2015년 7월 19일 일요일

Using Linux to Install KitKat 4.4.4 on HTC Sensation with ICS 4.0.3

This post describes the steps I took to unlock the bootloader and get S-OFF (NAND flash memory security off) on my HTC Sensation so that I could install a custom ROM onto a phone that hasn't received Android updates since 2012.

1. Unlock the bootloader

This step is quite easy thanks to the HTCdev website and HTC's enlightened attitude toward modding. After creating an account at http://www.htcdev.com/ and logging in, click the Unlock Bootloader icon pictured below and press the green Get Started button when it appears.



Select your device from the drop-down menu and click the green button, Begin Unlock Bootloader. You will have to click through a waiver stating that unlocking the bootloader may void your warranty and then you have to click on two check boxes to give your consent. Once that's out of the way, you will be given instructions for booting into bootloader mode. On the HTC Sensation, you can achieve this by powering down and pressing Volume Down + Power Button at the same time to restart. For this to work, however, you need to make sure that fastboot is disabled in the Settings -> Battery menu in Android and also that USB Debugging mode is enabled in Settings -> Developer Options.

When the Android bootloader screen appears, using the Up/Down Volume button, navigate to Fastboot and press the power button.

Connect your HTC Sensation to your Linux machine via USB cable. On your phone's screen, select "Charge Only". It may take a few moments for your machine to recognize the phone. To verify that your Linux machine is detecting the Sensation correctly, run lsusb and you should see something like:

[archjun@latitude630 ~]$ lsusb
Bus 002 Device 006: ID 0bb4:0f87 HTC (High Tech Computer Corp.)
...

Once your phone detects it is connected via USB to another machine, the bootloader screen will show Fastboot USB. From HTCdev you can download a zipfile containing the fastboot binary, but since we're on Linux it is better to use your package manager to install the android-tools package (Archlinux) which includes adb (Android Debug Bridge), fastboot, and mkbootimg

On the command line type the following:

sudo fastboot oem get_identifier_token

This will return something like the following (I have replaced the 16-line unlock token with some invalid string):
...
(bootloader)
(bootloader) < Please cut following message >
(bootloader) <<<< Identifier Token Start >>>>
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) ABC123456ABA78987654321A1B2C3X5C
(bootloader) <<<<< Identifier Token End >>>>>
OKAY [  0.064s]
finished. total time: 0.064s

You will need to copy this into your favorite text editor and delete the string (bootloader) as well as the extra whitespace at the beginning of the line. You must also include the lines Identifier Token Start/End. A valid token will look like the following:

<<<< Identifier Token Start >>>>
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C
ABC123456ABA78987654321A1B2C3X5C

ABC123456ABA78987654321A1B2C3X5C
<<<<< Identifier Token End >>>>>

On the HTCdev site, there is a box titled My Identifier Token into which you should copy-paste in the same form as above.

Once you have pasted it into the window and pressed the green Submit button at the bottom of the page, you will be informed that the unlock token will be sent to you in an email attachment named Unlock_code.bin

Download this attachment to your machine, and from the download path run

sudo fastboot flash unlocktoken Unlock_code.bin

If all goes well, the console should output

unlock token check successfully

Your HTC Sensation will then display Unlock bootloader? on its screen:



Move to Yes using the Volume button on the left and then press the Power button.

Congratulations, you have now unlocked the stock bootloader on your HTC Sensation! Note that this erases everything on your SD card and all the data in the internal NAND memory.

In the next step, we will enable writing to the Sensation's internal NAND flash memory (i.e. get S-OFF / security off) so we can write a custom ROM to the phone.


2. Enable Writing to internal NAND Memory (S-OFF)

There are a variety of methods for disabling write protection on the internal memory, but if you have done an Over The Air (OTA) update provided by HTC to upgrade the Sensation to Android 4.0.3 Ice Cream Sandwich, the HBOOT bootloader is upgraded to version 1.27. As a result, you only have one method of disabling S-OFF, which involves something called the "wire trick". At first, I thought that this couldn't be correct, but disabling write protection requires, among other things, connecting one end of a wire to the ground port of the HTC Sensation, and the other end of the wire to the metal case of the SD Card slot:



I unfolded a paper clip and used it for the wire trick above.

I used the Juopunutbear S-OFF method described at the following link:

http://unlimited.io/juopunutbear.htm

Since we already unlocked the bootloader in Step 1 using the unlock token from HTCdev, all the user data is now wiped from the stock ICS Android installation. Once again you must turn off fastboot and enable USB Debugging as detailed in Step 1 above.

Now use a microUSB to USB cable to connect your HTC Sensation to a USB port on a Linux machine. As in Step 1 above, you can verify that your phone is detected by running lsusb and looking for PCI bus ID 0bb4:0f87.

