AllDroid Forums
[ROOT] Unlock Bootloader + Permroot 3/19/2011
jcase
#1 Posted : Saturday, March 26, 2011 11:57:26 PM(UTC)

On request I am reposting this in full, but please check out the original here first.


HTC tried to stop us. They made signed images, a signed kernel, and a signed recovery. They locked the memory. In short, the ThunderBolt is their most locked-down phone to date.

We fixed it for you. Unlike the root method we described yesterday, following the instructions below will provide S-OFF, remove signature checks, and unlock eMMC. Enjoy!

Rooting The ThunderBolt – Version 2

Pros
Root with read/write access to /system
Ability to downgrade and flash any RUU (i.e. signed firmware)
S-OFF
Fully unlocked bootloader
All ThunderBolts survived testing

Cons
Voids warranty
Could brick your phone if you aren’t careful


The method of rooting your Android device as described in the article herein is solely for enthusiasts and not for the faint of heart.

IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA.

Android Police and Team AndIRC disclaim all liability for any harm that may befall your device, including, but not limited to: bricked phones, voided manufacturer warranties, exploding batteries, etc.

The instructions below assume you already have a strong familiarity with adb command lines – this is not for beginners.



Credits
Scotty2, jamezelle, jcase, and all of Team AndIRC
Testers, especially ProTekk and Trident
Thanks to scotty2 for WPThis
Busybox was pulled from a CyanogenMod ROM, source should be available here
psneuter was pulled from somewhere, credit to scotty2, source here
All firmware credit goes to 911sniper
Jaroslav from Android Police for editorial help
If I missed anyone in the credits, it was unintentional and I will fix it soon. Lots of people had their hands in on this project.


*** Please read the instructions in full before you attempt the process or head to IRC to ask questions. Also, make sure your battery is fully charged before taking the plunge. ***


Step 1
First, download these files:

RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.0103_2r_NV_8k_1.37_9k_1.52_release_165253 (md5sum : aae974054fc3aed275ba3596480ccd5b):
Multiupload mirror
GalaxySense mirror
DroidSite mirror

Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af):
Multiupload mirror
GalaxySense mirror
DroidSite mirror

Custom RUU mirrors (md5sum : aff07b8256628a175c40938d408fa16f):
Multiupload mirror
GalaxySense mirror

Step 2

Note that adb is required.

Push misc.img, busybox, and psneuter using the following commands:



Code:

adb push psneuter /data/local/
adb push busybox /data/local/
adb push misc.img /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox


Step 3

This step will gain temp root and flash the custom misc.img. Run:



Code:

adb shell


Now the shell should display "$".
Run:



Code:

/data/local/psneuter


You will now be kicked out of adb, and adb will restart as root. Let’s confirm the md5 of misc.img:

Code:

adb shell

At this point, the shell should display "#".
Run:



Code:

/data/local/busybox md5sum /data/local/misc.img


Output should be "c88dd947eb3b36eec90503a3525ae0de". If it’s anything else, re-download the file and try again.
Now let’s write misc.img:



Code:

dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
exit


Step 4

Here you will rename the downgrade RUU as PG05IMG.zip and place it on your SD card. Then, run the following command:



Code:

adb reboot bootloader


Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.

Set up the two part exploit, to gain root and unlock MMC. Push wpthis, busybox, and psneuter:

Code:

adb push psneuter /data/local/
adb push busybox /data/local/
adb push wpthis /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
adb shell chmod 777 /data/local/wpthis


Step 5
Next, enter the following commands:



Code:

adb shell
/data/local/psneuter

To unlock eMMC:

Code:

adb shell
/data/local/wpthis
exit


Step 6

Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.

To push the eng bootloader:



Code:

adb push hbooteng.nb0 /data/local/
adb shell
/data/local/busybox md5sum /data/local/hbooteng.nb0


If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb" exactly, stop, delete it, and re-download it. Otherwise, continue.

Now we will write the new bootloader.



Code:

dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18


Confirm proper write:



Code:

/data/local/busybox md5sum /dev/block/mmcblk0p18


If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb", try again; if it still doesn’t work, seek help from chat.andirc.net in channel #thunderbolt. DO NOT REBOOT.

Now, reboot your phone and put the custom RUU (PG05IMG.zip) on your SD card. Then flash it. This will upgrade you to release firmware with an S-OFF bootloader.

Next, run this command:



Code:

adb reboot bootloader


After it flashes, you will be running release firmware with S-OFF.

Step 7



Push SU, busybox, and psneuter:

Code:

adb push psneuter /data/local/
adb push busybox /data/local/
adb push su /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox


To gain root:



Code:

adb shell
/data/local/psneuter


The following will remount /system and set up SU:



Code:

adb shell
mount -o remount,rw -t ext3 /dev/block/mmcblk0p25 /system
/data/local/busybox cp /data/local/su /system/xbin/su
chown 0:0 /system/xbin/su
chmod 6755 /system/xbin/su


Step 8
Install Superuser from the Market.
Reboot your phone. You should now have full root permissions.

Step 9
Finally, install ROM Manager and flash the ThunderBolt recovery.
If you have problems getting SU to work, a couple extra reboots will likely fix it. If you still have problems, come to the chat: irc.andirc.net #thunderbolt or use http://chat.andirc.net:9090/?channels=#thunderbolt.
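
The md5 checks in Steps 3 and 6 (verify the file before writing it, then read the target back after writing) can be scripted so that a mismatch stops the procedure instead of relying on comparing hex strings by eye. The following is an added example, not part of the original post: the function names are hypothetical, the two expected hashes are the ones quoted in the post, and it assumes a shell with md5sum, awk and head available. It goes slightly beyond the post by hashing only the first image-sized bytes of the target on read-back, so the check also holds when the target is larger than the image.

```shell
#!/bin/sh
# Added example: integrity checks around an image write.
# Function names are hypothetical; the hashes are the ones quoted in the post.

MISC_MD5="c88dd947eb3b36eec90503a3525ae0de"    # misc.img, Step 3
HBOOT_MD5="6991368ee2deaf182048a3ed9d3c0fcb"   # hbooteng.nb0, Step 6

# md5_of FILE: print the lowercase hex MD5 digest of FILE.
md5_of() {
    md5sum "$1" | awk '{ print tolower($1) }'
}

# verify_md5 FILE EXPECTED: return 0 only if FILE exists and its digest
# equals EXPECTED (compared case-insensitively). Call before any write.
verify_md5() {
    [ -r "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(md5_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $1: got $actual, want $expected" >&2
        return 1
    fi
}

# verify_readback IMAGE TARGET: return 0 only if the first size(IMAGE)
# bytes of TARGET hash to the same digest as IMAGE. Call after the write
# and before any reboot; trailing bytes in a larger TARGET are ignored.
verify_readback() {
    size=$(wc -c < "$1" | tr -d ' ')
    img=$(md5_of "$1")
    back=$(head -c "$size" "$2" | md5sum | awk '{ print tolower($1) }')
    [ "$img" = "$back" ]
}

# Intended order (paths as used in the post):
#   verify_md5 /data/local/hbooteng.nb0 "$HBOOT_MD5"   -> only then write
#   verify_readback /data/local/hbooteng.nb0 /dev/block/mmcblk0p18
```
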
