Root [guide] How to manually downgrade and root inspire 4g or Desire HD

Discussion in 'Android Devices' started by scotty85, Jun 13, 2012.

  1. scotty85

    scotty85 Well-Known Member
    VIP Member

    Jul 25, 2010
    WARNING! do NOT use this guide if your desire HD or Inspire shipped with gingerbread. will work on devices running GB,as long as they shipped with froyo.

    first,let me explain that i do realize that this is old news. there are now tools,and other means of doing this,so practical value may be minimal. its mainly for fun. im sure there are others out there who enjoy entering things in a cmd window,and doing things "old skool" :)

    i also do believe it is good for folks to have some basic adb skills. i remember being overwhelmed at the thot of dowloading the sdk and getting it set up to use,and this is intented to simplyfiy that,as well as give some basic knowledge/skill about entering commands.

    this guide is for the folks that want to learn about manipulating your phone in cmd with adb and fastboot, and/or are like me and just enjoy it. :)

    first and foremost,i take no credit for the exploits,or most of the commands. bits of code were takin from various places,whom i will try and give credit for.

    i performed the process on an ATT branded inspire 4g,but i believe it should work on any branded inspire 4g or Desire HD(ACE). if anyone encounters a build that fre3vo fails to work on,please let us know.

    -special shout out to DHD master D-U-R-X for constantly dragging me into threads in the DHD and other forums(love it :D) and for giveing me some links that helped immensely figure out what to downgrade to,and some general info about ACE
    -drellisdee on xda for figuring out how to downgrade the htc merge to s-offable vzw firmware. check out his original thread here where a good chunk of the links,code,and files came from. i used this basic concept in this guide.
    -Scotty2 & Tmzt who wrote and developed the wpthis & gfree exploits for the G2
    -sele and the crew in the "rescue squad" on the thunderbolt forum for what i like to call the "mini-adb" concept.
    -whomever came up with the psneuter exploit
    -whomever came up with fre3vo,wich im finding to work on numerous devices(including merge and thunderbolt). when i find out who you are,ill add you.
    -CuBz for basic info and fre3vo commands
    -alpharev/unrevoked for everything they do for the root community

    and now,on to the info :)

    WARNING! this process will wipe your data
    1)download this file: 30387396024ec615b875dc01cc9806c3

    its a big downlod,as is contains the downgrade ruu,as well as adb/fastboot/md5sums utilities and all the exploits.

    also download your carriers most recent RUU,or the most recent unbranded RUU,if you wish to debrand.
    Shipped ROMs
    FileFactory Folder View - Ace

    2)install drivers
    use these,from revolutionary: htc drivers

    3)make a gold card
    this is neccessary in order to flash an unbranded RUU. you should be able to skip this step if your ACE happens to be unbranded allready.
    directions can be found here
    use the app goldcard helper from market. if you use it skip right to the step of "Go to this page and enter this new number into the SD Card Serial (CID) field" and enter the output of the sdcard cid for mmc2 into the goldcard generator site.

    i personally would just pick up a small spare sd to use for this. its not really worth the effort of backin up,transfering,etc. the contents of your current sd to make it into a gold card.

    after youre done,place the gold card into the phone. no real need to move stuff from your original sd card to the gold card,youll only need it this once.

    4)prepare to downgrade
    take the file and extract it if you need to. inside you will find another,same named folder. inside that folder you find a folder called "mini-adb_inspre". take this folder,and move it to your c drive on your computer,however you are comfortable. copy/paste,drag/drop,however is fine. you just want an unzipped mini-adb_inspire on your c drive.

    open a CMD window. on windows 7,click the start bubble,type "command" or "cmd" in the search box. this should open a small black window. may be same or similar for other windows versions.

    enable usb debugging in settings/apps/development. disable fastboot in settings/power. plug in your phone,and select charge only mode.

    now type in the cmd window,at the prompt: cd c:\mini-adb_inspire

    this should change your prompt to c:\mini-adb_inspire>

    5)downgrade with adb
    from this point forward,all commands will be in bold you can copy,then paste them into the cmd window,one at a time. blue are just additional info/comments,and should not be copy/pasted

