17 Nov

Voiding Warranties..again

Category:Hacking, Hardware, Howto's

– Disclaimer – I won’t be responsible for anything you do to your phone, voiding warranties, setting small cats on fire, or causing your local subway system to stop working – Disclaimer –

I recently got the HTC Desire Z. Slightly older, but it has the QWERTY slider, which I wanted. Anyway, the HTC Sense UI default “shell” put on top of Android is great. By far better than the Samsung uh.. TouchWiz thing. Smoother, and smarter. But I won’t get into that. What comes with Sense UI on this phone (and I’ll bet a lot of other HTC phones) is a bunch of applications. Applications that I didn’t need. So obviously I tried to remove some of those applications. Turns out, to remove apps like Facebook or Twitter (that I do not want on my phone), you have to have root. I didn’t find any smart way of getting rid of the apps without root, because it requires modification or removal of files that sit in directories that are not world- or group-writable.

So, after some internal debate between me and myself, I decided to root the phone. I quickly realized that the operation would not be as easy as on the Samsung, which has a fairly established and easy-to-use toolset for doing both rooting and ROM management. Samsungs can also be exploited on pretty much any version of the OS.

However, on the HTC, I found that I had to first downgrade the firmware, so that I could use an exploit to gain root. And to make matters worse, this didn’t work on its own. I had to turn my microSD card into a “goldcard”, then do the downgrade, then run the exploit to gain root, and then flash the new firmware on top. In this case, I ended up with CyanogenMod 7.1 again, since I had good experiences with it.

So, let’s go through the process that I had to go through. Reading a bunch of forums, I quickly got the picture that your mileage will vary. First of all, let’s start with what I had. I had the HTC Desire Z (known as the HTC Vision G2, I think, in the US). I had the latest firmware, which in this case meant uh.. Android 2.3.4 (or 2.3.5), called HTC Sense version 2.1. Anyway, the latest version available through the HTC OTA update. The phone was bought in October of this year.

I started out with the CyanogenMod instructions for downgrading the phone to an exploitable firmware version on this page. Or actually, I started out by installing the Android SDK, but on Arch Linux it was as easy as installing android-sdk from the AUR. I use yaourt as a frontend, so I did a yaourt android-sdk. On a 64-bit system, I had to enable the multilib repository to get the necessary lib32 libraries.

I ran through the steps of pushing fre3vo and misc_version onto the phone, which went fine. I then did the chmods and the debug, which got me a temporary root shell on the phone. The next step has me setting the version with misc_version, and then pushing the actual downgrade onto the phone. All good so far. Next step is to reboot the phone into the bootloader using adb (the Android debugger). This also worked… until I got a dreadful message: “CID incorrect! Upgrade fail!”. CID? Wtf? Okay. Step back for a moment and google this fucker.

Turns out certain phones need some fine-tuning to be able to downgrade, due to either carrier lock-in, or some branding put on the phone, or perhaps an unknown reason (maybe hardware or software revisions?). I found this thread on the CyanogenMod forums, which helped me onwards. The thread describes my exact issue, though with a slightly different downgrade firmware than mine. In any case, I decided to give it a try. The process involves the creation of a “goldcard”, which is then used as a place to store the downgrade firmware. The goldcard is simply a microSD card with the first few bytes overwritten with some new data.

The steps were basically:

  • Download the goldcard helper application from the Android Market. The phone was still bootable and fully operational, as no downgrade had taken place, so I was able to download and install this.
  • Using the goldcard helper, get the reverse CID for your MMC2 card. That’s your microSD card. MMC0 is your internal memory and can’t be used for this, as far as I’ve read.
  • Taking the reverse CID for your microSD card from the program, input it into the goldcard page (a link is also in the application).
  • The site generates an image, which you download.
  • Also download a hex editor, such as HxD.
  • Take your microSD card out of your phone and put it into a memory card reader (I also read you can use your phone as the reader, but I used a Kingston reader instead). In HxD, go to the Extras menu, choose “Open disk”, and under physical disks select the removable disk that is the microSD card. Make sure that read-only is not checked when opening the microSD card.
  • Open another tab via Extras, “Open disk image”, and load the .img file that you got from the goldcard site. Also uncheck the read-only checkbox here. Use the default 512-byte sector size. You should now have two tabs open.
  • In the goldcard.img tab, do a select all, then copy. Go to the microSD tab, select offsets 00000000 to 00000170, and from the Edit menu do a “paste write”. This pastes the content of goldcard.img over the first offsets of the microSD card.
  • From the File menu, save what you’ve done. Accept / ignore all warnings.
  • Ok, now you have a goldcard.
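As an added example (not from the original post, the goldcard site or HxD), this Python snippet models the paste write on a constructed in-memory card image and checks that the MBR partition table at offset 0x1BE and the 0x55AA signature survive it; the paste window ends at 0x170, which is why the card stays usable as storage for the downgrade firmware. The card layout, the image bytes and all function names are my assumptions; only the 0x000..0x170 selection comes from the steps above.

```python
"""Goldcard 'paste write' simulated on a constructed in-memory card image,
so the check runs offline without touching a real disk."""
MBR_PTABLE = 0x1BE   # first of the four 16-byte MBR partition entries
MBR_SIG = 0x1FE      # 0x55AA boot signature at the end of the 512-byte MBR
PASTE_END = 0x170    # last offset selected in HxD before the paste write


def make_card_image(size=4096):
    """Constructed card: zeros, one FAT32 (type 0x0B) entry, boot signature."""
    card = bytearray(size)
    entry = bytes([0x00, 0x01, 0x01, 0x00, 0x0B, 0xFE, 0xFF, 0xFF,
                   0x00, 0x08, 0x00, 0x00, 0x00, 0xF8, 0xFF, 0x00])
    card[MBR_PTABLE:MBR_PTABLE + 16] = entry
    card[MBR_SIG:MBR_SIG + 2] = b"\x55\xAA"
    return card


def apply_goldcard(card, img):
    """Return a copy of card with img written from offset 0, as the paste
    write does; refuse an image that would spill past the selected window."""
    if len(img) > PASTE_END + 1:
        raise ValueError("image longer than the 0x000..0x170 selection")
    out = bytearray(card)
    out[:len(img)] = img
    return out


def mbr_tail(card):
    """Partition table plus boot signature (offsets 0x1BE..0x1FF)."""
    return bytes(card[MBR_PTABLE:MBR_SIG + 2])


def verify_goldcard(card, img):
    """True when the card starts with img and still has a valid MBR signature.
    Because 0x170 < 0x1BE, a correct paste write never reaches the partition
    table, so the card keeps its filesystem for the downgrade image."""
    return bytes(card[:len(img)]) == img and card[MBR_SIG:MBR_SIG + 2] == b"\x55\xAA"


def demo():
    """Write a constructed 0x171-byte image and report both checks."""
    card = make_card_image()
    img = bytes(range(256)) + bytes(PASTE_END + 1 - 256)  # constructed data
    written = apply_goldcard(card, img)
    return verify_goldcard(written, img), mbr_tail(written) == mbr_tail(card)
```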

Proceed by copying the downgrade image over to the newly created goldcard. Continue with the CyanogenMod instructions. Following the instructions for the downgrade, you can safely redo all the steps to make sure. Once you are ready, reboot into the bootloader again. You should now have great success, in the words of Borat. Navigate with the volume up and down keys, and select using the power button or the navigation-touchpad thing-button. Select bootloader, then select fastboot. Confirm that you want to go ahead if necessary.

This will take a moment. You’ll then be downgraded to an earlier version of the firmware, which has a known exploit, allowing us to root the phone. The phone will (I think) reboot on its own, and give you an older-looking Sense UI.

Continue with the rooting instructions here. Basically you are downloading and pushing onto the phone a bunch of packages that are needed. Then you run the actual exploit, which should find a register in memory that we will use to sneak in (I think this is a correct analysis of what goes on, though I’m no programmer). Remember to match the md5 sums listed in the instructions before going on.

After this you have a rooted phone, hopefully with ClockworkMod Recovery installed. You can now keep using the Sense UI thing (I’m not sure that it’ll OTA upgrade anymore?), or install CyanogenMod, using these instructions. For some reason, either I failed some part, or something else failed, but I didn’t have ClockworkMod Recovery installed after this process. No sign of CWM anywhere. So I headed to the Market and downloaded it from there. I was now ready to install CyanogenMod, which went without incident.

Note that if you can’t get into recovery mode using “restart into recovery” (from the normal shutdown menu, after installing CWM), shut down the phone, and press Power, Volume Down and the navigation thing all together.

Ok, so now I have CyanogenMod 7.1.0 on my HTC Desire Z, with Android 2.3.7 underneath. Nice! Quadrant scores (yes yes, synthetic benchmarks..) went from 900 to about 1900 compared to the latest Sense UI. The phone feels snappy.

One thing to note was that the Market kept crashing! I was getting worried for a moment, but then I remembered the internet, found this thread, and fixed the problem. After downgrading, rooting and installing CyanogenMod, I had the phone set to a language called English HD. I selected English US, and my problem was gone. So note this.

Winamp keeps crashing now, but it did that on the Sense UI side too, so I doubt it has anything to do with CyanogenMod. Version 1.2.6 is the latest as I’m writing this, and there is no later version available. The default media player, though, is pretty usable in any case, so I’m just using that for now.

Now, if I could just install this CyanogenMod nightly build… 🙂
