[Guide] Root your G1 phone!
1. Get a G1 with RC30. (If you are in the UK then I guess this would be RC8). If you are lucky enough to have an earlier software version then you can skip to step #11.
2. Mount your SD card in Windows and reformat it as FAT32. The HTC bootloader won’t be able to see the RC29 (or RC7) image otherwise. Make sure you back up all your files first!
3. Download the appropriate image (RC29 for USA or RC7 for UK) from http://koushikdutta.blurryfox.com/G1/DREAIMG-RC29.zip or http://koushikdutta.blurryfox.com/G1/DREAIMG-RC7.zip. This is a DOWNGRADE to the Android version that contains a root shell bug (this exploit just seems too easy). I got these files from the forum thread http://forum.xda-developers.com/showthread.php?t=442480.
4. Extract the DREAIMG.nbh file from the downloaded zip archive and copy it to your SD card (again, for me, this had to be formatted as FAT32, not just regular FAT which is the default). Don’t put it in a folder, just stick it directly on there.
5. Disconnect the SD card the right way (eject, unmount, or otherwise tell your OS you are unplugging it) to make sure the data gets written. If you used an SD card reader, put the SD card back in your phone.
6. Make sure your phone has a full battery, then turn it off. Turn it back on by holding down the CAMERA and POWER buttons. This should get you into the HTC bootloader (the funky red, green, and blue screen).
7. If everything was done correctly, the bootloader will detect the image. You’ll be taken to a different screen that asks you to press the POWER button to install the image. Do this, but beware, you will lose all your saved data on your phone (with the exception of things that are synced with Google’s servers, like contacts, calendar, Gmail, etc.).
8. Wait for the update to complete. The progress bar will fill up, then all the steps will say OK beside them, and finally, it will ask you to press the “action key” (I think this means click the trackball). DO NOT do anything until you see this message. The progress bar needs to DISAPPEAR, not just fill up.
9. You now have the stock RC29 installed. Take out the battery, put it back in, and turn on your phone. It should ask you to activate your Google account again - do this.
10. If everything worked so far, your phone will look like you just got it with the default home screen. Wait for it to sync your contacts if you like. Also, you might want to go to Settings -> About Phone and verify that it says RC29 (or RC7) at the bottom.
11. Go to Settings -> Applications and check the box for “Unknown Sources” to allow installation of non-Market applications. Some sites say to use adb on your computer for the following steps, but doing it this way means you don’t have to download adb or the Android SDK.
12. Open the Browser on your phone and point it at http://koushikdutta.blurryfox.com/G1/Telnet.apk. Install this application after it downloads (the Android Telnet Client; more information at http://www.koushikdutta.com/2008/11/and ... lient.html).
13. Back out to the home screen. Type <Enter>telnetd<Enter>. This should spawn telnetd as root (since someone left a root shell running with /dev/console as input… tsk tsk). Typing on the home screen will open up a contact search - it doesn’t matter; after you press <Enter> the second time, back out of the contacts screen. You may need to do this after a fresh restart of your phone, but it worked fine for me.
14. Open up the Telnet Client. The default settings (localhost, port 23) are what you want. Connect and you should see a black screen with a text entry box at the bottom.
15. Type id<Enter>. The phone should say something like uid=0(root) gid=0(root). If it does - congratulations, you got a root shell!
16. Now we need to remount /system as writeable, and create a root shell program. Type in the following commands exactly as they are here, and press <Enter> after each one:
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
dd if=/system/bin/sh of=/system/bin/su
chmod 4755 /system/bin/su
17. Now you can get a root shell any time you want. This method is NOT SECURE and it will be fixed in the following steps. Download “Terminal Emulator” from the Android Market. Open it up and you should see a $ prompt. Type su<Enter> and the prompt should change to a # sign, meaning that you are now root. Back out of the terminal emulator - if that worked then you are set up for the next steps.
18. Download http://jf.nyquil.org/AndroidMod.zip (more information at the forum thread http://forum.xda-developers.com/showthread.php?t=443041). In this zip archive, there is a file called recovery_testkeys.img. Mount your SD card on the computer again, and extract that file to the SD card. Make sure you remove the USB cable after it’s done copying, or you won’t be able to get to the SD card from your phone. Don’t forget to disconnect safely.
19. Open up the Terminal Emulator that you downloaded from the Market. I used Terminal Emulator as much as possible because doing all this stuff over Telnet is kind of a pain. Type the following commands exactly as they appear here, and press <Enter> after each one. Wait for the # prompt to reappear after each command before continuing. You should not see any error messages - if you do, something went wrong and you should stop. If you restarted your phone since you created /system/bin/su, you will need to run “mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system” (as root) to get write access to /system again. Anyway, here are the commands:
su
cd /system
cat /sdcard/recovery_testkeys.img > recovery.img
flash_image recovery recovery.img
20. [from JesusFreke - http://forum.xda-developers.com/showthread.php?t=443041] At this point, it’s probably a good idea to reboot the phone into recovery mode (turn it off, and hold HOME and POWER), and make sure it loads OK. Once it boots into recovery mode, press alt+L, and the next to top line of text should say something like “using test keys.” If it doesn’t, then you’re still using the original recovery image and you won’t be able to install the modded update. If the recovery image is corrupt somehow, it will throw you back into SPL mode (the multi-color bootloader screen). If that happens, just boot the phone normally, and reflash the recovery image.
21. Press HOME and BACK together to reboot the phone normally (or just take out the battery). If everything worked so far, you can now install JesusFreke’s modified RC30 (or RC8) update that will let you keep root and close up those security holes like the mandatory root shell. Get that update from http://jf.nyquil.org/v1.31/JFv1.31_RC30.zip (USA) or http://jf.nyquil.org/v1.31/JFv1.31_RC8.zip (UK). You can also install the Android Dev Phone 1 image, but it is probably a little different and I haven’t tried it. Read more about these updates at http://forum.xda-developers.com/showthread.php?t=466174.
22. Take the zip file that you downloaded, rename it update.zip and put it in the root directory of the SD card. Turn off your phone and boot it into recovery mode again (hold down HOME and POWER). Press Alt+L and Alt+S to install the update. You should probably have a fully charged battery before you do this step. Again, read more about these updates and how to install them at http://forum.xda-developers.com/showthread.php?t=466174.
23. Wait for the update to finish, then reboot!
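As an added audit helper (not part of the original guide or of JesusFreke’s update), the following POSIX shell functions walk a directory tree, list every setuid file and flag the ones that are byte-for-byte copies of a given shell binary. That is exactly the state step 16 leaves /system/bin/su in (a world-executable setuid-root copy of /system/bin/sh that any process on the phone can run) until step 22 replaces it. The function names and the directory/shell arguments are my own choices; run it against /system with /system/bin/sh on the phone, or against any test tree.

```shell
#!/bin/sh
# Added audit helper, not from the original guide. Step 16 of the guide makes
# /system/bin/su a setuid-root copy of /system/bin/sh, so any local process can
# become root just by running it. These functions find every setuid file under
# ROOTDIR and mark those whose contents are identical to SHELL_BIN.
# Function names and parameters are this helper's own (assumed) choices.

# find_setuid_shells ROOTDIR SHELL_BIN
# Prints "<path> SHELL-COPY" for a setuid file identical to SHELL_BIN and
# "<path> setuid" for any other setuid file (those still deserve a look, but
# they are not necessarily a bare root shell).
find_setuid_shells() {
    root="$1"
    shell_bin="$2"
    # -perm -4000 matches any file with the setuid bit set, whatever the
    # remaining mode bits are (4755, 4711, ...).
    find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if cmp -s "$f" "$shell_bin"; then
            printf '%s SHELL-COPY\n' "$f"
        else
            printf '%s setuid\n' "$f"
        fi
    done
}

# count_setuid_shells ROOTDIR SHELL_BIN
# Prints the number of setuid shell copies found; 0 means the tree is clean.
# grep -c exits 1 when the count is 0, hence the "|| true".
count_setuid_shells() {
    find_setuid_shells "$1" "$2" | grep -c ' SHELL-COPY$' || true
}

# On the phone, after step 16 and before step 22, this is expected to report
# /system/bin/su as a SHELL-COPY:
#   find_setuid_shells /system /system/bin/sh
```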
Whew! Maybe I should have just gotten an iPhone - I hear they are a lot easier to crack!
Congratulations! If everything worked, you now have a rooted RC30 phone. All your applications and settings will be gone, but for me, a list of things I installed showed up in the Market under My Downloads after a minute, so I just went through and reinstalled everything I wanted.
Also, the modded RC30 has a cool Superuser Whitelist application, which alerts you whenever a program tries to gain root access on your phone. You can now do things like take screenshots (with Koushik Dutta’s “Screenshot” application), install Debian per Jay “Saurik” Freeman’s instructions, and maybe even write your own C/C++ programs for Android!
I hope I didn’t forget anything. Thanks to JesusFreke, Koushik Dutta, Saurik, and any others for all your hard work! I know this information is all available elsewhere but I thought it would be helpful to write everything up in one place with all the necessary details.
-James Nylen
http://www.webnetta.com/2009/01/02/t-mo ... -to-jfv13/