Related
After one week with a T-Mobile US version (32Mb) i want to thank you all for your job.
I mean that first thing when I got it I've installed SE 1.2 and unlocked it. Afterwards I was toying with TMO 4.00.16 ENG and also upgraded radio to 6.24.
Everythnig is smooth but ... I want to build my own ROM. I've set up the makerom on a linux box and i think i will follow this steps:
1. perl setup.sh nk.nbf (this one taken from the origina TMO distribution in the RUU directory) - on the linux box
2. dumprom -4 -d files -q nk.nbf - on the linux machine to get all files
3. perl fdf2reg.pl files/default.fdf cfg/default.reg - linux
4. tr -d "\0" <files/initobj.dat >cfg/initobj.txt - linux box
5. cp files/initdb.ini cfg/initdb.ini - linux box
6. delete all files & add all the files I want to add (all kind of software)
7. bash mkrom.sh out/out.nbf - to generate the file for the SD
Questions:
a) is it possible to remove some files from the original ROM and how (any additional steps required)
b) using ssnap for the addtitional software installed ... where shall i make the additions (in files and for registry) ?
Thanks for all your support.
Decebal
PS. Any XDA owner from Romania ?
Well this is just my second HTC device.. But has anybody ever wondered why information on creating HardSPL and stuff is seeded sparely? We're just waiting until olipro, cmonex (bless their work!!! ) or some other mod finishes the Hard-SPL.
If this is an illegal talk or something then just delete my thread..
I find this is an interesting topic.. So why not colaborate with each other and report status on this, so that we eventually could hack something together..? At least for the sake of interest.. I ever liked hacking embedded devices, but my knowledge in these things is not so good. Would like to dig more into this and solve this kind of mystery
I have found interesting bits of information at the following places:
http://wiki.xda-developers.com/index.php?pagename=Wizard_ROM_Layout
http://forum.xda-developers.com/showthread.php?t=334667
http://www.xs4all.nl/~itsme/projects/xda/tools.html
http://wiki.xda-developers.com/index.php?pagename=SPL%20Questions%3F
http://forum.xda-developers.com/showthread.php?t=501871
The first step seems to be extracting the stock SPL.. I read something about pmemmap, a tool to show the memory map of the phone and pmemdump, a tool to dump memory areas of the phone to disk.
This rises the question of how to find out the address, where the SPL lies in our LEOs and then how to dump it?
If there are any constructive comments on this, everybody is invited to add his thoughts here, or point out the right way
Update:
SPL seems to be dumped, credits go to cmonex. - Now it's time to investigate further steps. Currently looking into it.
Okay.. You can read the SPL from your LEOs with the following command:
pmemdump 0x8ff00000 0x80000 dump.bin
But i have attached it here for your convenience.
Update 2:
For all those people that are curious about the technical background behind SPL hacking i am giving an update of my research now (of course cmonex will finish that work, and she will do it good, but as you probably know, i want to get into that kind of stuff):
I managed to get an MFG SPL (the SPL that isn't shipped with stock ROMs and that is used by HTC to debug) now. This type of SPL is needed to do any further steps regarding flashing Hard-SPL.
This may not be complete or even correct, so if you have any information to add, please share it with us.
As far as i understood the rough procedure now would be to relocate the SPL and its .data section in RAM (that means all the data referenced by code) to a new address. This is needed because the address where the SPL and its data section lie now is protected by the MPU (Memory Protection Unit?), which is set up by the radio bootloader, which is running on another CPU (the ARM9). Every write there will lead to nowhere and as our SPL would execute, it would crash, because of missing data. This is why we need to relocate our SPL to a new address by changing all the hard coded references to data (such as strings etc.) in code.
I need someone to comment on the process of changing all the hard coded addresses to another one. I don't know how to do it yet.
If this is done and all code runs well (there could be further glitches, such as the NAND write/read issue - please comment on that) we would use JumpSPL to load our SPL in RAM into an unused address and execute it. This would give us all the tools needed for flashing HSPL.
I have attached a copy of the MFG SPL i obtained (if this is against any rules, please remove it) together with an analysis in IDA32, which i just made (for the lazy ones).
It would be nice, if we could get some further info here.
Btw.: I found this funky stuff on the PSAS forum. It is a tool that actually simulates an ARM processor and let's you step through the instructions. Really nice, if you want to understand what's going on.
If you want to flash another language ROM to your HTC device you can go here. Please don't use this thread for such requests. Let's keep it about SPL talking. Thanks
Thanks to share this information with the comunity.
Feel free to investigate and and have a go for it.
The itsme utils are extremely useful,
You could also read the posts from Pof, Des, jockeyw2001 regarding this subject.
After you got your SPL, you can read Jockyw2001's posts regarding bootloaders dissembling in IDA pro.
The actual patching of the SPL isn't the hardest part, Cmonex once told that the development of the Soft SPL was trickiest part.
Regards, and good luck.
EqX
Thank you.. I will have a go for it, when i have more time. It's over for today..
Very interesting thread. I would like to know how they are trying to hack the SPL. With due respect to Olinex, we rely on them but there must be also people around who can give a hand to accelerate the process. No ?
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Click to expand...
Click to collapse
Did you install activeperl ?
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
mr.vandalay said:
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
Click to expand...
Click to collapse
You need to use the exact version of ActivePerl as stated on that page and you must use Windows.
You should also know that you cant use this goldcard image for your LEO with the typhoon option. This is for another HTC device.. If you look into that pl file you see that there is no entry for LEO. We need the LEO key.
I replied to your PM about dumping SPL 0x95000000
mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Click to expand...
Click to collapse
sorry this will never work on Leo. I can make the goldcard for you though (for a small donation)
Thanks a lot cmonex, for your PM, hope to flash my Holand device onto a WWE device to better understud.
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Tung_meister said:
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Click to expand...
Click to collapse
Yes, it should be
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Code:
G:\itsutilsbin>pmemdump.exe 0x95000000 0x80000
ERROR: ITReadProcessMemory - Invalid access to memory location.
95000000: * * * * *
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
Someone can help?
kholk said:
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Someone can help?
Click to expand...
Click to collapse
You're not the only one. Currently working it out with cmonex.
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
mr.vandalay said:
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
Click to expand...
Click to collapse
Welcome to the club of dutch rom refugees
cmonex helped me and i just finish to flash my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
cidriver said:
cmonex helped me and i just finish to flash my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
Click to expand...
Click to collapse
She.. She's female!
Hi everybody! I bought some weeks ago a Shift and my first priority is to change the language from Italian to English. But before going ahead in flashing a new rom I thought it is wise to make a back-up of the original rom.
So in my attempt to dump the original italian rom of my Shift I've come to an error status I don't know how to overcome, therefore any help would be very much appreciated:
Following pof's How to dump HTC Shift ROM at
http://forum.xda-developers.com/showthread.php?t=382609
I downloaded itsutils, unzipped on the pc and placed all the itsutils files in the c:\users\HTC User folder, (as I just did not know how to change the path in cmd to go to the c root with the itsutil folder).
Further on, with the WinMob connected to Vista with USB Tool, I introduced the first command line for pdocread
pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
and I got the answer
Copying c:\users\HTC User\itsutils.dll to WCE:\Windows\itsutils.dll (which I think it's OK) and then
rapi reinitializing (is it normal?)
and then
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005
– Access is denied
I have no idea on what the cause of the error could be, probably I must have done something wrong and I am stuck at this first dump step.
