[Guide] TEMP-ROOT ANY Gingerbread build and downgrade to 1.32.405.6 [Updated July 30]

Search This thread

rohithksaj

Senior Member
Jun 28, 2011
1,350
269
kerala
am testing it on my 2.42...but i need help........

Whats CMD........sorry....I dont know that.................:confused:

and after this command

adb shell /data/local/tmp/fre3vo –debug*

I couldnt understand what to do next........................

sorry.......
 

descenpet

Senior Member
Dec 15, 2009
3,939
1,276
am testing it on my 2.42...but i need help........

Whats CMD........sorry....I dont know that.................:confused:

and after this command

adb shell /data/local/tmp/fre3vo –debug*

I couldnt understand what to do next........................

sorry.......
you are NOT supposed to type
adb shell /data/local/tmp/fre3vo –debug*

you are supposed to type one of these lines(try 1 by 1 until it works for u)
adb shell /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
adb shell /data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF
adb shell /data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF
adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
adb shell /data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF
 
Last edited:

CuBz90

Senior Member
Sep 27, 2010
2,221
1,034
am testing it on my 2.42...but i need help........

Whats CMD........sorry....I dont know that.................:confused:

and after this command

adb shell /data/local/tmp/fre3vo –debug*

I couldnt understand what to do next........................

sorry.......

I am trying my best to make the guide easier to follow. If you have any problems, there are alot of people who can help :)
 

descenpet

Senior Member
Dec 15, 2009
3,939
1,276
I am trying my best to make the guide easier to follow. If you have any problems, there are alot of people who can help :)
adb shell /data/local/tmp/fre3vo –debug*
this was confusing some ppl, i was going to suggest it then you already changed it.. but now..
adb shell /data/local/tmp/fre3vo –debug /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
 

CuBz90

Senior Member
Sep 27, 2010
2,221
1,034
adb shell /data/local/tmp/fre3vo –debug*
this was confusing some ppl, i was going to suggest it then you already changed it.. but now..
adb shell /data/local/tmp/fre3vo –debug /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF

Ye, I realised that some people would get confused
 

rohithksaj

Senior Member
Jun 28, 2011
1,350
269
kerala
adb shell /data/local/tmp/fre3vo

after this command.....it shows please wait........

is there any problem.....i hav been waiting for long ................
 

rohithksaj

Senior Member
Jun 28, 2011
1,350
269
kerala
I JUST CANT UNDERSTAND..........i was following the guide

adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo********* this is the step made me to wait


adb shell /data/local/tmp/misc_version
 
Last edited:

Dashaiva

Senior Member
Oct 10, 2010
81
8
Ye, I realised that some people would get confused

Approx how long does it take for each of the blind scans? I'm using the Ace toolkit and it's been sitting here:

613 KB/s (9796 bytes in 0.015s)
15 KB/s (15837 bytes in 1.000s)
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property..
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 106
width: 62
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192

For over 5 minutes....
 

descenpet

Senior Member
Dec 15, 2009
3,939
1,276
I JUST CANT UNDERSTAND..........i was following the guide

adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo********* this is the step made me to wait


adb shell /data/local/tmp/misc_version
what exactly did you type for that step?
 

rohithksaj

Senior Member
Jun 28, 2011
1,350
269
kerala
yah.... i got it...............

little tensed.....

i didnt type any.......i just pressed enter b4 reading next................

thanks for ur helping mind
 

JSLEnterprises

Senior Member
Apr 26, 2011
1,349
1,360
Buenos Aires
Approx how long does it take for each of the blind scans? I'm using the Ace toolkit and it's been sitting here:

613 KB/s (9796 bytes in 0.015s)
15 KB/s (15837 bytes in 1.000s)
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property..
fb_fix_screeninfo:
....

... sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192

For over 5 minutes....

Reboot your device, let it load up,
make sure debugging is enabled
and start from scratch

adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF

After the exploit is found, it may kill the adb process
disconnect your device, and plug it back in.
then continue...

adb shell /data/local/tmp/misc_version -s 1.32.405.6
adb reboot bootloader


note: I changed the hex address start since all but Volupia's device have found the exploit at either FBB6D400:C00, FBB6B000:1a00, or FBB80000:1000
The more addresses posted of a successful exploit can further decrease the target range thus speeding up the process.
 
Last edited:
  • Like
Reactions: aladin_din

Dashaiva

Senior Member
Oct 10, 2010
81
8
Reboot your device, let it load up,
make sure debugging is enabled
and start from scratch

adb push fre3vo /data/local/tmp
adb push misc_version /data/local/tmp
adb shell chmod 777 /data/local/tmp/fre3vo
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF

After the exploit is found, it may kill the adb process
disconnect your device, and plug it back in.
then continue...

adb shell /data/local/tmp/misc_version -s 1.32.405.6
adb reboot bootloader


note: I changed the hex address start since all but Volupia's device have found the exploit at either FBB6D400:C00, FBB6B00:1a00, or FBB80000:1000
The more addresses posted of a successful exploit can further decrease the target range thus speeding up the process.

