Root How to downgrade and root 2.43.661.1 and up

[aswethinkweiz]

Below you will find exactly what you need and how to execute the commands to gain the downgrade and move forward with temp/perm root. For all I know this may work on all devices but I have only tested it on the Telus HTC desire HD. Thanks go out to http://therootofallevo.com and the post from agrabren. Don’t thank me thank him so if you find out that it works for you feel free to tweet @agrabren with the exploit address and device type so he can add it to known list for the next build of fre3vo

Requirements

• The latest version of HTC Sync installed (required for the phone’s drivers).
• The PD98IMG Stock ROM (Do NOT extract this zip file’s contents or rename it) SEE MY FIRST POST BELOW THIS FOR STOCK ROM DOWNLOAD
• A Gold Card for your phone. See our guide on how to make a Gold Card for HTC Desire HD.
• View attachment Downgrade v3.zip

Steps:

1. Place the PD98IMG file found in DOWNLOAD V3 zip in the root of you phones sd card
2. Enable USB debugging on your phone and place your phone on CHARGE ONLY.
3. Copy remainder of DOWNGRADE V3 folder to the c: drive on your computer
4. Open a command prompt with admin rights and change directories to the downgrade folder
5. Run the below commands one by one (be sure to press enter after each).


adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF

If you get kicked back to your system command prompt, try "adb shell" and see if you get the magic '#'. If so you can now move forward with downgrading.

Run the below commands:

/data/local/tmp/misc_version -s 1.31.405.3 (I used this sw ver when I downloaded)
exit
adb reboot bootloader

Your phone should boot into its bootloader now. Once you see the white bootloader screen, press the power button once to automatically enter the bootloader and detect the PD98IMG.zip file.
You will see a blue progress bar while the file is being examined. Once the progress is complete, press the ‘volume up’ button to confirm that you want to install it.
Wait patiently while this stock ROM is installed and if some items are bypassed, don’t worry about it.
Once the installation is complete, press the ‘power’ button to restart your phone back into Android.
Your phone has now been downgraded to a rootable stock ROM and you can proceed further.
The rest is simple. Download visionary.apk and temp root and then perm root your phone. Everything else is up to you.

Good luck!

 

[aswethinkweiz]

Multiupload.com - upload your files to multiple file hosting sites!

Sorry for not including it. I could not get it to upload with my post. Try workaround out people. Drop me a line if needed. I have only tried it once and it worked on my Telus DHD.

Good luck

 

[D-U-R-X]

Nice one mate... Don't have a Telus DHD myself, but hope this works for everyone who does!!

 

[El Presidente]

Thank you. It would be nice if we could get someone with a Telus DHD to confirm this.

 

[adnansd]

is this will work with 2.42 build number?

 

[bigchrizzieboy]

Downloading...
Will give it an try later this week (need some time).
My Device: Desire HD (completly stock) 2.50.405.2, need more info?

 

[W@$T3]

i get stuck at "adb shell /data/local/tmp/fre3vo"
i wait until 15 minutes and nothing happens

 

[JSLEnterprises]

Fre3vo is based off the gingerbreak source and is for the evo 3D / Sensation, not to mention, was also discontinued, as it no longer worked after the first batch of updates were pushed to these devices.
The blind memory scan to find exploitable data is like what I had mention in one the 3 possible leads I was working with as mentioned in your previous thread.

I'll give your method a go just for the hell of it.

BTW, what was the hex address of the exploitable data from your run, since you and I have the same device (a9192) and were both 2.43.661.1, the address should be the same.

 

[splatterb0y]

DUDE! YOUR AWESOME!

I got a root shell on my Desire HD (not Telus) with the newest Stock-Rom 2.50.405.2!

adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF

was successful and dropped me to a root shell!
This is so awesome!

@OP: I love you for this!

A ROOTED DESIRE HD! YIIIIEAH!

Edit:
Downgraded with RUU now to 1.31.405.6. Everything went fine! Thank you a thousand times!

 

[aswethinkweiz]

Got issues let me know. I will try my best to help. This worked for me on my DHD with the software ver 2.43 less that a week ago. Fre3vo works I tell ya or I would not be rooted now. As you can see from my multiple other posts I was having issues trying to downgrade until I found this lil loophole. Wish I would have took screen shots to show my progress.