Can somebody please help me further to get unstuck?
Thank you very much!
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
thaihugo said:
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
Click to expand...
Click to collapse
THANK YOU THAIHUGO for taking the glove of answering me on this dead forum, I really need help! I find it fantastic that you are still so active, maybe in time some other senior members will take again the challenge to support the newcomers.
Yes, WM was connected to Vista side using the USB Tool and the Windows Mobile Device Center.
Looking back, I think I opened cmd as user and not as admin (now I know how to do it), this might have been the mistake, I will try again this afternoon.
1. So far I understood that the main reading process is running under Vista using the command lines and the itsutils, which is ok.
Does it matter where the unzipped folder <itsutilsbin-20100324> is placed? I mean should it be placed obligatory in the root of the c:\ drive?
If YES, how do I do that in the cmd line, I mean change the directory? Normally the cmd screen opens to the folder c:\users\HTC User when starting as user and to c:\Windows\system32 when doing it as administrator. Is it wise to copy all the itsutils files to system 32?
Of all those itsutils files, which are the absolutely necessary files to do the dump? Are these pdocread.exe and itsutils.dll only? This is because I'd like to handle as less files as possible to the system 32 folder.
2. If I got this right, the link that you pointed to shows for the Raphael ROM how to do the dump entirely on the WM side and should be applicable to the Shift WM as well if not managing it from Vista side, is that what you were trying to say?
3. Is this way of dumping the rom covering also the radio part and the bootloader, I mean all the 4 raw files contain the whole initial memory of the WM?
Sorry to raise such beginners question, but I did not find these things explained in any of the Shift threads and without answers I cannot progress with this dump job and furtehr proceed with flashing a custom rom in English. I did search in the Shift forums and googles for answers, but maybe I did not use the right keywords.
Looking forward to receive the enlighting answers, thanks in advance!
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
2) do not use raphael numbers. I linked to the post for the general procedure. Proper numbers are in the POF post.
3) you will not have the radio, nor the bootloader. But you have to jump if you want to use custom roms. Bootloader is available somwhere, and radio also I think.
Still getting errors
thaihugo said:
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
Click to expand...
Click to collapse
Thank you again Thaihugo!
I gave it another try to pof's commands as you recommended this time first with pdocread -l and it doens't work, BUT I'm getting the similar error messages. While accessing cmd as administrator and running the cmd line from c:\itsutils:
pdocread.exe -l
rapi reinitializing
and then after about 35 sec
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005 – Access is denied
At different runs I got different addresses for r and ce, but the same for le and hr (no idea what those mean).
It doesn't change if launching as administrator or user.
I even downloaded a previous version of itsutils directly on the Vista computer and unzipped it with Total Commander and the result is the same.
Have also tried another command from pof with the same error result:
pmemdump.exe 0x8c000000 262144 SPL.nb
Of course the WM side was connected to Vista via USB Tool and I also checked if from the Vista side the WM folders were accessible.
I'm completely stuck, don't know what to do further, please help!!!
Thank you!
P.S. Have copied the itsutils.dll to the Windows folder in WM via e-mail, just like in the liberalization process in order to avoid copying it via Active sync (as recommended for Raphael). This time at the first run of the pdocread.exe I was asked to accept installing itsutils.dll on the WM side, which I did.
But I'm still getting the error messages when launching pdocread.exe -l, this time running very fast in a few seconds and after 4 turns it stops with the final message
ERROR loading itsutil.dll - probably denied by policy restrictions
Does it ring any bell to you?
My guess is that I have to relax the security policy on the WM side, but I don't know how.
I am amaized that nobody raised all these before.
I've finally done it! HowTo......
OK, I finally managed to dump the ROM thanks to the support of Thaihugo and the info in various threads on this forum (with credit to the authors), I have now the ROM and bootloader dump files, but not the radio rom.
There were several detailed steps important for beginners that were not included in POF's thread "How to dump HTC Shift ROM" at http://forum.xda-developers.com/showthread.php?t=382609 that prevented me to do the dump from the first go.
In order to spare other newcomers time, here they are:
-On the WinMob side change the Security Policies setting by installing a registry editor like PHM Registry Editor, TotalCommander, etc. (I used the cab files downloaded in Vista and moved to WinMob via the Windows Mobile Device Center);
Go to HKLM\Security\Policies\Policies and change the valuename '00001001' from dword:2 to dword:1. Save the change and soft reset your WM device.
If in doubt check this: http://forum.xda-developers.com/showthread.php?t=427507
Note: After finishing the dump operation do not forget to revert back to the initial dword:2 value
-Download itsutils from POF's site to Vista and unzip the package to a new folder "c:\itsutils".
-To be on the safe side disconnect all network connections (3G modem, wifi, BT, LAN) and all USB external devices.
-Connect the WinMob side of the liberated Shift to Vista using the USB Tool and check in the Windows Mobile Device Center that the folders and files of WinMob are indeed accessible from Vista
-Open the command line screen and go to the folder where you unzipped the itsutils tool by typing "cd c:\itsutils" (without the quotes).
-From within the folder itutils type the command "pdocread -l" (without the quotes).
At this point, with pdocread.exe started, go to the WinMob side and
you will find a message asking you to accept installing the itsutils.dll on the WM side, say Yes to it and wait until it is instelled.
Then go back to Vista side and carry on as described in POF's thread mentioned above by:
- using "pdocread.exe -l" to list the NAND PARTITIONS (which have to do also with the radio side as I understood from one of cmonex posts)
- using "pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw" and the other 3 commnads to generate the 4 raw files in the same folder c:\itsutils; keep them for reconstructing the original ROM
- using "pmemdump.exe 0x8c000000 262144 SPL.nb" to dump the bootloader file to the same folder c:\itsutils; keep that too.
That's it for now.
I have to deal further with dumping the radio rom, but I don't know how to do it, I must search the forums.
A big THANK YOU to all who helped me!
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
thaihugo said:
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
Click to expand...
Click to collapse
Thank you again Thaihugo, it seems that you are the only senior left on duty on this dead forum....yet the counter shows 238 views of this thread. Hm, strange....Anyway, thank you for all the good hints given one way or another during the past days, I wouldn't have made it without it.
I got the message, I will not bother with dumping the Radio. I know that a particular Rom is matched with a certain radio. I will flash one of your roms, most probably Age of Reasons and the associated radio. I am not looking for tens of programs on the WM side, it is enough to have the basic things in English and instant-on. I will let you know!
hi.. after following the instructions on how to downgrade my phone, and obtain root, i have, and after i had my foryo rooted, i downloaded RUU_Vision_Gingerbread_S_HTC_WWE_2.42.405.2 because my original intent was to have a rooted gingerbread and it didn't make much sense to have roms provided by htc itself.
but now i see i don't have root, so oops, i guess i was wrong.
so do i have to go though the whole kaka procedure again, and then find a custom rom, because my end game, is to have as close as possible a rooted gingerbread as close as possible to the original HTC rom. where can i get one?
oh, and what's the difference between the asia and wwe? does any of them handle hebrew bidi writing correctly (without applying the patch?)
