How to get root access on the T-Mobile G1



  1. Turn on your phone's WiFi. This gives your phone an IP you can reach it at freely.
  2. Get to a command prompt on your device by using the PTerminal application from the Android Market. (adb shell does not seem to work with these instructions; telnetd does not start up.)
  3. cd system
  4. cd bin
  5. telnetd
  6. netstat (get your phone's IP)
  7. telnet into your phone from your computer

You now have root! I verified this by remounting the /system partition as read/write and changing files around:

mount -oremount,rw /dev/block/mtdblock3 /system

That remounts the /system directory as read/write instead of read only. This can only be done as root.
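
Seen from the defender's side, both conditions described above leave traces in /proc: a listener on the telnet port owned by uid 0, and /system mounted rw. The check below is an added example, not code from the original post; it parses text in the /proc/mounts and /proc/net/tcp formats, and the sample inputs and function names are constructed for illustration.

```python
# Added example. SAMPLE_* are constructed inputs in the /proc/mounts and
# /proc/net/tcp formats, not captures from a real G1.
SAMPLE_MOUNTS = """\
rootfs / rootfs ro 0 0
/dev/block/mtdblock3 /system yaffs2 rw 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1235
"""
TCP_LISTEN = 0x0A   # "st" value for a listening socket
TELNET_PORT = 23

def mount_options(mounts_text, mount_point="/system"):
    """Options of the last entry for mount_point, or None if not mounted."""
    options = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            options = fields[3].split(",")
    return options

def listeners(tcp_text, port=TELNET_PORT):
    """UIDs owning sockets in LISTEN state on the given local port."""
    uids = []
    for line in tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue  # header or malformed line
        port_hex = fields[1].rpartition(":")[2]  # port is hex after the colon
        if int(fields[3], 16) == TCP_LISTEN and int(port_hex, 16) == port:
            uids.append(int(fields[7]))
    return uids

def triage(mounts_text, tcp_text):
    """Human-readable findings for a rw /system and a telnet listener."""
    findings = []
    options = mount_options(mounts_text)
    if options is not None and "rw" in options:
        findings.append("/system is mounted read-write")
    for uid in listeners(tcp_text):
        owner = "root" if uid == 0 else "uid %d" % uid
        findings.append("port 23 listener owned by " + owner)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_MOUNTS, SAMPLE_TCP):
        print(finding)
```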


As I suspected, changes to the /system directory cannot be reverted by a hard reset; the /system directory is actually a YAFFS2 file system (system.img) that is supposed to be read only, and thus is not part of the recovery image. Don't play with it unless you know what you are doing. I moved some files around in /system and broke my Browser, so I performed a hard reset, but the Browser was still broken after a hard reset. Luckily I had tracked my changes and was able to revert what I had done manually.


  • Incidentally, in the /system/bin directory there is a flash_image executable that changes the recovery.img used when you hard reset the device. I've noticed that I can run this without root access from a standard adb shell. Maybe we never needed to root the device after all... I think we can flash it without root access... I'm too scared to mess with that beyond that (I don't want to brick my phone!).
  • There is no cp command, so you must use the dd command. To get a file from your computer to your phone, copy it to the SD card, and then use the root shell to copy it from the SD card to wherever you need.
  • I've noticed that you must start up telnetd very quickly upon starting pterminal. If you wait too long, telnetd will not stay resident; it exits immediately. It looks as if there is some timing and security-related issue here. I've also written a quick telnet client so I can telnet into root on my phone, from my phone. This works fine. However, I have not been able to successfully launch telnetd from my own application (using Runtime.exec). I'm not sure what pTerminal is doing differently here.
  • Kudos to SplasPood of Xda-developers for noticing this exploit.


Jim said...

See for an explanation of why this works.

Koush said...

Oh my... I restarted my phone and immediately typed in telnetd and pressed enter... then I started up pTerminal and ran ps to check the process list. And there it was...

Anonymous said...

Have you or do you know if it is possible to do serial port communication with the Gphone? I have some sensors that send data via Bluetooth and I would like to have the Gphone get that data. I have not been able to find out what Bluetooth Serial Port Profile the phone has, or if there are other ways I can send data to the phone.

Anonymous said...

To copy telnetd for future access... start junkd in rc30

cat telnetd > junkd
chmod 755 junkd

Anonymous said...

Did this method with junkd really work?
I've tried something similar:
cat telnetd > roottelnetd
chmod 755 roottelnetd

Before the update to rc30 roottelnetd worked perfectly, but then the upgrade changed the user of telnetd and roottelnetd from shell:shell to root:shell. Now (in rc30) I can't start either program from the terminal emulator.


Koush said...

No, RC30 closed the keyboard console shell hole.
It also removes the root setuid from all executables on the phone.

To keep root, you need a custom build of RC 30.

Julie said...

Any possibility I can get you to help me with rooting my G1? I can't seem to flash the recovery using the wiki info on the CM wiki site. I have firmware version 1.0 and stock radio and SPL.

Thx for your time in advance~