Database Users

OTA 2.2 Update With Root Made Easy

NOTE: For those of you that are looking to root thier Inc and already have the latest 2.2+ OTA released in November, these steps will not work. Changes have been made to the ROM so until a new root application has been developed by the unrEVOked team, I am afraid you are left with a stock phone. Sorry. If new updates come out, I will try to post them here.
NOTE: I have uploaded the 2.1 and 2.2 RUUs to Rapidshare and updated the links.
First, let me say that I did not come up with this nor did I create any of the tools. I am passing all this on in a single thread to let people know how update thier Droid Incredible to the OTA 2.2 and have root access if they have it in any of the following conditions:
1. Stock 2.1 without root or unrEVOked Forever
2. Stock 2.1 with root and no unrEVOked Forever
3. Stock 2.1 with root and unrEVOked Forever
4. Stock 2.2 without root and with unrEVOked Forever
5. Stock 2.2 without root and no unrEVOked Forever
6. Custom ROM with root and S-OFF
7. Getting free WiFi Tethering on 2.2
8. Removing unwanted preloaded applications.
NOTE: This may work with custom ROMs, but I have not verified it.
NOTE: SOME PEOPLE, INCLUDING ME HAVE HAD THE PROBLEM OF BEING STUCK IN HBOOT AFTER LOADING A ROM IMAGE. IF THIS HAPPENS TO YOU AFTER LOADING THE 2.1 OR 2.2 ROM, DO NOT PANIC, JUST REAPPLY THE ROM AND ALL WILL BE FINE. FOR SOME REASON THE ROM DOES NOT LOAD CORRECTLY ON THE FIRST TRY BUT DOES ON THE SECOND.
I am passing this on because I loaded the OTA 2.2 without unrEVOked forever loaded on my phone. What a mess. I tried everything (I thought) to try and downgrade it back to stock 2.1 but with no luck. If you do not know, unrEVOked3 cannot currently root a 2.2 updated Droid Incredable and if you have not used unrEVOked forever, you can not get clockworkmod recovery to reload on the phone. I tried the 2.1 RUU to downgrade, but never could get it to connect to the phone. I then tried to use the 2.1 PB31IMG.zip to load and the HBoot loader would just tell me that it was an older image and not load it. I thought I was hosed until the unrEVOked team breaks the code on the 2.2 HBoot loader until I got pointed in the right direction (sort of).
TNS201 pointed me to the following thread: http://forum.xda-developers.com/showthread.php?t=768295
I gave this a try and still could not downgrade my phone. I searched around and after much trial and error, I was able to put together the correct steps to downgrade my phone and then applied unrEVOked3, unrEVOked forever, the OTA 2.2 update, and then reroot the phone. Anyway, here is what I have come up with:
** NOTE: THIS WILL TOTALY WIPE YOUR PHONE CLEAN!!! BACKUP ANYTHING YOU WANT BACK ON THE PHONE!!! **
Condition 1
1. Go to the following link and follow the instructions: http://forum.xda-developers.com/showthread.php?t=709220 Only do the steps for getting ADB loaded on your computer!
This will get ADB loaded on your computer which you will need when doing customizations to the phone. It will also walk you through rooting your phone and doing a lot of other things. Good thread for us noobs.
2. Download unrEVOked Forever from here: http://unrevoked.com/rootwiki/doku.php/public/forever
3. Copy the file to the root of your sdcard.
4. Reboot your phone into clockworkmod recovery and load the unrEVOked Forever zip file. This will turn S to off and allow unsigned images to be loaded.
When you reboot your phone, you will have a fully rooted and S-OFF stock 2.1 Droid Incredible.
NOTE: If you are having troubles downloading the OTA 2.2 RUU, use this link to download the ROM. Just delete the "_2.2" from the file name and go straight to step 12. http://rapidshare.com/files/418523008/PB31IMG_2.2.zip
To load 2.2, do the following:
5. Download the OTA 2.2 RUU from here: http://rapidshare.com/files/418527589/RUU_Incredible_VERIZON_WWE_3.21.605.1_Radio_2.15.00.07.28_2k4k_NV_1.50_PRL58006_release_1433.exe
6. Connect your phone to your computer and ensure you have USB DEBUG turned on and CHARGE ONLY selected.
7. Run the RUU and update your phone to 2.2. If the RUU updates your phone, go on to step 15. If the RUU will not connect to your phone Go to step 8.
8. Start the RUU.
9. Go to your computers temp directory and locate the folder that contains the file rom.zip.
10. Once you locate this file, copy it to any folder (or your desktop).
11. Rename rom.zip to PB31IMG.zip
12. Copy PB31IMG.zip to the root of your phones sdcard.
13. Reboot your phone into HBoot. HBoot will load and then load PB31IMG.zip. This will take a while, so be patient.
14. Follow the instructions to have HBoot install PB31IMG.zip.
Whether you used the RUU or HBoot and PB31IMG.zip, at this point, you should have 2.2 loaded on your phone, but you will no longer have root. You will have S-OFF.
To regain root access, do the following:
15. Download clockworkmod recovery from here: http://downloads.unrevoked.com/forever/recovery/clockworkmod/PB31IMG.ZIP
16. Download the payload update from here: http://forum.xda-developers.com/attachment.php?attachmentid=388592&d=1282834695
17. Download superuser from here: http://dl.dropbox.com/u/6408470/su-releases/su-2.3.4-ef-signed.zip
18. Copy all three files to the root of the phones sdcard.
19. Reboot your phone into HBoot. HBoot will load and then load PB31IMG.zip.
20. Follow the instructions to have HBoot install PB31IMG.zip. Since the phone is still S-OFF, this will reload clockworkmod recovery on the phone.
21. Boot the phone into recovery and load the two zip files downloaded in steps 16 and 17. This will root the phone and reload superuser.
If all went well, when the phone reboots, it should now be loaded with 2.2 and have full root and S-OFF. Enjoy.
Condition 2
1. Do steps 2 through 21 under Condition 1.
Condition 3
1. Do steps 5 through 21 under Condition 1.
Condition 4
** NOTE: THIS ONE DOES NOT WIPE YOUR PHONE!! **
1. Do steps 15 through 21 under Condition 1.
Condition 5
This is a tuffer one and requires the phone to be downgraded to 2.1 before upgrading it back to 2.2. Anyway, here are the steps:
NOTE: YOU MUST USE THE 2.1 RUU I HAVE LINKED AND THE MTD0.IMG FILE I HAVE ATTACHED OR THIS MAY NOT WORK!!!
NOTE: If you are having troubles downloading the 2.1 RUU, use this link to download the ROM. Just delete the "_2.1" from the file name and go straight to step 5 after completing step 1 and 2 (skip step 3 and 4). http://rapidshare.com/files/418141003/PB31IMG_2.1.zip.html
1. Do steps 1 and 2 under Condition 1.
2. Download the attached zip file. It contains the files I had a hard time finding.
3. Download the 2.1 RUU file from here: http://rapidshare.com/files/418525132/RUU_Incredible_Verizon_WWE_1.22.605.2_Radio_1.00.03.04.06_hboot_0.79_.exe
4. Follow steps 8 through 11 under condition 1 to get a good copy of the 2.1 ROM.
5. Copy the 2.1 ROM to the c:\android-sdk-windows\tools folder.
6. Unzip the files downloaded in step 2 to the c:\android-sdk-windows\tools folder.
7. Copy the unrevoked-forever.zip to the c:\android-sdk-windows\tools folder.
Note: At this point, you should have the following files copied to your c:\android-sdk-windows\tools folder:
PB31IMG.zip (this is the 2.1 ROM)
unrevoked-forever.zip (will set S-OFF)
rageagainstthecage-arm5.bin (this is a root exploit - gives you temperary root)
mtd0.img (need to research this one)
flash_image (this flashes images)
7. Connect your phone to your computer and ensure you have USB DEBUG turned on and CHARGE ONLY selected.
8. Open a command promt window and change to the c:\android-sdk-windows\tools folder.
9. Enter adb push unrevoked-forever.zip /sdcard/ and then press enter.
10. Enter adb push flash_image /data/local/ and then press enter.
11. Enter adb push rageagainstthecage-arm5.bin /data/local/tmp/ and then press enter.
12. Enter adb push mtd0.img /sdcard/ and then press enter.
13. Enter adb push PB31IMG.zip /sdcard/ and then press enter.
14. Enter adb shell and then press enter.
15. Enter cd /data/local/tmp/ and then press enter.
16. Enter chmod 777 /data/local/tmp/rageagainstthecage-arm5.bin and then press enter.
17. Enter cd /data/local/ and then press enter.
18. Enter chmod 777 /data/local/flash_image and then press enter.
19. Enter cd /data/local/tmp/ and then press enter.
20. Enter ./rageagainstthecage-arm5.bin and then press enter. You will now see some text on your cmd prompt screen explaining the exploit. Wait for the adb shell to go away, and it will dump you into your windows command prompt again (no shell) should look something like this:
C:\android-sdk-windows\tools>
21. Enter adb shell and then press enter. You will see you now have a # instead of a $ prompt.
22. Enter cd /data/local and then press enter.
23. Enter ./flash_image misc /sdcard/mtd0.img and then press enter. This will flash your misc partition with Toast's mtd-eng.img and should return you to a # prompt.
24. Enter reboot bootloader and press enter.
25. HBoot will load. Select bootloader and HBoot will then load PB31IMG.zip.
26. Follow the instructions to have HBoot install PB31IMG.zip.
Once it is finished, select restart. You now are on the stock 2.1 build of Android. Now you can follow steps 3 through 21 under condition 1 and get your phone loaded back with 2.2 and have root and S-OFF.
Condition 6
1. Do steps 5 through 21 under Condition 1.
Condition 7
The following steps will allow you to use the 3G Mobile Hotspot that comes with the OTA 2.2 update and not have Verizon charge you for using it:
1. On your phone, bring up the dialer and dial ##778. This will load EPST.
2. Select EDIT.
3. Enter 000000 for the password.
4. Select SECURITY.
5. Select the username that has [email protected].
6. Edit the username to read [email protected] (delete "dun.").
7. Click the back button to return to the list.
8. Select M.IP DEFAULT PROFILE.
9. Repeat steps 5 and 6.
10. Click on MENU and select COMMIT.
At this point, your phone will reboot and you will be able to use the 3G Mobile Hotspot application to get free WiFi tethering. Enjoy.
Condition 8
I have so far found three options for removing the preloaded apps. They all require the phone to be rooted. Here they are:
1. The first way is to get Titanium Backup. You will also need to donate (as little as $3.99) to get full functionality of Titanium Backup, but it is well worth it. If you do not want to physically remove the application, you can use the FREEZE function and the application will be removed from the app list, but physically will still be on the phone. If you really want to get it off, you can uninstall and then deleted from the phone. All of this through a user interface that is pretty easy to use. By the way, it also does backups of apps and data.
2. Another option is to get Root Explorer. You have to pay for this one. It will let you mount the system folders on the phone as read/write and allow you to move and/or delete apps from the apps folder on the phone. This is a good app and worth having even if you do not use it to remove apps.
3. The final way is to use ADB and the command prompt to remove or move any application you do not want. This is tried and true, but combersome. You do not have to buy it, but there is no GUI to help you out.
My thanks to all the folks here on XDA that made it possible for us to release the possibilities of the Droid Incredable. As I stated above, I did not create the apps or the steps, I just put them together for others to use. I wish I could thank all the individuals that made this possible, but I did not get thier IDs, so in lew of an individual thank you, I am posting this group THANK YOU. Keep up the good work!

