HTC Thunderbolt Rooted!

Well, you had to know it would happen sooner or later. The HTC Thunderbolt, one of the most talked about, loved, and delayed phones we’ve seen to date, has been rooted. Credit for the process goes to:

  • Scotty2, jamezelle, jcase, and all of Team AndIRC
  • Testers, especially ProTekk and Trident
  • Thanks to scotty2 for WPThis
  • Busybox was pulled from a CyanogenMod ROM, source should be available here
  • psneuter was pulled from somewhere, credit to scotty2, source here
  • All firmware credit goes to 911sniper
  • Jaroslav from Android Police for editorial help
  • And many more great developers and testers

I’ll be the first to tell you that it’s not for the faint of heart. The rooting process requires ADB. A lot of ADB. It goes without saying, if you don’t know how to use ADB or do ADB commands, this root method is not for you. As always, rooting your device will void the warranty, so hack at your own risk.

It’s worth noting that the Thunderbolt is HTC’s most locked down device to date, with a signed kernel, signed recovery, and signed images, as well as locked memory. Basically, HTC put a good bit of effort into trying to hackproof this phone. Of course, they should have never underestimated the amazing hackers and developers of the Android community.

If you’re feeling brave (and maybe a bit lucky), you can try out the rooting procedure by following the steps below. Note that this process will give you S-OFF, unlock eMMC, and remove signature checks. In short, it gives you full root access. Have at it, and good luck! So, who’s going to try rooting their Thunderbolt? Anyone planning to wait until an easier method comes out? Sound off in the comments below!


Source AndroidPolice

Rooting Steps

*** Please read the instructions in full before you attempt the process or head to IRC to ask questions. Also, make sure your battery is fully charged before taking the plunge. ***

Step 1

First, download these files:

Step 2

Note that adb is required.

Push misc.img, busybox, and psneuter using the following commands:

adb push psneuter /data/local/

adb push busybox /data/local/

adb push misc.img /data/local/

adb shell chmod 777 /data/local/psneuter

adb shell chmod 777 /data/local/busybox

Step 3

This step will gain temp root and flash the custom misc.img. Run:

adb shell

Now the shell should display “$”.



You will now be kicked out of adb, and adb will restart as root. Let’s confirm the md5 of misc.img:

adb shell

At this point, the shell should display “#”.


/data/local/busybox md5sum /data/local/misc.img

Output should be “c88dd947eb3b36eec90503a3525ae0de.” If it’s anything else, re-download the file and try again.

Now let’s write misc.img:

dd if=/data/local/misc.img of=/dev/block/mmcblk0p17


Step 4

Here you will rename the downgrade RUU as and place it on your SD card. Then, run the following command:

adb reboot bootloader

Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.

Once done, reboot and delete from your SD card.

Set up the two part exploit, to gain root and unlock MMC.

Push wpthis, busybox, and psneuter.

adb push psneuter /data/local/

adb push busybox /data/local/

adb push wpthis /data/local/

adb shell chmod 777 /data/local/psneuter

adb shell chmod 777 /data/local/busybox

adb shell chmod 777 /data/local/wpthis

Step 5

Next, enter the following commands:

adb shell


To unlock eMMC:

adb shell



Step 6

Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.

To push the eng bootloader:

adb push hbooteng.nb0 /data/local/

adb shell

/data/local/busybox md5sum /data/local/hbooteng.nb0

If the output does not match “6991368ee2deaf182048a3ed9d3c0fcb” exactly, stop, delete it, and re-download it. Otherwise, continue.

Now we will write the new bootloader.

dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18

Confirm proper write:

/data/local/busybox md5sum /dev/block/mmcblk0p18

If the output does not match “6991368ee2deaf182048a3ed9d3c0fcb,” try again; if it still doesn’t work, seek help from in channel #thunderbolt. DO NOT REBOOT.

Now, reboot your phone and put the custom RUU ( on your SD card. Then flash it. This will upgrade you to release firmware with an S-OFF bootloader.

Next, run this command:

adb reboot bootloader

After it flashes, you will be running release firmware with S-OFF.

Step 7

Push SU, busybox, and psneuter.

adb push psneuter /data/local/

adb push busybox /data/local/

adb push su /data/local/

adb shell chmod 777 /data/local/psneuter

adb shell chmod 777 /data/local/busybox

To gain root:

adb shell


The following will remount /system and set up SU:

adb shell

mount -o remount,rw -t ext3 /dev/block/mmcblk0p25 /system

/data/local/busybox cp /data/local/su /system/xbin/su

chown 0:0 /system/xbin/su

chmod 6755 /system/xbin/su

Step 8

Install Superuser from the Market.

Reboot your phone. You should now have full root permissions.

Step 9

Finally, install ROM Manager and flash the ThunderBolt recovery.

If you have problems getting SU to work, a couple extra reboots will likely fix it. If you still have problems, come to the chat: #thunderbolt or use
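The checksum-before-write and read-back checks from Steps 3 and 6, wrapped in one guard function, as an added example that is not part of the original procedure or its authors' tools. The names safe_write and md5_of are hypothetical, regular files stand in for the block device, and the read-back hashes only the image-length prefix of the target, which generalizes the page's whole-partition check to targets larger than the image.

```shell
#!/bin/sh
# Added example: checksum-gated image write, modelled on Steps 3 and 6.
# Helper names are hypothetical; a regular file can stand in for the target.

# md5_of FILE [BYTES]: print the MD5 of FILE, or of its first BYTES bytes.
md5_of() {
    if [ -n "$2" ]; then
        head -c "$2" "$1" | md5sum | cut -d' ' -f1
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# safe_write IMAGE EXPECTED_MD5 TARGET
# Return codes: 0 verified write, 1 image hash mismatch (nothing written),
#               2 write or read-back failure, 3 bad arguments.
safe_write() {
    img=$1; want=$2; dst=$3
    [ -r "$img" ] && [ -n "$want" ] && [ -n "$dst" ] || return 3

    # Gate 1: refuse to write an image that does not match the published hash.
    have=$(md5_of "$img")
    if [ "$have" != "$want" ]; then
        echo "image md5 $have != expected $want; not writing" >&2
        return 1
    fi

    size=$(wc -c < "$img" | tr -d ' ')
    # conv=notrunc leaves bytes past the image untouched, as on a partition.
    dd if="$img" of="$dst" conv=notrunc 2>/dev/null || return 2
    sync

    # Gate 2: read back exactly as many bytes as were written and compare.
    back=$(md5_of "$dst" "$size")
    if [ "$back" != "$want" ]; then
        echo "read-back md5 $back != expected $want; do not reboot" >&2
        return 2
    fi
    return 0
}

# Usage: sh safe_write.sh IMAGE EXPECTED_MD5 TARGET
if [ $# -eq 3 ]; then
    safe_write "$@"
fi
```

MD5 here guards against a corrupted download or a failed write; it is not a defence against a deliberately tampered image.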


  • Thinking I’m going to wait. I love the ‘Bolt so far but I will wait a while until I can delete the bloatware and some custom ROMs start coming out.

  • “If you’re feeling brave (and maybe a bit lucky), you can try out the rooting procedure by following the steps below.”

    OMG, who dare to wait to try after reading the notice ahead. What will happen if we are the ones in the unlucky case.

    • I meant that as a cautionary statement. Rooting a phone is often dangerous, because if you do something wrong, it could brick your phone. In retrospect, “lucky” wasn’t the best term to describe it. But you get the point. Root at your own risk.

  • Computechx

    I won’t even buy the Thunderbolt until there is at least a 3 step root.
    I’m really getting sick of the manufacturers locking down these phones.
