
Root [FAQ] S-Off FAQ

agentc13
Aug 31, 2011
Since we now have S-Off for the HTC One S, I believe some people may have questions about it (what it is, how it helps us, etc). So the purpose of this thread is to answer as many of those as we can. Scotty85 wrote up an excellent guide (for the Evo 3d) here. I am borrowing from that so there is an easy to reference thread here in the One S section, but much of the info is pulled directly from that post and modified for info relating just to this device.

This will be a work in progress for a little while until I get everything straightened out. Please feel free to add or correct anything and I will update this.
 
What exactly is S-Off?


The simple answer is "security-off" on the normal checks that the phone does before it allows you to change different partitions, or revert to an older software/firmware combination.

More specifically, what the S-Off procedure gives the device is a "Radio S-Off" by changing a setting in the radio NVRAM called the "secure flag" to "off". This method of S-Off is ideal, as it is below the radio level of the phone, and will remain no matter what other changes are made. Radios, hboots, etc. can all be changed and the radio secure flag will remain off.

RUU's can be run, OTA's accepted, etc. and the S-Off will stay, until it is purposely changed.

Other devices use a "patched" hboot, which is basically an hboot that does not listen to the radio secure flag. The radio secure flag is still s-on; the patched hboot simply ignores it. These hboots can be further patched to prevent themselves from being overwritten, so the S-Off is not lost during an RUU or OTA. With older phones, this works fine until a new hboot is required for an OS upgrade. With the new devices (including the One S), this type of S-Off is not possible (or we would have had it a long time ago) due to the complex checks that the phone makes when it boots. If the S-On radio checks hboot and finds it to be unsigned, the phone is put into a "do not boot" mode that is only reversible by HTC, becoming effectively a hard brick.
 
How does S-Off differ from HTCdev unlock?

The key difference is that htcdev unlock only allows access to boot/system/recovery. The phone is still S-On, and still doing plenty of checks that prevent you from:
  • changing firmware
  • changing your splash screen
  • going backwards in software/firmware build version numbers.

It also does not allow you to write the boot image from the recovery partition, as all of us who have flashed ROMs on S-On phones know. Since the kernel lives in the boot image, the kernel can only be changed by:
  1. Flashing it separately via hboot or fastboot
  2. Launching your recovery from fastboot.
  3. Using TWRP2 recovery with an hboot version lower than 1.13.
 
So what does S-Off do for me?


  • It makes ROM flashing and nandroid restoring a lot easier by allowing the permanently installed recovery to write the boot image, making the PC no longer a required part of the flash/restore equation. You can now download a ROM right to your phone, move it to the root of your sdcard with a file manager, and boot to a recovery and flash it without a PC anywhere in sight.
  • It allows changing of firmware, so you can theoretically run a "patched" or engineering hboot, the advantages of which will be discussed later (we do not currently have any of these available).
  • It lets you upgrade your radio and related firmware without running a huge, signed, full RUU.
  • It lets you go backwards in build numbers. This is handy because you can flash the latest leak and, if it's bad, you can revert back to older software/firmware without issue.
  • You can change your splash screen, which is not important functionally, but can be fun.
  • You have the ability to add a patched or engineering hboot, combined with the ability to run any RUU that exists, which gives you a much greater opportunity to revive a "soft bricked" phone.
  • You can also change your unlocked or relocked status back to locked, which is good for warranty purposes.
 
What is an engineering hboot?


An "eng" or "engineering" hboot is simply a bootloader that allows for extra fastboot commands. For most folks, 99% of these commands will never be used. The main commands that users of an eng hboot will use over a stock hboot are:
  • fastboot flash, which is used to flash recoveries, boot images, splash images, hboots, etc. Note: you can flash recovery.img and boot.img with htcdev unlock and without S-Off, but you need S-Off to flash some of the other things.
  • fastboot boot, which is used to boot (launch) an image directly into the phone's memory. The most common use of this is recovery. You can use it to get recovery running without having to permanently flash it, thus leaving the stock one installed. This is good for users that want to receive OTAs and don't use recovery much.
 
What is a patched hboot?


A "patched" hboot is simply an hboot that has been patched to provide some or all of the same commands as a real engineering hboot. They can be considered safer than a real eng hboot, since they are generally made from newer, more reliable hboot versions. Eng hboots have generally been around since prior to the phone's release. A patched hboot also can block itself from being overwritten by other hboots, which can be a huge advantage on phones where the radio secure flag is actually "on", as the S-Off hboot will always remain, even if OTAs are taken or RUUs run.

The Thunderbolt's Revolutionary patched hboot is a prime example of a ship hboot patched for eng commands and preventing itself from being overwritten.
 
Hi. I am stuck in a problem

I have a rooted HOS S4 version, JB 4.1.1 Stock (Updated via OTA), Bootloader Unlocked, S-On, Custom Rec TWRP.

HBOOT is 2.15, Software version 3.16.666.9, AND ---- CID = BM_001 (Bell Mobility)----

- There's no RUU for the carrier for JellyBean, just an OTA which is 600MB+.

- Can I change CID to something else using moonshine S-OFF so that I can use other RUUs? Please guide me on this point.

- Maybe I just want to change the CID to make life easier and then S-ON back.
 

if you can get s off, i'd keep it. you don't need to go back to s on to be stock.

you may not be able to change your cid first. if you can use moonshine to s off, you can change cid to run any ruu you wish. your modelid will prevent OTAs from working, as they are cid and mid specific. if you can find a variant that uses your mid, then you change cid, stay stock (and s off) and the phone will OTA and work like factory with no problems.

hope that answers your questions :)
 
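The S-On checks the FAQ describes (the CID has to match and you cannot go backwards in build version) and scotty85's point that updates are CID/MID specific can be modelled as a preflight check over the text that fastboot getvar all prints. This is an added example, not code from the thread or from HTC; the sample output below is constructed after the Bell One S in the question, with a placeholder modelid.

```shell
#!/bin/sh
# Added example (not from the thread): model the S-On RUU checks the FAQ
# describes and report S-Off state from "fastboot getvar all" output.
# Real output comes from:  fastboot getvar all 2>&1
# SAMPLE_GETVAR is constructed; the modelid value is a placeholder.

SAMPLE_GETVAR='(bootloader) version-bootloader: 2.15.0000
(bootloader) version-main: 3.16.666.9
(bootloader) security: on
(bootloader) cidnum: BM_001
(bootloader) modelid: EXAMPLE_MID
all: Done!'

# getvar_field OUTPUT NAME -> value of the "(bootloader) NAME: value" line
getvar_field() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^(bootloader) $2: *//p" | head -n 1
}

# version_ge A B -> success when dotted version A >= B, comparing field by field
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i; next }
        {
            m = NF > n ? NF : n
            for (i = 1; i <= m; i++) {
                x = (i in a) ? a[i] + 0 : 0; y = (i <= NF) ? $i + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# ruu_allowed GETVAR_OUTPUT RUU_CID RUU_VERSION_MAIN
# S-OFF: radio secure flag off, CID and downgrade checks are skipped.
# S-ON:  CID must match and the RUU may not be older than version-main.
ruu_allowed() {
    sec=$(getvar_field "$1" security)
    cid=$(getvar_field "$1" cidnum)
    cur=$(getvar_field "$1" version-main)
    if [ "$sec" = "off" ]; then
        echo "S-OFF: secure flag off, CID/version checks skipped"; return 0
    fi
    if [ "$cid" != "$2" ]; then
        echo "S-ON: CID mismatch ($cid vs $2), RUU refused"; return 1
    fi
    if ! version_ge "$3" "$cur"; then
        echo "S-ON: downgrade refused ($3 is older than $cur)"; return 1
    fi
    echo "S-ON: CID matches and $3 is not older than $cur"; return 0
}
```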
S=OFF can be fun too. Modify the text on hboot. In the attached photo, I put my name on top and changed it to S=ON. Actually, the phone is S=OFF.
Personalize the boot splash with a name, message or photo. A good deterrent to potential thieves. Multiboot for fun or for testing a ROM.
 

Attachment: bootloader.png

be extremely cautious modding hboot with a text editor. if you change the offsets or file size, you will be left with a non-booting phone.

i am into personalization as much as anyone, but i run a stock unlocked hboot. to me hboot modification is not worth the risk.

also, make sure you never turn s on while on your modded hboot, as it will not pass the signature test other partitions do, and the result will be an unrecoverable dead phone :eek:

i'm not trying to criticize you, just want folks to realize the potential hazards. :)
 
I use RegawMOD, found here: http://forum.xda-developers.com/showthread.php?t=1786498. The phone is actually still S=OFF while the text says that it is S=ON. Just misinformation for a potential thief. The text is edited in Windows and then the hboot is flashed. Really harmless (to some degree) but a lot of fun. You can post your message to HTC there about what you really think of them and their security. Until S=OFF, I had the feeling that my phone belonged to HTC. Now my phone is really mine. Thanks.
 
yes, i'm familiar with RegawMOD's bootloader tool. while it is safer than hex-editing the file, still things can happen. heck, even flashing another stock hboot things can happen. i'm a pretty firm advocate of messing with critical parts of the device (like hboot and radios) as little as possible.

i understand that your phone is still s-off. what i meant was, if you need to go to real s-on, make sure you're on a stock hboot. don't make the mistake of thinking you can turn s on with your modded hboot in place. using the writesecureflag 3 command with an unsigned hboot will result in an unrecoverable non-booting device. :eek:
 