
Difference between revisions of "HTC Vision"

From XDA-Developers
m (INSTALLING ENGINEERING HBOOT (DZ/G2/DHD) - OPTIONAL and UNNECESSARY!)
m (How To Get R/W Access (Permanent Root / "Permaroot"))
Line 189: Line 189:
 
# Make sure usb debugging is turned on on the  phone (Applications > Development, then enable USB debugging)
 
# Make sure usb debugging is turned on on the  phone (Applications > Development, then enable USB debugging)
  
In the commands to run below, $ or # represent the prompt and should NOT be entered as part of the commands.
+
In the commands to run below, "C:\", or "#", or "$" represent the prompt and should NOT be entered as part of the commands. If a "C:\" prompt is shown, then this shows the command being entered on your PC (Windows/Mac/Linux). A # or $ prompt indicates a command being run on the phone.
  
 
'''<big>TEMP ROOT</big>'''
 
'''<big>TEMP ROOT</big>'''
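Review bot: the replacement sentence defines "$" as "a command being run on the phone", but on Mac and Linux the PC shell prompt is also "$", so the new convention is ambiguous for exactly the non-Windows readers the sentence goes on to mention ("Windows/Mac/Linux"). Consider a marker that is not a real prompt on any system for the computer side, e.g. "PC> adb push su /sdcard/su", and reserve "#" and "$" for the phone shell; the hunks below that swap "$" for "C:\" would then use that marker instead.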
Line 196: Line 196:
  
 
<pre>
 
<pre>
$ adb push su /sdcard/su
+
C:\ adb push su /sdcard/su
$ adb push Superuser.apk /sdcard/Superuser.apk
+
C:\ adb push Superuser.apk /sdcard/Superuser.apk
$ adb push rage /data/local/tmp/rage
+
C:\ adb push rage /data/local/tmp/rage
$ adb push busybox /data/local/tmp/busybox
+
C:\ adb push busybox /data/local/tmp/busybox
$ adb push root /data/local/tmp/root
+
C:\ adb push root /data/local/tmp/root
$ adb shell chmod 0755 /data/local/tmp/*
+
C:\ adb shell chmod 0755 /data/local/tmp/*
 
</pre>
 
</pre>
  
Line 249: Line 249:
  
 
<pre>
 
<pre>
  $ adb push gfree /data/local
+
  C:\ adb push gfree /data/local
 
</pre>
 
</pre>
  
Line 297: Line 297:
  
 
<pre>
 
<pre>
  $ adb push gfree_verify /data/local
+
  C:\ adb push gfree_verify /data/local
 
</pre>
 
</pre>
  
Line 304: Line 304:
 
Open a shell using adb (ON YOUR PC):
 
Open a shell using adb (ON YOUR PC):
 
<pre>
 
<pre>
  $ adb shell
+
  C:\ adb shell
 
</pre>
 
</pre>
  

Revision as of 04:47, 6 January 2011

HTC Vision
Model Number: See Page
Specification
Device Type: Phone
Manufacturer: HTC
Release Date: 06 OCT 2010
Operating System: Android
Dimensions: 119.4 x 61 x 15.2 millimeters
Weight: 184.3 grams (battery included)
Chipset: Qualcomm® MSM7230, 800MHz
Display: 3.7-inch TFT-LCD flat touch-sensitive screen
Networks: GSM850, GSM900, GSM1800, GSM1900, HSDPA 1700, HSDPA 2100
Wifi: Not Known
Bluetooth: 2.1 with A2DP
NFC: Not Known
GPS: Yes, with A-GPS support
Video out: Not Known
Camera: 5 megapixel color with autofocus, LED flash
Secondary Camera: none
Internal Memory: ROM: RAM: SDRAM
Memory Card: microSD, up to 32GB, 8GB included
Battery: 1300 mAh Li-Ion
Additional Features: 3.5mm, multitouch


Intro

Internal Forum


HTC Desire Z (Europe)


T-Mobile G2 (USA)


Rumored CDMA versions


Specification

  • Processor: Qualcomm® MSM7230, 800MHz
  • Operating System: Google Android 2.2 (Froyo)
  • Memory:
    • 4GB eMMC (advertised as 4GB on G2, 1.5GB on DZ) (SKU: SDIN5C2-4G)
    • 512 MB RAM
    • MicroSD 2.0 Expansion slot
  • Dimensions: 119mm(L) x 60.4mm(W) x 14.16mm(T)
  • Weight: 180g with battery pack
  • Display:
    • 3.7-inch WVGA 480 x 800
    • Multitouch Panel
    • Super-TFT LCD
  • Connectivity:
    • Bluetooth® 2.1 with EDR,A2DP,AVRCP
    • Wi-Fi®: IEEE 802.11 b/g/n
    • Micro USB Port
  • Camera: 5 megapixel color with autofocus, LED flash, 720P 30fps recording
  • Battery: 1300 mAh rechargeable Li-Ion battery
  • Network:
    • GSM: 850/900/1800/1900 MHz
    • WCDMA/UMTS: 900/1700¹/2100 MHz
    • Data: CSD/GPRS/EDGE/UMTS/HSDPA/HSUPA
  • Misc:
    • HTC FastBoot
    • HTC Sense UI²
    • Qualcomm MSM7230 gpsOne with ZeroWait
    • G Sensor
    • Proximity Sensor
    • Digital Compass
    • Ambient Light Sensor
    • FM Radio with RDS

Detailed Specifications

The Missing 2GB

11-12-10: The following is our best understanding of the issue at-present. Scotty2 says this is "99.9%" the issue and "the only explanation that makes sense."

What Missing 2GB?

Although marketing from T-Mobile claims the phone contains 4GB of internal storage (not including the removable micro-SD card), once the phone was released, users quickly noticed that only ~2GB appears to exist.

Several theories for the "missing" flash memory storage were proposed, including a possible "shadow" installation of the operating system being hidden somewhere, as well as a possible 2GB limitation of the card when in "byte" rather than "sector" mode. Still a third theory proposed that perhaps the extra 2GB were somewhere outside the normal block device where the Android kernel's flash controller couldn't find it.

Apparently, none of these theories were correct.

So where is the missing 2GB?

To answer this, it is first necessary to understand a bit about how internal flash cards, such as the Sandisk card (also known as an "emmc") on the HTC Vision, store information.

Luckily, Sandisk has provided a helpful video. Pay particular attention to the discussion of SLC (single-level cell) and MLC (multi-level cell) in Chapter 5.

In an SLC configuration, a single bit is packed into each memory cell. In a multi-level cell, you can fit 2, 3, 4 or more bits in each cell. You get a lot of capacity with more bits per cell, but at the expense of speed and reliability.

In trying to figure out where the missing 2GB went, scotty2 noticed that most of the Sandisk card's block device (that is, the part with Android on it) had been partitioned within the regular "User Data Area" as an "Enhanced User Data Area".

Note that when we talk about partitioning the emmc, we're not talking about regular MBR partitions like /dev/whatever. An emmc partition is a very low-level partition of the flash. Each emmc partition constitutes a full block device, which can then be further partitioned into a bootloader, /system, /data, etc.

The card's datasheet wasn't too clear about what the "Enhanced User Data Area" did that was so different from the regular User Data Area, although one thing was clear-- once its parameters were set, you couldn't "un-set" it. To quote the datasheet, the Enhanced User Data Area "can be programmed only once during the device life-cycle (one-time programmable)."

But why was the entire Sandisk partitioned in this special "Enhanced" User Data area? No one knew.

Then tmzt found this. It's an article by Toshiba that suggests what's going on:

Those areas requiring better reliability are SLC or can be programmed as SLC. . . the Enhanced User Data Area, which may store, for example, system log files, are SLC. The User Data Area, which may store music, pictures, videos and other files is MLC. . . Each 1 bit configured as SLC results in 2 bits less of MLC. Theoretically an 8GB e-MMC device (densities are defined in MLC terms), could be configured virtually all as SLC and thus would be approximately 4GB. In most cases, it is more likely that the majority of the memory would be configured as MLC to support higher density.

You've probably figured out by now what's likely happened here. Assuming the Sandisk emmc works like Toshiba's, the 4GB flash has probably been, save for a few tiny partitions such as the radio, irreversibly configured to use SLC, rather than MLC. If so, the benefit is faster performance and perhaps greater stability (and more read/write cycles). But its capacity/density would be cut in half.

And that, my friends, may very well be where your 2GB has gone.

So To Conclude...

Assuming the above is a correct understanding of the issue, the following appears to be the case:

  • The HTC vision has a 4GB firmware card
  • It has been irreversibly partitioned to use a faster/more reliable configuration called SLC
  • This has resulted in a practical capacity/density of ~2GB

Update: Initial investigations from over a month ago reported that T-Mobile attributed this issue to "creative partitioning": ("I called into T-Mobile Android support and was assured this number is correct, and that I do have the full 4GB storage on-board... there's just some "creative partitioning" going on.") This may correlate with the explanation provided above.

Update 12/6/10: A more technical discussion of this (with pictures) is here.

Bootup Key Sequences

Bootloader (HBOOT): Volume Down + power on

Fastboot: Touchpad button + Power

Reboot phone from within HBOOT or Fastboot: Power + Volume Down + Touchpad button

Navigating Recovery Mode

Show/Hide Log Text: Volume Up + Power

Navigate Menu: Volume Up/Down

Select Action: Power

November 2010 OTA Update

T-Mobile released an OTA update for the G2 on 3 November. It enables Wi-Fi calling as well as Wi-Fi tethering (with a T-Mobile tethering plan).

The OTA does not include a new hboot (hboot cannot be downgraded once upgraded), but does include a newer kernel, recovery, and radio image, all of which can be downgraded from this OTA to the shipping versions. #g2root now considers it safe to install the OTA.

Note that if you do decide to apply the OTA, and you've used paulobrien's Google Goggles remover, then you won't be able to cleanly install. You will have to reflash to the original ROM to update.

Rooting the Vision (G2/DZ) and DHD

Introduction

We would like to be a model of openness as a stark contrast to HTC's and T-Mobile's closed attitudes. Allegiances to any particular teams or groups are far less important than a willingness to help, and all who want to help are welcome. Credit will always be given where it is due, so don't worry about anyone claiming your work as his or her own. Catch up on our current progress below and join us in IRC.

Update 12-1-10: A new way of "permarooting" by first temp rooting and then running gfree to turn radio s-off has been created by scotty2 and is the safer/recommended way to get permanent access to read-write.

How To Get R/W Access (Permanent Root / "Permaroot")

WARNING: Be aware that by following these instructions you are messing with your phone with potential for screwing things up. Do so at your own risk. The many authors of this guide assume no responsibility for any damage to your phone, health, general well-being, or anything else untoward with respect to these instructions or you following them.

12-1-10: THESE INSTRUCTIONS HAVE CHANGED RECENTLY. UNTIL THEY ARE BETTER TESTED, CONSIDER THEM "BETA" AND EXPERIMENTAL. USE AT YOUR OWN RISK.

Overview

  1. Disable Visionary auto-run or uninstall it completely.
  2. Download files and put in /data/local
  3. Get temp root using rage
  4. Run "gfree" to enable permanent read/write (radio S-OFF)
  5. Push needed files for 'su' to the (now permanently writable) /system partition
  6. Reboot
  7. OPTIONAL: Install an engineering bootloader. Only recommended after full phone backup.

Note: If you are not technically inclined, you may want to wait for an automated version to be released.

Procedure

There's already a guide here for obtaining permanent root using VISIONary, but some folks in #G2ROOT are having issues with the way that VISIONary can potentially write dirty cache pages back to flash. VISIONary will need to be disabled or uninstalled so that it does not cause any adverse issues. Using rage directly is a bit cleaner, since you know exactly what it's going to touch at each step of the way.

REQUIREMENTS

  1. Having the proper USB drivers installed - Windows USB Drivers for the Vision
  2. Disable auto-run or uninstall Visionary if you have it (I know I said this but it's important!)
  3. Android Terminal Emulator app
  4. adb (installed as part of the Android SDK.)
  5. gfree_temp-root.zip
  6. gfree_02.zip
  7. Make sure your phone's sdcard is mounted by your phone and not your computer when following these instructions. Also ensure that you have at least 5MB free on your sdcard.
  8. Make sure usb debugging is turned on on the phone (Applications > Development, then enable USB debugging)

In the commands to run below, "C:\", or "#", or "$" represent the prompt and should NOT be entered as part of the commands. If a "C:\" prompt is shown, then this shows the command being entered on your PC (Windows/Mac/Linux). A # or $ prompt indicates a command being run on the phone.

TEMP ROOT

ON YOUR PC: Unzip the gfree_temp-root.zip files to a folder. From a cmd window or terminal, navigate to that folder and execute these commands:

C:\ adb push su /sdcard/su
C:\ adb push Superuser.apk /sdcard/Superuser.apk
C:\ adb push rage /data/local/tmp/rage
C:\ adb push busybox /data/local/tmp/busybox
C:\ adb push root /data/local/tmp/root
C:\ adb shell chmod 0755 /data/local/tmp/*

ON YOUR PHONE:

  1. Launch Terminal Emulator
  2. $ /data/local/tmp/rage
  3. Wait for the message: "Forked #### childs."
  4. Menu > Reset Term - Terminal Emulator will exit.
  5. Launch Terminal Emulator, it Force Closes. Launch a second time, and you'll have a root shell
  6. **NOTE**: in the original directions from the XDA thread, you are instructed to run the /data/local/tmp/root script here. DON'T do this just yet. Leave the terminal window open.

PERMAROOT (using "gfree" + "root")

gfree version 0.02 and its options

As of the current version 0.02, gfree supports the following options:

gfree usage:
gfree [-h|-?|--help] [-v|--version] [-s|--secu_flag on|off]
	-h | -? | --help: display this message
	-v | --version: display program version
	-s | --secu_flag on|off: turn secu_flag on or off
	-c | --cid <CID>: set the CID to the 8-char long CID
	-S | --sim_unlock: remove the SIMLOCK

	-f | --free_all: same as --secu_flag off --sim_unlock --cid 11111111

In the following steps the -f will be used to mimic the behavior of the original gfree version that will do radio S-OFF, Super-CID and simunlock in one go.

If you are only interested in permanent root you only need radio S-OFF and then it is sufficient to use

 # ./gfree -s off

instead of

 # ./gfree -f

in the following commands.

gfree can now also be used to set radio S-ON by using the "-s on" option, and to change the CID back to the original value by using e.g. "-c T-MOB010" if you want or have to go back. In addition, since version 0.03 gfree can also be used just to remove the write protection from the emmc and to remove the kernel's write filter on the radio partitions by using the "-w" option. This is handy if you want to restore your partition 7 backup.

ON YOUR PC:

Unzip gfree_02.zip to a place on your computer. Navigate to where the files are on your computer, and type:

 C:\ adb push gfree /data/local

Gfree should now be in your phone at /data/local

ON YOUR PHONE:

You should still have terminal emulator up, at a root prompt from earlier.

Now run:

# cd /data/local
# chmod 777 gfree
# ./gfree -f
# sync

You now have read-write access to your /system, hboot, and recovery partitions. But you still need to "lock in" root, and give you 'su' access in the future. So just do:

 # /data/local/tmp/root
 # sync

Wait a few seconds for the changes to "take".

Now reboot your phone.

Congratulations! You're perma-rooted, radio S-OFF, and should have read-write access to your /system! But more than that, your phone should also be SIM-unlocked, so that you can use a SIM card from any carrier (T-Mobile, AT&T, Vodafone, etc.) See below for more info about that.

At this point you might consider downloading the Rom Manager app from the Android market and using it to install the Clockwork recovery and back up via the nandroid "backup" option, should things go terribly wrong for you in the next (optional) step.

Also, gfree created a backup of your original partition 7 at /sdcard/part7backup-

VERIFY (using "gfree_verify")

Now you can try using a new SIM card to verify that it worked.

In addition you can use gfree_verify to verify the state of your locks.

Download gfree_verify.zip from gfree_verify_v01.zip

ON YOUR PC:

Unzip gfree_verify_v01.zip to a place on your computer. Navigate to where the file is on your computer, and type:

 C:\ adb push gfree_verify /data/local

gfree_verify should now be in your phone at /data/local

Open a shell using adb (ON YOUR PC):

 C:\ adb shell

Use this shell to run the gfree_verify (IN THE ADB SHELL ON YOUR PC).

# su
# cd /data/local
# chmod 777 gfree_verify
# stop ril-daemon
# ./gfree_verify

You should see the following output:

gfree verify_cid returned: 
@CID: 11111111

OK

gfree verify_secu_flag returned: 
@secu_flag: 0

OK

gfree verify_simlock returned: 
@SIMLOCK= 00

OK

Start the interface layer again (IN THE ADB SHELL ON YOUR PC) - (or reboot your phone):

start ril-daemon

Did it work? Here's what you're looking for:

@CID: 11111111 <--- this response means you have superCID!

@SIMLOCK= 00 <--- this means your simlock is off.

@secu_flag: 0 <--- this means your radio is S-OFF.

There are also OLDER, MANUAL instructions for verifying the state of the locks at below.

INSTALLING ENGINEERING HBOOT (DZ/G2/DHD) - OPTIONAL and UNNECESSARY!

Assuming you've backed up your phone with Clockwork's nandroid, you can install the engineering HBOOT (bootloader), which among other things allows you to use fastboot flash (or flashing-over-usb from your computer). This is unnecessary for most users but provides additional functionality for developers.

This is totally optional and dangerous - if the write to the phone partition fails the phone will be bricked. At the moment there is no cure for a phone that has been bricked by a failed hboot install.

First, if you haven't, connect your phone w/USB and download the appropriate HBOOT for your phone; you will need to unzip this file to extract the hboot image:

Note that the md5sums are for the actual hboot img contained within the zip file, not for the zip file itself. Note also that the DZ, G2, and DHD each use their own version of the engineering hboot, as the phones are partitioned differently. (If you have previously installed the wrong HBOOT for your phone, you may need to reflash everything after partition 18.) See: info about hboot

Then, from your computer:

$ adb push hboot-eng.img /data/local

Before transferring the image to the flash partition you should verify the md5sum of the file on your phone. Use the following command, the checksum should match the hboot image you downloaded for your platform. Here's an example, note how it matches the checksum for the DZ hboot.

$ md5sum /data/local/hboot-eng.img
2ce1bdd5e4c1119ccfcecb938710d742  /data/local/hboot-eng.img
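A small integrity gate for this step, added here as an example (it is not part of the original page, nor of the gfree or hboot tooling): it parses `md5sum` output as captured from the phone, compares the digest against the expected one in constant time, and reports "safe to proceed" only on a match. The DZ digest is the one shown above; the G2 and DHD digests are not on this page and are deliberately left out of the table, so the check refuses those platforms until their values are added from the download pages.

```python
import hashlib
import hmac
import re

# Expected MD5 of the unzipped hboot image, per platform. Only the DZ value is
# on the page; the G2 and DHD values must be added from their download pages.
EXPECTED_HBOOT_MD5 = {
    "dz": "2ce1bdd5e4c1119ccfcecb938710d742",
}

# One line of `md5sum` output: 32 hex digits, whitespace, then the path.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)\s*$")


def md5_hex(data: bytes) -> str:
    """MD5 hex digest of in-memory bytes (what md5sum prints for a file)."""
    return hashlib.md5(data).hexdigest()


def parse_md5sum_output(text: str) -> dict:
    """Map path -> hex digest for every well-formed line of md5sum output.

    Lines that do not look like md5sum output (shell prompts, errors such as
    'No such file or directory') are ignored rather than mis-read as a hash.
    """
    digests = {}
    for line in text.splitlines():
        m = MD5SUM_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def digest_matches(reported: str, expected: str) -> bool:
    """Case-insensitive comparison that does not leak where the digests differ."""
    return hmac.compare_digest(reported.lower(), expected.lower())


def check_before_flash(md5sum_output: str, image_path: str, platform: str):
    """Decide whether the image at image_path may be written to flash.

    Returns (ok, reason). ok is True only when the md5sum output contains a
    digest for image_path and that digest equals the expected one for platform.
    """
    expected = EXPECTED_HBOOT_MD5.get(platform.lower())
    if expected is None:
        return False, f"no known checksum for platform {platform!r}"
    reported = parse_md5sum_output(md5sum_output).get(image_path)
    if reported is None:
        return False, f"no md5sum line for {image_path}; was the push complete?"
    if not digest_matches(reported, expected):
        return False, f"checksum mismatch: got {reported}, expected {expected}"
    return True, "checksum verified; safe to proceed with the write"


if __name__ == "__main__":
    # Constructed sample: the md5sum line exactly as the page shows it for the
    # DZ image, as it would be captured from `adb shell md5sum ...`.
    sample = "2ce1bdd5e4c1119ccfcecb938710d742  /data/local/hboot-eng.img\n"
    print(check_before_flash(sample, "/data/local/hboot-eng.img", "dz"))
    print(check_before_flash(sample, "/data/local/hboot-eng.img", "g2"))
```

Feed it the text returned by `adb shell md5sum /data/local/hboot-eng.img`. MD5 is not collision-resistant, but it is adequate for what the page uses it for: catching a truncated or corrupted transfer before an irreversible write to the bootloader partition.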

This next step is CRUCIAL. You must make sure that you are writing to the proper partition here or you could brick your phone. To be absolutely clear- the partition is mmcblk(zero)p(one)(eight)

I'd recommend using an adb shell from your computer (with root privileges: just unlock your phone, run 'su' in adb shell, a window will pop up in your phone asking you to allow it to run, check for it to remember, then allow, the prompt in adb shell will change to '#') for the following command, as it will permit you to copy/paste it:

# dd if=/data/local/hboot-eng.img of=/dev/block/mmcblk0p18

That should do it. You can verify that you have the engineering HBOOT by restarting the phone into the bootloader and looking for "ENG" on the screen. (it should say something like "VISION PVT ENG S-OFF")

Good luck!

Note: If for some reason the phone gets stuck at boot (at the white HTC screen) don't panic. Go into recovery (ClockworkMod), format CACHE and reboot.

Subsidy Unlock, SuperCID, and Radio S-OFF

Background

One at a time. What is Subsidy Unlock and why do I want it?

When you buy your Vision phone from T-Mobile, sold as the "G2", your phone is locked to the phone company's network-- the carrier.

If you travel outside of the coverage area for your carrier, your phone will go into "roaming" mode, and you will be charged up the ass. Now, what can you do about this? You may wish to purchase a local, pre-paid SIM Card in the country in which you're traveling to make calls or perhaps to buy a few day's worth of Internet access. But if you try, you'll find your phone won't take foreign SIM cards.

Similarly, if you're a T-Mobile customer with a G2 and you wanted to use another phone network within the US that uses a GSM network, such as AT&T, you will be unable to use an AT&T SIM card in your phone. It just won't work.

Why won't your phone take non-T-Mobile Sim cards? Because it's been "locked" (or "SIM-locked" or "subsidy locked" or "carrier locked").

SIM-unlocking your phone will offer the benefit of allowing you to use your phone with other carriers.

NOTE: T-Mobile does offer an unlock code to its loyal customers who are traveling overseas. You can call them and request it. However, as the XDA-forums can attest, some people have had difficulty with their codes, causing the phone to be unable to establish a connection to ANY network.

We want to fix that.

Got it. Next-- what is this "SuperCID" thing?

First let's talk about what a "CID" is in the first place. CID, as best I can tell, stands for "Carrier IDentification" and it's a little number that restricts which software can be installed on a phone. The CID determines for example, that only an officially-signed T-Mobile radio can be installed on a T-Mobile phone. And it's why you can't flash a Vodafone ROM onto a Bell Desire Z.

It may be helpful to think of the CID as a kind of "region coding" like you find on DVDs, where a North American DVD can't be played in a European player. But if you hack your DVD player, you could switch it from a European player to a North American one. Or you might even hack it to play both.

You can do the same with phones. SuperCID is, as the name implies, a universal CID where the phone will accept any kind of firmware image from anyone.

Finally, what's Radio S-OFF and What Does It Mean to Me?

The "S" stands for "Security".

As scotty2 says, "s-off is the switch that says 'alright, do whatever you want to do - good luck!"

So here's how it works- normally when you boot up, HBOOT (the bootloader) says to the radio, "are you S-ON or S-OFF?" If the radio says "S-ON" then the bootloader WILL prevent you from using most of its commands, and WILL write protect system and recovery. If the radio says "S-OFF", then it will NOT prevent you from using most of its commands, and it will NOT write protect system and recovery.

Even phones that have been "permarooted" still have an S-ON radio.

But- you say, system and recovery haven't been protected since scotty2 figured out how to defeat the emmc protection... That's what permaroot is all about, isn't it?! So surely the radio must already be S-OFF!

Nope. You've had "Label" S-OFF. Not Radio S-OFF.

As scotty2 puts it, "[by patching HBOOT], we forge [messages to HBOOT] so it always looks like the radio says it's S-OFF." This works great so long as you've got a hacked HBOOT. But here's the problem-- people have been getting into trouble by flashing factory firmware over their rooted firmware. First thing it does before writing the ROM is overwrite their patched HBOOT. HBOOT turns on read-only mode on the recovery and /system, and the poor folks get locked out of their phones with the old firmware still there.

Having "real" radio S-OFF, scotty2 says, "will save people from almost-bricking-by-way-of-reflashing-factory-firmware." It also means you'll have unrestricted access to messing with your phone's radio. Although- he notes, the android kernel itself restricts your access to the radio partition. For your safety.

Unlock the Phone, Set SuperCID, and Turn Radio S-OFF

Now featuring scotty2's new method: gfree.

NOTE: If you have NOT permarooted your phone previously with the HBOOT/wpthis method, doing so using the new "gfree" method listed above in this wiki should have the added effect of sim-unlocking the phone, setting superCID and turning Radio S-OFF. In fact, it's the new method for permarooting. So if you haven't yet permarooted, look at those instructions.

WARNING: Be aware that by following these instructions you are messing with your phone with potential for screwing things up. Do so at your own risk. The many authors of this guide assume no responsibility for any damage to your phone, health, general well-being, or anything else untoward with respect to these instructions or you following them.

gfree and radio versions

gfree is known not to work for radio firmwares with higher versions than 26.03.02.xx

The reason for this is that HTC patched the hole that allowed scotty2 to power cycle the emmc chip to drop its write protection.

So if you installed a radio version with a higher version number, downgrade the radio firmware before using gfree.

gfree and kernel versions

gfree uses a dynamic in-memory patch of the kernel to remove the kernel's write protection of the radio settings partition.

So, for those of you who have permarooted the old HBOOT way and put on new kernels: the following kernel versions are known NOT to work yet with gfree. If you have one of the following kernel versions on your phone, install a different (stock, OTA or cyanogen) kernel before starting this procedure:

Kernel:

  • Cyanogen kernel of release 6.1.1
  • pershoots 11/30 build
  • pershoot's 2.6.32.26 – OC-UV-NEON_FP (1.516GHZ)
  • 2.6.32.26-cm-virtuous-v1.0 rmk@droid#1

It may well be that other newer kernels also do not work with gfree. So if you experience problems with this procedure (either the phone reboots during the process, or the procedure completes correctly but the verify still shows that the phone is locked), then it is in general a very good idea to downgrade the kernel to an original stock kernel or, even better, to this kernel.

Okay. So we're assuming you've permarooted already. You might want to back up your phone with nandroid on the Clockwork recovery image first, just in case. Make sure you have USB Debugging turned on and at least 5MB on your sdcard.

Note: If you hanker to do it the longer, manual, harder, and more dangerous way, or are just curious what gfree does, see the wiki history for the old instructions.

No? Then let's begin.

1. Download gfree and verify sdcard is not mounted by your computer

You will need to download a program called gfree that will first copy partition 7 of the phone, then patch it, then reflash back to your phone. (verified to work with the g2 and desire z as well as the desire hd). (You will also need adb, which you can download as part of the Android SDK.)

Unzip gfree_02.zip to a place on your computer.

Make sure your computer is not mounting your phone's sdcard.

gfree version 0.02 and its options

As of the current version 0.02, gfree supports the following options:

gfree usage:
gfree [-h|-?|--help] [-v|--version] [-s|--secu_flag on|off]
	-h | -? | --help: display this message
	-v | --version: display program version
	-s | --secu_flag on|off: turn secu_flag on or off
	-c | --cid <CID>: set the CID to the 8-char long CID
	-S | --sim_unlock: remove the SIMLOCK

	-f | --free_all: same as --secu_flag off --sim_unlock --cid 11111111

In the following steps the -f will be used to mimic the behavior of the original gfree version that will do radio S-OFF, Super-CID and simunlock in one go.

But you can use the same procedure as below with different options to either just set one of these, or to go back to radio S-ON and your original CID.

2. Run gfree on the phone

On your computer's terminal/command line, navigate to where the gfree file is, and then...

adb push gfree /data/local
adb shell

This copies gfree to your phone, then puts you in your phone's terminal. Then (IN THE ADB SHELL) do this:

su
cd /data/local
chmod 777 gfree
./gfree -f
sync

Wait a few moments for the sync to "take". Then reboot your phone. That's it!

gfree created a backup of your original partition 7 at /sdcard/part7backup-<time>.bin you might consider copying this to a safe location on your computer.

Now you can try using a new SIM card to verify that it worked. Also, if you had to flash a different kernel before running gfree, you may now reflash the kernel you originally had.

Here are some optional steps to make sure you did it right:

3. (OPTIONAL) Verify you did it right

There is a newer method to verify your success using gfree_verify -> see VERIFY using gfree_verify

To verify all went well, do this:

  1. Plug in your phone to your computer
  2. In the Terminal/command line, type this:

adb shell

this puts you in the phone's shell. now it's a simple matter of the following:

(note the # is your prompt. Don't type the "#". The lines without the # are returned by the phone.)

# su
# stop ril-daemon
# cat /dev/smd0 &
# echo -e 'ATE1\r' > /dev/smd0
0
#
# echo -e 'ATV1\r' > /dev/smd0
OK
# echo -e 'AT@CID?\r' > /dev/smd0
@CID: 11111111

OK
echo -e 'AT@SIMLOCK?40\r' > /dev/smd0
# AT@SIMLOCK?40
@SIMLOCK= 00

OK
#echo -e 'AT@SIMLOCK?AA\r' > /dev/smd0
 AT@SIMLOCK?AA
@secu_flag: 0

OK

It should look something like that anyway. It may look slightly different if you were typing while the computer was sending you back information. Alternatively, you could open two terminals that connect to your phone: one for sending commands (except for the cat /dev/smd0 & command, which is used to read back data), and the other to issue just the remaining command "cat /dev/smd0" (remember to strip off the final &).

Did it work? Here's what you're looking for:

@CID: 11111111 <--- this response means you have superCID! Congrats!

@SIMLOCK= 00 <--- this means your simlock is off. Mazel Tov!

@secu_flag: 0 <--- this means your radio is S-OFF. Hurrah!
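The three lines you are looking for here are the same three lines gfree_verify prints in the VERIFY section above, so one parser covers both outputs. The following is an added example, not part of the original page and not part of gfree: it extracts the @CID, @SIMLOCK and @secu_flag values from captured output and reports the three verdicts the page lists, including the case where a response is missing (which usually means the check never ran, e.g. because ril-daemon was not stopped). The "locked" sample and its SIMLOCK code 01 are constructed for illustration; only 00 is documented on the page as unlocked, and treating every other value as locked is an assumption.

```python
import re

# The three responses the page says to look for. They appear in the same form
# in gfree_verify's output and in the raw AT-command session.
CID_RE = re.compile(r"@CID:\s*(\S{8})")
SIMLOCK_RE = re.compile(r"@SIMLOCK=\s*([0-9A-Fa-f]{2})")
SECU_FLAG_RE = re.compile(r"@secu_flag:\s*([01])")

SUPER_CID = "11111111"  # the value gfree -f / --cid 11111111 writes


def parse_lock_state(text: str) -> dict:
    """Pull the raw CID, SIMLOCK and secu_flag values out of captured output.

    A value is None when the corresponding line is absent, which is itself a
    signal that the check did not run (e.g. ril-daemon was still holding smd0).
    """
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None
    return {
        "cid": first(CID_RE),
        "simlock": first(SIMLOCK_RE),
        "secu_flag": first(SECU_FLAG_RE),
    }


def interpret(state: dict) -> dict:
    """Turn raw values into the three yes/no answers the page lists."""
    cid, simlock, secu = state["cid"], state["simlock"], state["secu_flag"]
    return {
        "super_cid": None if cid is None else cid == SUPER_CID,
        # The page documents only '00' as unlocked; anything else is reported
        # as still locked (assumption: no other 'unlocked' code exists).
        "sim_unlocked": None if simlock is None else simlock == "00",
        "radio_s_off": None if secu is None else secu == "0",
    }


def report(text: str) -> list:
    """Human-readable summary lines, one per check."""
    raw = parse_lock_state(text)
    verdict = interpret(raw)
    labels = {
        "super_cid": ("CID", raw["cid"], "SuperCID", "carrier CID"),
        "sim_unlocked": ("SIMLOCK", raw["simlock"], "SIM unlocked", "SIM locked"),
        "radio_s_off": ("secu_flag", raw["secu_flag"], "radio S-OFF", "radio S-ON"),
    }
    lines = []
    for key, (name, value, yes, no) in labels.items():
        v = verdict[key]
        if v is None:
            lines.append(f"{name}: no response captured")
        else:
            lines.append(f"{name}: {value} -> {yes if v else no}")
    return lines


# Sample inputs. The first two are the outputs shown on the page; the third is
# a constructed 'still locked' sample (T-MOB010 is the stock CID the page
# names; the SIMLOCK code 01 is made up for illustration).
GFREE_VERIFY_OUTPUT = """gfree verify_cid returned:
@CID: 11111111

OK

gfree verify_secu_flag returned:
@secu_flag: 0

OK

gfree verify_simlock returned:
@SIMLOCK= 00

OK
"""

AT_SESSION = """# echo -e 'AT@CID?\\r' > /dev/smd0
@CID: 11111111

OK
# echo -e 'AT@SIMLOCK?40\\r' > /dev/smd0
@SIMLOCK= 00

OK
# echo -e 'AT@SIMLOCK?AA\\r' > /dev/smd0
@secu_flag: 0

OK
"""

LOCKED_SAMPLE = "@CID: T-MOB010\n@SIMLOCK= 01\n@secu_flag: 1\n"

if __name__ == "__main__":
    for name, text in [("gfree_verify", GFREE_VERIFY_OUTPUT),
                       ("AT session", AT_SESSION),
                       ("locked sample", LOCKED_SAMPLE)]:
        print(name)
        for line in report(text):
            print("  " + line)
```

Pipe the captured terminal text into `report()`; because the regexes require the "@CID:", "@SIMLOCK=" and "@secu_flag:" forms, the echoed commands ("AT@CID?", "AT@SIMLOCK?40") are not mistaken for responses.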

References

Documentation and Sources

SanDisk iNAND e.MMC Datasheet - Verified correct datasheet as per IC markings from this post, "SanDisk SDIN5C2-4G 0352S0S07A"

4.4 eMMC Documentation - We believe this is the correct version, but for a possible SPI mode the 4.2 version is referenced below. Specifically, here are the parts applying to write protection.

4.2 eMMC Documentation

HTC Desire Z kernel source almost certainly T-Mobile G2 kernel source as well

HTC Wildfire kernel that has some MSM7x30 code in it

Code Aurora Forums (CAF) - More specifically, as it relates to the G2

Github of current modules

IntuitiveNipple's Vision site, containing ongoing analysis of HBOOT and RADIO images. Check in for HBOOT reverse engineering info

On XDA

XDA Discussion Thread #1

XDA Discussion Thread #2

Kinda unrelated, but here is HTC's response to their gpl violation.

IRC

Freenode IRC channels:

  • #G2ROOT <- please familiarize yourself with this page and IntuitiveNipple's wiki before asking questions.
  • #g2-chat <- please use this one for non-rooting related questions. People will jump all over you if you ask an offtopic question in #g2root
  • #G2-DEV

To catch up on what you may have missed:

Radio Partition Map

=================== partition info begin ===================
/boot/qcsbl_cfg type_id = 0X4D, start_sector = 0X00000001, size_in_sectors = 0X000003E8
/boot/qcsbl type_id = 0X45, start_sector = 0X000003E9, size_in_sectors = 0X00000080
/boot/oemsbl type_id = 0X46, start_sector = 0X00000469, size_in_sectors = 0X00002328
!~_(0.76.200 type_id = 0XFFFF, start_sector = 0X00002791, size_in_sectors = 0X00FFD870
/boot/modem type_id = 0X49, start_sector = 0X00002792, size_in_sectors = 0X0000EA60
/boot/adsp type_id = 0X50, start_sector = 0X000111F3, size_in_sectors = 0X000061A8
/boot/htc type_id = 0X51, start_sector = 0X0001739C, size_in_sectors = 0X00001000
/boot/rf_nv type_id = 0X52, start_sector = 0X0001839D, size_in_sectors = 0X00001800
/boot/nv_mfg type_id = 0X53, start_sector = 0X00019B9E, size_in_sectors = 0X00001000
/boot/cdma_user_data type_id = 0X54, start_sector = 0X0001AB9F, size_in_sectors = 0X00000800
/boot/rf_delta type_id = 0X56, start_sector = 0X0001B3A0, size_in_sectors = 0X00000800
/boot/reserved type_id = 0X55, start_sector = 0X0001BBA1, size_in_sectors = 0X0000445F
/boot/modem_fs1 type_id = 0X4A, start_sector = 0X00020001, size_in_sectors = 0X00001800
/boot/modem_fs2 type_id = 0X4B, start_sector = 0X00021802, size_in_sectors = 0X00001800
/boot/htc_data type_id = 0X74, start_sector = 0X00023003, size_in_sectors = 0X00000800
/boot/htc_reserved type_id = 0X75, start_sector = 0X00023804, size_in_sectors = 0X000045FB
/boot/misc type_id = 0X76, start_sector = 0X00027E00, size_in_sectors = 0X00000200
/boot/appsbl type_id = 0X47, start_sector = 0X00028001, size_in_sectors = 0X00000800
/boot/splash type_id = 0X34, start_sector = 0X00028802, size_in_sectors = 0X00000800
/boot/wifi type_id = 0X36, start_sector = 0X00029003, size_in_sectors = 0X00000A00
/boot/recovery type_id = 0X71, start_sector = 0X00029A04, size_in_sectors = 0X000043FA
/boot/apps type_id = 0X48, start_sector = 0X0002DDFF, size_in_sectors = 0X00002000
/boot/mfg type_id = 0X73, start_sector = 0X0002FE00, size_in_sectors = 0X00000200
/boot/misc2 type_id = 0X31, start_sector = 0X00030001, size_in_sectors = 0X00000200
/boot/system type_id = 0X83, start_sector = 0X00030202, size_in_sectors = 0X000CFDFD
/boot/system type_id = 0X83, start_sector = 0X00100000, size_in_sectors = 0X00299001
/boot/system type_id = 0X83, start_sector = 0X00399002, size_in_sectors = 0X00066667
/boot/devlog type_id = 0X19, start_sector = 0X003FF66A, size_in_sectors = 0X0000A000
!~_(0.76.200 type_id = 0XFFFFFFFF, start_sector = 0X00000000, size_in_sectors = 0X00000800
!~_(0.76.200 type_id = 0XFFFFFFFF, start_sector = 0X00000000, size_in_sectors = 0X00000800
=================== partition info end ===================

HBOOT partition map

[merge_mfg]:(MERGEMFG, 10) block start=0, size=0 (0 KB)
[radio]:(OTHER, 4) block start=0, size=163840 (0 KB)
[merge_emmc]:(RAW, 4) block start=0, size=4194304 (655360 KB)
[fat]:(RAW, C00) block start=0, size=0 (0 KB)
[local]:(RAW, 0) block start=0, size=0 (0 KB)
[spcustom]:(RAW, 0) block start=0, size=0 (0 KB)
[microp]:(OTHER, 0) block start=0, size=0 (0 KB)
[cpld]:(OTHER, 0) block start=0, size=0 (0 KB)
[rcdata]:(OTHER, 0) block start=0, size=0 (0 KB)
[a1026]:(OTHER, 0) block start=0, size=0 (0 KB)
[tp]:(OTHER, 0) block start=0, size=0 (0 KB)
[wimax]:(RAW, 0) block start=0, size=0 (0 KB)
[nv]:(OTHER, 0) block start=0, size=0 (0 KB)
[htcdata]:(RAW, 7404) block start=143363, size=2048 (1233216 KB)
[radio_reserve]:(RAW, 7504) block start=145412, size=17915 (1661741 KB)
[dzsystem]:(DEZERO, 8) block start=197122, size=851453 (425726 KB)
[dzdata]:(DEZERO, 8) block start=1048576, size=2723841 (1361920 KB)
[misc]:(RAW, 7601) block start=163328, size=512 (256 KB)
[hboot]:(RAW, 4701) block start=163841, size=2048 (1024 KB)
[sp1]:(RAW, 3401) block start=165890, size=2048 (1024 KB)
[wifi]:(RAW, 3601) block start=167939, size=2560 (1280 KB)
[recovery]:(RAW, 7101) block start=170500, size=17402 (8701 KB)
[boot]:(RAW, 4801) block start=187903, size=8192 (4096 KB)
[mfg]:(RAW, 7301) block start=196096, size=512 (256 KB)
[misc2]:(RAW, 3101) block start=196609, size=512 (256 KB)
[system]:(EXT3, 8301) block start=197122, size=851453 (425726 KB)
[userdata]:(EXT3, 8301) block start=1048576, size=2723841 (1361920 KB)
[cache]:(EXT3, 8301) block start=3772418, size=419431 (209715 KB)
[devlog]:(EXT3, 1901) block start=4191850, size=40960 (20480 KB)
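The two maps above describe the same eMMC in different units: the radio table prints hex start sectors and type IDs, HBOOT prints decimal block numbers and names, and HBOOT's "size=2048 (1024 KB)" entries show that both count 512-byte units. The script below is an added example, not part of the original wiki page or of any tool it references: it parses excerpts of both dumps (copied verbatim from the tables above), joins them on start sector to show which radio entry is which HBOOT partition (appsbl is hboot, apps is boot, splash is sp1, and the three type 0x83 entries are system, userdata and cache), converts sectors to byte offsets, skips the unused 0xFFFF placeholder rows, and checks that no two entries of a map overlap. The 512-byte sector size is an assumption taken from the HBOOT sizes, and the hex conversion is done in awk because busybox awk has no strtonum.

```shell
#!/bin/sh
# Added example (not from the XDA wiki): cross-check the radio and HBOOT
# partition maps. Excerpts below are copied as-is from the two tables.
SECTOR=512   # assumption: HBOOT's "size=2048 (1024 KB)" implies 512-byte blocks

radio_dump='
/boot/misc type_id = 0X76, start_sector = 0X00027E00, size_in_sectors = 0X00000200
/boot/appsbl type_id = 0X47, start_sector = 0X00028001, size_in_sectors = 0X00000800
/boot/splash type_id = 0X34, start_sector = 0X00028802, size_in_sectors = 0X00000800
/boot/wifi type_id = 0X36, start_sector = 0X00029003, size_in_sectors = 0X00000A00
/boot/recovery type_id = 0X71, start_sector = 0X00029A04, size_in_sectors = 0X000043FA
/boot/apps type_id = 0X48, start_sector = 0X0002DDFF, size_in_sectors = 0X00002000
/boot/mfg type_id = 0X73, start_sector = 0X0002FE00, size_in_sectors = 0X00000200
/boot/misc2 type_id = 0X31, start_sector = 0X00030001, size_in_sectors = 0X00000200
/boot/system type_id = 0X83, start_sector = 0X00030202, size_in_sectors = 0X000CFDFD
/boot/system type_id = 0X83, start_sector = 0X00100000, size_in_sectors = 0X00299001
/boot/system type_id = 0X83, start_sector = 0X00399002, size_in_sectors = 0X00066667
/boot/devlog type_id = 0X19, start_sector = 0X003FF66A, size_in_sectors = 0X0000A000
!~_(0.76.200 type_id = 0XFFFFFFFF, start_sector = 0X00000000, size_in_sectors = 0X00000800
'
hboot_dump='
[misc]:(RAW, 7601) block start=163328, size=512 (256 KB)
[hboot]:(RAW, 4701) block start=163841, size=2048 (1024 KB)
[sp1]:(RAW, 3401) block start=165890, size=2048 (1024 KB)
[wifi]:(RAW, 3601) block start=167939, size=2560 (1280 KB)
[recovery]:(RAW, 7101) block start=170500, size=17402 (8701 KB)
[boot]:(RAW, 4801) block start=187903, size=8192 (4096 KB)
[mfg]:(RAW, 7301) block start=196096, size=512 (256 KB)
[misc2]:(RAW, 3101) block start=196609, size=512 (256 KB)
[system]:(EXT3, 8301) block start=197122, size=851453 (425726 KB)
[userdata]:(EXT3, 8301) block start=1048576, size=2723841 (1361920 KB)
[cache]:(EXT3, 8301) block start=3772418, size=419431 (209715 KB)
[devlog]:(EXT3, 1901) block start=4191850, size=40960 (20480 KB)
'

# radio_table: "name start size" in decimal sectors; rows whose type_id is
# all-F are unused placeholders and are dropped.
radio_table() {
  printf '%s\n' "$radio_dump" | awk -F'[ ,=]+' '
    function hex(s,  i, v) {            # portable hex -> decimal (no strtonum in busybox awk)
      v = 0; s = toupper(s); sub(/^0X/, "", s)
      for (i = 1; i <= length(s); i++)
        v = v * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
      return v
    }
    $2 == "type_id" && $3 !~ /^0XF+$/ { print $1, hex($5), hex($7) }'
}

# hboot_table: "name start size" pulled out of the [name]:(TYPE, id) block start=.. size=.. lines
hboot_table() {
  printf '%s\n' "$hboot_dump" | awk '
    match($0, /^\[[a-z0-9_]*\]/) {
      name = substr($0, 2, RLENGTH - 2)
      match($0, /start=[0-9]+/); start = substr($0, RSTART + 6, RLENGTH - 6)
      match($0, /size=[0-9]+/);  size  = substr($0, RSTART + 5, RLENGTH - 5)
      print name, start + 0, size + 0
    }'
}

# cross_reference: join both tables on start sector and print
# "radio_name hboot_name start_sector byte_offset"
cross_reference() {
  { radio_table | sed 's/^/R /'; hboot_table | sed 's/^/H /'; } | awk -v sec="$SECTOR" '
    $1 == "R" { rname[$3] = $2 }
    $1 == "H" && ($3 in rname) { printf "%s %s %d %d\n", rname[$3], $2, $3, $3 * sec }'
}

# check_overlaps TABLE_FUNCTION: sort by start sector and report any entry that
# begins before the previous one ends; exit status 1 if any overlap is found.
check_overlaps() {
  "$1" | sort -n -k2,2 | awk '
    NR > 1 && $2 < end { print prev " overlaps " $1; bad = 1 }
    { prev = $1; end = $2 + $3 }
    END { exit bad + 0 }'
}

if [ "${1:-}" = "show" ]; then
  cross_reference
  check_overlaps radio_table && check_overlaps hboot_table && echo "no overlaps"
fi
```

Run it as `sh partmap.sh show` to print the joined table. The join is by start sector rather than by name on purpose: the radio dump labels three different partitions "/boot/system", and names such as appsbl/hboot and apps/boot differ between the two firmwares even though the ranges are identical.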

ROMs

Official

[ROM]Vision_TMOUS_1.19.531.1_Radio_12.21.60.09b_26.02.01.15_M2 - http://forum.xda-developers.com/showthread.php?t=788489

[OTA] e4aaacea73af.OTA_Vision_TMUS_1.22.531.8-1.1.19.531.1_release_signed.zip - http://forum.xda-developers.com/showpost.php?p=8978583&postcount=1

PC10IMG - http://shipped-roms.com/index.php?category=android&model=Vision

Custom

CyanogenMod ROM -- a popular custom ROM for the Vision. The latest version at the time of writing is 6.1.1, but check the forums to make sure you get the latest.

Radios

Official

Returning to Stock

So what if I need to change it all back to stock for warranty purposes or something else?

Turning S-On

If you are returning your Vision to stock, you will want to flash your stock ROM and Recovery image before starting this, as root permissions and S-Off are required for both of those processes.

Remove Gfree (turn back S-On):

When you first ran gfree, it automatically backed up your stock partition 7 (the S-On version) to your microSD card as a file named part7-(something).bin. Rename this file to: partition7-relock.img

Open up your ADB command prompt on your computer (with your phone plugged in) and type the following exactly as shown:

Code:

   adb shell
   su
   cd /data/local
   chmod 777 gfree
   ./gfree
   dd if=/sdcard/partition7-relock.img of=/dev/block/mmcblk0p7
   sync
   reboot bootloader


Your phone will reboot into bootloader. Look at the first line. The end should now say "S-On".
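The dd step in the procedure above overwrites /dev/block/mmcblk0p7 in place, and nothing in the listed commands confirms that partition7-relock.img is the right length or that the write landed. Before running it, a practitioner would want to check that the image is exactly the partition's size, keep a copy of what is on the partition right now, and read the partition back afterwards. The script below is an added example, not from the wiki page and not part of gfree; it uses only commands a busybox adb shell provides (dd, wc, cksum, awk, sync). The image and device paths on the usage line are the ones from the procedure above, the path for saving the current contents is hypothetical, and the script assumes 512-byte sectors.

```shell
#!/bin/sh
# Added example (not from the XDA wiki, not part of gfree): write a backed-up
# partition image over a block device only after checking its length, saving
# the current contents, and verifying the write by reading it back.
# Usage on the phone, as root:
#   sh restore_part7.sh /sdcard/partition7-relock.img /dev/block/mmcblk0p7 /sdcard/part7-before-relock.bin
SECTOR=512   # assumption: 512-byte sectors, as in the partition maps above

# Length in bytes of a regular file, or of a block device via /proc/partitions
# (which lists sizes in 1 KiB units, e.g. "179 7 1024 mmcblk0p7").
byte_length() {
  if [ -b "$1" ]; then
    awk -v dev="${1##*/}" '$4 == dev { print $3 * 1024; exit }' /proc/partitions
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# CRC of exactly the first NBYTES of a file or device, so an image file and a
# block device can be compared on equal footing.
crc_prefix() {   # crc_prefix PATH NBYTES
  dd if="$1" bs="$SECTOR" count=$(( $2 / SECTOR )) 2>/dev/null | cksum | cut -d' ' -f1
}

# restore_partition IMAGE DEVICE SAVE_CURRENT_TO
#   1. refuse unless IMAGE is whole sectors and exactly DEVICE's length
#   2. copy DEVICE's current contents to SAVE_CURRENT_TO so the step can be undone
#   3. write IMAGE, sync, read DEVICE back and compare CRCs
restore_partition() {
  img=$1 dev=$2 save=$3
  img_len=$(byte_length "$img")
  dev_len=$(byte_length "$dev")
  if [ $(( img_len % SECTOR )) -ne 0 ]; then
    echo "refusing: $img is not a whole number of $SECTOR-byte sectors" >&2
    return 1
  fi
  if [ "$img_len" -ne "$dev_len" ]; then
    echo "refusing: $img is $img_len bytes but $dev is $dev_len bytes" >&2
    return 1
  fi
  dd if="$dev" of="$save" bs="$SECTOR" count=$(( dev_len / SECTOR )) 2>/dev/null || return 1
  dd if="$img" of="$dev" bs="$SECTOR" 2>/dev/null || return 1
  sync
  if [ "$(crc_prefix "$img" "$img_len")" != "$(crc_prefix "$dev" "$img_len")" ]; then
    echo "read-back mismatch on $dev; do NOT reboot, write $save back first" >&2
    return 1
  fi
  echo "$dev now matches $img ($img_len bytes); previous contents saved to $save"
}

# Only act when given all three paths, so the file can also be sourced for its functions.
if [ $# -eq 3 ]; then
  restore_partition "$1" "$2" "$3"
fi
```

If the length check fails, the image on the card is not the one gfree wrote (or was truncated while copying), and dd would have silently rewritten only part of the partition; stop and find the correct backup rather than forcing the write. The saved copy lets you put the S-Off partition back if the bootloader does not come up as expected.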