Upload
sabbiram
View
164
Download
1
Tags:
Embed Size (px)
Citation preview
0
1
24th February – Updated and added rom download links, clarified USB driver
setup for Desire Z and G2
20th April – Added rooting guide and updated the tools package.
2
This guide has been made by taking partial and whole intercepts from
various guides across the internet.
Sources: Setherio’s extensive guide on XDA Forums
Disclaimer
You are solely responsible for your actions (i.e. following this guide).
This guide has been tested to be working, so you don’t have to worry.
If you encounter problems XDA Developer Forums will surely have a solution for you.
Required files for this guide:
DZ-G2 Downgrade-Rooting Tools , Link2
Password: strawmetal
Desire Z: Stock ROM , Link 2 , Link 3 , Link 4
G2: Stock ROM , Link 2 , Link 3
HTC Sync(only for Desire Z) or HTC USB Driver(either model)
3
Download the attached file. Extract and place the folder in your C drive as shown.
Right click on My Computer > Properties > Advanced/Advanced System Settings >
Environment Variables
Under “System Variables” click “path” and click “edit”.
At the end of the line add a semi colon “;” and type “C:\platform-tools” (of course
without “ ” ) then click OK.
o Now we need to install the USB drivers for your phone on your system. Just install
the latest HTC Sync (only for Desire Z) or HTC USB Driver (either model). If you
installed HTC Sync then connect your phone via USB and select HTC Sync option.
Let the Sync application detect your phone. After it detects and connects to your
phone successfully remove the USB from your phone. Now go to Add/Remove
Programs and remove HTC Sync Software...
4
(CAUTION: do not uninstall other HTC driver software) . Your drivers should be
successfully set up.
o On your phone, click Settings > Applications > Development and make sure USB
Debugging is on. Now connect your phone in charge only mode.
o Open Command Prompt from Run in start menu by typing "cmd" .Type the
following into the command prompt window (hitting enter at the end of every line):
You should see your device serial showing up. This means you are all set.
If it doesn’t show up then try reconnecting your phone and also try reinstalling the
drivers. Charge only mode is compulsory
Note: Whenever you are typing the commands you do not need to type the
characters in blue i.e., > $ #
> adb devices
5
1. Your sdcard should be inserted in your phone, you should be connected to
your pc in charge only mode, and your sdcard should not be full (min 400MB
free).
2. Run the following command to verify the exploit has access to what it needs.
(Only the first line is the command. The second line should be the result
returned if all goes well)
3. If you received the same message, you're good to continue on. If not... I'd
recommend going back to #g2root and asking them. (I am just passing along
the information after all)
4. Run the following commands
5. After you enter that command, with luck you should see something similar to
the last few lines in the following displayed. (It may take a minute or two. From
what I can tell, this appears to be the quickest method as the exploit seems to
be found in the latter regions.)
> adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length
> adb push fre3vo /data/local/tmp
> adb shell
$ chmod 777 /data/local/tmp/fre3vo
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
Buffer offset: 00000000
Buffer size: 8192
Scanning region fb7b0000…
Scanning region fb8a0000…
Scanning region fb990000…
Potential exploit area found at address fbb4d600:a00.
Exploiting device…
6
6. A. If the exploit works, you will be kicked out of ADB shell, proceed to Step #7
B. If the above does not work, and fails, you can try the following, and hopefully
one will work, try the following (you must reboot your phone before you try
another set):
7. If you did get kicked out of adb shell, open it again. You should now see the
lovely # instead of $, thus granting you temp root. Go ahead and exit out of
shell to proceed to the next stage.
$ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
$ /data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF
$ /data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF
$ /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
$ /data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF
> adb shell
# exit
7
1. Enter the following commands.
Note: If you get the following error, please make sure your sdcard is inserted in
your phone and your phone is connected to the computer on Charge Only mode
(not USB Storage)
2.
3. Double check and make sure everything looks good so far by running the following
command (still in adb shell).
4. Backup any data you require i.e. contacts, messages, calendar, images, videos,
music.
> adb push misc_version /data/local/tmp/misc_version
> adb push flashgc /data/local/tmp/flashgc
> adb shell chmod 777 /data/local/tmp/*
> adb shell
> cd /data/local/tmp
# ./misc_version –s 1.00.000.0
--set_version set. VERSION will be changed to: 1.00.000.0
Patching and backing up partition 17…
# ./flashgc
Error opening backup file.
# sync
# dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10
1.00.000.010+0 records in
10+0 records out
10 bytes transferred in 0.001 secs (10000 bytes/sec)
8
If you have nothing to backup or don’t care to back up anything, proceed directly to
downgrading on the next page.
1. Run the following commands in your command prompt.
2. Download a backup application such as TitaniumBackup / MyBackupRoot. You can
also use ES File Explorer to backup the apks of your apps onto your sdcard.
Call Logs Backup & Restore and SMS Backup & Restore are other cool options.
Make a backup.
