0

1

24th February – Updated and added rom download links, clarified USB driver

setup for Desire Z and G2

20th April – Added rooting guide and updated the tools package.

2

This guide has been made by taking partial and whole intercepts from

various guides across the internet.

Sources: Setherio’s extensive guide on XDA Forums

Disclaimer

You are solely responsible for your actions (i.e. following this guide).

This guide has been tested to be working, so you don’t have to worry.

If you encounter problems XDA Developer Forums will surely have a solution for you.

Required files for this guide:

DZ-G2 Downgrade-Rooting Tools , Link2

Password: strawmetal

Desire Z: Stock ROM , Link 2 , Link 3 , Link 4

G2: Stock ROM , Link 2 , Link 3

HTC Sync(only for Desire Z) or HTC USB Driver(either model)

3

Download the attached file. Extract and place the folder in your C drive as shown.

Right click on My Computer > Properties > Advanced/Advanced System Settings >

Environment Variables

Under “System Variables” click “path” and click “edit”.

At the end of the line add a semi colon “;” and type “C:\platform-tools” (of course

without “ ” ) then click OK.

o Now we need to install the USB drivers for your phone on your system. Just install

the latest HTC Sync (only for Desire Z) or HTC USB Driver (either model). If you

installed HTC Sync then connect your phone via USB and select HTC Sync option.

Let the Sync application detect your phone. After it detects and connects to your

phone successfully remove the USB from your phone. Now go to Add/Remove

Programs and remove HTC Sync Software...

4

(CAUTION: do not uninstall other HTC driver software) . Your drivers should be

successfully set up.

o On your phone, click Settings > Applications > Development and make sure USB

Debugging is on. Now connect your phone in charge only mode.

o Open Command Prompt from Run in start menu by typing "cmd" .Type the

following into the command prompt window (hitting enter at the end of every line):

You should see your device serial showing up. This means you are all set.

If it doesn’t show up then try reconnecting your phone and also try reinstalling the

drivers. Charge only mode is compulsory

Note: Whenever you are typing the commands you do not need to type the

characters in blue i.e., > $ #

> adb devices

5

1. Your sdcard should be inserted in your phone, you should be connected to

your pc in charge only mode, and your sdcard should not be full (min 400MB

free).

2. Run the following command to verify the exploit has access to what it needs.

(Only the first line is the command. The second line should be the result

returned if all goes well)

3. If you received the same message, you're good to continue on. If not... I'd

recommend going back to #g2root and asking them. (I am just passing along

the information after all)

4. Run the following commands

5. After you enter that command, with luck you should see something similar to

the last few lines in the following displayed. (It may take a minute or two. From

what I can tell, this appears to be the quickest method as the exploit seems to

be found in the latter regions.)

> adb shell cat /dev/msm_rotator

/dev/msm_rotator: invalid length

> adb push fre3vo /data/local/tmp

> adb shell

$ chmod 777 /data/local/tmp/fre3vo

$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF

Buffer offset: 00000000

Buffer size: 8192

Scanning region fb7b0000…

Scanning region fb8a0000…

Scanning region fb990000…

Potential exploit area found at address fbb4d600:a00.

Exploiting device…

6

6. A. If the exploit works, you will be kicked out of ADB shell, proceed to Step #7

B. If the above does not work, and fails, you can try the following, and hopefully

one will work, try the following (you must reboot your phone before you try

another set):

7. If you did get kicked out of adb shell, open it again. You should now see the

lovely # instead of $, thus granting you temp root. Go ahead and exit out of

shell to proceed to the next stage.

$ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF

$ /data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF

$ /data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF

$ /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF

$ /data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF

> adb shell

# exit

7

1. Enter the following commands.

Note: If you get the following error, please make sure your sdcard is inserted in

your phone and your phone is connected to the computer on Charge Only mode

(not USB Storage)

2.

3. Double check and make sure everything looks good so far by running the following

command (still in adb shell).

4. Backup any data you require i.e. contacts, messages, calendar, images, videos,

music.

> adb push misc_version /data/local/tmp/misc_version

> adb push flashgc /data/local/tmp/flashgc

> adb shell chmod 777 /data/local/tmp/*

> adb shell

> cd /data/local/tmp

# ./misc_version –s 1.00.000.0

--set_version set. VERSION will be changed to: 1.00.000.0

Patching and backing up partition 17…

# ./flashgc

Error opening backup file.

# sync

# dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10

1.00.000.010+0 records in

10+0 records out

10 bytes transferred in 0.001 secs (10000 bytes/sec)

8

If you have nothing to backup or don’t care to back up anything, proceed directly to

downgrading on the next page.

1. Run the following commands in your command prompt.

2. Download a backup application such as TitaniumBackup / MyBackupRoot. You can

also use ES File Explorer to backup the apks of your apps onto your sdcard.

Call Logs Backup & Restore and SMS Backup & Restore are other cool options.

Make a backup.

> adb push su /data/local/tmp/

> adb push busybox /data/local/tmp/

> adb push fixsu.sh /data/local/tmp/

> adb install Superuser.apk

> adb shell chmod 755 /data/local/tmp/fixsu.sh

> adb shell /data/local/tmp/fixsu.sh

9

Please follow either manual downgrade or fastboot downgrade.

