0

24th February Updated and added rom download links, clarified USB driver
setup for Desire Z and G2
20th April Added rooting guide and updated the tools package.
25th December Updated to include gfree 1.0 to make the process a little
easier. Also included multiple options for recovery for G2 and Desire Z.

This guide has been made by taking partial and whole intercepts from
various guides across the internet.
Sources: Setherios extensive guide on XDA Forums

Disclaimer
You are solely responsible for your actions (i.e. following this guide).
This guide has been tested to be working, so you dont have to worry.
If you encounter problems XDA Developer Forums will surely have a solution for you.

Required files for this guide:

DZ-G2 Downgrade-Rooting Tools , Link 2

Desire Z: Stock ROM , Link 2 , Link 3
G2: Stock ROM , Link 2 , Link 3
HTC Sync(only for Desire Z) or HTC USB Driver(either model)

Download the attached file. Extract and place the folder in your C drive as shown.

Right click on My Computer > Properties > Advanced/Advanced System Settings >
Environment Variables
Under System Variables click path and click edit.
At the end of the line add a semi colon ; and type C:\platform-tools (of course
without ) then click OK.
o Now we need to install the USB drivers for your phone on your system. Just install
the latest HTC Sync (only for Desire Z) or HTC USB Driver (either model). If you
installed HTC Sync then connect your phone via USB and select HTC Sync option.
Let the Sync application detect your phone. After it detects and connects to your
phone successfully remove the USB from your phone. Now go to Add/Remove
Programs and remove HTC Sync Software...

(CAUTION: do not uninstall other HTC driver software) . Your drivers should be
successfully set up.
o On your phone, click Settings > Applications > Development and make sure USB
Debugging is on. Now connect your phone in charge only mode.
o Open Command Prompt from Run in start menu by typing "cmd" .Type the
following into the command prompt window (hitting enter at the end of every line):
> adb devices

You should see your device serial showing up. This means you are all set.
If it doesnt show up then try reconnecting your phone and also try reinstalling the
drivers. Charge only mode is compulsory

Note: Whenever you are typing the commands you do not need to type the
characters in blue i.e., > $ #

1. Your sdcard should be inserted in your phone, you should be connected to

your pc in charge only mode, and your sdcard should not be full (min 400MB
free).
2. Run the following command to verify the exploit has access to what it needs.
(Only the first line is the command. The second line should be the result
returned if all goes well)

> adb shell cat /dev/msm_rotator

/dev/msm_rotator: invalid length
3. If you received the same message, you're good to continue on. If not... I'd
recommend going back to #g2root and asking them. (I am just passing along
the information after all)
4. Run the following commands
> adb push fre3vo /data/local/tmp
> adb shell
$ chmod 777 /data/local/tmp/fre3vo
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
5. After you enter that command, with luck you should see something similar to
the last few lines in the following displayed. (It may take a minute or two. From
what I can tell, this appears to be the quickest method as the exploit seems to
be found in the latter regions.)
Buffer offset:

00000000

Buffer size:

8192

Scanning region fb7b0000

Scanning region fb8a0000
Scanning region fb990000
Potential exploit area found at address fbb4d600:a00.
Exploiting device

6. A. If the exploit works, you will be kicked out of ADB shell, proceed to Step #7
B. If the above does not work, and fails, you can try the following, and hopefully
one will work, try the following (you must reboot your phone before you try
another set):
$ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
$ /data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF
$ /data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF
$ /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
$ /data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF

7. If you did get kicked out of adb shell, open it again. You should now see the
lovely # instead of $, thus granting you temp root. Go ahead and exit out of
shell to proceed to the next stage.
> adb shell
# exit

1. Enter the following commands.

> adb push misc_version /data/local/tmp/misc_version
> adb push flashgc /data/local/tmp/flashgc
> adb shell chmod 777 /data/local/tmp/*
> adb shell
> cd /data/local/tmp
# ./misc_version s 1.00.000.0
--set_version set. VERSION will be changed to: 1.00.000.0
Patching and backing up partition 17
# ./flashgc

Note: If you get the following error, please make sure your sdcard is inserted in
your phone and your phone is connected to the computer on Charge Only mode
(not USB Storage)
Error opening backup file.
2.

# sync

3. Double check and make sure everything looks good so far by running the following
command (still in adb shell).
# dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10
1.00.000.010+0 records in
10+0 records out
10 bytes transferred in 0.001 secs (10000 bytes/sec)
4. Backup any data you require i.e. contacts, messages, calendar, images, videos,
music.

If you have nothing to backup or dont care to back up anything, proceed directly to
downgrading on the next page.
NOTE: This page is totally optional; also it doesnt work all the time. Feel free to skip this
page if it doesnt work.
1. Run the following commands in your command prompt.
> adb push su /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push fixsu.sh /data/local/tmp/
> adb install Superuser.apk
> adb shell chmod 755 /data/local/tmp/fixsu.sh
> adb shell /data/local/tmp/fixsu.sh
2. Download a backup application such as TitaniumBackup / MyBackupRoot. You can
also use ES File Explorer to backup the apks of your apps onto your sdcard.
Call Logs Backup & Restore and SMS Backup & Restore are other cool options.
Make a backup.

