This post describes the steps I took to unlock the bootloader and get S-OFF (NAND flash memory security off) on my HTC Sensation so that I could install a custom ROM onto a phone that hasn't received Android updates since 2012.
1. Unlock the bootloader
This step is quite easy thanks to the HTCdev website and HTC's enlightened attitude toward modding. After creating an account at http://www.htcdev.com/ and logging in, click the Unlock Bootloader icon and press the green Get Started button when it appears.
Select your device from the drop-down menu and click the green button, Begin Unlock Bootloader. You will have to click through a waiver stating that unlocking the bootloader may void your warranty, and then tick two check boxes to give your consent. Once that's out of the way, you will be given instructions for booting into bootloader mode. On the HTC Sensation, you can achieve this by powering down and pressing Volume Down + Power Button at the same time to restart. For this to work, however, you need to make sure that fastboot is disabled in the Settings -> Battery menu in Android and also that USB Debugging mode is enabled in Settings -> Developer Options.
When the Android bootloader screen appears, use the Up/Down Volume buttons to navigate to Fastboot and press the power button.
Connect your HTC Sensation to your Linux machine via USB cable. On your phone's screen, select "Charge Only". It may take a few moments for your machine to recognize the phone. To verify that your Linux machine is detecting the Sensation correctly, run lsusb and you should see something like:
[archjun@latitude630 ~]$ lsusb
Bus 002 Device 006: ID 0bb4:0f87 HTC (High Tech Computer Corp.)
...
Once your phone detects it is connected via USB to another machine, the bootloader screen will show Fastboot USB. From HTCdev you can download a zipfile containing the fastboot binary, but since we're on Linux it is better to use your package manager to install the android-tools package (Archlinux), which includes adb (Android Debug Bridge), fastboot, and mkbootimg.
On the command line type the following:
sudo fastboot oem get_identifier_token
This will return something like the following (I have replaced the 16-line unlock token with some invalid string):
...
(bootloader)
(bootloader) < Please cut following message >
(bootloader) <<<< Identifier Token Start >>>>
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) <<<<< Identifier Token End >>>>>
OKAY [ 0.064s]
finished. total time: 0.064s
You will need to copy this into your favorite text editor and delete the string (bootloader) as well as the extra whitespace at the beginning of each line. You must also include the Identifier Token Start and Identifier Token End lines. A valid token will look like the following:
<<<< Identifier Token Start >>>>
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
<<<<< Identifier Token End >>>>>
On the HTCdev site, there is a box titled My Identifier Token into which you should copy-paste the token in the same form as above.
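The manual cleanup described above can be scripted and sanity-checked before anything is pasted into HTCdev. This is an added example, not part of the original post or HTC's instructions; extract_token and sample_output are hypothetical helper names, and the sample input is constructed from the post's invalid placeholder token.

```shell
#!/bin/sh
# Added example (not from the original post): clean the output of
# `fastboot oem get_identifier_token` into the block HTCdev expects.

extract_token() {
    # Drop CRs, the "(bootloader)" prefix and surrounding whitespace, then
    # keep only the lines from the Start marker through the End marker.
    cleaned=$(tr -d '\r' | sed -n \
        -e 's/^[[:space:]]*(bootloader)[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/Identifier Token Start/,/Identifier Token End/p')
    first=$(printf '%s\n' "$cleaned" | sed -n '1p')
    last=$(printf '%s\n' "$cleaned" | sed -n '$p')
    body=$(printf '%s\n' "$cleaned" | sed '1d;$d')
    case $first in *"Identifier Token Start"*) ;;
        *) echo "start marker missing" >&2; return 1 ;; esac
    case $last in *"Identifier Token End"*) ;;
        *) echo "end marker missing (truncated copy?)" >&2; return 1 ;; esac
    # The post describes a 16-line token; any other count means a bad copy.
    count=$(printf '%s\n' "$body" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 16 ] || { echo "expected 16 lines, got $count" >&2; return 1; }
    # Assumption taken from the sample in the post: alphanumeric lines only.
    if printf '%s\n' "$body" | grep -q '[^0-9A-Za-z]'; then
        echo "unexpected characters in token body" >&2; return 1
    fi
    printf '%s\n' "$cleaned"
}

sample_output() {
    # Constructed input with the same shape as the output shown in the post.
    echo '...'
    echo '(bootloader) '
    echo '(bootloader) < Please cut following message >'
    echo '(bootloader) <<<< Identifier Token Start >>>>'
    i=0
    while [ "$i" -lt 16 ]; do
        echo '(bootloader) ABC123456ABA78987654321A1B2C3X5C'
        i=$((i + 1))
    done
    echo '(bootloader) <<<<< Identifier Token End >>>>>'
    echo 'OKAY [ 0.064s]'
}

# Real use: fastboot prints these lines on stderr, so merge the streams:
#   sudo fastboot oem get_identifier_token 2>&1 | extract_token > token.txt
sample_output | extract_token
```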
Once you have pasted it into the window and pressed the green Submit button at the bottom of the page, you will be informed that the unlock token will be sent to you in an email attachment named Unlock_code.bin.
Download this attachment to your machine, and from the download path run
sudo fastboot flash unlocktoken Unlock_code.bin
If all goes well, the console should output
unlock token check successfully
Your HTC Sensation will then display Unlock bootloader? on its screen.
Move to Yes using the Volume button on the left and then press the Power button.
Congratulations, you have now unlocked the stock bootloader on your HTC Sensation! Note that this erases everything on your SD card and all the data in the internal NAND memory.
In the next step, we will enable writing to the Sensation's internal NAND flash memory (i.e. get S-OFF / security off) so we can write a custom ROM to the phone.
2. Enable Writing to internal NAND Memory (S-OFF)
There are a variety of methods for disabling write protection on the internal memory, but if you have done an Over The Air (OTA) update provided by HTC to upgrade the Sensation to Android 4.0.3 Ice Cream Sandwich, the HBOOT bootloader is upgraded to version 1.27. As a result, you have only one method of getting S-OFF, which involves something called the "wire trick". At first, I thought that this couldn't be correct, but disabling write protection requires, among other things, connecting one end of a wire to the ground port of the HTC Sensation and the other end of the wire to the metal case of the SD Card slot.
I unfolded a paper clip and used it for the wire trick above.
I used the Juopunutbear S-OFF method described at the following link:
http://unlimited.io/juopunutbear.htm
Since we already unlocked the bootloader in Step 1 using the unlock token from HTCdev, all the user data is now wiped from the stock ICS Android installation. Once again you must turn off fastboot and enable USB Debugging as detailed in Step 1 above.
Now use a microUSB to USB cable to connect your HTC Sensation to a USB port on a Linux machine. As in Step 1 above, you can verify that your phone is detected by running lsusb and looking for the USB ID (vendor:product) 0bb4:0f87.
Download the Juopunutbear S-OFF tarball for the HTC Sensation with ICS 4.0.3 from the following link:
http://unlimited.io/downloads/jb/pyramid/ControlBearRelease_pyramid_ICS_LINUX.tgz
Extract files from the tarball with
tar xvfz ControlBearRelease_pyramid_ICS_LINUX.tgz
This tarball contains the binary executables adb, fastboot, and ControlBear in addition to a variety of .img files. Although adb and fastboot should already be installed from the android-tools package, I suspect that the ControlBear program uses the versions of adb and fastboot extracted from the tarball (although I can't be sure, since I haven't been able to find a copy of the source for ControlBear).
The instructions from http://unlimited.io/juopunutbear.htm tell users to give rwx r-x r-x permissions to ControlBear with chmod 755 ControlBear and to run the ControlBear binary as root. I wish I could see exactly what steps this program takes to get S-OFF...
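One way to find out which adb and fastboot binaries a closed-source tool like this launches is to trace its execve calls with strace and summarize the successful ones. This is an added example, not part of the original post or the Juopunutbear instructions; exec_summary and sample_trace are hypothetical helper names, and the log lines are constructed rather than captured from ControlBear.

```shell
#!/bin/sh
# Added example: summarize which programs a traced process executed.
# Capture a log first (-f follows children, -o writes the log to a file):
#   sudo strace -f -e trace=execve -o tool.trace ./ControlBear
#   exec_summary < tool.trace

exec_summary() {
    # Reads strace output on stdin; prints "<path><TAB><count>" per program.
    # Only calls that returned 0 count: a PATH search shows up as a series of
    # failed execve attempts (= -1 ENOENT) before the one that succeeds.
    awk '
    /execve\("/ && / = 0$/ {
        path = $0
        sub(/^.*execve\("/, "", path)   # cut everything before the path
        sub(/".*$/, "", path)           # cut everything after it
        seen[path]++
    }
    END { for (p in seen) printf "%s\t%d\n", p, seen[p] }' | LC_ALL=C sort
}

sample_trace() {
    # Constructed lines in `strace -f -o` format; NOT real ControlBear output.
    cat <<'EOF'
4101 execve("./tool", ["./tool"], 0x7ffc0a1b2c30 /* 18 vars */) = 0
4102 execve("/usr/local/bin/adb", ["adb", "devices"], 0x7ffe11223340 /* 18 vars */) = -1 ENOENT (No such file or directory)
4102 execve("/usr/bin/adb", ["adb", "devices"], 0x7ffe11223340 /* 18 vars */) = 0
4103 execve("./fastboot", ["./fastboot", "devices"], 0x7ffe55667780 /* 18 vars */) = 0
4104 execve("./fastboot", ["./fastboot", "getvar", "version"], 0x7ffe55667780 /* 18 vars */) = 0
4104 +++ exited with 0 +++
EOF
}

sample_trace | exec_summary
```

A relative path such as ./fastboot in the summary means the copy next to the tool was run, while an absolute path under /usr/bin points at the system package.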
ControlBear will tell you when it is time to do the wire trick. While you are waiting to get the go-ahead, initially insert one end of a paper clip into the ground port on the right, and when the terminal tells you to do the wire trick, tap the other end of the paper clip to the metal casing of the SD Card slot for a little more than one second, wait one second, and then repeat. You may have to run ControlBear several times before you execute the wire trick perfectly. If you have problems, refer to the ControlBear troubleshooting FAQ for more info:
http://unlimited.io/jbtroubleshooting.htm
If ControlBear succeeds, you will get the following message:
...
SUCCESS - Buddies and Beer
Checking alcohol level......
Seems to be just right.....
Let's take one more......
Aaaah, nice sunny day!!
Rebooting.......
Waiting device....
Found device... Please wait...
Rebooting bootloader.......
Waiting device....
Fastboot detected
JuopunutBear S-OFF success
ControlBear will then prompt you whether or not you want to install a custom HBOOT bootloader. If you do install the custom HBOOT, when you restart your phone, you will see that S-OFF is enabled but find that the bootloader is LOCKED again. I suspect that if you don't install the custom Juopunutbear bootloader, the HBOOT 1.27 which we unlocked in Step 1 using the token from HTCdev will remain unlocked (but I haven't tested this yet on my Sensation).
Although some tutorials on the Internet claim that as long as you have S-OFF enabled, it doesn't matter if the bootloader is locked or not, this was not the case for me. I had to repeat the Step 1 process once more to unlock the Juopunutbear custom bootloader before I could proceed to the next step.
3. Install a Custom Recovery Bootloader - TWRP
Through trial-and-error, I found that recent builds of Team Win Recovery Project (TWRP) for the HTC Sensation are capable of installing newer Android versions like KitKat 4.4.4 and Lollipop 5.0+. Although ClockWork Mod (CWM) recovery is very popular on Android forums, the latest version available for the HTC Sensation at this link is below version 6. Unfortunately, CWM Recovery below version 6.0.4.5 is not capable of installing Android KitKat. This isn't a problem as TWRP has recent builds for the HTC Sensation at the following link:
https://twrp.me/devices/htcsensation.html
Instead of installing TWRP from the Google Play Store, simply download the image file from the following link (which is also listed on the TWRP HTC Sensation page):
https://dl.twrp.me/pyramid/
Select the most recent version, which as of July 19, 2015 is twrp-2.8.6.0-pyramid.img.
Once you have downloaded the TWRP image, you will use adb to install TWRP as the new recovery bootloader. As explained in Step 1 above, make sure fastboot is disabled and that USB Debugging is enabled. Connect the HTC Sensation to your Linux machine's USB port and enter the following in a terminal:
sudo adb reboot bootloader
In your terminal, make sure you are in the directory to which you downloaded twrp-2.8.6.0-pyramid.img.
When you get to the bootloader screen, you can now flash TWRP to your phone:
sudo fastboot flash recovery twrp-2.8.6.0-pyramid.img
4. Copy an Android KitKat Image to the phone's sdcard
Because the HTC Sensation only has 768 MB RAM and 1024 MB internal NAND memory, I deliberately chose the minimal Android distribution SlimKat. I've heard that the dual-core HTC Sensation feels sluggish on Android Lollipop 5.0, so I downloaded SlimKat's Slim-pyramid-4.4.4.build.9.0-OFFICIAL-8305.zip KitKat image. The nice thing about TWRP is that you can install Android from .zip instead of .img files, so it is unnecessary to extract files from the zip archive.
To send the KitKat image file to the HTC Sensation, use the adb push command:
sudo adb push Slim-pyramid-4.4.4.build.9.0-OFFICIAL-8305.zip /storage/sdcard0
5. Install Custom KitKat Image using TWRP
Now reboot into recovery mode, which should bring up TWRP:
sudo adb reboot recovery
Alternatively, you could manually power off the Sensation, and then press the Volume Down and Power buttons simultaneously at boot to enter recovery mode.
Before you install the custom KitKat ROM, you must first flush the Dalvik cache. From the TWRP menu, tap Wipe and make sure Dalvik Cache is checked. As for why it is a good idea to wipe this cache, refer to this post from Stack Exchange.
Next, from the TWRP main menu, select Install and when it prompts you to Select Zip to Install, navigate to the path on the sdcard (/storage/sdcard0) where you saved the KitKat .zip file.
Once this process finishes, you will have an HTC Sensation running Android 4.4.4!