[HBOOT 1.19/1.15 S-OFF] Downgrade HBOOT 1.19 and lower on HTC EVO 4G LTE

[Mac_Gyver]

~ ~ ~ CREDITS ~ ~ ~
HUGE thanks to everyone whose research and work aided us in discovering a way for downgrading from HBOOT 1.19/1.15 down to HBOOT 1.12!

I will do my best to mention all of the sources that were used here but please do forgive and let me know if I failed to mention you for your work.

• Fuses and the rest of Team Unlimited for their awesome original work on emmc_recover!
• closeone for starting work on the LiveCD HBOOT Downgrade Toolkit as soon as he heard the news! We're all looking forward to using this. :laugh:
• yarrimapirate for narrowing down the list of action steps that needed to be taken and proving for this method to work on HBOOT 1.19! He also did an awesome job consolidating and documenting the steps that needed to be taken, and posting an updated downgrade package.
• 18th.abn and niceppl for their work on HTC One X methods which inspired this.
  
• The great community of like-minded Android fans who posted thought provoking questions, suggestions, and their daring results. Thank you, everyone!!

WARNINGS AND DISCLAIMERS:​

• UNTIL FURTHER NOTICE, I'M WARNING EVERYONE THAT IS *ALREADY S-OFF* TO NOT TRY THIS METHOD!!!
  
• You are solely responsible for your own actions and the potential for permanently BRICKING your device.
• Do NOT attempt to hold anyone liable for the damages caused by your decision to use this information.
• RISK! RISK! RISK! THIS MAY NOT WORK AS EXPECTED RESULTING IN A BRICKED PHONE!
  
• Doing a soft-brick is part of this procedure; however, you run the risk of actually killing your phone if you don't have enough patience, time, and attention to detail.
• I can not stress enough how important it is to be very careful and read this whole post in order to see what the procedure entails and to gage your confidence in yourself and weigh the risks.
• Before you modify anything on your phone: BACKUP! You will not regret it.:good:
• Finally, only those brave and experienced enough should attempt these steps! Please understand that you could turn your phone into A PERMANENT BRICK.
• STOP and WAIT if you have any reservations on this, an easy-to-use solution is on the way. You've waited perhaps months, you can probably wait another week for a safer solution!
  

SOME EXPERIENCE NECESSARY

• THIS POST ASSUMES THAT YOU HAVE SOME PREVIOUS EXPERIENCE AND MODERATE UNDERSTANDING OF THE TERMS, TOOLS, METHODS, AND CONSEQUENCES OF INTENTIONALLY CORRUPTING AN eMMC PARTITION AND PUTTING YOUR PHONE IN QC DOWNLOAD MODE.
• THIS IS NOT A N00B-FRIENDLY GUIDE, SORRY!
• If you are new here, WELCOME!
  • Do have a look here to learn more about Android hacking.
  • Also, check out Don't Panic -- A must read for beginners, includes troubleshooting guide by om4.
    

Please DO NOT go onto Team Unlimited IRC for help with the downgrade!​

They can only assist you with the tools that they directly created and advertised as supported via Team Unlimited IRC. If you have questions regarding the downgrade method, please post here or on yarrimapirate's thread.
​

NOT ON SPRINT?
If you are NOT USING SPRINT, flashing HTC STOCK RUUs mentioned in this guide will revert you to the stock Sprint programming!​

~ ~ ~ U P D A T E S ~ ~ ~
October 31, 2012

NO-DOWNGRADE S-OFF for 1.19 and 1.15!
Team Unlimited has just given a word that they are about to release a NO-DOWNGRADE S-OFF for 1.19 and below.

:good::good::good:

Please see their post here.
​

HBOOT 1.15/1.19 downgrade tool (Linux)
yarrimapirate has created a dedicated thread for his new Linux-based downgrade tool. This is in beta testing as of October 21 but it appears to be very stable and successful.

Be careful and follow his instructions!

:good: :good: :good:

Please see his post HERE.
​

Hands-on downgrade for the tech savvy

yarrimapirate has proven for this to work on HBOOT 1.19. So now this means that both 1.15 and 1.19 can be downgraded! yarrimapirate also narrowed down the eMMC partition list to just one for the QC Download Mode. He kindly rewrote the directions and tweaked them to work with the newer discoveries.

