Downgrading from 2.3 Gingerbread to 1.32 to S-OFF, root, update to 2.3 RUU question - Desire HD Q&A, Help & Troubleshooting

Hi, can someone explain to me in nice and easy terms how to downgrade using this user guide, please? I have seen a few people asking, so it would help them too.
http://forum.xda-developers.com/showthread.php?t=905003
Section 2b [For Gingerbread ROMs, 2.x]
Connect Desire HD to a computer. Charge only, USB Debugging enabled!
Open up a cmd and go to Downgrade folder, execute commands:
Right, this is where I get stuck: what exactly do you put on the command line in cmd? Is the Downgrade folder the PD98IMG.zip file you put on your SD card, or what do you actually type?
The PD98IMG.zip file is on my K: drive on the SD card, if that's relevant in any way.
And then, obviously, I could follow on with the rest of the steps, which are the following:
execute commands:
Code:
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
Section 3
If you got "#" in the result, you have temporary root! Proceed with commands:
Code:
cd /data/local/tmp
./misc_version -s 1.31.405.6
Close the cmd window. Reboot while holding Volume Down; it will go to the bootloader.
Follow the instructions (start the update)

Hi,
Where did you put the downgrade folder? The attachment from the first post?
If you placed it directly on your C: Drive, the example would be, from within a cmd window -
Code:
cd C:\Downgrade
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak

Hi Andy,
From Section 1, I put the PD98IMG on my desktop and then copied it onto my SD card, which is on my K: drive, where my DHD is attached via USB cable.
Do I need to put the PD98IMG on my desktop in a folder called 'Downgrade' or something?

No, look at the first post again. Download the Downgrade_v2.zip file right at the bottom of the post. Extract the contents to your C:\
For the sake of ease, make sure it's
C:\Downgrade\<files should be in here>

andyharney said:
Hi,
Where did you put the downgrade folder? The attachment from the first post?
If you placed it directly on your C: Drive, the example would be, from within a cmd window -
Code:
cd C:\Downgrade
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
One thing, @andy... maybe I'm talking about the same thing as you... sometimes the language bothers me.
Maybe he can't execute adb commands from C:\ if he hasn't set it up so that adb works from all directories (supposing he uses Windows)...
Maybe he should run it from this directory:
Code:
cd C:\sdk\platform-tools
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
Maybe I'm mistaken... I don't have any idea about Windows, lol.

I'm assuming ToneyEricsson hasn't added adb to his Windows environment. I think it would be simplest to put the directory on his C:\
I know what you mean, I float between XP, archlinux, and Ubuntu. Remembering what in where can get confusing.
EDIT: /Off Topic does clicking this link make you feel better?

@toney... have you installed HTC Sync on your computer (to obtain the drivers for Android USB debugging, adb) and installed the Android SDK on your system?
If not, get it here:
http://developer.android.com/sdk/index.html

andyharney said:
I'm assuming ToneyEricsson hasn't added adb to his Windows environment. I think it would be simplest to put the directory on his C:\
I know what you mean, I float between XP, archlinux, and Ubuntu. Remembering what in where can get confusing.
Aaaaahhh, OK, OK, I supposed so. In addition... ouch! I wrote my post above before reading your last post, sorry.
I said the same thing as you... sorry @andy.

I'm using Windows 7 64-bit Ultimate. I have only HTC Sync installed.
I have put the Downgrade folder onto the C: drive and get this when running the Section 2b [For Gingerbread ROMs, 2.x] commands:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user>cd C:\Downgrade
C:\Downgrade>adb push misc_version /data/local/tmp
1546 KB/s (15837 bytes in 0.010s)
C:\Downgrade>adb push GingerBreak /data/local/tmp
2054 KB/s (16830 bytes in 0.008s)
C:\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 5483 GOT start: 0x00014360 GOT end: 0x000143a0
[*] vold: 5483 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?

Back up the files from your SD card to your computer and format your SD card. It's failing to see it. Or put it in, if you removed it.

andyharney said:
Backup files from your SDcard to your computer and format your SDcard. Its failing to see it. Or put it in, if you removed it.
The 32GB SD card is in my DHD. I have a few SD cards here; I'll format a smaller one, put the PD98IMG on it and try again.
So you have seen this before?

OK, any SD card will do. Yes, I've seen this before.

Toney, when you have your HD connected to the PC at that stage, also make sure it is in Charge mode only, not disk mode.

Done formatting an 8GB SD card, put PD98IMG on the SD card, and now back in Charge only mode with USB debugging enabled.
I now have both HTC Sync and the Android SDK on my PC. I will try the commands again as before.

nednapalm said:
Toney, when you have your HD connected to the PC at that stage, also make sure it is in Charge mode only, not disk mode.
Completely forgot about that. That could be the cause.

andyharney said:
Completely forgot about that. That could be the cause.
caught me out once too!

Well, I got HTC Sync and the Android SDK installed, Charge only, USB debugging enabled, and just ran the same command line as earlier and get exactly the same:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user>cd C:\Downgrade
C:\Downgrade>adb push misc_version /data/local/tmp
adb server is out of date. killing...
* daemon started successfully *
1718 KB/s (15837 bytes in 0.009s)
C:\Downgrade>adb push GingerBreak /data/local/tmp
1494 KB/s (16830 bytes in 0.011s)
C:\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 1226 GOT start: 0x00014360 GOT end: 0x000143a0
[*] vold: 1226 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?

ToneyEricsson said:
Well I got HTC Sync and Android SDK installed, Charge only, USB debugging enabled and just ran the same command line as earlier and get the exact same
You need to enter the commands like post 5 of this thread...
Make sure that you have put the Downgrade_v2 folder into the platform-tools folder of the SDK.

Toney, I would also try downloading the RUU for 2.36 from XDA and flashing that to get a clean start (don't set up any accounts; just skip the setup till you get to the launcher and start the process again).

nednapalm said:
Toney, I would also try downloading the RUU for 2.36 from XDA and flashing that to get a clean start (don't set up any accounts just skip the setup till you get to the launcher and start the process again).
I have the 2.3 RUU already downloaded, but I need to downgrade to 1.32, get rooted with Visionary and S-OFF with the tool, and then after that update with the 2.3 RUU.
Edit: All done, S-OFF and rooted in 2.3 with Gingerbreak.
P.S. Sergie is the man! A big thanks!

Related

Downgrade Problems

Hello, I'm having a bit of an issue with the downgrade process. I'm following the instructions in this thread and after I've typed
./data/local/tmp/GingerBreak
I've been stuck on the following screen for 10-15 minutes -
[screenshot attachment, not included on this page]
Any ideas on how I proceed? Is this normal? The same question is asked in the thread I linked, but it doesn't seem to be answered in any great detail. My current firmware is 2.36.405.8.
El Presidente81 said:
Hello, I'm having a bit of an issue with the downgrade process. I'm following the instructions in this thread and after I've typed
I've been stuck on the following screen for 10-15 minutes -
Any ideas on how I proceed? Is this normal? The same question is asked in the thread I linked, but it doesn't seem to be answered in any great detail. My current firmware is 2.36.405.8.
Have you checked if a goldcard is needed for your device?
SERGI.3210 said:
Have you checked if a goldcard is needed for your device?
I presumed as I was using the 2.36.405.8 firmware, I wouldn't need to worry about a gold card?
Am I safe to disconnect my phone at the moment?
El Presidente81 said:
I presumed as I was using the 2.36.405.8 firmware, I wouldn't need to worry about a gold card?
Am I safe to disconnect my phone at the moment?
A goldcard is for branded devices. If your phone is branded, you need a goldcard.
Also... did you obtain temporary root, or were you stuck before obtaining it? (Temporary root is represented by a # symbol.)
SERGI.3210 said:
A goldcard is for branded devices. If your phone is branded, you need a goldcard.
I'm not branded as I'm running the 2.36.405.8 firmware.
El Presidente81 said:
I'm not branded as I'm running the 2.36.405.8 firmware.
I've edited post #4... read the post.
There are branded phones with this firmware also... (2.xxx WWE official RUU).
I don't believe I have temporary root as I never received the "#" sign.
The attached is what I was presented with before entering the "./data/local/tmp/GingerBreak" command. It didn't work the first time I tried (as you can see), so I waited a few minutes then tried again. That is when I was presented with the screenshot from my first post.
So you think despite the firmware I'm running and the fact I've had 2 OTA updates (1.32.405.6 -> 1.72.405.3 & 1.72.405.3 -> 2.36.405.8), I could actually be branded?
Also, given it doesn't appear to be doing anything at the moment, am I ok to disconnect?
El Presidente81 said:
I don't believe I have temporary root as I never received the "#" sign.
The attached is what I was presented with before entering the "./data/local/tmp/GingerBreak" command. It didn't work the first time I tried (as you can see), so I waited a few minutes then tried again. That is when I was presented with the screenshot from my first post.
So you think despite the firmware I'm running and the fact I've had 2 OTA updates (1.32.405.6 -> 1.72.405.3 & 1.72.405.3 -> 2.36.405.8), I could actually be branded?
Also, given it doesn't appear to be doing anything at the moment, am I ok to disconnect?
Yes mate, you can disconnect without problems; you didn't do anything important to your device after all...
Yes, your device can be branded... the updates have nothing to do with it...
If you have a SIM-free phone, your handset is unbranded.
OK, let's get to the trouble...
Did you check that the downgrade file was downloaded correctly? Try to download the file again... maybe something went badly...
And did you put it into the adb folder?
I deduce that you entered the commands correctly:
Code:
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
SERGI.3210 said:
Yes mate, you can disconnect without problems; you didn't do anything important to your device after all...
Thanks.
SERGI.3210 said:
Yes, your device can be branded... the updates have nothing to do with it...
If you have a SIM-free phone, your handset is unbranded.
I'll try with my GF's SIM card in, if that works, then I'll know for sure if I'm unbranded.
SERGI.3210 said:
OK, let's get to the trouble...
Did you check that the downgrade file was downloaded correctly? Try to download the file again... maybe something went badly...
And did you put it into the adb folder?
I deduce that you entered the commands correctly:
Code:
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
The MD5 of the PD98IMG.zip file checks out ok so I presume that's good. I don't know what the MD5 of the Downgrade_v2.zip file is so I can't confirm if that's downloaded correctly.
I appear to have followed the process to the letter, dropped the PD98IMG.zip onto the root of the SD Card, extracted the Downgrade_v2.zip to a folder on C:\ then navigated to that directory via the command prompt.
Does it look like I've done anything incorrectly from my screenshots? What about the first message I received when I entered "adb push misc_version /data/local/tmp", does that mean anything?
Really appreciate the help btw, thanks.
Hi, just had a read through the whole post.
And the reason you're not getting # in adb shell is simply that you're not entering the command properly.
I will highlight your error
Code:
adb push GingerBreak /data/local/tmp
...
adb shell
./data/local/tmp/Gingerbreak      <-- lowercase "b" here
Notice you pushed GingerBreak, yet you try to execute Gingerbreak
In Linux, file names that contain uppercase letters are completely different from file names that contain lowercase letters.
FileExample.jpg is not the same as fileexample.jpg
Simply change the b to B in,
Code:
./data/local/tmp/Gingerbreak
to
Code:
./data/local/tmp/GingerBreak
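
As an added example, not code from the XDA guide or from any poster in this thread: a POSIX shell pre-flight script for the Section 2b steps that checks the things people here kept tripping over before anything is pushed to the phone. It verifies that misc_version and GingerBreak are present with the exact spelling (the GingerBreak/Gingerbreak mix-up just explained), compares PD98IMG.zip against the MD5 published with the download (the PD98IMG_MD5 value below is a placeholder you fill in from the guide; it is an assumption, not a value from this page), confirms adb sees exactly one device in "device" state, recognises temporary root by the "#" prompt or uid=0 from "adb shell id", and classifies saved GingerBreak output using the diagnoses given in this thread (the repeated "sendmsg() failed?" lines and the stall at the "GOT start" line). It assumes adb is on PATH and uses chmod 755 rather than the guide's 777, since the binaries only need to be executable.

```shell
#!/bin/sh
# Added example, not from the XDA guide or this thread: pre-flight checks for
# the Section 2b adb steps. Usage: "sh preflight.sh run" from the folder that
# holds misc_version and GingerBreak; "sh preflight.sh triage out.txt" to
# classify saved GingerBreak output. Assumes adb is on PATH.

REQUIRED_FILES="misc_version GingerBreak"   # names exactly as the guide pushes them
REMOTE_DIR=/data/local/tmp
# Placeholder (assumption): the MD5 the guide publishes for PD98IMG.zip.
PD98IMG_MD5="${PD98IMG_MD5:-REPLACE_WITH_MD5_FROM_GUIDE}"

# check_local_files DIR: every required file must be present in DIR with the
# exact spelling, because the Android shell is case-sensitive (Gingerbreak is
# not GingerBreak). Reports near misses that differ only by case. Returns 0
# when all are present, 1 otherwise.
check_local_files() {
    dir=$1; status=0
    for f in $REQUIRED_FILES; do
        found=0
        for g in "$dir"/*; do
            [ -e "$g" ] || continue
            b=${g##*/}
            if [ "$b" = "$f" ]; then
                found=1
            elif [ "$(printf '%s' "$b" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$f" | tr 'A-Z' 'a-z')" ]; then
                echo "case mismatch: found '$b', the guide pushes '$f'" >&2
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $dir/$f" >&2
            status=1
        fi
    done
    return $status
}

# verify_md5 FILE EXPECTED: compare FILE's MD5 with the published value
# (md5sum on Linux, md5 on macOS). Returns 0 on match.
verify_md5() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v md5sum >/dev/null 2>&1; then
        got=$(md5sum "$1" | cut -d' ' -f1)
    else
        got=$(md5 -q "$1")
    fi
    [ "$got" = "$want" ]
}

# shell_is_root TEXT: TEXT is a prompt or the output of "adb shell id".
# Root shows as a '#' prompt or uid=0(root); the stock shell user shows '$'.
shell_is_root() {
    case $1 in
        *"uid=0("*) return 0 ;;
        '#'*)       return 0 ;;
        *)          return 1 ;;
    esac
}

# triage_gingerbreak LOGFILE: map saved GingerBreak output onto the diagnoses
# given in this thread and echo one keyword:
#   root    - a '#' prompt appeared; continue with misc_version
#   sdcard  - repeated "sendmsg() failed?" lines; the thread's fix was an
#             inserted, formatted SD card, Charge only mode, USB debugging on
#   stalled - output ends at the "GOT start" line; the thread's advice was a
#             factory reset and retry (2.37/2.42 builds were reported as not
#             downgradeable this way)
#   unknown - anything else
triage_gingerbreak() {
    log=$1
    if grep -q '^#' "$log"; then echo root; return 0; fi
    if [ "$(grep -c 'sendmsg() failed' "$log")" -ge 3 ]; then echo sdcard; return 1; fi
    if tail -n 1 "$log" | grep -q 'GOT start'; then echo stalled; return 1; fi
    echo unknown; return 1
}

# run_downgrade_prep: the guide's push/chmod steps, gated by the checks above.
run_downgrade_prep() {
    check_local_files . || { echo 'fix the file names listed above, then retry' >&2; exit 1; }
    if [ -f PD98IMG.zip ] && ! verify_md5 PD98IMG.zip "$PD98IMG_MD5"; then
        echo 'PD98IMG.zip MD5 does not match the value from the guide' >&2; exit 1
    fi
    # exactly one device in "device" state (an "offline" entry means wrong USB
    # mode or driver; the guide wants Charge only with USB debugging enabled)
    n=$(adb devices | awk 'NR>1 && $2=="device"' | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "expected one device, adb sees $n" >&2; exit 1; }
    for f in $REQUIRED_FILES; do
        adb push "$f" "$REMOTE_DIR/$f"
        adb shell chmod 755 "$REMOTE_DIR/$f"   # executable is enough; 777 is not needed
    done
    echo "Now run: adb shell, then $REMOTE_DIR/GingerBreak, and wait for a # prompt."
}

case ${1:-} in
    run)    run_downgrade_prep ;;
    triage) triage_gingerbreak "$2" ;;
    *)      : ;;   # no argument: only define the functions
esac
```

Run it with no argument to just load the functions, with "run" to perform the checks and pushes, and with "triage" plus a file containing pasted GingerBreak output to get one of the keywords above. The triage keywords only encode what posters in this thread reported worked for them; they are not a statement about why the exploit fails on a given build.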
Oops
Why would I get the first screenshot then? What exactly is that?
I'll give it a whirl later on tonight when the Mrs is at work.
I thank you both for your time.
Your first screenshot can be indicative of a couple of issues. It seems linked to the Indian 2.37 firmware's inability to be rooted, hence the freeze at
Code:
vold: 1226 GOT start: 0x00014360 GOT end: 0x000143a0
HTC could've issued a hot OTA to patch the root exploit, but I doubt that.
Have you tried a factory reset then trying again?
I'll try again, double checking all code is correct, if that fails, then I'll try a factory reset, then trying again.
All this trying and failing will do no damage to the phone will it?
Downgraded
Thank you for both replying.
Good to hear. You can enjoy custom ROMs now.
Hello
I am kinda having the same problem. But what I get is this:
c:\Tel backup\Downgrade>adb push misc_version /data/local/tmp
989 KB/s (0 bytes in 15837.000s)
c:\Tel backup\Downgrade>adb push GingerBreak /data/local/tmp
150 KB/s (0 bytes in 16830.000s)
c:\Tel backup\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
c:\Tel backup\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
c:\Tel backup\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 1227 GOT start: 0x00014360 GOT end: 0x000143a0
[*] vold: 1227 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
My device info is:
Android version: 2.3.3
HTC Sense version: 2.1
Baseband version: 12.54.60.25U_26.09.04.11_M2
Kernel version: 2.635.10-g0956377 [email protected] #1 Tue Mar 29 06:10:15 CST 2011
Build number: 2.36.468.10 CL 49203 Release-keys
Software number: 2.36.468.10
Browser version: WebKit/533.1
It is not branded.
I assume it can be downgraded?
And this is what I get after I rebooted the device and tried again:
c:\Tel backup\Downgrade>adb push misc_version /data/local/tmp
adb server is out of date. killing...
* daemon started successfully *
989 KB/s (0 bytes in 15837.000s)
c:\Tel backup\Downgrade>adb push GingerBreak /data/local/tmp
1051 KB/s (0 bytes in 16830.000s)
c:\Tel backup\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
c:\Tel backup\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
c:\Tel backup\Downgrade>adb shell
$ exit
exit
Try factory resetting your device. That is a known issue that sometimes crops up.
I factory reset the device, started the downgrade and got an error saying CID incorrect.
What do i need to do now ?
El Presidente81 said:
Downgraded
Thank you for both replying.
What exactly did you do? Because I'm stuck in exactly the same place:
vold: 1226 GOT start: 0x00014360 GOT end: 0x000143a0

[Q] Downgrade DHD

Hi guys. Sorry to trouble you with this n00b post, but I've searched everywhere and cannot find an answer.
I have a DHD with android 2.3.3 and sense 2.1. In order to install a custom rom I have to downgrade the phone.
I follow this guide: http://forum.xda-developers.com/showthread.php?t=905003
Of course, I use Section 2b. As you can tell by the screenshot, I've downloaded misc_version and GingerBreak to my platform-tools folder.
Why can't I push? I've searched in Astro. When I go into data, I can't find a folder named "local". Don't know if it should be there or if it is created when you type in cmd.
USB debugging is on, charge only. I've installed the SDK according to this guide on the CyanogenMod wiki: http://wiki.cyanogenmod.com/index.php?title=Howto:_Install_the_Android_SDK
I followed the install guide exactly, but could not finish step 24. I don't have an exclamation mark over an unknown adb device. All I can relate to this in Device Manager is "my htc". I've installed HTC Sync/USB drivers.
Can someone please help me?
/matekr
Not too sure, but a common problem is not having the HTC drivers? Have you installed HTC sync before to get all the correct drivers?
Tamen said:
Not too sure, but a common problem is not having the HTC drivers? Have you installed HTC sync before to get all the correct drivers?
Yes, I have. As you can see in the screenshot, adb finds my phone but can't push files.
matekr said:
Yes, I have. As you can see in the screenshot, adb finds my phone but can't push files.
If your version is 2.37 there is no way you can downgrade your DHD. We can just hope for the devs to find a way to downgrade that version.
You have to be in the correct directory to be able to push the file. The command would go as follows:
cd c:\android-sdk-windows\platform-tools
then run the adb push command.
This is assuming that your sdk folder is in the root of C: If not just amend the command accordingly.
I would personally rename the sdk folder to just 'android' then move it to C: in which case the command would then be:
cd c:\android\platform-tools
Hope this helps you bud.
Agreed, that was my mistake. I wasn't in the correct folder and it drove me crazy for ages till I realised my stupid mistake!
jonpenn101 said:
Agreed, that was my mistake. I wasn't in the correct folder and it drove me crazy for ages till I realised my stupid mistake!
What a stupid mistake! Thanks for the help!
Sorry dude, didn't check the screenshot. Yeah, I had that problem too; put the files in the folder you start adb in.
I am trying to root my DHD (it's currently on the latest Gingerbread OTA update)
Can you confirm that you have rooted your DHD using this method? And what version was your DHD at when you attempted this?
Currently this is where I'm stuck at
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Duy>cd Desktop
C:\Users\Duy\Desktop>cd Downgrade 2
C:\Users\Duy\Desktop\Downgrade 2>adb push misc_version /data/local/tmp
1405 KB/s (15837 bytes in 0.011s)
C:\Users\Duy\Desktop\Downgrade 2>adb push GingerBreak /data/local/tmp
1643 KB/s (16830 bytes in 0.010s)
C:\Users\Duy\Desktop\Downgrade 2>adb shell chmod 777 /data/local/tmp/misc_version
C:\Users\Duy\Desktop\Downgrade 2>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Users\Duy\Desktop\Downgrade 2>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 1226 GOT start: 0x00014360 GOT end: 0x000143a0
I assume that rooting was unsuccessful then? Can anyone give me some tips? (I am quite new at this if you can't already tell, just got this phone not too long ago)
Thanks
duynguyenle said:
I am trying to root my DHD (it's currently on the latest Gingerbread OTA update)
Check your software number.
If it's on 2.37 or 2.42, the latest Gingerbread OTA update, it is NOT downgradeable as of this moment.
Zulmacher said:
Check your software number.
If it's on 2.37 or 2.42, the latest Gingerbread OTA update, it is NOT downgradeable as of this moment.
That's what I thought. Oh well, guess I'll wait till someone roots it, then. Thanks.

Need assistance downgrading 2.36

Hello,
My DHD is running 2.3.3 Gingerbread with 2.36.771.14 Build Number.
It's a branded phone so I followed THIS guide on creating a Goldcard which I have now done.
My next step was to follow THIS precisely; however, I end up with a few errors in the cmd window. I've moved the PD98IMG.zip file into the root of the SD card unextracted, and I've extracted Downgrade_v2.zip into the C:\ drive on my computer.
This is what I input into the CMD:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\NAME>CD/
C:\>CD Downgrade
C:\Downgrade>adb push misc_version /data/local/tmp
adb server is out of date. killing...
* daemon started successfully *
1718 KB/s (15837 bytes in 0.009s)
C:\Downgrade>adb push GingerBreak /data/local/tmp
1369 KB/s (16830 bytes in 0.012s)
C:\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 0000 GOT start: 0x00014360 GOT end: 0x000143a0
I've searched for a few days on how to resolve this issue, the only solutions that I've seen is to retry making a Goldcard and perform a factory reset and follow the steps again. I've done both and yet I still receive this error, can anybody point me in the right direction?
Is this before or after you managed to downgrade using the goldcard?
If it's after the downgrade to 2.36.405 or lower, use this...
http://driphter.com/index.php?topic=3867.0
You may not have to downgrade, as Gingerbreak should work with your v2.36 as well (as it's just the carrier-modded 2.36; the .771 signifies the vendor's ID number).
E.g. Telus = 661, hence all Telus builds are .661.x.
Hi there thank you for your quick response,
I have not yet managed to downgrade at all, that is where my problem lies.
- I will try that guide out and let you know the result.
I followed that guide, however the RUU gives me an error:
"ERROR [140]: BOOTLOADER VERSION ERROR
The ROM Update Utility cannot update your Android Phone.
Please get the correct ROM Update Utility and try again."
TheRealKeyboardWarrior said:
I followed that guide, however the RUU gives me an error:
"ERROR [140]: BOOTLOADER VERSION ERROR
The ROM Update Utility cannot update your Android Phone.
Please get the correct ROM Update Utility and try again."
You're going to need to use the goldcard to downgrade first then, then you'll be able to root only after downgrading.
(Try this method: http://forum.xda-developers.com/showthread.php?t=1152233&page=7 to DOWNGRADE ONLY!)
That guide is for 2.37, I'm on 2.36.771.114 Build.
TheRealKeyboardWarrior said:
That guide is for 2.37, I'm on 2.36.771.114 Build.
It should still work. Either the bootloader will bypass the update to 2.37, or it will take. If it takes, then you can downgrade to 1.32 and root your device. If it doesn't, then it doesn't, and you're still on 2.36.771.
So it's either a win situation or a loss of 10 minutes. lol
JSLEnterprises said:
It should still work. Either the bootloader will bypass the update to 2.37, or it will take. If it takes, then you can downgrade to 1.32 and root your device. If it doesn't, then it doesn't, and you're still on 2.36.771.
Great, I'm halfway through the process as we speak. Thank you for your consistent help so far.
JSLEnterprises said:
It should still work. Either the bootloader will bypass the update to 2.37, or it will take. If it takes, then you can downgrade to 1.32 and root your device. If it doesn't, then it doesn't, and you're still on 2.36.771.
So it's either a win situation or a loss of 10 minutes. lol
I am now rooted and have Radio-off. I will be flashing LeeRoid later today, thank you very much for all your help
N.P.
Recommendation: use the 2.36.405.8 RUU to update to that version and root it (unless you want to update your radio using fastboot and shell commands).

How can I install official Froyo on my 2.3.3

I was able to download stock Froyo from HTC, but I don't know how to install it on my 2.3.3 Gingerbread version.
Also, I don't understand these instructions attached to the firmware:
Please follow the command below to download the official Android toolchain (arm-eabi-4.4.3):
git clone https://android.googlesource.com/platform/prebuilt
NOTE: the tool 'git' will need to be installed first; for example, on Ubuntu, the installation command would be: apt-get install git
--Modify the .bashrc to add the toolchain path, like the example below:
PATH=/usr/local/share/toolchain-eabi-4.4.3/bin:$PATH
Are you rooted with S-OFF? If not, you must do this first if you want to easily change between ROMs. Actually, to properly root and obtain true S-OFF, one of the steps will be to downgrade to stock Froyo; follow the XDA or CyanogenMod wiki to get there.
Sent from my HTC Vision using xda premium
demkantor said:
Are you rooted with S-OFF? If not, you must do this first if you want to easily change between ROMs. Actually, to properly root and obtain true S-OFF, one of the steps will be to downgrade to stock Froyo; follow the XDA or CyanogenMod wiki to get there.
Sent from my HTC Vision using xda premium
I have tried to downgrade my HTC Vision but it's not working. Please see my cmd log below:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Patrolscsn>adb devices
List of devices attached
SH0B1RT02382 device
C:\Documents and Settings\Patrolscsn>adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length
C:\Documents and Settings\Patrolscsn>adb push fre3vo /data/local/tmp
cannot stat 'fre3vo': No such file or directory
C:\Documents and Settings\Patrolscsn>adb shell
$ chmod 777 /data/local/tmp/fre3vo
chmod 777 /data/local/tmp/fre3vo
Unable to chmod /data/local/tmp/fre3vo: No such file or directory
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local/tmp/fre3vo: not found
$ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
/data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
/data/local/tmp/fre3vo: not found
$
Either you forgot to extract the files or you didn't put them in the same folder as adb.
Sent from my HTC Vision using xda premium
kenanibeze said:
C:\Documents and Settings\Patrolscsn>adb push fre3vo /data/local/tmp
cannot stat 'fre3vo': No such file or directory
$
This is your first error message. All following commands fail because of this. You cannot simply continue when one step is executed with error. You have to fix it and then continue.
The reason for the error message is simple. There is no such file as 'fre3vo' in the directory ‘C:\Documents and Settings\Patrolscsn’. Copy the file 'fre3vo' in this directory or change current directory to one where the file is located. If you don’t know how, then you should probably stop trying to root your device.
The fre3vo is in the directory!!!!!
shared_ptr said:
This is your first error message. All following commands fail because of this. You cannot simply continue when one step is executed with error. You have to fix it and then continue.
The reason for the error message is simple. There is no such file as 'fre3vo' in the directory ‘C:\Documents and Settings\Patrolscsn’. Copy the file 'fre3vo' in this directory or change current directory to one where the file is located. If you don’t know how, then you should probably stop trying to root your device.
I have the fre3vo in the directory and I downloaded it from the link provided by XDA.
kenanibeze said:
I have the fre3vo in the directory and I downloaded it from the link provided by XDA.
Yes, the file fre3vo is in the directory:
C:\platform-tools
But your current directory is (the directory where you execute the commands):
C:\Documents and Settings\Patrolscsn
Execute this command to change your current directory:
cd C:\platform-tools
Good luck, you'll definitely need it
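The two points shared_ptr makes, that the shell must be in the directory that holds the tools and that nothing after a failed step can be trusted, are easy to enforce before an adb session starts. The script below is an added example written for this thread; it is not code from the thread or from any of the rooting tools mentioned in it. It checks that every required file is present in the working directory, compares each against a checksum list obtained from the download page (the thread itself uses busybox md5sum for the same purpose on the device), and only then pushes them, stopping at the first push that fails. The file names, the sums list and the ADB override variable are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before an adb session.
# The thread's failure was 'cannot stat' on the first push because the shell's
# current directory did not contain the tools; every later command then failed.
set -u

# Return 0 if every named file exists in $dir; report each missing name on stderr
# together with the current directory, which is the usual cause.
check_files() {
  dir=$1; shift
  rc=0
  for f in "$@"; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f (current directory is $(pwd))" >&2
      rc=1
    fi
  done
  return $rc
}

# Return 0 if every "<md5>  <name>" line in $sums matches the file in $dir.
# The list is assumed to come from the tool's download page, so a corrupted or
# swapped download is caught before it is ever pushed to the device.
verify_sums() {
  dir=$1; sums=$2
  rc=0
  while read -r want name; do
    [ -n "$name" ] || continue
    have=$(md5sum "$dir/$name" 2>/dev/null | awk '{print $1}')
    if [ "$have" != "$want" ]; then
      echo "checksum mismatch: $name (want $want, have ${have:-none})" >&2
      rc=1
    fi
  done < "$sums"
  return $rc
}

# Push each file only after both checks pass. ADB can be overridden (ADB=echo
# gives a dry run) and the first failing push aborts the whole sequence.
push_all() {
  dir=$1; sums=$2; dest=$3; shift 3
  check_files "$dir" "$@" || return 1
  verify_sums "$dir" "$sums" || return 1
  for f in "$@"; do
    ${ADB:-adb} push "$dir/$f" "$dest" || { echo "push failed at $f, stopping" >&2; return 1; }
  done
}
```

Usage from the folder that holds the tools: `push_all . sums.txt /data/local/tmp tool_a tool_b` (names constructed here). Because each function returns non-zero on its first problem, the sequence never reaches `adb shell` with a half-populated `/data/local/tmp`.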
Hold Shift and right-click in the folder where fre3vo, fastboot.exe etc. are, then choose 'Open command here'.
Now start from the beginning.
Sent from my HTC Vision using xda premium
shared_ptr said:
Yes, the file fre3vo is in the directory:
C:\platform-tools
But your current directory is (the directory where you execute the commands):
C:\Documents and Settings\Patrolscsn
Execute this command to change your current directory:
cd C:\platform-tools
Good luck, you'll definitely need it
Thanks so much for the tip. Finally, after two weeks of searching for how to get the magical // sign, I got it. I'm ever grateful. :victory:
Please, I want to upgrade my HTC Sense, but I have no idea which custom Sense is good for the HTC Desire Z (I would have preferred Sense 4.0 but Sense 3.0 looks OK). Which one should I go for?
Also, which of the custom ICS ROMs is best for the Desire Z? :highfive:
kenanibeze said:
Thanks so much for the tip. Finally, after two weeks of searching for how to get the magical // sign, I got it. I'm ever grateful. :victory:
Please, I want to upgrade my HTC Sense, but I have no idea which custom Sense is good for the HTC Desire Z (I would have preferred Sense 4.0 but Sense 3.0 looks OK). Which one should I go for?
Also, which of the custom ICS ROMs is best for the Desire Z? :highfive:
You’re welcome.
I’m not a big fan of Sense, but I would go for Sense 4, since it is more "lightweight" (consumes less storage and CPU) than Sense 3.x. You also have to distinguish between Sense 4.0 and Sense 4.0A which is even more lightweight.
Remember that our device has no official support from HTC, so all ICS ROMs are not perfect. You will notice some glitch here and there, but everything is getting better and better. Some ROMs are pretty stable though, for example Andromadus Mimicry (which is based on Cyanogenmod 9.1). If you can live without Sense I would recommend this ROM to you.
Here are some links to ROMs:
Cyanogenmod 9.1 - Andromadus Mimicry
Sense 4.0A - Gen.Y VisionX
Sense 4.0 - Ice Cream SENSEwich
is my phone bricked?
shared_ptr said:
You’re welcome.
I’m not a big fan of Sense, but I would go for Sense 4, since it is more "lightweight" (consumes less storage and CPU) than Sense 3.x. You also have to distinguish between Sense 4.0 and Sense 4.0A which is even more lightweight.
Remember that our device has no official support from HTC, so all ICS ROMs are not perfect. You will notice some glitch here and there, but everything is getting better and better. Some ROMs are pretty stable though, for example Andromadus Mimicry (which is based on Cyanogenmod 9.1). If you can live without Sense I would recommend this ROM to you.
Here are some links to ROMs:
Cyanogenmod 9.1 - Andromadus Mimicry
Sense 4.0A - Gen.Y VisionX
Sense 4.0 - Ice Cream SENSEwich
Hello, please, I need your help. I think I have screwed up my HTC. I was trying to run the permanent root by strawmental; after running the sequence the phone could not boot again, it is stuck at the white background with the HTC logo.
How can I boot it back to life?
The S is off
h.boot now is 0.76.2000 (PC1011000)
MICROP 0425
CID 11111111
OS 1.34.405.5
This is the cmd log of the permanent root:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Patrolscsn>cd C:\platform-tools
C:\platform-tools>adb devices
List of devices attached
SH0B1RT02382 device
C:\platform-tools>adb push psneuter /data/local/tmp/
1453 KB/s (557962 bytes in 0.375s)
C:\platform-tools>adb push gfree /data/local/tmp/
1357 KB/s (716548 bytes in 0.515s)
C:\platform-tools>adb push busybox /data/local/tmp/
1468 KB/s (1926944 bytes in 1.281s)
C:\platform-tools>adb push hboot-eng.img /data/local/tmp/
1456 KB/s (1048576 bytes in 0.703s)
C:\platform-tools>adb push root_psn /data/local/tmp/
0 KB/s (564 bytes in 1.000s)
C:\platform-tools>adb push su /sdcard/
109 KB/s (26264 bytes in 0.234s)
C:\platform-tools>adb push Superuser.apk /sdcard/
1535 KB/s (196521 bytes in 0.125s)
C:\platform-tools>adb shell chmod 755 /data/local/tmp/*
C:\platform-tools>adb push recovery-clockwork-5.0.2.7-vision.img /data/local/tmp
/recovery.img
1479 KB/s (3739648 bytes in 2.468s)
C:\platform-tools>adb shell /data/local/tmp/psneuter
property service neutered.
killing adbd. (should restart in a second or two)
C:\platform-tools>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum /dev/block/mmcb1k0p18
./busybox md5sum /dev/block/mmcb1k0p18
md5sum: can't open '/dev/block/mmcb1k0p18': No such file or directory
# ./gfree -f -b hboot-eng.img -y recovery.img
./gfree -f -b hboot-eng.img -y recovery.img
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
--hboot set. hboot image hboot-eng.img will be installed in partition 18
--recovery set. recovery image recovery.img will be installed in partition 21
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gd2764ed
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a6a54, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a6a54 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 18 and installing specified hboot image...
Backing up partition /dev/block/mmcblk0p18 to /sdcard/part18backup-315983571.bin
...
Writing image hboot-eng.img to partition /dev/block/mmcblk0p18 ...
Backing up current partition 21 and installing specified recovery image...
Backing up partition /dev/block/mmcblk0p21 to /sdcard/part21backup-315983571.bin
...
Writing image recovery.img to partition /dev/block/mmcblk0p21 ...
Backing up current partition 7 and patching it...
Backing up partition /dev/block/mmcblk0p7 to /sdcard/part7backup-315983571.bin .
..
patching secu_flag: 0
Done.
# ./root_psn
./root_psn
# sync
sync
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum hboot-eng.img
./busybox md5sum hboot-eng.img
7669ae12dc2faa10ae555a164980efd0 hboot-eng.img
# ./busybox md5sum /dev/block/mmcb1k0p18
./busybox md5sum /dev/block/mmcb1k0p18
md5sum: can't open '/dev/block/mmcb1k0p18': No such file or directory
#

[XZ2c] temp root exploit via CVE-2020-0041 including magisk setup

temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
Get a root shell with still locked bootloader.
The main thread is located in xz2 forum section here.
j4nn said:
temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
Get a root shell with still locked bootloader.
The main thread is located in xz2 forum section here.
Great news! I just bought a used XZ2c without knowing your latest success. This is a very pleasant surprise!
Warning: "H8314_Proximus (Vfe) BE_1313-6147_52.1.A.0.618_R1C" is the last firmware available via XperiFirm that is a target for the exploit. Other firmware versions must be searched for elsewhere. I downloaded this one before it is too late.
@SGH-i200, I can upload also H8314_Customized FR_1313-2468_52.1.A.0.618_R4C if you like. Or any other mentioned in the main thread.
implemented magisk setup from temproot
finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
j4nn said:
finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
Did it actually work? I am facing an issue while accessing the `/data/local/tmp` directory using adb.
Code:
127|H8324:/data $ ls
ls
ls: .: Permission denied
1|H8324:/data $ ls -al
---------- Post added at 06:38 PM ---------- Previous post was at 06:27 PM ----------
ahzam said:
Did it actually work? I am facing an issue while accessing the `/data/local/tmp` directory using adb.
Code:
127|H8324:/data $ ls
ls
ls: .: Permission denied
1|H8324:/data $ ls -al
I was able to copy the zip files from within the adb shell after copying the files to /sdcard/tmp location and then accessing /data/local/tmp
@ahzam, that's normal behaviour of standard adb shell user. You just need to 'adb push the-files /data/local/tmp' and within 'adb shell' just 'cd /data/local/tmp'.
j4nn said:
@ahzam, that's normal behaviour of standard adb shell user. You just need to 'adb push the-files /data/local/tmp' and within 'adb shell' just 'cd /data/local/tmp'.
Thanks, now the root is done, but it goes off with reboots. Any trick to keep this on after a reboot?
I was not able to install Xposed, and not able to run the rootcloak as well. This root is of little use I guess.
@ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
That allows great use of the temp root vs plain temp root shell.
Not only that you may backup locked TA for eventual restore of drm keys.
You can permanently modify oem partition for debloat or ims support.
Or you can use backup apps that require root.
Or iptables based firewall is great too you know.
There may be many other working use cases, like ads removal, if implemented properly (system less-ly), not tested though.
Do you think that's little use? If someone is not allowed to BL unlock (or does not want to) it looks like it actually is something!
Is there any way I can get the Customized DE H8324 image, or does anyone know how I could get it?
Sent from my iPhone using Tapatalk
If you can find it somewhere...
You may download H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip and skip flashing oem*.sin if you are running a Customized DE android 10 fw already.
I can upload following versions:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
Can I flash a oem from a newer android 10 version?
Sent from my iPhone using Tapatalk
j4nn said:
@ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
That allows great use of the temp root vs plain temp root shell.
Not only that you may backup locked TA for eventual restore of drm keys.
You can permanently modify oem partition for debloat or ims support.
Or you can use backup apps that require root.
Or iptables based firewall is great too you know.
There may be many other working use cases, like ads removal, if implemented properly (system less-ly), not tested though.
Do you think that's little use? If someone is not allowed to BL unlock (or does not want to) it looks like it actually is something!
Thank you @j4nn. Looking for some more information: is there a way to run these scripts on the phone directly? I started using the firewall, but I had to connect to ADB to regain root.
I have been using some banking applications, which do not work after detecting root, and that happens with this temp-root as well. Is there a way to hide the root from these apps? I tried to install rootcloak, but that didn't work. And the final question I have is how do I move an application, Android Firewall for example, to a permanent app with root access, if there is a way to do so.
I appreciate your help!!
@ahzam, that's right, the exploit needs to be run from adb. It would need to be extended to allow privilege escalation from an untrusted app context, i.e. to run it from a normal app / terminal emulator on the phone without use of adb. As it is temproot, you need to start it after each reboot.
Cannot help you with hiding, did not test that.
But I would assume magiskhide could eventually work. If it did not for some app, it may help to restart (and data erase) such app. Due to magisk started late from exploit instead of during boot, some modules may get started too late and therefore look like not working - restarting involved apps/services could help.
When an app asks for root, there is an option if it should be allowed once or permanently. Just select what you need. If you want to change that decision later, you can do that in magisk manager.
magiskpolicy is inaccessible or not found
Hi @j4nn! Thanks for giving me hope using my old H8324 XZ2c dual in a new way with temp root!
I followed your instructions and all worked so far. But now I'm stuck at the point where I want to activate temp root and start magisk.
The command "./tama-mroot" works as expected, but at the next step "./magisk-start.sh -1" I always get the error that magiskpolicy is inaccessible or not found.
"root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found"
Maybe it's easy to solve or I am doing something wrong, but I'm a newbie at this and don't find a mistake.
Do you have an idea what the problem is?
Thanks in advance for your answer!
Also thanks @ferluna18 for the perfect guide to downgrade my XZ2c with locked bootloader to a FW that works with the temp root.
@Dom195, have you run the prepare step, with the unzip and magisk-setup.sh? That should make magiskpolicy available.
@j4nn Yes, I did it.
But when I typed "chmod 755 tama-mroot magisk-setup.sh magisk-start.sh" in the adb shell I got no reaction. Unfortunately my skills are far too low to understand what this command is exactly for. But in another comment I saw in the code that there also was no reaction. Therefore I didn't see a problem with that. I looked at it once again, compared it with my cmd, and on my phone it doesn't seem to unzip the magisk-v20.4.zip file.
I just did it again. Do you see any mistake here?:
"D:\Downloads>adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp
tama-mroot.zip: 1 file pushed, 0 skipped. 0.3 MB/s (21355 bytes in 0.064s)
Magisk-v20.4.zip: 1 file pushed, 0 ski...d. 24.9 MB/s (5942417 bytes in 0.228s)
2 files pushed, 0 skipped. 18.2 MB/s (5963772 bytes in 0.313s)
D:\Downloads>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ unzip tama-mroot.zip
Archive: tama-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: y
inflating: magisk-start.sh
replace magisk-setup.sh? [y]es, [n]o, [A]ll, [N]one: y
inflating: magisk-setup.sh
replace tama-mroot? [y]es, [n]o, [A]ll, [N]one: y
inflating: tama-mroot
H8324:/data/local/tmp $ chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
H8324:/data/local/tmp $ ./magisk-setup.sh
+ '[' '' '=' --cleanup ']'
+ ZIPFILE=Magisk-v20.4.zip
+ '[' ! -d magisk ']'
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk magisk-start.sh magiskpolicy tama-mroot.zip
H8324:/data/local/tmp $ "
Thanks in advance!
@Dom195, it looks ok, so continue with next steps...
@j4nn: I continued and again got the info that magiskpolicy is inaccessible or not found when using command "./magisk-start.sh -1". See attached:
"D:\Downloads>adb devices
List of devices attached
BH900A5ZBZ device
D:\Downloads>adb shell
H8324:/ $ cd data/local/tmp
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk magisk-start.sh magiskpolicy tama-mroot.zip
H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd1a9589f00
[+] file epitem at ffffffd1c9535e80
[+] Reallocating content of 'write8_inode' with controlled data......[DONE]
[+] Overwriting 0xffffffd1a9589f20 with 0xffffffd1c9535ed0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9a6621ebf8
[+] kernel base: ffffff9a65080000
[+] Reallocating content of 'write8_selinux' with controlled data........[DONE]
[+] Overwriting 0xffffff9a6748f000 with 0x0...[DONE]
[+] init_cred: ffffff9a6722fcd0
[+] memstart_addr: 0xffffffef40000000
[+] First level entry: 13093e003 -> next table at ffffffd1f093e000
[+] Second level entry: 12f2ab003 -> next table at ffffffd1ef2ab000
[+] sysctl_table_root = ffffff9a6725c710
[+] Reallocating content of 'write8_sysctl' with controlled data..............[DONE]
[+] Overwriting 0xffffffd2316ae468 with 0xffffffd1da891000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 30891, kaddr ffffffd20b528900
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 30971, kaddr ffffffd1c5da4e00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 31023, kaddr ffffffd1a16d3180
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd1a9589f20
[+] epitem.prev = ffffffd1a9589fd8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found
127|root_by_cve-2020-0041:/data/local/tmp #"
Do you see an error here which I don´t see?
@Dom195, hmm, that's strange, looks good to me.
Could you please try it again and, when you get a root shell after running the exploit, try the following before starting magisk-setup.sh:
Code:
pwd
ls -lZ ./magiskpolicy
ls -lZ ./magisk/magiskinit64
id
id -Z
groups
cat ./magiskpolicy > /dev/null
cat ./magisk/magiskinit64 > /dev/null
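The checks j4nn lists separate a file that is absent from one that exists but cannot be read or executed by the shell's current context. The same "inaccessible or not found" message from mksh (bash prints "No such file or directory") covers several distinct causes, so the function below, an added example that is not from the thread or from the tama-mroot project, classifies the common non-SELinux ones in the order a practitioner would check them: missing path, a directory, no execute bit, unreadable, a script whose interpreter does not exist, and a mount with the noexec option. The noexec check reads /proc/mounts and is skipped where that file is unavailable; the SELinux label shown by `ls -lZ` is left to the reader because plain shell cannot interpret it portably. All file names in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the thread or of tama-mroot): classify why a shell
# reports "inaccessible or not found" for ./prog before looking at SELinux.

# Longest-prefix match of an absolute path against /proc/mounts; prints the
# mount options of the containing filesystem, or nothing when /proc/mounts is
# not readable (non-Linux hosts).
mount_opts_for() {
  [ -r /proc/mounts ] || return 0
  awk -v f="$1" '
    { mp=$2; if (index(f, mp) == 1 && length(mp) > best) { best=length(mp); opts=$4 } }
    END { print opts }' /proc/mounts
}

# Prints one token describing the file at $1 and returns 0 only for "ok".
diagnose_exec() {
  p=$1
  [ -e "$p" ]   || { echo "missing";        return 1; }
  [ ! -d "$p" ] || { echo "directory";      return 1; }
  [ -x "$p" ]   || { echo "not-executable"; return 1; }
  # j4nn's 'cat ./magiskpolicy > /dev/null' probes this: a script must be
  # readable by the calling context, not just marked executable.
  [ -r "$p" ]   || { echo "unreadable";     return 1; }
  # A script whose interpreter is absent fails exactly like a missing binary;
  # for an ELF binary the analogous failure is a missing dynamic loader.
  if [ "$(head -c 2 "$p" 2>/dev/null)" = "#!" ]; then
    interp=$(head -n 1 "$p" | sed 's/^#![ 	]*//' | awk '{print $1}')
    [ -x "$interp" ] || { echo "bad-interpreter:$interp"; return 1; }
  fi
  # Finally, the filesystem itself may refuse to execute anything on it.
  abs=$(cd "$(dirname "$p")" && pwd)/$(basename "$p")
  case ",$(mount_opts_for "$abs")," in
    *,noexec,*) echo "noexec-mount"; return 1 ;;
  esac
  echo "ok"
  return 0
}
```

Run it as `diagnose_exec ./magiskpolicy` in the same directory where the failing command was issued; a result of `ok` here means the remaining suspects are the SELinux context (`id -Z`, `ls -lZ`) or, for a native binary, its loader and libraries.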