How To Downgrade a Gingerbread T-Mobile G2 So It Can Be Rooted

So the latest official Gingerbread update for the T-Mobile G2 seemed to have broken the ability to get root access. That is until a few developers from XDA got a hold of it and managed to be able to gain temp root access and then downgrade the device so you can then permanently root it and load ROMs, etc. Here’s how.

Do this at your own risk, as always…

Thanks to agrabren, guhl, and cimer!
Here is the original log from them figuring out how to get temp root etc for your reference.

I. Setup ADB

1. Head to our How To Setup ADB procedure, follow it, and come back here once you can see a serial number at the end of that procedure.

II. Gain Temporary Root

1. Plug in your device via USB if it isn’t plugged in already.

2. Download the latest version of Fre3vo and then copy it to the AndroidSDK\Tools folder from the how to setup adb procedure (needs to be in the same folder that adb is located in, if yours is in platform-tools instead of tools, that is fine).

Fre3vo

3. Download the Misc Version file, and extract it. Then copy the extracted files to the AndroidSDK\Tools folder from the how to setup adb procedure (needs to be in the same folder that adb is located in, if yours is in platform-tools instead of tools, that is fine).

Misc Version

4. Open a command prompt on the computer by clicking on the Start menu and typing cmd and hitting enter in the search box.

5. Then type the following into command prompt with hitting enter at the end of each line:

cd c:\androidsdk\tools\     (we need to cd to the folder with adb in it, if your’s is in platform-tools and not tools, then type cd c:\androidsdk\platform-tools\)

adb push fre3vo /data/local/tmp

adb push misc_version /data/local/tmp/

chmod 777 /data/local/tmp/fre3vo

chmod 777 /data/local/tmp/misc_version

/data/local/tmp/fre3vo -debug

5. This should start scanning and looking for an exploit. If it gets to the end and doesn’t find anything, run that last line above again until it says it found an exploit. Once it finds it, LEAVE THIS COMMAND PROMPT OPEN and head to the next step.

III. Downgrade Misc Version

1. In the command prompt with the # symbol, type the following with hitting enter at the end of each line:

/data/local/tmp/misc_version -s 1.19.531.1

cd /data/local/tmp

chmod 777 misc_version

./misc_version -s 1.19.531.1

sync

dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10

IV. Downgrade the ROM

1. Download the 2.2 ROM version for the T-Mobile G2 and then copy it to the AndroidSDK\Tools folder from the how to setup adb procedure (needs to be in the same folder that adb is located in, if yours is in platform-tools instead of tools, that is fine).

Original 1.19.531.1 ROM

2. Download Fastboot.exe and put it in the tools folder of your Android SDK with adb in it (could be platform-tools for you, just so long as it is the same folder that adb is in).

Fastboot (Under Get the Tools. Get the version for Windows)

3. Open a NEW command prompt window (leaving the original one open) and type the following into the new one with hitting enter at the end of each line:

adb reboot bootloader     (your device will reboot into bootloader mode and say fastboot usb on it, wait for it to do that)

fastboot oem rebootRUU     (your device will reboot to a black screen with an HTC logo, wait for it to do that)

fastboot flash zip PC10IMG.zip     (your device will flash the original ROM)

4. When it says repeat immediately, type the following with hitting enter at the end of the line (it’s the same line as above that is fine):

fastboot flash zip PC10IMG.zip

5. Ok, all done! Once that is done you should be on stock 2.2. If you want to root and load a ROM etc. Head to our How To Root the T-Mobile G2 and then to the next procedure linked at the bottom of that one, etc. Good luck!

 

61 thoughts on “How To Downgrade a Gingerbread T-Mobile G2 So It Can Be Rooted”

    1. Thanks michael for sending this in! Didn’t see a name or email to reply to in the form you sent so couldn’t let you know when it was up, glad you found it! Hope it helps some people!

    1. Hello,

      It should but you will need a different Misc Version file and a different stock ROM… if you find ones that work, let us know and we’ll add them to this procedure. Good luck!