Please follow either manual downgrade or fastboot downgrade.

Hope youve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other
roms, you may brick your device. Use only roms that are compatible with your phone.
1. Rename your downloaded rom to

PC10IMG.zip (i.e. PCtenIMG.zip)

Note: Filename MUST be all uppercase except for the extension, and if file
extensions are hidden, do not include ".zip")
2. Now connect your phone in USB storage and copy your PC10IMG.zip onto your
sdcard. NOTE: Do not place it inside any folder.
3. Now change your connection type to Charge Only. The next process takes about
5-10 minutes so make sure your charge is not low else, plug into an outlet or your
computer.
4. Type the following in your command prompt to reboot your phone into your
bootloader.
> adb reboot bootloader
5. After your phone has entered the bootloader, press the power button (works as
select key, volume keys work as navigation keys).
Your phone will now scan for your rom file and asks you to confirm the update
(actually its a downgrade for you, we manipulated the version number remember?)
DO NOT INTERRUPT THIS PROCESS. Your phone will reboot once or twice (completely
normal). Once the process is complete it will ask you to press a key to reboot. Your
phone will now reboot into your stock Froyo rom.
Congratulations your downgrade is complete and you are free go ahead and root your
phone permanently. There are many guides out there. You could even follow the guide
on the next few pages sourced from xda wiki. Please avoid anything related to Visionary
it has been known to brick phones.

10

Hope youve downloaded your respective rom i.e. Desire Z (or) G2. Do not use any other
roms, you may brick your device. Use only roms that are compatible with your phone.
1. Rename your downloaded rom to

StockRom.zip

Note: Filename MUST be exactly same, and if file extensions are hidden, do not
include ".zip")
2. Now copy StockRom.zip into your platform-tools folder. Next type the following
command to boot into the bootloader.
> adb reboot bootloader
3. Make sure your device is recognized by typing the following command. If your
device is recognized it should return a serial/model number.
> fastboot devices
4. Type this and your phone should now reboot into a black screen with a grey/silver
"HTC" logo on it.

> fastboot oem rebootRUU

5. Next we flash the Stock Rom. This may take a few minutes as it transfers the file to
the phone then attemps to update (downgrade).
> fastboot flash zip StockRom.zip
In rare cases the flash stops and the user gets a warning to repeat the flash
immediately dont panic, just run the " fastboot flash zip StockRom.zip" (only this
command, not the rebootRUU one) again and it will work.
6. When it finishes, wait a minute or two (just in case) then reboot your phone by
typing:
> fastboot reboot

Your phone will now reboot into your stock Froyo rom.Congratulations your downgrade
is complete and you are free go ahead and root your phone permanently. There are many
guides out there. You could even follow the guide on the next few pages sourced from
xda wiki. Please avoid anything related to Visionary it has been known to brick phones.

11

Before we can continue you need to enable debugging in the settings on the phone. In
Settings go to "Applications -> Development" and check the "USB debugging" option.
Connect you phone via USB to your PC. Your phone should remain connected throughout
the process. Make sure that your phone is NOT CONNECTED IN USB STORAGE and your
sdcard is inserted in your phone and is mounted on the phone. There is a Readme.txt file
in the platform-tools folder. Follow that and then enter the following commands taking
care that you have typed correctly.
> adb push psneuter /data/local/tmp/
> adb push gfree /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push hboot-eng.img /data/local/tmp/
> adb push root_psn /data/local/tmp/
> adb push su /sdcard/
> adb push Superuser.apk /sdcard/

> adb shell chmod 755 /data/local/tmp/*

Now you can choose either 4ext or clockwork for your recovery. So enter the following
command accordingly. Choose only one.
> adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp/recovery.img
or
> adb push recovery-4ext-2.2.7.rc5-vision.img /data/local/tmp/recovery.img
or
> adb push recovery-clockwork-touch-5.8.1.0-vision.img /data/local/tmp/recovery.img
or
> adb push recovery-4ext-touch-v1.0.0.5-rc9-vision.img /data/local/tmp/recovery.img
I personally recommend the last one. i.e, 4ext touch.

12

Now the following command is to get temporary root.

> adb shell /data/local/tmp/psneuter
> adb shell
After the last command you should have a root shell in adb given by #. Now do not close
the command/ terminal window.

Note the output of the next commands:

# cd /data/local/tmp
# ./gfree f b hboot-eng.img y recovery.img
As it is very important that the hboot was installed correctly, gfree calculates md5sums
of the partitions. It will calculate the following three checksums.
md5sum #1 checksum of partition 18 before the installation.
md5sum #2 checksum of the hboot image that should be installed to partition 18
md5sum #3 checksum of partition 18 after the installation.
The messages that you what to see are either/or:
md5sum #1 == md5sum #2 hboot image is already installed.. skipping.
md5sum #3 == md5sum #2 hboot image was successfully installed.
If you get a different error message the DO NOT REBOOT. Join #G2ROOT on Freenode
and ask for help stating your phone model and all the methods / procedure you
followed. You might have to wait for sometime until someone replies to your query.
If you didnt get any error then you may proceed with the next commands.
# ./root_psn
# sync
# reboot

13