I think there is a way to root gingerbread, or you have to downgrade. At either rate, you want to get to a place where you can flash your own ROM. Having clockworkmod installed would be just fine.
Then you would take the stock gingerbread, extract and unzip it, add Superuser and su, make the boot insecure, repack it for flashing, flash via CWM, and presto- rooted stock gingerbread. If you want to build in hebrew bidi writing, you can add that too.
There might be a few rooted stock gingerbread roms out there, but it seems that the trend is toward cooked up versions, rather than stock.
AFAIK i don't there's a way to root gingerbreak, it's un-rootable, that's why i downgraded in the first place. i think i can do it again, question is:
where do i find the stock gingerbread rom? is it in the RUU exe? if so, how get it out from there, without installing it
second, how on earth would i do all the things you said (add su,make boot insecure,repack,flash cwm).
is there a guide out there for all there above?
I think there is a some software for windows that will allow you to extract the rom from the RUU. I don't use windows, so I don't know anything about it. I've seen some posts about it, so I can say it seems to involve using the RUU to almost install the ROM, but at the last minute, just stop and the ROM will be extracted into one of the temp directories. You just use the RUU to extract the rom, not install it.
As far as all those other steps, I think all the information is scattered about xda.
Here's some information about the insecure boot image. It's for the transformer, but it's essentially the same thing, except for the blob parts. You'll have to use something like splitbootimg or bootunpack, and mkbootimg (search for them) instead of blobunpack.
http://forum.xda-developers.com/showthread.php?t=1193737
This might be more helpful:
http://forum.xda-developers.com/showthread.php?t=1100189
As for the other parts, you can use some of the other updates and zip files as a guide to figure out how to unpack, mod them, and repack them. I think there might be a rom kitchen script that will do this too, but I can't speak to that either.
Sorry if this sounds so complex- it's not that bad once you've done it once. I have a rooted stock GB that I made this way from the GB update, but it's the US version. Let me know when you have the WWE version extracted.
ok, let's take it one step at a time, (maybe we'll make a guide out of it
i activated the but i never continued instead i used process explorer to find out which files it's holds, so i got the temp directory and extracted rom.zip a 260 mg file (containing various img files)
now what?
btw is this relavent? http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
yea, i've seen it is, but one issue is that where do i get the cpio and makebootfs, (if i need to compile stuff, this is where i stop, i allready downloaded the perl scripts, as well as GZIP
ok, so far so good.
That link is exactly what you need. You can use that info to unpack the boot.img and make it insecure "ro.secure=0" by editing the default.prop file in the ramdisk.
I think some of the links to the tools might not work, but these will work instead - https://github.com/AndroidRoot/BootTools
Use the guides to mod and then repack the ramdisk
put the kernel and the modded ramdisk back together with makebootimg. There might be some specific command lines and kernel addresses- the hdrboot tool will show you want they should be from the original boot.img
Also, could you upload the zip file or PM me a link? This would be a perfect project for a guide.
ok wait, which tools am i missing? i have a windows machine (ultimate 7 64 bit) and the boottools needs to be compiled, (i don't have developer studio installed just eclipse)
so far i have the following tools:
repack-bootimg.pl
unpack-bootimg.pl
split-bootimg.pl
cpio for windows
gzip
what zip file?
(i'm going to sleep now as i'm in israel,i will "boot" in 6 hrs, luckily i have a vacation tommorow, so i hope we'll have time to finish this.
I think you might need gunzip to extract the ramdisk. unzip might work, but I'm not sure with Windows.
The zip is the rom.zip which has the rom.
I seem to recall there being at least 2 rooted stock ROMs in the dev forum. I think the one I've used was posted by either suilmagic (may be siulmagic), or rmk40. Xboarder56 posted one some time ago, but he started stripping things out that I used, like QuickOffice. If nothing else, this finally drove me to use Titanium backup...
Sent from my HTC Vision using Tapatalk
Yeah, I guess a search would take some of the fun out of it....
http://forum.xda-developers.com/showthread.php?t=1169004
actually i DID google "rooted stock rom desire z"
but i could find anything for sure, that's why i posted this, is this rom appear in the developer list of roms linked in the downgrade wiki? because i couldn't find it there either, would be nice if it was added.
No worries- I didn't actually search for it- I just paged through some of the dev sections.
I think you'll have flash it using CWM recovery.
great, i'm assuming CWM is Clockwork something?
Yup- look for the 3.x version. There was a 5.x, but i think it has some issues.
ok, so now, i must re-downgrade, root,
http://forum.xda-developers.com/wiki/ClockworkMod_Recovery
get rom manager, and ah... wait, what's the update.zip? is that actual image i need to place on the sdcard?
That wiki seems kinda old- I don't think the stock recovery will flash the update.zip
This is more up to date and specific for the G2/DZ:
http://forum.xda-developers.com/wiki/HTC_Vision#Rooting_the_Vision_.28G2.2FDZ.29_and_DHD
yea i've read that one (that's how i rooted in the first place.
isn't there a way to short ciruit this somehow and instead of pc10img have the update itself installed ? or is it because it's a an OTA, i have to do the whole thing?
looking at the image, i think i'm missing someting it looks like i can somehow use the scripts inside the image when i get temp_root (meaning i won't have to update the original image. am i wrong?
ok i've gone through the motions over and over, finally rooted it, have rom manager, clicked flash recovery, copied the zip file for rom i wanted to the root of sdcard, selected it rom manager, rebooted, now i selected apply update from sdcard,
now i see the hat signal and nothing happens, (i also selected backup rom and wipe cache and data)
i also noticed that i have install zip from sdcard, but i didnt' select it, how long should it take?
ok i FINALLY managed to install (it actually i pressed power button again and immdietly returned the cwm main menu, from then on, i chose reboot, i think it's moved on.
problem is, some things looked odd, for example the phone bar on the buttom, looks distorted, when i click on the application list i can only see half the list (meaning half the screen shows the list although i can scroll up and down the buttom half remains blank..
never mind it's ok now after re-boot..
btw i tried creating a batch file like so:
adb shell cat /dev/msm_rotator
rem expected output
rem /dev/msm_rotator: invalid length
pause
rem temp_root
rem adb push fre3vo /data/local/tmp
rem adb shell chmod 777 /data/local/tmp/fre3vo
rem adb shell /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
echo wait for device to reconnect
pause
adb push misc_version /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/misc_version -s 1.00.000.0
adb shell sync
adb shell dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10
rem expected output is:
rem 1.00.000.010+0 records in
rem 10+0 records out
rem 10 bytes transferred in 0.001 secs (10000 bytes/sec)
pause
rem downgrade
rem wget http://www59.multiupload.com:81/fil...118187CA1236F3BA6767A7/1.34.405.5_PC10IMG.zip
adb push 1.34.405.5_PC10IMG.zip /sdcard/PC10IMG.zip
adb reboot bootloader
but it didn't workout so much, don't know why it said something about it couldn't write recovery img file
Umm if you already rooted via the xda wiki then you should've had a bootloader that was engineering s-off right? Just saying because you could've flashed a custom rooted rom through bootloader and not had to re-root, that is unless the ruu applied an updated bootloader with s-on. Maybe boot into bootloader and see if the top line says PVT ENG S-OFF, worth a look anyway, could save you some headache
Sent from my Bulletproof G2
actually i'm haveing another headache a couple actually, for some reason, during the restore, it failed to download google maps among the gailion apps i downloaded, now i can't download no matter, i tried installing it manually, and it worked, but i can't see in the market.
the market on the web site says the application is not compatible.
also when i tried using anysoft keyboard and use the hebrew fonts, even though it installed i still couldn't get the keyboard.
right not i have no idea what's the state of my phone.