  1. i think i set the adb up correctly cus i got a device serial # but wen i try to push fre3vo i get a long path blah blah blah error…

    btw i tryed so many thing but never got the adb driver thing to work or anything like that till i found a command about killing then starting adb server…somehow thats the only way the device serical # pop up. is that why things r not working out for me or was that fine? pls help me its gettin out of hand.

      1. buuuuttt this is for 2.3.3 pretty much no root if ya got the 2.3.4 or maybe im just not looking in the right place all the guides are for 2.3.3 

  2. on second thought i got over that hump but now im on another hump…i get to these part:

        chmod 777 /data/local/tmp/fre3vo    chmod 777 /data/local/tmp/misc_version    /data/local/tmp/fre3vo -debugand it tells me “chmod is not recognized as an internal or external command, operable programor batch file.”what do i do?

    1. try typing “adb shell ” before those lines dont put the quotations though so it should be typed as “adb shell chmod 777 /data/local/tmp/fre3vo”

  3. I have a problemm on the third line on how to gain temp root I get “chmod is not recognized please help me I really want to root it and get this over with

  4. @72a2e1cd0d4eaa8eb4610659be66fe3b:disqus  txs  doode i tryed it but i didnt get anything bak after that…think it was coming out ok i just kept goin but wen i came to the part where is said to debug…boom 

    “the system cannot find the path specified”

    i wish someone cus try to post a video…mayb is it becuse im running on windows7?

  5. @twitter-260563375:disqus thx bro…it think it help but i also am not sure i was still doing the rite thing…there was no return on the command but wen i got to last part where it tells me to 

    /data/local/tmp/fre3vo -debug

    it just tells me the path cuddnt b found…did i do something wrong again?
    really wish someone cud post a video…btw doode your a huge help…again txs bro

  6. hi i dont know what im doing wrong i try the debug line alone and with adb shell but stay long time scanning region 3d000000… and dont do anything

  7. ok i go ahead but when is time of flashing the rom it said remote not allowed and when i hit it again stock sending the sending the zip

  8. I have a problem when I type in the last line on gaining temp root it dosent show the # sighn but it instead goes back to androidsdk/tools/ line…….any help plz

  9. i made it to the -debug step and it doesn’t really finish or anything like i can’t type anything more.. but i think it’s done. Then the instructions just randomly bring up a new cmd window which we should apparently have open already with a hash tag (#) in it..? and then start typing more extensions which probably require “adb shell” even though it doesn’t say that.. and the version s 1.1.531.9.1 or whatever isn’t displayed anywhere. …<tools/data/local/tmp doesn't exist. or even just the data folder for that matter.. even after it successfully pushes the files. so i'm just really confused and this new update fucked my entire phone up, it's the slowest mess ive ever seen. so i'm very frustrated. been searching for 4 hours how to do ANYTHING without it being rooted, which is impossible. ill even send money through paypal for someone that can give individual attention with results asap.
    regards.

  10. i get a problem that debug cant be found at the end of getting temp root plz help me i wana root my phone 

  11. ok guys i found a way to get out of this ….just follow this link http://forum.xda-developers.com/showthread.php?t=1178912 and when u get to the part after it says exploiting if it dosent show the # its ok just continue on …..im now out of gingerbread and am permanently rooted with 3.0 sense running 😀

  12. Ofelicisno0418

    I passed the exploiting portion thanks to nick grimm’s (/data/local/tmp/fre3vo -debug -start FBA90000 -end FFFFFFFF) but now im stuck because i didnt get the (#) symbol and when i type (adb shell /data/local/tmp/misc_version -s 1.19.531.1) it says permission denied.  Someone plz help!!