Thanks, I have a question on condition 4
4. Stock 2.2 without root and with unrEVOked Forever
If I do the steps and since I am not loading RUU (I manually updated the offical OTA and have S-off) will this still wipe my phone clean? Looks like all I am doing is loading clockwork back on and load superuser..etc, that shouldn't wipe all the data right?

Scblacksunshine said:
Thanks, I have a question on condition 4
4. Stock 2.2 without root and with unrEVOked Forever
If I do the steps and since I am not loading RUU (I manually updated the offical OTA and have S-off) will this still wipe my phone clean? Looks like all I am doing is loading clockwork back on and load superuser..etc, that shouldn't wipe all the data right?
Click to expand...
Click to collapse
No, in the case of having 2.2 already loaded and S-OFF, you are correct, the phone will not get wiped. The steps will root the phone and load superuser back on.

confirmation
Can anyone confirm option 4 working??

RBurn said:
Can anyone confirm option 4 working??
Click to expand...
Click to collapse
Those are steps I used to get root back on my phone after I update to 2.2. As I stated, I messed up the first time and did not load unrEVOked forever and could not root the phone, so I had to downgrade to 2.1 first and then go through the rooting process. That time I made sure to load unrEVOKED forever. After that, all went well.
Sent from my HTC Incredible.

RBurn said:
Can anyone confirm option 4 working??
Click to expand...
Click to collapse
I did option 4 early this morning. Worked perfectly.
Thank-you to all involved.

Thanks for the write up =)
I am trying condition five and on step 18 and after running ./rageagainstthecage-arm5.bin it exectues so I move to step 18 and type adb shell but it remains, $ not root(#). Does anyone know if This has worked yet?

also Im running Ubuntu 10.04 if that makes a difference

adb shell
cd /data/local/tmp
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
cd /data/local
chmod 0755 /data/local/flash_image
cd /data/local/tmp
./rageagainstthecage-arm5.bin
This worked

PimpShit420 said:
adb shell
cd /data/local/tmp
chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin
cd /data/local
chmod 0755 /data/local/flash_image
cd /data/local/tmp
./rageagainstthecage-arm5.bin
This worked
Click to expand...
Click to collapse
I tried this and it did not work for me. It looked as if it did. It gave me the proper prompt, but on reboot, no root access. I had to use chmod 777 instead of chmod 0755.

PimpShit420 said:
Thanks for the write up =)
I am trying condition five and on step 18 and after running ./rageagainstthecage-arm5.bin it exectues so I move to step 18 and type adb shell but it remains, $ not root(#). Does anyone know if This has worked yet?
Click to expand...
Click to collapse
I made a mistake, the line should have had 777 after chmod, not 0755. I have updated the instructions. If other individuals that use 0755 instead of 777 get the above to work, let me know. I do not know what the difference is. All I know is 0755 did not work for me. I had to use 777. I think I will do some research on chmod.
Hope other individuals find this helpful.

well I got to root in the shell and everyting seemed to work up until I tried to flash the PB31IMG, is says the main version is older and just reboots

I dont know what the difference is but it could be we are running different OS, windows vs linux but I have no clue

PimpShit420 said:
well I got to root in the shell and everyting seemed to work up until I tried to flash the PB31IMG, is says the main version is older and just reboots
Click to expand...
Click to collapse
This is the problem I had. Try 777 instead of 0755 after each of the chmod commands. That is what worked for me.

you were right, the first time 0755 gave me root but did not let me flash the PB file, the second time 0755 didnt work, and 777 did but it still says update fail

chmod 0755 vs chmod 777
PimpShit420 said:
I dont know what the difference is but it could be we are running different OS, windows vs linux but I have no clue
Click to expand...
Click to collapse
Well, I looked the chmod 777 and chmod 0755 commands up. Both commands change the read/write state for a file. 0755 changes the permissions for a specific group and user. 777 changes the permissions for everyone. You can find an explanation here: http://ss64.com/bash/chmod.html
0755 did not work for me, but 777 did. I am going to keep the instructions as they are unless I get feedback that 0755 is working for other people. If I do, I will add them as an alternative.

PimpShit420 said:
you were right, the first time 0755 gave me root but did not let me flash the PB file, the second time 0755 didnt work, and 777 did but it still says update fail
Click to expand...
Click to collapse
Are you using 777 for each chmod command?
Also, I was reading through the steps and found an error with step 16. It said the following:
16. Enter chmod 777 /data/local/tmp/rageagainstthecage-arm5.bin and then press enter.
It should have said this:
16. Enter chmod 777 /data/local/rageagainstthecage-arm5.bin and then press enter.
I have updated the steps on post 1.

Thanks very much for this thread!
My phone was in Condition 3. Instructions worked for me!

BNG303 said:
Thanks very much for this thread!
My phone was in Condition 3. Instructions worked for me!
Click to expand...
Click to collapse
Your welcome. I am glad it helped.

bagery77 said:
I did option 4 early this morning. Worked perfectly.
Thank-you to all involved.
Click to expand...
Click to collapse
Glad this helped. I wanted to give everyone a one stop shop for updating and root for 2.2. Also hoped everyone would not have to go though all that I did.