ATTENTION! this thread is OUTDATED
unrevoked has always been a finicky program,3.22 working fine for some,not so much for others.recent updates seemd to have made it even worse, i see alot of issue and fustration with it lately. as such, i do not recomend this method any longer.
IMO,at this time htcdev is the best way to root,downgrade,and achieve s-off. while it technically does void your warranty,and wipe your data,it has thus far at least proven to be reliable. i doubt may original droid incredibles have factory warranty left anyway it does not use unrevoked,or any otehr root tools or programs,just htcs own unlock(you can giggle loudly,or silently,as you use their unlock to achieve s-off
the original home of the hctdev method is here, on android forums.
it is also here: http://forum.xda-developers.com/showthread.php?t=1600904 but not as well supported since im not here as much.
_______________________________________________________________________________________________________________________
*outdated guide:
i wasnt sure if this should be here,or in development,so feel free to move it if you feel its in the weong spot. i cant take credit for any of this,i just took it all from different places and put it all here. unfortunately,i cant gaurantee that this will work for everyone. but several have succesfully downgraded and regained s-off.
its intended for someone who has no adb experinece,and is overwhelmed at the thot of downloading and installing the SDK. if your proficient at adb,your welcome to pull flash_image and mtd0 out,and place them in tools,platform tools,or wherever you usually push files from,rather than changing to the mini-adb_inc directory.
thots and feed back are welcome. ive had this guide up here on AF for a few days. ill try and provide support here as well,but please underdstand computer time is limited these days and i dont make it here as often. in otherwords,please help each other out
_______________________________________________________________________________________
PLEASE NOTE: this thread is for the original droid incredible. NOT the incredible 2(vivow) or incredible S(vivo)
for info on downgrading the inc 2 to .97 hboot so you can root with revolutionary,see this thread here in the inc 2 all things root subforum
if you DO have an original droid incredible,aka Inc 1,then procede
_________________________________________________________________
**********************************************************
_________________________________________________________________
READ THIS: i dont mean to sound like i dont want to be bothered with questions. however,folks are having basically the same issues thru-out the 600+ posts,so i can almost gauarntee if you have a prollem,it has been covered. please try and search for some answers before jumping to the end and posting. answering the same things over and over is just making the thread even longer and harder to search.
if you do have trouble and need to post questions about ADB commands,please provide a copy of your entire session in the command window along with the question. its usually pretty easy to see what went wrong when we can see the whole thing.
copy everything in the command window,and paste it into a code box by:
-right click in the command window,click mark.
-highlight everything in white. hit enter.
-then,in your "reply to thread" box here,click the "#" up top
-right click and "paste" everything between the
Code:
tags.
_________________________________________________________________
i cant take credit for any of this,i just took it all from different places and put it all here. unfortunately,i cant gaurantee that this will work for everyone. but several now have rooted 2.3.4,and 1 has succesfully downgraded and gained s-off.
its intended for someone who has no adb experinece,and is overwhelmed at the thot of downloading and installing the SDK. if your proficient at adb,your welcome to pull flash_image and mtd0 out,and place them in tools,platform tools,or wherever you usually push files from,rather than changing to the mini-adb_inc directory.
thots and feed back are welcome. there will prolly be several edits of this as i try to clarify it,and make it a lil better. but for now im tired and 5am comes early ;)
[B]first and foremost,giving proper credit to all that deserve it:[/B]
*alpharev and unrevoked for all they for the root community :cool:
-efizzle for getting the ball rolling in [URL="http://forum.xda-developers.com/showthread.php?t=1286223"]this thread[/URL] on xda by figuring out that an older version of unrevoked would get superuser access on 2.3.4
-iowabowtech for point me in the direction of [URL="http://forum.xda-developers.com/showthread.php?t=768295&highlight=ota"]this thread[/URL] that i collected the misc image,and parts of the guide. also for his support answering questions.
-sele and the crew in the "rescue squad" on [URL="http://api.viglink.com/api/click?format=go&drKey=1153&loc=http%3A%2F%2Fandroidforums.com%2Fthunderbolt-all-things-root%2F418539-thunderbolt-root-unroot-thread.html&v=1&libid=1318297929451&out=http%3A%2F%2Fwww.thunderboltforums.com%2F&ref=http%3A%2F%2Fandroidforums.com%2Fthunderbolt-all-things-root%2F&title=Thunderbolt%20Root%2FUnroot%20Thread%20-%20Android%20Forums&txt=HTC%20Thunderbolt%20Forum&jsonp=vglnk_jsonp_13182980284911"]the thunderbolt forum[/URL] for what i like to call the "mini-adb" concept.
-rooter28 for testing and keeping me updated as he made progress. hopefully he will stop in and help answer questions :)
-mkreiger for fearlessly jumping in to be the second official tester
-lovejess for finding a mac download for unrevoked 3.22
-gkinsella2 for contributing the mac specific instructions
-whomever origianlly came up with the images and guide linked above. if i can figure out who this was,ill add you in later.
*special thanks to sdrawcab for his invaluable support in helping answer questions and prollems
-prolly more,im sure there will be several edits of this.
1)[B][I]download these files[/I][/B],and save them somewhere you can easily find them:
[U]unrevoked 3.22[/U] [url=http://www.multiupload.com/WMGYYGL97Z]unrevoked 3.22[/url]
[U]mirror:[/U] [URL="https://www.box.net/shared/8e3nb5l5lnjjuh6vbqt7"]unrevoked 3.22 mirror[/URL]
md5: [COLOR="red"]5760fbe8ed6d44752e78433252f2d5b2[/COLOR]
[U]unrevokeds modified usb drivers[/U] [url=http://unrevoked.com/rootwiki/doku.php/public/windows_hboot_driver_install]public:windows_hboot_driver_install [RootWiki][/url]
[U]mini-adb_inc[/U](contains misc image,flash image,and some basic adb tools)[url=http://www.multiupload.com/0G635MCZS2]Multiupload.com - upload your files to multiple file hosting sites![/url]
md5: [COLOR="red"]a793cc0142e1cd18f60849894bbc47cd[/COLOR]
[U]mirror:[/U][url]http://www.mediafire.com/?o6c4kq4wyccuom5[/url]
mirror md5: [COLOR="Red"]7c5211686a20b558ccd660c782f82e2b[/COLOR]
[I]*clockwork and zergrush included in mirror[/I]
[U]PB31IMG for 2.2[/U] (2.2 downgrade) [url=http://www.mediafire.com/?uvha2u2pv3xp8d5]PB31IMG.zip[/url]
[U]mirror:[/U] [url]http://pvillecomp.com/?page_id=22[/url]
md5: [COLOR="red"]31bb1611a0fa8197d447c0438426717e[/COLOR]
[U]clockwork 5.0.2.0[/U] [url=http://www.multiupload.com/FGEU9VPGKF]Multiupload.com - upload your files to multiple file hosting sites![/url]
[U]mirror:[/U][url]http://pvillecomp.com/?page_id=28[/url]
md5: [COLOR="Red"]e8ac35ddc1c37000bb0852d1f380b5bb[/COLOR]
**make sure to check the md5 sums match those listed!**
if you dont have an md5 sum verifier on your PC,there are many out there for free. heres an example: [url=http://www.md5summer.org/]Home of the MD5summer[/url]
2)[B][I]root with unrevoked 3.22[/I][/B]
-go to settings/applications and [U]uncheck[/U] "fastboot". having this checked will prevent you from getting to hboot via power/vol down.
