HTC pushed an Android 2.3.5 update to my Vodafone Australia-branded HTC Desire HD. There was no changelog, and along with the Android update it turns out I get a new version of HTC Sense (yay?) with all sorts of animations I can't turn off and extra bloat.
Great work HTC, you made the phone faster, then ruined it with more pointless animation. At least the "no window animations" setting used to work in the old version...
The new phone version is:
Model number: HTC Desire HD A9191 Android version: 2.3.5 HTC Sense version: 3.0 Software number: 22.214.171.124 Kernel version: 126.96.36.199-g931a37e htc-kernel@and18-2 #1 WEd Nov 9 14:04:03 CST 2011 Baseband version: 188.8.131.52U_26.14.04.28_M Build number: 184.108.40.206 CL200874 release-keys
(from "settings->about phone")
I'd love to downgrade it (rooting it if necessary to do so) then reflash it with a sensible firmware from Cyanogen etc. Unfortunately, Vodafone/HTC seem to have broken existing root methods on the device with the latest update. It's not like this is my phone that I purchased outright or anything, so why should I be able to do anything with it? GRR!.
IMPORTANT: IF YOU ARE CONSIDERING ROOTING AND REFLASHING YOUR PHONE, UNDERSTAND THAT IT WILL PROBABLY VOID ALL WARRANTIES AND MAY DESTROY YOUR PHONE IF YOU MAKE A MISTAKE OR IT DOESN'T WORK PROPERLY WITH YOUR MODEL! This is not a guide, it's just a report of what worked for me.
$ /data/local/tmp/psneuter /data/local/tmp/psneuter Failed to set prot mask (Inappropriate ioctl for device)
$ ./data/local/tmp/fre3vo ./data/local/tmp/fre3vo fre3vo by #teamwin Please wait... $
... never successfully getting root.
I've also tried the official HTC bootloader unlock tool for the Desire HD. It's been released for my Vodafone firmware version, so it should work, but it reports "unsupported firmware version". Sigh. Even if the bootloader unlock worked, I couldn't actually reflash the phone without temporary root access or a direct flashing tool that doesn't require using the phone to modify its own recovery partition.
So, what's a pissed-off phone owner to do?
Investigation suggests I may be able to directly reflash the device with tools called odin3 (a leaked Samsung android flashing tool) or the libusb-based Heimdall, but I'm having a hard time finding suitable images for the Desire HD, or much information about it. When I reboot my HD into what I think is download mode (bootloader menu -> recovery) heimdall can't see the device - whether I'm using the libusb drivers or the default drivers. Odin doesn't seem to see it either, and it looks like both are designed primarily for Samsung phones.
The long term solution is, as noted below, buy from a less closed and restrictive vendor. If I wanted a locked down device I would've bought an iPhone, it would've at least had more than a half day's battery life.
PS: The next person who posts a guide/walkthrough/howto without listing the version number of the latest firmware for which it is known to work is going to find themselves in a world of pain if I ever find them. The amount of stunningly bad writing on this topic is incredible.
UPDATE: A downgrade was successful with the AAHK (Advanced ACE Hack Kit), after which I could root the phone with
C:\Users\Craig\Downloads\Downgrade_v3\Downgrade>adb shell $ /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF fre3vo by #teamwin Please wait... Attempting to modify ro.secure property... fb_fix_screeninfo: id: msmfb smem_start: 802160640 smem_len: 3145728 type: 0 type_aux: 0 visual: 2 xpanstep: 0 ypanstep: 1 line_length: 1920 mmio_start: 0 accel: 0 fb_var_screeninfo: xres: 480 yres: 800 xres_virtual: 480 yres_virtual: 1600 xoffset: 0 yoffset: 0 bits_per_pixel: 32 activate: 16 height: 106 width: 62 rotate: 0 grayscale: 0 nonstd: 0 accel_flags: 0 pixclock: 0 left_margin: 0 right_margin: 0 upper_margin: 0 lower_margin: 0 hsync_len: 0 vsync_len: 0 sync: 0 vmode: 0 Buffer offset: 00000000 Buffer size: 8192 Scanning region fbb00000... Potential exploit area found at address fbb7f800:1800. Exploiting device... C:\Users\Craig\Downloads\Downgrade_v3\Downgrade>adb shell #
Unfortunately, ClockworkMod Recovery doesn't seem to work, though it's theoretically now flashed onto the phone. The phone still boots into regular Android recovery. I suspect that AAHK hasn't successfully unlocked the bootloader to S-OFF, probably because gfree seems to fail:
# ./gfree -f ./gfree -f --secu_flag off set --cid set. CID will be changed to: 11111111 --sim_unlock. SIMLOCK will be removed Section header entry size: 40 Number of section headers: 44 Total section header table size: 1760 Section header file offset: 0x000138b4 (80052) Section index for section name string table: 41 String table offset: 0x000136fb (79611) Searching for .modinfo section... - Section: .modinfo -- offset: 0x00000a14 (2580) -- size: 0x000000cc (204) Kernel release: 220.127.116.11-gd2564fb New .modinfo section size: 204 Attempting to power cycle eMMC... Failed. Module failed to load: No such file or directory
UPDATE: It looks like the radio downgrade failed the first time around. Re-running AAHK successfully downgraded the radio and got me ClockworkMod recovery on reboot into recovery mode. Victory! CM install in progress.
UPDATE: CM 7 installed, but got into a reboot loop on startup. To fix this I rebooted back into clockworkmod recovery and used it to erase the cache and user data. A reboot then succeeded, dropping me into a clean Cyanogenmod install - without, of course, any of my data.
I then grabbed the latest Google Apps version, put it in the root of the SD card, and rebooted into recovery using Rom Manager's "reboot into recovery" mode, where I used "install zip from sdcard" to install the apps and did another "wipe data / factory reset".
After that, a reboot bought me into a Cyanogen environment with the Google apps, Market, etc. Phew!