
Root [CDMA] No need to panic about 'locked' bootloader - HTC listened

novox77
UPDATE May 26:
HTC announces they will NOT lock the bootloader.
"There has been overwhelmingly customer feedback that people want access to open bootloaders on HTC phones. I want you to know that we've listened. Today, I'm confirming we will no longer be locking the bootloaders on our devices. Thanks for your passion, support and patience," Peter Chou, CEO of HTC
Phandroid response:
Behold, the Power of the Android Community: HTC to Unlock Future Bootloaders

For those of you who did your part and made your voice heard, kudos! For those of you who plan to buy an HTC phone, congratulations! Almost feels like one of those one-punch knockout fights. It's over already? :) Good job, HTC. Way to set a good example for the entire industry.


Historical stuff made obsolete by the news above:

This post may be deprecated by news on how HTC has changed things.

For the latest update on this issue, please see the post at -
http://androidforums.com/evo-3d-all...anic-about-locked-bootloader.html#post2725969

Posts immediately preceding and following that one may also shed some light on this.

The OP follows below, to be left in place until the issue is 100% resolved and clarified.


This thread applies to all existing HTC phones as of the date of this post.

Ever since mid-March, several sources online started to incite fear by reporting that someone discovered that the HTC Thunderbolt's bootloader was locked. Why would that be scary? Because we've all heard that Motorola's bootloaders are locked down, which severely limits how much you can do with a rooted phone, like flash custom ROMs. And Motorola has stated that it intends to do the same for all its future phones. Since the Thunderbolt's bootloader is locked and signed, does this mean HTC is now headed down the same path?

No.

The first thing to understand is that the initial fear mongering was due to a huge lack of understanding about the nature of bootloaders. I'm going to explain it here in a clean thread and hope to counter all this misplaced concern for anyone looking for clarification.

What the authors of these reports failed to realize was that almost ALL phones' bootloaders come locked and signed. Always have. The Thunderbolt's bootloader security is no different than any of its HTC predecessors including the Droid Incredible, Evo 4G, and many others. They simply confused a "locked" bootloader with Motorola's bootloaders, which are also locked, but the key difference is the encryption layer that prevents the Moto bootloaders from being unlocked. There's a huge difference between being locked and being unlockable.

In a full root, one of the main objectives is to unlock the bootloader so you can flash custom ROMs. Here is a high-level overview of what happens during a full root:

1) Find an exploit that tricks the phone into giving you temporary root privileges for that session. Typically some app has a vulnerability, and a root solution is available when a hacker finds an exploit.

2) Once a hacker has temp root, the superuser (su) binary is installed onto the system to make the root permanent. A user or app can simply call su to gain root privileges at will.

At this point, we've achieved a half-root. The phone is technically considered "root"ed. Now we move on to the juicy part of the root process: unlocking the bootloader.

3) The bootloader's stock firmware (HBOOT) can now be replaced with the pre-release Engineering version, which is a leaked HTC-signed image used when the phone firmware and OS was being developed. Since the image is properly signed, the bootloader accepts the firmware. The Engineering HBOOT comes with S-OFF, meaning it's unlocked by default (it makes sense that when the ROM is being developed, engineers wouldn't want to impose the lock on themselves). Once the bootloader is on the Engineering HBOOT, it is unlocked.

4) Now that the bootloader is unlocked (aka S-OFF, NAND unlocked), the factory recovery program is able to be replaced using the bootloader's fastboot flashing utility. Depending on the root method, you get either Clockworkmod or RA recovery, two widely available homebrew recovery programs.

5) With a custom recovery in place, you have the ability to flash images to various partitions that were previously protected by the bootloader, but now that the bootloader is unlocked, it essentially turns a blind eye to what the recovery image does.

Full root complete.


An encrypted bootloader means that the HBOOT image is cryptographically signed as opposed to an unencrypted signature. The only way to reproduce the encryption is with a very specific key, which is held by the manufacturer. Without the key, a custom HBOOT image cannot be signed in a way that the bootloader will accept it. So... no Eng HBOOT means S-ON remains (aka NAND locked, aka bootloader remains locked). Which means you can't ever have write access to key partitions of the filesystem that a custom kernel/ROM requires: /boot (kernel) and /system (Android OS). Furthermore, with Motorola bootloaders, there's something called an eFuse that checks to see if you've modified the bootloader. Assuming you do get the Eng HBOOT flashed, the eFuse may still kick in because of some checksum mismatch. Its job is to prevent the phone from booting into the OS when it detects that the bootloader has been tampered with.

So will the Evo 3D come with a locked and signed bootloader? Most likely. But does that mean anything of consequence? No. The Engineering HBOOT will be inevitably leaked, a hacker will discover a root exploit, and the Evo 3D will be fully rooted shortly after.

Is there a possibility that HTC starts encrypting their bootloaders like Motorola? Yes. But the Thunderbolt's bootloader is not a valid reason to think that HTC is considering this. In fact, HTC has done nothing to indicate it may suddenly decide to change its existing policies. So relax. Chances are very good that the Evo 3D will be rooted quickly with little fanfare.

Hopefully word of this thread gets around and can clear up all the FUD surrounding this issue.
 
A signed bootloader means that it requires its firmware (HBOOT) to be signed by a specific entity (in this case, HTC). It's just like a cashier checking your signature on the back of your credit card. Bootloader rejects the firmware image if it's not signed by the official source. All HTC bootloaders have required this signature. That's why if you take a look at any of the manual root procedures, you'll find that the Engineering HBOOT was a signed image. It's naturally signed by HTC because that's the firmware that was used while the phone was still under development. So it's a legitimate firmware; it just happens to be unlocked.

When 2.2 came to Evo 4G (a big deal back then because Evo would be the first phone to receive FroYo after Nexus One), a lot of people opted to flash the OTA update and give up their root. Some people did this intentionally, while others weren't aware they would lose their root.

People who lost their root had no way to get it back because the original exploit was specific to a vulnerability that existed in the 2.1 ROM, and it got fixed in 2.2.

So for what seemed to be an eternity (one month), people waited for hackers to find a NEW exploit in 2.2. Once they found it, people could root from 2.2*. And people still on 2.1 still had the option to root using the 2.1 exploit. Much later, unrEVOked came up with a universal root solution.

Sometimes, a root exploit can be found quickly. Sometimes it takes a while. Not really tied to the locked bootloader. For the bootloader to be unlocked, all you need is root access and a copy of an officially signed engineering HBOOT.

I'm making the assumption that the Eng. HBOOT is always leaked around the time the phone is launched, then the wait for a full root becomes just finding an exploit. If the reverse is true, then what you'll have is a half-root solution until someone can get a hold of the Eng. HBOOT, which is entirely possible.


*Technically, the root exploit for 2.2 was to downgrade you to 2.1, and from there, you could use the old exploits to root. Then, you would flash the rooted 2.2 stock ROM to get FroYo (which is what people should have done instead of accept an OTA update).
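A small model of the signed-HBOOT / S-ON / S-OFF mechanics the OP describes (the signed-firmware check in the "encrypted vs. signed" paragraphs and the flashing policy behind root steps 3-5), written as an added example and not code from the post, from HTC, or from any root tool. The OEM key, the image layout and the version strings are constructed for illustration, and an HMAC tag stands in for the real RSA signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed "manufacturer signing key". A real device checks an asymmetric
# (RSA) signature against a public key fixed in the phone; HMAC stands in
# here so the model runs on the standard library alone. Not a real HTC key.
OEM_KEY = b"constructed-oem-signing-key"

S_OFF, S_ON = 0, 1                          # security flag carried inside the HBOOT image
TAG_LEN = hashlib.sha256().digest_size      # 32-byte signature stand-in
PROTECTED = {"boot", "system", "recovery"}  # partitions an S-ON HBOOT refuses to write


def build_hboot(version: str, s_flag: int, code: bytes, key: bytes = OEM_KEY) -> bytes:
    """Produce a signed HBOOT image: 16-byte version || 1-byte S flag || code || tag."""
    body = version.encode().ljust(16, b"\0") + struct.pack("B", s_flag) + code
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_hboot(image: bytes, key: bytes = OEM_KEY):
    """Bootloader-side signature check. Returns (version, s_flag) for an image
    signed with the OEM key, or None: a forged or patched image is refused.
    Note there is no version/rollback check, which is exactly why an older,
    genuinely signed engineering image is accepted just like the stock one."""
    if len(image) < 17 + TAG_LEN:
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body[:16].rstrip(b"\0").decode(), body[16]


def flash_allowed(s_flag: int, partition: str) -> bool:
    """fastboot policy: S-ON refuses protected partitions, S-OFF lets them through."""
    return s_flag == S_OFF or partition not in PROTECTED


def scenarios() -> dict:
    """Four images, as in the thread's account: stock (signed, S-ON), the leaked
    engineering build (signed, S-OFF), a homebrew build signed with the wrong key,
    and the stock image with its S flag patched to S-OFF but the old tag kept.
    Each result is (version, s_flag, may_flash_system) or None if rejected."""
    stock = build_hboot("1.47.651.x", S_ON, b"stock hboot code (constructed)")
    eng = build_hboot("ENG-constructed", S_OFF, b"engineering hboot code (constructed)")
    homebrew = build_hboot("custom", S_OFF, b"homebrew hboot", key=b"not-the-oem-key")
    patched = bytearray(stock)
    patched[16] = S_OFF                     # flip the flag; the signature is not regenerated
    results = {}
    for name, img in [("stock", stock), ("eng", eng), ("homebrew", homebrew), ("patched", bytes(patched))]:
        checked = verify_hboot(img)
        results[name] = None if checked is None else (checked[0], checked[1], flash_allowed(checked[1], "system"))
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, "rejected" if outcome is None else f"version={outcome[0]} s_flag={outcome[1]} flash_system={outcome[2]}")
```

Only the two OEM-signed images pass the check, and only the engineering one (S-OFF) is then allowed to write /system; the homebrew image and the flag-patched stock image are both refused, which is the "locked and signed, but unlockable with a leaked signed image" situation the OP lays out.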
Hi, I'm new to HTC phones and Sprint (or will be once the 3D is released), so please excuse my ignorance.

I have a Droid X, so I have the locked bootloader. But it really seems like a curse and a blessing. A curse because the phone isn't fully customizable. A blessing because no matter what we do to our phones, it is nearly impossible to brick it. We can always flash the latest OTA update at our bootloader and return it to complete stock.

So my question is, is this true with unlocked bootloaders? I see people screaming in various droid forums that they bricked their phones, which is as likely as being struck by lightning three times while in a bomb shelter. Are unlocked bootloaders equally unlikely to be bricked?
Welcome to the forums!

You have an encrypted (in addition to locked) bootloader.

From what I've seen by visiting the many device forums here, bricking a phone is usually the result of someone rushing into root and not reading first before clicking away at the mouse. (And the majority of "bricked" complaints aren't really that, and get recovered - bricks are non-recoverable.) The typical case is someone attempting to use a rom or update intended for a different model of phone - or deciding that the instructions don't apply to them, they can just wing it and then ask the same questions in multiple forums without listening to replies.

Bricking is rare indeed for those that read and follow instructions to the T.
Thank you! I look forward to rooting and possibly ROM'ing whenever the 3D comes out. I've also learned the value of reading the instructions 2-3 times to make sure things are clear. But I always like how I had a fall back plan no matter what I did, because we couldn't tinker with the bootloader. Good to know HTC phones are as unlikely to be bricked as the Moto phones.
I'll second what EarlyMon said. The typical brick you read about is simply the user not knowing how to recover. The more you learn about the process, the more situations you'll learn how to recover from.

I got stuck in a boot loop yesterday trying out a ported ROM from an unreleased HTC phone. If I didn't know how to recover, I could claim my phone was bricked.

Rooting community is extremely active for HTC phones, so there will be a lot of people around here to help if you do end up in a weird state. Chances are, we've seen it before and can get you out of it. No fear! :)
While I still maintain that locking/encrypting is stupid and pointless, until there's a reason to panic, I don't know why people are doing so. I believe the TBolt was the same way, and yes, while it was apparently "lucky" that they were able to root/unlock custom rom ability, who's to say that that won't just continue happening?

Anyway, I'll panic when there's a bit more to panic about, instead of just jumping way ahead to something that may be a complete non issue.
Bummer – Latest HTC Sensation System Dump Reveals Signed Bootloader, Custom ROM Support Is In Danger | Android News, Reviews, Apps, Games, Phones, Tablets, Tips, Mods, Videos, Tutorials - Android Police

It does look like they are trying to lock down the current lineup of phones, but I really think this is carrier enforced, not HTC enforced.

As long as they want to force this issue, there will be people that are trying to work around it. All we have to do, as a community is make sure the people that get the work around get something out of it. Yes, that means donate.
If it's not carrier-enforced, then I'd love to know how Google got their Nexus S going on two carriers. Not being sarcastic.

And it's not even the locked that matters - the pain in the neck comes from the signed part (and evil with the Motorola encryption). As I mentioned earlier, even the Nexus is locked, you just unlock it with a simple command from adb.

If the carriers are ok with that with the Nexus why not with other phones?

Because the other phones have carrier bloatware locked in, maybe, I guess, and Google controls the updates.

Speaking of which - locked/signed as a carrier measure for QA is an emperor without clothes if Google gets to push updates without the carriers' involvement - and they do.

IMO - it's all baloney, is what it is.
Because the other phones have carrier bloatware locked in, maybe, I guess, and Google controls the updates.

I'm sure manufacturer and carrier share the kickback from the companies producing the bloatware. Google simply doesn't want/need the kickback. Google only cares about the Android experience and mass adoption of the platform. If Google refuses the carrier kickback, the carrier has no leverage. Given that Android is so hot right now, no carrier would risk denying a Nexus phone in an attempt to leverage Google to allow crapware and impenetrable bootloaders.

So... HTC, Samsung, Motorola, et al sold out. As long as locking the bootloader has minimal impact to sales, why not enjoy the extra kickback... That's what I think is their viewpoint, anyway.

I'm not sure what Motorola's intentions are with the uber security on the bootloader. I don't think it's about the carrier crapware. They just have this fundamental 'no hacking our hardware' policy. Surprised that Apple doesn't do the same on their iDevices.
If it's not carrier-enforced, then I'd love to know how Google got their Nexus S going on two carriers. Not being sarcastic.

In my opinion, Google undershoots the hardware specs on the Nexus. They simply don't create a good enough phone to make it a wide seller. The hardware is simply not able to cut it in a world of 4.3" screens and dual core processors. Yes, you get an unlocked phone, but at a serious hardware hit.

Sprint is the only carrier that carries it in store. Which means if you never heard of it, you would not really have access to it. You can get it online and at Best Buy, but for the normal person, they would look at the current hardware specs and just move on.

I really wanted to get the Nexus S, but Samsung has been in a quality slump right now. If you get HTC to build the Nexus, like the original, I would really buy the phone in a heartbeat.


But for the high end tech user, they will get the better hardware and root. For the average user, they would simply go with marketing and sales, which will move away from the Nexus.

Take the HTC Evo 3D and sell it rooted, you could not keep it on the shelves.
This thread applies to all existing HTC phones as of the date of this post.

Ever since mid-March, several sources online started to incite fear by reporting that someone discovered that the HTC Thunderbolt's bootloader [....]

Hi there ^^. Thanks for the informative post, I've learnt a great deal about bootloaders and stuff from it :). However, I'd like to ask why so many great names in the dev scene are reacting so badly to these sightings of signed bootloaders, kernels, radios and recoveries... people like Paul O'Brien, Cyanogen and several members of Teamdouche. I mean... maybe I misunderstood, but it seems to me that what you are saying is that what is happening is basically the same old post-Desire story, and once an exploit is found there will be a way to gain root and S-OFF without the need for XTC clips... free, easy and revertible (for warranty purposes, and unlike the XTC clip way). I've read that the old exploits no longer work, that the Thunderbolt team got lucky because they managed to downgrade the phone to a vulnerable RUU, and the same thing cannot be done for the Desire S and Inc S because no such RUUs have surfaced... for now at least. So, again, why are "gurus" reacting so badly to this whole "signed" matter and not just saying "we need new exploits" if the situation were "all peachy"? I don't mean to challenge what you said, I am just sincerely curious and a bit confused.

(with "reacting so badly" I'm referring to many tweets available to anyone for reading, just to be precise)
Just because a bootloader is simply locked and signed doesn't mean that it's easy to crack. And it's not really the bootloader that's the problem; it's the ROM: finding an exploit. There is a risk that a particular stock ROM comes without any vulnerabilities to achieve that "temp root" state I mentioned in the OP. I don't actually have much insight into the rooting histories of other HTC phones, but the process is the same. I'll share with you what happened on the Evo 4G:

First root exploit (toast's method) was found on 1.32.651.x. This was the ROM that was on the Evo when it was given away at Google IO last year. By the time the phone was made public, an OTA update was available: 1.47.651.x. This update fixed the original exploit, so people who had this version could no longer apply the old root method for unlocking the bootloader. Meanwhile, some rooted users on 1.32 accepted the 1.47 update, causing them to lose root, and in rare circumstances, they bricked their phone. That's when all the devs really pushed the message NOT to accept an OTA if you're rooted. Fortunately a NEW exploit was found quickly on 1.47, so the impact was minimal. Most people never had 1.32 to begin with, so they never experienced losing root to an OTA.

Froyo (3.26.651.x) was different. It was a tough nut to crack, and a lot of people got screwed thinking a root exploit would be found quickly. In the end (about a month's wait), they were able to downgrade people back to 2.1 so people could use the 1.47 exploit. People who retained root on 1.47 had no issues flashing a rooted stock Froyo ROM (which was available the same day the OTA came out, further emphasizing "don't accept OTA updates"). Later, unrevoked.com discovered a way to unlock the bootloader without needing the engineering HBOOT firmware.

Whether or not the unrevoked S-OFF method works on all HTC phones is up in the air. I suspect not, given the list of HTC phones unrevoked supports. Which means we're back to the traditional way of rooting: break in as su and then force the bootloader to accept a leaked engineering HBOOT. For the phones that currently still are locked, it could be a few things:

1) No root exploit has yet been discovered. Give it time; there's almost always a hole somewhere. Persistence pays off.
2) No way to just flip the S-ON/OFF switch via the unrevoked method.
3) No engineering HBOOT has been leaked for the phone in question.

But I remember distinctly telling people not to unroot (flash OTA Froyo) lightly; there's always a chance the new version is hard to crack, and who knows how long you'll wait before a new root exploit is found. It could be that the Desire S and Inc S are just hard nuts to crack. And/or unlocked firmware hasn't been leaked yet.

I would think devs curse at locked and signed bootloaders out of principle; they think we shouldn't have to hack our way into hardware we purchased. I don't think they are saying that HTC is becoming MORE secure with how they lock things down. Post some example tweets if you have them.