Download the Juopunutbear S-OFF tarball for the HTC Sensation with ICS 4.0.3 from the following link:

http://unlimited.io/downloads/jb/pyramid/ControlBearRelease_pyramid_ICS_LINUX.tgz

Extract files from the tarball with

tar xvfz ControlBearRelease_pyramid_ICS_LINUX.tgz

This tarball contains the binary executables adb, fastboot, and ControlBear in addition to a variety of .img files. Although adb and fastboot should already be installed from the android-tools package, I suspect that the ControlBear program uses the versions of adb and fastboot extracted from the tarball (although I can't be sure, since I haven't been able to find a copy of the source for ControlBear).

The instructions from http://unlimited.io/juopunutbear.htm tell users to give rwx r-x r-x permissions to Controlbear with chmod 755 ControlBear and to run the ControlBear binary as root. I wish I could see exactly what steps this program takes to get S-OFF...

ControlBear will tell you when it is time to do the wire trick. While you are waiting to get the go-ahead, initially insert one end of a paper clip into the ground port on the right, and when the terminal tells you to do the wire trick, tap the other end of the paper clip to the metal casing of the SD Card slot for a little more than one second, wait one second, and then repeat. You may have to run ControlBear several times before you execute the wire trick perfectly. If you have problems, refer to the ControlBear troubleshooting FAQ for more info:

http://unlimited.io/jbtroubleshooting.htm

If ControlBear succeeds, you will get the following message:

...
SUCCESS - Buddies and Beer
Checking alcohol level......
Seems to be just right.....
Let's take one more......
Aaaah, nice sunny day!!
Rebooting.......
Waiting device....
Found device... Please wait...
Rebooting bootloader.......
Waiting device....
Fastboot detected
JuopunutBear S-OFF success

ControlBear will then prompt you whether or not you want to install a custom HBOOT bootloader. If you do install the custom HBOOT, when you restart your phone, you will see that S-OFF is enabled but find that the bootloader is LOCKED again. I suspect that if you don't install the custom Juopunutbear bootloader, the HBOOT 1.27 which we unlocked in Step 1 using the token from HTCdev will remain unlocked (but I haven't tested this yet on my Sensation).

Although some tutorials on the Internet claim that as long as you have S-OFF enabled, it doesn't matter if the bootloader is locked or not, this was not the case for me. I had to repeat the Step 1 process once more to unlock the Juopunutbear custom bootloader before I could proceed to the next step.


3. Install a Custom Recovery Bootloader - TWRP

Through trial-and-error, I found that recent builds of Team Win Recovery Project (TWRP) for the HTC Sensation are capable of installing newer Android versions like KitKat 4.4.4 and Lollipop 5.0+. Although ClockWork Mod (CWM) recovery is very popular on Android forums, the latest version available for the HTC Sensation at this link is below version 6.

Unfortunately, CWM Recovery below version 6.0.4.5 is not capable of installing Android KitKat.

This isn't a problem as TWRP has recent builds for the HTC Sensation at the following link:

https://twrp.me/devices/htcsensation.html

Instead of installing TWRP from the Google Play Store, simply download the image file from the following link (which is also listed on the TWRP HTC Sensation page):

https://dl.twrp.me/pyramid/

Select the most recent version, which as of July 19, 2015 is twrp-2.8.6.0-pyramid.img

Once you have downloaded the TWRP image, you will use adb to install TWRP as the new recovery bootloader. As explained in Step 1 above, make sure fastboot is disabled and that USB Debugging is enabled. Connect the HTC Sensation to your Linux machine's USB port and enter the following in a terminal:

sudo adb reboot bootloader

In your terminal, make sure you are in the same PATH to which you downloaded twrp-2.8.6.0-pyramid.img

When you get to the bootloader screen, you can now flash TWRP to your phone:

sudo fastboot flash recovery twrp-2.8.6.0-pyramid.img


4. Copy an Android KitKat Image to the phone's sdcard

Because the HTC Sensation only has 768 MB RAM and 1024 MB internal NAND memory, I deliberately chose the minimal Android distribution SlimKat. I've heard that the dual-core HTC Sensation feels sluggish on Android Lollipop 5.0, so I downloaded SlimKat's Slim-pyramid-4.4.4.build.9.0-OFFICIAL-8305.zip KitKat image. The nice thing about TWRP is that you can install Android from .zip instead of .img files, so it is unnecessary to extract files from the zip archive.

To send the KitKat image file to the HTC Sensation, use the adb push command:

sudo adb push Slim-pyramid-4.4.4.build.9.0-OFFICIAL-8305.zip /storage/sdcard0


5. Install Custom KitKat Image using TWRP

Now reboot into recovery mode, which should bring up TWRP:

sudo adb reboot recovery

Alternately, you could manually power off the Sensation, and then press the Volume Down and Power buttons simultaneously at boot to enter recovery mode.

Before you install the custom KitKat ROM, you must first flush the Dalvik cache. From the TWRP menu, tap Wipe and make sure Dalvik Cache is checked. As for why it is a good idea to wipe this cache, refer to this post from Stack Exchange.

Next, from the TWRP main menu, select Install and when it prompts you to Select Zip to Install, navigate to the path on the sdcard (/storage/sdcard0) where you saved the KitKat .zip file.

Once this process finishes, you will have an HTC Sensation running Android 4.4.4!