-open the recovery-clockwork-5.0.2.0-inc_PB31IMG download. extract it first if you need to. inside there is an image called "recovery-clockwork-5.0.2.0-inc". right click on this image,then click "copy". navigate to a directory you can easily find it,then right click in that directory,then "paste". alternatively,you can drag it from the extracted folder to a convienient spot(i personally like to drag files around,but its fine either way).
-use your md5 summer to verify the md5 of just the image,not the whole .zip. it should be: [COLOR="Red"]ea382ca5809cb872d0582aa22741d592[/COLOR]
-install the drivers as described on unrevokeds page above.
-unplug your phone.
-extract the contents of the unrevoked 3.22 .zip. open the folder, right click on "reflash" and run as administrator if possible.
-click on "file" in the corner of the relfash window
-click custom recovery
-navigate to,and select your "recovery-clockwork-5.0.2.0-inc" image and select it. at the bottom of your reflash app window, it should now say "recovery:custom" and "waiting for device"
-make sure usb debugging is checked ON in settings/applications/development.
-plug in your phone and place it in charge only mode. assuming you installed the drivers correctly,unrevoked 3.22 will start. let it do its thing. it will reboot a couple of times. when its finished,it may leave you on a blank screen. if this is the case,pull the battery and reboot.
-you [I]should[/I] now have the superuser app in your app drawer. if so,go to settings/applications/manage apps/superuser and clear data. test that superuser is working and granting permissions by downloading rom manager,and using it to flash the newest clockwork recovery. alternatively,download and run a "root checker" or any of your favorite "root only" apps and make sure they work.
-once you get "successfully flashed clockwork recovery" boot to it and make a backup,since downgrading to get s-off [U]WILL[/U] wipe all your data. boot back into the operating system.
*[I]special note to slcd users[/I]: this version of unrevoked is installig an old, non-compatible version of clockwork,so you will just see a black screen if you do not install newer clockwork as described above.
-if you plan to install a custom rom after downgrading,now is a good time to download titaium backup,and its pro key(WELL worth the $$) and do a batch backup of all your user apps and app data(no system data)
*at this point,you could just enjoy root access without doing anything else. if all you care about is using a couple of root only apps,and deleting some bloatware,you can remain rooted and s-on if youd like. id personally reccomend to downgrade and become s-off in case future OTAs knock out your root access.
3)[B][I]prepare to downgrad[/I]e[/B]
-extract the mini-adb_inc .zip. place the extracted folder on the root of your c drive. it comtains mtd0,flash_image,and some adb tools.
-place the 2.2 downgrade on the root of your sd card,and verify it is named "PB31IMG". now is a good time to verify that your SD card is formatted "FAT32" by right clicking on the drive that is your phones sd card,then click "properties". if you find your card is formated anything else,youll have to re-format it. start by backing up all files to your PC as reformatting [U]WILL[/U] wipe it clean. using your PC,do a full format to FAT32. you can then transfer the files back. *this is important-as your phone will not find the downgrade PB31IMG unless your card is formatted to FAT 32,and the file is correctly named.
[U]special notes on hboot flashing PB31IMG files[/U] a common issue folks are having is the PB31IMG is not being found by hboot.
*there are only 2 reasons a PB31IMG is not found on the root of the sd card:
a)not named correctly. the phone muse see exactly "PB31IMG.zip". due to the way windows automatically adds and hides file extensions,it is usually correct to name the file "PB31IMG" with windows. common errors are for the file to be named "PB31IMG.zip.zip" after manually tying in the ".zip". on rarer occasions,it may not be adding/hiding the file extension,resulting in the file actually beening seen by the phone as "PB31IMG" :eek: [I]check your file with a file manager on your phone[/I] and see how its seeing it.
b)sd card not formatted FAT32. if it is plain FAT or anything else,PB31IMG is invisible. on rare occasion,i have seen claims that a bad sd card,or card that needs reformatted(even tho it may be FAT32) will have the same affect.
*this has been addressed [U]several[/U] times in the thread,skim thru it for more information.
4)[B][I]downgrade with adb[/I][/B]. make sure your phone is charged to 100% before starting.
-on windows 7,click the start bubble and type "command" in the search box. this should open a small black command window. from this point forward,all code will be in [B]bold[/B] so you know what lines to copy and paste(or type,if you really want to type them all in). additional comments will be blue,and should not be copy/pasted. please note that each line is one command. copy/paste it into the prompt in your command window,and push enter. one line at a time.
at the end of the post,is a copy of my session,to show what the outputs of the entered lines should look like. hopefully,its a little less scary when you know that youre getting the right responses to the things you enter.
-make sure phone is plugged in and usb debugging checked on,in charge only mode
-at the promt in your command window:
[B]cd c:mini-adb_inc [/B] [COLOR="Blue"]this should change your command promt to "mini-adb_inc",indicating youre using that directory.[/COLOR]
[B]adb devices[/B] [COLOR="blue"]this should output your phones serial number,indicating its recognized[/COLOR]
[B]md5sums mtd0.img [/B] [COLOR="blue"]it should output a few things.at the end you should see this number 34307be744275f1db1dd16af04c37839
[/COLOR]
[B]md5sums flash_image[/B] [COLOR="blue"]again,it will output some things,then you should see this number: 0098a7dd6600b55fac34fc6645be5d7a[/COLOR]
[COLOR="Red"]*both those numbers must match exactly. if they do then you can procede.
[/COLOR]
[B]adb push flash_image /data/local/[/B]
[B]adb push mtd0.img /sdcard/[/B]
[B]adb shell[/B] [COLOR="Blue"]your prompt should change to a #. if it changes to a $,then type[/COLOR] [B]su[/B] [COLOR="blue"]note your phone may pop up a message asking you to allow permissions the first time you do this. if it does check "always" and touch "allow" on the superuser request on the phone screen.[/COLOR]
[B]cd /data/local[/B]
[B]chmod 0755 /data/local/flash_image[/B]
[B]cd /data/local[/B]
[B]./flash_image misc /sdcard/mtd0.img[/B]
[COLOR="blue"]you can now downgrade back to 2.2,so you can run "unrevoked forever" to regain s-off[/COLOR]
[B]exit[/B] [COLOR="Blue"]to get out of your adb shell,and back to the "mini-adb_inc" prompt[/COLOR]
[B]adb reboot bootloader[/B] [COLOR="blue"]this will boot your phone to "fastboot" select "bootloader" with the power button.[/COLOR]
hopefully what you will see now,is a blue status bar as your phone finds the PB31IMG,unpacks it,checks it,then asks if youd like to update. select yes to update with the volume up rocker. if youve never installed a full ruu in hboot,it will take a few minutes,so dont panic. place the phone gently down somewhere where it wont fall and spit out the battery. let it do its thing. push power to reboot when prompted.
let the phone fully boot,then place in disk drive mode and immediately delete PB31IMG from your sd card,as it will interefere with running unrevoked forever.
