HTC implemented security on their newer generation phones. This flag, called @secuflag, controls whether your phone has
its NAND or flash unlocked. Most noticeably, S-ON (security on) will read-lock your /system and /recovery partitions, to name a few. Also, secuflag controls whether zip files being flashed through recovery or fastboot must be signed by HTC.
The now notorious S-OFF (security off) will disable this NAND security.
Since we are unable to access the Radio NVRAM itself (where secuflag is stored), we turned our attention to HBOOT.
AlphaRev has patched HBOOT images for several phones; the HTC Desire (GSM) was our first victim.
Warning: Make sure you have read all the warnings below before attempting to run this utility!
- HTC Desire GSM (Bravo), all hardware models (PVT4 too)
- HTC Legend GSM, HBOOT 1.0+ is NOT supported
- HTC myTouch 3G Slide (Espresso)
AlphaRev 1.8 is now deprecated software. If at all possible, use Revolutionary instead.
Supported device list for this is to be determined.
The only requirement right now is that the ROM you're running is rooted.
As techniques such as 'data2ext' have been popping up, these might disturb our finely-tuned flashing process.
Please revert to a rooted stock ROM if possible. Your /data partition is used for temporary storage of important files.
- 1.80: New HBOOTS released. Updated sizes in the table, PVT4 supported, added MISC partition flashing support.
- 1.80: Multi-device support, Legend GSM and Espresso GSM added to supported devices. Self-contained flashing method with on-screen UI, optional recoveries.
- 1.70: Internal testing release.
- 1.60: Internal testing release.
- 1.50: HBOOT updated. This now allows the use of 'fastboot erase' commands. Changes to allow for future multiple device support.
- 1.40: Splboot reworked (allows 1 bad block), Logic verified/changed to work on HTC Stock ROMs, rooted with unrEVOked.
- 1.32: Minor fix: fixed some permissions problems for some ROMs.
- 1.31: Feature added: More verbose output for splboot.
- 1.30: Major fix: Checks added for people with bad blocks on their HBOOT NAND flash. Verified and working. Also, fix for people with non-root ADB.
- 1.20: Fixed two bugs: Adjusted for ROMs that didn't have ADB rooted (OpenDesire?), also made splboot smaller for people with bad blocks on /boot.
- 1.10: Fixed a bug for busybox. We now push our own version, so no need for it anymore! Just root is enough.
- 1.00: Initial Release.
The following patches were made:
- The radio security flag is ignored. HBOOT now always thinks the phone is S-OFF.
- Fastboot extended commands are enabled. This is similar to engineering HBOOTs; these allow you to use commands like 'fastboot flash system system.img' (flashing a system image), or 'fastboot boot boot.img' (downloading and directly booting a kernel image and ramdisk).
- ENG commands are patched in. These can be accessed through fastboot oem h. For advanced users only!
- Downgrade protection. These HBOOTs cannot be overwritten by an OTA or RUU, unless you flash a downgrader HBOOT first.
- Misc flashing. This allows you to un-usb-brick your phone by flashing the misc partition.
- SuperCID patched. These HBOOTs will never need a goldcard for flashing a RUU.
The modified partition tables below support ALL hardware models for Bravo, including PVT4 newnand. Sizes have been adjusted to reflect their actual YAFFS2 'usable' storage space, versus the raw space that HBOOT lists. The version number has been updated to HBOOT 6.93.1002. If you are already S-OFF, you can get our newest patched HBOOTs from here (without going through the entire procedure again).
Please read the entire table and pick the partition table with the correct sizes for your ROM. One easy way to switch partition tables is to make a nandroid backup, verify that the sizes of your backup are indeed the ones listed in the table (or smaller), and restore after flashing HBOOT.
|Bravo Oxygen r2||100M||5M||332M||532e39f7b0e8cf9aff07d4556fe6d841||bravo_alphaspl-oxygenr2.img||PB99IMG_oxygenr2|
|Bravo CM7 r2||145M||5M||287M||0be8c68b41f3ab6dda4f772d6de50760||bravo_alphaspl-cm7r2.img||PB99IMG_cm7r2|
1) Nandroid backup in recovery.
2) Verify the MD5SUM of the file you downloaded against the one in the table.