[HOWTO] Getting root on your Thunderbolt from start to finish - Mac OS X

After having nearly hung myself trying to figure out the whole SDK thing, what the hey ADB was and all that jazz, I thought I would give the rest of the people out there a step by step guide on getting from stock to root in no time. If you follow this guide, you won't spend the hours I did on google, XDA and irc trying to get where I am. This stuff can be confusing, and I am only here to make it less so.
Disclaimer: If you destroy your phone, I take no responsibility for it. You are performing this at your own risk.
I take no credit for the root process itself, there are people much smarter than I who worked on this. I used the method outlined here by jcase. I am simply compiling this and making it easy for people (much like myself) who had no prior experience be able to have root.
jcase said:
Credits (from original post here)
Scotty2, jamezelle, jcase, and all of Team AndIRC
Testers, especially ProTekk and Trident
Thanks to scotty2 for WPThis
Busybox was pulled from a CyanogenMod ROM, source should be available here
psneuter was pulled from somewhere, credit to scotty2, source here
All firmware credit goes to 911sniper
Jaroslav from Android Police for editorial help
If I missed anyone in the credits, it was unintentional and I will fix it soon. Lots of people had their hands in on this project.
Original warnings, posted by jcase:
Pros
Root with read/write access to /system
Ability to downgrade and flash any RUU (i.e. signed firmware)
S-OFF
Fully unlocked bootloader
All ThunderBolts survived testing
Cons
Voids warranty
Could brick your phone if you aren’t careful
The method of rooting your Android device as described in the article herein is solely for enthusiasts and not for the faint of heart.
IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA.
Android Police and Team AndIRC disclaim all liability for any harm that may befall your device, including, but not limited to: bricked phones, voided manufacturer warranties, exploding batteries, etc.
The instructions below assume you already have a strong familiarity with adb command lines – this is not for beginners.*
Click to expand...
Click to collapse
*I made this guide as seamless and easy as possible. I have tested this 4 times now with success each time. Just follow every step to a T and there will be no problems. The warning is there to tell you what could happen if you don't listen very well...
Step 1: Download the Android SDK
http://developer.android.com/sdk/index.html
Step 2: Get into the SDK
After downloading, you should have a package named android-sdk_r10-mac_x86.zip in your downloads folder. Unzip it and move it to your desktop, to make life easier on yourself.
*Stop here right now if you have no idea what terminal is... shame on you, also this might be slightly more technical than you thought. No worries, I am going to hold your hand through it all*
Step 3: Get ADB
You can search as hard as you want to in that SDK and you won't find ADB. It's not there, leave it to google to be smug and leave a "ADB's not here sucka!!" readme in the file... cheeky muppets. Regardless of my personal feelings, You need to get ahold of the ADB. Easy enough to do. Open the tools folder located in the android-sdk-mac_x86 folder. Click on "android" (it's right next to google's smug readme...), and wait until it pulls up the screen seen below.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Once you've gotten here, click "available packages" on the left and install Android SDK Platform-tools, revision 3. Let it go through it's process and click close. Now, go back to your android-sdk-mac_x86 and you'll have the folder titled "Platform-tools", open it and, TA-DA! You have adb, don't click it... you don't need to.
Step 4: Prepare your phone for rooting.
Make sure your phone is fully charged before beginning. Go to Menu>Settings>Applications>Developer> and turn on USB Debugging. I had my phone on Disk Drive the entire procedure, I'm not sure if it had any benefits other than convenience, but, granted, it helped.
Step 5. Setup terminal for ADB.
To this point, you haven't had to open terminal on your own. It is probably still open from when you installed the platform-tools folder from the android executable file. If it is, right click (control click) the terminal icon, click new window and then click basic. If you closed it haphazardly (shame on you!) you need to open it. It is located in your application folder, in another folder titled Utilities.
Once you get to the terminal screen, you should see a white box, with the name of your computer, followed by the place your currently "located." A ~ means you are in your home folder. For fun, type the following into your terminal window.
Code:
touch test_file.txt
Now, navigate to your home folder and there is a text file there for you. Pretty neat, eh?
Now, we need to navigate to adb. Go to your android-sdk-mac_x86 folder, open it. Now, go back to terminal, type cd and drag the folder Platform-tools to the terminal window. You should see a green dot with a plus sign in it, that means you can add the folder to the terminal window. It should read something like this:
Code:
cd /Users/Your Computer's Name/Downloads/android-sdk-mac_x86/platform-tools
If you moved the android-sdk-mac_x86 folder (Like I did) after downloading it, it will only be slightly different. (My folder was in my home folder, so it just says /users/my computer/android-sdk-mac_x86/platform-tools)
Once you do this, you are ready to begin.
Step 6: GAIN ROOT!!!!11!!
Take a moment, breathe, cry, caress your phone... No, it really isn't that bad. I am what many consider a hypochondriac, I say I am just more "down to earth."
Glass half empty, half full, etc. we begin. I've slightly modified these to make them usable for us Apple guys. (All that has been changed is the adding of a "./" to the beginning of ever adb.)
Step 1
First, download these files:
RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.0103_2r_NV_8k_1.37_9k_1.52_release_
165253 (md5sum : aae974054fc3aed275ba3596480ccd5b):
Multiupload mirror
GalaxySense mirror
DroidSite mirror
Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af):
Multiupload mirror
GalaxySense mirror
DroidSite mirror
Custom RUU mirrors (md5sum : aff07b8256628a175c40938d408fa16f):
Multiupload mirror
GalaxySense mirror
(Personally, I extracted the exploit.zip folder, and the RUU_MECHA to my platform-tools folder so I never had to cd anywhere. I strongly recommend you do the same. I put the Custom RUU [PG05IMG.zip] on my desktop, so I didn't get it confused later in the process)
Step 2
Note that adb is required.
Push misc.img, busybox, and psnueter using the following commands:
Code:
./adb push psneuter /data/local/
./adb push busybox /data/local/
./adb push misc.img /data/local/
./adb shell chmod 777 /data/local/psneuter
./adb shell chmod 777 /data/local/busybox
Step 3
This step will gain temp root and flash the custom misc.img. Run:
Code:
./adb shell
Now the shell should display "$".
Run:
Code:
/data/local/psneuter
You will now be kicked out of adb, and adb will restart as root. Let’s confirm the md5 of misc.img:
./adb shell
At this point, the shell should display "#".
Run:
Code:
/data/local/busybox md5sum /data/local/misc.img
Output should be "c88dd947eb3b36eec90503a3525ae0de." If it’s anything else, re-download the file and try again.
Now let’s write misc.img:
Code:
dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
exit
Step 4
Here you will rename the downgrade RUU (RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.0103_2r_NV_8k_1.37_9k_1.52_release_165253_signed.zip) as PG05IMG.zip and place it on your SD card. Then, run the following command:
Code:
./adb reboot bootloader
Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.
**Make sure to Re-enable USB Debugging!!! (Menu>Settings>Applications>Development>USB debugging)**
Set up the two part exploit, to gain root and unlock MMC.
Code:
Push wpthis, busybox, and psnueter.
./adb push psneuter /data/local/
./adb push busybox /data/local/
./adb push wpthis /data/local/
./adb shell chmod 777 /data/local/psneuter
./adb shell chmod 777 /data/local/busybox
./adb shell chmod 777 /data/local/wpthis
Step 5
Next, enter the following commands:
Code:
./adb shell
/data/local/psneuter
To unlock eMMC:
./adb shell
/data/local/wpthis
exit
Step 6
Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.
To push the eng bootloader:
Code:
./adb push hbooteng.nb0 /data/local/
./adb shell
/data/local/busybox md5sum /data/local/hbooteng.nb0
If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb" exactly, stop, delete it, and re-download it. Otherwise, continue.
Now we will write the new bootloader.
Code:
dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18
Confirm proper write:
Code:
/data/local/busybox md5sum /dev/block/mmcblk0p18
If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb," try again; if it still doesn’t work, seek help from chat.andirc.net in channel #thunderbolt.
DO NOT REBOOT.
Now, reboot your phone and put the custom RUU (PG05IMG.zip) on your SD card. Then flash it. This will upgrade you to release firmware with an S-OFF bootloader.
**Make sure to Re-enable USB Debugging!!! (Menu>Settings>Applications>Development>USB debugging)**
Next, run this command:
Code:
./adb reboot bootloader
After it flashes, you will be running release firmware with S-OFF.
Step 7
Code:
Push SU, busybox, and psneuter.
./adb push psneuter /data/local/
./adb push busybox /data/local/
./adb push su /data/local/
./adb shell chmod 777 /data/local/psneuter
./adb shell chmod 777 /data/local/busybox
To gain root:
Code:
./adb shell
/data/local/psneuter
The following will remount /system and set up SU:
Code:
./adb shell
mount -o remount,rw -t ext3 /dev/block/mmcblk0p25 /system
/data/local/busybox cp /data/local/su /system/xbin/su
chown 0:0 /system/xbin/su
chmod 6755 /system/xbin/su
Step 8
Install Superuser from the Market.
Reboot your phone. You should now have full root permissions.
Step 9
Finally, install ROM Manager from the market, enter ROM Manager and flash the ThunderBolt recovery.
If you have problems getting SU to work, a couple extra reboots will likely fix it. If you still have problems, come to the chat: irc.andirc.net #thunderbolt or use http://chat.andirc.net:9090/?channels=#thunderbolt.
And there you go. You now have root. That was fun right? The irc is absolutely invaluable if you are having any trouble. The people there are really helpful and knowledgable. They won't talk down to you, just try to help.
Again, thank you to the people who made this possible, You all are awesome. the work that had to be done to make this user friendly is beyond amazing.
If I missed anything, please let me know. I might have missed something, I haven't slept all night.

Quite the thorough walk through. Nice job!
Sent from my ADR6400L using Tapatalk

Looks like a nice walk-through.
I may suggest including all of your steps for configuring the SDK and then simply referencing the official root guide... because if that would get updated then you would have old instructions on this thread.
It is not that hard for people to type the ./ in front of every command...
Alternatively (and recommended), you could provide a more thorough guide and include instructions on adding the SDK platform-tools directory to the PATH environment variable. Once this is added, the user can use adb whenever they want, they do not have to change directories to the SDK! This also allow for using the command without needing the leading ./

I knew people would come in who knew something... You both are right. The problem I was having was the same many of my friends and people on here were having, they kept getting a -bash: adb: command not found. I am working on fixing my .bash_profile, but until I get that fixed, this tutorial is the best I've got.

IISiDeK1CKII said:
I knew people would come in who knew something... You both are right. The problem I was having was the same many of my friends and people on here were having, they kept getting a -bash: adb: command not found. I am working on fixing my .bash_profile, but until I get that fixed, this tutorial is the best I've got.
Click to expand...
Click to collapse
I am excited try try this, thank you so much for writing this up. I get very confused doing these things the first time and didn't realize you could do this on mac by adding the prefix in the commands. So, now that I know that, I am hoping to try it!
One question.....and this is a total newbie question, sorry..... In the steps that have several commands like this one:
Set up the two part exploit, to gain root and unlock MMC.
Code:
Push wpthis, busybox, and psnueter.
./adb push psneuter /data/local/
./adb push busybox /data/local/
./adb push wpthis /data/local/
./adb shell chmod 777 /data/local/psneuter
./adb shell chmod 777 /data/local/busybox
./adb shell chmod 777 /data/local/wpthis
Click to expand...
Click to collapse
Should the commands all be ran individually, or all at the same time just on their own lines? Like, can I just copy all six commands and paste them in just like this then hit enter? Or do I need to run them all one at a time?

gadsden said:
I am excited try try this, thank you so much for writing this up. I get very confused doing these things the first time and didn't realize you could do this on mac by adding the prefix in the commands. So, now that I know that, I am hoping to try it!
One question.....and this is a total newbie question, sorry..... In the steps that have several commands like this one:
Should the commands all be ran individually, or all at the same time just on their own lines? Like, can I just copy all six commands and paste them in just like this then hit enter? Or do I need to run them all one at a time?
Click to expand...
Click to collapse
You hit enter after each of those commands.

I'm AMAZED at how well this went! I'd been avoiding ADB on windows, plus avoiding all the 1-click options as they didn't work correctly on VMWare/WinXp on my Mac Pro. So, I saw this post and decided to take the leap.
THANK YOU!!!! My device is now rooted and working flawlessly.

