:\S-OFF toolkit>adb shell /data/local/tmp/rage
      [*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C

      [*] checking NPROC limit …
      [+] RLIMIT_NPROC={4967, 4967}
      [*] Searching for adb …
      [+] Found adb as PID 1245
      [*] Spawning children. Dont type anything and wait for reset!
      [*]
      [*] If you like what we are doing you can send us PayPal money to
      [*] 7-4-3-C@web.de so we can compensate time, effort and HW costs.
      [*] If you are a company and feel like you profit from our work,
      [*] we also accept donations > 1000 USD!
      [*]
      [*] adb connection will be reset. restart adb server on desktop and re-login.

      D:\S-OFF toolkit>adb shell /data/local/gfree -f
      –secu_flag off set
      –cid set. CID will be changed to: 11111111
      –sim_unlock. SIMLOCK will be removed
      Section header entry size: 40
      Number of section headers: 44
      Total section header table size: 1760
      Section header file offset: 0x00015398 (86936)
      Section index for section name string table: 41
      String table offset: 0x000151df (86495)
      Searching for .modinfo section…
      – Section[16]: .modinfo
      — offset: 0x000011cc (4556)
      — size: 0x000000c4 (196)
      Kernel release: 2.6.35.10-g0956377
      New .modinfo section size: 204
      Attempting to power cycle eMMC… Failed.
      Module returned an unknown code (Operation not permitted).

      D:\S-OFF toolkit>adb shell sync

      D:\S-OFF toolkit>adb shell /data/local/tmp/root
      killall: rage: no process killed
      mount: Operation not permitted
      mkdir failed for /system/xbin, File exists
      cp: can’t create ‘/system/xbin/busybox’: Read-only file system
      Unable to chmod /system/xbin/busybox: No such file or directory
      /data/local/tmp/root: /system/xbin/busybox: not found
      cp: permission denied
      cp: permission denied
      Unable to chmod /system/bin/su: No such file or directory
      mount: Operation not permitted

      D:\S-OFF toolkit>adb shell sync

  6. i have a problem.. i get stuck with my htc at the point 10… i dont know what could i be doing wrong… i did everything correct even got the forked #### childs and everything… closed the aplication, opened it force closes.. and then when i try to open it again it wount open…. it just reeeeeeally slows my phone down and nothing eles… what could i do??? what am i doing wrong 🙁

  7. Instead of installing Terminal Emulator, skip steps 7 to 10 and just use “adb shell”
    You can also just copy and paste all the text into command prompt

    adb push su /sdcard/su
    adb push Superuser.apk /sdcard/Superuser.apk
    adb push rage /data/local/tmp/rage
    adb push busybox /data/local/tmp/busybox
    adb push root /data/local/tmp/root
    adb push gfree /data/local
    adb shell chmod 0755 /data/local/tmp/*
    adb shell chmod 777 /data/local/gfree
    adb shell /data/local/tmp/rage
    adb shell /data/local/gfree -f
    adb shell sync
    adb shell /data/local/tmp/root
    adb shell sync

    Terminal Emulator always forced closed on me even before I ran any shell commands

  8. I am having trouble with rooting my HTC Desire HD. I am in Australia and this is basically what happened.

    1. I tried rooting the HTC Desire HD using VisionARY and everything appeared okay after the process.
    2. I installed the Terminal Emulator and entered ‘su’. It gave me permission and I got into the #drive.
    3. I now tried to gain S-OFF as I was aiming to flash Cyanogenmod, and apparently gaining S-OFF is a requirement to do this.
    4. I was told that VisionARy had to be uninstalled before proceeding. and I did
    5. I acquired ‘adb’ from the sdk from android developers. Everthing was fine. and the device is listed after typing “adb devices” in the terminal
    6. I unzipped the S-off kit for HTC DESire hd and followed all the prompt commands.
    7. Nothing happened.
    8. Now I tried to gain access to #drive via the terminal emulator and it denies.
    9. I even tried installing clockworkmod recovery and it fails..

    I did everything in the setup. But somehow my phone is “rooted” but not really…which probably causes all this problem.
    HELP???

    thanks
    dan

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.