[GUIDE] Facepalm S-Off for HTC One S


  1. agentc13

    agentc13 Daleks Über Alles VIP Member

    This is a step-by-step guide to Facepalm S-Off for your HTC One S.

    First and foremost I got the information for all of this from this thread on xda. All credit goes to those folks (see specifics below), they put in a lot of time and hard work to get this to happen.

    Credits and terms:
    Exploit by beaups, full guide on xda, testing, and concept by jcase and beaups. Thanks to dsb9938 and dr_drache for support and testing. Thanks also to all of the regulars at teamandirc.

    If you found this useful, donating to the folks who made it possible is a very good idea. The links are as follows:
    beaups - m7forsoff@gmail.com - Donate
    jcase - jcase@cunninglogic.com - Donate
    dsb9938 - cubedrom@hotmail.com -Donate
    dr_drache - biomatrix@gmail.com - Donate

    You can also come by their irc channel for support or just to say thanks: #FacePalm http://chat.andirc.net:8080/?channels=facepalm

    DISCLAIMER:
    Please be careful!

    After S-Off, you can now have complete control of your phone. You can change whatever you want since its not doing ANY security checks at all. As such you have a much greater responsibility to know what your flashing and why, and that your files are 100% unmolested and uncorrupt.

    Please be aware that a bad bootloader or radio flash can and will brick your phone, possibly beyond recovery.

    You do not any longer have the S-On safety net of HTCdev.

    S-Off is awesome, I just want everyone to realize the the seriousness that goes along with this. Have fun flashing ROMs and splash screens, but be extremely cautious/careful with the important parts of your device.

    • Make sure you know what your flashing, and why
    • Make sure you have an md5 summer and use it.
    • If you just asked "What's an md5??" then check out this thread.
    • Make sure you are completely comfortable with all procedures for things you do.

    Last and not least, please ask any questions BEFORE your phone makes a short little buzz, shuts off, and won't come back on.

    I'm not trying to scare anyone into staying S-On, I just want everyone to use caution and have safe, happy flashing.


    You will need to have a working adb and fastboot environment for this, if you don't please see this post to set that up. This method will work on any operating system that supports adb and fastboot.

    Lastly, the work herein should not be stolen, repackaged, one clicked, bat’d, etc. soffbin3 is not GPL and may not be reused, integrated into other work, reposted, or redistributed without our permission. It was used here with permission from beaups.

    For this to work, you must be rooted and have SuperCID. If you try this process without superCID, it will not work, and you may have issues! If you do not already have root or SuperCID please see the following posts for instructions: http://androidforums.com/one-s-all-things-root/543328-how-unlock-bootloader-install-recovery-root-your-htc-one-s.html and http://androidforums.com/one-s-all-things-root/690970-guide-supercid.html.

    Once you have confirmed you have SuperCID, then it is time to get started with S-Off. Please read through this first so you understand it all before jumping in! Note: In the process/screenshots I used the working directory is C:\sdk-tools, if yours is different you will need to adjust accordingly.

    S-Off for your HTC One S:
    1.) Download the patcher and unzip it in your working directory:
    Dev-Host - soffbin3.zip Mirror Goo.im - soffbin3.zip

    2.) Find model id (open a terminal window or command prompt and leave open for further commands):
    [HIGH]adb shell getprop ro.aa.modelid[/HIGH]

    [​IMG]

    3.) Download zip that matches your model id and move it in your working directory (do not unzip it!): OneS PJ4010000-OneS.zip Dev-Host - PJ4010000-OneS.zip Mirror Goo.im Downloads - PJ4010000-OneS.zip

    4.) Enter the following:
    [HIGH]adb reboot bootloader[/HIGH]
    (wait for bootloader)

    [​IMG]

    5.) Enter the following:
    [HIGH]fastboot oem rebootRUU[/HIGH]
    (wait for black HTC Screen)

    [​IMG]

    6.) Enter the following:
    [HIGH]fastboot flash zip PJ4010000-OneS.zip[/HIGH]
    After a while, You should see the following error “FAILED (remote: 92 supercid! please flush image again immediately)”

    [​IMG]

    7.) Immediately issue the following command:
    [HIGH]fastboot oem boot[/HIGH]
    You may see some errors, just wait for the device to boot into Android (only now, you should be booted into Android with no eMMC write protection of any kind active).