    (make sure there are no spaces in your cmd command/ruu name if you get an error when running it)
    it should spit out a few things,then a value of: c3d244a9f056e48ee3851a14ff52204c if you dont get this value,do not continue

    adb devices should return your serial number,indicating your connected
    adb push fre3vo /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fre3vo
    adb shell /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF (if you fail to get temp root,try at least once to reboot the phone,and restart step 4)

    adb push misc_version /data/local/tmp
    adb shell chmod 777 /data/local/tmp/misc_version
    adb shell /data/local/tmp/misc_version -s 1.31.405.3

    adb reboot bootloader

    fastboot devices again,should return your serial number

    fastboot getvar mainver should return 1.31.405.3 if not,something went wrong,reboot and start over step 5

    fastboot getvar cid (will tell you y our stock CID. make ote of it if you think yuo may want to restore it later)

    fastboot oem rebootRUU should boot your phone to a black screen with htc in the center
    fastboot flash zip will flash the downgrade fimrware. it can take quite a while to push,and do the checks,so be patient. remember your goldcard must be in the phone,and if you get a cid failure/error,then your gold card was not made correctly. if you get a "cannot open" failure,make sure there are no spaces in the cmd command/ruu name.

    after the firmware flashes:
    fastboot reboot-bootloader should reboot you to the 0.85.0007 hboot of the 1.32.405.6 downgrade firmware

    fastboot reboot will reboot your phone

    6)s-off,superCID,simunlock with gfree

    once booted to the old firmware, skip the startup stuff,enable usb debugging. then:

    adb push psneuter /data/local/
    adb push busybox /data/local/
    adb push wpthis /data/local/
    adb push gfree /data/local/

    adb shell
    chmod 0755 /data/local/psneuter
    chmod 0755 /data/local/wpthis
    chmod 0755 /data/local/gfree
    /data/local/psneuter (to get temp root again)

    adb shell

    /data/local/wpthis (to disable emmc write protect)
    /data/local/gfree -f (this will supercid, simunlock, and s-off phone)

    exit to get back to your mini-adb_inspire> prompt

    adb reboot bootloader boot you to bootloader. verify s-off

    fastboot getvar all will output a few variables

    fastboot reboot to reboot your phone

    7)finishing up
    at this point you should run your carriers most recent,up to date ruu to get back on the most current firmware. this is important. you do not want to be running around on old,outdated radios and firmware. also,there are issuers with some ACE models not being compatible with the sound in the downgrade software. so dont freak out if your sound doesnt work on the downgrade. just flash your upgrade ruu and it will work again. :)

    you can root this firmware by:
    -install a recovery as a PD98IMG cwm-
    -flash superuser files in recovery superuser 3.0.7

    or,you can alternately flash a rom instead of flashing the root files. either way,its a good idea,IMO,to make a backup of your stock unrooted rom,in case you need it :)

