1. Are you ready for the Galaxy S20? Here is everything we know so far!

How to downgrade and root 2.43.661.1 and up

Discussion in 'Android Devices' started by aswethinkweiz, Jul 25, 2011.

  1. aswethinkweiz

    aswethinkweiz Newbie
    Thread Starter

    Below you will find exactly what you need and how to execute the commands to gain the downgrade and move forward with temp/perm root. For all I know this may work on all devices but I have only tested it on the Telus HTC desire HD. Thanks go out to http://therootofallevo.com and the post from agrabren. Don’t thank me thank him so if you find out that it works for you feel free to tweet @agrabren with the exploit address and device type so he can add it to known list for the next build of fre3vo


    • The latest version of HTC Sync installed (required for the phone’s drivers).
    • The PD98IMG Stock ROM (Do NOT extract this zip file’s contents or rename it) SEE MY FIRST POST BELOW THIS FOR STOCK ROM DOWNLOAD
    • A Gold Card for your phone. See our guide on how to make a Gold Card for HTC Desire HD.
    • View attachment Downgrade v3.zip

    1. Place the PD98IMG file found in DOWNLOAD V3 zip in the root of you phones sd card
    2. Enable USB debugging on your phone and place your phone on CHARGE ONLY.
    3. Copy remainder of DOWNGRADE V3 folder to the c: drive on your computer
    4. Open a command prompt with admin rights and change directories to the downgrade folder
    5. Run the below commands one by one (be sure to press enter after each).

    adb push fre3vo /data/local/tmp
    adb push misc_version /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fre3vo
    adb shell chmod 777 /data/local/tmp/misc_version
    adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF

    If you get kicked back to your system command prompt, try "adb shell" and see if you get the magic '#'. If so you can now move forward with downgrading.

    Run the below commands:

    /data/local/tmp/misc_version -s 1.31.405.3 (I used this sw ver when I downloaded)
    adb reboot bootloader

    Your phone should boot into its bootloader now. Once you see the white bootloader screen, press the power button once to automatically enter the bootloader and detect the PD98IMG.zip file.
    You will see a blue progress bar while the file is being examined. Once the progress is complete, press the ‘volume up’ button to confirm that you want to install it.
    Wait patiently while this stock ROM is installed and if some items are bypassed, don’t worry about it.
    Once the installation is complete, press the ‘power’ button to restart your phone back into Android.
    Your phone has now been downgraded to a rootable stock ROM and you can proceed further.
    The rest is simple. Download visionary.apk and temp root and then perm root your phone. Everything else is up to you.

    Good luck!

    holmesie456, gecata, wiggmond and 9 others like this.
  2. aswethinkweiz

    aswethinkweiz Newbie
    Thread Starter

  3. D-U-R-X

    D-U-R-X turbo drinker

    Nice one mate... Don't have a Telus DHD myself, but hope this works for everyone who does!!
  4. El Presidente

    El Presidente Beware The Milky Pirate!
    VIP Member

    Thank you. It would be nice if we could get someone with a Telus DHD to confirm this.
  5. adnansd

    adnansd Lurker

    is this will work with 2.42 build number?
  6. Downloading...
    Will give it an try later this week (need some time).
    My Device: Desire HD (completly stock) 2.50.405.2, need more info?
  7. W@$T3

    W@$T3 Lurker

    i get stuck at "adb shell /data/local/tmp/fre3vo"
    i wait until 15 minutes and nothing happens
  8. Fre3vo is based off the gingerbreak source and is for the evo 3D / Sensation, not to mention, was also discontinued, as it no longer worked after the first batch of updates were pushed to these devices.
    The blind memory scan to find exploitable data is like what I had mention in one the 3 possible leads I was working with as mentioned in your previous thread.

    I'll give your method a go just for the hell of it.

    BTW, what was the hex address of the exploitable data from your run, since you and I have the same device (a9192) and were both 2.43.661.1, the address should be the same.
  9. splatterb0y

    splatterb0y Lurker


    I got a root shell on my Desire HD (not Telus) with the newest Stock-Rom 2.50.405.2!

    1. adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
    was successful and dropped me to a root shell!
    This is so awesome!

    @OP: I love you for this!


