ROOT for AT&T 2.20 Firmware

insanecrane

Member
Nov 12, 2011
We now have root available for those on the 2.20 firmware. This exploit is brought to you by djrbliss and all credit goes to him and the people HE credits in the following instructions/description. Even though he states it clearly, I will state it again: USE THIS EXPLOIT AT YOUR OWN RISK. NEITHER I NOR DJ ARE RESPONSIBLE IF YOUR PHONE BECOMES BRICKED BEYOND REPAIR.

DJ's PayPal link is at the bottom of this page. While you don't have to donate, it would be appreciated if you did. I know that dj put A LOT of time and effort into this to get it done.



I have successfully rooted the AT&T HTC One X running build 2.20.

In the previous build (1.85), S-ON was only partially enforced, so it was possible to modify the /system partition without having unlocked the bootloader, in order to install su and Superuser.apk. This was changed in build 2.20: full S-ON is now in effect. As a result, it is no longer possible to write to /system even after remounting it as writable, since the S-ON feature has NAND-locked the storage.

In other words, it's impossible to have a "permanent root" on 2.20 in the traditional sense without unlocking the bootloader.

I have prepared an exploit that gains temporary root access by leveraging two vulnerabilities and uses these newly gained root privileges to overwrite the CID ("superCID"), so that it's possible to unlock the bootloader via HTC's website. I'm sorry if you'd prefer to not unlock your bootloader this way, but there are no other options for root access available.

===========
DISCLAIMER
===========

This exploit modifies the CID of your device. Doing so likely voids your warranty, and may be in violation of your contract with AT&T (I am not a lawyer). Additionally, while this exploit has been tested and has not been observed to cause any negative side effects in practice, I am in no way responsible if it turns your device into an expensive paperweight.

=============
INSTRUCTIONS
=============

1. Download the exploit from:
http://vulnfactory.org/public/X_Factor_Windows.zip

2. Extract the entire zip file.

3. Connect your device via USB, ensure you have the latest HTC USB drivers installed, and ensure USB debugging mode is enabled.

4. Double-click "run.bat".

5. Follow the instructions printed by the exploit. You will need to authorize two backup restorations during the exploit's execution.

6. If the exploit is successful, it will print "[+] Set CID!". If it does not print this, the exploit has failed, so please do not continue.

7. The exploit will automatically reboot into bootloader mode. Press enter after bootloader mode is finished booting, and the exploit will print your CID. If the exploit was successful, it should return "11111111" as your CID.

8. If your CID was successfully set, press enter to generate an unlock token.

9. Visit htcdev.com, navigate to the "Bootloader unlock" section, choose "All other supported models" from the drop-down menu, and provide the unlock token when asked.

10. After unlocking the bootloader, you can flash a custom recovery partition via fastboot, boot into recovery mode, and use a recovery ADB shell or install from an update.zip to install Superuser and su (I do not provide support for custom recoveries, but this is a straightforward process that other people can help with).

======
NOTES
======

I am not affiliated with any Android forum or group, including XDA - this is just where I've chosen to publish this exploit.

Portions of this exploit are similar in concept to the ADB backup/restore exploit published by Bin4ry, but the vulnerability used in this exploit is entirely distinct from Bin4ry's.

========
CREDITS
========

Thanks to Michael Coppola for pointing me at the vulnerable driver I leverage for the second phase of the exploit, and props for independently discovering the same vulnerability I used. Thanks to jcase and P3Droid for their continuing support - I owe you guys beers.

======
PayPal
======
https://www.paypal.com/us/cgi-bin/w...63663d3faee8d0b9dcb01a9b6dc564e45f62871326a5e
 

riclondon14

New member
Oct 25, 2012
It doesn't work for me. I connect to the port 5037, then I get *daemon started successfully* and then nothing happens from there. Please help, what am I doing wrong?
 

insanecrane

Member
Nov 12, 2011
Make sure the phone is in USB debug mode and make sure it's set to file transfer (this is what I had it set in and didn't try it in any other mode). After it starts on the port, let it go and it should ask you to do a restore (after daemon starts it should continue fairly quickly).
 

robbytommy

New member
Oct 31, 2012
I rooted at 1.85, then my phone took the 2.20 update; I have partial root now. What do I need to do to root fully to the 2.20? Any help would be really appreciated, please.
 

atomic_squid

Well-known member
Oct 25, 2012
I've managed to change the CID and got the unlock token, but I'm having trouble with the dev tools the HTC site says you need. Where should I go for help with that, because right now, my phone is in a kind of limbo.

Sent from my HTC One X using Android Central Forums
 

Magicman08

Well-known member
May 4, 2011
You need to go to htcdev, the website, and follow the directions. *Edit: register, then go to unlock bootloader, select the last choice, "all other models" or the like, and follow the directions.

I cannot remember how this site is about linking, but there is a thread on XDA with a tool I used to help me through a lot of it, as well as reading the directions on how to do it from this thread. Try looking for "HTC One X (Tegra3) All-In-One Toolkit V1.2.2".
 
