How-to- Root, Hack, and Flashing your G1/Dream Read first!!

staulkor

I have been poking around at this for a few hours now.

I have recompiled dropbear for ARM and I'm trying to see if I can get it to work on here, but the problem is I can't find anything to change ownership of a file!

From looking at the other files in /system/bin that are executable in shell, it looks like they need to be root:shell. I put the dropbear binary on my sdcard (which is locked down with masks and a noexec flag. I am going to try remounting it). I copied dropbear from the sdcard to /system/bin and it automatically changes the permissions to root:root and read only for root. I chmod'd it to 4777, but it's still root:root (obviously) and I keep getting permission denied :(
 

staulkor

Well I finally unmounted /sdcard manually. You have to kill mountd manually and then you can unmount it. Unfortunately, as soon as you try to remount it, mountd starts up again and enforces its mount parameters instead of mine :(

Also, I am looking through various startup scripts and the script is calling chown...so where the hell is it!
 

Darkrift

I have been poking around at this for a few hours now.

I have recompiled dropbear for ARM and I'm trying to see if I can get it to work on here, but the problem is I can't find anything to change ownership of a file!

From looking at the other files in /system/bin that are executable in shell, it looks like they need to be root:shell. I put the dropbear binary on my sdcard (which is locked down with masks and a noexec flag. I am going to try remounting it). I copied dropbear from the sdcard to /system/bin and it automatically changes the permissions to root:root and read only for root. I chmod'd it to 4777, but it's still root:root (obviously) and I keep getting permission denied :(

chown isn't there. Not sure how the scripts get away with it, but check here for busybox (I'm taking ideas from #android and making little tutorials, in case you were wondering about the links): http://android-dls.com/forum/index.php?f=15&p=422&rb_v=viewtopic#p422
You can use this method (at the end) to do 'cp -s busybox chown' and you will then have chown :) Good luck and don't brick/break anything.
 

LGSilva

Doesn't the OS run all apps sandboxed?
So would you have to change more than permissions to make anything work?
 

staulkor

chown isn't there. Not sure how the scripts get away with it, but check here for busybox (I'm taking ideas from #android and making little tutorials, in case you were wondering about the links): http://android-dls.com/forum/index.php?f=15&p=422&rb_v=viewtopic#p422
You can use this method (at the end) to do 'cp -s busybox chown' and you will then have chown :) Good luck and don't brick/break anything.

Nice! I am trying this now.

And chown has to be there somewhere...why else would it call it. I guess we will learn eventually as we pick apart android more :p
 

LGSilva

Just a complement from my previous post:
“We wanted to sandbox every single application because you can’t trust any of them,” said Rich Cannings, a Google security engineer.
 

staulkor

Just a complement from my previous post:
“We wanted to sandbox every single application because you can’t trust any of them,” said Rich Cannings, a Google security engineer.

I'm sure all the "real" applications that were intended to be used on Android, such as programs off the marketplace and other APKs, are in a sandbox environment. So far it looks like we are beyond that and are down to the core (or near core) of the OS.
 

staulkor

Ok...FINALLY I am able to port apps to native C code for Android. It has only taken me many hours of my time and no sleep, but hey, it's all for fun and glory (lol).

I have compiled dropbear and it IS working and running as a daemon. However, I can't actually connect to the SSH server yet. Netstat and ps reveal that it is in fact working:

netstat
Code:
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN

ps
Code:
root     1013  1     1088  252   c00a62ec 0004cfe4 S dropbear

I'm so close I can taste it :p I just have to figure out how to make dropbear listen on the correct interface. I'm sure there is a setting in the config.h file for dropbear and a simple recompile will fix it.

When I do get it working, I will make a full diy on how to install it.
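
The netstat and ps lines in the post above, read from the defender's side: an added example (not part of the original post or thread) that parses output in that format and reports TCP listeners bound to non-loopback addresses and root-owned remote-shell daemons. The function names and every sample line other than the two quoted in the post are constructed for illustration.

```python
# Added example: audit device `netstat` and `ps` output for remote-shell exposure.
# Sample text is constructed, in the column layout quoted in the post above.
import ipaddress

REMOTE_SHELL_DAEMONS = {"dropbear", "telnetd"}   # daemons named in this thread

NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN
tcp        0      0 10.0.0.5:22            10.0.0.9:51012         ESTABLISHED
"""
PS_SAMPLE = """\
USER     PID   PPID  VSIZE RSS   WCHAN    PC         NAME
root     1013  1     1088  252   c00a62ec 0004cfe4 S dropbear
app_12   1100  52    98000 14000 ffffffff afe0da04 S com.example.app
root     1     0     264   176   c00a62ec 0000c36c S /init
"""

def exposed_listeners(netstat_text):
    """Return (address, port) for TCP sockets listening on a non-loopback address."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        addr = ipaddress.ip_address(host.strip("[]"))
        if not addr.is_loopback:          # 0.0.0.0 or :: means every interface
            found.append((str(addr), int(port)))
    return found

def root_remote_shells(ps_text):
    """Return (pid, name) for root-owned processes that are known remote-shell daemons."""
    found = []
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[1].isdigit():
            continue                       # header or malformed line
        user, pid, name = fields[0], int(fields[1]), fields[-1]
        if user == "root" and name.rsplit("/", 1)[-1] in REMOTE_SHELL_DAEMONS:
            found.append((pid, name))
    return found

if __name__ == "__main__":
    for addr, port in exposed_listeners(NETSTAT_SAMPLE):
        print(f"listener reachable beyond loopback: {addr}:{port}")
    for pid, name in root_remote_shells(PS_SAMPLE):
        print(f"root-owned remote shell daemon: pid {pid} ({name})")
```

The netstat shown in the thread prints no owning process, so the two reports are independent findings rather than a port-to-PID correlation.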
 

staulkor

Got it working ;)

I can connect to the phone via ssh, however, it is asking for a username/password. The problem is there isn't a password for root (so I think) and there definitely isn't a password for the other accounts. So now that I got ssh up and running, I need to figure out how to actually log in and take advantage of this!

Normally for usernames and passwords, they are kept in the /etc/passwd file. The passwords are obviously hashed, but it would show you if there is indeed a password or not so we don't waste our time brute forcing if it comes down to that.
 

humble

Wow :eek: Again, please sir, keep us updated, and give us a walkthrough. You guys are about to make history :D Keep up the good work (oh yeah, and get some sleep) :D
 

staulkor

It's just too much fun. I can't go to sleep yet, but I probably will :/

I forgot to mention, /etc/passwd doesn't exist. That would make it too easy, hehe
 

dagentooboy

so is there any way to do this over USB so we can tether through ssh? Or do I need to carry a wireless router everywhere to log in?
 

johnkzin

I hope/wonder-if this will lead to lower level apps for Android, and how-to’s like:

1) how-to set up your Android Phone as a Wifi Router
2) how-to enable other bluetooth profiles (DUN, PAN, HID, BIP)
3) how-to set up symlinks for installing/storing your Android Market apps on your micro-SDHC card

And then apps that aren’t Dalvik based (ie. native binary based apps), and perhaps an apt-get like packaging system for native apps.

Hopefully someone can set up a better terminal emulator than pterminal (it’s great for what it is, but it’s not like running an OS X “Terminal”, nor an xterm … the terminal emulation code from ConnectBot would be ideal to use in place of pterminal’s interface).

However, this is rather outstanding news. Soon, perhaps, Android won't just be the most open phone platform, but it’ll be a genuine unix box in your pocket (that you can use directly as a unix box).

I wonder how long before there’s a Jabber server so you access the SMS/MMS capabilities from your laptop’s Jabber client … and a SIP server for the voice interface. Being able to do that via Wifi and/or USB would be absolutely lovely.
 

MrUfnb

Confirmed on a UK G1

Build kila_uk-user 1.0 TC5-RC7 112931 ota-rel-keys,release keys

# mount -oremount,rw /dev/block/mtdblock3 /system
# ls
sqlite_stmt_journals
cache
blah
 

staulkor

There are no password commands whatsoever. It isn't using standard Linux password management. Yes, I could simply use passwd that's built into busybox, but I might risk bricking the phone.
 

goodwinm

There are no password commands whatsoever. It isn't using standard Linux password management. Yes, I could simply use passwd that's built into busybox, but I might risk bricking the phone.

I tried using passwd in busybox, got an error because of no /etc/passwd. So, why not make one? I can't so far tell that there are any passwords stored on the system anywhere...
 

Top Liked Posts

  • 8
    Why should you root your Dream/G1?

    Well, hopefully one of those reasons convinced you to get root access on your phone!


    Preparing to Get Root on your Phone
    Getting root on your phone involves exploiting a security hole that existed in an early version of Android. The versions with the security holes are known as RC19, RC28, and RC29 (or RC7 or lower for UK phones). As of RC30 (RC8 on UK), Google patched the security hole so that your phone can not be rooted (don't worry, we can still root it!).
    To check your version, go to the Home Screen, click your menu button, choose "Settings", and then click "About phone". You will then see the following screen:
    [Image: RC30.png]


    If you have US-RC30/UK-RC8 or higher, you will first need to downgrade your phone to a previous version. (Skip these steps otherwise)
    1. Format your phone's SD card to FAT32 mode:
      • Hook your phone up to your computer using a USB cable and then wait for the notification to show up in your title bar of your phone.
      • Click the notification, and then click "Mount".
      • A new removable disk should show up on your computer. Right click it and select Format, and select FAT32 as the file system type.
    2. Download and unzip the RC29 or RC7 image file. Copy the DREAIMG.nbh file to the SD card. (RC29 for US, RC7 is for UK)
    3. Turn the device power off.
    4. Hold the Camera button and press the Power button to enter bootloader mode. You should see a gray/white screen with instructions to flash your phone with the update on your SD card. If you don't see that, make sure you followed the instructions properly.
    5. As per the on-screen instructions, press the Power button to start the upgrade procedure. DO NOT DO ANYTHING TO INTERRUPT THIS PROCESS.
    6. After it is finished, restart your phone.


    Rooting your RC29 or lower phone:
    On RC29 phones and lower, anything you type into your keyboard is also being run in a hidden console with root permissions. More information regarding that at the bottom of this post. But, to get root access, do the following:

    Instructions:
    1. Download recovery.img or the new version by Amon recovery-RA-dream-v1.5.2.img and copy it to your SD card (see the previous instructions on how to copy from your computer to your Phone's SD card).
    2. Download the Hard SPL and copy the zip file to the SD card.
    3. All files must be on the root of your SD card.
    4. Restart your phone. Wait for your phone to start up fully and show the home screen.
    5. After your phone starts up, hit the enter key twice, type "telnetd" and press enter. (Yes, it will start up a contact search, don't worry. Just type it.)
    6. Download an Android "Telnet" application from the Market and connect to localhost.
    7. If you connect successfully, you will have a root prompt "#".
    8. Type the following into Telnet (these commands will give you root access easier in the future):
      • mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
      • cd sdcard
      • flash_image recovery recovery.img
      • cat recovery.img > /system/recovery.img
    Now you have root!

    What To Do Now That You Have Root
    Now that you have root, you will want to apply "Hard SPL" to your phone. HardSPL is what will allow you to apply flash images from other regions (like UK on US phones, and vice versa), create full backups of your phone, install the latest build from the Android source, and usually resurrect your phone if it is "bricked". You have already downloaded the file to your SD card, so now you can apply it.

    1. Power off your phone.
    2. Start up in recovery mode by holding home and pressing power.
    3. You will now enter recovery mode. You should see an exclamation.
    4. If you do not see a menu on screen, press Alt-L to show the menu.
    5. Press Alt-S to apply the update from the SD card.
    6. After the update is complete, hold Home and press Back to restart.

    And now, the last step! You are still running an old version of Android, but you want to upgrade to the latest and greatest update! You can do this, and not lose root by downloading modified versions of the updates.

    First, choose a modified image from the list below:

    ADP1.1: (md5: bacc58302e0b239d66c7bcc8db6c434b)
    http://jf.odiness.com/v1.41/JFv1.41_ADP1.1_BuildEnvironment.tar.gz
    http://android-dls.com/forum/index.php?f=24&t=241&rb_v=viewtopic
    http://andblogs.net/2009/01/jesusfrekes-14-images-are-out/

    RC33: (md5: f24b6c237775147cb4bc42efc2393973)
    http://jf.odiness.com/v1.41/JFv1.41_RC33_BuildEnvironment.tar.gz
    http://android-dls.com/forum/index.php?f=24&t=241&rb_v=viewtopic
    http://andblogs.net/2009/02/new-rc33-based-images-from-jesusfreke/

    RC8: (md5: de2d0d34adbb4015ee3aa5e4e7ca3c07)
    http://jf.odiness.com/v1.41/JFv1.41_RC8_BuildEnvironment.tar.gz
    http://android-dls.com/forum/index.php?f=24&t=241&rb_v=viewtopic
    http://andblogs.net/2009/01/jesusfrekes-14-images-are-out/


    1. Download the image.
    2. Rename it to update.zip.
    3. Copy it to your phone's SD card.
    4. Turn your phone off.
    5. Start up in recovery mode by holding Home and pressing Power.
    6. Press alt-W to wipe your device. (You need to do this, or the device may hang at the flashing Android screen)
    7. Press alt-S to apply the update.

    And that's it! Remember to check the links up top to learn how to use root to do the advanced things I mentioned.
    3
    Rooting, Hacking, and Flashing your G1/Dream

    Reserved for future posting
    1
    I have att, I cannot get to the home screen because I do not have a t-mobile data plan so my gmail gets rejected.

    Read this thread http://androidcommunity.com/forums/f41/how-to-use-your-g1-on-at-and-t-without-a-data-plan-8735/
    1
    try this: http://files.lucidrem.us/jf/ROOT/g1_root.txt

    i made some abbreviated directions that some people have found very useful

    So, I have a Dev Phone1, and stupidly let it apply an OTA update to 1.5. It appears that this (of course) didn't use the rooted version, so here I sit with a Dev phone that's not rooted on version 1.5. My question is does this procedure work with 1.5? My thoughts are to use this to downgrade it to a rooted version of RC33, then get JF's 1.5 build.

    Sound about right?
    1
    dream_devphone-userdebug 1.5 crb21 147201 test-keys



    can i root??????

    you are already 'rooted'
    you just need to read http://xdaforums.com/showthread.php?t=831139