*[I][U]special note:[/U][/I] if your phone does not fully boot after running PB31IMG,dont panic. its happened to quite a few users,for some reason. simply pull your battery,boot to hboot via power/volume down and run PB31IMG again.
download unrevoked forever from here: [url=http://www.unrevoked.com/recovery/]unrevoked3 recovery reflash tool, v3.32[/url]
run it as you did the previous version. before plugging in your phone,make sure "disable phone security is checked" in the file menu. this time,it will root you,and turn the secure flag off on your radio. this is good,as it will allow you to always flash things that werent signed and approved by htc. you can flash new radios and recoveries,and flash any ruu you wish. the secure flag is in the radio,so running ruus or even accepting OTAs will not over-ride it. you will always stay s-off.
[I][U]*unrevoked 3.32 note:[/U][/I] if you check the "disable phone security" box as described above,and unrevoked still fails to turn s-off,you are not lost.[U]simply flash the s-off tool in recovery[/U]. you can find it here: [url=http://unrevoked.com/rootwiki/doku.php/public/forever]public:forever [RootWiki][/url]
if you wish to return to where you were,sign into google,download rom manger,flash the latest clockwork recovery. boot to recovery,then restore the back you made before we started.
optionally,you can now install the custom rom of your choice,along with a new recovery and radio if you desire. :)
and heres what you will see when entering the commands(the red are my copy/paste's):
[CODE]Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:UsersScott>[COLOR="Red"]cd c:mini-adb_inc[/COLOR]
c:mini-adb_inc>[COLOR="red"]adb devices[/COLOR]
List of devices attached
HT07DHJ02777 device
c:mini-adb_inc>[COLOR="red"]md5sums mtd0.img[/COLOR]
MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2005 Jem Berkes - http://www.pc-tools.net/
Type md5sums -h for help
[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[c:mini-adb_inc]
mtd0.img 34307be744275f1db1dd16af04c37839
c:mini-adb_inc>[COLOR="red"]md5sums flash_image[/COLOR]
MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2005 Jem Berkes - http://www.pc-tools.net/
Type md5sums -h for help
[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[c:mini-adb_inc]
flash_image 0098a7dd6600b55fac34fc6645be5d7a
c:mini-adb_inc>[COLOR="red"]adb push flash_image /data/local/[/COLOR]
1547 KB/s (76044 bytes in 0.048s)
c:mini-adb_inc>[COLOR="red"]adb push mtd0.img /sdcard/[/COLOR]
1662 KB/s (655360 bytes in 0.385s)
c:mini-adb_inc>[COLOR="red"]adb shell[/COLOR]
$ [COLOR="red"]su[/COLOR]
su
# [COLOR="red"]cd /data/local[/COLOR]
cd /data/local
# [COLOR="red"]chmod 0755 /data/local/flash_image[/COLOR]
chmod 0755 /data/local/flash_image
# [COLOR="red"]cd /data/local[/COLOR]
cd /data/local
# [COLOR="red"]./flash_image misc /sdcard/mtd0.img[/COLOR]
./flash_image misc /sdcard/mtd0.img
# [COLOR="red"]exit[/COLOR]
exit
$ [COLOR="red"]exit[/COLOR]
exit
c:mini-adb_inc>[COLOR="red"]adb reboot bootloader[/COLOR]
c:mini-adb_inc>
other info:
-unrevoked 3.22 for mac can be found here: http://downloads.unrevoked.com/recovery/3.22/Reflash.dmg at this point youre on your own converting the adb commands. if someone wants to translate,or make a mac adb guide,ill gladly add it in
-until we put together a mac specific guide,directions for modifying the rest of it to work on a mac are found in post #629,here: http://androidforums.com/incredible...-3-4-root-downgrade-s-off-13.html#post3623666 courtesy of gkinsella2. mac users(and everyone else ) make sure to click the thanks button on his post!
______________________________________________________________________________________
*last and not least,this is a direct copy/paste of the AF thread,so any references to pages numbers are references to THAT thread on AF
the zergRoot method
this is for folks who for whatever reason,unrevoked 3.22 does not work to get them root access.
this could also be used if youve got a replacement device thats not setup,and you could care less about installing a recovery. this still requires unrevokeds drivers to be set up,so you can root with unrevoked 3.32 after downgrading,but otherwise,it prolly is a lil quicker since you dont need to download and run unrevoked 3.22.
alternately,use this if you just like ADB if your proficient in adb,feel free to remove the images from mini-adb_inc,and place them and the zergRush tool into whatever folder you typically push files from.
like above,this is intended for someone whose never installed ADB or entered command lines before.
1)download these files,and save them somewhere you can easily find them:
unrevokeds modified usb drivers public:windows_hboot_driver_install [RootWiki]
mini-adb_inc(contains misc image,flash image,and some basic adb tools)Multiupload.com - upload your files to multiple file hosting sites!
md5: a793cc0142e1cd18f60849894bbc47cd
PB31IMG for 2.2 PB31IMG.zip
md5: 31bb1611a0fa8197d447c0438426717e
zergRush tool from xda: Revolutionary - zergRush local root 2.2/2.3 - xda-developers
md5: 12c52b97e75e73595b325c03610b3380
**make sure to check the md5 sums match those listed!**
if you dont have an md5 sum verifier on your PC,there are many out there for free. heres an example: Home of the MD5summer
3)prepare to downgrade
-extract the mini-adb_inc .zip. place the extracted folder on the root of your c\ drive. it comtains mtd0,flash_image,and some adb tools.
-extract zergRush.zip. take the image inside,and either copy/paste or drag it into your mini-adb_inc folder
-place the PB31IMG of 2.2 on the root of your sd card. rename PB31IMG. now is a good time to verify that your SD card is formatted "FAT32" by right clicking on the drive that is your phones sd card,then click "properties". if you find your card is formated anything else,youll have to re-format it. start by backing up all files to your PC as reformatting WILL wipe it clean. using your PC,do a full format to FAT32. you can then transfer the files back. *this is important-as your phone will not find the downgrade PB31IMG unless your card is formatted to FAT 32,and the file is correctly named.
4)downgrade with adb. make sure your phone is charged to 100% before starting.
-on windows 7,click the start bubble and type "command" in the search box. this should open a small black command window. from this point forward,all code will be in bold so you know what lines to copy and paste(or type,if you really want to type them all in). additional comments will be blue,and should not be copy/pasted. please note that each line is one command. copy/paste it into the prompt in your command window,and push enter. one line at a time.
at the end of the post,is a copy of my session,to show what the outputs of the entered lines should look like. hopefully,its a little less scary when you know that youre getting the right responses to the things you enter.