> adb push su /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push fixsu.sh /data/local/tmp/
> adb install Superuser.apk
> adb shell chmod 755 /data/local/tmp/fixsu.sh
> adb shell /data/local/tmp/fixsu.sh
9
Please follow either manual downgrade or fastboot downgrade.
Hope you’ve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other
roms, you may brick your device. Use only roms that are compatible with your phone.
1. Rename your downloaded rom to PC10IMG.zip (i.e. PCtenIMG.zip)
Note: Filename MUST be all uppercase except for the extension, and if file
extensions are hidden, do not include ".zip")
2. Now connect your phone in USB storage and copy your PC10IMG.zip onto your
sdcard. NOTE: Do not place it inside any folder.
3. Now change your connection type to Charge Only. The next process takes about
5-10 minutes so make sure your charge is not low else, plug into an outlet or your
computer.
4. Type the following in your command prompt to reboot your phone into your
bootloader.
5. After your phone has entered the bootloader, press the power button (works as
select key, volume keys work as navigation keys).
Your phone will now scan for your rom file and asks you to confirm the update
(actually it’s a downgrade for you, we manipulated the version number remember?)
DO NOT INTERRUPT THIS PROCESS. Your phone will reboot once or twice (completely
normal). Once the process is complete it will ask you to press a key to reboot. Your
phone will now reboot into your stock Froyo rom.
Congratulations your downgrade is complete and you are free go ahead and root your
phone permanently. There are many guides out there. You could even follow the guide
on the next few pages sourced from xda wiki. Please avoid anything related to Visionary
it has been known to brick phones.
> adb reboot bootloader
10
Hope you’ve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other
roms, you may brick your device. Use only roms that are compatible with your phone.
1. Rename your downloaded rom to StockRom.zip
Note: Filename MUST be exactly same, and if file extensions are hidden, do not
include ".zip")
2. Now copy StockRom.zip into your platform-tools folder. Next type the following
command to boot into the bootloader.
3. Make sure your device is recognized by typing the following command. If your
device is recognized it should return a serial/model number.
4. Type this and your phone should now reboot into a black screen with a grey/silver
"HTC" logo on it.
5. Next we flash the Stock Rom. This may take a few minutes as it transfers the file to
the phone then attemps to update (downgrade).
In rare cases the flash stops and the user gets a warning to repeat the flash
immediately don’t panic, just run the " fastboot flash zip StockRom.zip" (only this
command, not the rebootRUU one) again and it will work.
6. When it finishes, wait a minute or two (just in case) then reboot your phone by
typing:
Your phone will now reboot into your stock Froyo rom.Congratulations your downgrade
is complete and you are free go ahead and root your phone permanently. There are many
guides out there. You could even follow the guide on the next few pages sourced from
xda wiki. Please avoid anything related to Visionary it has been known to brick phones.
> adb reboot bootloader
> fastboot devices
> fastboot oem rebootRUU
> fastboot flash zip StockRom.zip
> fastboot reboot
11
Before we can continue you need to enable debugging in the settings on the phone. In
Settings go to "Applications -> Development" and check the "USB debugging" option.
Connect you phone via USB to your PC. Your phone should remain connected throughout
the process. Make sure that your phone is NOT CONNECTED IN USB STORAGE and your
sdcard is inserted in your phone and is mounted on the phone. There is a Readme.txt file
in the platform-tools folder. Follow that and then enter the following commands taking
care that you have typed correctly.
Now you can choose either 4ext or clockwork for your recovery. So enter the following
command accordingly. Choose only one.
Now the following command is to get temporary root.
After the last command you should have a root shell in adb given by #. Now do not close
the command/ terminal window.
> adb push psneuter /data/local/tmp/
> adb push gfree /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push hboot-eng.img /data/local/tmp/
> adb push root_psn /data/local/tmp/
> adb push su /sdcard/
> adb push Superuser.apk /sdcard/
> adb shell chmod 755 /data/local/tmp/*
> adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp/recovery.img
or
> adb push recovery-4ext-2.2.7.rc5-vision.img /data/local/tmp/recovery.img
> adb shell /data/local/tmp/psneuter
> adb shell
12
Note the output of the next commands as MD5-1:
Now execute the following command to install engineering hboot and recovery.
Wait until # reappears. Note the output of the following command as MD5-2:
Note the output of the following command as MD5-3:
If MD5-3 matches with MD5-1 then gfree failed to powercycle your emmc chip. Either
your software version is high and you did not downgrade. Try again or join #G2ROOT
channel at www.webchat.freenode.net and ask for help.
If MD5-3 does not match MD5-1 and MD5-3 does not match MD5-2 then DO NOT
REBOOT and run to G2ROOT for help.
If MD5-3 matches with MD5-2 then you are fine and type the next command to reboot
and you are permanently rooted.
# cd /data/local/tmp
# ./busybox md5sum /dev/block/mmcblk0p18
# ./gfree –f –b hboot-eng.img –y recovery.img
# ./root_psn
# sync
# cd /data/local/tmp
# ./busybox md5sum hboot-eng.img
# ./busybox md5sum /dev/block/mmcblk0p18
# reboot
13