How do I Unroot and S-ON an HTC One M8

A friend has an AT&T HTC One (M8) and went down the S-OFF and root path without getting the preliminary backup files needed to go back to stock. Low and behold, there was an issue and he needed to return it for warranty service. Fortunately, this is a fairly straight forward process to do and the steps needed to unroot and S-On the HTC One (M8) back to stock are below. While these are specifically for the AT&T model, the steps are applicable to all HTC One M8 models.

Take your HTC One M8 back to stock with S-ON and a locked bootloader

Take your HTC One M8 back to stock with S-ON and a locked bootloader

Proceed with these steps at your own risk. I am providing these steps as a guide with the general assumption that you have some idea of how to get around Android and ADB. If you one-clicked your device, and are not comfortable with this, do not proceed.

This particular HTC One had been fully converted by both Carrier ID (CID) and ROM to the U.S. SIM unlocked model available directly from HTC. Since it was already rooted and had S-OFF, we can jump right into getting this back to stock. If your phone doesn’t have S-OFF, you need to get it there either with Firewater or Sunshine S-OFF before proceeding.

Couple of things before you start
1) Go into settings, under battery, and uncheck “fastboot” if it is selected. This allows you to reboot into the bootloader.
2) Ensure the drivers for ADB are installed and working.
3) Download the official RUU (preferred), or ROM.zip, or stock Nandroid backup that matches the base firmware for your phone.

The CID on this one had been changed to the HTC unlocked version, so we need to get this changed back over to AT&T. Skip this step if the CID is already correct. Power the HTC One M8 completely off, hold the volume down button, and press the power button for about a second. It will power back on in bootloader mode. Then plug-in your USB cable, select fastboot from the menu, and let the drivers load.

Refer to this list and use the command below to change the CID as appropriate.
AT&T: CWS__001
T-Mobile: T-MOB010
Verizon: VZW__001
Sprint: SPCS_001
HTC Unlocked: BS_US001
HTC Developer Edition: BS_US002

fastboot devices

This should return the device serial number. You will need to fix your ADB drivers if it returns anything else.

fastboot oem writecid CWS__001
fastboot reboot-bootloader

Once the HTC One M8 reboots into bootloader again, check that the CID is correct before proceeding with wiping your crack ROM flashing history and relocking your bootloader. If you have a nandroid backup, you will first need flash the rooted stock backup (boot, system, recovery, and data) using TWRP, CWM, or Philz (as appropriate) that corresponds with the base firmware on your device. If you are using an RUU, official or put together by a developer, you can move ahead.

Next, wipe any history of ROMS you have flashed while rooted. Use a root file explorer and navigate to the /devlog/recovery/ folder. Delete all the files you find in there.

After wiping your recovery logs, relock the bootloader. With HTC phones, relocking them via ADB sets a status flag of RE-LOCKED which is a sign that the phone’s firmware has been tampered. Instead of doing this through ADB, we are going to use the DD command in ADB shell with root permissions to write “0000” where the lock flag status is stored, essentially setting it back to having never been unlocked in the first place.

adb shell
su
echo -ne ‘\x00\x00\x00\x00’ | dd of=/dev/block/mmcblk0p2 bs=1 seek=33796
exit
adb reboot bootloader

Once the bootloader is locked, those that restored with a nandroid backup can boot into Android and unroot. If you are using an official RUU, which is a Windows executable, simply plug the phone in and run it, following the on-screen prompts to complete the process. If you have an unofficial ROM.zip, place it in the same folder as fastboot on your computer and use the steps below replacing ROM.zip with the name of the file.

fastboot oem rebootRUU
fastboot flash zip ROM.zip

If you get the error message “flush immediately” just repeat the commands to reflash the zip file.

After the RUU has run its course or you have restored the nandroid backup and unrooted, we need to do one last thing to tidy up which is taking the phone from S-OFF to S-ON and locking it to the specific firmware. Do not put the phone back to S-ON unless you are 100% certain you have the stock firmware on the phone, including the stock Android recovery, and the phone’s CID is correct.

fastboot oem writesecureflag 3
fastboot reboot-bootloader

Now, your bootloader screen should show ***LOCKED*** and S-ON. Reboot one last time into Android and the stock ROM will boot.

Loading Facebook Comments ...

Post Navigation