Monday, January 23, 2012

I've had it with HTC - thanks for the rescue, CyanogenMod + AAHK

HTC pushed an Android 2.3.5 update to my Vodafone Australia-branded HTC Desire HD. There was no changelog, and along with the Android update it turns out I get a new version of HTC Sense (yay?) with all sorts of animations I can't turn off and extra bloat.

Great work HTC, you made the phone faster, then ruined it with more pointless animation. At least the "no window animations" setting used to work in the old version...

The new phone version is:

Model number: HTC Desire HD A9191
Android version: 2.3.5
HTC Sense version: 3.0
Software number:
Kernel version: htc-kernel@and18-2 #1 WEd Nov 9 14:04:03 CST 2011
Baseband version:
Build number: CL200874 release-keys

(from "settings->about phone")

I'd love to downgrade it (rooting it if necessary to do so) and then reflash it with a sensible firmware from Cyanogen etc. Unfortunately, Vodafone/HTC seem to have broken the existing root methods on the device with the latest update. It's not like this is my phone that I purchased outright or anything, so why should I be able to do anything with it? GRR!


psneuter reports:

$ /data/local/tmp/psneuter
Failed to set prot mask (Inappropriate ioctl for device)

Fre3vo reports:

$ ./data/local/tmp/fre3vo
fre3vo by #teamwin
Please wait...

... never successfully getting root.

I've also tried the official HTC bootloader unlock tool for the Desire HD. It's been released for my Vodafone firmware version, so it should work, but it reports "unsupported firmware version". Sigh. Even if the bootloader unlock worked, I couldn't actually reflash the phone without temporary root access or a direct flashing tool that doesn't require using the phone to modify its own recovery partition.

So, what's a pissed-off phone owner to do?

Investigation suggests I may be able to directly reflash the device with tools called odin3 (a leaked Samsung android flashing tool) or the libusb-based Heimdall, but I'm having a hard time finding suitable images for the Desire HD, or much information about it. When I reboot my HD into what I think is download mode (bootloader menu -> recovery) heimdall can't see the device - whether I'm using the libusb drivers or the default drivers. Odin doesn't seem to see it either, and it looks like both are designed primarily for Samsung phones.


The long term solution is, as noted in the comments below, to buy from a less closed and restrictive vendor. If I wanted a locked-down device I would've bought an iPhone; it would've at least had more than a half day's battery life.

PS: The next person who posts a guide/walkthrough/howto without listing the version number of the latest firmware for which it is known to work is going to find themselves in a world of pain if I ever find them. The amount of stunningly bad writing on this topic is incredible.
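As an added example (not part of the original post), here is a small POSIX shell check that compares a saved `adb shell getprop` dump against the firmware a guide says it was tested on, so a mismatch stops you before you flash anything. It assumes the standard Android property names `ro.product.model`, `ro.build.version.release` and `ro.build.display.id`; the sample dump is constructed, not captured from the phone.

```shell
#!/bin/sh
# Compare a getprop dump against the firmware values a guide claims to
# support. Property names are the standard Android ones (assumed to be what
# this handset reports); the dump below is a constructed sample, produced
# in real use with: adb shell getprop > props.txt

# Constructed sample of getprop output, using the "about phone" values above.
SAMPLE_PROPS='[ro.product.model]: [HTC Desire HD A9191]
[ro.build.version.release]: [2.3.5]
[ro.build.display.id]: [CL200874 release-keys]
[ro.build.tags]: [release-keys]'

# prop_get FILE NAME: print the value of NAME from a getprop dump
# (getprop prints lines as "[name]: [value]").
prop_get() {
    sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p" "$1" | head -n 1
}

# check_firmware FILE MODEL RELEASE BUILD
# Returns 0 only if every property matches; prints each mismatch to stderr.
check_firmware() {
    file=$1; want_model=$2; want_release=$3; want_build=$4
    rc=0
    for pair in "ro.product.model=$want_model" \
                "ro.build.version.release=$want_release" \
                "ro.build.display.id=$want_build"; do
        name=${pair%%=*}; want=${pair#*=}
        have=$(prop_get "$file" "$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name: device has '$have', guide expects '$want'" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it against a real dump with the version the guide names; a non-zero exit means the guide was written for a different firmware than yours.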

UPDATE: A downgrade was successful with the AAHK (Advanced ACE Hack Kit), after which I could root the phone with fre3vo:

C:\Users\Craig\Downloads\Downgrade_v3\Downgrade>adb shell
$ /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF
/data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify property...
  id: msmfb
  smem_start: 802160640
  smem_len: 3145728
  type: 0
  type_aux: 0
  visual: 2
  xpanstep: 0
  ypanstep: 1
  line_length: 1920
  mmio_start: 0
  accel: 0
  xres: 480
  yres: 800
  xres_virtual: 480
  yres_virtual: 1600
  xoffset: 0
  yoffset: 0
  bits_per_pixel: 32
  activate: 16
  height: 106
  width: 62
  rotate: 0
  grayscale: 0
  nonstd: 0
  accel_flags: 0
  pixclock: 0
  left_margin: 0
  right_margin: 0
  upper_margin: 0
  lower_margin: 0
  hsync_len: 0
  vsync_len: 0
  sync: 0
  vmode: 0
Buffer offset:      00000000
Buffer size:        8192
Scanning region fbb00000...
Potential exploit area found at address fbb7f800:1800.
Exploiting device...

C:\Users\Craig\Downloads\Downgrade_v3\Downgrade>adb shell

Unfortunately, ClockworkMod Recovery doesn't seem to work, though it's theoretically now flashed onto the phone. The phone still boots into regular Android recovery. I suspect that AAHK hasn't successfully unlocked the bootloader to S-OFF, probably because gfree seems to fail:

# ./gfree -f
./gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
 - Section[16]: .modinfo
 -- offset: 0x00000a14 (2580)
 -- size: 0x000000cc (204)
Kernel release:
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory

UPDATE: It looks like the radio downgrade failed the first time around. Re-running AAHK successfully downgraded the radio and got me ClockworkMod recovery on reboot into recovery mode. Victory! CM install in progress.

UPDATE: CM 7 installed, but got into a reboot loop on startup. To fix this I rebooted back into ClockworkMod recovery and used it to erase the cache and user data. A reboot then succeeded, dropping me into a clean CyanogenMod install - without, of course, any of my data.

I then grabbed the latest Google Apps version, put it in the root of the SD card, and rebooted into recovery using ROM Manager's "reboot into recovery" mode, where I used "install zip from sdcard" to install the apps and did another "wipe data / factory reset".

After that, a reboot brought me into a Cyanogen environment with the Google apps, Market, etc. Phew!


  1. Buy a Nexus series phone next time, so that you don't have to put up with any telco bullshit?

    1. Heh, the OpenMoko folks tried that, and they've had endless hours of "fun"...

      Phones are the ultimate hobbyist-hostile device, what with all the regulatory requirements.

  2. Hi, I am not getting "Scanning region fbb00000... Potential exploit area found at address fbb7f800:1800. Exploiting device...". It is stuck after getting "Buffer size: 8192". Any clue on this?

    1. Reboot the phone and try again. I saw this several times and a reboot took care of it.

      From what I understand, the exploit doesn't always work; it's dependent on details of how the phone's memory layout works out.

  3. I gather from your post that you managed to successfully root your phone with the AAHK, is this correct?
    I have the same phone model with the same software version you listed and I am very keen to root my phone but I'm a total noob.

  4. Define "noob". Do you have a basic familiarity with command-line interfaces? If so, you should be ok.

    DO NOT ATTEMPT TO ROOT OR RE-FLASH YOUR PHONE UNLESS YOU CAN HANDLE THE POSSIBILITY THAT IT MIGHT BE PERMANENTLY DESTROYED. If you cannot be without your phone and cannot afford to replace it, do not attempt to root or re-flash it. There is always a risk.

    It seems to be fairly hard to bollix up an Android phone re-flash so long as you don't do anything dumb like use the wrong phone firmware. Even then, with ClockworkMod it's probably recoverable. Nonetheless, you should always proceed on the assumption that each attempt might destroy your phone.

  5. Sound advice, I plan to be well read before I attempt it.

    If by command line interfaces you mean like MS-DOS then I have used them before and know what they are, but I'm not savvy on them in any way.
    The stuff I have read so far has been slightly more general, i.e. the AAHK was with reference to the HTC Inspire and the Desire but talked about different software versions than I'm using.
    Fortunately you have listed the same model with the same software, so I figure you will be a good person to take advice from.

    It sounds from your post like you used the AAHK but had a few issues like the reboot loop. Were these unexpected reactions from the phone or is it a common problem?

  6. Hear! Hear! I've had an absolute gutful of Vodafail and will *never* be aligning myself with them again: not only is their service useless in relation to coverage, but the handsets they sell are so full of rubbish they are rendered far less useful! HTC should be ashamed of themselves for allowing this and I've been turned off their handsets as a result... Nothing for it but to revert to buying handsets from a reliable online retailer without the ties and locks to a specific network.