    last and not least,here are what you should see in your cmd window:
    red are my copy/pasted inputs. blue are additional coments
    1) downgrade session
    Code (Text):
    1. Microsoft Windows [Version 6.1.7601]
    2. Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    4. C:\Users\Scott>[COLOR="Red"]cd c:\mini-adb_inspire[/COLOR]
    6. c:\mini-adb_inspire>[COLOR="red"]md5sums RUU_Ace_HTC_WWE_1.32.405.6_Radio_12.28b.60.140e_26.0
    9. MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
    10. Copyright (C) 2001-2005 Jem Berkes -
    11. Type md5sums -h for help
    13. [Path] / filename                              MD5 sum
    14. -------------------------------------------------------------------------------
    15. [c:\mini-adb_inspire\]
    16. RUU_Ace_HTC_WWE_1.32.405.6_Radio_12.28... 100% c3d244a9f056e48ee3851a14ff52204c [COLOR="Blue"]<-must match[/COLOR]
    18. c:\mini-adb_inspire>[COLOR="Red"]adb devices[/COLOR]
    19. List of devices attached
    20. HTxxxxxxxxxx    device
    22. c:\mini-adb_inspire>[COLOR="red"]adb push fre3vo /data/local/tmp[/COLOR]
    23. 797 KB/s (9796 bytes in 0.012s)
    25. c:\mini-adb_inspire>[COLOR="red"]adb shell chmod 777 /data/local/tmp/fre3vo[/COLOR]
    27. c:\mini-adb_inspire>[COLOR="red"]adb shell /data/local/tmp/fre3vo -debug -start FBB00000 -end[/COLOR]
    28.  FFFFFFFF
    29. fre3vo by #teamwin
    30. Please wait...
    31. Attempting to modify property...
    32. fb_fix_screeninfo:
    33.   id: msmfb
    34.   smem_start: 802160640
    35.   smem_len: 3145728
    36.   type: 0
    37.   type_aux: 0
    38.   visual: 2
    39.   xpanstep: 0
    40.   ypanstep: 1
    41.   line_length: 1920
    42.   mmio_start: 0
    43.   accel: 0
    44. fb_var_screeninfo:
    45.   xres: 480
    46.   yres: 800
    47.   xres_virtual: 480
    48.   yres_virtual: 1600
    49.   xoffset: 0
    50.   yoffset: 0
    51.   bits_per_pixel: 32
    52.   activate: 16
    53.   height: 106
    54.   width: 62
    55.   rotate: 0
    56.   grayscale: 0
    57.   nonstd: 0
    58.   accel_flags: 0
    59.   pixclock: 0
    60.   left_margin: 0
    61.   right_margin: 0
    62.   upper_margin: 0
    63.   lower_margin: 0
    64.   hsync_len: 0
    65.   vsync_len: 0
    66.   sync: 0
    67.   vmode: 0
    68. Buffer offset:      00000000
    69. Buffer size:        8192
    70. Scanning region fbb00000...
    71. Potential exploit area found at address fbb6cc00:1400.
    72. Exploiting device...
    74. c:\mini-adb_inspire>[COLOR="red"]adb push misc_version /data/local/tmp[/COLOR]
    75. 1189 KB/s (15837 bytes in 0.013s)
    77. c:\mini-adb_inspire>[COLOR="red"]adb shell chmod 777 /data/local/tmp/misc_version[/COLOR]
    79. c:\mini-adb_inspire>[COLOR="red"]adb shell /data/local/tmp/misc_version -s 1.31.405.3[/COLOR]
    80. --set_version set. VERSION will be changed to: 1.31.405.3
    81. Patching and backing up partition 17...
    83. c:\mini-adb_inspire>[COLOR="red"]adb reboot bootloader[/COLOR]
    85. c:\mini-adb_inspire>[COLOR="red"]fastboot devices[/COLOR]
    86. HTxxxxxxxxxx    fastboot
    88. c:\mini-adb_inspire>[COLOR="red"]fastboot getvar mainver[/COLOR]
    89. mainver: 1.31.405.3 [COLOR="Blue"]<-must match[/COLOR]
    90. finished. total time: 0.001s
    92. c:\mini-adb_inspire>[COLOR="Red"]fastboot getvar cid[/COLOR]  [COLOR="Blue"](optional. do if you want to know your stock cid)[/COLOR]
    93. cid: CWS__001
    94. finished. total time: 0.000s
    96. c:\mini-adb_inspire>[COLOR="Red"]fastboot oem rebootRUU[/COLOR]
    97.                               ... OKAY [  0.167s]
