Tutorial: T-Mobile G1 RC30 to JFv1.31 (How to Root a Retail G1)

Jan 2, 2009

*** NOTICE ***
IF YOU DON’T KNOW WHAT ROOT MEANS, OR YOU JUST WANT TO INSTALL “KEWL APPZ” THEN THIS TUTORIAL IS NOT FOR YOU.
DON’T COME CRYING TO ME (OR ANYONE ELSE) IF YOU BRICK YOUR PHONE!!
I CANNOT BE HELD RESPONSIBLE IN ANY WAY FOR ANY TYPE OF DAMAGE TO YOU OR YOUR PROPERTY IF YOU FOLLOW THESE INSTRUCTIONS, SINCE I AM JUST SUMMARIZING INFORMATION THAT IS FREELY AVAILABLE FROM OTHER SOURCES!
THERE ARE MANY WAYS THIS PROCESS COULD GO WRONG, SO YOU SHOULD NOT EVEN ATTEMPT IT IF YOU ARE NOT A SAVVY LINUX USER!!
THAT MEANS YOU SHOULD UNDERSTAND WHAT YOU ARE DOING, AND WHY, BEFORE YOU DO EACH STEP!!


  1. Get a G1 with RC30.  (If you are in the UK then I guess this would be RC8).  If you are lucky enough to have an earlier software version then you can skip to step #11.
  2. Mount your SD card in Windows and reformat it as FAT32.  The HTC bootloader won’t be able to see the RC29 (or RC7) image otherwise.  Make sure you back up all your files first!
  3. Download the appropriate image (RC29 for USA or RC7 for UK) from http://koushikdutta.blurryfox.com/G1/DREAIMG-RC29.zip or http://koushikdutta.blurryfox.com/G1/DREAIMG-RC7.zip .  This is a DOWNGRADE to the Android version that contains a root shell bug (this exploit just seems too easy).  I got these files from the forum thread http://forum.xda-developers.com/showthread.php?t=442480.
  4. Extract the DREAIMG.nbh file from the downloaded zip archive and copy it to your SD card (again, for me, this had to be formatted as FAT32, not just regular FAT which is the default).  Don’t put it in a folder, just stick it directly on there.
  5. Disconnect the SD card the right way (eject, unmount, or otherwise tell your OS you are unplugging it) to make sure the data gets written.  If you used an SD card reader, put the SD card back in your phone.
  6. Make sure your phone has a full battery, then turn it off.  Turn it back on by holding down the CAMERA and POWER buttons.  This should get you into the HTC bootloader (the funky red, green, and blue screen).
  7. If everything was done correctly, the bootloader will detect the image.  You’ll be taken to a different screen that asks you to press the POWER button to install the image.  Do this, but beware, you will lose all your saved data on your phone (with the exception of things that are synced with Google’s servers, like contacts, calendar, Gmail, etc.).
  8. Wait for the update to complete.  The progress bar will fill up, then all the steps will say OK beside them, and finally, it will ask you to press the “action key” (I think this means click the trackball).  DO NOT do anything until you see this message.  The progress bar needs to DISAPPEAR, not just fill up.
  9. You now have the stock RC29 installed.  Take out the battery, put it back in, and turn on your phone.  It should ask you to activate your Google account again – do this.
  10. If everything worked so far, your phone will look like you just got it with the default home screen.  Wait for it to sync your contacts if you like.  Also, you might want to go to Settings -> About Phone and verify that it says RC29 (or RC7) at the bottom.
  11. Go to Settings -> Applications and check the box for “Unknown Sources” to allow install of non-Market applications.  Some sites say to use adb on your computer for the following steps, but doing it this way will make it so you don’t have to download adb or the Android SDK.
  12. Open the Browser on your phone and point it at http://koushikdutta.blurryfox.com/G1/Telnet.apk .  Install this application after it downloads (the Android Telnet Client, more information at http://www.koushikdutta.com/2008/11/android-telnet-client.html).
  13. Back out to the home screen.  Type <Enter>telnetd<Enter>.  This should spawn telnetd as root (since someone left a root shell running with /dev/console as input… tsk tsk.)  You may need to do this after a fresh restart of your phone, but it worked fine for me.  This will open up a contact search – it doesn’t matter.  After you press <Enter> the second time, back out of the contacts screen.
  14. Open up the Telnet Client.  The default settings (localhost, port 23) are what you want.  Connect and you should see a black screen with a text entry box at the bottom.
  15. Type id<Enter>.  The phone should say something like uid=0(root) gid=0(root).  If it does – congratulations, you got a root shell!
  16. Now we need to remount /system as writeable, and create a root shell program.  Type in the following commands exactly as they are here, and press <Enter> after each one:
    mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
    dd if=/system/bin/sh of=/system/bin/su
    chmod 4755 /system/bin/su
  17. Now you can get a root shell any time you want.  This method is NOT SECURE and it will be fixed in the following steps.  Download “Terminal Emulator” from the Android Market.  Open it up and you should see a $ prompt.  Type su<Enter> and the prompt should change to a # sign, meaning that you are now root.  Back out of the terminal emulator – if that worked then you are set up for the next steps.
  18. Download http://jf.nyquil.org/AndroidMod.zip (more information at the forum thread http://forum.xda-developers.com/showthread.php?t=443041 ).  In this zip archive, there is a file called recovery_testkeys.img .  Mount your SD card on the computer again, and extract that file to the SD card.  Make sure you remove the USB cable after it’s done copying, or you won’t be able to get to the SD card from your phone.  Don’t forget to disconnect safely.
  19. Open up the Terminal Emulator that you downloaded from the market.  I used Terminal Emulator as much as possible because doing all this stuff over Telnet is kind of a pain.  Type the following commands exactly as they appear here, and press <Enter> after each one.  Wait for the # prompt to reappear after each command before continuing.  You should not see any error messages – if you did, something went wrong and you should stop.  If you restarted your phone since you created /system/bin/su, you will need to run “mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system” (as root) to give you write access to /system again.  Anyway, here are the commands:
    su
    cd /system
    cat /sdcard/recovery_testkeys.img > recovery.img
    flash_image recovery recovery.img
  20. [from JesusFreke - http://forum.xda-developers.com/showthread.php?t=443041 ] At this point, it’s probably a good idea to reboot the phone into recovery mode (turn it off, and hold HOME and POWER), and make sure it loads OK.  Once it boots into recovery mode, press alt+L, and the next to top line of text should say something like “using test keys.”  If it doesn’t, then you’re still using the original recovery image and you won’t be able to install the modded update.  If the recovery image is corrupt somehow, it will throw you back into SPL mode (the multi-color bootloader screen).  If that happens, just boot the phone normally, and reflash recovery image.
  21. Press HOME and BACK together to reboot the phone normally (or just take out the battery).  If everything worked so far, you can now install JesusFreke’s modified RC30 (or RC8) update that will let you keep root and close up those security holes like the mandatory root shell.  Get that update from http://jf.nyquil.org/v1.31/JFv1.31_RC30.zip (USA) or http://jf.nyquil.org/v1.31/JFv1.31_RC8.zip (UK).  You can also install the Android Dev Phone 1 image, but it is probably a little different and I haven’t tried it.  Read more about these updates at http://forum.xda-developers.com/showthread.php?t=466174.
  22. Take the zip file that you downloaded, and name it update.zip and put it in the root directory of the SD card.  Turn off your phone and boot it into recovery mode again (hold down HOME and POWER).  Press Alt+L and Alt+S to install the update.  You should probably have a fully charged battery before you do this step.  Again, read more about these updates and how to install them at http://forum.xda-developers.com/showthread.php?t=466174.
  23. Wait for the update to finish, then reboot!
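
Steps 16 and 17 leave a set-uid copy of sh at /system/bin/su, which is why step 17 calls the method NOT SECURE: any app that runs it becomes root. The script below is an added example, not part of the original post; it audits a directory for set-uid files whose contents match the shell, so a renamed copy is still found. The fixture directory and every file name in it except sh and su are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): detect the artifact left by
# step 16, a set-uid copy of the shell that hands root to any caller.

# Print every regular file under DIR that has the set-uid bit set AND is
# byte-identical to SHELL_BIN. Renaming the copy does not hide it.
find_setuid_shell_copies() {
    dir=$1; shell_bin=$2
    [ -d "$dir" ] && [ -f "$shell_bin" ] || return 2
    # -perm -4000 selects set-uid files; "-exec cmp -s" works as a filter,
    # so -print only runs when the contents are identical.
    find "$dir" -type f -perm -4000 -exec cmp -s "$shell_bin" {} \; -print | sort
}

# Print set-uid files under DIR that are NOT shell copies, for manual review.
find_other_setuid() {
    dir=$1; shell_bin=$2
    [ -d "$dir" ] && [ -f "$shell_bin" ] || return 2
    find "$dir" -type f -perm -4000 ! -exec cmp -s "$shell_bin" {} \; -print | sort
}

# Constructed fixture standing in for /system/bin (hypothetical contents).
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin"
    printf 'fake shell binary\n' > "$root/bin/sh"
    chmod 755 "$root/bin/sh"
    cp "$root/bin/sh" "$root/bin/su"
    chmod 4755 "$root/bin/su"            # what step 16 creates
    cp "$root/bin/sh" "$root/bin/toolbox2"
    chmod 4755 "$root/bin/toolbox2"      # same thing under another name
    printf 'unrelated helper\n' > "$root/bin/ping"
    chmod 4755 "$root/bin/ping"          # set-uid, but not a shell copy
    cp "$root/bin/sh" "$root/bin/sh.bak" # identical but not set-uid: ignored
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
echo "set-uid shell copies:"
find_setuid_shell_copies "$demo/bin" "$demo/bin/sh"
echo "other set-uid files (review by hand):"
find_other_setuid "$demo/bin" "$demo/bin/sh"
rm -rf "$demo"
```

On a phone that has finished step 22, running the first function against /system/bin with /system/bin/sh as the reference is a quick way to confirm the step 16 copy is gone.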

Whew!  Maybe I should have just gotten an iPhone – I hear they are a lot easier to crack!

Congratulations!  If everything worked, you now have a rooted RC30 phone.  All your applications and settings will be gone, but for me, a list of things I installed showed up in the Market under My Downloads after a minute, so I just went through and reinstalled everything I wanted.

Also, the modded RC30 has a cool Superuser Whitelist application, which alerts you whenever a program tries to gain root access on your phone.  You can now do things like take screenshots (with Koushik Dutta’s “Screenshot” application), install Debian per Jay “Saurik” Freeman’s instructions, and maybe even write your own C/C++ programs for Android!

I hope I didn’t forget anything.  Thanks to JesusFreke, Koushik Dutta, Saurik, and any others for all your hard work!  I know this information is all available elsewhere but I thought it would be helpful to write everything up in one place with all the necessary details.

-James Nylen

Update: JesusFreke released v1.31 fixing a few minor things.

Posted by admin | Categories: Hacks

24 Responses so far | Have Your Say!

  1. dfwgreg
    January 4th, 2009 at 2:33 am #

    Awesome writeup! Thanks to everyone who researched, documented, then summarized so well. After reading numerous posts and boards, this sequence did everything I needed in around 45 minutes (I typed slow and did a lot of double checking).
    So cool to see the # # come up. I mainly wanted to tether again (like I could on Sprint) – so hopefully that will go as smoothly.

  2. blahzay_blah
    January 4th, 2009 at 4:32 am #

    cool stuff mustve took a long time but u r da man and so r all the other contributors

  3. Selcuk AKA XDVIPER
    January 5th, 2009 at 2:01 am #

    Thank you so much for all your work and everyone’s and the guys over at XDA. I’ve just finished rooting it, and now it’s updating to RC30 as we speak. Thank you guys,,, WOWW IM FREE AGAIN!

  4. Josh A
    January 7th, 2009 at 10:43 pm #

    Can you delete the files off of the sd card after the complete upgrade?

  5. Charlie
    January 10th, 2009 at 6:21 am #

    WOW THNX A LOT!!!!!

  6. david
    January 11th, 2009 at 1:01 am #

    THANK YOU! THANK YOU! THANK YOU!

    Root and a bunch of “cool” items I did not have before…..

    Now if I could get WinSCP/Putty to work I would be so happy…other than being able to connect to my N810 that is…….

  7. isaac
    January 12th, 2009 at 6:08 pm #

    hi, at step 20 when shutdown and reboot with home/power key my phone turns on but does not get past the tmobile G1 screen

  8. sayed
    January 15th, 2009 at 3:42 am #

    Hey thanks for all the help but I am having trouble in one part and I dont know how crucial it is. When I press home and Power button at the same time, i get a screen where it shows a Triangle with an Exclamation point inside and a phone underneath. should i be worried and what did i do wrong?

  9. Ray
    January 15th, 2009 at 8:51 pm #

    Has anyone figured out how to tether?

  10. Ray
    January 15th, 2009 at 8:52 pm #

    By the way the instructions were very helpful, and I am far from an expert, so thank you very much!

  11. almondmendoza
    January 18th, 2009 at 10:27 am #

    thanks a lot, btw i have to change
    mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
    to
    mount -r -w -o remount -t yaffs2 /dev/block/mtdblock3 /system to make it work while i was doing this.

  12. Installing the original Dev Phone Image on Android : Almond Mendoza
    January 18th, 2009 at 11:07 am #

    [...] i had download, i had to fall back to the original or modified images, first i installed JFv1.31, installing back from rc29, and the problem i have is that i cannot synchronize my contacts thus i don’t know the [...]

  13. Chris
    January 18th, 2009 at 4:53 pm #

    great.. everything works, but I was confused on when I was to delete the unwanted apps like amazon.

  14. manuel
    January 19th, 2009 at 1:27 am #

    hey im having a lil bit of trouble here . maybe im just not doing it right but when you have to type in ” dd if=/system/bin/sh of=/system/bin/su ” and ” chmod 4755 /system/bin/su ” it seems to not work and i get a weird message saying can read but not write or some thing and the other says some thing else like i typed it in wrong but i even copy and pasted it so i would make sure it was correct , i followed the video on this 100% and im still having this problem can some one please help

  15. Someone
    January 19th, 2009 at 12:00 pm #

    sayed,
    You didn’t do anything wrong, that’s how the recovery bootloader looks. You then need to continue to follow the directions and hit “alt + L” which will show the text. Don’t worry if it says it can’t mount something, just continue with the directions to load the update.zip and you’ll be just fine.

  16. Acid
    January 19th, 2009 at 2:46 pm #

    I did everything as listed and. when I go to update it says file not found so I’m stuck with rc29 but its OK T-Mobile is sending me a new phone

  17. Terry Highfield
    January 21st, 2009 at 5:46 am #

    Hey thanks for all the help but I am having trouble in one part and I dont know how crucial it is. When I press home and Power button at the same time, i get a screen where it shows a Triangle with an Exclamation point inside and a phone underneath. should i be worried and what did i do wrong?

    This is to be expected – press alt-L together as the article states.

    Side: Thanks for this article James it was very helpful. Every step was very clearly written. I now have root access without experiencing any problems.

    I recommend to anyone that has root access to download the task manager from the market place. It is very useful for closing unnecessary background apps.

  18. paxku
    January 21st, 2009 at 7:31 am #

    Hi!

    I followed your instructions and I succesfully installed the ADP1 version of JFv1.31.
    I just had to wipe all the data (alt+w in the recovery screen).

    Thanks a lot

  19. Jhony
    January 21st, 2009 at 3:31 pm #

    woowww!!! easiest instruction here!!!! 10+

  20. Carlos
    February 26th, 2009 at 3:32 pm #

    Awwwesome. Thanks for doin a great job.

  21. voxluna
    March 27th, 2009 at 12:45 am #

    FYI: I got stuck at step 12, and couldn’t get the Telnet app to install from Koushik’s site… I eventually got around this by downloading it from the Market.

    I think I now know the reason: according to this post at Luke Hutchison’s blog, “[B]ecause the .apk file is very small, if installing directly on the phone you must download the .apk over wifi, not over 3G, because a bug in the browser causes the file to get truncated a couple of kb short. The app installer in that case will say that it wants to replace “Android System”. Some info is here.”

    Although he is referring to another app, this is exactly what happened to me with Telnet, and I suspect it’s the same problem. I thought I’d add this to the comments to help the next person who comes across it, or perhaps have it in the otherwise excellent instructions. I finally jailbroke my phone tonight using this.

  22. TheZeroYear
    April 2nd, 2009 at 12:03 pm #

    Hey, you can download mybackup if you want to restore your settings and everything.

    Thanks for the guide using telnet! far better than modmyg’s guide(s)

  23. chip0wa
    April 14th, 2009 at 2:33 am #

    Great instructions. Some links are dead, but between this and xda forums these instructions worked.

  24. Jonathan (JohnSparta)
    May 17th, 2009 at 12:50 am #

    wow man thanks a lot, i thought that was the end of my G1 thank u bro very useful info