:good: :good: :good:

Please see his post HERE.
​

HBOOT LiveCD Downgrade Toolkit
closeone has kindly taken on the task of making a Downgrade LiveCD and posted an update on his HBoot Downgrade Toolkit. It's still in private testing stage but we expect to see the testing come to a closing and the Toolkit maturing into an easy-to-use solution.

:good: :good: :good:

Check it out here.​

~ ~ ~ ARCHIVE ~ ~ ~
ORIGINAL DOWNGRADE INSTRUCTIONS

Press SHOW CONTENT button to view the OP from October 11, 2012.​

SUMMARY:

• My immediate goal here is to get this information out regarding my successful downgrade from HBOOT 1.15/1.19 to 1.12 followed by LazyPanda S-OFF.
  

• This post will be initially rough. Check back in often.

• Do note that this was all done in Linux on Ubuntu 12.04.1 32-bit VM and Fedora 16 32-bit physical host. There is no reason that I used two different distros other than what was at hand. If you got skillz, you can do this all in a VM but beware of the pains when you are dealing with a device that changes USB modes very frequently during the flashing of eMMC

REQUIREMENTS:


STRONG RECOMMENDATIONS:

• Prior to starting this, a factory RUU restore to an HTC ROM that comes with and supports HBOOT 1.15. Some users chose to not bother with this and it seemed to work for them.
• After you do all of the steps and you get your device to boot from the softbrick on HBOOT 1.12, you will need to do another factory RUU restore to an HTC ROM with the version of the HBOOT that you are downgrading to. So since we are going to 1.12 HBOOT you need an HTC STOCK ROM with HBOOT 1.12 to flash all the other partitions into compliance. You don't want to have HBOOT 1.12 and all else that runs on 1.15! Plus, LazyPanda requires you to use a STOCK 1.13 ROM. Otherwise, you're gonna have a bad time...

ACTUAL REQUIREMENTS:

• HTCDev unlock OR a temp root method. This is needed to mess with eMMC.
• Install TWRP 2.+ recovery once you root.

OVERVIEW OF HOW THIS WORKS:

