How To : Root The HTC Thunderbolt And Unlock The Bootloader
Posted: Mon Mar 21, 2011 6:16 pm
Original Post
Original Post Date - 3/21/2011
The amazing hackers in the Android community took on the HTC Thunderbolt the minute it was released and stumbled upon some not-so-exciting news. It had been completely locked down like no other HTC device in history. While many were quick to yell at HTC, I’m pointing fingers at Verizon and will save further comment for another time. The good news is, Team AndIRC and Scotty2 weren’t about to be stopped and permanently rooted it while also unlocking the bootloader and providing S-OFF.
So who’s ready for some TBolt unlocking? Before you say yes, you need to be thoroughly warned. This requires adb, a mega-list of commands and is one of the most intense rooting procedures I’ve seen in a long time. You are essentially, flashing old system software, unlocking the bootloader, and then re-flashing the release software with S-OFF to open your phone up. Again, this is intense and should only be attempted by those familiar with adb.
*This is not for beginners.
*Fully charge your device before proceeding.
*Read the entire list of instructions at least once through.
*I have not attempted this, but our man Picolas has with success.
*Again, this is not for beginners. This could brick your phone.
Step 1
First, download these files:
RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.01 03_2r_NV_8k_1.37_9k_1.52_release_165253 (md5sum : aae974054fc3aed275ba3596480ccd5b):
Multiupload mirror
GalaxySense mirror
DroidSite mirror
Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af):
Multiupload mirror
GalaxySense mirror
DroidSite mirror
Custom RUU mirrors (md5sum : aff07b8256628a175c40938d408fa16f):
Multiupload mirror
GalaxySense mirror
Step 2
Note that adb is required.
Push misc.img, busybox, and psnueter using the following commands:
- Code: Select all
adb push psneuter /data/local/
adb push busybox /data/local/
adb push misc.img /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
Step 3
This step will gain temp root and flash the custom misc.img. Run:
- Code: Select all
adb shell
Now the shell should display “$”.
Run:
- Code: Select all
/data/local/psneuter
You will now be kicked out of adb, and adb will restart as root. Let’s confirm the md5 of misc.img:
- Code: Select all
adb shell
At this point, the shell should display “#”.
Run:
- Code: Select all
/data/local/busybox md5sum /data/local/misc.img
Output should be “c88dd947eb3b36eec90503a3525ae0de.” If it’s anything else, re-download the file and try again.
Now let’s write misc.img:
- Code: Select all
dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
exit
Step 4
Here you will rename the downgrade RUU as PG05IMG.zip and place it on your SD card. Then, run the following command:
- Code: Select all
adb reboot bootloader
Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot. Once done, reboot and delete PG05IMG.zip from your SD card.
Set up the two part exploit, to gain root and unlock MMC.
Push wpthis, busybox, and psnueter:
- Code: Select all
adb push psneuter /data/local/
adb push busybox /data/local/
adb push wpthis /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
adb shell chmod 777 /data/local/wpthis
Step 5
Next, enter the following commands:
- Code: Select all
adb shell
/data/local/psneuter
To unlock eMMC:
- Code: Select all
adb shell
/data/local/wpthis
exit
Step 6
Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.
To push the eng bootloader:
- Code: Select all
adb push hbooteng.nb0 /data/local/
adb shell
/data/local/busybox md5sum /data/local/hbooteng.nb0
If the output does not match “6991368ee2deaf182048a3ed9d3c0fcb” exactly, stop, delete it, and re-download it. Otherwise, continue.
Now we will write the new bootloader.
- Code: Select all
dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18
Confirm proper write:
- Code: Select all
/data/local/busybox md5sum /dev/block/mmcblk0p18
If the output does not match “6991368ee2deaf182048a3ed9d3c0fcb,” try again; if it still doesn’t work, seek help from chat.andirc.net in channel #thunderbolt.
DO NOT REBOOT.
Now, reboot your phone and put the custom RUU (PG05IMG.zip) on your SD card. Then flash it. This will upgrade you to release firmware with an S-OFF bootloader.
Next, run this command:
- Code: Select all
adb reboot bootloader
After it flashes, you will be running release firmware with S-OFF.
Step 7
Push SU, busybox, and psneuter:
- Code: Select all
adb push psneuter /data/local/
adb push busybox /data/local/
adb push su /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
To gain root:
- Code: Select all
adb shell
/data/local/psneuter
The following will remount /system and set up SU:
- Code: Select all
adb shell
mount -o remount,rw -t ext3 /dev/block/mmcblk0p25 /system
/data/local/busybox cp /data/local/su /system/xbin/su
chown 0:0 /system/xbin/su
chmod 6755 /system/xbin/su
Step 8
Install Superuser fomr the Market
Reboot your phone. You should now have full root permissions.
Step 9
Finally, install ROM Manager and flash the ThunderBolt recovery.
If you have problems getting SU to work, a couple extra reboots will likely fix it. If you still have problems, come to the chat: irc.andirc.net #thunderbolt or use http://chat.andirc.net:9090/?channels=#thunderbolt.
And for those of you that have completed this, please leave any tips you can in the comments.