    1. mine hangs at buffer size 8192 with nick grims and the one posted in instructions plzz help tried restarting multipale times

  13. I got the exploit but it is very unclear in the instructions when it goes to the next step and say to go with the command prompt with the # symbol… have tried several things… can’t figure out what the hell that means…

    1. Well.. I have done this over and over again, get to the exploit but dont get a # at the end of it all, therefore, I cannot continue… anyone know of another way to get this done? I screwed up and put the leaked 2.3.3 GB on not knowing i could have went straight for 2.3.4

  14. edwin rodriguez

    After “/data/local/tmp/fre3vo -debug” it starts scanning and gets stuck on ?Scanning region 3d000000…” any solution? please let me know

  15. When i try “adb push misc_version data/local/tmp/ it says cannot start no such file or directory and it is in there.

  16. Here is the missing step:
    EXTRACT THE FILES FROM misc_version.zip.

    IT WILL NOT READ THE FILES OUT OF THE ZIP FILE. THEY MUST BE EXTRACTED TO THE PERFORMANCE-TOOLS FOLDER.

  17. Ok so far i have not had any issues following this procedure, until the part where i need to type the chmod 777 stuff and i was stuck..then i read about putting adb shell in front and i got the first one done…but when i do the same for adb shell chmod 777 /data/local/tmp/misc_version i get an error… “unable to Chmod /data/local/tmp/misc_version : No such file or directory”

  18. I hope this will clarify the procedure for some.1: Collect the tools and materials; working SDK, fre3vo, misc-version, ROM images..In my linux environ, I have an alias pointing to adb, some might like to put a symlink in ~/bin.  This lets me use adb from the folders that hold my android exploits2: Push the materials to your phone       adb push fre3vo /data/local/tmp       adb push misc_version /data/local/tmp/3:  Run ‘adb shell’ and chmod  the utilities you just pushed       adb shell       chmod 777 /data/local/tmp/fre3vo       chmod 777 /data/local/tmp/misc_version4: At this point you use fre3vo to search for the exploit that will give you temp root.  I have a T-mobile G2 with Android version 2.3.4.  The “fre3vo -debug” command would lock up immediately, so I read the reference materials the Generous Contributor pointed us to at the top of his post, and following the link to the pastebin by Cimer I narrowed the search to the exact address at which the exploit for my phone is found.       /data/local/tmp/fre3vo -debug -start fba90000 -end FFFFFFFFI expect this number will work with the exact version of the rom I have at this moment, and any updates by T-mobile will probably break this command.  In that case one should look for updated versions of fre3vo, and extend the search range in increments to account for such changes.5: When the exploit is complete adb will exit.  When you return to the adb shell, you will see a “#” prompt.  This is as far as this comment will go.  There are still more steps to be done to get applications like Titanium Backup working.

  19. I hope this will clarify the procedure for some.

    1: Collect the tools and materials; working SDK, fre3vo, misc-version, ROM images..

    In my linux environ, I have an alias pointing to adb, some might like to put a symlink in ~/bin.  This lets me use adb from the folders that hold my android exploits

    2: Push the materials to your phone

    adb push fre3vo /data/local/tmp

    adb push misc_version /data/local/tmp/

    3:  Run ‘adb shell’ and chmod  the utilities you just pushed

    adb shell

    chmod 777 /data/local/tmp/fre3vo

    chmod 777 /data/local/tmp/misc_version

    4: At this point you use fre3vo to search for the exploit that will give you temp root.  I have a T-mobile G2 with Android version 2.3.4.  The “fre3vo -debug” command would lock up immediately, so I read the reference materials the Generous Contributor pointed us to at the top of his post, and following the link to the pastebin by Cimer I narrowed the search to the exact address at which the exploit for my phone is found.

    /data/local/tmp/fre3vo -debug -start fba90000 -end FFFFFFFF

    I expect this number will work with the exact version of the rom I have at this moment, and any updates by T-mobile will probably break this command.  In that case one should look for updated versions of fre3vo, and extend the search range in increments to account for such changes.

    5: When the exploit is complete adb will exit.  When you return to the adb shell, you will see a “#” prompt.  This is as far as this comment will go.  There are still more steps to be done to get applications like Titanium Backup working.

