0

24th February Updated and added rom download links, clarified USB driver setup for Desire Z and G2 20th April Added rooting guide and updated the tools package.

This guide has been made by taking partial and whole intercepts from various guides across the internet. Sources: Setherios extensive guide on XDA Forums

Disclaimer You are solely responsible for your actions (i.e. following this guide).
This guide has been tested to be working, so you dont have to worry. If you encounter problems XDA Developer Forums will surely have a solution for you.

Required files for this guide: DZ-G2 Downgrade-Rooting Tools , Link2

Password: strawmetal

Desire Z: Stock ROM , Link 2 , Link 3 , Link 4 G2: Stock ROM , Link 2 , Link 3 HTC Sync(only for Desire Z) or HTC USB Driver(either model)

Download the attached file. Extract and place the folder in your C drive as shown.

Right click on My Computer > Properties > Advanced/Advanced System Settings > Environment Variables Under System Variables click path and click edit. At the end of the line add a semi colon ; and type C:\platform-tools (of course without ) then click OK. o Now we need to install the USB drivers for your phone on your system. Just install the latest HTC Sync (only for Desire Z) or HTC USB Driver (either model). If you installed HTC Sync then connect your phone via USB and select HTC Sync option. Let the Sync application detect your phone. After it detects and connects to your phone successfully remove the USB from your phone. Now go to Add/Remove Programs and remove HTC Sync Software...

(CAUTION: do not uninstall other HTC driver software) . Your drivers should be
successfully set up. o On your phone, click Settings > Applications > Development and make sure USB Debugging is on. Now connect your phone in charge only mode. o Open Command Prompt from Run in start menu by typing "cmd" .Type the following into the command prompt window (hitting enter at the end of every line): > adb devices

You should see your device serial showing up. This means you are all set. If it doesnt show up then try reconnecting your phone and also try reinstalling the drivers. Charge only mode is compulsory

Note: Whenever you are typing the commands you do not need to type the characters in blue i.e., > $ #

1. Your sdcard should be inserted in your phone, you should be connected to your pc in charge only mode, and your sdcard should not be full (min 400MB free). 2. Run the following command to verify the exploit has access to what it needs. (Only the first line is the command. The second line should be the result returned if all goes well)

> adb shell cat /dev/msm_rotator

/dev/msm_rotator: invalid length 3. If you received the same message, you're good to continue on. If not... I'd recommend going back to #g2root and asking them. (I am just passing along the information after all) 4. Run the following commands > adb push fre3vo /data/local/tmp > adb shell $ chmod 777 /data/local/tmp/fre3vo $ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF 5. After you enter that command, with luck you should see something similar to the last few lines in the following displayed. (It may take a minute or two. From what I can tell, this appears to be the quickest method as the exploit seems to be found in the latter regions.) Buffer offset: 00000000

Buffer size:

8192

Scanning region fb7b0000 Scanning region fb8a0000 Scanning region fb990000 Potential exploit area found at address fbb4d600:a00. Exploiting device

6. A. If the exploit works, you will be kicked out of ADB shell, proceed to Step #7
B. If the above does not work, and fails, you can try the following, and hopefully one will work, try the following (you must reboot your phone before you try another set): $ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF $ /data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF $ /data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF $ /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF $ /data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF

7. If you did get kicked out of adb shell, open it again. You should now see the lovely # instead of $, thus granting you temp root. Go ahead and exit out of shell to proceed to the next stage. > adb shell # exit

1. Enter the following commands. > adb push misc_version /data/local/tmp/misc_version > adb push flashgc /data/local/tmp/flashgc > adb shell chmod 777 /data/local/tmp/* > adb shell > cd /data/local/tmp # ./misc_version s 1.00.000.0 --set_version set. VERSION will be changed to: 1.00.000.0 Patching and backing up partition 17 # ./flashgc

Note: If you get the following error, please make sure your sdcard is inserted in
your phone and your phone is connected to the computer on Charge Only mode (not USB Storage) Error opening backup file. 2.

# sync

3. Double check and make sure everything looks good so far by running the following command (still in adb shell). # dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10 1.00.000.010+0 records in 10+0 records out 10 bytes transferred in 0.001 secs (10000 bytes/sec) 4. Backup any data you require i.e. contacts, messages, calendar, images, videos, music.

If you have nothing to backup or dont care to back up anything, proceed directly to downgrading on the next page. 1. Run the following commands in your command prompt. > adb push su /data/local/tmp/ > adb push busybox /data/local/tmp/

> adb push fixsu.sh /data/local/tmp/

> adb install Superuser.apk > adb shell chmod 755 /data/local/tmp/fixsu.sh > adb shell /data/local/tmp/fixsu.sh 2. Download a backup application such as TitaniumBackup / MyBackupRoot. You can also use ES File Explorer to backup the apks of your apps onto your sdcard. Call Logs Backup & Restore and SMS Backup & Restore are other cool options. Make a backup.