    Downgraded with RUU now to 1.31.405.6. Everything went fine! Thank you a thousand times!
  10. aswethinkweiz

    aswethinkweiz Newbie
    Thread Starter

    Got issues let me know. I will try my best to help. This worked for me on my DHD with the software ver 2.43 less that a week ago. Fre3vo works I tell ya or I would not be rooted now. As you can see from my multiple other posts I was having issues trying to downgrade until I found this lil loophole. Wish I would have took screen shots to show my progress.
  11. satan66

    satan66 Lurker

    Same here:mad:
  12. adb shell /data/local/tmp/fre3vo
    adb shell /data/local/tmp/misc_version

    should be skipped, rather go directly to the memory scanning.

    running these commands will simply return the same execution as gingerbreak; fre3vo will hang and not continue, misc_version just a permission denied error.

    but even then, the memory scanning will freeze.
    as mine did at address 102c0000 (no, it didnt find the exploit)

    I'm even going off a fresh install of 2.43.661.1 (so as not to have it as controlled an environment as possible)
  13. max63094

    max63094 Newbie

    thank you, I have been waiting for this, going to try when I get home. My desire hd is having some software problems and I want to get off stock. Will do update after I try
  14. giusdk

    giusdk Lurker

    This is awesome, thanks!!
    Wich stock rom should i go after for downgrading?
  15. Amended Command list from start to finish

    You dont need to scan the first 3 sections of memory (as they contain non system data and no exploit can be found on them)

    adb push fre3vo /data/local/tmp
    adb push misc_version /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fre3vo
    adb shell chmod 777 /data/local/tmp/misc_version
    adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF (may kill adb daemon)
    adb shell /data/local/tmp/misc_version -s 1.32.405.8
    adb reboot bootloader

    Now it'll install the rom from the goldcard.

    The memory scan confirms my one lead (problem was, gingerbreak didnt have the ability to scan the memory, hence that lead halted for me)
    I knew that the data existed in a different area than what gingerbreak was targeting.
  16. you can use the 1.32.405.8 version of the PD98IMG that is linked to, but you can also use the 2.36.405.8 and then install gingerbreak to root afterwards then radio s-off and eng s-off with the one click tools.
    aswethinkweiz likes this.
  17. aswethinkweiz

    aswethinkweiz Newbie
    Thread Starter

    Glad it worked for you. Stoked to hear it extends for further then just Telus. No thanks needed :D
  18. SsZzliMm

    SsZzliMm Newbie

    Hi !

    I entered the lines but I'm stuck at the following:
    Buffer offset: 00000000
    Buffer size: 8192

    Now what ?
  19. W@$T3

    W@$T3 Lurker

    same here..
  20. aswethinkweiz

    aswethinkweiz Newbie
    Thread Starter

    When I came up with the workaround I ran it just as I did in the original post. No permissions errors what so ever on fresh 2.43. If your tip makes less work I'm with you.
  21. Uploading different PD98IMG.zip
    and 2 batch commands to make it easier for everyone to downgrade (To eliminate problems and confusion)
    W@$T3 likes this.
  22. aswethinkweiz

    aswethinkweiz Newbie
    Thread Starter

    never saw that one. Try the next line. Worst case start over
  23. SsZzliMm

    SsZzliMm Newbie

    Every line has the same result:

    Buffer offset: 00000000
    Buffer size: 8192

    ... and stuck, nothing happens.

    See step by step:

    adb push fre3vo /data/local/tmp
    adb push misc_version /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fre3vo
    adb shell chmod 777 /data/local/tmp/misc_version
    adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
    fre3vo by #teamwin
    Please wait...
    Attempting to modify ro.secure property...
    id: msmfb
    smem_start: 802160640
    smem_len: 3145728
    type: 0
    type_aux: 0
    visual: 2
    xpanstep: 0
    ypanstep: 1
    line_length: 1920
    mmio_start: 0
    accel: 0
    xres: 480
    yres: 800
    xres_virtual: 480
    yres_virtual: 1600
    xoffset: 0
    yoffset: 0
    bits_per_pixel: 32
    activate: 16
    height: 106
    width: 62
    rotate: 0
    grayscale: 0
    nonstd: 0
    accel_flags: 0
    pixclock: 0
    left_margin: 0
    right_margin: 0
    upper_margin: 0
    lower_margin: 0
    hsync_len: 0
    vsync_len: 0
    sync: 0
    vmode: 0
    Buffer offset: 00000000
    Buffer size: 8192
  24. giusdk

    giusdk Lurker

    Thank you..
    But i am stucked at the:
    adb shell /data/local/tmp/fre3vo

    it just hangs.. could it be the connection from the pc to the phone?

    if i open htc sync, my phone can't be detected, and i can not remember that i ever could detect it..
  25. giusdk

    giusdk Lurker

    If you restart your phone and connects it to the pc, and choose to Sync, and then opens the HTC Sync program on your computer.. Does your phone show?

    Mine doesn't.. I got the same problem as you.

    But when i connect it as a external hard drive, it recognizes and i can work on the SD Card..

HTC Desire HD Forum

The HTC Desire HD release date was October 2010. Features and Specs include a 4.3" inch screen, 8MP camera, 768GB RAM, Snapdragon S2 processor, and 1230mAh battery.

October 2010
Release Date

Share This Page