Nice write up, I completely avoided the whole ADB setup subject, due to a lack of mac/windows knowledge. Glad the community can come through.
Can you please paste in my warnings, full credits and links to the GPL (this part if very important to us) sources if you are going to base this on our stuff. Just take them from the original post please.
~jcase

I ALWAYS had to put the
./
before adb so it would be "./adb" for anything that started with adb. I see you missed it a couple times and that concerns me. I followed the original tut by jcase and put ./adb instead of plain adb and everything worked perfect. Just my 2¢.

bmcclure937 said:
Looks like a nice walk-through.
I may suggest including all of your steps for configuring the SDK and then simply referencing the official root guide... because if that would get updated then you would have old instructions on this thread.
It is not that hard for people to type the ./ in front of every command...
Alternatively (and recommended), you could provide a more thorough guide and include instructions on adding the SDK platform-tools directory to the PATH environment variable. Once this is added, the user can use adb whenever they want, they do not have to change directories to the SDK! This also allow for using the command without needing the leading ./
Click to expand...
Click to collapse
I really didn't realize until today that I could just as easily perform a manual root on a mac as a windows machine. So, I am trying to learn about this, been doing a bunch of reading. I am interested in what you are mentioning about adding SDK platform-tools directory to the PATH environment. On a mac, what environment should I be using? I am a little confused about the options listed on the Andorid Developer website. It seems Eclipse is what everything is all about primarily, but I have no clue which one to use. Perhaps I ought to just not worry about all that right now and just follow these steps to root my TB? I'm not really after doing anything other than rooting and flashing ROMs, so is it really necessary to set all that up?
xCHPx said:
I ALWAYS had to put the
./
before adb so it would be "./adb" for anything that started with adb. I see you missed it a couple times and that concerns me. I followed the original tut by jcase and put ./adb instead of plain adb and everything worked perfect. Just my 2¢.
Click to expand...
Click to collapse
Regarding the ./ Are you saying that we need to use that in front of these commands even though it's not listed in the steps?
adb reboot bootloader
adb shell
Other than that, the steps in this post work, right? I have everything downloaded and got as far as getting ADB, but I don't want to go any further if this isn't really as comprehensive as its made out to be.

gadsden said:
Regarding the ./ Are you saying that we need to use that in front of these commands even though it's not listed in the steps?
adb reboot bootloader
adb shell
Click to expand...
Click to collapse
Yes otherwise i don't believe it will work.

Wow! I really didn't think this would get quite as much attention. I think I need to do some more solid work and clean this up a bit. Now, for the individual responses:
@Gadsden: You're very welcome. I kept thinking, this is impossible! But, with a little Red Hat experience and some awesome google skills, I got this.
@Jayhammy: You're welcome man. Enjoy!
@jcase: Of course I can. I never really thought this would gain so many views. There aren't words to explain how psyched I am to see you talking directly to me... lol, I will give full credit to everyone, as soon as I post this
@xCHPx: I posted this after a long night, with no sleep. I knew I would miss something. The cool thing about that is if you copy and pasted the command without ./ in front of it, it would simply not run. There is really no way to mess this up.
@gadsden (pt.2): Hypothetically speaking, you don't need to do ANYTHING other than what I've listed. If you decide to start developing themes, apps, etc. you'd have to worry about eclipse. I made a mistake on the two things listed there, every adb command must have ./ in front of it. I simply overlooked it when typing this up. There was a lot of stuff to be typed.

thanks for the walk-through!
i have 2 quick questions...
for say like this step:
./adb shell
/data/local/psneuter
To unlock eMMC:
./adb shell
/data/local/wpthis
exit
Click to expand...
Click to collapse
ur hitting enter after shell correct? the /data/... doesnt need a program command like ./adb before it correct? same with all other lines with no ./adb in front of them?
also for this:
Step 9
Finally, install ROM Manager and flash the ThunderBolt recovery.
Click to expand...
Click to collapse
im assuming ROM Manager is in market like Super User but i dont know what flash the Thunderbolt recovery means...could u explain that?
Thanks again!

yeah, I'll explain that in the post but also here. ROM Manager is a program available in the market. If you go to the market and type it in, you'll see it. It's a top hat with a gear behind it.
After you install ROM Manager, You need to touch the first item in the screen, Flash ClockworkMod Recovery. Then you will be good. I am going to update that now in the OP.

IISiDeK1CKII said:
yeah, I'll explain that in the post but also here. ROM Manager is a program available in the market. If you go to the market and type it in, you'll see it. It's a top hat with a gear behind it.
After you install ROM Manager, You need to touch the first item in the screen, Flash ClockworkMod Recovery. Then you will be good. I am going to update that now in the OP.
Click to expand...
Click to collapse
Funny, I had the same exact question. I posted it in the jcase discussion and got the answer there. Definitely put that in the OP, because first timers don't know these things!

gadsden said:
Funny, I had the same exact question. I posted it in the jcase discussion and got the answer there. Definitely put that in the OP, because first timers don't know these things!
Click to expand...
Click to collapse
Fixed it, I overlooked it. I guess I assumed that everyone knew what ROM Manager was... lol. I've been rooting since the Droid 1, so I've always been around people who know these things. Sorry for not clarifying though, I hope my new updated post is more concrete.

gadsden said:
I really didn't realize until today that I could just as easily perform a manual root on a mac as a windows machine. So, I am trying to learn about this, been doing a bunch of reading. I am interested in what you are mentioning about adding SDK platform-tools directory to the PATH environment. On a mac, what environment should I be using? I am a little confused about the options listed on the Andorid Developer website. It seems Eclipse is what everything is all about primarily, but I have no clue which one to use. Perhaps I ought to just not worry about all that right now and just follow these steps to root my TB? I'm not really after doing anything other than rooting and flashing ROMs, so is it really necessary to set all that up?
Click to expand...
Click to collapse
You can add the path of the SDK to your $PATH variable. This allows you to run ADB from any directory and not need the ./ in front of every single command.
From terminal, do the following:
Code:
ls -la
You should see a file called ".bash-profile within your home directory.
Edit this file and add the path of your SDK to the $PATH variable.
Code:
nano .bash-profile
Familiarize yourself with editing files in nano if you have not done this before. It is very simple. Once you have edited and saved the file... run this last command to check if the PATH variable now contains the new path.
Code:
echo $PATH
If you get lost or confused... Google is your friend! There is a lot of info on editing the PATH environment variable.
*Please Note* this is not needed for the guide but it does allow you to run ADB from any directory... and without leading ./ in front of all commands.

Thanks for this. I'm going to go to lunch and then get into this. How long did it take everyone to go through this?

bmcclure937 said:
You can add the path of the SDK to your $PATH variable. This allows you to run ADB from any directory and not need the ./ in front of every single command.
Click to expand...
Click to collapse
I've set my path up, and it works when I want it to... but this is easier to do (imho) without getting too far into command line. If I feel I could streamline this by doing such, then I will do so.
edit: And now it is broken again... back to troubleshooting... not quite sure wth I did...
@want a droid: The thing that will take the longest is downloading the files needed. Everything else will take you all of 30 minutes at most.

IISiDeK1CKII said:
yeah, I'll explain that in the post but also here. ROM Manager is a program available in the market. If you go to the market and type it in, you'll see it. It's a top hat with a gear behind it.
After you install ROM Manager, You need to touch the first item in the screen, Flash ClockworkMod Recovery. Then you will be good. I am going to update that now in the OP.
Click to expand...
Click to collapse
IISiDeK1CKII said:
Fixed it, I overlooked it. I guess I assumed that everyone knew what ROM Manager was... lol. I've been rooting since the Droid 1, so I've always been around people who know these things. Sorry for not clarifying though, I hope my new updated post is more concrete.
Click to expand...
Click to collapse
thanks man!
yea im coming from a BB so new to this stuff...i have a PC and im doing long way to learn...doesnt seem hard, simple terminal commands but just want to get everything rights...soon as i do it once, ill be good to go and help out others like u guys

[Root+ROM+RUU] This will root your TB and install BAMF 1.5nte and the leaked RUU.

