simpler android rooting

[ link: simple-rooting-g1 | tags: android g1 | updated: Tue, 22 Sep 2009 11:18:23 ]

I've previously written about how to root an android phone, and mentioned that there was a better way which I had not tried yet. Well, I did try it today.

The procedure written by Zinx from ZenThought exploits a recently found bug in the Linux kernel (see CVE-2009-2692).

WARNING: this may very well brick your phone! Read all the instructions here, and the links I provide. If you're still not discouraged, continue on :)

UPDATE 20090904: The flashrec tool now supports 32a and 32b CPUs. Read the flashrec project page for details. See my other post titled: the dreaded process of rooting Rogers Dream.

The exploit code is a fun read and I encourage the geeks to go and get flashrec-20090815.tar.gz and read it.

For the rest of you, here are the steps to use it:

on a freshly network-unlocked Tmobile G1...
point your browser at flashrec-1.1-20090904.apk, or a shorter version of the url http://2tu.us/rhg
follow the procedure to allow untrusted package sources
run the app
backup your current recovery image
download the new recovery image
install the new recovery image
now reboot the phone to recovery mode; you can do either:
- regular shutdown, and power up with HOME key held, or
- adb shell reboot recovery

... and now you can install any rom you want.

NOTE: if you boot the Tmobile firmware now, it will reflash the original recovery image; should this happen just run the flashrec app again.

To install the latest CyanogenMod, you'll need to download...

for Tmobile G1 get these files:
- ota-radio-2_22_19_26I.zip
- update-cm-4.0.4-signed.zip

copy both to the SD card. If you have the Android Debug Bridge (or adb) working you can just run:

# adb push ota-radio-2_22_19_26I.zip /sdcard/ota-radio-2_22_19_26I.zip
# adb push update-cm-4.0.4-signed.zip /sdcard/update-cm-4.0.4-signed.zip

On first rooting you need to wipe to factory defaults
- reboot with HOME + BACK keys.
  
  ... wait ...
- select Alt-W or wipe data/factory reset
- reboot with HOME + BACK keys.
  
  ... wait a long time ...
- if you come back to the recovery menu, reboot with HOME + BACK keys again.
  
  ... now, wait some more ...

On the first boot (and it will reboot several times) it will take under 5 minutes. Be patient. During this first long boot the phone is initializing the apps.

Where did fastboot go?

If you install using this method you will have the nice recovery image, and a nice image to run, but you will still have the original Tmobile G1 SPL (the bootloader). If you want fastboot you will need to install the HardSPL bootloader separately.

It is important to reemphasize the importance of what will happen if this doesn't work... you will brick your phone. Go to this page, read it, and decide if what you're doing is fine with you.

The procedure is as follows:

download splhard1_update_signed.zip
put it on the sdcard (maybe with adb push)
reboot holding HOME
select Alt-A and flash with the splhard1_update_signed.zip file
power down
boot holding BACK button

You now have fastboot...

# fastboot devices
HT123XY45678        fastboot

Yey!

Bart's Blog

About

I am an embedded Linux software developer and consultant operating under Jukie Networks Inc in Ottawa, Canada.