How To Get R/W Access (Permanent Root / "Permaroot") using gfree v1.0
Having the proper USB drivers installed - HTC Sync including Windows USB Drivers for the Vision
Disable auto-run or uninstall Visionary if you have it (It's important!)
adb (installed as part of the Android SDK.) See this guide on how to install/setup adb on your PC.
The HTC Desire Z with a firmware version higher than 1.34, T-Mobile G2 with a firmware version higher than 1.22 and the Desire HD with a firmware version higher then 1.32 have to be downgraded before proceeding.
Downgrading HTC Desire Z, T-Mobile G2 and Desire HD
For the 1.XX firmware HTC Desire Z follow this guide Downgrade DZ till step 12 and then come back.
For the 1.XX firmware HTC Desire HD follow this guide Downgrade HD and then come back.
For the 2.XX firmware HTC Desire Z/Desire HD and T-Mobile G2 follow this guide GUIDE Downgrade G2 2.13.531.8 (2.3.3 T-Mobile Rom w/ S-ON) & DZ 2.3.3 w/ S-ON" and come back. The history can be found in this thread New exploit works with Gingerbread! and Desire Z users see this posting of the thread Desire Z explanation.
Please use your brain when following these postings / guides. Especially make sure that you use a PC10IMG.zip for your device!
1. Necessary files
psneuter psneuter.zip (md5sum 89c2dec8d72d87b4c669f44dd31c8d17)
gfree v1.0 gfree_10.zip (md5sum 0bc9fc22bda897c765b02066f8a3c83b)
root_psn root_psn.zip (md5sum c8fe38ef55eb8951def9ff17b2eb99c1)
Superuser package su-18.104.22.168-efgh.zip (md5sum 43d9a40b63e916635d5ad7ca32433fab)
1.1. engineering hboot
Download the appropriate HBOOT for your phone:
T-Mobile G2: vision.hboot-0.76.2000.zip / Mirror (md5sum 7669AE12DC2FAA10AE555A164980EFD0)
HTC Desire Z: vision.hboot-0.84.2000.zip / Mirrors in this thread (md5sum 2CE1BDD5E4C1119CCFCECB938710D742)
HTC Desire HD: ace_glacier.hboot-0.85.2007.zip (md5sum df4fd77f44993eb05a4732210d2eddc6)
Note that the md5sums are for the actual hboot img contained within the zip file, not the for the zip file itself. Note also that the dz, g2, and dhd each use their own version of the engineering boot, as the phones are partitioned differently. (If you have previously installed the wrong HBOOT for your phone, you may need to reflash everything after partition 18)
1.2. clockwork recovery
Download the appropriate clockwork recovery for your phone:
ClockworkMod Recovery 5.0:
T-Mobile G2 and HTC Desire Z: recovery-clockwork-22.214.171.124-vision.img (md5sum 87a428549440894dbe2f96dd5efc4fb5)
HTC Desire HD: recovery-clockwork-126.96.36.199-ace.img (md5sum b8d77b9352dcbb41839e45342ea35658)
ClockworkMod Recovery 5.8 (touch):
T-Mobile G2 and HTC Desire Z: recovery-clockwork-touch-188.8.131.52-vision.img (md5sum b21aa5a0d593b6ebce880be3316ff64a)
HTC Desire HD: recovery-clockwork-touch-184.108.40.206-ace.img (md5sum fd6abfbc459663455a25b88ca7d77442)
Rename the file to 'recovery-clockwork.img'.
2. Copy the files to the phone
Before you can adb as described below you need to enable debugging in the settings on the phone. In Settings go to "Applications -> Development" and check the "USB debugging" option.
Connect the phone to the USB of your PC. The phone will stay connected during the complete procedure.
Make sure that you do NOT turn on USB storage. There has to be a sdcard in the phone and it has to be mounted to the phone!
In the commands to run below, $ or # represent the prompt and should NOT be entered as part of the commands (in Windows this will be something like C:\> instead).
