HTC Sensation

From Segfault
Jump to navigation Jump to search


S-Off[1] means that the NAND portion of the device is unlocked and can be written to. Most phones are S-On to prevent messing around with the internal NAND memory. To get permanent root access to the phone, we must achieve S-Off. To check the status of our HTC Sensation, we go into HBOOT:

  • Turn off phone, perhaps even take the battery out (and put it back in)
  • Press and hold "Volume Down" and turn on the phone again, HBOOT should come up. There we can see if S-On or S-Off is active.

We can achieve S-Off with one of the following options:


Go to and follow the instructions:

  1. Select device
  2. Click on "Begin Unlock Bootloader"
  3. Confirm, Proceed to Unlock Instructions
  4. Remove and reinsert the battery.
  5. Press and hold "Volume Down" and press "Power" to start the device into HBOOT.
  6. Select "Fastboot and boot the device.
  7. Connect the device to the computer via a USB cable
  8. Download Fastboot binary (Mac)
    1. unzip
    2. chmod +x fastboot-mac
    3. ./fastboot-mac oem get_identifier_token

  1. Download Revolutionary for your operating system (Windows, Linux)
    1. Windows users will have to install the HTC USB drivers:
      1. HTC USB TETHERING DRIVER (01.17.2012). This might also be included in the HTC Sync Manager package.
      2. HTCDriver from
  2. Execute...



TWRP[2] is pretty stable from what I can tell (and also supports encrypted devices), let's install it via fastboot:

$ md5sum openrecovery-twrp-
e305489436076d3945465086186b01d5  openrecovery-twrp-

$ adb reboot bootloader 
$ fastboot flash recovery openrecovery-twrp-

Now reboot into recovery and TWRP should be installed.


While there are several recovery images out there, the HTC Sensation had success with the 4EXT Recovery image. We have to download[3]. To flash the image via fastboot, download just the and verify its checksum:

MD5 ( = 959efe1ed21a2173ba857e6f7cb9198f

Unzip and flash:

$ unzip -d 4ext
$ md5 4ext/recovery.img
MD5 (4ext/recovery.img) = 8e756b40c3183abf90ec6479d2c5e775

$ fastboot flash recovery 4ext/recovery.img
sending 'recovery' (6116 KB)...
OKAY [  1.514s]
writing 'recovery'...
OKAY [  9.191s]
finished. total time: 10.705s

Since the phone is still in its bootloader, choose "Recovery" to boot into the new recovery partition.


Getting root usually requires S-Off and differs from the Android version.

Android 4.0

For Android 4.0 (ICS) there is a guide[4] to gain root access. The process in short:

MD5(  0371e59a14e7d86593988501e94af6fe
MD5(Superuser.apk)=               65bd72996c68f289c5fa0b81f0874127
MD5(adb.exe)=                     8a1c5cd46f8662f6162e4ec7ba4b13b8
MD5(busybox)=                     4eaf08d657fa5ebb5175765fbf36588d
MD5(su)=                          d1a9de9724c662a50a9a128e48b1fb37

Extract the package, disregard the *.dll files. There's a root.bat command file included - for Linux and MacOS you can use Both need a working adb binary to function. When using, the rooting process looked like this:

$ unzip
$ cd root-sensation-windows/

$ sh /path/to/adb
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
HT12AA345678    device


rm failed for /data/local/installbusybox, No such file or directory
rm failed for /data/local/installbusybox2, No such file or directory
rm failed for /data/local/root, No such file or directory
rm failed for /data/local/root2, No such file or directory
rm failed for /data/local/sysro, No such file or directory
rm failed for /data/local/sysro2, No such file or directory
rm failed for /data/local/sysrw, No such file or directory
rm failed for /data/local/sysrw2, No such file or directory
rm failed for /data/local/unroot, No such file or directory
rm failed for /data/local/unroot2, No such file or directory
rm failed for /data/local/busybox, No such file or directory
rm failed for /data/local/su, No such file or directory
rm failed for /data/local/Superuser.apk, No such file or directory
4266 KB/s (837916 bytes in 0.191s)
3361 KB/s (22364 bytes in 0.006s)
3566 KB/s (843503 bytes in 0.230s)
rm failed for /data/local.prop, No such file or directory

After the first reboot, the phone came a somewhat disturbing state. The background was gone, only the upper status bar was displayed, but it would not react to any swipes and could not be unlocked or used. I even went so far and rebooted the phone myself, taking the battery out and booted it again - but the phone came back in the same strange state. Plugged the phone in again to USB, and pressed ENTER:


Phone came back again, this time it looked "normal". Pressed ENTER again:


And this was it, now the phone was rooted.