Fantastic, I did all of that line by line and it worked right away. Many thanks!
 

Top Liked Posts

  • There are no posts matching your filters.
  • 65
    I CAN NO LONGER PROVIDE SUPPORT, NOR UPDATE THIS POST ANY MORE, AS I NO LONGER HAVE TIME DUE TO MOST OF MY TIME BEING SPENT AT WORK! SORRY
    If you need help that would only take me a few seconds to answer, contact me on twitter @cubz90


    Here is a guide to Temproot and downgrade any HTC Desire HD Gingerbread Build
    This method has been confirmed working for all DHD Gingerbread builds!


    Please could you post the Exploit address when successfully rooted with fre3vo. Thanks

    Thanks go to:
    agrabren
    aswethinkweiz
    JSLEnterprises :)

    Please make sure you have the phone's drivers installed on the computer you are using, otherwise this will not work.


    2ldvnh2.gif


    Temp Root:

    1. Enable USB debugging on your phone and place your phone on CHARGE ONLY (If this doesn't work, try choosing 'HTC Sync' when connecting USB)
    2. Download the DHD Downgrade folder and extract it to the root of your hard drive (usually this is the "C:\" drive on your computer)
    3. Run the file named "RUN THIS FOR ROOT". A command prompt will open and will begin to do the adb steps for you.

    Alternatively (If step 3 fails):

    1. Open a command prompt (right click "Run as Administrator" is using Vista or W7) and locate the downgrade folder (type "CD C:\DHDDowngrade" minus the quotes in CMD)
    2. Run the below commands (be sure to press enter after each line)


    adb push fre3vo /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fre3vo
    adb shell /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF



    If the scan hangs, just reboot your DHD and start again.

    You may not get all the messages (due to flushing issues when we kill adb), but if you get kicked back to your system command prompt, try "adb shell"

    If you see '#' you successfully have temproot.

    2ldvnh2.gif


    If you want to use Titanium Backup, you must do the following:

    1. Download Busybox, su & fixsu.sh and Superuser.apk

    2. Run the following commands in CMD...

    adb push fixsu.sh /data/local/tmp
    adb push su /data/local/tmp
    adb push busybox /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fixsu.sh
    adb shell chmod 777 /data/local/tmp/su
    adb shell chmod 777 /data/local/tmp/busybox

    3. Install Superuser.apk

    4. Install Titanium Backup from the Market

    5. Run the following commands in CMD:

    adb shell
    # cd /data/local/tmp
    # ./fixsu.sh

    If you see...
    rm failed for /system/bin/su Read-only file system
    ...ignore it

    You can now use Titanium to backup all User Apps + Data (You can backup System apps too)
    If you don't want to go any further than rooting, and just want temproot to remove bloatware, you can also use Titanium backup to do that.
    Temproot will be enabled until phone is rebooted.



    2ldvnh2.gif


    Downgrade:


    1. Create a goldcard:
    1. Format SDCard to FAT32

    2. Download Goldcard Helper from Android Market

    3. Open Goldcard Helper with the SDCard in the phone, and you will see the mmc2 reverse CID

    Note: Do not use the Copy feature in the app as this will copy the wrong CID!​

    Alternate to the Goldcard helper app:
    1. Open up a command prompt (Windows Key + R, type "CMD", press enter)
    2. connect your phone as "charge only" and have usb debugging enabled
    3. navigate the command prompt to the downgrade folder.
    4. Type the following command:
    adb shell cat /sys/class/mmc_host/mmc2/mmc2:*/cid
    5. Select and copy the cid

    4. Go to http://psas.revskills.de/?q=goldcard

    5. Enter your email address and the mmc2 reverse CID that is showing on the Goldcard Helper app then submit it

    6. The img file will be emailed to you, download and save it somewhere you will remember

    7. Download this hex editor - http://mh-nexus.de/en/downloads.php?product=HxD

    8. Open HxD hex editor on your computer by right-clicking it and clicking 'Run as Administrator'

    9. Mount your SD card to your computer, preferably using a card reader but you can use your phone as well

    10. Go to 'Extra' menu > 'Open Disk'. Select Removable Disk (which should be your SD card) under Physical Disk (and NOT logical disk), uncheck 'Open as Readonly' and click OK

    11. Go to the 'Extra' > 'Open Disk Image' and open the goldcard image downloaded in Step 6. . Select '512 (Hard disks/Floppy disks)' as the sector size when prompted and click OK

    12. In the goldcard image tab, go to 'Edit' > 'Select All' and then 'Edit' >'Copy'

    13. In the 'Removable Disk' tab, highlight offset (line) 00000000 to offset (line) 00000170 including the 00000170 line and go to 'Edit' menu > 'Paste Write'

    14. Click 'File' > 'Save' and accept any warning that you get

    2. Place the stock 1.32 PD98IMG.zip on the root of your SDcard/Goldcard

    4. Open the file in the folder named "RUN THIS FOR DOWNGRADE". The command prompt will opn and begin to do the adb steps for you.

