I’ve previously written about [how to root an android phone]{rooting-g1}, and mentioned that there was a better way which I had not tried yet. Well, I did try it today.

The procedure, written by Zinx of ZenThought, exploits a recently found Linux kernel bug, the sock_sendpage() NULL pointer dereference (CVE-2009-2692), to get root on the running phone and rewrite the recovery image from there. It only works while the phone's kernel is still unpatched for that bug.

WARNING: this may very well brick your phone! Read all the instructions here, and the links I provide. If you’re still not discouraged, continue on :)

UPDATE 20090904: The flashrec tool now supports the 32A and 32B board revisions. Read the flashrec project page for details. See my other post titled: [the dreaded process of rooting Rogers Dream]{rooting-rogers-dream}.

The exploit code is a fun read and I encourage the geeks to go and get flashrec-20090815.tar.gz and read it.

For the rest of you, here are the steps to use it:

  • on a freshly network-unlocked Tmobile G1…
  • point your browser at flashrec-1.1-20090904.apk, or a shorter version of the url http://2tu.us/rhg
  • in Settings > Applications, enable Unknown sources so the downloaded APK can be installed
  • run the app
  • backup your current recovery image
  • download the new recovery image
  • install the new recovery image
  • now reboot the phone to recovery mode; you can do either:
    • regular shutdown, and power up with HOME key held, or
    • adb shell reboot recovery

… and now you can install any ROM you want. (The stock recovery only applies update zips signed with the manufacturer's key; the replacement recovery is what lets you flash third-party ROMs at all.)

NOTE: if you boot the Tmobile firmware now, it will reflash the original recovery image; should this happen just run the flashrec app again.

To install the latest CyanogenMod, you’ll need to download…

copy both to the SD card. If you have the Android Debug Bridge (or adb) working you can just run:

# adb push ota-radio-2_22_19_26I.zip /sdcard/ota-radio-2_22_19_26I.zip
# adb push update-cm-4.0.4-signed.zip /sdcard/update-cm-4.0.4-signed.zip
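Before pushing, it is worth checking that each zip is intact: a truncated download or an HTML error page saved under a .zip name is one of the ways this goes from "rooted" to "bricked". The script below is an added example for this post, not code from flashrec or CyanogenMod. It checks the zip's magic bytes and its SHA-1 against a digest you supply (the digests are placeholders you would take from wherever you downloaded the files; the page itself lists none), and only then pushes the file to the root of the SD card with adb. The ADB variable is an assumption of this script, letting you point it at a different adb binary. The same check is worth running on any other zip you flash from recovery.

```shell
#!/bin/sh
# Added example (not from the original post, flashrec, or CyanogenMod).
# Assumptions: adb is on PATH (override with ADB=/path/to/adb), and you have
# the expected SHA-1 digests of the zips from wherever you downloaded them.

ADB="${ADB:-adb}"

# is_zip FILE: succeed only if FILE starts with the zip local-file-header
# magic "PK\003\004"; an HTML error page or an empty partial download fails.
is_zip() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "504b0304" ]
}

# sha1_of FILE: print the hex SHA-1 digest, using sha1sum or shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# check_update_zip FILE EXPECTED_SHA1: succeed only if FILE is a zip and its
# digest matches EXPECTED_SHA1 (hex, compared case-insensitively).
check_update_zip() {
    is_zip "$1" || { echo "refusing $1: not a zip file" >&2; return 1; }
    actual=$(sha1_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "refusing $1: sha1 $actual does not match $expected" >&2
        return 1
    fi
}

# push_update FILE EXPECTED_SHA1: verify first, then push to /sdcard.
push_update() {
    check_update_zip "$1" "$2" || return 1
    "$ADB" push "$1" "/sdcard/$(basename "$1")"
}

# Stand-alone usage:  sh push-update.sh update-cm-4.0.4-signed.zip <sha1>
if [ "$#" -eq 2 ]; then
    push_update "$1" "$2"
fi
```

Run it once per zip; if either check fails the file is never pushed, and the message on stderr tells you which check rejected it.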

From the Android system recovery screen (power up with the HOME key held):

(note: you can use the trackball to maneuver through the menu and press it to select options)

  • Flashing for Tmobile G1
    • select Alt-A or apply any zip from sd

    • select ota-radio-2_22_19_26I.zip

      … wait …

    • select Alt-A or apply any zip from sd

    • select update-cm-4.0.4-signed.zip

  • On first rooting you need to wipe to factory defaults
    • reboot with HOME + BACK keys.

      … wait …

    • select Alt-W or wipe data/factory reset

    • reboot with HOME + BACK keys.

      … wait a long time …

    • if you come back to the recovery menu, reboot with HOME + BACK keys again.

      … now, wait some more …

The first boot takes up to 5 minutes, and the phone will reboot several times along the way. Be patient: during this first long boot the phone is initializing the apps.

Where did fastboot go?

If you install using this method you will have the nice recovery image, and a nice image to run, but you will still have the original Tmobile G1 SPL (the bootloader). If you want fastboot you will need to install the HardSPL bootloader separately.

It bears repeating what happens if this step fails: you brick your phone. Go to this page, read it, and decide whether that risk is acceptable to you.

The procedure is as follows:

  • download splhard1_update_signed.zip
  • put it on the sdcard (maybe with adb push)
  • reboot holding HOME
  • select Alt-A and flash with the splhard1_update_signed.zip file
  • power down
  • boot holding the BACK button; HardSPL starts in fastboot mode

You now have fastboot, and the phone shows up when you list attached devices (the serial below is just an example):

# fastboot devices
HT123XY45678        fastboot

Yey!