 

[satan66]

i get stuck at "adb shell /data/local/tmp/fre3vo"
i wait until 15 minutes and nothing happens

Same here

 

[JSLEnterprises]

adb shell /data/local/tmp/fre3vo
adb shell /data/local/tmp/misc_version

should be skipped, rather go directly to the memory scanning.

running these commands will simply return the same execution as gingerbreak; fre3vo will hang and not continue, misc_version just a permission denied error.


but even then, the memory scanning will freeze.
as mine did at address 102c0000 (no, it didnt find the exploit)

I'm even going off a fresh install of 2.43.661.1 (so as not to have it as controlled an environment as possible)

 

[max63094]

thank you, I have been waiting for this, going to try when I get home. My desire hd is having some software problems and I want to get off stock. Will do update after I try

 

[giusdk]

This is awesome, thanks!!
Wich stock rom should i go after for downgrading?

 

[JSLEnterprises]

Amended Command list from start to finish

You dont need to scan the first 3 sections of memory (as they contain non system data and no exploit can be found on them)


adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF (may kill adb daemon)
adb shell /data/local/tmp/misc_version -s 1.32.405.8
adb reboot bootloader


Now it'll install the rom from the goldcard.



The memory scan confirms my one lead (problem was, gingerbreak didnt have the ability to scan the memory, hence that lead halted for me)
I knew that the data existed in a different area than what gingerbreak was targeting.

 

[JSLEnterprises]

This is awesome, thanks!!
Wich stock rom should i go after for downgrading?

you can use the 1.32.405.8 version of the PD98IMG that is linked to, but you can also use the 2.36.405.8 and then install gingerbreak to root afterwards then radio s-off and eng s-off with the one click tools.

 

[aswethinkweiz]

DUDE! YOUR AWESOME!

I got a root shell on my Desire HD (not Telus) with the newest Stock-Rom 2.50.405.2!

adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF

was successful and dropped me to a root shell!
This is so awesome!

I love you for this!

A ROOTED DESIRE HD! YIIIIEAH!

Glad it worked for you. Stoked to hear it extends for further then just Telus. No thanks needed

 

[SsZzliMm]

Hi !

I entered the lines but I'm stuck at the following:
Buffer offset: 00000000
Buffer size: 8192

Now what ?

 

[W@$T3]

Hi !

I entered the lines but I'm stuck at the following:
Buffer offset: 00000000
Buffer size: 8192

Now what ?

same here..

 

[aswethinkweiz]

adb shell /data/local/tmp/fre3vo
adb shell /data/local/tmp/misc_version

should be skipped, rather go directly to the memory scanning.

running these commands will simply return the same execution as gingerbreak; fre3vo will hang and not continue, misc_version just a permission denied error.


but even then, the memory scanning will freeze.
as mine did at address 102c0000 (no, it didnt find the exploit)

I'm even going off a fresh install of 2.43.661.1 (so as not to have it as controlled an environment as possible)

When I came up with the workaround I ran it just as I did in the original post. No permissions errors what so ever on fresh 2.43. If your tip makes less work I'm with you.

 

[JSLEnterprises]

Uploading different PD98IMG.zip
and 2 batch commands to make it easier for everyone to downgrade (To eliminate problems and confusion)

 

[aswethinkweiz]

Hi !

I entered the lines but I'm stuck at the following:
Buffer offset: 00000000
Buffer size: 8192

Now what ?

never saw that one. Try the next line. Worst case start over

 

[SsZzliMm]

never saw that one. Try the next line. Worst case start over

Every line has the same result:

Buffer offset: 00000000
Buffer size: 8192

... and stuck, nothing happens.

See step by step:

adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 106
width: 62
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192

 

[giusdk]

you can use the 1.32.405.8 version of the PD98IMG that is linked to, but you can also use the 2.36.405.8 and then install gingerbreak to root afterwards then radio s-off and eng s-off with the one click tools.

Thank you..
But i am stucked at the:
adb shell /data/local/tmp/fre3vo

it just hangs.. could it be the connection from the pc to the phone?

if i open htc sync, my phone can't be detected, and i can not remember that i ever could detect it..

 

[giusdk]

Every line has the same result:

Buffer offset: 00000000
Buffer size: 8192

... and stuck, nothing happens.

See step by step:

adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 106
width: 62
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192

If you restart your phone and connects it to the pc, and choose to Sync, and then opens the HTC Sync program on your computer.. Does your phone show?

Mine doesn't.. I got the same problem as you.

But when i connect it as a external hard drive, it recognizes and i can work on the SD Card..