    98. finished. total time: 0.168s
    100. c:\mini-adb_inspire>[COLOR="red"]fastboot flash zip[/COLOR] [COLOR="Blue"](if you get an error check for spaces)[/COLOR]
    101.      sending 'zip' (336097 KB)... OKAY [ 55.460s]
    102.                  writing 'zip'... INFOzip header checking...
    103. INFOshift signature_size for header checking...
    104. INFOzip info parsing...
    105. INFOchecking model ID...
    106. INFOchecking custom ID...
    107. INFOstart image[hboot] unzipping for pre-update check...
    108. INFOstart image[hboot] flushing...
    109. INFO[RUU]WP,hboot,0
    110. INFO[RUU]WP,hboot,100
    111. INFOstart image[radio] unzipping for pre-update...
    112. INFOstart image[radio] flushing...
    113. INFO[RUU]WP,radio,0
    114. INFO[RUU]WP,radio,6
    115. INFO[RUU]WP,radio,14
    116. INFO[RUU]WP,radio,19
    117. INFO[RUU]WP,radio,27
    118. INFO[RUU]WP,radio,36
    119. INFO[RUU]WP,radio,44
    120. INFO[RUU]WP,radio,100
    121. ...
    122. ...   [COLOR="blue"](many lines of similar [/COLOR]
    123. ...   [COLOR="blue"]removed for simplicity)[/COLOR]
    124. ...
    125. INFO[RUU]UZ,dzdata,0
    126. INFO[RUU]UZ,dzdata,100
    127. INFO[RUU]WP,dzdata,0
    128. INFO[RUU]WP,dzdata,100
    129. INFOstart image[rcdata] unzipping & flushing...
    130. INFO[RUU]UZ,rcdata,0
    131. INFO[RUU]WP,rcdata,0
    132. INFO[RUU]WP,rcdata,100
    133. OKAY [ 78.951s]
    134. finished. total time: 135.884s
    136. c:\mini-adb_inspire>[COLOR="Red"]fastboot reboot-bootloader[/COLOR]
    137.      rebooting into bootloader... OKAY [  0.155s] [COLOR="Blue"]will reboot to fastboot. verify 0.85.0007[/COLOR]
    138. finished. total time: 0.155s
    140. c:\mini-adb_inspire>[COLOR="red"]fastboot reboot[/COLOR]
    141.                      rebooting...
    142. finished. total time: 0.155s
    144. c:\miniadb_inspire>
    2)gfree session
    Code (Text):
    1. c:\mini-adb_inspire>[COLOR="Red"]adb push psneuter /data/local/[/COLOR]
    2. 1371 KB/s (585731 bytes in 0.417s)
    4. c:\mini-adb_inspire>[COLOR="red"]adb push busybox /data/local/[/COLOR]
    5. 1408 KB/s (1062992 bytes in 0.737s)
    7. c:\mini-adb_inspire>[COLOR="red"]adb push wpthis /data/local/[/COLOR]
    8. 1429 KB/s (679475 bytes in 0.464s)
    10. c:\mini-adb_inspire>[COLOR="red"]adb push gfree /data/local/[/COLOR]
    11. 1458 KB/s (134401 bytes in 0.090s)
    13. c:\mini-adb_inspire>[COLOR="red"]adb shell[/COLOR]
    14. $ [COLOR="red"]chmod 0755 /data/local/psneuter[/COLOR]
    15. chmod 0755 /data/local/psneuter
    16. $ [COLOR="red"]chmod 0755 /data/local/wpthis[/COLOR]
    17. chmod 0755 /data/local/wpthis
    18. $ [COLOR="red"]chmod 0755 /data/local/gfree[/COLOR]
    19. chmod 0755 /data/local/gfree
    20. $ [COLOR="red"]/data/local/psneuter[/COLOR]
    21. /data/local/psneuter
    22. property service neutered.
    23. killing adbd. (should restart in a second or two)
    25. c:\mini-adb_inspire>[COLOR="red"]adb shell[/COLOR]
    26. # [COLOR="red"]/data/local/wpthis[/COLOR]
    27. /data/local/wpthis
    28. Build: 25
    29. Section header entry size: 40
    30. Number of section headers: 45
    31. Total section header table size: 1800
    32. Section header file offset: 0x00014e90 (85648)
    33. Section index for section name string table: 42
    34. String table offset: 0x00014cc7 (85191)
    35. Searching for .modinfo section...
    36.  - Section[16]: .modinfo
    37.  -- offset: 0x00000f80 (3968)
    38.  -- size: 0x000000c4 (196)
    39. Kernel release:
    40. New .modinfo section size: 204