All root credit still goes to AndIRC and crew. ​
Rooting The ThunderBolt – Updating The Radio – And Installing BAMF 1.5
From Adrynalyne: This totally awesome wtfomgroflbbq ungodly large PG05IMG.zip contains the latest of everything 1.13.605.7 has to offer plus engineering hboot for s-off, BAMF 1.5, BAMF 4.4.2 kernel, clockwork, and custom boot splash by gadget!
Pros
Root with read/write access to /system
Ability to downgrade and flash any RUU (i.e. signed firmware)
S-OFF
Fully unlocked bootloader
Latest RUU installed
BAMF 1.5nte installed
Cons
Voids warranty
Could brick your phone if you aren’t careful
Its an RUU, IT CAN BREAK YOSELF.....FOO!!!
Its an RUU, IT CAN BREAK YOSELF.....FOO!!!
Its an RUU, IT CAN BREAK YOSELF.....FOO!!!
The method of rooting your Android device as described in the article herein is solely for enthusiasts and not for the faint of heart.
IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA.
Android Police and Team AndIRC and Adrynalyne disclaim all liability for any harm that may befall your device, including, but not limited to: bricked phones, voided manufacturer warranties, exploding batteries, etc.
The instructions below assume you already have a strong familiarity with adb command lines – this is not for beginners.
Credits
Adrynalyne for the Custom RUU, BAMF, and Kernel
Scotty2, jamezelle, jcase, and all of Team AndIRC
dsb9938 for writing this, testing, boot ani, and just being an overall great guy
Testers, especially ProTekk and Trident
Gadget for boot splash and ani
Thanks to scotty2 for WPThis
Busybox was pulled from a CyanogenMod ROM, source should be available here
psneuter was pulled from somewhere, credit to scotty2, source here
All firmware credit goes to 911sniper
If I missed anyone in the credits, it was unintentional and I will fix it soon. Lots of people had their hands in on this project.
Please read the instructions in full before you start. Also, make sure your battery is fully charged before taking the plunge.
Step 1
First, download these files:
RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.01 03_2r_NV_8k_1.37_9k_1.52_release_165253 (md5sum : aae974054fc3aed275ba3596480ccd5b) THIS IS THE DOWNGRADE RUU USED IN STEP 4:
Multiupload mirror
GalaxySense mirror
DroidSite mirror
Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af) THIS IS THE EXPLOITS FILE:
Multiupload mirror
GalaxySense mirror
DroidSite mirror
BAMF/Leaked RUU mirrors (md5sum : ede0dc842ab676080befe2ae01c74cd3) THIS IS THE CUSTOM RUU USED IN STEP 7:
Single Source
Step 2
Note that adb is required.
Push misc.img, busybox, and psnueter using the following commands:
Code:
adb push psneuter /data/local/
adb push busybox /data/local/
adb push misc.img /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
Step 3
This step will gain temp root and flash the custom misc.img. Run:
Code:
adb shell
Now the shell should display "$".
Run:
Code:
/data/local/psneuter
You will now be kicked out of adb, and adb will restart as root.
Let’s confirm the md5 of misc.img:
Code:
adb shell
At this point, the shell should display "#".
Now run:
Code:
/data/local/busybox md5sum /data/local/misc.img
Output should be "c88dd947eb3b36eec90503a3525ae0de." If it’s anything else, re-download the file and try again.
Now let’s write misc.img:
Code:
dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
exit
Step 4
Here you will rename the downgrade RUU (RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.01 03_2r_NV_8k_1.37_9k_1.52_release_165253) as PG05IMG.zip and place it on your SD card (put the phone in drive mode and just copy it with your OS). Then, run the following command:
Code:
adb reboot bootloader
Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.
Step 5
Set up the two part exploit, to gain root and unlock MMC.
Push wpthis, busybox, and psnueter:
Code:
adb push psneuter /data/local/
adb push busybox /data/local/
adb push wpthis /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
adb shell chmod 777 /data/local/wpthis
Gain root (this will once again throw you out of adb):
Code:
adb shell
/data/local/psneuter
Unlock MMC:
Code:
adb shell
/data/local/wpthis
exit
Step 6
Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.
To push the eng bootloader:
Code:
adb push hbooteng.nb0 /data/local/
adb shell
/data/local/busybox md5sum /data/local/hbooteng.nb0
If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb" exactly, stop, delete it, and re-download it. Otherwise, continue.
Now we will write the new bootloader.
Code:
dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18
Confirm proper write:
Code:
/data/local/busybox md5sum /dev/block/mmcblk0p18
If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb," try again; if it still doesn’t work, seek help from http://chat.andirc.net:9090/?channels=#root. DO NOT REBOOT.
Reboot.
Step 7
Now, put the custom leaked RUU (Adrynalyne.1.5.PG05IMG.zip) on your SD card by putting the phone in drive mode and copying it with your OS. Now rename it to PG05IMG.zip.
Then using an md5sum type program, check the md5sum and make sure it matches ede0dc842ab676080befe2ae01c74cd3, if it does not, redownload it. (Here is a free windows md5summer).
Next, run this command:
Code:
adb reboot bootloader
Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.
After it flashes, you will be running BAMF 1.5nte with S-OFF on the latest leaked RUU.
Please Note: One of the TP images will be bypassed while flashing, this is normal. Also, on first boot, there will be no boot sound, this is normal.
Please make a nand backup in Rom Manager after you go thorugh phone set up.
Rom Manager, SuperUser, and Titanium Backup are already installed.
ClockWork Recovery 3.0.2.5 is already installed.
If you have problems, come to the chat: irc.andirc.net #root or use http://chat.andirc.net:9090/?channels=#root.
.

"omg, no one-click method!?"
jk, this will be a nice time-saver for those just getting their Thunderbolts. Great job compiling this all into one package!

Sweet!

Nice job! Gotta love how the Android community is always trying to help the non-tech savvy be awesome too.
Sent from a bit of awesomeness...

Great job this will come in handy if I decide to root the wifes phone. Mine has been rooted for a while now.

this isnt working so well for me... flashing the last part and boot failed and its stuck on mdm9k

lllboredlll said:
this isnt working so well for me... flashing the last part and boot failed and its stuck on mdm9k
Click to expand...
Click to collapse
Please post back and let us know how things work out after you get the new phone. Sorry you had to have what I think is a bad nand chip that wouldn't take a flash.
D

dsb9938 said:
Please post back and let us know how things work out after you get the new phone. Sorry you had to have what I think is a bad nand chip that wouldn't take a flash.
D
Click to expand...
Click to collapse
well just for the record ... i hold no one accountable but myself or vzw on this one.... what a weird experience.... all the flashing and modding i've done over the last 5 years or so and I kill this phone right out of the gate... it literally made it 2hrs 45 minutes before i had a funeral for it lol

lllboredlll said:
well just for the record ... i hold no one accountable but myself or vzw on this one.... what a weird experience.... all the flashing and modding i've done over the last 5 years or so and I kill this phone right out of the gate... it literally made it 2hrs 45 minutes before i had a funeral for it lol
Click to expand...
Click to collapse
Thanks. I think we did all we could. Happy to help with the new one.
Sent from my ThunderBAMF using the XDA app.

Thank you for this.. Made ROOTING my wife's phone a breeze!

[GUIDE] Downgrade G2 (2.3.X) & DZ (2.3.X) & mT4g (2.3.4) & DHD w/ S-ON to Stock Froyo