There are many ways[5] to restore the phone to its original ROM. In any case, we'll need the actual ROM image (aka RUU or ROM Upgrade Utility[6]), in our case:

SHA-1: cd03e3e5d4cc08712cb44295f745a1380caf0049
SHA-1: a19865b9248e5612dd8fa4770de051b3392424c9

For the Fastboot and SDCard method, we will need the file included in the RUU. Since the RUU is an We will need a Windows executable, we'd need a Windows system for this:

  1. Start the RUU and continue just until the actual update process.
  2. Go to %TEMP% in your home directory, e.g. c:\documents and settings\alice\local settings\temp\
    1. There should be a rather cryptic named directory, like {18abb736-d55c-4fa4-a3e5-7c78512fa924} containing (amongst other files) a file called
  3. Copy to a safe place and name it
  4. If we just wanted to extract the, we can close the RUU utility now. Otherwise, continue with #RUU.


The phone can be restored to its original ROM via fastboot. As we have alread obtained the, let's verify if our CID (CustomerID) is included in the ROM.

Boot the device into the bootloader, either via Volume-Down & Power or via adb:

adb reboot bootloader

Once in bootloader, we can do:

$ fastboot devices
HT12AA345678    fastboot

$ fastboot getvar cid
cid: T-MOB010

This is our CID. Let's see if this CID is included in the ROM:

$ unzip -p android-info.txt
modelid: PG5810000
cidnum: T-MOB010
mainver: 3.32.531.14

If the CID was not included, we have downloaded the wrong RUU. If we still want to use this ROM, we have two options:

  • Append our CID to android-info.txt in or
  • Write the SuperCID to the device via fastboot oem writecid 11111111.

OK, in our case the device's CID was included in android-info.txt and we can continue. As our device is still in the bootloader:

$ fastboot erase cache
erasing 'cache'...
OKAY [  3.326s]
finished. total time: 3.327s

Reboot into a specia RUU mode:

$ fastboot oem rebootRUU
(bootloader) Start Verify: 0
(bootloader) Start Verify: 0
(bootloader) erase sector 130560 ~ 131071 (512)
OKAY [  3.307s]
finished. total time: 3.307s

After 30 seconds or so the phone should be black with a white HTC logo in the center and the actual installation can begin:

$ fastboot flash zip
sending 'zip' (441916 KB)...
OKAY [ 60.492s]
writing 'zip'...
(bootloader) zip header checking...
(bootloader) shift signature_size for header checking...
(bootloader) zip info parsing...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) start image[hboot] unzipping for pre-update check...
(bootloader) start image[hboot] unzipping & flushing...
(bootloader) [RUU]UZ,hboot,100
(bootloader) [RUU]WP,hboot,100
(bootloader) start image[boot] unzipping & flushing...
(bootloader) start image[recovery] unzipping & flushing...
(bootloader) start image[system] unzipping & flushing...
(bootloader) start image[sp1] unzipping & flushing...
(bootloader) start image[dzdata] unzipping & flushing...
(bootloader) start image[sbl1] unzipping & flushing...
(bootloader) start image[sbl2] unzipping & flushing...
(bootloader) start image[sbl3] unzipping & flushing...
(bootloader) start image[tz] unzipping & flushing...
(bootloader) start image[rpm] unzipping & flushing...
(bootloader) start image[adsp] unzipping & flushing...
(bootloader) start image[pg2fs_spcustom] unzipping & flushing...
(bootloader) start image[radio] unzipping & flushing...
(bootloader) start image[rcdata] unzipping & flushing...
(bootloader) [RUU]UZ,rcdata,0
(bootloader) [RUU]WP,rcdata,0
OKAY [339.791s]
finished. total time: 400.283s

Now the phone needs to be rebooted. In our case the progress bar on the phone was "almost finished" and did not advance any more. After a few minutes I decided to boot anyway:

fastboot reboot

Now the phone should be back to its stock ROM.