Unpack all the zip files to a directory on your PC. Open a terminal (or command window) on your PC and change the current directory to where the files are on your PC and execute these commands:
$ adb push psneuter /data/local/tmp/
$ adb push gfree /data/local/tmp/
$ adb push busybox /data/local/tmp/
$ adb push hboot-eng.img /data/local/tmp/
$ adb push root_psn /data/local/tmp/
$ adb push su /sdcard/
$ adb push Superuser.apk /sdcard/
$ adb shell chmod 755 /data/local/tmp/*
2. clockwork recovery for T-Mobile G2 and HTC Desire Z
To copy your clockwork recovery execute the following command in the terminal or command window
$ adb push recovery-clockwork.img /data/local/tmp/recovery.img
3. Temporary root
In the terminal (or command window) execute these commands:
$ adb shell /data/local/tmp/psneuter
$ adb shell
after the last command you should have a root shell in adb (this is indicated by a # prompt). Leave this terminal (or command window) that contains the root shell open.
4 S-OFF, root and its friends Super-CID, SIM-unlock, engineering hboot, clockwork recovery and root
In the following section we are trying to gain write access to the emmc by power cycling it.
We recommend to install the engineering hboot as part of the gfree procedure.
In the root shell (indicated by the #) that you got in the Temporary root section execute the following commands:
# cd /data/local/tmp
# ./gfree -f -b hboot-eng.img -y recovery.img
Wait a few seconds for the changes to "take".
4.1. Automatic gfree hboot verification
As it is very important that the hboot was installed correctly gfree calculates md5sums of the partition. It will calculate the following 3 checksums
md5sum #1 - checksum of partition 18 before the installation
md5sum #2 - checksum of the hboot image that should be installed
md5sum #3 - checksum of partition 18 after the installation
gfree will check the md5sums and give you a proper success or error message. The messages are explained in detail at gfree-wiki
The messages that you want to see are either:
md5sum #1 == md5sum #2 - the hboot image is already installed -> skipping installation
md5sum #3 == md5sum #2 - the hboot image was successfully installed -> OK!
If you get a different error message you should run for help at #G2ROOT on Freenode.
If you got one of the two success messages described above -> You are fine, Reboot your phone by executing the following command in the root shell (indicated by the #):
5. Verify the success of gfree
You can verify the success of gfree by using gfree_verify.
Download gfree_verify.zip from gfree_verify_v01.zip (md5sum 8e3535fd720d19fa0aec4eb711b897c4)
Unzip gfree_verify_v01.zip to a place on your PC.
Open a terminal (or command window) on your PC and change the current directory to where the files are on your PC and execute these commands:
$ adb push gfree_verify /data/local/tmp
$ adb shell chmod 755 /data/local/tmp/gfree_verify
$ adb shell
In this shell:
Remark: When you run su for the first time in the adb shell make sure the the screen of the phone is unlocked. Because when you enter the command the Superuser app will show up and ask you if you want to grant superuser access to app Unknown (2000).
Check the Remember check box and click allow.
# cd /data/local/tmp
# stop ril-daemon
You should see the following output:
gfree verify_cid returned:
gfree verify_secu_flag returned:
gfree verify_simlock returned:
Start the interface layer again (IN THE ADB SHELL ON YOUR PC):
# start ril-daemon
Did it work? Here's what you're looking for:
: 11111111 <--- this response means you have superCID!
= 00 <--- this means your simlock is off.
_flag: 0 <--- this means your radio is S-OFF.
6. Backup and cleanup
During the process gfree created backups of the partitions that it changed on your sdcard in /sdcard/
The files are called /sdcard/part7backup-.bin, part18backup-<time>.bin (if you installed hboot) and part21backup-<time>.bin. It is highly recommended that you copy these files to a save location on your PC and keep them!
You can delete the files in /data/local/tmp they are not needed anymore.
7. Next steps
Find a custom rom that you would like to install and install it using the clockwork recovery.
Enjoy the freedom of your phone.
If you like free phones and our work we would like to ask you to support the EFF.
Support the EFF