[GUIDE] Downgrade G2 (2.3.X) & DZ (2.3.X) & mT4g (2.3.4) & DHD w/ S-ON to Stock Froyo
This guide is written for anyone who has "Stock Gingerbread" and wants to downgrade their phone which originally had "Stock Froyo". The following is a list of phone models this guide is intended for and that are known to work:
Working Phone Models:
G2 (Vision)
Desire Z (Vision)
myTouch 4G (Glacier)
Desire HD (Ace)
It should also be noted, this guide WILL NOT work with the following:
myTouch 4G Slide (Doubleshot)
Desire HD (Ace) w/ Sense 3.x (a recent OTA update as patched this method).*
*See these threads for a fix for the Desire HD (Ace) w/ Sense 3.x:
[GUIDE] Downgrade from 3.13 (Sense 3.0) roms
Temp root on Desire HD (Ace) with Sense 3.x
Special Notes
If you have used HTCDEV unlock your phone, please visit the following guide prior to using this guide, otherwise you will not be able to downgrade.
[GUIDE] How to get root/flash custom roms with HTCDEV unlock written by Nipqer
strawmetal has been kind enough to make an amazing PDF for each of the various phone models this guide supports which may be easier to read and follow for some users. I highly recommend taking a look at these files, especially if you are finding yourself a little confused during this guide (as this guide is written for multiple devices though he has PDFs for each device individually).
STRAWMETAL's Downgrade From Gingerbread to Froyo Guides and Tools
HTC Desire Z-G2 Downgrade & Root *Recently Updated*
Table of Contents
Introduction
Gaining Temp Root
Changing Version Number to Allow Downgrade and Gaining SuperCID with a Goldcard
Temp-Rooting to Backup (*Optional*)
Downgrading
Manual Downgrade
Fastboot Downgrade
Sources
Troubleshooting
Change Log
Attachments
I) Introduction
This guide is written with the assumption that the user has previously used "adb". If you are unfamiliar with "adb" or do not even know what "adb" is, download the Android SDK (found at http://developer.android.com/sdk/index.html). There are a couple guides to help you get started setting up the Android SDK and understanding ADB. If you have not installed the Android SDK or you are unfamiliar with ADB, please take some time and read a couple guides to get a basic understanding of it.
[GUIDE] ADB Workshop and Guide for everyone
[HOW-TO] ADB for Dummies(How-To Learner's Guide)
How To Set Up ADB/USB Drivers for Android Devices
I - 1) Gaining Temp Root
Download the attached files, unzip them, and place the files in your platform-tools folder. To elaborate, place the fre3vo file inside of the View attachment fre3vo.zip file in your platform-tools folder and the misc_version file inside the View attachment misc_version_01.zip file in your platform-tools folder.
Make sure you have your sdcard inserted in your phone, and you are NOT in USB Storage Mode, and your sdcard is NOT FULL.
Run the following command to verify the exploit has access to what it needs. (Only the first line is the command. The second line should be the result returned if all goes well.)
Code:
[B]> adb shell cat /dev/msm_rotator[/B]
[I]/dev/msm_rotator: invalid length[/I]
If you received the same message, you're good to continue on. If not… refer to the troubleshooting section of the guide before you continue.
Run the following commands from your platform-tools directory.
Code:
[B]> adb push fre3vo /data/local/tmp
> adb shell
$ chmod 777 /data/local/tmp/fre3vo
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF[/B]
After you enter that command, you should see something similar to the last few lines in the following displayed.
(It may take a minute or two. From what I can tell, this appears to be the quickest method as the exploit seems to be found in the latter regions.)
Code:
[I]Buffer offset: 00000000
Buffer size: 8192
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba90000...
Potential exploit area found at address fbb4d600:a00.
Exploiting device...[/I]
If the exploit works, you will be kicked out of ADB shell, proceed to Step #8.
If the above does not work, and fails, you can try the following, and hopefully one will work, try the following (you must reboot your phone before you try another set):
Code:
[B]$ /data/local/tmp/fre3vo -debug -start 10000000 -end 1FFFFFFF
$ /data/local/tmp/fre3vo -debug -start 20000000 -end 2FFFFFFF
$ /data/local/tmp/fre3vo -debug -start 30000000 -end 3FFFFFFF
$ /data/local/tmp/fre3vo -debug -start F0000000 -end FFFFFFFF
$ /data/local/tmp/fre3vo -debug -start E0000000 -end EFFFFFFF[/B]
If you did get kicked out of adb shell, open it again. You should now see # instead of $, thus granting you temp root. Go ahead and exit out of shell to proceed to the next stage.
Code:
[B]> adb shell
# exit[/B]
I - 2) Changing Version Number to Allow Downgrade and Gaining SuperCID with a Goldcard
If you followed the first portion of this, you should of unzipped View attachment misc_version_01.zip ad View attachment flashgc.zip in the platform-tools directory.
If you haven't done that yet, do that now and then run the following commands from your platform-tools directory.
Code:
[B]> adb push misc_version /data/local/tmp/misc_version
> adb push flashgc /data/local/tmp/flashgc
> adb shell chmod 777 /data/local/tmp/*
> adb shell
# cd /data/local/tmp
# ./misc_version -s 1.00.000.0[/B]
[I]--set_version set. VERSION will be changed to: 1.00.000.0
Patching and backing up partition 17...[/I]
[B]# ./flashgc[/B]
*Note: If you get the following error, please make sure your sdcard is inserted in your phone and is NOT mounted to your computer (ie: make sure you are NOT in USB Storage Mode). This is a fairly common error and/or oversight many people tend to miss. Please double check this before continuing.
Code:
Error opening backup file.
Code:
[B]# sync[/B]
Double check and make sure everything looks good so far by running the following command (still in adb shell).
Code:
[B]# dd if=/dev/block/mmcblk0p17 bs=1 skip=160 count=10[/B]
[I]1.00.000.010+0 records in
10+0 records out
10 bytes transferred in 0.001 secs (10000 bytes/sec)[/I]
BE SURE TO BACKUP ANY DATA!!!***
I - 3) Temp-Rooting to Backup
If you have nothing to back up or don't care to back anything up, proceed to the next section.
Credit goes to Nipqer from #g2root for providing me with this method.
Download the attached file: View attachment Vision-fre3vo-temp-root.zip
Extract the contents to your platform-tools directory.
Run the following commands in command prompt while in platform-tools directory:
Code:
> adb push su /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push fixsu.sh /data/local/tmp/
> adb install SuperUser.apk
> adb shell chmod 755 /data/local/tmp/fixsu.sh
> adb shell /data/local/tmp/fixsu.sh
Download a backing up application such as...
Titanium Backup
MyBackup Root
Make a backup!
I - 4) Downgrading
Download the Stock Rom for your device:
G2: PC10IMG_Vision_TMOUS_1.19.531.1_Radio_12.21.60.09b_26.02.01.15_M2_release_149459_signed.zip (Link not working last time I checked... hopefully it will come back up).
Mirrors:
Vision_G2_1.19.531.1_PC10IMG.zip (Working as of April 2023)
MD5: 531c08dc402e15577b947bf4cd22aec2
Desire Z: PC10IMG.zip
Mirrors:
PC10IMG.zip
Vision_DZ_1.34.405.5_PC10IMG.zip
Vision_DZ_1.34.405.5_PC10IMG.zip
MD5: 2ff42897cd27e0db425a2cf36c8bd078
myTouch 4G: PD15IMG.zip
Mirrors:
http://cmw.22aaf3.com/glacier/stock/1.17.531.2/PD15IMG.zip
http://goo-inside.me/ruu/glacier/fu....140e_26.03.02.26_M_release_155771_signed.zip
Glacier_mT4G_1.17.531.2_PD15IMG.zip
Glacier_mT4G_1.17.531.2_PD15IMG.zip
MD5: 49d07f0ee7de1765a6a84cb12fa53110
Desire HD: RUU_Ace_HTC_WWE_1.24.405.1_Radio_12.27.60.14b_26.02.00.29_M4_release_151852_signed.zip
Mirrors:
Ace_DHD_1.24.405.1_PD98IMG.zip
Ace_DHD_1.24.405.1_PD98IMG.zip
MD5: a107b30a4b397c9238ddc7f4571c2ee8
Follow either Manual Downgrade OR Fastboot Downgrade.
I - 4a) Manual Downgrade
Rename the downloaded rom to it's proper update name:
(Please note, the filenames MUST be all uppercase except for the extension, and if file extensions are hidden, do not include ".zip"):
G2: "PC10IMG.zip"
Desire Z: "PC10IMG.zip"
myTouch 4G: "PD15IMG.zip"
Desire HD: "PD98IMG.zip"
Place the zip file in the root of your sdcard.
Reboot your phone into bootloader by typing the following command:
Code:
[B]> adb reboot bootloader [/B]
After your phone has entered bootloader, press the power button. It will then scan for the associated rom file and ask you to update by pressing a key.
Press the key it requests to perform the update.
DO NOT INTERRUPT THIS PROCESS.
Your phone will reboot once or twice - this is completely normal.
This process will take roughly 5-10 minutes so make sure your phone is plugged in, either to an outlet or your computer.
Once the process is finished, it will ask you to reboot by pressing a key. Press the associated key and it will reboot into the Stock Froyo rom!
After booting into Android 2.2, DO NOT update the OTA that is around 70MB. That is the update to Gingerbread. There is one update that will come before that, that is a lot smaller in size, which is the WiFi-Calling update - that update is okay to install.
I - 4b) Fastboot Downgrade
Rename the downloaded stock rom "StockRom.zip" (if extensions are hidden, rename it "StockRom").
Place the downloaded stock rom zip file in your platform-tools directory.
Download the attached file View attachment fastboot.zip. In the zip archive there are three folders, "windows", "mac", and "linux".
Extract the file from the associated with your operating system and place it in platform-tools directory.
In command prompt, type the following command to reboot into bootloader:
Code:
[B]> adb reboot bootloader[/B]
Make sure your device is recognized by typing the following command.
Code:
[B]> fastboot devices[/B]
If you device is recognized, it should return a serial/model number.
Code:
[B]> fastboot oem rebootRUU[/B]
Your phone should now reboot into a black screen with a gray/silver "HTC" logo on it.
Next we flash the Stock Rom. This may take a few minutes as it transfers the file to the phone then attemps to update (downgrade).
Code:
[B]> fastboot flash zip StockRom.zip[/B]
In rare cases the flash stops and the user gets a warning to repeat the flash immediately - no panic, just run the "fastboot flash zip StockRom.zip" (only this command, not the rebootRUU one) again and it will work.
When it finishes, wait a minute or two (just in case) then reboot your phone by typing:
Code:
[B]> fastboot reboot[/B]
After booting into Android 2.2, DO NOT update the OTA that is around 70MB. That is the update to Gingerbread. There is one update that will come before that, that is a lot smaller in size, which is the WiFi-Calling update - that update is okay to install.
II) Sources:
#g2root: http://fishporn.ca/vision.gingerbread.root.html
Using fre3vo: http://therootofallevo.com/forums/viewtopic.php?f=6&t=120
[GUIDE] ADB Workshop and Guide for everyone
[HOW-TO] ADB for Dummies(How-To Learner's Guide)
How To Set Up ADB/USB Drivers for Android Devices
[ROM]Ace Test & Stock ROMS [RE-UPLOADED]
Instructions for flashgc
Temp-Root Backup Post by Nipqer
[GUIDE] How to get root/flash custom roms with HTCDEV unlock
flashgc by skorgon
Various Chats I've had with individuals.
If anyone needs further help and would prefer messaging me, feel free.
AIM: IgnorantNihilist
G-Talk: [email protected]
MSN: [email protected]
III) Troubleshooting
Cimer said:
[...] If [the downgrade] does not work, Right click your Command prompt, Select All, Right click again. Then go to pastebin.com, paste there, Scroll down, name it and hit submit. After that post the link here and we'll take a look at it.
EVERYONE: If you want a faster diagnostic please do this in advance and other people can see your mistakes.
Click to expand...
Click to collapse
You can also join the IRC channel #g2root on irc.freenode.net and ask questions in there. If you are unfamiliar with IRC, you can go to http://webchat.freenode.net and pick an alias, for channel type in #g2root and enter the reCAPTCHA and connect.
I wanted to give credit to specific individuals whom have helped write this guide, provided important feedback to further improve this guide, and/or in any other way further improved this guide. I think these invidiuals should be recognized, as if it were not for them, this would wouldn't be as elaborate, dynamic, and informative as it is. So a special thanks to, Cimer, strawmetal petarpLab, iDylan1357, asharma5290, guhl, pierre_ja, and skorgon from #g2root. And I would also like to recognize and give a major thanks to Nipqer whom offers a lot of support with constant responses helping assist those whom ask for help both in this thread as well as on IRC. And he is always making sure I keep this as updated as it can be.
IV) Change Log
2023/04/14
I'm no longer supporting this thread anymore however I will try to update it if someone messages me with an issue. I don't have time anymore unfortunately. I did however update the downgrade ROM for the G2. The link in the mirror is currently hosted on my google drive. If there's a problem let me know in a private message.
2013/06/14
Update ratherphallic.co.cc links to ratherphallic.tk. -Nipqer
2012/11/11
Made some minor changes (grammar, spelling, layout/format).
Added links to guides which fix the issue with Desire HD (Ace) w/ Sense 3.x
2012/05/22
Changed "fastboot" attachment to have 3 folders ("windows","linux",and "mac") each with "fastboot" in it instead of having "fastboot-linux", "fastboot-mac", and "fastboot-windows.exe".
Changed fastboot portion of guide to reflect change to attachment for easier usability.
2012/04/21
Updated strawmetal's PDF document for G2/Desire Z Downgrade.
Added link to strawmetal's tools used in his PDF Guide.
2012/03/07
Added a PDF file that strawmetal was kind enough to make for Vision users.
Added links to attached files in the guide where I reference them.
2012/02/03
Changed link to the Stock Vision (G2) Rom and added mirrors.
Changed link to the Stock Vision (Desire Z) Rom and added mirrors.
Added mirrors to the Stock Glacier (myTouch 4G) Rom.
Changed link to the Stock Ace (Desire HD) Rom and added mirrors.
2012/02/03
Added a guide to help individuals whom have used the "official" htcdev.com unlocker method.
2012/02/03
Fixed link for the G2, Desire Z, and Desire HD (thanks to repast & cmstlist.
2012/04/13
Possible exploit found for Desire HD updated to latest OTA update (which patched our current method).
2012/01/28
Fixed link for myTouch 4G as megaupload has been taken down. Also added mirrors for myTouch 4G Stock Rom.
2011/12/20
Clearified which phone models this guide is intended for as well as noting that the Doubleshot does not work.
Made note that a recent OTA patch for the Ace, giving it Sense 3.x, has patched this method and this method will no longer work on Ace models which have Sense 3.x
2011/12/17
Added new goldcard generator and simplified the guide.
2011/10/27
Changed the download link for the Desire HD.
Added MD5 checksums next to the rooms.
2011/10/26
Re-added the manual downgrade method due to people having issues with the fastboot method.
2011/10/23
Fixed a slightly error in code during the temp-root backup section. Had "adb install install Superuser.apk", replaced it with "adb install Superuser.apk"
2011/10/22
Added a method to be able to backup data prior to downgrading! (thanks to Nipqer from #g2root)
2011/10/20
Added Desire HD.
Changed the downgrading method to use fastboot rather than manually downgrading.
Added "Creating A Goldcard" method from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/pierre_ja/flashgc_instructions
2011/08/26
Changed modified version number for each device to 1.00.000 as it is more universal and works for each one.
Made it more clear to extract the attached files and place them in the platform-tools directory for use.
2011/08/06
Added a couple links to ADB guide.
2011/08/05
Added myTouch 4G
Added link to an "adb" guide.
Changed title from "[GUIDE] Downgrade G2 2.13.531.8 (2.3.3 T-Mobile Rom w/ S-ON) & DZ 2.3.3 w/ S-ON" to "[GUIDE] Downgrade G2 (2.3.3) & DZ (2.3.3) & mT4g (2.3.4) w/ S-ON to Stock Froyo"
V) Attached Files
View attachment misc_version_01.zip
View attachment fre3vo.zip
View attachment fastboot.zip
View attachment Vision-fre3vo-temp-root.zip
View attachment flashgc.zip