-make sure phone is plugged in and usb debugging checked on in charge only mode
-at the promt in your command window:
cd c:\mini-adb_inc this should change your command promt to "mini-adb_inc",indicating youre using that directory.
adb devices this should output your phones serial number,indicating its recognized
md5sums mtd0.img it should output a few things.at the end you should see this number 34307be744275f1db1dd16af04c37839
md5sums flash_image again,it will output some things,then you should see this number: 0098a7dd6600b55fac34fc6645be5d7a
md5sums zergRush again,output stuff, then this number: 3cf8a3fbceb667121d91f4ef1a66684c
*all those numbers must match exactly. if they do then you can procede.
adb push zergRush /data/local/
adb shell this will change your promt to a $
chmod 755 /data/local/zergRush
/data/local/zergRush
this will cause zergRush to start,and it shoudl say "found a gingerbread!" followed by a bunch of other funny stuff.
last thing it says will be: Killing ADB and restarting as root... enjoy!
you should then be returned to your "mini-adb_inc>" prompt
adb push flash_image /data/local/
adb push mtd0.img /sdcard/
adb shell your prompt should change to a #
cd /data/local
chmod 0755 /data/local/flash_image
cd /data/local
./flash_image misc /sdcard/mtd0.img
you can now downgrade back to 2.2,so you can run "unrevoked forever" to regain s-off
exit to get out of your adb shell,and back to the "mini-adb_inc" prompt
adb reboot bootloader this will boot your phone to "fastboot" select "bootloader" with the power button.
hopefully what you will see now,is a blue status bar as your phone finds the PB31IMG,unpacks it,checks it,then asks if youd like to update. select yes to update with the volume up rocker. if youve never installed a full ruu in hboot,it will take a few minutes,so dont panic. place the phone gently down somewhere where it wont fall and spit out the battery. let it do its thing. push power to reboot when prompted.
let the phone fully boot,then place in disk drive mode and immediately delete PB31IMG from your sd card,as it will interefere with running unrevoked forever.
download unrevoked forever from here: unrevoked3 recovery reflash tool, v3.32
run unrevoked(extract the contents,right click on "reflash",run as adminstrator if possible). this time,it will root you,and turn the secure flag off on your radio. this is good,as it will allow you to always flash things that werent signed and approved by htc. you can flash new radios and recoveries,and flash any ruu you wish. the secure flag is in the radio,so running ruus or even accepting OTAs will not over-ride it. you will always stay s-off.
and heres what you should see when entering the commands(my copy/pastes are in red):
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Scott>[COLOR="Red"]cd c:\mini-adb_inc[/COLOR]
c:\mini-adb_inc>[COLOR="red"]adb devices[/COLOR]
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
HT117HJ00242 device
c:\mini-adb_inc>[COLOR="red"]md5sums mtd0.img[/COLOR]
MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2005 Jem Berkes - http://www.pc-tools.net/
Type md5sums -h for help
[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[c:\mini-adb_inc\]
mtd0.img 34307be744275f1db1dd16af04c37839
c:\mini-adb_inc>[COLOR="red"]md5sums flash_image[/COLOR]
MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2005 Jem Berkes - http://www.pc-tools.net/
Type md5sums -h for help
[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[c:\mini-adb_inc\]
flash_image 0098a7dd6600b55fac34fc6645be5d7a
c:\mini-adb_inc>[COLOR="red"]md5sums zergRush[/COLOR]
MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2005 Jem Berkes - http://www.pc-tools.net/
Type md5sums -h for help
[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[c:\mini-adb_inc\]
zergRush 3cf8a3fbceb667121d91f4ef1a66684c
c:\mini-adb_inc>[COLOR="red"]adb push zergRush /data/local/[/COLOR]
1150 KB/s (21215 bytes in 0.018s)
c:\mini-adb_inc>[COLOR="red"]adb shell[/COLOR]
$ [COLOR="red"]chmod 755 /data/local/zergRush[/COLOR]
chmod 755 /data/local/zergRush
$ [COLOR="red"]/data/local/zergRush[/COLOR]
/data/local/zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015108
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219e4 0x006c
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd158bf 0xafd1ace3
[*] Sending 149 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
c:\mini-adb_inc>[COLOR="red"]adb push flash_image /data/local/[/COLOR]
1547 KB/s (76044 bytes in 0.048s)
c:\mini-adb_inc>[COLOR="red"]adb push mtd0.img /sdcard/[/COLOR]
1017 KB/s (655360 bytes in 0.629s)
c:\mini-adb_inc>[COLOR="red"]adb shell[/COLOR]
# [COLOR="red"]cd /data/local[/COLOR]
cd /data/local
# [COLOR="red"]chmod 0755 /data/local/flash_image[/COLOR]
chmod 0755 /data/local/flash_image
# [COLOR="red"]cd /data/local[/COLOR]
cd /data/local
# [COLOR="red"]./flash_image misc /sdcard/mtd0.img[/COLOR]
./flash_image misc /sdcard/mtd0.img
#[COLOR="red"] exit[/COLOR]
exit
c:\mini-adb_inc>[COLOR="red"]adb reboot bootloader[/COLOR]
c:\mini-adb_inc>
edit:apparently the zergRush tool has changed. ive included the new md5s,so hopefully there wont be any more confusion like the old md5s caused earlier. be aware of this,however, in case they do change again. you are right to be cautious if it doesnt match,so ill do my best to keep up with it.
This does work, but god I wish it was all ADB it was all so easy before unrevoked it didn't work the first time it gave me SU and root but no s-off then unrevoked would not run again due to new firmware. I did full downgrade to 2.2 and followed all directions ADB is so simple but unrevoked took 2 hours of just missing around to get s-off which included flashing 2.2 in hboot again starting over, running what I could run again in ADB without the gingerbreak since I was now on froyo, it was mostly just repushing the files and binary. But after all that unrevoked ran and gained root and s-off. Worst root I have ever done but people its all about making smart decisions before you do it if you make a mistake and get stuck, get help or trouble shoot but use you head before you battery pull and make sure you read before you hit anything.
If I helped you in any way please use the thank you button
sorry you had such issue with unrevoked. usually thats the easy part most folks are confused by adb and running commnads and wish it was all automated!
just a couple things that may help folks in the future:
-if you dont want to fool with unrevoked 3.22 in 3.2.4 use the "zergRoot"method in post 2. its all adb up to the downgrade. once you get to this point,you could easily roll yourself all the way back to the shipping firmware(assuming amoled screen) if you wanted,and then use an adb method(if one exists,im not that flamiliar with the inc). you dont have to go back to 2.2. i just picked that cause most folks are familiar with it,and with using unrevoked 3.32 to root/s-off it
-there have been a few complaints of unrevoked not giving s-off on 2.2. before you start,make sure "disable phone security" is checked in the file menu. if s-off still fails,but gives you root and a recovery,its worked for everyone thus far to just run the "forever" .zip in recovery,no real need to reflash the 2.2 ruu and run unrevoked multiple times.
-last and not least unrevoked is not ever going to give s-off in the 2.3.4(unless they release a new version for 2.3.4),as is uses an unsupported baseband,thats why the 2.2 downgrade is needed. folks that have no intention of backing up or returning to 2.3.4 and are fairly savy like the poster above,id strongy encourage to just use directions in post 2,its a lil quicker to not have to mess with unrevoked 3.22. its mainly included for the folks that want to make a nandroid or run tibu prior to the downgrade(plus zergRoot hadnt come out yet,when i originally put this together )
once your back on 2.2 you could even just use z4root to get get root access,install rom manager and clockwork,then flash the forever patch. once you can downgrade,there are alot of ways to skin the cat
Worked after a few tries!
Thanks Scotty for this writeup. I thought for a minute that things wouldn't work, but a third try proved fruitful.