    Reposted with nice formatting

    1. hey im not to smart when it comes to this stuff is it easy or should i just pay someone that knows more about it then i do? what would you do and if you mess up when doin it will i make the phone garbage?

  20. Previously I refined my notes to get temp root.  Today I’ll make it repeatable, and make the temp root system wide with a modified ‘su’, and busybox for good measure.  This is based in part on Nipqer’s post last month, but I’ll elaborate more.
    From your host terminal run fre3vo:
    adb shell /data/local/tmp/fre3vo -debug -start fb000000 -end FFFFFFFF
    I’ve noticed that the address of the exploit changes with each reboot.  This would be attributed to the code being relocatable.  If it does not find the exploit lower the start value.
    Now when you go to the ‘adb shell’ you will have the magical ‘#’ prompt.  What follows is what I’ve put into the shell script fixsu.sh

    cd /data/local/tmp/

    /system/bin/mount -o remount,rw /dev/block/mmcblk0p25 /system

    ./busybox echo “root::0:0:root:/data/local:/system/bin/sh” > /system/etc/passwd
    chmod 0666 /system/etc/passwd

    ./busybox echo “root::0:” > /system/etc/group
    chmod 0666 /system/etc/group

    ./busybox –install -s /system/xbin/

    /system/bin/rm /system/bin/su 2>/dev/null
    /system/bin/rm /system/xbin/su 2>/dev/null

    ./busybox cp /data/local/tmp/su /system/bin/su

    ln -s /system/bin/su /system/xbin/su

    PATH=”/sbin:/vendor/bin:/system/sbin:/system/xbin:/system/bin”

    This is still just a temp root because we are prevented from writing the changes to /system to the flash drive.  By the numbers this will remount /system read-write, add /etc/passwd amnd /etc/group, install busybox to /ststem/xbin, and place the modified su in /system/bin.  The last line puts /system/xbin before /system/bin on the path.  It’s only useful when you run fixsu.sh locally on the phone.  It does not become system wide.
    Now I need only run these two commands from my computer and the phone will be temp rooted

    adb shell /data/local/tmp/fre3vo -debug -start fb000000 -end FFFFFFFF
    adb shell /data/local/tmp/fixsu.sh

  21. I completed all of the steps and my phone is on the “black screen with an HTC logo”, and the the install of 2.2 is complete. I don’t want to harm my phone in anyway so I need to confirm if I should manually reboot my phone from this point to move forward!

    Please advise.

    Cheers!

  22. The Fastboot download link “Fastboot (Under Get the Tools. Get the version for Windows)” is not working, i cant find the file anywhere on the site? Could someone post a new link?

  23. i keep getting this every time i try to downgrade:
    C:\Program Files (x86)\Android\android-sdk\platform-tools>adb reboot bootloader

    C:\Program Files (x86)\Android\android-sdk\platform-tools>fastboot oem rebootRUU


    (bootloader) erase sector 196609 ~ 197120 (512)
    OKAY [ 0.499s]
    finished. total time: 0.499s

    C:\Program Files (x86)\Android\android-sdk\platform-tools>fastboot flash zip PC1
    0IMG.zip
    error: cannot load ‘PC10IMG.zip’

    C:\Program Files (x86)\Android\android-sdk\platform-tools>fastboot flash zip PC1
    0IMG.zip
    sending ‘zip’ (126272 KB)…
    OKAY [ 21.434s]
    writing ‘zip’…
    (bootloader) adopting the signature contained in this image…
    (bootloader) signature checking…
    (bootloader) zip header checking…
    (bootloader) zip info parsing…
    (bootloader) checking model ID…
    (bootloader) checking custom ID…
    (bootloader) checking main version…
    FAILED (remote: 43 main version check fail)
    finished. total time: 47.752s

    C:\Program Files (x86)\Android\android-sdk\platform-tools>

  24. Karim Soumahoro

    how long is the exploit search supposed to be? when i get to the end of part II the last line on the command prompt says “buffer size 8192” and it stops ther i’ve been waiting for an hour with no breakthrough…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.