• Qualcomm Download [QHUSB-DLOAD] mode is what we need
  

This QHUSB-DLOAD mode is significant because it gives us a chance to flash to mmcblk0p12 (HBOOT partition) and restore the backed up mmcblk0p5 partition that came from YOUR EVO. The only partition that actually needs to be corrupt is mmcblk0p5 (alternatively p4 but that is not recommended by Fuses).

~~~ STUFF HERE IS A LITTLE OUT OF DATE AND ASKS YOU TO DO SOME UNNECESSARY STEPS. I WILL BE UPDATING THIS IN A BIT. IF YOU ABSOLUTELY CAN NOT WAIT FOR A LIVECD, YOU MAY WISH TO FOLLOW WHAT yarrimapirate MADE AT THE LINK TOWARD THE TOP. DO BEWARE ALL OF THE CONSEQUENCES! ~~~
​

Make sure to follow the instructions of the script closely and for the sake of you succeeding *** BACKUP *** the partition that you are about to corrupt! You will not be able to get your phone working again (a strong hunch here ) without the correct partitions!

Brick your phone by corrupting p5. Then go to the emmc_recover steps below to fix the brick from your backed up partitions and flash a signed HTC HBOOT 1.12.

Basically, you want to run emmc_recover and tell it to use a specific byte chunk size of 24576 (so far I had the best results with that chunk size) to flash all of the needed partitions. Be patient, this will be slow as the tool only has 7-8 seconds at a time to write to eMMC. Then the device acts as a USB modem. This is the chance to recover the intentionally corrupt partitions AND put a new, lower version HTC HBOOT! The greatest usability of this tool, thoughtfully written by Fuses, takes the painstaking calculations and memorizations for sector offsets out and just does it for you. Slowly but surely.​

Thanks to Fuses (got the latest source code from his Git repo), emmc_recover compiled on my Fedora box supports loading code to eMMC in increments, resuming at a sector at which the task was left off. I found that setting the chunk size to 24576 worked best at a cost of more time needed. I tried setting the value higher but that did not get the phone to post even after all partitions and HBOOT were flashed back, even HBOOT 1.15 did not POST. So stick with the 24576 byte chunk.




Commands to recover from the brick and downgrade hboot:

This is the order that I went by but theoretically it does not matter as long as you end with the HBOOT flash to sdb12 or sdc12 (maybe even sdd12 depending on your box).

The order I flashed in:
hboot_1.12.0000_signedbyaa.nb0, mmcblk0p5.

1. Plug in your phone already in Qualcomm Download Mode aka brick and in the terminal type

   sudo dmesg

   to see if qcserial ttyUSB0: Qualcomm USB modem converter now connected to ttyUSB0 comes up. If you see it, good. If not, run

   sudo modprobe qcserial

   and check

   dmesg

   again.
2. Make sure that all of your files are ready, backups specifically, binaries, and a . Open up 2 or more terminal tabs and run

   sudo modprobe -r qcserial

   in tab 2.
3. Now make a placeholder ttyUSB0 with

   sudo mknod /dev/ttyUSB0 c 188 0

   still in tab 2.
4. In tab 1, run but don't press enter too many times just yet, else the tool will complain.

   sudo ./emmc_recover_new -f hboot_1.12.0000_signedbyaa.nb0 -d /dev/sdb12 -c 24576

   in tab 2, after you are at the second 'press enter' prompt -- wait and jump into tab 2 to enable qcserial again with

   sudo modprobe qcserial

   .
5. Now you can hit enter in tab 1 to kick off the procedure and sit back. Once the HBOOT is done, do the magic partition 5 and cross your fingers :fingers-crossed:

   sudo ./emmc_recover_new -fmmcblk0p5 -d /dev/sdb5 -c 24576

6. By the time you flashed the mmcblk0p5 image file to sdb5 or sdc5, you will get a pleasant surprise when your phone does yet another reset and this time you will see the HTC logo on your phone Don't let the ROM fully load (but it shouldn't be too bad if you do) and reboot into the bootloader (Vol - & Power) and check out your hboot version!
7. Do the RUU restore to the ROM which contains HBOOT 1.12. As mentioned above, you don't want to be running HBOOT 1.12 with all the other bits of your phone expecting HBOOT 1.12.
   1. In the fastboot-usb, use your fastboot binary and run

      fastboot oem rebootRUU

      .
      
   2. Once you see the plain HTC logo on your phone, do the

      fastboot flash zip [ROM zip name here]

      . If you have a SuperCID you will see a warning about that, then you flash again and pre-ROM checks and flashed get done. You really know the rest for here.... I hope

From here on, the rest is up to you, my friends!

Report back if you decide to try this method and let us know if you get stumped.
​

FREQUENTLY ASKED QUESTIONS​

I am going to comb through the posts here and pick out relevant Q&A's to post here. Feel free to PM me anything that you think should be here.
​

If you did understand the risks of doing this and now you find yourself stuck, please post and let people know. Don't freak out and try not to call up your carrier for a replacement. Chances are there's a simple way out. Practice patience and give yourself plenty of time when doing complex things such as this.

If you find yourself waiting for LazyPanda to reboot and it has been more than the 30 second average, wait a couple of minutes and then you will have to do one of the things below.

1. The easiest is to just reboot your phone by hand and that should take care of it, <http://xdaforums.com/showpost.php?p=32773482&postcount=159>.
2. Use the official LP unbricker tool, <http://unlimited.io/lteunbricker.htm>.
   
3. Could be simpler than #2 but I haven't tried it for this purpose, <http://unlimited.io/qhsusbdload.htm>.
4. Also, check out post #2 in this <http://xdaforums.com/showpost.php?p=27974032&postcount=2>. Thanks to lowetax for the link.

For a more complete FAQ, please check out yarrimapirate's FAQ here.

​

 

[Mac_Gyver]

RESERVED

 

[joshuaw84]

Reserved for whomever Mac_Gyver so wishes to occupy this post.

