This method is majorly out of date. Generally, every update breaks the current root method, and a new one must be found. By now, this is 3-4 cycles old. Please check XDA-Developers forums or unrevoked for alternate (and current) methods.

This one is sure to make plenty of people happy: it looks like there's finally a root method for the latest EVO OTA. The method was discovered by XDA-Devs user Dan Wager and is based on Sebastian Krahmer's Droid 2 root - although this seems to achieve root by downgrading to Android 2.1 and flashing unrevoked. Just like the Droid 2 root, the method is new and thus still pretty complex:

Make sure your phone is unplugged from your computer until I tell you to plug it in!
If you already have the Android SDK and HTC Sync set up on your computer, skip to Step 4 now


Step 1: Download the Android SDK here

Step 2: Extract the Android SDK zip. Move the contents of the extracted zip to C:\
Your Android tools folder path should now be C:\android-sdk-windows\tools

Step 3: Download HTC Sync 2.0.40 here
Run the installer. Move on once installed. If reboot is required, do so and then move on.

Download my

It contains a few files necessary to root the EVO.
Unzip the contents of the zip to your android sdk tools folder.

Download the
Place this zip in your tools folder as well, as a zip, not extracted.

Download this (This is the same as running an RUU, so it will delete all of your user data when we use it later in the guide, so backup everything you want to save on your phone first)

Put this zip in your sdk tools folder as well, as a zip, not extracted.

After unzipping the contents of to your android sdk tools folder and placing the and in the folder, move on.

Step 4: Make sure USB Debugging is ON (checked) on your EVO. Go to Settings > Applications > Development > and make sure it is checked.

Step 5: Plug your phone into the computer via USB, Make sure that the connection type in the Notification Pull-Down Bar is "Charge Only", not "Disk Drive" or else this won't work.
If your computer asks you to restart after the new drivers were installed, do that now.

Once ready, type these commands in cmd prompt from your adb tools directory.


adb push /sdcard/
adb push flash_image /data/local/
adb push rageagainstthecage-arm5.bin /data/local/tmp/
adb push mtd-eng.img /sdcard/
adb push /sdcard/

now we chmod a few things


adb shell
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
chmod 0755 /data/local/flash_image

Ok now for the root shell.

On your phone, go to Settings > Wireless & Networks

After you do these next 2 commands, start toggling Airplane Mode over and over until you achieve the desired results mention in a few steps.

(still in adb shell)


cd /data/local/tmp



(This is where you start toggling airplane mode)

You will now see some text on your cmd prompt screen explaining the exploit.

Wait for the adb shell to go away, and it will dump you into your windows command prompt again (no shell) should look something like this:


If it dumps you to a $ instead, repeat those 2 commands again, toggling airplane mode again.

Once that dumps you out of the shell, type


adb shell

and you will see you now have a



instead of



now type


cd /data/local
./flash_image misc /sdcard/mtd-eng.img

that will flash your misc partition with Toast's mtd-eng.img.

after that, you need to type


reboot bootloader

Remember how you pushed that huge to your sdcard earlier? This is where that comes in handy. Once you booted into hboot, Select "bootloader" with your volume up/down buttons and hit the power button. Let it sit for a little bit while it loads the This can take up to 5 minutes. When it finally asks if you want to apply this zip, choose YES. (Remember, this is the same as running an RUU, so it will delete all of your user data).

Once it is finished, select restart. You now are on the stock 2.1 build of Android.

Next step, mount your sdcard on your computer, and delete the from it. This is because the next step requires using hboot, and you don't want to sit and wait while it loads up again, just for you to say "no" to the install. Please follow this step, for it saves 5-10 minutes of waiting ahead.

I worked extensively with Matt Mastracci, so this rooting guide will use the unrevoked method to root 2.1. This is what worked for me testing on my brother's EVO, so if you do end up trying something else to root 2.1 with, PLEASE do not post it here or ask questions, for I will only support the unrevoked team.

Now open up your web browser on your computer and navigate to

Click on the little EVO picture, and then on unrevoked3. Go here for more info on unrevoked3.

Choose the correct operating system to download for. Once downloaded, run the program on your computer. Make sure your EVO is plugged in with USB DEBUGGING ON! Do not touch your phone while this process is going. It will reboot to the bootloader, and pause for a little while and then do some reboots.

As soon as it is booted into recovery, you are done with that.

Next in recovery go to


Flash zip from sdcard

and choose the


This will flash the unrevoked forever hboot unlock. You are now completely rooted. You can now reboot to recovery and flash a custom rom, or reboot into the rom and accept the OTA update. Even if you accept the OTA update, you will still have the s-off flag from unrevoked forever, so you can flash a custom recovery from the bootloader using


 fastboot flash recovery /sdcard/recovery.img

assuming that you are booted in the bootloader and have the recovery image on your sdcard as recovery.img.

I am sorry if this is a little confusing, but I had to get this out tonight. I will update this as best as I can tomorrow. Thanks again for all of your patience tonight!

Dan Wager

[Update] Important step mentioned by a commenter (and unrevoked): make sure you uninstall HTC Sync before running unrevoked.

Yea, it's a doozy - probably not something a novice rooter wants to try. A much simpler method should be coming soon though, as a lot of the commands can probably be automated with a relatively basic batch file.

The source files and original post can be found at the source link below. If anyone takes the dive, be sure to let us know how it goes in the comments below.

[Source: XDA-Devs]