Please follow either manual downgrade or fastboot downgrade.

Hope youve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other roms, you may brick your device. Use only roms that are compatible with your phone. 1. Rename your downloaded rom to

PC10IMG.zip (i.e. PCtenIMG.zip)

Note: Filename MUST be all uppercase except for the extension, and if file extensions are hidden, do not include ".zip") 2. Now connect your phone in USB storage and copy your PC10IMG.zip onto your sdcard. NOTE: Do not place it inside any folder. 3. Now change your connection type to Charge Only. The next process takes about 5-10 minutes so make sure your charge is not low else, plug into an outlet or your computer. 4. Type the following in your command prompt to reboot your phone into your bootloader. > adb reboot bootloader 5. After your phone has entered the bootloader, press the power button (works as select key, volume keys work as navigation keys). Your phone will now scan for your rom file and asks you to confirm the update (actually its a downgrade for you, we manipulated the version number remember?) DO NOT INTERRUPT THIS PROCESS. Your phone will reboot once or twice (completely normal). Once the process is complete it will ask you to press a key to reboot. Your phone will now reboot into your stock Froyo rom. Congratulations your downgrade is complete and you are free go ahead and root your phone permanently. There are many guides out there. You could even follow the guide on the next few pages sourced from xda wiki. Please avoid anything related to Visionary it has been known to brick phones.

10

Hope youve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other roms, you may brick your device. Use only roms that are compatible with your phone. 1. Rename your downloaded rom to include ".zip") 2. Now copy StockRom.zip into your platform-tools folder. Next type the following command to boot into the bootloader. > adb reboot bootloader 3. Make sure your device is recognized by typing the following command. If your device is recognized it should return a serial/model number. > fastboot devices 4. Type this and your phone should now reboot into a black screen with a grey/silver "HTC" logo on it.

StockRom.zip

Note: Filename MUST be exactly same, and if file extensions are hidden, do not

> fastboot oem rebootRUU

5. Next we flash the Stock Rom. This may take a few minutes as it transfers the file to the phone then attemps to update (downgrade). > fastboot flash zip StockRom.zip In rare cases the flash stops and the user gets a warning to repeat the flash immediately dont panic, just run the " fastboot flash zip StockRom.zip" (only this command, not the rebootRUU one) again and it will work. 6. When it finishes, wait a minute or two (just in case) then reboot your phone by typing: > fastboot reboot

Your phone will now reboot into your stock Froyo rom.Congratulations your downgrade is complete and you are free go ahead and root your phone permanently. There are many guides out there. You could even follow the guide on the next few pages sourced from xda wiki. Please avoid anything related to Visionary it has been known to brick phones.

11

Before we can continue you need to enable debugging in the settings on the phone. In Settings go to "Applications -> Development" and check the "USB debugging" option. Connect you phone via USB to your PC. Your phone should remain connected throughout the process. Make sure that your phone is NOT CONNECTED IN USB STORAGE and your sdcard is inserted in your phone and is mounted on the phone. There is a Readme.txt file in the platform-tools folder. Follow that and then enter the following commands taking care that you have typed correctly. > adb push psneuter /data/local/tmp/ > adb push gfree /data/local/tmp/ > adb push busybox /data/local/tmp/ > adb push hboot-eng.img /data/local/tmp/ > adb push root_psn /data/local/tmp/ > adb push su /sdcard/ > adb push Superuser.apk /sdcard/

> adb shell chmod 755 /data/local/tmp/*

Now you can choose either 4ext or clockwork for your recovery. So enter the following command accordingly. Choose only one. > adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp/recovery.img or > adb push recovery-4ext-2.2.7.rc5-vision.img /data/local/tmp/recovery.img Now the following command is to get temporary root. > adb shell /data/local/tmp/psneuter > adb shell After the last command you should have a root shell in adb given by #. Now do not close the command/ terminal window.

12

Note the output of the next commands as MD5-1: # cd /data/local/tmp # ./busybox md5sum /dev/block/mmcblk0p18 Now execute the following command to install engineering hboot and recovery. # ./gfree f b hboot-eng.img y recovery.img # ./root_psn # sync Wait until # reappears. Note the output of the following command as MD5-2: # cd /data/local/tmp # ./busybox md5sum hboot-eng.img Note the output of the following command as MD5-3: # ./busybox md5sum /dev/block/mmcblk0p18 If MD5-3 matches with MD5-1 then gfree failed to powercycle your emmc chip. Either your software version is high and you did not downgrade. Try again or join #G2ROOT channel at www.webchat.freenode.net and ask for help. If MD5-3 does not match MD5-1 and MD5-3 does not match MD5-2 then DO NOT REBOOT and run to G2ROOT for help. If MD5-3 matches with MD5-2 then you are fine and type the next command to reboot and you are permanently rooted. # reboot

13