sent from my LTEvo

 

[om4]

Finally someone has successfully downgraded. Now I owe my gf $200, this is roughly the process she had thought of but wanted to use my phone instead of hers. She is bricked both our 3d's so I was completely against her even trying. Whoops... She's never gonna let this go

 

[bog3nator]

so you are saying I can officially downgrade my ota updated 1.15 hboot with s-on to a 1..12 so I can get s-off and I can update my radios

That is what I assume he is saying, right now though it looks pretty risking going by all the warnings

sent from my Mean ass EVO

 

[om4]

You intentionally bricked the phone and rebuild the partitions? Elaborate, this could cost me $200

 

[P.Mobile]

i already have s-off but thats some good ishh rite there.. :good:

 

[William]

Looks like you took some risks Mac. Way to go soldier!

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
The U.S government wouldn't lie to us....would they?
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

---------- Post added at 04:31 AM ---------- Previous post was at 04:30 AM ----------

Finally someone has successfully downgraded. Now I owe my gf $200, this is roughly the process she had thought of but wanted to use my phone instead of hers. She is bricked both our 3d's so I was completely against her even trying. Whoops... She's never gonna let this go

Lol!

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
The U.S government wouldn't lie to us....would they?
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

 

[Mac_Gyver]

Finally someone has successfully downgraded. Now I owe my gf $200, this is roughly the process she had thought of but wanted to use my phone instead of hers. She is bricked both our 3d's so I was completely against her even trying. Whoops... She's never gonna let this go

I thought I was screwed too because I could not do anything with QXDM or QPST to get the phone into any sort of a boot cycle. This is where emmc_recover saved the day Since I knew that I screwed up by flashing the 4,5,6,13,26 partitions that belonged to One X, I knew that I just needed to get the originals back to fix the brick. What I got was a bit better

 

[Rxpert]

Sucks for people who didnt listen and took the OTA to 1.19....

 

[Mac_Gyver]

You intentionally bricked the phone and rebuild the partitions? Elaborate, this could cost me $200

I was actually intending to see if I could get the unlock method from One X to work on Evo LTE, since they are pretty similar. I haven't had the inclination to put my phone through the whole cycle again now that I finally got S-OFF but I might

 

[om4]

Yeah this is exactly what she told me had to be done to downgrade but she was missing how to brick and destroy all the partitions, I bet her $200 that she was wrong, she even hijacked my account to try and talk devs into doing it. I'd say she came close to convincing xhausx to do it. She couldn't use my phone and didn't want to use hers so she was willing to use other people, and she can be pretty evil. Now if everyone will excuse me I must bend over for her.... This is gonna hurt considering I'm broke as it is

 

[Mac_Gyver]

Sucks for people who didnt listen and took the OTA to 1.19....

Not to get anyone's hopes up (lol this whole post kinda is but I do stand by what it did for me) but maybe 1.19 would also work... :fingers-crossed:

 

[Mac_Gyver]

Yeah this is exactly what she told me had to be done to downgrade but she was missing how to brick and destroy all the partitions, I bet her $200 that she was wrong, she even hijacked my account to try and talk devs into doing it. I'd say she came close to convincing xhausx to do it. She couldn't use my phone and didn't want to use hers so she was willing to use other people, and she can be pretty evil. Now if everyone will excuse me I must bend over for her.... This is gonna hurt considering I'm broke as it is

haha, sucks man. But technically we are only messing up EMMC partitions 4,5,6,13,26 Does that keep you your bet?

It might be that only 26 or 13 and 26 need to be messed up then cryptographic checks fail and hboot is not executed. I do think that the SBL1-3 gets loaded and yet it will accept a bootloader that is lower version as long as HTC RSA keys check out. Just a theory.

 

[pspunderground]

Oh ****, haven't seen something so elaborate in years. I'm on 1.15, and if something easier (or Windoze compatible) comes up, I'm jumping on it.I need the new radios!

 

[Ladicx]

AWESOME way to have balls bro lol. :thumbup: def gonna let this dev a bit. I know some genius is going to turn this into a program, script, noob friendly version.

Super pumped and glad I stayed on 1.15

Sent from my EVO using Xparent Blue Tapatalk 2

 

[sullivan7221]

Wow! Nice work man! I'll be watching the progress for sure! *fingers crossed*

Sent from my EVO using xda premium

 

[om4]

Her reaction is oh it counts m**********r pay me, I'm going over how she didn't quite actually figure out how to purposely brick it and she says it's because I wouldn't let her try but her overall theory was sound

 

[ScottHW]

This is brilliant. 5* rated and Thanks'd

From what I am reading, it was a lucky accident?!? Regardless, it's great to hear that HBOOT can be downgraded.

One thing I wasn't clear about: are you
1) forcing the LazyPanda HBOOT 1.12.2222 directly onto the phone, or
2) downgrading to stock HBOOT 1.12.0000 and then running through the FeedPanda process?

 

[sslbaron]

Sucks for people who didnt listen and took the OTA to 1.19....

I'd be one of those. I didn't take the OTA, but I did ruu it to the latest update on Monday. I figured since no exploit had been found yet, that it was safe to assume that none was going to be found. Well, who's the ass now! lol

It figures. I am glad that progress has been made though. Good work :thumbup:

Sent from my EVO LTE using xda app