24
Nov
1

When the Droid DNA was first announced, we were all surprised to find that the bootloader was unlockable at HTCdev.com. Because of this, the device actually got root, recovery, and a custom kernel days before the official release. Unfortunately, by the time the device became available in retail channels, Verizon had pulled the plug, and the device could no longer be unlocked through official means.

Thankfully, there's another way (isn't there always?). The softmod below will effectively change the carrier information, allowing it to once again be unlocked via HTC's official tool.

Before we get started, special thanks to Sean Beaupre, who stepped in at the last minute and made this release possible. I was unable to release one of the original exploits due to a conflict of interest, and Sean provided a working replacement that we could release.

What you need:

  • Modern ADB that supports backup/restore (ICS and up)
  • 1GB free space on your phone

Downloads:

With all the requisites taken care of, let's get started.

Disclaimer: Android Police isn't responsible for any harm to your device - proceed at your own risk.

Unzip DNA_TeamAndIRC.zip. Put runme.sh, CIDGen.apk, and backup.ab in the directory with adb.

Check the README.txt before continuing!

adb install CIDGen.apk

Run the CIDGen app from your phone and follow the directions on the app. Then ensure the /sdcard/CIDBLOCK.img file exists on your phone with the following command:

adb shell ls -l /sdcard/CIDBLOCK.img

If CIDBLOCK.img does not exist after running the app, do NOT proceed. Try re-running CIDGen.apk on your phone again, then re-run the above command to verify CIDBLOCK.img's existence.

If it does exist, continue with these commands:

adb push runme.sh /data/local/tmp/

adb shell chmod 755 /data/local/tmp/runme.sh

adb shell /data/local/tmp/runme.sh

This process will loop forever and give out lots of "No such file" or "link failed" errors, so just leave it running for now.

In a second terminal/command prompt use adb to restore the modified backup. After running this command the phone will ask for your permission to restore the file, so go ahead and allow it.

adb restore backup.ab

After the restore is finished you will need to stop the runme.sh script in the first terminal (use control+c or just close the window).

From this point forward, you're past the point of no return. Do not continue if you will not be able to follow the instructions 100%, as rebooting or powering down the phone at the wrong time will brick the device. Ensure your phone has at least 50% battery life remaining before continuing.

adb shell rm /data/data/com.htc.usage/files/exploit/*

adb shell mv /data/DxDrm /data/DxDrm_org

adb shell mkdir /data/DxDrm

adb shell ln -s /dev/block/mmcblk0p5 /data/DxDrm/DxSecureDB

adb reboot

adb wait-for-device

Now repeat the first exploit:

adb shell /data/local/tmp/runme.sh

This process will also loop forever and give out lots of "No such file" or "link failed" errors - again, just leave it running.

In a second terminal/command prompt use adb to restore the modified backup. After running this command the phone will ask for your permission to restore the file - just like before, go ahead and allow it.

adb restore backup.ab

After the restore is done you will need to stop the runme.sh script in the first terminal (use control+c or just close the window).

adb shell mv /data/DxDrm /data/DxDrm_trash

adb shell dd if=/sdcard/CIDBLOCK.img of=/dev/block/mmcblk0p5

adb reboot

You can now unlock using HTCDev.com - simply select "All other supported models" for your phone type. Finally, for recovery and root following unlock please visit the HTC Droid DNA forums on RootzWiki. The support thread for the unlock can be found here.
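
One step above places a symlink to a raw partition at /data/DxDrm/DxSecureDB. The defensive counterpart, as an added example that is not from the article or the exploit's authors: C code for a privileged process that opens a data file without following a planted link and refuses anything that is not a regular file. The function names, the SecureDB file name and the scratch directory are assumptions.

```c
/* Added example, not from the article; names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open dir/name for writing; returns an fd, or -1 with errno set. */
int open_regular_nofollow(const char *dir, const char *name)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* A symlink as the final component fails with ELOOP, unresolved. */
    int fd = openat(dfd, name, O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    int saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }
    /* Check the opened object, not the path: reject device nodes, FIFOs. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed case; /dev/null stands in for a device. 0 if opened, else errno. */
int try_open(int plant_symlink)
{
    char dir[] = "/tmp/nofollow-XXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/SecureDB", dir);
    int c = plant_symlink ? symlink("/dev/null", path) : creat(path, 0600);
    if (c < 0) return -1;
    if (!plant_symlink) close(c);
    int fd = open_regular_nofollow(dir, "SecureDB");
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir); /* remove the scratch files */
    return err;
}

int main(void)
{
    return printf("regular file: %d, symlink: %d\n", try_open(0), try_open(1)) < 0;
}
```

O_NOFOLLOW covers only the final path component, so parent directories that less-privileged users can rename or replace need the same handling.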

If you would like to further support development of roots and unlocks, donations for test devices (and brick replacements) can be made here.

Credits:

  • Original development: jcase
  • Awesome saver of the day: Sean Beaupre
  • Crash test dummy: dsb9938 (I bricked his phone making this!)
  • Artem and all @AndroidPolice for putting up with my nonsense.
  • Special thanks to Fuses for recommending a better target, and the numerous testers that let me play with their new phones.
Justin Case
Justin Case is a 30-year-old father of four. He has an ever-changing array of Android devices, and an eye for mobile security.
  • aaron

    not an exclusive, but good write up.

    • Gabriel Forgie

      Yeah this was released exclusively to AP and RootzWiki.

    • http://twitter.com/TeamAndIRC Justin Case

      Considering I authored both the exploit and the article, yes it is

      • jonathan3579

        I was following your thread on XDA so I'm glad to see this got released. I might go and pick up the device today and make the most of the GSM unlocked capabilities.

  • MatthewMarion

    Hey. Jcase. You're awesome.

  • http://scribblepeople.net Mike

    2012 is a good year, people understand boot loaders more now

  • Worm

    Thank you, JCase for all your hard work! You're awesome.

  • Nene

    I unlocked my device and now I have root... sweet!!!!

  • AAA

    Just in case, how to relock it?

    • http://twitter.com/TeamAndIRC Justin Case

      if you relock, it will say relock in the bootloader. fastboot oem lock

  • cy_n_ic

    Justin time for the holiday season! Sorry, couldn't help myself ;p

  • http://www.facebook.com/profile.php?id=1449197535 David Gigato

    Thank you Justin case

    • Vu Viet Anh

      I see what you did there...

      • http://www.facebook.com/profile.php?id=1449197535 David Gigato

        Don't get what you said

        • http://www.facebook.com/profile.php?id=100001056662990 Laarree Miiller

          He thought you were joking... Just In Case

  • user

    Can you relock or is this a perm effect?

    • user

      Saw the answer in the comments.
      So does this mean that warranty is completely voided?

      • http://twitter.com/MBHays Mike

        It's technically voided, but if it's hardware faults then HTC will likely repair the phone.

  • Champlification

    adb shell mkdir /data/DxDrm results in permission denied?

    • http://twitter.com/TeamAndIRC Justin Case

      Then the restore update didn't finish. Some Windows users are having issues with the adb server being killed. Working on it now, not sure if it's a bug in Windows, or a bug in the Windows version of adb.

      • James

        What if I run through Linux? Any issue with this?

    • http://www.facebook.com/TheSystemsEngineer Edwin Castillo

      I kept getting adb server is out of date. killing... until I realized that I was running "HTC Sync Manager". Once I killed it, I never saw the out of date or permission denied message.

  • http://profiles.google.com/tomthebomb67212 tom courtney

    noob question, what benefit does this provide over a locked bootloader?

    • SetiroN

      The possibility to run unsigned ROMs and kernels, i.e. get rid of the sense plague and get on with cyanogenmod.

  • Dominic

    Justin, had errors both times with adb restore backup.ab. First time, permission denied and then the second time it didn't ACK. What gives?

  • The Steven Park

    I can't turn on my phone and no fastboot. It's connected as qhsusb dload to my laptop. What should I do, or real question is what can I do? Please help me. Just got this phone yesterday. My email add wildgrasspark@gmail.com

  • DroidModderX

    Here is a Video Guide that I put together for anyone that is interested in a visual aid. http://www.youtube.com/watch?v=e2ZBIMNlA3w&list=UU1J4DKcJXENzC-FkyMU6dow&index=3&feature=plcp

  • http://twitter.com/fendee1 gregory davis

    It's great you guys got this far, but HTC Verizon will never release ril like on the Thunderbolt to full cm10 or a full Google phone, will see.

    • sgtguthrie

      No non nexus device ever gets ril released. The Thunderbolt was just special, a bitch, and a stepchild. You won't have that problem on this device ;-)

    • http://twitter.com/TeamAndIRC Justin Case

      Why would HTC do that? No OEMs have that as a policy.

  • Chris G

    Soo, call me a noob, an idiot, because i am an idiot that is for sure. But if by chance, I unplugged and turned off my phone prior to doing that last and final step (The three-line script) having bricked my phone. I am just out of luck, right?

  • docgreg

    This worked perfectly. Thanks so much!

  • Jason Ivins

    Thanks Jcase!

  • deh2002

    Sweet, just got my DNA today, my first phone on Verizon. Of course I'm keeping a line open on att also in case some future greatness comes their way

  • Onyx Black

    Hey Jcase, I was amid trying your bootloader exploit for the HTC Droid DNA when I ran into this right after the restore part. Any tips?

    C:\android-sdk-windows\platform-tools>adb shell rm /data/data/com.htc.usage/files/exploit/*

    rm failed for /data/data/com.htc.usage/files/exploit/*, No such file or directory

  • craized

    You are absolutely wonderful for doing this. Procedure was flawless.

  • http://twitter.com/arzvi arzvi

    Thanks. worked perfectly

  • wrestech

    when i went to the adb restore backup.ab command i would say it cannot connect for backup ?????

  • aditya

    Hey, I live in India. If I buy this phone on Verizon and unlock the bootloader, will I be able to use it over any GS band in here...???

    • anon

      This phone is GSM unlocked out of the box, it has nothing to do with unlocking bootloader.
      The phone will work with any GSM network. (FYI you need a micro-sim card)

  • n00b00n

    A n00b question:

    Is it safe to perform all these steps from 64-bit Ubuntu or correctly 64-bit adb and fastboot ?

  • http://www.facebook.com/people/Jeremy-Carnes/100000999394701 Jeremy Carnes

    Well great... I made it to "Now repeat the first exploit" and ran the "adb restore backup.ab" confirmed data restore on the phn and walked away and my computer decided to reboot to install updates. Now the device will not power on. Any suggestions?

  • Pinchloaf

    When the "No such file" is running and I run "adb restore backup.ab" and I hit restore on the phone, the "No such file" stops running and the restore doesn't seem to do anything. Ideas?

  • jason

    I was hoping this worked with the HTC J Butterfly? I get error "Incompatible device! Exciting!" When launching CIDGen.

  • Gerardo

    Can I use custom backup.ab? With all my apps?

  • andreww3834

    I unlocked my HTC with an unlock code, found it easier this way http://www.unlockscodes.com/imei/23/84/Unlock-HTC- follow this link if you want to unlock by code

  • http://www.facebook.com/michael.steely.1 Michael Steely

    I have done this numerous times and it does fine all the way to the exploit part then it starts saying access denied....can someone please help me I want nothing more than to root my droid DNA

  • propcworld

    is this still working?

  • propcworld

    will this still work?

  • Prateek Jadhwani

    adb shell rm /data/data/com.htc.usage/files/exploit/*

    the above step says Permission Denied

    Not just this one.. all the following steps after that

    • Bdog21

      I get the same thing... anybody know what to do about this?

    • sean m

      Any help on this?

  • hashim

    After exploit I try to unlock bootloader, it gives error 160.. MID NOT ALLOWED... help please
