Maybe this can help for rooting the new sbf - Defy General

1. How can I root my phone?
1.1 General information/Basic adb-commands
Rooting a phone enables you to do things, which normally aren't possible for the average user like:
- Removing apps which were preinstalled by the provider (like Orange, Vodafone, etc.). My Tattoo had Vodafone apps for buying music and other sh*t, which was installed on the system partition (to which a "normal" user has no rights to write to, including deleting).
The Tattoo was successfully rooted by a bunch of guys here, namely -bm-, mainfram3 and Coburn64 (maybe, I don't remember quite correctly ). Also the Tattoo was the first phone having a security mechanism hindering a user to mount the filesystems as read/write, which had to be overridden by remapping the read only memory region to a read/write one. This is done by the module Tattoo-hack.ko, also made by mainfram3. He also created the first boot.img, which enabled su directly from adb and loading Tattoo-hack directly from boot on.
A few words about adb:
ADB is a tool for communicating from the PC with the mobile phone. For this a service is running on the phone enabling the communication via Terminal Emulator. Here are the most useful adb-commands:
Code:
adb push localFileFromPC /path/on/mobilephone
-> pushes a file "localFileFromPC" to a specified location on the phone
adb pull /path/to/file pathFromPC
-> receives a file from the phone and stores it to "pathFromPC"
adb remount
-> This is only possible in custom ROMs, remounts the file system to r/w automatically
adb shell "command"
-> executes "command" and returns to the computer shell
adb shell
-> opens a shell session on the phone (from here on you have to be very careful! Also you can execute now normal linux commands like rm, mv, ls, chmod and so on, but not cp (this can be done through busybox)). You will have to use this more often, so get used to it
1.2 Do I have to create a goldcard?
I read this question quite often. For rooting, you don't need it, but for SIM-locked phones you can't flash custom unbranded ROMs (I think).
For a guide to creating a goldcard, follow this link: http://forum.xda-developers.com/show...88&postcount=1 (thanks to MiSSigNNo for this point)
1.3 Tools you need
A complete set of tools can be found here. Feel free to mirror it:
http://rapidshare.com/files/403766494/Tattoo.rar.html
Mirror(s):
http://www.bild-ton.net/Tattoo.rar
http://www.megaupload.com/?d=CI9AW83F
This package contains:
- adb binaries for Windows (sorry Linux users )
- su (Please note: use the su-binary attached in this post, not the one in the archive!!!!!)
- m7 exploit
- Amon_RA recovery.img
- mainfram3 boot.img
- flash_image binary
- tattoo-hack.ko
1.4 The automated way
This method was created by maverixx and can be found here. This basically consists of a package doing everything you need by itself. It roots the phone and flashes maverixx recovery.img, which (no offense) I don't like as much as I like Amon_RA's one! Just click the batch file and it does the rest (you have to connect your phone via USB to your PC though).
If you want to use the automated way, but flashing Amon_RA's recovery, just replace the recovery.img from maverixx' package with the recovery.img provided in my archive file (see 1.3 for the link).
In my time here I noticed quite a few users experiencing problems either with a fully functional su or with the recovery image not flashing certain update.zip packages. It seems to be a matter of luck.
1.5 The manual way (recommended by the author)
I personally like to know what is done, when and how; that's why I recommend the manual way. So let's get down to business. Let's see if you know all the adb-commands I wrote here:
1. Let's say you have everything unpacked into C:\Tattoo
2. In your terminal (on your PC) type:
- adb shell "mkdir /data/local/bin" (if it returns an error it means that the directory already exists, just proceed)
- adb push m7 /data/local/bin/
- adb push su /data/local/bin/
- adb push flash_image /data/local/bin/
- adb push tattoo-hack.ko /data/local/bin/
- adb push recovery.img /sdcard
- adb push boot.img /sdcard
3. We have every needed file on the phone now. Type now (we are still in your terminal):
- adb shell
$ cd /data/local/bin
$ chmod 766 m7 (I don't retain this step as mandatory, so if this process fails, just proceed)
$ while ./m7 ; do : ; done
lots of text until you see something like "wrote shell code"; press enter 2 or 3 times to see:
#
4. Then perform this:
- # export LD_LIBRARY_PATH=/system/lib
- # export PATH=/system/bin
- # insmod ./tattoo-hack.ko
- # mount -o rw,remount /dev/block/mtdblock5 /data
- # mount -o rw,remount /dev/block/mtdblock3 /system
- # cat ./su > /system/bin/su
- # chmod 4755 /system/bin/su
- # chmod 755 ./flash_image
Questions?
1.6 Problems and (hopefully good) solutions
Q: How do I execute my command line tool?
A: On your Windows host, go to Start->Run...->type "cmd"
Q: Where is my adb? When I type it in my shell it says that it was not found!
A: The adb binary is found in the archive I supplied above or in the Google SDK. As my archive-file is quite smaller than the Google SDK you should take mine. Let's suppose your adb binary is unpacked in C:\Tattoo, then type:
Code:
Your\Current\Location> cd C:\Tattoo
C:\Tattoo> adb <command>
Q: adb says "error: device not found" when I try to launch the shell on the phone!
A: Connect the phone with the usb cable and make sure the sd card is not mounted as drive on your PC!!!
Q: When I want to copy something the phone returns that "cp" is not found! Also when I try to move a file, it says "cross-link device".
A: Well, copying from one partition to another is only possible either via busybox or via
Code:
cat file > /location/filename
Example:
cp /data/su /system/bin
is realized by typing
cat /data/su > /system/bin/su
Also make sure that system is r/w!!!
Q: flash_image returns write errors when flashing recovery/boot image!
A:
For boot: Try to redo the flash procedure
For recovery: Note that you can't flash the same recovery.img as the one already installed, so install another recovery.img first (like maverixx) and then Amon_RA's again. If it still doesn't work reboot, remount the partitions r/w, insmod tattoo-hack.ko and retry flashing.
Q: How can I unroot my device?
A: Just delete su from /system/xbin and restore the old boot.img. Alternatively see here for retrieving a stock ROM to flash it on your phone.
I hope someone tries this; I don't have time.

Related

In case your "adb" doesn't see the device

Apparently, some firmwares seem to disable "adb" service on the Galaxy S.
So in case you run into this problem (adb unable to see the device) what you will need is to modify /default.prop on the SGS.
Here is what I had originally:
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.debuggable=0
persist.service.adb.enable=0
To enable ADB on SGS
1. Run on the device: setprop persist.service.adb.enable 1 to temporarily switch it on.
2. pull /default.prop with adb and modify the "ro.secure=0" and "persist.service.adb.enable=1"
3. mount -o remount,rw rootfs /
4. push modified default.prop back to /
It's what I'd need, but the guide is not quite clear to me:
1. Run on the device, means on terminal emulator?
2. How to pull? And please, specify better what to change...
I assume the rest of the commands must be issued on the device via terminal emulator...
Let me know and thanx so much!
details
In more detail:
1. Root your device (see FAQ sticky post)
2. Install shell emulator on the device
3. In shell emulator, enable ADB (not sure if you need to run "su" before that):
setprop persist.service.adb.enable 1
4. Now, you should be able to connect to the device with ADB (temporarily). If not, make sure your udev rules (for Linux: /etc/udev/rules.d/51-android.rules) are smth like:
SUBSYSTEM=="usb|usb_device", ATTRS{idVendor}=="04e8", MODE="0666"
5. To make the change permanent:
adb pull /default.prop .
(this will copy default props to local directory)
6. Modify the two properties as follows:
ro.secure=0
persist.service.adb.enable=1
7. Re-mount the root filesystem on the device in read-write mode (requires "su" before that):
mount -o remount,rw rootfs /
8. Now overwrite the /default.prop on the device with the modified one:
adb push default.prop /default.prop
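The posts above change `ro.secure` and `persist.service.adb.enable` in `/default.prop`; the following added example (not code from the thread) audits a pulled copy of that file for those settings. The function names are hypothetical, the sample files are constructed from the values quoted above, and the write-once handling of `ro.*` keys is an assumption about how the property service loads the file.

```python
# Added example, not code from the thread: audit a pulled default.prop for
# the ADB-related settings discussed in the posts above.

# Values that widen ADB access, with the effect each one has on adbd.
RISKY_VALUES = {
    "ro.secure": ("0", "adbd keeps root instead of dropping to the shell user"),
    "ro.debuggable": ("1", "'adb root' can restart adbd as root"),
    "persist.service.adb.enable": ("1", "adbd is started on every boot"),
}


def parse_props(text):
    """Return {key: effective value} for a default.prop style file.

    Assumption: ro.* properties are write-once, so the first assignment
    wins; for every other key a later assignment overrides an earlier one.
    """
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        if key.startswith("ro.") and key in props:
            continue  # write-once: keep the first value
        props[key] = value
    return props


def audit(text):
    """Return sorted (key, value, reason) tuples for risky settings."""
    props = parse_props(text)
    findings = []
    for key, (bad, reason) in RISKY_VALUES.items():
        if props.get(key) == bad:
            findings.append((key, bad, reason))
    return sorted(findings)


# Constructed sample: the stock values quoted in the first post.
STOCK = """\
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.debuggable=0
persist.service.adb.enable=0
"""

# Constructed sample: the same file after the edit the guide describes.
MODIFIED = STOCK.replace("ro.secure=1", "ro.secure=0").replace(
    "persist.service.adb.enable=0", "persist.service.adb.enable=1")

# Constructed sample: a later "ro.secure=1" does not undo the first line,
# so an audit that only reads the last assignment would miss it.
SHADOWED = "ro.secure=0\nro.secure=1\n"

if __name__ == "__main__":
    for name, sample in (("stock", STOCK), ("modified", MODIFIED),
                         ("shadowed", SHADOWED)):
        print(name)
        for key, value, reason in audit(sample) or [("-", "-", "no findings")]:
            print(f"  {key}={value}: {reason}")
```
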

[HOWTO] manual rooting of Galaxy Tab (EURO)

This howto is for those people who are unable to root their Galaxy Tab using any of the automated procedures and do not suffer from CLPS (command-line-phobia-syndrome).
My story: After upgrading my EURO (GSM) Galaxy Tab to JM6 my persistent efforts to root the device using either the z4root or SuperOneClick methods have all been unsuccessful. z4root (v1.3.0) kept crashing at different stages, apparently depending on which and how many background apps were running. With SuperOneClick I never managed to get beyond the "changing permissions" stage.
Since both methods are basically wrappers of the rageagainstthecage application, I tried to perform the rooting procedure manually. Guess what, that worked without any problem and it is pretty easy to do.
The basic steps of the rooting process are:
1) use rageagainstthecage to get a temporary root shell
2) use the temporary root shell to copy three files to the read-only system partition of the device
While I find the outlined procedure straightforward, you may not. Anyhow, try this at your own risk.
==== Prerequisites ====
I used Ubuntu 10.10 for this, but it should work on any other distro and on Windows just as well. Whatever OS you use, you need a working adb connection to your Galaxy Tab. Odin or Kies are of no use here.
You need the following binaries
* su
* busybox
* Superuser.apk
* rageagainstthecage
To get all the required files, simply download "SuperOneClickv1.5.5-ShortFuse.zip". That's what I used.
Get it here: http://forum.xda-developers.com/showthread.php?t=803682
Extract the contents of the ZIP, open a command-prompt on your computer and change to the directory where the extracted files are located.
Some advice if shell commands are not your regular cup of tea.
The following instructions show the shell commands. Some are executed on the host computer. Others are executed on the Galaxy Tab. You can differentiate between the two easily: All commands which start with "> " need to be executed in a shell on the host computer. Commands which are prefixed with "$ " are executed on the Galaxy Tab. In both cases the ">" and the "$" must not be typed. If you copy+paste from this howto, make sure only to copy the commands and leave out the prompt.
==== Step 1: getting a temporary root shell ====
Copy the rageagainstthecage exploit to a temporary directory.
Code:
> adb push rageagainstthecage /data/local/tmp
263 KB/s (5392 bytes in 0.020s)
Change the file permissions and execute the exploit.
Code:
> adb shell
$ cd /data/local/tmp
$ chmod 777 rageagainstthecage
$ ./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
(other output truncated)
Your shell session will be terminated which will throw you back to the regular command prompt of your host computer.
==== Step 2: restart adb server ====
Now stop and restart the adb server process.
Code:
> adb kill-server
> adb start-server
* daemon not running. starting it now *
* daemon started successfully *
Now reconnect to the Galaxy Tab again. Notice the '#' prompt. This means you have a temporary root shell now. We use this to execute some privileged commands which make the rooting permanent.
==== Step 3: making it permanent ====
First, make the system partition writeable. We need this to be able to copy su, busybox and Superuser.apk to the required locations. Then exit the android shell again.
Code:
> adb shell
# mount -o remount,rw -t rfs /dev/block/stl9 /system
# exit
Now we push busybox and su via adb. Then we install Superuser.apk.
Code:
> adb push busybox /system/bin
> adb push su /system/bin
> adb install Superuser.apk
The final steps are to change the file permissions for su and busybox and then remount the system partition as read-only again.
Code:
> adb shell
# chmod 4755 /system/bin/busybox
# chmod 4755 /system/bin/su
# mount -o remount,ro -t rfs /dev/block/stl9 /system
# exit
That should be all. Try a reboot and some apps which require root, like Titanium Backup. The Superuser.apk should popup a dialog requesting permission.
Hope this helps. Happy rooting.
[update]
This process worked for JMA and JMD as well.
"adb install" Superuser.apk instead of "adb push"
[/update]
It will help me !
Merci ;-)
Fantastic! This is just what I was looking for, thank you! I feel dumb now, because I started a thread of my own right as you posted this. You must just type faster than me
I ran a quick test, and it all looks good. One quick question actually. Why do you mount like this:
Code:
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
When most instructions for the Galaxy Tab have you doing something like this:
Code:
# mount -o remount,rw -t rfs /dev/block/stl9 /system
I'm not saying it is wrong, in fact, it actually worked for me. I'm just curious as to why it works like that? My understanding of mounting partitions and such in Linux is a little bit weak, so I like to indulge my curiosity by bugging fine people like yourself
Anyway, thanks again, this did exactly what I needed it to. Well done, I appreciate it.
DavidThompson256 said:
One quick question actually. Why do you mount like this:
Code:
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
When most instructions for the Galaxy Tab have you doing something like this:
Code:
# mount -o remount,rw -t rfs /dev/block/stl9 /system
I'm not saying it is wrong, in fact, it actually worked for me. I'm just curious as to why it works like that? My understanding of mounting partitions and such in Linux is a little bit weak, so I like to indulge my curiosity by bugging fine people like yourself
Thanks for pointing that out! Actually both the filesystem type and blockdevice name were totally wrong. Apparently the mount command ignores both parameters - at least when they are wrong.
I just verified this as self-punishment for not paying attention:
Code:
# mount
(...)
/dev/block/stl9 /system rfs ro,relatime,vfat,log_off,check=no,gid/uid/rwx,iocharset=utf8 0 0
(...)
/system is mounted read-only to /dev/block/stl9. This is the normal state of things.
Now I remount this without the fstype parameter and using a wrong blockdevice name:
Code:
# mount -o remount,rw /dev/block/xyz /system
# mount
(...)
/dev/block/stl9 /system rfs rw,relatime,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
(...)
Surprise, this actually remounts /system in read-write mode. This is why my original howto worked despite using the wrong parameters.
Thanks again. I corrected the HOWTO.
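The check run by hand in the post above (reading the `/system` line of `mount` after a remount), together with a look for the setuid files the HOWTO installs, as an added example that is not code from the thread. Function names are hypothetical; the two `/system` mount lines are the ones quoted above, and the `rootfs` line and `ls -l` listings are constructed.

```python
# Added example, not code from the thread: read the state of /system from
# captured `mount` and `ls -l /system/bin` output.

def mount_entry(mount_output, mount_point):
    """Return (device, fstype, options) for mount_point, or None.

    Expects the "device mountpoint fstype options dump pass" layout shown
    in the post. The lookup keys on the mount point only: the post shows a
    remount succeeding with a wrong device name, so the live entry for the
    mount point is the thing to read. If it is listed twice, the last wins.
    """
    found = None
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            found = (fields[0], fields[2], fields[3].split(","))
    return found


def setuid_root_files(ls_output):
    """Return names of setuid, root-owned regular files in `ls -l` output."""
    names = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("-"):
            continue  # skip blanks, directories and symlinks
        mode = fields[0]
        # GNU ls prints a link count before the owner; Android's ls does not.
        owner = fields[2] if fields[1].isdigit() else fields[1]
        if len(mode) >= 4 and mode[3] in "sS" and owner == "root":
            names.append(fields[-1])
    return names


def system_findings(mount_output, ls_output, allowed_setuid=()):
    """Return human-readable findings about /system."""
    findings = []
    entry = mount_entry(mount_output, "/system")
    if entry is None:
        findings.append("/system is not in the mount table")
    elif "rw" in entry[2]:
        findings.append(f"/system is mounted read-write from {entry[0]}")
    for name in setuid_root_files(ls_output):
        if name not in allowed_setuid:
            findings.append(f"unexpected setuid-root file: {name}")
    return findings


# The /system lines are quoted from the post; the rootfs line is constructed.
STOCK_MOUNT = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/stl9 /system rfs ro,relatime,vfat,log_off,check=no,gid/uid/rwx,iocharset=utf8 0 0
"""
REMOUNTED = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/stl9 /system rfs rw,relatime,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
"""

# Constructed listings in the Android `ls -l` layout (no link count).
STOCK_LS = """\
-rwxr-xr-x root     shell       78804 2010-10-01 12:00 toolbox
lrwxr-xr-x root     shell             2010-10-01 12:00 ls -> toolbox
"""
ROOTED_LS = STOCK_LS + """\
-rwsr-xr-x root     root        26264 2010-11-20 10:05 su
-rwsr-xr-x root     root      1745016 2010-11-20 10:05 busybox
"""

if __name__ == "__main__":
    for label, m, l in (("stock", STOCK_MOUNT, STOCK_LS),
                        ("after the HOWTO, still rw", REMOUNTED, ROOTED_LS)):
        print(label, system_findings(m, l) or "no findings")
```
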
It works for me, but I now get an error message: The application calendar save (process com.android.providers.calendar) has unexpectedly stopped. Try again. Forced closing
I had this also with SuperOneClick.
When I want to start the calendar in the applications I get it also.
The application will not run anymore.
How can I resolve this?
Thnx
leonreijnders said:
It works for me, but I now get an error message: The application calendar save (process com.android.providers.calendar) has unexpectedly stopped. Try again. Forced closing
I had this also with SuperOneClick.
When I want to start the calendar in the applications I get it also.
The application will not run anymore.
How can I resolve this?
Thnx
That is strange. The result of the rooting process is just adding three files to the system partition. I find it hard to believe that this could lead to the problem you describe. However, while experimenting with z4root I had the effect that there were many rageagainstthecage processes running in the background and the Galaxy Tab slowed down considerably. Perhaps there is something similar going on.
Have you tried rebooting after completing the rooting process?
Try shutting down the Tab completely. After rebooting get a shell on the Tab with "adb shell" and execute "ps". That shows the process list. If that looks normal, I would try a factory reset of the device. Which ROM version are you running?
BlackLevel: Thank you soooooooooo much... I don't get how to hit the Thanks Meter thing, but here is the old fashioned way. I used a MacBook to accomplish your perfect, step by step rooting of an AT&T Galaxy Tab i987. It helps that I'm more comfortable at the command line than with most GUI systems.
I could put this into a bash script, but that could be dangerous. People really need to look at what's happening with 'adb' and have some idea of what adb is for. I did rename your 'adbmac' to 'adb', then I could cut and paste from your instructions except for adding ./ before the adb... ie. ./adb shell
Again, wonderful work at pulling this all together in one place.
Jeff
This guide worked perfectly! I love a nice quiet clean root and it doesn't get any better than this. You my friend deserve a cookie!
Hi Guys,
I flashed to JMA, rooted it with One Click Root, and everything seemed to be okay, but activating OCLF failed....is there anybody with the same problem?
Jan
Thanks a lot !. It's clean and doesn't need a kies ...
Just a question : after reboot I have to use "su" after "adb shell" to become root.
Is there any way to be root directly after adb shell ?
And thanks again ...
Mike
mbaroukh said:
Just a question : after reboot I have to use "su" after "adb shell" to become root.
Is there any way to be root directly after adb shell ?
The reason is that "/sbin/adbd" (the adb daemon) is running as the shell user. It would need to run as root user instead. This requires changes to the initial ram disk where the relevant adbd settings are stored.
Dealing with "insufficient permissions for device"
Thanks, this worked for me.
One small thing: running from a Linux system (Ubuntu 9.04), to overcome an "insufficient permissions for device" problem, I had to put my Ubuntu terminal session into su mode and restart the ADB server -- cf. groups.google.com /group/android-discuss/browse_thread/thread/f85a795644e65b59?pli=1 :
[[
adb kill-server
sudo adb start-server
adb devices
]]
gklyne said:
One small thing: running from a Linux system (Ubuntu 9.04), to overcome an "insufficient permissions for device" problem, I had to put my Ubuntu terminal session into su mode and restart the ADB server -- cf. groups.google.com /group/android-discuss/browse_thread/thread/f85a795644e65b59?pli=1 :
[[
adb kill-server
sudo adb start-server
adb devices
]]
Thanks for the feedback. On my Ubuntu 10.10 adb runs under my regular user-id (1000) and I do not have to use sudo or run the local adb server as root. That might be due to the way the udev rules are set up. Mine are rather unrestrictive and look like this:
Code:
$ cat /etc/udev/rules.d/51-android.rules
SUBSYSTEMS=="usb", SYSFS{idVendor}=="0bb4", MODE="0666"
SUBSYSTEMS=="usb", SYSFS{idVendor}=="04e8", MODE="0666"
What do yours look like?
Which is the simplest method for rooting the Galaxy Tab Euro? Are there any?
the incredible said:
Which is the simplest method for rooting the Galaxy Tab Euro? Are there any?
Try z4root or SuperOneClick. Both methods are wrappers of the rageagainstthecage exploit and try to automate the manual process outlined here.
This thread should be a sticky. Worked like a charm.
z4root is very simple method..thanks.
thanks to Germany...
I agree, this thread should be sticky. Finally some sense in android devel section...
Thank you very much for your guide!
I followed all the instructions in your guide, everything seems fine until I try to push the busybox and su to my Galaxy Tab.
blacklevel said:
Now we push busybox and su via adb. Then we install Superuser.apk.
Code:
> adb push busybox /system/bin
> adb push su /system/bin
> adb install Superuser.apk
I received an error: "failed to copy 'busybox' to '/system/bin/busybox' : No space left on device"
the same error for the 'su' too
(No space left on device) is impossible, my tab is brand new sealed when i got it.
I have been trying the z4root and SuperOneClick procedure to root this tab but are all unsuccessful.
I am not sure if it is because my tab needed a "NAND unlock" (I cannot find any guide about the NAND unlock) because I received this message when I tried to install busybox from the market.
Please help! My tab is carrier locked to Bell Canada, I really want to unlock it and root it~
Thanks!
gummo6869 said:
I received an error: "failed to copy 'busybox' to '/system/bin/busybox' : No space left on device"
the same error for the 'su' too,
The `no space left on device` message indicates that the /system partition is still read-only. That means the mount command in step 3 was unsuccessful. Did you get any error message when you executed it?

[GUIDE] Installing stock kernel with ice glacier any

I recently came across a couple of threads in which it seems it was desirable (for some) to run the stock kernel, but with the ice glacier ROM. There were a couple of methods that I saw, neither of which seemed to work for me (one was an update kernel zip file package to be applied from recovery mode from the sdcard, and the other was more involved (see THIS thread)). The kernel provided in that thread is actually not the true STOCK kernel, as best as I can tell. It is likely equivalent, but uname -r still returns a Gr8gorilla label.
So I decided to try the following method. First, if you have a nandroid/clockwork recovery backup of your device before installing ice, then you already have everything you need to revert to the stock kernel. Here is the procedure.
1) reboot phone into recovery
2) go into backup and restore
3) select advanced restore
4) select the very first backup set (the stock, probably first rooted one).
5) select restore boot partition
After this completes, you'll have ice but with stock kernel. However, your wireless will not work until you place the correct kernel module file corresponding to your kernel (bcm4329.ko) in the /system/lib/modules directory. In your nandroid backup set, there is a system.img file. Transfer this file to your computer, and use unyaffs to extract its contents and look for lib/modules/bcm4329.ko
6) while in recovery mode, make sure to mount /system
7) remove or rename the /system/lib/modules/bcm4329.ko file
8) adb push bcm4329.ko /system/lib/modules/bcm4329.ko
9) unmount /system from recovery, and reboot.
That's it. I tested this and ended up seeing:
Code:
Linux localhost 2.6.32.21-g899d047 #1 PREEMPT Tue Oct 26 16:10:01 CST 2010 armv7l GNU/Linux
and my wireless was working just fine. I have attached the wireless kernel module corresponding with stock kernel, and I have attached the boot.img from stock, in case you're reading this, and by some strange reason, you don't actually have an original backup.
I don't personally plan on running stock kernel, I just wanted to see if I _could_ if I wanted to.
Hope you find this useful.
Kambiz
One thing I noted btw, is that after doing this, when I did adb shell, it dropped me into a non-root shell by default, and I had to type "su" or "su - " to gain root. The other thing to note, is that the stock initrd, has the following default.prop entry:
ro.secure=1
whereas ice has:
ro.secure=0
What does this mean?! (besides double rainbow all the way across the sky)?
Setting ro.secure=0 allows adb root functions to work.
My MyGlacier 4G MINE!!!
grankin01 said:
Setting ro.secure=0 allows the "adb remount" command to work.
My MyGlacier 4G MINE!!!
Right. That's what I thought. But I have to say, it seemed to work anyway, because I did:
$ su -
# mount -o remount,rw /system
and then
# cd /system/lib/modules
# mv bcm4329.ko bcm4329.ko.ice
# cp /sdcard/stock-bcm4329.ko bcm4329.ko
# chmod 644 bcm4329.ko
# cd /
# mount -o remount,ro /system
Then I rebooted, and the "stock" driver file that I just put in place was persistent. So I'm not sure if clockworkmod is doing something to ensure ro.secure=0 ... I'm not sure.
No, it means that "adb root" and "adb remount" and any of the other adb root functions will have root access to your device through Android Debug Bridge (adb) by default. My adb shell always comes up with a $ prompt and I have to "su" for root. Setting this to 0 should let you type "adb root" or " adb remount" from your command shell on your desktop and allow you a root prompt device shell or rw access to system without having to "su" or "mount -o remount,rw /dev/block/mmcblk0p25 /system".
My MyGlacier 4G MINE!!!
so this is the true stock kernel?
tiger013 said:
so this is the true stock kernel?
Yes. I made a clockworkmod backup (nandroid backup) after rooting my phone with visionary+, but didn't alter anything else. So once I overwrote everything with Ice Glacier, I still have stock (post OTA update to 2.2.1) kernel and wireless drivers. (attached to OP).
I don't know how to convert them to a flashable update.zip, but I was able to load them using the procedure above.
EDIT:
Notice that the output of "uname -a" when run from adb shell is:
Linux localhost 2.6.32.21-g899d047 #1 PREEMPT Tue Oct 26 16:10:01 CST 2010 armv7l GNU/Linux
The Gorilla kernels have EXTRAVERSION strings added (the kernel version follows after "Linux localhost" in that string)
thank you! I added it to my thread
thanks for this peeps

[Q] Infinite boot loop recovery - need to access /system

Hello,
I was browsing many topics for over 5 hours until I decided to ask this question so I hope it will not be obvious.
I have a Marvell PXA1920 CPU based Android 4.3 phone - Lenovo A788t.
It was rooted using some one-click application, so I did have access to superuser, SuperSU installed etc.
After some modifications done in /etc/permissions and rebooting, phone's entering an infinite loop.
All I need to do now is undo those changes, deleting those files and copying files from backup in another folder. However, for that I need access to /etc with /system remounted in rw mode.
I can access my phone using adb in "Product mode" (phone turned on with lower-volume button pressed), however it seems that from there I don't have root access, so:
I've tried following commands:
1. adb root
result: adbd cannot run as root in production builds
2. adb remount
result: remount failed: Operation not permitted
3. adb shell mount -o rw,remount /system
result: mount: Operation not permitted (in general, no matter what I'm trying to mount/remount)
4. adb shell su
result: the same as echo "su" - prints "su", but does not cause entering su
5. adb shell su -c 'mount -o rw,remount /system'
result: prints command, but does not execute proper action
6. adb shell busybox ...
result: causes the same as all above (operation not permitted)
It seems that phone doesn't support fastboot (adb reboot bootloader doesn't work)
I know that I can do hard reset, but I don't really want to lose all my data and configuration.
Is there anything else that I can do?
Thanks for help in advance

Complete Guide to Root, Downgrade and Upgrade HTC Desire Z

A link for all the necessary files in a platform-tools folder.zip:
Sorry, this forum doesn’t allow me to submit direct links.
h.t.t.p.w.w.w. dropbox.com/s/tk0v3aogwqhp5qn/platform-tools.zip?dl=0
Unzip and put the platform-tools folder on your C drive.
A part of this guide was made by steven-liesenborgs; I have used that to make an all-in-one guide.
1. Create Temproot:
Go to start – windows accessories – open the command prompt. Connect the USB cable to your phone and connect to your pc (!! Make sure USB debugging is turned on your HTC and if asked for only charging or mass storage choose only charging!!) Now go back to the command prompt and type: (press enter after each line,)
cd c:\platform-tools
adb devices
Normally you will now see numbers and letters meaning your device is connected and recognized.
Type: (in windows 10 you can select and use ctrl-c ctrl-v)
adb push fre3vo /data/local/tmp
adb shell
chmod 777 /data/local/tmp/fre3vo
/data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
Now you get normally something like the following lines (this may take 2 min)
Buffer offset: 00000000
Buffer size: 8192
Scanning region fb7b0000…
Scanning region fb8a0000…
Scanning region fb990000…
Scanning region fba90000…
Potential exploit area found at address fbb4d600:a00.
Exploiting device…
If it works you will see that $ has disappeared, otherwise try one of the next lines below (!!restart your mobile for each attempt!!)
/data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFFF
/data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF
/data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF
/data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
/data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF
When $ has disappeared type:
adb shell
Now you will see # instead of $, which means success. Now type:
exit
2. Change version to downgrade and get superCID and Goldcard
Type:
adb push misc_version /data/local/tmp/misc_version
adb push flashgc /data/local/tmp/flashgc
adb shell chmod 777 /data/local/tmp/*
adb shell
cd /data/local/tmp
./misc_version -s 1.00.000.0
Now you get:
--set_version set. VERSION will be changed to:1.00.000.0
Patching and backing up partition 17…
Then type:
./flashgc
(!! In case of an error message like below, check if you did select charge only in settings menu !!)
Error opening backup file.
If everything worked type:
sync
You can check if everything is fine, type:
dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10
1.00.000.010+0 records in
10+0 records out
10 bytes transferred in 0.001 secs (10000 bytes/sec)
BACK-UP everything now
3. Temp root and backup
Type:
exit
adb push su /data/local/tmp/
adb push busybox /data/local/tmp/
adb push fixsu.sh /data/local/tmp/
adb install SuperUser.apk
adb shell chmod 755 /data/local/tmp/fixsu.sh
adb shell /data/local/tmp/fixsu.sh
Back up your data with a backup program on your phone, Rom Manager, Titanium Backup or My backup root for instance.
4. Downgrade to Froyo:
You will need a Rom which you can find following link below :
(There is a rom included the platform-tools.zip from Dropbox, renamed to PC10IMG.zip ready to use, continue to 4a at once) Remember, this is a shipped EU rom, if you need another you can download and find it at same domain from link below or h.t.t..p androidruu.com
h.t.t.p shipped-roms.com/index.php?catcegory=android&model=Vision
RUU_Vision_HTC_WWE_1.34.405.5_Radio_12.28b.60.140e_26.03.02.26_M_release_155556_signed.exe
Download this .exe and activate it as administrator, wait till you see the first screen, don’t do anything, just leave it there.
Click on Start>Run and type %temp%. Then click OK. Look for the newest folder in the temp folder. Double-click on it. (Appdata/local files/temp from user administrator) Open the last folder made (organize!); it will have a name like {4AD69632-45A1-41DE-}. Search in that directory for a rom which the update utility did create there. Copy the rom to the platform-tools folder. Close the HTC Android Rom Update Utility, you don’t need it anymore. Change the name of the rom to PC10IMG.zip. Be aware of whether you can see extensions or not, so that you don’t create a .zip.zip file. Check it with right click on it and see properties.
4a
Now copy the PC10IMG.zip to the root of the SD card. Take off the USB cable and check your settings in the phone: charge only, USB and accept third-party software. Restart the Desire. For some reason this goes smoother than turning power off. When the screen goes dark push volume down and power button at the same time till you get in the boot menu. Click the power button one time and the HTC will search for a file, and start to check the PC10IMG.zip. This will take 1 or 2 minutes. Now you get a choice to upgrade, yes or no; select yes with the Volume up or down button and activate the choice with the power button. Your HTC will now downgrade to Froyo Android 2.2 firmware 1.34.405.5.
5. Root and Superuser to upgrade
Every file you need is already included in the platform-tools.zip from Dropbox
Source: .h.t.t.p.w.w.w. desire.tode.cz/how-to-root-htc-desire-z-g2-vision
Connect the HTC Desire Z to the computer via USB.
Make sure USB debugging is enabled on the HTC Desire Z by checking Settings » Applications » Development » USB debugging.
On the computer, go back to the command prompt and type:
adb push busybox /data/local/tmp/
adb push gfree /data/local/tmp/
adb push hboot-eng.img /data/local/tmp/
adb push psneuter /data/local/tmp/
adb push recovery-clockwork-3.0.2.4-vision.img /data/local/tmp/recovery.img
adb push root_psn /data/local/tmp/
adb push su /sdcard/
adb push Superuser.apk /sdcard/
adb shell
chmod 755 /data/local/tmp/*
/data/local/tmp/psneuter
NOTE: You will drop out of the shell after this command, back to the platform-tools folder. Type:
adb shell
cd /data/local/tmp
./gfree -f -b hboot-eng.img -y recovery.img
As it is very important that the hboot was installed correctly, gfree calculates md5sums of the partition. It will calculate the following 3 checksums:
md5sum #1 - checksum of partition 18 before the installation
md5sum #2 - checksum of the hboot image that should be installed
md5sum #3 - checksum of partition 18 after the installation
The messages that you want to see are either/or:
md5sum #1 == md5sum #2 – the hboot image is already installed -> skipping installation
md5sum #3 == md5sum #2 – the hboot image was successfully installed -> OK!
If you get a different error message then DO NOT REBOOT. Check everything again and try again.
If gfree worked correctly, continue by typing:
./root_psn
sync
reboot
The HTC Desire Z is now rooted with S-OFF, the Engineering HBoot & the ClockworkMod Recovery.
6. Install a new Rom
This is a tricky part since most ROMs will just fail to install, at least on shipped models; the ROMs from Guhl99 (XDA Forums) do the job. There is an interesting part to these ROMs also, which I like. You really should check his work out.
In case you prefer Cyanogenmod version 10.1, Guhl99 made one also; you can find it via XDA forums. In the platform-tools folder there is a working Cyanogenmod 10.1, cm-10.1-20140309-UNOFFICIAL-vision.zip, in case you don't like spoofing. If you do like it, check out Guhl99's work, which you should do anyway in case of HTC Desire 7.
In your platform-tools folder select AndromadusAOSP4.2-vision-pff-16062013.zip, an AOS Android 4.2.2, and gapps-jb-20130301-signed.zip (they are already present in the platform-tools.zip from Dropbox).
Copy them to the root of your SD card, then download Rom Manager from the link below and install it:
If you can't download it because your SD is occupied, release the USB cable from your phone.
h.t.t.p.w.w.w. apk4fun.com/apk/2119/
Open Rom Manager, select Recovery Setup and activate the 2nd ClockworkMod option; select the 3x version as the option. Go back, select the 1st ClockworkMod option and activate it to flash; it will ask for permission, which you grant. Now ClockworkMod has root access as Superuser. Go back to the main menu of Rom Manager and select Fix Permissions. Now check if everything in your phone settings is still correct: charge only, USB debugging, allow unknown installs etc. Take the USB cable out of your phone. In the Rom Manager menu select Reboot to Recovery and activate it; no need to push buttons this time, the HTC will go to the Rom Manager boot menu automatically on restart, after showing the HTC start screen first.
7. Rom Manager Bootmenu
Another part which needs some attention to proceed. In this menu the Volume up and down buttons are used to scroll. The power button is used to get out of a submenu. The Photo button, on the lower right side, is used to activate the selection. With this knowledge in mind it is easy to navigate and delete Factory Settings, then Cache and, under the advanced menu, the Dalvik Cache. Return to the main menu by pressing the Power button and select install zip from SD. Select ROMAndromadusAOSP4.2-vision-pff-16062013.zip and activate it with the Photo button. The Desire will now install AOS Android 4.2.2. When it is finished, select Install a zip from SD again and this time select gapps-jb-20130301-signed.zip and install it. When ready, select reboot in Rom Manager and the HTC will restart, which will take some minutes, and it will now run on Android 4.2.2. Connect the HTC to the USB cable and copy the 3 files from the platform-tools/PFF folder to your SD. Use a file manager on your HTC to search and install them to play with spoofing.
Now you are ready: This rare quality phone with qwerty keyboard will be at your service for some years more.
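The three-checksum decision that step 5 of the post above describes for gfree, as an added example that is not part of the original post and is not gfree's own code. It assumes you have three files at hand (a dump of partition 18 before the install, the hboot image, and a dump of partition 18 after the install); the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: applies the post's md5sum #1/#2/#3 rule to three files.
# Not gfree's code; function names and verdict strings are made up here.

# md5_of FILE -> prints the hex MD5 digest of FILE
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# hboot_verdict BEFORE IMAGE AFTER
#   BEFORE: dump of partition 18 before the installation (md5sum #1)
#   IMAGE:  hboot image that should be installed         (md5sum #2)
#   AFTER:  dump of partition 18 after the installation  (md5sum #3)
# Prints a verdict; returns 0 when it is safe to continue, 1 otherwise.
hboot_verdict() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "UNREADABLE: $f"; return 1; }
    done
    sum1=$(md5_of "$1"); sum2=$(md5_of "$2"); sum3=$(md5_of "$3")
    # An empty or truncated digest must never count as a match.
    if [ "${#sum2}" -ne 32 ]; then
        echo "NO_DIGEST_FOR_IMAGE"
        return 1
    fi
    if [ "$sum1" = "$sum2" ]; then
        echo "ALREADY_INSTALLED"        # md5sum #1 == md5sum #2
        return 0
    fi
    if [ "$sum3" = "$sum2" ]; then
        echo "INSTALLED_OK"             # md5sum #3 == md5sum #2
        return 0
    fi
    echo "MISMATCH_DO_NOT_REBOOT"       # neither match: stop and re-check
    return 1
}

# When called as a script with three file arguments, print the verdict.
if [ $# -eq 3 ]; then
    hboot_verdict "$@"
fi
```
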
Still works! Thanks!
