Rooting a Vodafone Branded HTC Desire Z including Engineering Hboot and Clockwork via Goldcard (SuperCID) + CyanogenMod

24 July 2011 at 19:55

This howto is based on a chat session between Guhl and me on channel #G2ROOT @ irc.freenode about two weeks ago. I will try to explain how to remove the branding from your Vodafone HTC Desire Z so that you can install the latest release of CyanogenMod. My device had a firmware version installed which is known not to be "rootable". In order to install the latest CyanogenMod ROM I had to downgrade the firmware (<=1.34).

Please note that I take no responsibility if you brick your device! All data on your device will be irrecoverably lost! I highly recommend reading all instructions carefully before proceeding with each step. If you have questions of any kind, don't hesitate to send me a message via jabber or simply leave a comment on this article.

Before you begin you'll need to have the Android SDK installed, including its platform-tools. For more information on how to install the SDK including all necessary components, simply follow this guide.

You will also have to adjust your udev setup for your device to be recognized properly. Follow this guide or simply copy the following ruleset and re-plug your device afterwards:

$ cat /etc/udev/rules.d/00_external.rules;
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0ff9", MODE="0666", OWNER="bungart" #Normal g2
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0c91", MODE="0666", OWNER="bungart" #Debug & Recovery g2
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0fff", MODE="0666", OWNER="bungart" #Fastboot g2

Now make sure that your device is plugged in via USB. Use the shell functionality of the adb binary to retrieve the CID (Carrier ID) of the device. You can find the adb binary within the "platform-tools" directory of the Android SDK. If you followed the SDK guide accordingly you should have the platform-tools directory in your $PATH variable. This means that you can simply type "adb" without the need to specify the absolute path to the binary.

Enable USB Debugging: You will have to enable the USB debugging feature which is located under "Settings -> Applications -> USB debugging" before you will be able to connect your device with the SDK. After enabling the debugging mode you can simply use adb devices to check for available devices.

$ adb devices;
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached 
HT0BFRT01366	device

$ adb shell 'cat /sys/class/mmc_host/mmc2/mmc2:*/cid';

Good! Now point your browser to this URL, paste your CID into the designated fill-in field and click the submit button. Use the resulting CID to request a so-called "Gold Card Image". The image size is < 512B and it will be sent to you via email, so be sure to provide a valid email address!

The gold card image is needed to gain "SuperCID" access. With it you will be able to replace the branded firmware with a regular one from stock.

  • If you haven't done it yet you might want to do a complete backup of your data before proceeding! (E.g. use Titanium Backup for this)
  • Insert an SD card into your card reader. We're going to overwrite its boot sector, so it's strongly advised that you use a dedicated SD card without any important data on it.
  • You can identify the respective block device by using "dmesg | tail" right after insertion of the SD card since there is only one hard drive installed (sda, sdb, sdc, sd...)
  • I will use "/dev/sdb" as my block device (replace it every time it's mentioned with the one you've identified!)
  • Attention: As a regular user you should normally unplug any additional mass storage devices like external hard drives, USB memory sticks, smartphones and such. This way you avoid overwriting one of these instead of the SD card. Also take note that the block device /dev/sda is most likely your system's hard drive. If you accidentally overwrite its boot sector, the partition table will be gone as well! (Newer versions of cfdisk can now also seek and restore lost partitions!)
  • Okay, you have been warned, so if you think that you're all set just go on and copy the gold card image to your SD card:

Preparing your SD CARD:
  • Create MSDOS partition table
  • Create first partition of type "b" -> FAT32

$ sudo cfdisk /dev/sdb;

If you haven't got a recent version of cfdisk (>=1.2.4) you will have to create the filesystem by hand:

$ sudo mkfs.vfat -F 32 -n gcard /dev/sdb1;

Okay, now copy the gold card image:

$ sudo dd if=../path/to/your/gc.img of=/dev/sdb bs=512 count=1;
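A pre-flight check for the dd step above, as an added example that is not part of the original howto: it refuses to proceed unless the target is a whole-disk device flagged removable, nothing on it is mounted, and the image fits in a single 512-byte sector. The function names and the SYSFS_ROOT and MOUNTS_FILE overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity checks before writing
# a gold card image to sector 0 of an SD card.
# SYSFS_ROOT and MOUNTS_FILE are hypothetical overrides so the checks can be
# exercised against a fake tree instead of the live system.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# check_goldcard_target DEVICE IMAGE
# Returns 0 when it is safe to proceed; otherwise prints the reason on stderr
# and returns 1 (not a whole disk), 2 (not removable), 3 (mounted), 4 (bad image).
check_goldcard_target() {
    dev=$1 img=$2
    sysdir="$SYSFS_ROOT/block/${dev##*/}"

    # Only whole disks (sdb) have an entry directly under /sys/block;
    # partitions (sdb1) do not. The image has to go to sector 0 of the disk.
    [ -d "$sysdir" ] || { echo "$dev: not a whole-disk block device" >&2; return 1; }

    # USB card readers and memory sticks report removable=1, internal disks 0.
    [ "$(cat "$sysdir/removable" 2>/dev/null)" = "1" ] ||
        { echo "$dev: not flagged removable, refusing" >&2; return 2; }

    # Refuse if the disk or one of its partitions is still mounted.
    if grep -q "^$dev[0-9]* " "$MOUNTS_FILE"; then
        echo "$dev: still mounted, unmount it first" >&2; return 3
    fi

    # dd is run with bs=512 count=1, so the image must fit in one sector.
    size=$(wc -c < "$img") || return 4
    [ "$size" -gt 0 ] && [ "$size" -le 512 ] ||
        { echo "$img: $size bytes, expected 1..512" >&2; return 4; }
    return 0
}

# write_goldcard DEVICE IMAGE
# Runs the howto's dd command only when every check above has passed.
write_goldcard() {
    check_goldcard_target "$1" "$2" || return
    sudo dd if="$2" of="$1" bs=512 count=1 && sync
}
```

Call it as write_goldcard /dev/sdb ../path/to/your/gc.img in place of the bare dd command.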

Okay, it's time for some action now :> Download all the files listed below to your current working directory:

Source: G2 Downgrade Firmware to 1.34.707.3
Now push the misc_version and psneuter binaries to a temporary working directory on the device. By using the psneuter binary you will gain temporary root access to your device. With the second binary named misc_version you will then set the new firmware version in order to downgrade. Further you will have to reboot the device - simply use the tools given by the SDK -> "adb reboot bootloader".

$ adb push psneuter /data/local/tmp;
$ adb push misc_version /data/local/tmp;
$ adb shell chmod 777 /data/local/tmp/{psneuter,misc_version};
$ adb shell /data/local/tmp/psneuter;
$ adb shell '/data/local/tmp/misc_version -s 1.34.707.3';
$ adb reboot bootloader;

For the downgrade we won't rely on the HBOOT provided firmware 1.82. Instead we will use the ROM UPDATE UTILITY (RUU) via fastboot. For that to work you'll have to download the fastboot binary first and make it executable:

$ wget -c;
$ chmod +x fastboot;

Attention: If you encounter any problems with the next step you should head over to the #g2root channel on irc.freenode and remember not to disconnect or turn off your device!

Reboot the device and select "fastboot" from the menu. The bootloader should now yell "FASTBOOT USB" in red if the device is connected properly. If it does, just start the RUU and flash the new firmware image:

$ adb reboot bootloader;
$ ./fastboot oem rebootRUU;
$ ./fastboot flash zip;

[.. zzZZzzZz .. Get yourself some coffee! ..]

$ ./fastboot reboot;

If everything works out fine you should now be seeing a shiny HTC logo during boot. After the device has successfully booted you will have to turn USB Debugging back on. Now you're free to install the Engineering HBoot and Clockwork Recovery. First of all you need to get all of the necessary stuff mentioned below:

Source: Root, S-OFF, the ClockworkMod Recovery & the Engineering HBoot
Unpack all zip files into the same directory where you have placed the psneuter and busybox binaries. Finally re-create the temporary upload directory and push all necessary binaries to the device:

$ adb shell mkdir /data/local/tmp/;
$ adb push busybox /data/local/tmp/;
$ adb push gfree /data/local/tmp/;
$ adb push hboot-eng.img /data/local/tmp/;
$ adb push psneuter /data/local/tmp/;
$ adb push recovery-clockwork- /data/local/tmp/recovery.img;
$ adb push root_psn /data/local/tmp/;
$ adb shell "/data/local/tmp/psneuter";

Okay, you're almost done, now it's time to flash the HBOOT and Clockwork Recovery images:

$ adb shell;
# cd /data/local/tmp/;
# ./busybox md5sum hboot-eng.img;
# ./gfree -f -b hboot-eng.img -y recovery.img;
# ./busybox md5sum /dev/block/mmcblk0p18;
# exit;

That's it, you're done! Now your phone has HBOOT and Clockwork Recovery installed. The only thing missing is CyanogenMod, which you can install via Clockwork Recovery or alternatively via fastboot. Follow these instructions to install the latest build. They also cover the installation of Google-Apps.

Many thanks to Guhl from #g2root @ irc.freenode for bailing me out ;)

So long...

Jan, aka. tuxaddicted