Just found this on the Sprint community.
download the attached asroot2.zip and unzip it (can't upload something with no extension. Plus, I didn't want to risk binary data getting corrupt somehow.
adb push asroot2 /data/local/
adb shell chmod 0755 /data/local/asroot2
$ /data/local/asroot2 /system/bin/sh
[+] Using newer pipe_inode_info layout
SUCCESS: Enjoy the shell.
Edit: I was able to remount /system as rw, and chmod it 777 and then use adb push to push a dummy file to /system!!!
I remember reading someplace about changing the owner of shell? or something so that it always runs as root? I know there's a simple step missing her to give everything root access to the phone... anybody know off the top of their head?
Edit: here's how to get SU to run!!!
while you're root (after doing the above) do this:
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
cat sh > su
chmod 4755 su
Now... you can exit out of the shell, adb shell again... you're regular user. su and you're root!
So... should we chmod 4755 sh and then we're always root? What about setting adbd to run as root?