Image: broken chains from zayasbazan.blogspot.com, labeled for commercial reuse, used in the S-OFF piece.

Over the weekend, S-OFF was achieved for most versions of the HTC One M8 in the form of Firewater S-OFF. I managed to flip the security flag off on my Sprint device to test it, and it's pretty simple if you're already rooted and unlocked with HTCdev.

However, there are also methods for getting S-OFF that do not require giving HTC your phone’s information to unlock the bootloader, and that’s what’s cool about this particular set of exploits.

Firewater S-OFF is a native Android binary that you download to a computer and push to your phone via ADB. A short set of commands, answering "Yes" on your computer when asked if you are willing to accept the risk, and about three to five minutes of walking away and letting the exploit do its thing are all you need.

For Firewater to run, you need root (which I already had). In the standard scenario, that means unlocking the bootloader through HTCdev, which gives HTC your phone's information. Fortunately, on some versions of the new M8 there is a way around that: a temporary-root exploit called WeakSauce.

For those worried about getting in too deep, WeakSauce is a program you just tap and run, and if it works you've got root. The Firewater method requires that no lock-screen passcode be set on your phone, then involves downloading a file, placing it in the directory where you keep your adb binary, and executing a few commands from a command prompt or terminal window on the computer, not on the M8.

Prerequisites

  • A computer with ADB functioning.
  • An HTC One M8 with root, whether permanent (HTCdev unlock) or temporary (WeakSauce)

Gaining S-OFF

Download Firewater.

If you’re not rooted, download WeakSauce.

Follow the instructions on the Firewater website; they may change from the ones listed below.

Profit

An overview of the Firewater process (use the website for instructions, as they may change; this is just so you can see how little is involved on your end).

From the Firewater exploit guide:

  1. adb reboot       <–important!!!!
  2. adb wait-for-device push firewater /data/local/tmp
  3. adb shell
  4. chmod 755 /data/local/tmp/firewater
  5. su
  6. /data/local/tmp/firewater

If you’re wondering what each of these commands do, the breakdown is:

  1. Reboot your phone (presumably to clear out anything else that might be running).
  2. Wait for the phone to get to a state where it can accept commands, then take the file "firewater" and place it in the /data/local/tmp directory on your phone.
  3. Open a shell on the phone so you can issue commands.
  4. Set the permissions on the firewater file you just placed on the device (rwxr-xr-x) so that Android will execute it.
  5. Call superuser (you may need to tap "Grant" on the phone when the superuser app asks whether to give root to the shell session).
  6. Run the exploit.
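The six steps above, wrapped with the sanity checks a practitioner would want around a brick-risk exploit: that exactly one device is attached, that `su` really grants root before the exploit is started, and that the bootloader actually reports S-OFF afterwards. This is an added example and is not code from the Firewater project or the original post. It assumes the downloaded binary sits in the current directory as `firewater`, that `su -c` works (SuperSU-style), and that HTC's `fastboot getvar all` output contains a line of the form `(bootloader) security: off` (the line format and the two sample outputs below are constructed for the example). The exploit itself stays interactive so you, not the script, answer its "are you sure" prompt.

```shell
#!/bin/sh
# Added example: pre-flight checks, the documented Firewater steps, and a
# post-check of the bootloader's security flag. Not the project's own code.
# ASSUMPTIONS: one device attached; `su -c` grants root to the adb shell;
# `fastboot getvar all` prints a "security: off|on" line (format assumed).
set -eu

FIREWATER=${FIREWATER:-./firewater}    # assumed local name of the download
REMOTE=/data/local/tmp/firewater

# Constructed sample getvar output, used for the stand-alone self-check.
SAMPLE_SOFF='(bootloader) version: 0.5
(bootloader) security: off
(bootloader) build-mode: SHIP'
SAMPLE_SON='(bootloader) version: 0.5
(bootloader) security: on
(bootloader) build-mode: SHIP'

# security_state TEXT -> prints "off", "on" or "unknown".
# Picks the first "security:" line (case-insensitive, CRs stripped).
security_state() {
  line=$(printf '%s\n' "$1" | tr -d '\r' | grep -i -m1 'security:' \
         | tr '[:upper:]' '[:lower:]' || true)
  case "$line" in
    *security:*off*) echo off ;;
    *security:*on*)  echo on ;;
    *)               echo unknown ;;
  esac
}

# Exactly one device must be in adb's "device" state (not "unauthorized").
require_one_device() {
  n=$(adb devices | awk 'NR>1 && $2=="device"' | wc -l | tr -d ' ')
  [ "$n" -eq 1 ] || { echo "expected one device, found $n" >&2; return 1; }
}

# Confirm su hands out uid 0 before pointing the exploit at the phone.
require_root() {
  out=$(adb shell su -c id 2>/dev/null | tr -d '\r')
  case "$out" in
    *uid=0*) ;;
    *) echo "su did not grant root (got: $out)" >&2; return 1 ;;
  esac
}

run_firewater() {
  [ -f "$FIREWATER" ] || { echo "no binary at $FIREWATER" >&2; return 1; }
  require_one_device
  adb reboot                                        # step 1
  adb wait-for-device push "$FIREWATER" "$REMOTE"   # step 2
  adb shell chmod 755 "$REMOTE"                     # step 4, non-interactive
  require_root                                      # step 5 sanity check
  echo "In the shell that opens, type: su   then: $REMOTE"
  echo "Answer the exploit's prompt yourself; exit the shell when it is done."
  adb shell                                         # steps 3, 5, 6 by hand
  adb reboot bootloader                             # verify from hboot
  state=$(security_state "$(fastboot getvar all 2>&1)")  # getvar prints to stderr
  echo "bootloader reports security: $state"
  [ "$state" = off ]
}

# Stand-alone run without "run" just exercises the parser on the samples.
if [ "${1:-}" = "run" ]; then
  run_firewater
else
  echo "parser self-check: $(security_state "$SAMPLE_SOFF") / $(security_state "$SAMPLE_SON")"
fi
```

Run it as `sh firewater_wrap.sh run`; without the argument it only checks the parser. The pre-checks are there because the failure modes worth avoiding are silent ones: an unauthorized device shows up in `adb devices` but accepts no commands, and a denied `su` leaves the exploit running unprivileged.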

When you're running this, you'll see some text pop up informing you that you could brick your phone and asking if you want to proceed. I typed in "yes" from the computer, pressed enter, and roughly five minutes later I had an S-OFF phone. It may have been less time, but it always feels like an eternity.

It claimed it worked, there were no reboots, and I thought the thing had failed – but when I executed "adb reboot bootloader", there my phone sat in the S-OFF state.

Keep in mind, these things probably void your warranty. In three years we've met one person who claims a warranty fix for a hardware issue unrelated to rooting was denied, but most people don't seem to have trouble with warranty claims for hardware problems unrelated to rooting.

[Firewater S-OFF]