    Alternatively (If step 4 fails):


    Run the below commands in CMD:


    adb push misc_version /data/local/tmp
    adb shell chmod 777 /data/local/tmp/misc_version
    adb shell /data/local/tmp/misc_version -s 1.31.405.3
    adb reboot bootloader

    5. You should see a white bootloader screen, press the power button to enter the bootloader and it should automatically start to detect the PD98IMG.zip file.
    6. You will see a blue progress bar on the right of the screen while the file is being checked. You should now be asked to confirm if you want to install this ROM, press 'Volume Up' to confirm. Wait patiently while the ROM is installed.
    7. Once the installation is complete, press the 'power' button to restart your phone.

    You have successfully downgraded to stock 1.32 :)

    2ldvnh2.gif


    How to Root 1.32:

    1. Download and install Visionary+ to your Desire HD
    2. Open Visionary+ and choose "Temproot now". The screen may go black and may become unresponsive, please allow it to finish.
    3. After temproot, choose "Attempt permroot now". This will attempt to permanently root your Desire HD. Your device should then reboot.
    4. After reboot, you should successfully be rooted.

    How to Radio S-Off & SimUnlock Your Desire HD - Thanks to jkoljo


    2ldvnh2.gif



    How to Flash recovery with ClockworkMod

    1. Search Android Market for a free app called 'ROM Manager'. Once found, install it.
    2. Once it has been installed, launch 'ROM Manager' on your phone.
    3. In ROM Manager, tap 'Flash ClockworkMod Recovery'. Tap on 'Desire HD' when it pops up.
    4. Be patient as ClockworkMod is installed, as it can take quite some time. Once it has finished , you have ClockworkMod recovery installed on your phone.

    You should now have stock 1.32, root, S-off, and CWM Recovery.
    You can now flash a ROM using Clockworkmod :)


    2ldvnh2.gif



    FAQs​

    Q. How do I run CMD?

    A. Windows Vista and 7 users: Press Start, type CMD. You should see CMD sppear, right click and 'Run as Administrator'. Windows XP users: Press Start, Press 'Run', type CMD, then click OK.



    Q. How do I enable USB Debugging?

    A. On your Desire HD go to Settings -> Applications -> Development -> Enable USB Debugging



    Q. Why do I keep getting CID error in bootloader?

    A. This is most often a problem with your goldcard. First make sure you have created a goldcard using the guide at the top of this post. If you have created a goldcard, format the SDCard using FAT32 and try again making sure you have followed each step very carefully. Also, make sure you have the .bin file on your SDCard after doing the adb steps.



    Q. When going into bootloader it says "no image or wrong image"

    A. This message will be displayed when files it is looking for cannot be found. Leave it to continue and it will update. If it displays this message after searching for PD98IMG.zip, then the file is damaged or you do not have it on your SDCard.



    Q. Do I have to disconnect the phone from the computer before booting into bootloader?

    A. Yes....Simplez ;)



    Q. I have tried many times to create the goldcard, but continue to get errors.

    A. This could be because you are continuously making mistakes, or your SDCard cannot be made into a goldcard, try another SDCard.


    More will be added when needed :)


    2ldvnh2.gif


    Please press Thanks :)

    2ldvnh2.gif
    3
    @cash, since you're a telus user, im pretty sure you're running 2.43.661.1
    just do the first set of addresses (F0000000 to FFFFFFFF)
    3
    Hi,

    I'm following the instructionc, my CMD seems to hang (already 20 minutes and counting...) Any idea? Already started over (emptied my SD card again and copied the ZIP file again)

    p.s. I'm also on the latest 2.50.405.2
    My computer is Windows 7 Enterprise (32 bit) and CMD is running as administator

    THX

    2ey8eut.png



    Reboot your device and run these commands.


    adb push fre3vo /data/local/tmp
    adb push misc_version /data/local/tmp
    adb shell chmod 777 /data/local/tmp/fre3vo
    adb shell chmod 777 /data/local/tmp/misc_version
    adb shell /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF

    if scanning those offsets doesnt work, then 20000000 to 2FFFFFFF
    2
    Looking good...

    After running:
    "apb shell" i'm getting the #
    I guess it's rooted! Working great on my fully updated stock Desire HD (2.50.405.2)!

    now run
    adb shell /data/local/tmp/misc_version -s 1.32.405.6

    and reboot to bootloader to loadup the super exploitable image, so you can root, s-off, and eng s-off the device.

    then update to 2.36.405.8 and run gingerbreak, and reboot. you're updated and rooted.
    2
    Could you please explain the latest steps?:confused:

    Visit My thread here
    Once 1.32 has finished installing, start at step 2 and run through the visionary method to root radio & eng s-off

    then run the 2.36.405 ruu, install and run gingerbreak.
    reboot, and you're fully rooted on gingerbread.