    41. Loading module... OK.
    42. Write protect disabled.
    43. Searching for mmc_blk_issue_rq symbol...
    44.  - Address: c02a9e00, type: t, name: mmc_blk_issue_rq, module: N/A
    45. Kernel map base: 0xc02a9000
    46. Kernel memory mapped to 0x40001000
    47. Searching for brq filter...
    48.  - Address: 0xc02a9e00 + 0x34c
    49.  - 0x2a000012 -> 0xea000012
    50. Done.
    51. # [COLOR="red"]/data/local/gfree -f[/COLOR]
    52. /data/local/gfree -f
    53. --secu_flag off set
    54. --cid set. CID will be changed to: 11111111
    55. --sim_unlock. SIMLOCK will be removed
    56. Section header entry size: 40
    57. Number of section headers: 44
    58. Total section header table size: 1760
    59. Section header file offset: 0x000138b4 (80052)
    60. Section index for section name string table: 41
    61. String table offset: 0x000136fb (79611)
    62. Searching for .modinfo section...
    63.  - Section[16]: .modinfo
    64.  -- offset: 0x00000a14 (2580)
    65.  -- size: 0x000000cc (204)
    66. Kernel release:
    67. New .modinfo section size: 204
    68. Attempting to power cycle eMMC... OK.
    69. Searching for mmc_blk_issue_rq symbol...
    70.  - Address: c02a9e00, type: t, name: mmc_blk_issue_rq, module: N/A
    71. Kernel map base: 0xc02a9000
    72. Kernel memory mapped to 0x40000000
    73. Searching for brq filter...
    74.  - Address: 0xc02a9e00 + 0x34c
    75.  - ***WARNING***: Found fuzzy match for brq filter, but conditional branch is
    76. . (0xea000012)
    77. Patching and backing up partition 7...
    78. patching secu_flag: 0
    79. Done.
    80. # [COLOR="red"]exit[/COLOR]
    81. exit
    83. c:\mini-adb_inspire>[COLOR="red"]adb reboot bootloader[/COLOR]
    85. c:\mini-adb_inspire>[COLOR="red"]fastboot getvar all[/COLOR]
    86. INFOversion: 0.5
    87. INFOversion-bootloader: 0.85.0007
    88. INFOversion-baseband:
    89. INFOversion-cpld: None
    90. INFOversion-microp: 0438
    91. INFOversion-main: 1.32.405.6
    92. INFOserialno: HT18LT211769
    93. INFOimei: 358920041110039
    94. INFOproduct: ace
    95. INFOplatform: HBOOT-7230
    96. INFOmodelid: PD9812000
    97. INFOcidnum: 11111111  [COLOR="Blue"]<-superCID[/COLOR]
    98. INFObattery-status: good
    99. INFObattery-voltage: 4196mV
    100. INFOpartition-layout: Generic
    101. INFOsecurity: off  [COLOR="Blue"]<- s-off[/COLOR]
    102. INFObuild-mode: SHIP
    103. INFOboot-mode: FASTBOOT
    104. INFOcommitno-bootloader: dirty-7eafc656
    105. INFOhbootpreupdate: 11
    106. INFOgencheckpt: 0
    107. all: Done!
    108. finished. total time: 0.024s
    110. c:\mini-adb_inspire>[COLOR="Red"]fastboot reboot[/COLOR]
    111.                      rebooting...
    112. finished. total time: 0.215s
    114. c:\mini-adb_inspire>



  2. scotty85

    scotty85 Well-Known Member
    VIP Member

    Jul 25, 2010
  3. scotty85

    scotty85 Well-Known Member
    VIP Member

    Jul 25, 2010
  4. dld9562

    dld9562 New Member

    Oct 27, 2013
    i ruined a htc inspire with the ace hack kit so im kinda leary about trying this
  5. scotty85

    scotty85 Well-Known Member
    VIP Member

    Jul 25, 2010
    The other guide is possibly a little safer,I'd prolly over this one. In order to use this you must be 110% certain the phone SHIPPED with froyo

    Don't do anything you're not comfortable with :)

    sorry for the vaugness earlier,i had nott realized this post was in the inspire forum :eek:

    this is the other thread i am refering to:

    just holler if you have questions :)

Share This Page