  1. Copy to the root of your SD card and name it
  2. Restart your phone into bootloader, possibly via:
adb reboot bootloader

The phone should reboot and load This will take a couple of minutes.


Since the RUU is a Windows executable, we will need a working Windows operating system.

  1. Connect the phone to the Windows system
  2. Execute the RUU executable file on the computer and follow its instructions. Afterwards, the device should be back to its original ROM.

Sometimes this method fails, e.g. while trying to connect to the phone. It may stall at "Waiting for bootloader..." or it may be stuck with a black screen displaying only the HTC logo. Eventually the RUU will time out and will display an Error 170: USB connection error.

Running the RUU again (and leaving everything as-is) seems to help...sometimes. The same goes for "re-installing HTC Sync". If this method fails, try the Fastboot or SDcard [7] method above.


To enable S-ON afterwards, do the following, via ADB:

adb reboot-bootloader
fastboot oem writesecureflag 3
fastboot reboot-bootloader

After this has been done, S-ON should appear on the bootloader screen.


After gaining S-Off, custom mods can be loaded onto the phone. The HTC Sensation Android Roms website[8] lists popular and updated ROMs for the HTC Sensation.

Codename Lungo

As of 2014, Codename Lungo[9] is still being updated[10] for the HTC Sensation. Installation is pretty straightfoward, via adb sideload:

adb reboot recovery

On the phone, select Wipe Dalvik Cache and Wipe Cache, then Swipe to Start Sideload. Now push the checksum and the update image to the phone:

adb push /sdcard/        # So that TWRP can verify the checksum
adb sideload                             # MD5: 0fc646dac3899c1e72aa8c30bbb587f3

Reboot the phone. Important: do not connect to WiFi yet! We have to install Google Apps first. And Codename Lungo brings its own version of gapps[11]:

adb push /mnt/sdcard/
adb push /mnt/sdcard/         # MD5: 86270afcb0c920ee8fa433de09bdc6a5
adb reboot recovery

Install gapps from the SD card, reboot again. Now it's safe to connect to WiFi networks. Additionally more add-ons[12] can be installed, but this did not work here for whatever reason.


The most popular would be CyanogenMod. However, for the HTC Sensation[13] the last release was a nightly for CM10[14] (Android 4.1.2).

To install CyanogenMod on the HTC Sensation, the following needs to be done:

  • Download a CyanogenMod release, verify its checksum
  • Download the Google Apps packages (if needed), verify its checksum
  • Transfer the .zip files to the phone, possibly in /mnt/sdcard
  • Boot into the bootlader
adb reboot bootloader
  • On the phone, select Recovery
  • Select Wipe data/factory reset
  • Select Install from SDCard
  • Choose the CyanogenMod .zip file and complete the installation.
  • If needed, do the same for the Google Apps .zip file and possible other packages.
  • Select Reboot now

The phone should reboot into CyanogenMod now.


At one point I tried to look at the Virtuous ROM series[15] which comes as plain Android (AOSP) and without "HTC Sense", but I haven't installed it yet.


This particular HTC Sensation had a lock SIM network lock for T-Mobile. When inserting a foreign SIM card, a "network unlock code" was required before the SIM card could be used. T-Mobile has a special procedure[16] to unlock their phones, which can be timesome or even impossible[16].

With the HTC Sensation, the SIM unlock code can be found on the device itself. After rooting the device, use ADB to connect to the phone, then:

root@android:/ # strings -n 8 /dev/block/mmcblk0p6
2011/01/01              => date (?)
12345678                => unlock code
123456789123456         => IMEI

The SIM network unlock code should be right above the IMEI. If it's not and instead a date is displayed, the unlock code is probably not stored on the device.


Corrupt ZIP since upgrade to Gingerbread on Nexus One

$ unzip -t 
file #1 (mmsfiles/PART_1308645759757):
         mismatch between local and central GPF bit 11 ("UTF-8"),
         continuing with central flag (IsUTF8 = 0)
    testing: mmsfiles/PART_1308645759757   OK