Hope you’ve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other

roms, you may brick your device. Use only roms that are compatible with your phone.

1. Rename your downloaded rom to PC10IMG.zip (i.e. PCtenIMG.zip)

Note: Filename MUST be all uppercase except for the extension, and if file

extensions are hidden, do not include ".zip")

2. Now connect your phone in USB storage and copy your PC10IMG.zip onto your

sdcard. NOTE: Do not place it inside any folder.

3. Now change your connection type to Charge Only. The next process takes about

5-10 minutes so make sure your charge is not low else, plug into an outlet or your

computer.

4. Type the following in your command prompt to reboot your phone into your

bootloader.

5. After your phone has entered the bootloader, press the power button (works as

select key, volume keys work as navigation keys).

Your phone will now scan for your rom file and asks you to confirm the update

(actually it’s a downgrade for you, we manipulated the version number remember?)

DO NOT INTERRUPT THIS PROCESS. Your phone will reboot once or twice (completely

normal). Once the process is complete it will ask you to press a key to reboot. Your

phone will now reboot into your stock Froyo rom.

Congratulations your downgrade is complete and you are free go ahead and root your

phone permanently. There are many guides out there. You could even follow the guide

on the next few pages sourced from xda wiki. Please avoid anything related to Visionary

it has been known to brick phones.

> adb reboot bootloader

10

Hope you’ve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other

roms, you may brick your device. Use only roms that are compatible with your phone.

1. Rename your downloaded rom to StockRom.zip

Note: Filename MUST be exactly same, and if file extensions are hidden, do not

include ".zip")

2. Now copy StockRom.zip into your platform-tools folder. Next type the following

command to boot into the bootloader.

3. Make sure your device is recognized by typing the following command. If your

device is recognized it should return a serial/model number.

4. Type this and your phone should now reboot into a black screen with a grey/silver

"HTC" logo on it.

5. Next we flash the Stock Rom. This may take a few minutes as it transfers the file to

the phone then attemps to update (downgrade).

In rare cases the flash stops and the user gets a warning to repeat the flash

immediately don’t panic, just run the " fastboot flash zip StockRom.zip" (only this

command, not the rebootRUU one) again and it will work.

6. When it finishes, wait a minute or two (just in case) then reboot your phone by

typing:

Your phone will now reboot into your stock Froyo rom.Congratulations your downgrade

is complete and you are free go ahead and root your phone permanently. There are many

guides out there. You could even follow the guide on the next few pages sourced from

xda wiki. Please avoid anything related to Visionary it has been known to brick phones.

> adb reboot bootloader

> fastboot devices

> fastboot oem rebootRUU

> fastboot flash zip StockRom.zip

> fastboot reboot

11

Before we can continue you need to enable debugging in the settings on the phone. In

Settings go to "Applications -> Development" and check the "USB debugging" option.

Connect you phone via USB to your PC. Your phone should remain connected throughout

the process. Make sure that your phone is NOT CONNECTED IN USB STORAGE and your

sdcard is inserted in your phone and is mounted on the phone. There is a Readme.txt file

in the platform-tools folder. Follow that and then enter the following commands taking

care that you have typed correctly.

Now you can choose either 4ext or clockwork for your recovery. So enter the following

command accordingly. Choose only one.

Now the following command is to get temporary root.

After the last command you should have a root shell in adb given by #. Now do not close

the command/ terminal window.

> adb push psneuter /data/local/tmp/

> adb push gfree /data/local/tmp/

> adb push busybox /data/local/tmp/

> adb push hboot-eng.img /data/local/tmp/

> adb push root_psn /data/local/tmp/

> adb push su /sdcard/

> adb push Superuser.apk /sdcard/

> adb shell chmod 755 /data/local/tmp/*

> adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp/recovery.img

or

> adb push recovery-4ext-2.2.7.rc5-vision.img /data/local/tmp/recovery.img

> adb shell /data/local/tmp/psneuter

> adb shell

12

Note the output of the next commands as MD5-1:

Now execute the following command to install engineering hboot and recovery.

Wait until # reappears. Note the output of the following command as MD5-2:

Note the output of the following command as MD5-3:

If MD5-3 matches with MD5-1 then gfree failed to powercycle your emmc chip. Either

your software version is high and you did not downgrade. Try again or join #G2ROOT

channel at www.webchat.freenode.net and ask for help.

If MD5-3 does not match MD5-1 and MD5-3 does not match MD5-2 then DO NOT

REBOOT and run to G2ROOT for help.

If MD5-3 matches with MD5-2 then you are fine and type the next command to reboot

and you are permanently rooted.

# cd /data/local/tmp

# ./busybox md5sum /dev/block/mmcblk0p18

# ./gfree –f –b hboot-eng.img –y recovery.img

# ./root_psn

# sync

# cd /data/local/tmp

# ./busybox md5sum hboot-eng.img

# ./busybox md5sum /dev/block/mmcblk0p18

# reboot

13