Wow first guide. Nice! I hope this helps people who have 2.3.3 so they can stop asking how to downgrade
Sent from my HTC Vision using XDA App

Sweet, now I can finally get my phone replaced. Accidentally blew out my LED and was scared of asking for a new one for fear of being unable to root. Thanks for the peace of mind I'll be using this in a few days

Just some suggestions to avoid confusion when you run the command
Code:
adb shell cat /dev/msm_rotator
you should get the return of
Code:
/dev/msm_rotator: invalid length
you do not need to enter in this line.
Also after entering
Code:
/data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
or one like it and it fails (It should not) you need to reboot the phone between these attempts.
Thanks for writing the guide! We just posted the log lol
Late side note: I've recently read an article on how root exploits are not credited to their original inventors. Just letting everyone know that agrabren should be credited as well for his work with Fr3v0, and his willingness to help during the process

Thanks for the tips Cimer, I edited the post, hopefully that clarifies it a bit more.
I've been a quiet browser here on XDA for quite a while but I believe that was actually the first post I made =3 It took me a while to try to get it formatted... fluently / tried to make it easy to read and follow.
And hey, if it wasn't for you all posting the logs from #g2root, I would of never gotten my G2 back to being rooted. I think I had like 8 different pages open when I was doing it, reading the chat log, reviewing the pastebin data, et cetera. But it worked, after searching every day, the trick has been found.
On a side note, I picked the range "-start FAA90000 -end FFFFFFFF" because it appears that the exploit is most likely within that range. It was for yours "FBB47C00:1400", mine was "FBB4D600:A00", and a friend of mine was also an FBB*.

Does it work for the european desire Z ?

ilbeppez said:
Does it work for the european desire Z ?
Click to expand...
Click to collapse
Personally, I have no idea. I don't imagine it would hurt the phone any if you tried. I know you would have to change the version number (when using misc_version) to a different number, one that would be equivalent to the stock rom that came with the phone. As for the exploit itself, I don't see any harm it could do to try (though I'm no expert). Just be sure to reboot your phone after each attempt of using fre3vo.

ilbeppez said:
Does it work for the european desire Z ?
Click to expand...
Click to collapse
Give me a second, Guhl made a post about this...
http://forum.xda-developers.com/showpost.php?p=15825944&postcount=27
Should explain things for Desire Z users.

Cimer said:
Give me a second, Guhl made a post about this...
http://forum.xda-developers.com/showpost.php?p=15825944&postcount=27
Should explain things for Desire Z users.
Click to expand...
Click to collapse
Ok
thanks

Thank you. I have been searching for this.

Setherio, please divide a section for 2.3.3 DZ owners. the appropriate PC10IMG.zip for them is
http://www.multiupload.com/GH26HXLLES (md5 2ff42897cd27e0db425a2cf36c8bd078)
the mics_version command is: /data/local/tmp/misc_version -s 1.33.405.5
the push command is: adb push PC10IMG.zip /sdcard/

petarpLab said:
Setherio, please divide a section for 2.3.3 DZ owners. the appropriate PC10IMG.zip for them is
multiupload.com/GH26HXLLES (md5 2ff42897cd27e0db425a2cf36c8bd078)
the mics_version command is: /data/local/tmp/misc_version -s 1.33.405.5
the push command is: adb push PC10IMG.zip /sdcard/
Click to expand...
Click to collapse
Thanks for the information. I updated the guide.

thanks a lot

Incase anyone did not know already gfree is the best way to root after the downgrade...visionary bricks phones. You can find gfree in the xda wiki.
Sent from my HTC Vision using XDA App

Great guide. My first downgrade and I haven't bricked my phone
Thanks to all people that made it possible
Cimer said:
Incase anyone did not know already gfree is the best way to root after the downgrade...visionary bricks phones. You can find gfree in the xda wiki.
Sent from my HTC Vision using XDA App
Click to expand...
Click to collapse
So AMT is ok for rooting after downgrade?
This package contains:
- gfree
- gfree_verify
- Superuser
- Busybox
- flash_image
- psneuter
- root_psn
- misc_version
- GingerBreak APK
Click to expand...
Click to collapse

trzype said:
Great guide.
My first downgrade and I haven't bricked my phone
Thanks to all people that made it possible
Click to expand...
Click to collapse
Thank you Glad it helped you.
trzype said:
So AMT is ok for rooting after downgrade?
Click to expand...
Click to collapse
Yes. I downgraded and rooted, went ahead and installed Cyanogen nightly. As did a couple others I've talked to who have downgraded as well.

Used AMT. Got some error about 1.34 and "Double" but cliked Continue button anyway. Everything went fine.
Setherio said:
I downgraded and rooted, went ahead and installed Cyanogen nightly. As did a couple others I've talked to who have downgraded as well.
Click to expand...
Click to collapse
I'm going for Virtuous 2.0.0. Can't live without Sense UI
Thanks again

Should I rename the stock Rom to just PC10IMG before I push it to sd card or can I just put it on sd card before hand
Sent from my HTC Sensation 4G using XDA Premium App

Got it worked great thanks

Thank you so much worked like a charm - Peace

Please Help! Rooted then lost, and now anti-rollback is stopping me from going back!

Ok, so I got TWRP on the phone then I used Flash Fire to try and get Android 7 while maintaining custom recovery (and even was supposed to inject SuperSU. It went and did it's thing and on boot I saw SuperSU on phone so I thought hey I am good sweet. HA, Well open it and it said can't find binary, ut oh. I go to manually boot recovery and it wipes user data instead so I lost TWRP.
Well Ok, I thought. Let me LG UP the modified TOT and select refurb to just get me back to Marshmellow with TWRP and try again. YEAH RIGHT. Looks like the Android 7 update blows another qfuse and now LG UP just states anti rollback version is smaller than installed.
I WANT ROOT I PAID FOR THIS THING IN FULL WHY IS IT SOO HARD FOR MANUFACTURERS TO ALLOW ME ACCESS TO MY OWN HARDWARE. When I buy a computer with an OS they don't give me a user only level account and tell me it is for my own good. They allow me to do whatever I WANT because you know why I BOUGHT THE HARDWARE IN FULL AND the supreme court has said no subsidy locks allowed as when a user buys a device it is theirs not yours. I feel this is another version of a subsidy lock at the rate we are going and I can't wait until someone with the time and money sues an OEM and wins us the right to not jump through all these damn hoops to be allowed to do what we wish with the hardware we buy IN FULL NOW.
Ok, rant over, Anyone out there know of a way to root android 7 on the H830? I dunno if a dev could maybe mod up a 20a image so that we can LGUP it to the H830s that have Android 7 and need root.