3) Flash HBOOT with your phone in fastboot mode (Back+POWER) -> 'fastboot flash hboot bravo_alphaspl.img' (change this to the correct filename for the HBOOT you downloaded)
4) 'fastboot reboot-bootloader'
5) 'fastboot erase cache'
6) Boot recovery, wipe everything and restore.
If you downloaded Bravo Data++, please notice the /cache partition is too small to hold Radio flashes from recovery. You can however flash the radio just fine with 'fastboot flash radio radio.img'. Just extract the radio.img from the radio update.zip beforehand.
You can also download the corresponding PB99IMG zipfile, put it on your sdcard, and rename it to PB99IMG.zip. Then start the phone in HBOOT mode (VolDown+POWER) to flash the HBOOT without a PC. It is however still necessary to either restore your nandroid, or reflash your ROM after doing this. The partition LAYOUT has changed; the actual data still needs to be 'moved'.
Is there any risk involved?
Yes, there is. Flashing HBOOT will flash a critical part of your phone; if that gets corrupted, your phone WILL be bricked.
We do not accept any responsibility for bricked phones, even though we've attempted to make the actual flashing method as safe as possible.
If your phone no longer turns on, please return to HTC for warranty purposes.
Should you still run this hack/program, you then hereby accept full responsibility.
Will this touch my currently running ROM?
We try to leave the current ROM and data structures completely intact. It is, however, advised to ALWAYS nandroid backup your phone before you run this procedure.
You will then always have a correct/current backup to fall back on in case something breaks.
So how does this work?
The image provided is an ISO image. You can burn that to a CD and boot it. Instructions will be provided when you run the CD.
The actual tool is packaged in a Linux livecd, to ensure maximum compatibility.
On a sidenote: yes, you should be able to run this in VMware or VirtualBox, as long as you enable the USB device to be routed to the running livecd.
Will my phone stay S-OFF forever?
Yes and no. As soon as you decide to flash a stock RUU that has a HBOOT update in it, this hacked HBOOT will be overwritten.
You do have the option to remove the HBOOT update from the rom.zip inside the RUU. Since your phone no longer checks signatures, you could easily do that.
Also, you then still have the option to flash custom recovery, or different kernels using the fastboot functions described above (fastboot flash, et al).
Will this work on my SLCD device?
Yes. For Desire, we've patched HBOOT 0.93, which has AMOLED and SLCD support. Through model ID checking, we determine if your device is supported.
If you run this tool on a device that is unsupported, but that you think is likely to be supported soon, then contact us.
This is ONLY for submission of NEW devices. Support for existing devices goes ONLY, I repeat: ONLY through IRC. irc.freenode.net #alpharev
If you contact us through e-mail for anything other than the above, you WILL be ignored, so don't bother.
This is great, I'd like to donate for all your efforts!
That is very kind of you. We are setting up a device fund to be able to support newer generation HTC phones.
So in short, if you'd like to donate to our cause, you can do that from here:
Something went wrong! The livecd told me to get help!! Is my phone bricked?
First of all, leave your phone turned on and plugged in to USB. Your phone will most likely not be bricked, unless you REBOOT!
Before that happens, please contact an operator on irc.freenode.net, channel #alpharev, as instructed on the livecd.
The operators there should be able to provide you with some more hands-on help.
I don't like the splash1 screen you've installed! How can I change it?
The splash1 for AlphaRev is installed to show that the actual flashing process succeeded, but it also shows your support for our cause.
However, if you want to change it, you can just use 'fastboot flash splash1' to do that. You do need a valid splash1 image to do so; you can find instructions for creating one on the XDA-Developers Forum.
You can download the stock splash1 screen for HTC Desire from here. Make sure you flash it with 'fastboot flash splash1 desire_stock_splash1.img'.
I installed a different splashscreen, but I've decided to revert back to your splashscreen to show my support! How?
You can download the AlphaRev splashscreens from here:
- IEF, project initiator and putting it all together.
- kmdm, HBOOT reverse engineering and patching.
- adam235, for working with us and several great ideas.
- All the pre-release testers that have ensured we've made it safe for the public!
- Everyone at unrevoked for providing support and information, but first and foremost for providing their NAND unlock!
This would not have been possible if it hadn't been for them!