HTC Desire Z (Europe)
- Official Website: http://www.htc.com/www/product/desirez/overview.html
- Forums: http://forum.xda-developers.com/forumdisplay.php?f=756
T-Mobile G2 (USA)
- Official Website: http://www.htc.com/us/products/t-mobile-g2
- Forums: http://forum.xda-developers.com/forumdisplay.php?f=750
- Processor: Qualcomm® MSM7230, 800MHz
- Operating System: Google Android 2.2 (Froyo)
- 4GB eMMC (advertised as 4GB on G2, 1.5GB on DZ) (SKU: SDIN5C2-4G)
- 512 MB RAM
- MicroSD 2.0 Expansion slot
- Dimensions: 119mm(L) x 60.4mm(W) x 14.16mm(T)
- Weight: 180g with battery pack
- 3.7-inch WVGA 480 x 800
- Multitouch Panel
- Super-TFT LCD
- Bluetooth® 2.1 with EDR,A2DP,AVRCP
- Wi-Fi®: IEEE 802.11 b/g/n
- Micro USB Port
- Camera: 5 megapixel color with autofocus, LED flash, 720P 30fps recording
- Battery: 1300 mAh rechargeable Li-Ion battery
- GSM: 850/900/1800/1900 MHz
- WCDMA/UMTS: 900/1700¹/2100 MHz
- Data: CSD/GPRS/EDGE/UMTS/HSDPA/HSUPA
- HTC FastBoot
- HTC Sense UI²
- Qualcomm MSM7230 gpsOne with ZeroWait
- G Sensor
- Proximity Sensor
- Digital Compass
- Ambient Light Sensor
- FM Radio with RDS
- HTC Desire Z - http://pdadb.net/index.php?m=specs&id=2596&view=1&c=htc_desire_z_htc_vision
- Tmobile G2 - http://pdadb.net/index.php?m=specs&id=2476&view=1&c=t-mobile_g2_htc_vision
The Missing 2GB
11-12-10: The following is our best understanding of the issue at-present. Scotty2 says this is "99.9%" the issue and "the only explanation that makes sense."
What Missing 2GB?
Although marketing from T-Mobile claims the phone contains 4GB of internal storage (not including the removable micro-SD card), once the phone was released, users quickly noticed that only ~2GB appears to exist.
Several theories for the "missing" flash memory storage were proposed, including a possible "shadow" installation of the operating system being hidden somewhere, as well as a possible 2GB limitation of the card when in "byte" rather than "sector" mode. Still a third theory proposed that perhaps the extra 2GB were somewhere outside the normal block device where the Android kernel's flash controller couldn't find it.
Apparently, none of these theories were correct.
So where is the missing 2GB?
To answer this, it is first necessary to understand a bit about how internal flash cards, such as the Sandisk card (also known as an "emmc") on the HTC Vision, store information.
Luckily, Sandisk has provided a helpful video. Pay particular attention to the discussion of SLC (single-level cell) and MLC (multi-level cell) in Chapter 5.
In an SLC configuration, a single bit is packed into each memory cell. In a multi-level cell, you can fit 2, 3, 4 or more bits in each cell. You get a lot of capacity with more bits per cell, but at the expense of speed and reliability.
In trying to figure out where the missing 2gb went, scotty2 noticed that most of the Sandisk card's block device (that is, the part with Android on it) had been partitioned within the regular "User Data Area" as an "Enhanced User Data Area".
Note that when we talk about partitioning the emmc, we're not talking about regular MBR partitions like /dev/whatever. An emmc partition is a very low-level partition of the flash. Each emmc partition constitutes a full block device, which can then be further partitioned into a bootloader, /system, /data, etc.
The card's datasheet wasn't too clear about what the "Enhanced User Data Area" did that was so different from the regular User Data Area, although one thing was clear-- once its parameters were set, you couldn't "un-set" them. To quote the datasheet, the Enhanced User Data Area "can be programmed only once during the device life-cycle (one-time programmable)."
But why was the entire Sandisk partitioned in this special "Enhanced" User Data area? No one knew.
Then tmzt found this. It's an article by Toshiba that suggests what's going on:
Those areas requiring better reliability are SLC or can be programmed as SLC. . . the Enhanced User Data Area, which may store, for example, system log files, are SLC. The User Data Area, which may store music, pictures, videos and other files is MLC. . . Each 1 bit configured as SLC results in 2 bits less of MLC. Theoretically an 8GB e-MMC device (densities are defined in MLC terms), could be configured virtually all as SLC and thus would be approximately 4GB. In most cases, it is more likely that the majority of the memory would be configured as MLC to support higher density.
You've probably figured out by now what's likely happened here. Assuming the Sandisk emmc works like Toshiba's, the 4GB flash has probably been, save for a few tiny partitions such as the radio, irreversibly configured to use SLC, rather than MLC. If so, the benefit is faster performance and perhaps greater stability (and more read/write cycles). But its capacity/density would be cut in half.
And that, my friends, may very well be where your 2GB has gone.
So To Conclude...
Assuming the above is a correct understanding of the issue, the following appears to be the case:
- The HTC vision has a 4GB firmware card
- It has been irreversibly partitioned to use a faster/more reliable configuration called SLC
- This has resulted in a practical capacity/density of ~2GB
Update: Initial investigations from over a month ago reported that T-Mobile attributed this issue to "creative partitioning": ("I called into T-Mobile Android support and was assured this number is correct, and that I do have the full 4GB storage on-board... there's just some "creative partitioning" going on.") This may correlate with the explanation provided above.
Bootup Key Sequences
Bootloader (HBOOT): Volume Down + power on
Fastboot: Touchpad button + Power
Reboot phone from within HBOOT or Fastboot: Power + Volume Down + Touchpad button
Show/Hide Log Text: Volume Up + Power
Navigate Menu: Volume Up/Down
Select Action: Power
November 2010 OTA Update
T-Mobile released an OTA update for the G2 on 3 November. It enables Wi-Fi calling as well as Wi-Fi tethering (with a T-Mobile tethering plan).
The OTA does not include a new hboot (hboot cannot be downgraded once upgraded), but does include a newer kernel, recovery, and radio image, all of which can be downgraded from this OTA to the shipping versions. #g2root now considers it safe to install the OTA.
Note that if you do decide to apply the OTA, and you've used paulobrien's Google Goggles remover, then you won't be able to cleanly install. You will have to reflash to the original ROM to update.
Rooting the G2
For anyone interested-- despite what the blogs are saying-- THERE IS NO "ROOTKIT" and THERE IS NO "RESTORE ON REBOOT". What *is* happening is that Android thinks it's writing to the eMMC (memory card), but it is not. What you are seeing as a successful write is just the cache. Here is proof. See below for what is actually going on, as well as a full method to defeat the protection.
We would like to be a model of openness as a stark contrast to HTC's and T-Mobile's closed attitudes. Allegiances to any particular teams or groups are far less important than a willingness to help, and all who want to help are welcome. Credit will always be given where it is due, so don't worry about anyone claiming your work as his own. Catch up on our current progress below and join us in IRC.
Update 11-9-10: The G2 now has perma-root via the "kernel module attack" described below. See below for instructions on enabling it. (If you are interested reading the history of the rooting of this phone, including how to build a kernel module for the phone, it is in the wiki's history.)
How To Get R/W Access (Permanent Root / "Permaroot")
- Disable Visionary auto-run or uninstall it completely
- Download files and put in /data/local
- Get temproot using rage
- Load the kernel module via "insmod" to enable one-time read-write on EMMC
- Flash ENG HBOOT to enable Permanent root.
- Push needed files for 'su' to the (now permanently writable) /system partition
Note: If you are not technically inclined, you may want to wait for the automated version to be released.
There's already a guide here for obtaining permanent root using VISIONary, but some folks in #G2ROOT are having issues with the way that VISIONary modifies partitions. VISIONary will need to be disabled or uninstalled so that it does not cause any adverse issues. Using rage directly is a bit cleaner, since you know exactly what it's going to touch at each step of the way.
- Disable auto-run or uninstall Visionary (I know I said this but it's important!)
- Android Terminal Emulator app
- G2TempRoot.zip (http://forum.xda-developers.com/showthread.php?t=797042) NOTE: only download the files! Don't follow these instructions yet
- vision-perm-root.zip (http://forum.xda-developers.com/showthread.php?t=833965) NOTE: again, just download the files from the thread.
In the commands to run below, $ or # represent the prompt and should NOT be entered as part of the commands.
ON YOUR PC: Unzip the G2TempRoot files to a folder. From a cmd window or terminal, navigate to that folder and execute these commands:
$ adb push su /sdcard/su
$ adb push Superuser.apk /sdcard/Superuser.apk
$ adb push rage /data/local/tmp/rage
$ adb push busybox /data/local/tmp/busybox
$ adb push root /data/local/tmp/root
$ adb shell chmod 0755 /data/local/tmp/*
ON YOUR PHONE:
- Launch Terminal Emulator
- $ /data/local/tmp/rage
- Wait for the message: "Forked #### childs."
- Menu > Reset Term - Terminal Emulator will exit.
- Launch Terminal Emulator, it Force Closes. Launch a second time, and you'll have a root shell
- **NOTE**: in the original directions from the XDA thread, you are instructed to run the /data/local/tmp/root script here. DON'T do this just yet. Leave the terminal window open.
ON YOUR PC: unzip the vision-perm-root.zip and navigate to that folder. There will be four files. You will need to push two of these to your phone- hboot-eng.img, and one of the wpthis-[..].ko files.
If you HAVE applied the OTA update, push wpthis-OTA.ko. If you HAVE NOT applied the OTA update, push wpthis-pre-OTA.ko.
$ adb push hboot-eng.img /data/local
$ adb push wpthis-OTA.ko /data/local
ON YOUR PHONE: You should still have terminal emulator up, at a root prompt. Now run:
# insmod /data/local/wpthis-OTA.ko
You should see:
init_module 'wpthis-OTA.ko' failed (Function not implemented)
That means it worked. This next step is CRUCIAL. You must make sure that you are writing to the proper partition here or you could brick your phone. To be absolutely clear- the partition is mmcblk(zero)p(one)(eight)
dd if=/data/local/hboot-eng.img of=/dev/block/mmcblk0p18
You should see some messages indicating that it was written. Next, run:
This will lock in root, and give you 'su' access in the future. Next, run:
Now wait at least a minute, just to be safe. After waiting, reboot your phone using the power button. After it finishes starting up, launch terminal emulator, and type 'su'. You should get the prompt asking you to grant permissions. If you got the prompt, congratulations! You have permanent root!
Subsidy Unlock, SuperCID, and Radio S-OFF
One at a time. What is Subsidy Unlock and why do I want it?
When you buy your Vision phone from T-Mobile, sold as the "G2", your phone is locked to the phone company's network-- the carrier.
If you travel outside of the coverage area for your carrier, your phone will go into "roaming" mode, and you will be charged up the ass. Now, what can you do about this? You may wish to purchase a local, pre-paid SIM Card in the country in which you're traveling to make calls or perhaps to buy a few day's worth of Internet access. But if you try, you'll find your phone won't take foreign SIM cards.
Similarly, if you're a T-Mobile customer with a G2 and you wanted to use another phone network within the US that uses a GSM network, such as AT&T, you will be unable to use an AT&T SIM card in your phone. It just won't work.
Why won't your phone take non-T-Mobile Sim cards? Because it's been "locked" (or "SIM-locked" or "subsidy locked" or "carrier locked").
SIM-unlocking your phone will offer the benefit of allowing you to use your phone with other carriers.
NOTE: T-Mobile does offer an unlock code to its loyal customers who are traveling overseas. You can call them and request it. However, as the XDA-forums can attest, some people have had difficulty with their codes, causing the phone to be unable to establish a connection to ANY network.
We want to fix that.
Got it. Next-- what is this "SuperCID" thing?
First let's talk about what a "CID" is in the first place. CID, as best I can tell, stands for "Carrier IDentification" and it's a little number that restricts which software can be installed on a phone. The CID determines for example, that only an officially-signed T-Mobile radio can be installed on a T-Mobile phone. And it's why you can't flash a Vodafone ROM onto a Bell Desire Z.
It may be helpful to think of the CID as a kind of "region coding" like you find on DVDs, where a North American DVD can't be played in a European player. But if you hack your DVD player, you could switch it from a European player to a North American one. Or you might even hack it to play both.
You can do the same with phones. SuperCID is, as the name implies, a universal CID where the phone will accept any kind of firmware image from anyone.
Finally, what's Radio S-OFF and What Does It Mean to Me?
The "S" stands for "Security".
As scotty2 says, "s-off is the switch that says 'alright, do whatever you want to do - good luck!'"
So here's how it works- normally when you boot up, HBOOT (the bootloader) says to the radio, "are you S-ON or S-OFF?" If the radio says "S-ON" then the bootloader WILL prevent you from using most of its commands, and WILL write protect system and recovery. If the radio says "S-OFF", then it will NOT prevent you from using most of its commands, and it will NOT write protect system and recovery.
Even phones that have been "permarooted" still have an S-ON radio.
But- you say, system and recovery haven't been protected since scotty2 figured out how to defeat the emmc protection... That's what permaroot is all about, isn't it?! So surely the radio must already be S-OFF!
Nope. You've had "Label" S-OFF. Not Radio S-OFF.
As scotty2 puts it, "[by patching HBOOT], we forge [messages to HBOOT] so it always looks like the radio says it's S-OFF." This works great so long as you've got a hacked HBOOT. But here's the problem-- people have been getting into trouble by flashing factory firmware over their rooted firmware. First thing it does before writing the ROM is overwrite their patched HBOOT. HBOOT turns on read-only mode on the recovery and /system, and the poor folks get locked out of their phones with the old firmware still there.
Having "real" radio S-OFF, scotty2 says, "will save people from almost-bricking-by-way-of-reflashing-factory-firmware." It also means you'll have unrestricted access to messing with your phone's radio. Although- he notes, the android kernel itself restricts your access to the radio partition. For your safety.
Unlock the Phone, Set SuperCID, and Turn Radio S-OFF
WARNING: You're backing up the radio partition, but be aware you are seriously messing with your phone here with a lot of potential for screwing things up. Do so at your own risk. The many authors of this guide assume no responsibility for any damage to your phone, health, general well-being, or anything else untoward with respect to these instructions or you following them. AN EASIER METHOD FOR DOING THIS IS FORTHCOMING, SO UNLESS YOU FEEL VERY COMFORTABLE WITH THINGS LIKE HEX-EDITORS (YES, YOU WILL NEED ONE), YOU ARE ADVISED TO WAIT. READ THE INSTRUCTIONS ALL THE WAY THROUGH TO MAKE SURE YOU AREN'T GONNA GET HALFWAY THROUGH BEFORE REALIZING YOU DON'T KNOW WHAT THE NEXT PART MEANS. NOTE THAT THESE INSTRUCTIONS ARE ORIENTED TOWARDS THE T-MOBILE G2 PHONE AND LINUX AND OS X USERS WITH THE TERMINAL. IF YOU HAVE WINDOWS, YOU'LL NEED TO DO THE WINDOWS COMMAND LINE EQUIVALENTS.
It is very advisable to install CLOCKWORK RECOVERY and create a NANDROID BACKUP after the perm-root and before the radio S-OFF
1. Permaroot your phone.
2. Make a backup of partition 7 of your phone, copy the image of partition 7 to your PC and modify it with a HEX-editor.
3. Use a custom kernel and the appropriate wp-this module to get rid of the write protection of the radio partitions
4. Push the modified partition 7 image back to the phone and copy it to the partition 7.
At this point, the @secu_flag is removed from your phone and your phone is S-OFF. You're done.
5. Optional step - Use the AT-command interpreter and run some AT-commands to verify the success.
6. Optional step - Switch back to your old kernel
Okay, let's begin!
1. Permaroot your phone
See above for instructions on how to perm-root.
2. Backup partition 7
Create a backup of your partition 7. (Everyone has a different partition 7. So don't use someone else's)
Note that these instructions are oriented for Linux and OS X terminal users. If you have Windows, you'll need to do the equivalent.
So after you connect your phone to your computer, get your phone's shell on your computer's Terminal:
Then, in the phone's shell...
su
dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7-ori.img
Exit the shell and copy the image to your PC. So on your PC...
mkdir p7
cd p7
adb pull /sdcard/mmcblk0p7-ori.img mmcblk0p7-ori.img
Make a copy of the image. So also on your computer...
cp mmcblk0p7-ori.img mmcblk0p7-new.img
(I think in Windows the command would be something like "copy mmcblk0p7-ori.img mmcblk0p7-new.img")
Hex-edit your copy of partition 7
Told you there'd be hex editing!
Linux users may want to use "bless" for the manual patches and "dd" for the bigger part. OS X users may consider using 0Xed for the hex editing and "dd" for the bigger part.
1. Turn on SuperCID.
Edit mmcblk0p7-new.img and change the string T-MOB010 at position 0x200 (decimal offset 512) to the string 11111111
2. Change to S-OFF by making the secu_flag=0:
Edit mmcblk0p7-new.img and change the byte 0x01 at 0xA00 (decimal offset 2560) to 0x00 (the 0x indicates a hexadecimal value)
3. Set the area 0x80000 to 0x82fff to all zero. So get rid of your hex editor, and let's just use dd on your computer's Terminal.
dd if=/dev/zero of=mmcblk0p7-new.img seek=524288 bs=1 count=196608
dd if=mmcblk0p7-ori.img of=mmcblk0p7-new.img bs=1 seek=720896 skip=720896
(Alternatively, if you don't have access to "dd" on your computer -- Windows computers for example may not have it-- you can also "adb push mmcblk0p7-new.img /sdcard/" back to your phone's sd card, and run the aforementioned dd commands from within the phone's shell. In that way, you'll use your phone's version of dd to zero out the range 0x80000 to 0x82fff. Remember to "adb pull /sdcard/mmcblk0p7-new.img mmcblk0p7-new.img" back to your computer before continuing work on it in your hex editor as instructed below.)
This will copy a bunch of zeros into the right place and then put the original stuff after it.
4. Back to the hex editor. Edit mmcblk0p7-new.img and set the 4 bytes at 0x80000 (decimal offset 524288) to (the hexadecimal values) 78 56 F3 C9 and set the 4 bytes at 0x807fc (decimal offset 526332) to (the hexadecimal values) 49 53 F4 7D
Save your work. That's it. Now we need to install the modified partition 7 back to the phone.
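A check worth running before the image is pushed back, given here as an added example (not part of the original guide or the #G2ROOT tools): it compares mmcblk0p7-ori.img with mmcblk0p7-new.img and reports anything that differs from what steps 1 to 4 above describe. The function names and the sample image are constructed for illustration; the zeroed span is taken from the dd command above (seek=524288, count=196608, i.e. 0x80000 up to but not including 0xB0000).

```python
import sys

CID_OFF, CID_NEW = 0x200, b"11111111"   # step 1: SuperCID string
SECU_OFF = 0xA00                         # step 2: secu_flag byte
ZERO_START = 0x80000                     # step 3: dd seek=524288
ZERO_END = ZERO_START + 196608           # dd count=196608 ends at 0xB0000
MARKERS = {                              # step 4: two 4-byte values
    0x80000: bytes.fromhex("7856F3C9"),
    0x807FC: bytes.fromhex("4953F47D"),
}
EDITED = [(CID_OFF, CID_OFF + 8), (SECU_OFF, SECU_OFF + 1), (ZERO_START, ZERO_END)]


def expected_zero_region():
    """Zero-filled span from step 3 with the step 4 values written in."""
    region = bytearray(ZERO_END - ZERO_START)
    for off, val in MARKERS.items():
        rel = off - ZERO_START
        region[rel:rel + len(val)] = val
    return bytes(region)


def check_p7_patch(ori, new):
    """Return a list of problems; an empty list means the edit matches the steps."""
    if len(ori) != len(new):
        # dd without conv=notrunc truncates its output, so skipping the
        # second dd of step 3 leaves a short file.
        return [f"size changed: {len(ori)} -> {len(new)} bytes"]
    if len(new) < ZERO_END:
        return [f"image shorter than 0x{ZERO_END:X} bytes"]
    problems = []
    if ori[SECU_OFF] != 0x01:
        problems.append("original byte at 0xA00 is not 0x01; offsets may not fit this image")
    if new[CID_OFF:CID_OFF + 8] != CID_NEW:
        problems.append("CID at 0x200 is not 11111111")
    if new[SECU_OFF] != 0x00:
        problems.append("secu_flag at 0xA00 is not 0x00")
    if new[ZERO_START:ZERO_END] != expected_zero_region():
        problems.append("0x80000-0xAFFFF is not zeros plus the two step 4 values")
    # Every byte outside the edited spans must be identical to the backup.
    pos = 0
    for start, end in EDITED + [(len(new), len(new))]:
        if ori[pos:start] != new[pos:start]:
            first = next(i for i in range(pos, start) if ori[i] != new[i])
            problems.append(f"unexpected change outside edited spans at 0x{first:X}")
        pos = end
    return problems


def make_sample_pair(size=0xB1000):
    """Constructed stand-in for the two images (not real partition data)."""
    ori = bytearray(b"\xA5" * size)
    ori[CID_OFF:CID_OFF + 8] = b"T-MOB010"
    ori[SECU_OFF] = 0x01
    new = bytearray(ori)
    new[CID_OFF:CID_OFF + 8] = CID_NEW
    new[SECU_OFF] = 0x00
    new[ZERO_START:ZERO_END] = expected_zero_region()
    return bytes(ori), bytes(new)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_ori, open(sys.argv[2], "rb") as f_new:
            ori_img, new_img = f_ori.read(), f_new.read()
    else:
        ori_img, new_img = make_sample_pair()
    found = check_p7_patch(ori_img, new_img)
    print("\n".join(found) if found else "image matches the described edits")
    sys.exit(1 if found else 0)
```

Called with the two image paths as arguments it checks real files; with no arguments it runs on the constructed sample.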
3. Use custom kernel and module to get rid of the write protection
To update the radio partition you will have to get around two forms of protection-- first is the kernel restrictions on writing to the radio partition. Then, there is the emmc firmware chip's read-only protection. (Permarooting removed the emmc's read-only protection from the /system, bootloader, and recovery. It didn't remove it from the radio partition.)
So, you will have to first install a special cyanogenmod-based kernel that disables the kernel protection for the radio partition. Then you'll also need a "wp-this" kernel module for this kernel that drops the emmc write protection.
The boot.img that contains the kernel can be found here: 
The wp-this module for this kernel is here 
Install the custom kernel from your computer using fastboot.
First boot your G2 into fastboot mode (press Power Button and the trackpad Button until the screen with the surfing androids appears and it says FASTBOOT or FASTBOOT USB in red).
Make sure you've downloaded fastboot onto your computer. It comes along with "adb" with the Android SDK
(note-- on the Mac, you may want to say "fastboot-mac" instead of "fastboot" below)
(On your PC)
fastboot erase boot
fastboot flash boot boot-new.img
Reboot the phone into normal mode and copy the new image to the G2
4. Copy the modified partition 7 back to the phone
(On the PC)
adb push mmcblk0p7-new.img /sdcard/
Also copy the wp-this module-- you're about to use it.
adb push wpthis-cyanogen.ko /sdcard/
Now get a shell on the phone:
In the shell:
You should see "insmod: init_module '/sdcard/wpthis-cyanogen.ko' failed (Function not implemented)" as an answer - this means that it was OK.
Continue in the shell:
dd if=/sdcard/mmcblk0p7-new.img of=/dev/block/mmcblk0p7
sync
Wait a minute to make sure that the changes stick.
Reboot the phone.
If all went well, you did it! Here are some optional steps to make sure you did it right:
5. (OPTIONAL) Verify you did it right
To verify all went well, do this:
- Plug in your phone to your computer
- In the Terminal/command line, type this:
this puts you in the phone's shell. now it's a simple matter of the following:
(note the # is your prompt. Don't type the "#". The lines without the # are returned by the phone.)
# stop ril-daemon
# cat /dev/smd0 &
# echo -e 'ATE1\r' > /dev/smd0
0
#
# echo -e 'ATV1\r' > /dev/smd0
OK
# echo -e 'AT@CID?\r' > /dev/smd0
@CID: 11111111
OK
echo -e 'AT@SIMLOCK?40\r' > /dev/smd0
# AT@SIMLOCK?40
@SIMLOCK= 00
OK
#echo -e 'AT@SIMLOCK?AA\r' > /dev/smd0
AT@SIMLOCK?AA
@secu_flag: 0
OK
It should look something like that anyway. It may look slightly different if you were typing while the computer was sending you back information. Alternatively, you could open two terminals that connect to your phone: one for sending the commands (all except "cat /dev/smd0 &", which is used to read back data), and the other for running just "cat /dev/smd0" (remember to strip off the final &).
Did it work? Here's what you're looking for:
@CID: 11111111 <--- this response means you have superCID! Congrats!
@SIMLOCK= 00 <--- this means your simlock is off. Mazel Tov!
@secu_flag: 0 <--- this means your radio is S-OFF. Hurrah!
6. (OPTIONAL) Go back to your original kernel
If you are experiencing problems with the Wifi, or for other reasons, you might want to go back to your stock kernel.
a) If you did a backup using nandroid before this procedure, then just restore your backup; the radio S-OFF is permanent.
b) If you did not do a backup and you have been using the stock kernel you can get it back from here  or the OTA-kernel if you did apply the OTA from here . Use the same procedure as in 3. to install boot.img (or boot-ota.img) instead of boot-new.img.
This is because the wifi driver is provided via a kernel module (bcm4329.ko, located in /system/lib/modules), which is bundled with a specific kernel and should match with the kernel version. Fortunately, there is only one kernel module located in /system/lib/modules, so changing a kernel only affects wifi related function.
Documentation and Sources
HTC Desire Z kernel source (almost certainly T-Mobile G2 kernel source as well)
XDA Discussion Thread #1
XDA Discussion Thread #2
Kinda unrelated, but here is HTC's response to their gpl violation.
Freenode IRC channels:
- #G2ROOT <- please familiarize yourself with this page and IntuitiveNipple's wiki before asking questions.
- #g2-chat <- please use this one for non-rooting related questions. People will jump all over you if you ask an offtopic question in #g2root
To catch up on what you may have missed:
- #G2ROOT IRC live log (updates on refresh)
- perhaps a better #G2root IRC log (multi-pages for readability)
- #G2-ROOT IRC log
[ROM]Vision_TMOUS_1.19.531.1_Radio_12.21.60.09b_26.02.0 1.15_M2 - http://forum.xda-developers.com/showthread.php?t=788489
[OTA] e4aaacea73af.OTA_Vision_TMUS_1.22.531.8-184.108.40.2061.1_release_signed.zip - http://forum.xda-developers.com/showpost.php?p=8978583&postcount=1
Cyanogenmod ROM -- a popular custom ROM for the Vision. Latest version is (at this writing) 6.1 RC3. But check the forums to make sure you get the latest.