@RealPariah here ya go follow this Thanks to @godfather123189 for finding these instructions:
i can confirm dirtycow worked for me to reflash twrp. you have to make sure to have the newest version of twrp.img. i was also able to root 20a with the newest supersu.zip.
i will try going back to 10j nandroid i had made before i upgraded to 20a
download all the files from here:
https://build.nethunter.com/android-tools/dirtycow/arm64/
and follow these instructions:
**pushing files**
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp.img /sdcard/twrp.img
**end pushing files**
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
5) ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
6) exit
7) adb logcat -s recowvery
"<wait for it to tell you it was successful>"
8) CTRL+C
9) adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
10) adb shell
11) getenforce
"<it should say Permissive, adjust source and build for your device!>"
12) cd /data/local/tmp
13) ./dirtycow /system/bin/run-as recowvery-run-as
14) run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
15) run-as su
16) dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery

Well you arent alone. And I agree , I fully own my device and I think I should be able to do what ever the living F*&% I want with it .
Its only a question of time though,these guys are the best there are at cracking through companies 'efforts at locking us out of our own shiznat....in the meantime setup the stuff you can without ROOT (no Titanium Backup....*sniff) LOL.
Before long we'll wake up and see TWRP attached to the ROM like before and all will be well. Cheers

OK after 2 days of attempting this without even wrapping my head around the idea of how to access /data/local/temp without being rooted to begin with I hereby surrender :crying:
Thanks for posting this for dayum sure, I only wish I was a more proficient SDK user as to be able to utilize it.
I mean Im fully versed in the very basics of Fastboot/ADB as a long time Nexus user.Push,pull flashing recoveries and the other relatively easy stuff.But I cant get this worth a crap .....
Thanks guys

Jonathanpeyton said:
OK after 2 days of attempting this without even wrapping my head around the idea of how to access /data/local/temp without being rooted to begin with I hereby surrender :crying:
Thanks for posting this for dayum sure, I only wish I was a more proficient SDK user as to be able to utilize it.
I mean Im fully versed in the very basics of Fastboot/ADB as a long time Nexus user.Push,pull flashing recoveries and the other relatively easy stuff.But I cant get this worth a crap .....
Thanks guys
Click to expand...
Click to collapse
I struggled with it at first I would be glad to assist I'm not at home but when I get home and can access my desktop I would be glad to try to explain it better.
---------- Post added at 06:45 AM ---------- Previous post was at 06:12 AM ----------
Jonathanpeyton said:
OK after 2 days of attempting this without even wrapping my head around the idea of how to access /data/local/temp without being rooted to begin with I hereby surrender :crying:
Thanks for posting this for dayum sure, I only wish I was a more proficient SDK user as to be able to utilize it.
I mean Im fully versed in the very basics of Fastboot/ADB as a long time Nexus user.Push,pull flashing recoveries and the other relatively easy stuff.But I cant get this worth a crap .....
Thanks guys
Click to expand...
Click to collapse
OK here goes my best attempt at explaining it, you need to have your phone turned on with Android debugging turned on as well plug your phone into the pc and then accept the request from adb to access the device. Then start running the adb commands starting with the ones under ***pushing files*** then start following the steps 1-16. Let me know if you have any more questions or something you don't understand. Hopefully this was helpful. P.S. I also had all of the downloaded files inside my adb folder and opened the command window from that folder.

shaneg79 said:
@RealPariah here ya go follow this Thanks to @godfather123189 for finding these instructions:
i can confirm dirtycow worked for me to reflash twrp. you have to make sure to have the newest version of twrp.img. i was also able to root 20a with the newest supersu.zip.
i will try going back to 10j nandroid i had made before i upgraded to 20a
download all the files from here:
https://build.nethunter.com/android-tools/dirtycow/arm64/
and follow these instructions:
**pushing files**
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp.img /sdcard/twrp.img
**end pushing files**
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
5) ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
6) exit
7) adb logcat -s recowvery
"<wait for it to tell you it was successful>"
8) CTRL+C
9) adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
10) adb shell
11) getenforce
"<it should say Permissive, adjust source and build for your device!>"
12) cd /data/local/tmp
13) ./dirtycow /system/bin/run-as recowvery-run-as
14) run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
15) run-as su
16) dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
Click to expand...
Click to collapse
This worked great! Thank you! After TWRP was flashed via steps above I just followed the video I linked below from the 8:20 mark and formatted data and then flashed dmverify encrypt and super su (both downloads in vid) and now I'm back to rooted on 7.0 nougat with TWRP and supersu!
Go dirtycow!

Thank you shaneG79 and Genardas this made all the difference!
so An Instruction List ,a Thoughtfully Worded Explanation and You Tube Video are worth a 1000 words

shaneg79 said:
I struggled with it at first I would be glad to assist I'm not at home but when I get home and can access my desktop I would be glad to try to explain it better.
---------- Post added at 06:45 AM ---------- Previous post was at 06:12 AM ----------
OK here goes my best attempt at explaining it, you need to have your phone turned on with Android debugging turned on as well plug your phone into the pc and then accept the request from adb to access the device. Then start running the adb commands starting with the ones under ***pushing files*** then start following the steps 1-16. Let me know if you have any more questions or something you don't understand. Hopefully this was helpful. P.S. I also had all of the downloaded files inside my adb folder and opened the command window from that folder.
Click to expand...
Click to collapse
Any Idea why Im still getting a "permission denied" affter my chmod 0777* here?
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
that seems to throw it all out of wack..

Jonathanpeyton said:
Any Idea why Im still getting a "permission denied" affter my chmod 0777* here?
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
that seems to throw it all out of wack..
Click to expand...
Click to collapse
I think there may be a space between the last 7 and the * I can't be sure though because I copy and pasted it into the adb window

shaneg79 said:
I think there may be a space between the last 7 and the * I can't be sure though because I copy and pasted it into the adb window
Click to expand...
Click to collapse
I think you may be right,and as I am copy pasting now Ive been been able to get past it.
I still was able to get root last night with it but was denied access to data in the end so I had to go back.Thank you!

when you finally get to "adb shell reboot recovery" did yours boot to the Firmware Update page? or to something else....mine repeatedly goes to Firmware update then of course isnt seen by adb anymore and no recovery is ever flashed I dont think..

Jonathanpeyton said:
when you finally get to "adb shell reboot recovery" did yours boot to the Firmware Update page? or to something else....mine repeatedly goes to Firmware update then of course isnt seen by adb anymore and no recovery is ever flashed I dont think..
Click to expand...
Click to collapse
No mine rebooted and I finished the rest of the steps I would try going through the steps again and copy and paste everything into adb window. I think in order for twrp to be flashed you have to finish all 16 steps.

shaneg79 said:
No mine rebooted and I finished the rest of the steps I would try going through the steps again and copy and paste everything into adb window. I think in order for twrp to be flashed you have to finish all 16 steps.
Click to expand...
Click to collapse
Roger will do thank you!

nah its no good.No matter what it will only go to that Firmware page.All the commands are correct.It must be something in my setup itself.
I had wondererd am I supposed to leave the cable in for the entirety of the 16 steps (which I have done)?

Jonathanpeyton said:
nah its no good.No matter what it will only go to that Firmware page.All the commands are correct.It must be something in my setup itself.
I had wondererd am I supposed to leave the cable in for the entirety of the 16 steps (which I have done)?
Click to expand...
Click to collapse
Yes I did, you might try using lg up and reflashing 20a and then trying again.

OK I went full on fresh as possible all installs.
Uninstalled reinstalled all drivers/ utils (Uppercut,LGUP ect.)
Copied all instructions to a separate file to ease copying
all before taking your advice (which I thought sounded like the right direction to go) and reflashing 20a.KMZ in LGUP.
Still the result is the same,step 9 (reboot to recovery) leads only to the Firmware Update screen ~~~~~> https://drive.google.com/open?id=0B03a0JRwWhkwX1RQdmlSRmh5c0U AND https://drive.google.com/open?id=0B03a0JRwWhkwT0lMNEViNGIxWkE
Also I want to mention, when I try to directly copy the chmod as is (0777 *) I get a permission denied so Ive been changing it to 0777* (no space between the asterisk [regex] and the last 7) which seems to work as I am able to continue entering code....
man and I thought Samsung devices were a pain to root lol.
Thanks so much for all the help so far Im usually not this much trouble....

Jonathanpeyton said:
OK I went full on fresh as possible all installs.
Uninstalled reinstalled all drivers/ utils (Uppercut,LGUP ect.)
Copied all instructions to a separate file to ease copying
all before taking your advice (which I thought sounded like the right direction to go) and reflashing 20a.KMZ in LGUP.
Still the result is the same,step 9 (reboot to recovery) leads only to the Firmware Update screen ~~~~~> https://drive.google.com/open?id=0B03a0JRwWhkwX1RQdmlSRmh5c0U AND https://drive.google.com/open?id=0B03a0JRwWhkwT0lMNEViNGIxWkE
Also I want to mention, when I try to directly copy the chmod as is (0777 *) I get a permission denied so Ive been changing it to 0777* (no space between the asterisk [regex] and the last 7) which seems to work as I am able to continue entering code....
man and I thought Samsung devices were a pain to root lol.
Thanks so much for all the help so far Im usually not this much trouble....
Click to expand...
Click to collapse
You're not being any trouble I just wish I knew why yours isn't working correctly

ok update..... I used the devices internal settings to do a factory reset then reinstalled 20a.THAT made it to where I am now able to grant the proper permissions to /data/local/tmp.However,I still wind up at the Firmware Update page after >adb shell reboot recovery instead of the recovery screen or just a reboot....but I guess its small progress.

shaneg79 said:
@RealPariah here ya go follow this Thanks to @godfather123189 for finding these instructions:
i can confirm dirtycow worked for me to reflash twrp. you have to make sure to have the newest version of twrp.img. i was also able to root 20a with the newest supersu.zip.
i will try going back to 10j nandroid i had made before i upgraded to 20a
download all the files from here:
https://build.nethunter.com/android-tools/dirtycow/arm64/
and follow these instructions:
**pushing files**
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp.img /sdcard/twrp.img
**end pushing files**
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
5) ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
6) exit
7) adb logcat -s recowvery
"<wait for it to tell you it was successful>"
8) CTRL+C
9) adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
10) adb shell
11) getenforce
"<it should say Permissive, adjust source and build for your device!>"
12) cd /data/local/tmp
13) ./dirtycow /system/bin/run-as recowvery-run-as
14) run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
15) run-as su
16) dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
Click to expand...
Click to collapse
Thank you so much... And whom ever is behind this I anyway... One word... Genius... Simply Genius.. Well that was 2 words

Accidental double post see next post, my bad...
Accidental double post