    [​IMG]

    8.) Issue the following 3 commands to update the security partition with S-off flags (one command at a time!):

    [HIGH]adb push soffbin3 /data/local/tmp/
    adb shell chmod 744 /data/local/tmp/soffbin3
    adb shell su -c "/data/local/tmp/soffbin3"[/HIGH]
    (wait for a few seconds)

    9.) Enter the following:
    [HIGH]adb reboot bootloader[/HIGH]

    [​IMG]

    10.) You should now have S-Off!!!

    11.) ENJOY!!

    Thanks again to everyone who developed this method! All credit goes to those folks (see specifics below), they put in a lot of time and hard work to get this to happen.

    Credits and terms:
    Exploit by beaups, full guide on xda, testing, and concept by jcase and beaups. Thanks to dsb9938 and dr_drache for support and testing. Thanks also to all of the regulars at teamandirc.

    You can also come by their irc channel for support or just to say thanks: #FacePalm http://chat.andirc.net:8080/?channels=facepalm

    Advertisement
    cheekychops67 and scotty85 like this.
  2. razvan06

    razvan06 Well-Known Member

    I actually did this this morning, i even posted it...
    It worked for me without some steps. I think the .zip that they are telling you to install upgrades you to the last ver of bootloader and this is why it failed for me, but managed to get supercid after changing it to "HTC__001" and "the almighty" s-off !

    So .... after doing s-off i'm not really that excited about it bc i do not experiment any more, but still it's a good thing !



    P.S. : I can guarantee that the steps posted here will NOT brick your phone IF you pay ATTENTION to what they tell you !
    agentc13 likes this.
  3. agentc13

    agentc13 Daleks Über Alles VIP Member

    It doesn't change your bootloader.

    I was on 1.09 (and still am) for the whole process.
    scotty85 likes this.
  4. razvan06

    razvan06 Well-Known Member

    It was just a guess since the firmware that i tried to install failed... Who knows what went wrong..
  5. scotty85

    scotty85 Guides Guide

    i actually had the same thing happen :eek:

    PJ41010000 is the firmware portion of the european JB OTA. im not sure what what all factors are in order for this fluke to occur. it could be having disabled write protect from a previous failed attempt. during one of the attempts, PJ41010000 installed instead of failing with a 92 or 99 error,and while i watched in horror,i saw hboot 2.15 and the JB baseband being installed in the cmd window.

    it will only install hboot and radio,then fail with a "flush again" error message,wich i would not recomend doing. your current rom should still boot with hboot 2.15,it may not if you install the rest of the package as it contains a new boot image and recovery,among other things.

    if this accidentally happens to you dont stress too much about it,just keep working at s off,as achieving it is the only way to get away from hboot 2.15 and have RUUs you can run in the event of small disasters.

    just a couple tips:
    -be on viperrom 2.0 when you try this. alot of failures and fustrations(myself included) were finally overcome by simply flashing this rom.
    -if you get the 99 error instead of 92,try relocking,then reunlocking the bootloader. if it wont relock,power down,unplug,boot to hboot,select fastboot,replug. should work that time

    thanks ac13 for the great screenshots :smokingsomb:
    agentc13 likes this.
  6. razvan06

    razvan06 Well-Known Member

    I forgot to mention that i was on 2.15 before i did the "update" again, did not know exactly if i SHOULD or not.. so i did it ...once ...it failed after installing 2 parts and never tried again.
    After that i figured that S-OFF will fail... but it did not ! ..i'm just happy :D
  7. Altaone

    Altaone Well-Known Member

  8. scotty85

    scotty85 Guides Guide

    That is the 1 you need. The first post use to also contain zip files for the other phones.
  9. cicciocant

    cicciocant Active Member

    I post my experience.