Here's a few tips that I can add to things.
Things failed for me at the restore 2.2 part - HBOOT would not recognize the zip file as correct.
I am on a Win XP machine... Format the sd card to fat 32 using something other than Windows - I used a little program called "fat32format.exe". Windows seems to have a problem formatting sd cards correctly, so that could have been it.
Once I made sure the sd card was formatted, I put the 2.2 zip (PB31IMG) back on the sd card and started over using the zergRush method.
If you have tried this before, you will have to remove two directories from the /data/local/tmp directory. These are sh and boomsh. Thanks to ieftm in this forum for this tidbit of info.
If your zergRush is giving you problems stating:
[-] Cannot copy boomsh.: Permission denied
Then use this method to fix as I stated in paragraph above: remove sh and boomsh
Once these directories were removed and the zergRush was completed, the downgrade commenced just as described.
Side note - Unrevoked 3.32 installed Unrevoked forever automatically onto my DInc, so there was no reason to do the additional forever installation. You may have the same results.
For anyone else that can't seem to get things working, the search is your friend. It took me a while of hacking away at things, but eventually they all turned up roses...
Good Luck!
problems install roms
I have a problen,I can't install a Rom error e: can't open/sdcard/primexl3d.zip, why?
saosinalm:
First off, that's the wrong name for the downgrade zip according to the instructions that scotty posted above. Make sure the file is titled correctly and follow his instructions from beginning to end. I believe when mine succeeded my file title was "PB31IMG.zip" but in his instructions he leaves off the ".zip" at the end.
If there is an error in the process, you will have to start over from about step 3. You can't just start back from where you left off if you reboot the phone. Make sure you check your MD5's once you download, then you won't have to go back over that step.
I found the zergRush method easier, but I am more comfortable with adb...
I would suggest re-reading the instructions and following closely - he walks you through things really well.
I have one question....
Why root a phone? I had my phone rooted and honestly it was a complete waste of time. NONE of the Roms I downloaded ever worked properly, the apps never worked, and it was nothing but trouble for me. My phone always "force close" my apps too. No offense to the developers I just didn't see a benefit.
Am I wrong?
epescina:
That's really best answered differently depending on the type of person you are. If you like to play around and experiment with things or like learning how things work, maybe this works for you. Some people do it to get a custom look that no one else has, some do it to try and get better performance out of their phone that may have been bloated with apps out of the factory, and others are learning about developing apps and programming with it. Every person is different. Maybe it's just not for you, but others on this board can't live without it. To each his (her) own...
saosinalm said:
I have a problen,I can't install a Rom error e: can't open/sdcard/primexl3d.zip, why?
Click to expand...
Click to collapse
what are you trying to do exactly? no part of this guide requires you to flash a rom. so if youre tryingto root,be more specific what youre having trouble with, and if this is just a general question about flashing roms,you might do some research and/or post a new thread where more people will see it
epescina said:
I have one question....
Why root a phone? I had my phone rooted and honestly it was a complete waste of time. NONE of the Roms I downloaded ever worked properly, the apps never worked, and it was nothing but trouble for me. My phone always "force close" my apps too. No offense to the developers I just didn't see a benefit.
Am I wrong?
Click to expand...
Click to collapse
i personally have the opposite experience. while there are a couple minor issues with the rom that i run,i feel my phone is faster and more pleasureable after root. i love htc phones,but hate htc sense,so i root mainly root so i can run AOSP based firmware.
but as was said,to each his(her) own
scotty1223 said:
i personally have the opposite experience. while there are a couple minor issues with the rom that i run,i feel my phone is faster and more pleasureable after root. i love htc phones,but hate htc sense,so i root mainly root so i can run AOSP based firmware.
but as was said,to each his(her) own
Click to expand...
Click to collapse
I too hate the HTC Sense and wish I could change the overall layout of my phone. When I did load a new ROM that changed the layout it always seemed to be screwed up for one reason or another.
For example the lastest rom (Cyanogen) I absolutely loved but it didn't have market and I never could find out how to load it!
scotty1223 said:
i personally have the opposite experience. while there are a couple minor issues with the rom that i run,i feel my phone is faster and more pleasureable after root. i love htc phones,but hate htc sense,so i root mainly root so i can run AOSP based firmware.
but as was said,to each his(her) own
Click to expand...
Click to collapse
Couple of quick questions (which might appear silly):
"place the PB31IMG of 2.2 on the root of your sd card. rename PB31IMG"
#1) What do we rename "PB31IMG.zip" to? The directions simply state to rename it.
#2) Move it to the root of the external sdcard or internal sdcard?
tia, and I hope these questions weren't too ridiculous.
kjy2010 said:
Couple of quick questions (which might appear silly):
"place the PB31IMG of 2.2 on the root of your sd card. rename PB31IMG"
#1) What do we rename "PB31IMG.zip" to? The directions simply state to rename it.
#2) Move it to the root of the external sdcard or internal sdcard?
tia, and I hope these questions weren't too ridiculous.
Click to expand...
Click to collapse
It should be named PB31IMG.zip
It all depends how you rename it, if you use your pc it may not show the.zip extension if you have "show extensions" turned off. So on your pc it may just say PB31IMG even though it is really a zip. Sometimes when extensions are off people end up naming it PB31IMG.zip.zip wich will not work. It is best to have your pc show extensions you can do that by going to controll pannel / folder options / view tab uncheck hide extensions for known file types.
cmlusco said:
It should be named PB31IMG.zip
It all depends how you rename it, if you use your pc it may not show the.zip extension if you have "show extensions" turned off. So on your pc it may just say PB31IMG even though it is really a zip. Sometimes when extensions are off people end up naming it PB31IMG.zip.zip wich will not work.
Click to expand...
Click to collapse
wow lol ok, that just seems common sense, but I guess you never know who your audience is
Which sdcard should the file be on?
kjy2010 said:
wow lol ok, that just seems common sense, but I guess you never know who your audience is
Which sdcard should the file be on?
Click to expand...
Click to collapse
It should be on the removable sd not the internal storage if thats what you were asking.
cmlusco said:
It should be on the removable sd not the internal storage if thats what you were asking.
Click to expand...
Click to collapse
thanks again, just making certain. going for my third try now!
---------- Post added at 01:20 PM ---------- Previous post was at 01:14 PM ----------
I'm getting an unmatched number on zergRush
"md5sums zergRush again,output stuff, then this number: 795275fb9c41ebd5b9fe7ab19108c52b"
I get "4bf71b766a9603fa7db98e71e3f3b470"
??
It states:
"*all those numbers must match exactly. if they do then you can procede."
What do you do if they don't match?
Sorry for the n00b questions, been dealing with nothing but HC since June.
I would try redownloading and then check it again. If its still wrong i would contact the op scotty and ask him, as he is the one who provided the original md5.
cmlusco said:
I would try redownloading and then check it again. If its still wrong i would contact the op scotty and ask him, as he is the one who provided the original md5.
Click to expand...
Click to collapse
thanks, d/l it three times already what a PITA
I get a md5 of
3cf8a3fbceb667121d91f4ef1a66684c
for the zergrush file in the zip and.
12c52b97e75e73595b325c03610b3380
for the zip it self, different than both of your guys.
Edit. I believe that the zergrush file has been updated since this post to include more phones so that is probably why the md5 is different.