root,s-off,simunlock,superCID htc merge

  1. scotty85

    scotty85 Guides Guide

    try this:
    open your command window.
    cd c:\miniadb_merge
    adb shell
    rm /data/local/tmp/booms
    rm /data/local/tmp/sh

    then you should be at the miniadb_merge> prompt

    start the adb commands over from the beginning :)

  2. scotty85

    scotty85 Guides Guide

    well, the good news is that i was able to duplicate your situation. i ran zergrush twice, and it started rebooting like crazy :eek: pulled the battery and it powered on normally. tried to run zergrush again, and got the same error that's been hindering you.

    ran the above commands, then just ran /data/local/zergRush and it worked. found a froyo! sending zerglings, blah blah, lol.

    the first command may fail (it did for me) so don't let that discourage you. run the second, then run zergrush again.

    i've also got a verizon stock RUU and custom ruu now from backing up my system image, and i found a couple small errors in the guide (that i fixed). i'll get the ruus uploaded, and copies of my sessions up soon. for now, i'm tired. :eek:

    Code (Text):
    c:\miniadb_merge>adb push zergRush /data/local/
    735 KB/s (23052 bytes in 0.030s)

    c:\miniadb_merge>adb shell
    $ chmod 755 /data/local/zergRush
    chmod 755 /data/local/zergRush
    $ /data/local/zergRush
    /data/local/zergRush

    [**] Zerg rush - Android 2.2/2.3 local root
    [**] (C) 2011 Revolutionary. All rights reserved.

    [**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

    [-] Cannot copy boomsh.: Permission denied
    $ rm /data/local/tmp/booms
    rm /data/local/tmp/booms
    rm failed for /data/local/tmp/booms, No such file or directory
    $ rm /data/local/tmp/sh
    rm /data/local/tmp/sh
    $ /data/local/zergRush
    /data/local/zergRush

    [**] Zerg rush - Android 2.2/2.3 local root
    [**] (C) 2011 Revolutionary. All rights reserved.

    [**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

    [+] Found a Froyo ! 0x00015108
    [*] Scooting ...
    [*] Sending 149 zerglings ...
    [+] Zerglings found a way to enter ! 0x10
    [+] Overseer found a path ! 0x00015108
    [*] Sending 149 zerglings ...
    [+] Zerglings caused crash (good news): 0x401219e4 0x006c
    [*] Researching Metabolic Boost ...
    [+] Speedlings on the go ! 0xafd1598f 0xafd1adb3
    [*] Sending 149 zerglings ...

    [+] Rush did it ! It's a GG, man !
    [+] Killing ADB and restarting as root... enjoy!

    c:\miniadb_merge>adb shell
    # exit
    exit
  3. scary alien

    scary alien not really so scary Moderator


    I'm sure you might already know this, but 1-click root apps like Z4root, which uses the rageagainstthecage exploit, work best when run right after a fresh boot.

    I haven't followed or heard that this is also true of root apps that use the GingerBreak exploit (I've looked at the code for that...makes your head-spin), but I wonder if it would be more successful when run after a fresh boot, too.

    Just my two-cents ;).

    You're doing great stuff, by the way...I love reading your threads and seeing how helpful and informative you are!

    Thanks and cheers!
  4. B Rich

    B Rich Member

    I'm gettin' so close here! I'm literally on the last step. It's the /data/local/psneuter line where I get the error "Failed to set prot mask (Inappropriate ioctl for device)". And then I get the permission denied error when I try to do the adb shell.

    I also have 3 screen shots attached of my file setups (hoping I have everything right). I replaced the system file from that rom download and put it into the folder that is on the root directory. Yes, I know I have a couple of PD42IMG folders in there, but I wasn't sure where to put them exactly, so I figure why not name both places that and see if I get lucky, heh.

    Here is my code:

    Code (Text):
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Brian>cd c:\miniadb_merge

    c:\Miniadb_merge>adb shell
    $ rm /data/local/tmp/booms
    rm /data/local/tmp/booms
    rm failed for /data/local/tmp/booms, No such file or directory
    $ rm /data/local/tmp /sh
    rm /data/local/tmp /sh
    rm failed for /data/local/tmp, Is a directory
    $ exit
    exit

    c:\Miniadb_merge>adb devices
    List of devices attached
    SERIAL NUMBER HERE device

    c:\Miniadb_merge>adb push zergRush /data/local/
    1407 KB/s (23060 bytes in 0.016s)

    c:\Miniadb_merge>adb shell
    $ chmod 755 /data/local/zergRush
    chmod 755 /data/local/zergRush
    $ /data/local/zergRush
    /data/local/zergRush

    [**] Zerg rush - Android 2.2/2.3 local root
    [**] (C) 2011 Revolutionary. All rights reserved.

    [**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

    [-] Cannot copy boomsh.: Permission denied
    $ cd c:\miniadb_merge
    cd c:\miniadb_merge
    cd: can't cd to c:miniadb_merge
    $ adb shell
    adb shell
    adb: permission denied
    $ rm /data/local/tmp/booms
    rm /data/local/tmp/booms
    rm failed for /data/local/tmp/booms, No such file or directory
    $ rm /data/local/tmp/sh
    rm /data/local/tmp/sh
    $ exit
    exit

    c:\Miniadb_merge>cd c:\miniadb_merge

    c:\Miniadb_merge>adb devices
    List of devices attached
    HT15NM800494    device

    c:\Miniadb_merge>adb push zergRush /data/local/
    1876 KB/s (23060 bytes in 0.012s)

    c:\Miniadb_merge>adb shell
    $ chmod 755 /data/local/zergRush
    chmod 755 /data/local/zergRush
    $ /data/local/zergRush
    /data/local/zergRush

    [**] Zerg rush - Android 2.2/2.3 local root
    [**] (C) 2011 Revolutionary. All rights reserved.

    [**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

    [+] Found a GingerBread ! 0x00000118
    [*] Scooting ...
    [*] Sending 149 zerglings ...
    [+] Zerglings found a way to enter ! 0x10
    [+] Overseer found a path ! 0x000161e0
    [*] Sending 149 zerglings ...
    [+] Zerglings caused crash (good news): 0x401219c4 0x0054
    [*] Researching Metabolic Boost ...
    [+] Speedlings on the go ! 0xafd1997b 0xafd39a97
    [*] Popping 24 more zerglings
    [*] Sending 173 zerglings ...

    [+] Rush did it ! It's a GG, man !
    [+] Killing ADB and restarting as root... enjoy!

    c:\Miniadb_merge>adb push busybox /data/local
    2051 KB/s (1062992 bytes in 0.506s)

    c:\Miniadb_merge>adb shell
    # chmod 0755 /data/local/busybox
    chmod 0755 /data/local/busybox
    # dd if=/dev/block/mmcblk0p17 of=/sdcard/misc-stock.img bs=4096
    dd if=/dev/block/mmcblk0p17 of=/sdcard/misc-stock.img bs=4096
    64+0 records in
    64+0 records out
    262144 bytes transferred in 0.024 secs (10922666 bytes/sec)
    # /data/local/busybox md5sum /sdcard/misc-stock.img
    /data/local/busybox md5sum /sdcard/misc-stock.img
    f5c3a6a3d3a2644748e6d3004fd3bf12  /sdcard/misc-stock.img
    # /data/local/busybox md5sum /dev/block/mmcblk0p17
    /data/local/busybox md5sum /dev/block/mmcblk0p17
    f5c3a6a3d3a2644748e6d3004fd3bf12  /dev/block/mmcblk0p17
    # exit
    exit

    c:\Miniadb_merge>adb push misc-downgrade.img /sdcard/
    2151 KB/s (262144 bytes in 0.119s)

    c:\Miniadb_merge>adb shell
    # dd if=/sdcard/misc-downgrade.img of=/dev/block/mmcblk0p17
    dd if=/sdcard/misc-downgrade.img of=/dev/block/mmcblk0p17
    512+0 records in
    512+0 records out
    262144 bytes transferred in 0.176 secs (1489454 bytes/sec)
    # sync
    sync
    # adb reboot bootloader
    adb reboot bootloader
    adb: not found
    # adb reboot bootloader
    adb reboot bootloader
    adb: not found
    # sync
    sync
    #
    c:\Miniadb_merge>adb reboot bootloader

    c:\Miniadb_merge>adb push psneuter /data/local/
    2042 KB/s (585731 bytes in 0.280s)

    c:\Miniadb_merge>adb push busybox /data/local/
    2080 KB/s (1062992 bytes in 0.499s)

    c:\Miniadb_merge>adb push wpthis /data/local/
    1986 KB/s (679475 bytes in 0.334s)

    c:\Miniadb_merge>adb push gfree /data/local/
    1526 KB/s (134401 bytes in 0.086s)

    c:\Miniadb_merge>adb shell
    $ chmod 0755 /data/local/psneuter
    chmod 0755 /data/local/psneuter
    $ chmod 0755 /data/local/wpthis
    chmod 0755 /data/local/wpthis
    $ chmod 0755 /data/local/gfree
    chmod 0755 /data/local/gfree
    $ /data/local/psneuter
    /data/local/psneuter
    Failed to set prot mask (Inappropriate ioctl for device)
    $ adb shell
    adb shell
    adb: permission denied

  5. scotty85

    scotty85 Guides Guide

    thanks, scary, i had a great teacher (you) :D
  6. scotty85

    scotty85 Guides Guide

    ok... you are doing a great job with the adb commands, you just have a little confusion about what we're doing. it may help if i give a more detailed explanation of what the process is actually doing.

    we are using an exploit called "gfree" to turn the secure flag in the radio from "on" to "off", unlocking the sim card, and setting the carrier ID to "superCID" of 111111. the supercid will let you flash vzw, usc, or alltel firmware without the use of a gold card, unlocking the sim will let you use it on gsm networks (it has gsm and cdma radios, being a world phone).

    setting the secure flag off changes the s-on to s-off in your hboot screen, and is what we're after as far as rooting the phone. this means the phone is not doing any security checks, and we can now flash a custom recovery (or a custom ruu containing a custom recovery) that we can use to flash the files to have root access.

    unfortunately, gfree does not work on the current carrier firmwares. we have to downgrade to an old firmware in order to use the gfree exploit. this is what step "5) downgrade with adb" is doing. we rewrite part of the software that prevents us from going backwards in firmware versions, so we can flash the old vzw firmware. since you're on usc, it's also important here that your gold card is working, as it will allow you to flash the vzw firmware that isn't designed for your usc branded phone ;)

    at the end of step 5, you'll boot to fastboot, push power to select bootloader, and hopefully it will flash the old vzw firmware, which is this in the files you downloaded: VZW leak 1.23.605.1

    you'll let the phone flash this firmware, then boot it back up. once it's booted, you'll do the adb commands in step "6) gain simunlock, s-off, and superCID". when the gfree command is entered correctly, all these things will happen and you can cheer, pass out cigars, and open a bottle of wine :D the one little command /data/local/gfree -f does it, everything to that point is in preparation. but, everything up to that had to work.

    step "7) upgrade and root" is simply flashing your previous firmware back to the phone, just this time with a custom recovery that you can use to flash the "merge_su_eng_toolkit", which will give you root access.

    verizon folks needed to copy and mess with their system image because there is not a publicly available ruu for me to modify for them to use.

    you, on usc, have the luxury of not messing with that. :) i assume you chose usc gingerbread for your upgrade ruu- you don't have to mess with it at all.

    hopefully that helps clear things up a lil for you. :)
  7. scotty85

    scotty85 Guides Guide

    from what i can gather, you have not booted into the downgrade firmware (vzw 1.23.605.1). psneuter no longer works on gingerbread to gain root access, so that's why you're getting the failed error.

    all you need to do is basically un-do everything you did with the system images, lol.

    prior to doing step 5, you needed to have taken the "VZW leak 1.23.605.1", put it on your GOLD CARD, and renamed it PD42IMG. put the gold card in your phone, if it's not already in there. your phone needs to see "", may want to check it with astro file manager, or scary alien's AFV (which you can also use to verify its md5 sum :D) and make sure that's how it is.

    windows likes to add, and hide, file extensions, so if you're using windows, simply naming the file "PD42IMG" should result in the phone seeing it as ""

    you'll also want to make sure your gold card is formatted FAT32. if it's FAT, or anything else, the file is basically invisible to the phone :eek:

    so these 3 things are all needed to downgrade:
    1) VZW leak 1.23.605.1 renamed "" on your gold card
    2) gold card formatted FAT32
    3) gold card made correctly

    unfortunately, you can't really test #3, that i know of. just hope that it works when you get to that step. #1 and #2, however, you may save yourself a lot of headache by verifying them now, before starting the adb process again.

    so if you're a little confused after reading all that, here's what you need to do:
    1) undo all the system image moves you made. if you can't really remember what you moved where, just delete VZW leak 1.23.605.1 and your upgrade ruu and redownload them both

    2) basically start over at the 2nd part of step 4, making sure to do the checks i described above, so the downgrade will flash.

    3) just ignore the part of backing up your system image. i.e., omit this line: dd if=/dev/block/mmcblk0p25 of=/sdcard/system.img bs=4096 now that i have a vzw system image, i'll be removing it and tweaking the guide a lil.

    hang in there, you'll get it :)

    got some thanksgiving family shenanigans to attend, later this evening i'll try and get the guide reworked to be easier for the vzw folks, and get some copies of my sessions put up so folks can see what should happen when the commands are entered.
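The session posted above checks the misc backup by running busybox md5sum on the image and on the block device and comparing the two hashes by hand, and the checklist in the post above asks that the downgrade file's md5 be verified before it is flashed. The script below is an added example, not scotty85's guide or anything from this thread: it wraps those two checks in functions so the comparison cannot be skipped, refuses to keep a backup image whose hash does not match its source, and uses a constructed 256 KiB file in place of /dev/block/mmcblk0p17 so it runs on any machine. The function names (`backup_partition`, `verify_image`, `md5_of`) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): back up a partition to an image with dd, then
# verify the copy's MD5 against the source before trusting it, and verify a downloaded
# image against a known hash before writing it anywhere.

# MD5 of a file. Works with md5sum (GNU coreutils, busybox) and md5 (BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# backup_partition SRC DST: copy SRC to DST with dd (same bs=4096 as the session above),
# flush, then compare hashes. Returns 0 on a verified match. On mismatch the image is
# deleted so a corrupt backup can never be restored later by mistake.
backup_partition() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1
    sync
    src_sum=$(md5_of "$src")
    dst_sum=$(md5_of "$dst")
    if [ "$src_sum" = "$dst_sum" ]; then
        echo "verified: $dst $dst_sum"
        return 0
    fi
    echo "MISMATCH: $src=$src_sum $dst=$dst_sum (backup removed)" >&2
    rm -f "$dst"
    return 1
}

# verify_image IMG EXPECTED_MD5: true only if IMG hashes to the expected value.
verify_image() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# Constructed demo: a 64 x 4096 byte file (256 KiB, the same size as the misc dump in the
# session above) stands in for /dev/block/mmcblk0p17. Returns 0 if both checks pass.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/zero of="$tmp/fake-misc" bs=4096 count=64 2>/dev/null
    printf 'constructed misc partition contents' | dd of="$tmp/fake-misc" conv=notrunc 2>/dev/null
    expected=$(md5_of "$tmp/fake-misc")
    backup_partition "$tmp/fake-misc" "$tmp/misc-stock.img" && \
        verify_image "$tmp/misc-stock.img" "$expected"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On the phone the same functions would be called with the real device path (`backup_partition /dev/block/mmcblk0p17 /sdcard/misc-stock.img`), and `verify_image` with the hash published for the downgrade image; the point is that a flash only proceeds when the check returns 0.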
  8. B Rich

    B Rich Member

    Man I really appreciate all of your help scotty, that's awfully nice of you to help me out and walk me through all of this. However, I have Turkey Day festivities for most of the day so I won't be giving this another stab until probably tonight. I will most definitely be posting back with my findings though :D
  9. scotty85

    scotty85 Guides Guide

    guide tweaked a lil, no longer needed for vzw folks to back up their system image and create their own custom RUUs.

    added copies of my sessions, hopefully seeing the outputs helps.

    updated miniadb_merge to now include the updated zergRush. tested on 2.2 and 2.3.4

    vzw custom and stock RUUs are uploading... will add links when finished :)

    edit: verizon links added :)
  10. B Rich

    B Rich Member

    Just wanted to say I got the root working 100% now. Had some hiccups along the way but we got everything figured out. Scotty is an AWESOME guy and I couldn't have done it without him or this tutorial.

    Thanks again!
  11. B Rich

    B Rich Member

    Screenie for proof :p

  12. scotty85

    scotty85 Guides Guide

    glad i could help. screenie looks good :cool:
  13. chill0398

    chill0398 Active Member

    Okay, first off, this was my first ever attempt to root a phone. Probably why I made such a rookie mistake like this. Anywho, I managed to get perm root with the VZW custom ruu only to realize that it caused me to lose service with Bluegrass Wireless, who is my carrier. Then I restarted to try another one of the custom ruus and reformatted my gold card, losing my stock misc image and all my stock back-up. Can anyone please help? How do I get service back on my phone?
  14. scotty85

    scotty85 Guides Guide

    What did the boot animation look like when you turned the phone on? Did it have any other carrier references? Alltel, USC, vzw, etc...

    Is this a GSM or a cdma carrier? I've not heard of them...
  15. chill0398

    chill0398 Active Member

    Not 100% on this but I think it's cdma. Bluegrass is a small company in south central Kentucky that uses Verizon towers while roaming, and in return Verizon uses Bluegrass's towers within their small coverage area, which is why I thought the Verizon ruu would work. Btw the guide was great though and really easy to follow. Even for a nub muffin like me.
  16. chill0398

    chill0398 Active Member

    Also my sister owns the exact same phone with the exact same carrier. Is there some way I can restore my phone to stock using hers, or if I go through the process up to right before you flash the exploitable firmware and then use her stock misc image, can I continue through the process normally?
  17. scotty85

    scotty85 Guides Guide

    this process does not change the meid, min, esn, or any other essential part of the phone, so there isn't really any reason that it shouldn't still work. is there a sim card in the phone?

    my first instincts are that the service is dependent on the sim card, and that maybe doing the process with it in damaged the sim.

    if you do find a sim card, you can stick it in the other phone and see if your service works on it. that would tell us definitively that something happened during the process.

    failing that, i can definitely give you some directions to copy the system and boot images so you can restore the firmware that was on the phone, but again, i don't *think* it matters. i've run all the ruus on my vzw merge and it's worked just fine.

    are you near a wifi source to see if wifi works?

    if you could, please tell me the software version number, the baseband number, and the hboot number of your sister's working phone. that may help tell what ruu you'd need to use. :)
  18. chill0398

    chill0398 Active Member

    That actually makes a lot of sense, because I have heard that Bluegrass is dependent on their sim cards and I did use the one in my phone to make my gold card. I really appreciate the help, I will post the info from my sister's phone as soon as I can. We live in the same town but not with one another, so it may be a few days.
  19. chill0398

    chill0398 Active Member

    I also found this post: "Bluegrass Cellular doesn't use a SIM (subscriber information module) card. It uses CDMA technology which does not require a SIM card. Your phone may have a slot for a SIM card if it is a worldphone so that if it was used outside of the US, a SIM card would be put into it. However, if you want to get a new phone, you will need to get one directly from Bluegrass. Another carrier's phone won't work with your wireless number. The unlocked phones are GSM phones and they won't work with Bluegrass service. Just get a new phone from your carrier. That's really your only choice. If someone tried to sell you a phone that was flashed to Bluegrass, that may work, but you run the risk of it not working fully or not being able to access the internet, for example. I hope this helps."
  20. scotty85

    scotty85 Guides Guide

    it does tell us that bluegrass isn't using GSM networks, they are using CDMA.

    again, while the process did flash vzw firmware, we haven't changed any part of your phone that makes it a bluegrass device (mainly the ESN, MIN, or MEID), so it should still work just fine. if you look in settings/about phone, is your phone number still listed?

    you also might double check in settings/wireless + networks/mobile networks/preferred network and make sure it's set to CDMA. if it accidentally got set to GSM or global, that would make it not connect to the towers.

    if you have a number to program/activate devices, go ahead and call that (for example, verizon is *228)
  21. chill0398

    chill0398 Active Member

    I can connect to a wifi connection, and to clarify what exactly is wrong: I have service indicated up in the right hand corner of my phone, but when I try to send a message it fails to send and gives me Cause code : 64 and Error Class : 2. Sorry for all the posts and bothering you.
  22. chill0398

    chill0398 Active Member

    Nope my number is missing but it is set to CDMA.
  23. chill0398

    chill0398 Active Member

    I also called the Bluegrass activation number and it directed me to Verizon Wireless customer support.
  24. scotty85

    scotty85 Guides Guide

    oh wow... i can't imagine what happened. :confused: you are not bothering me, and i must apologize to you, since we had no idea something like this could happen. :eek:

    i will give you some commands to run on your sister's phone. you'll have to run zergrush to get temp root, then run a couple commands to back up her system, boot, and recovery images.

    then, if you could upload them to multiupload, i'll download them and put you together an ruu, then upload it for you to download. i can tell you how to modify it, but it may help other folks in the future for me to have it as well. plus i'd feel better flashing it on my phone before giving it to you, just in case ;)

    before we can do that, however, i do still need to know the info above, so we can back up other partitions if needed and not mix-n-match too much.

    i'm pretty sure you could call right now and have them re-activate it, but they may ask you for a firmware number (which will be wrong since you're on vzw firmware), and possibly to do a factory reset (which you'll have to do manually in recovery since you're not running the stock recovery now). if you want to deal with that, and see what happens, you can... but if you want, we'll get you back to 100% stock before doing it to minimize hassle and alerting them to possible warranty voiding ;)
  25. chill0398

    chill0398 Active Member

    Oh wow, so if I get you that info you can make a custom rom that will work with Bluegrass and root my phone? Will it fix the missing number problem as well? Or do I still need to restore it to factory and restart? I called my sister and got the info you need: software version number - 2.05.557.3, the baseband number - 12.39w.80.14u_1.08.00.0320, and the hboot number - 0.88.0000