    This is my initial situation:

    [HIGH]C:\HTC\Data>fastboot getvar all
    (bootloader) version: 0.5
    (bootloader) version-bootloader: 2.15.0000
    (bootloader) version-baseband: 1.11.50.05.28
    (bootloader) version-cpld: None
    (bootloader) version-microp: None
    (bootloader) version-main: 3.16.161.9
    (bootloader) version-misc: PVT SHIP S-ON
    (bootloader) serialno: xxxxxxxxxxxxxxxxxxxxx
    (bootloader) imei: xxxxxxxxxxxxxxxxxxxxxx
    (bootloader) product: vle
    (bootloader) platform: HBOOT-8960
    (bootloader) modelid: PJ4010000
    (bootloader) cidnum: VODAP102
    (bootloader) battery-status: good
    (bootloader) battery-voltage: 3769mV
    (bootloader) partition-layout: Generic
    (bootloader) security: on
    (bootloader) build-mode: SHIP
    (bootloader) boot-mode: FASTBOOT
    (bootloader) commitno-bootloader: dirty-64bedd38
    (bootloader) hbootpreupdate: 11
    (bootloader) gencheckpt: 0[/HIGH]

    So I was just in jellybean ROM.

    I did SuperCID and S-OFF and all is ok.

    I returned to my CID VODAP102 and flashed thiis OTA: OTA_Ville_U_JB_45_S_Vodafone_UK_3.16.161.10-3.16.161.9_release_314595ks2c3r4s9728x22k

    Now I'm in this situation:

    [HIGH]C:\adb>fastboot getvar all
    (bootloader) version: 0.5
    (bootloader) version-bootloader: 2.15.0000
    (bootloader) version-baseband: 1.15.50.05.29
    (bootloader) version-cpld: None
    (bootloader) version-microp: None
    (bootloader) version-main: 3.16.161.10
    (bootloader) version-misc: PVT SHIP S-OFF
    (bootloader) serialno: xxxxxxxxxxxxx
    (bootloader) imei: xxxxxxxxxxxxxxx
    (bootloader) product: vle
    (bootloader) platform: HBOOT-8960
    (bootloader) modelid: PJ4010000
    (bootloader) cidnum: VODAP102
    (bootloader) battery-status: good
    (bootloader) battery-voltage: 3862mV
    (bootloader) partition-layout: Generic
    (bootloader) security: off
    (bootloader) build-mode: SHIP
    (bootloader) boot-mode: FASTBOOT
    (bootloader) commitno-bootloader: dirty-64bedd38
    (bootloader) hbootpreupdate: 11
    (bootloader) gencheckpt: 0
    all: Done![/HIGH]

    S-OFF is still present.
    Writecid is still possible.
  10. cheekychops67

    cheekychops67 New Member

    I was having difficulty with the last adb shell command for a while, the su command was not found, so I tried updating my path to /system/bin:/system/xbin. This made the command execute but the S-OFF was still unsuccessful.

    The final trick that made it work was executing the "su -c /data/local/tmp/soffbin3" command in a terminal window on the device itself.
    scotty85 likes this.
  11. Hello friends,
    does any one knows where to find S-off file for PJ4020000 model ?

    Thank you in advance !
  12. scotty85

    scotty85 Guides Guide

    wich file? soff.bin will be the same,and the other file just needs to be a signed file from htc. easiest place to find one would be firmware.zip from an OTAPkg.

    have you successfully superCIDed? lots of phones are now write protected,so that that part no longer works.

    if youve unlocked,added a recovery and superuser,you can also try rumrunner or firewater(you may also need to install a custom rom with an insecure kernel)

    http://rumrunner.us/

    firewater s-off
  13. Thanks for reply scotty.
    I'm pretty new with all this, so I'm still learning a lot of stuff.

    One I can say surely, I didn't superCIDed my One S, and I suppose it need to be done before S-off process, am I right ?

    Phone is unlocked, rooted.
  14. scotty85

    scotty85 Guides Guide

    supercid is neccessary for facepalm. it is NOT neccesary for the other 2 i linked :)
  15. Ok, but as far as I can see, I need to have my phone "live" with Android, and in my case - not possible :(
  16. scotty85

    scotty85 Guides Guide

    What do you mean live? Your phones are not on an active network? Or the phone is not booting?

    If the former,that does not matter,you can use WiFi for a data connection. If the latter,yes you will need the phone to boot.
  17. Unfortunately second one, phone is not booting.
    scotty85 likes this.
Loading...

Share This Page