6 September 2010 Update

This page continues to be very popular among readers. The techniques described below rely upon a kernel bug that has long since been patched, but if you are able to downgrade your phone to an earlier version this process remains a very easy way to root your phone.

Amazon Wireless has some great deals on newer android phones (A Samsung Vibrant for as low as $39 is a pretty good deal – that phone hauls butt) – and they are all easily rootable too (well, not quite one-click easy, but still pretty easy). Just about any of the newer phones shipping with 2.1 or 2.2 will blow the doors off of the older phones that can be downgraded to work with this one-click root bug, so I would recommend checking them out at least to see what you can get for cheap these days. If any people actually buy phones from clicking that link, I’ll be motivated to write some more easy-to-follow instructions on how to root the newer phones on the market and possibly even work with Zinx on some more easy-to-use rooting tools.

Now, that being said – while you wait for your new phone to ship, there’s no harm in squeezing a bit more life out of an old phone or one that you just inherited from someone else upgrading to the latest and greatest… and for that – you can read on and use the techniques documented here.

As is customary with these kind of posts, some disclaimers:

  1. This could be dangerous.
  2. This should only be used if you know what you are doing.
  3. Although the exploit itself worked on every Android phone shipping at the time this was written (see the 2010 update above), this specific APK is easiest to use on phones that are compatible with cyanogen’s 1.4 recovery image for the HTC Dream/Magic (32B). There are instructions posted below for downloading a recovery.img that works for other phones to your SD card, and for using this APK to root those phones as well. It’s just not one-click; it’s more like some typing and one click, so it might take you 30 seconds longer.

Now, some credit:

  1. Zinx did all the work on this


UPDATE: The “Recovery Flasher” is no longer in the market. This is entirely understandable and we as a community have no real right to be upset about this (their market, their rules – and after inspecting it they determined that the app violates them). So… Consider yourself lucky if you were one of the several thousand people who got it before it was taken down – and if not… there are plenty of mirrors to get it from posted here. (Android by design allows you to install applications from a variety of locations – you aren’t locked down to just one provider like on some fruity phones). So please don’t have a knee-jerk reaction and get mad at Google for this – they are still very much hacker-friendly (just search the market for applications that only work on rooted phones and you’ll realize that they are pretty laissez-faire in the market).

Flashing your recovery image:

Although the exploit itself can be used to execute anything as root, the prepackaged APK is designed to flash your recovery partition with an updated recovery image: one that allows installing modified updates signed with the publicly available Android test key instead of only the manufacturer’s key. The reason for this is pretty simple: it’s the easiest way to let you install a modified system image. It also lets you use nandroid to back up (and restore) your entire phone to your SD card, and basically gives you what you need to be one of the cool kids and install custom Android ROMs at will.

Install the APK


The application was originally uploaded to the Market, which was the fastest place to get it from. As noted in the update above, it has since been removed, so you will need to sideload it.

In your settings, under Applications, enable “Unknown sources” (necessary since the APK isn’t available in the Market). Then, from the browser on your phone, download the “recovery flasher 0.1 APK” from here: http://g1files.webs.com/Zinx/flashrec-20090815.apk or from one of the mirrors listed under “Mirrors” below. Install it and open it up.

The app presents a handful of buttons. From here:

  1. click on “backup recovery image”
  2. click on “Flash Cyanogen Recovery 1.4”

(in mine there is the option to restore my previous one since I already backed that thing up)

Test that it worked

Power your phone down. Reboot into “recovery mode”. On all phones I’m aware of, you do this by holding down “Home” and “Power” when turning it on. You should see cyanogen’s recovery menu, the screen with the “nandroid backup”, “wipe data” and “apply any zip from sd” options.

From here, you can install any of the custom ROMs using the instructions below. I highly recommend you use the “nandroid backup” button at this point.

IF YOUR RECOVERY MODE SCREEN DOES NOT SHOW THOSE OPTIONS, DO NOT PROCEED – reboot and apply again.

Known issues:

  • EVERY TIME YOU REBOOT YOUR PHONE INTO NORMAL ANDROID IT UNDOES WHAT YOU JUST DID. Every time Android boots, it reflashes the recovery partition with the default one from a file stored in your phone. For safety reasons, we are not replacing this file, just flashing the partition directly. So if you boot to recovery mode, then boot back into your normal mode, and then boot back into recovery mode, you will see a triangle with an exclamation point and only 3 options. DO NOT WIPE YOUR DATA IF YOU ONLY SEE 3 OPTIONS AND AN EXCLAMATION POINT. If you only see three options, reboot your phone into normal Android mode and re-run the “Recovery Flasher” application, and THEN boot into recovery mode and you will see all the options.
  • If your phone doesn’t work with cyanogen 1.4’s image (which I believe is the case for 32A HTC Sapphires [Rogers HTC Magic, etc.]) you should not use this as-is; see my instructions for those phones at the bottom. If recovery fails to boot, you should be able to pull the battery, reboot into the normal phone, open the recovery flasher app again and “restore” your backed-up recovery.img, but no promises. This is all done at your own risk.
  • The exploit used in this hack, CVE-2009-2692, is already patched. It is a NULL pointer dereference in the kernel’s sock_sendpage(); the public exploits turn it into local root by mapping page zero and placing their payload there, which the phones this was written for allowed (a kernel that enforces a non-zero vm.mmap_min_addr turns the same bug into a crash instead of root). The fix landed upstream in mid-August 2009, so it is likely that an update will be pushed out from T-Mobile VERY quickly to help prevent malicious people from using this same exploit.
  • Apologies in advance to anyone who has to work quickly and work hard to patch this exploit in the wild. (Although it should be noted that if you just shipped phones that weren’t neutered in the first place, it would save us all a lot of work and help us all be on the same team… but that’s a topic for another post.)

Original links:

If my blog goes down, these links are the original source for the files:
http://zenthought.org/content/project/flashrec

Mirrors:
http://g1files.webs.com/Zinx/android-root-20090816.tar.gz
http://g1files.webs.com/Zinx/flashrec-20090815.apk
http://g1files.webs.com/Zinx/flashrec-20090815.tar.gz


Update: More detailed instructions

I have personally used this apk on a T-mobile US G1 running stock CRC1, and a T-mobile myTouch 3g running stock software. Both of them worked flawlessly and were done in matter of seconds. I’ve seen a few threads with people making accusations that this is a trojan or that it doesn’t work… etc.

Regarding the possible ‘trojan’ nature

It’s wise to be skeptical. That’s why the source code has been provided since this post was first published. If you want to be skeptical, that’s fine: download the source, inspect it, build it yourself, and apply it. You would be wise to rely on a brave friend to test it out and verify that it works, but I would hold off on applying any security updates that come down the pipe if you want to use this method to get on the modified-image train (I’m almost positive the next update will close this hole).

By now there should be enough evidence to support the fact that this is not a malicious app – but you always have the right to remain skeptical

What you get when you are done

When you are done, you just have the tools to flash modified builds. Because it will run on both HTC 32B Sapphires (T-mobile myTouch 3g, Google Ion, etc) and HTC Dreams (G1, ADP1, etc) I recommend using Cyanogen version 3.9.11.2 – which is an experimental build which has some cool donut features like device-wide searching (which is really really cool to use)

Once you get to the recovery console, first backup your phone using nandroid backup. This will help you in case you flash an image that for some reason doesn’t work – at least you can restore to what you have now. (boot back into recovery, and choose “restore from backup”)

To prepare for rooting, download this file: http://n0rp.chemlab.org/android/experimental/update-cm-3.9.11.2-signed.zip and put it on your sdcard at the root level (i.e. the very top of the sdcard – so if you are in a GUI desktop – just drag the zip file and drop it onto the icon of the sdcard and it will be at the root level)

BEFORE booting into recovery mode

  • Have a modified ROM of your choice ready to load (e.g. update-cm-3.9.11.2-signed.zip) on your SD card
  • Be prepared for the awesomeness you are about to unleash
  • Actually flash the recovery image using the recovery flasher apk and following the above instructions

To Boot into recovery mode

  1. Power down phone
  2. Hold down “Home” and “Power” simultaneously for a few seconds (you can release them once it turns on)
  3. Verify that the image matches my screenshot above

When you reboot into recovery mode:

  1. backup your phone by hitting “nandroid backup”
  2. Wipe your data by choosing “wipe data” (and press the Home button to confirm). DO NOT wipe your data unless you have made a nandroid backup and already have the update zip on your SD card ready to apply!
  3. Update to cyanogen by saying “apply any zip from sd” – scroll to that update-cm-3.9.11.2-signed.zip and hit ok, press home button to confirm
  4. Reboot phone.
  5. be patient – rebooting after reflashing takes longer than a normal reboot.

Special note for Sapphire 32A users.

If you have a 32A sapphire, you can STILL use this app – but you have to download a different recovery image for your phone and put it on your sdcard first.

  1. Download the 32A version of the recovery.img from here or here
  2. Copy that recovery img to your sdcard at the root level and call it “recovery.img”
  3. Open the “recovery flasher” app and backup your recovery.img
  4. In the text field type in “/sdcard/recovery.img”
  5. Hit “flash recovery”

Now you should be able to boot into the recovery mode. From there, you need to install a 32A version of a modified image, such as the ones in this thread on XDA-forums.
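The manual equivalent of steps 3 to 5 above, for a terminal emulator or adb shell session on a phone where the app has already given you root, as an added example (not Zinx’s code and not part of the original post). It assumes a busybox-style md5sum and the flash_image binary on the phone, that whoever published the recovery image also published its md5, and that the stock ROM keeps the copy it re-flashes on every boot (see “Known issues”) at /system/recovery.img; that path is an assumption. It adds the checks a careful flasher wants before anything is written: the image is present, fits the recovery partition, and matches its published hash. A wrong or truncated image is the usual reason a recovery “doesn’t boot”.

```shell
#!/bin/sh
# Added example: verify a recovery.img on the SD card before handing it to
# flash_image, and warn when the stock ROM will undo the flash on next boot.
# Assumptions (not from the original post): busybox md5sum, flash_image in
# PATH, and /system/recovery.img as the stock ROM's boot-time recovery copy.

# verify_recovery_img IMG EXPECTED_MD5 MAX_BYTES
# Returns 0 if IMG exists, is non-empty, fits the partition and matches the
# md5 published with the image; 1 otherwise (reason on stderr).
verify_recovery_img() {
    img=$1
    expected=$2
    max_bytes=$3

    if [ ! -s "$img" ]; then
        echo "verify: $img is missing or empty" >&2
        return 1
    fi

    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -gt "$max_bytes" ]; then
        echo "verify: $img is $size bytes, larger than the $max_bytes byte partition" >&2
        return 1
    fi

    actual=$(md5sum "$img" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify: md5 mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# stock_reflash_present [PATH]
# Returns 0 if the stock ROM still carries the file it re-flashes the
# recovery partition from on every normal boot (so the custom recovery only
# survives until the next normal boot), 1 if it is absent.
stock_reflash_present() {
    [ -f "${1:-/system/recovery.img}" ]
}

# flash_recovery IMG EXPECTED_MD5 MAX_BYTES
# Verifies, then flashes with flash_image (the command the comments below
# use by hand). Writes nothing unless verification passes.
flash_recovery() {
    verify_recovery_img "$1" "$2" "$3" || return 1
    if ! command -v flash_image >/dev/null 2>&1; then
        echo "flash: flash_image not found; run this on the phone" >&2
        return 1
    fi
    flash_image recovery "$1" || return 1
    if stock_reflash_present; then
        echo "flash: ok, but /system/recovery.img is present: boot straight into recovery (Home + Power); a normal boot will restore the stock recovery" >&2
    fi
    return 0
}
```

On the phone you would call flash_recovery /sdcard/recovery.img followed by the published md5 and the partition size in bytes, taking the size from the “recovery” line of /proc/mtd (it is printed in hex). The verify step is also worth running on its own against a file that failed to flash, since a download that was cut short is the most common cause.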

Special note for Hero users (and possibly others)

If you have a currently-shipping HTC Hero, you should try the “H” version of Amon_RA’s recovery image and use that the same as the sapphire 32A (see above for instructions – i.e. put the recovery.img on your sdcard)

If you have a phone other than the ones I’ve tested personally, you should try a few of the different recovery.img’s before giving up. As long as your phone has a modified recovery image available for it (and afaik all of them do), you should be able to use this method.

If you have some magical device that nobody else has hacked yet – get in touch with me and we can work on cooking up a custom recovery.img for your device and you can have the pleasure of being the first person in the world with a hacked whatever-it-is-you-have phone.

Troubleshooting Common Issues / FAQ:

  • When I try to run it, it says “Backup Failed” – it is possible that your SD Card is full, or that it is corrupted. The backup isn’t a crucial step – since we don’t replace the phone’s built-in backup, and if you want to bypass the backup step you can click on an invisible button directly to the right of the “backup” button which will skip this step. To be safe, you should try it again with a different SD card or after freeing some space on your SD card. (it’s not a lot of space that is required, only a few megs at the most)
  • When I reboot into recovery, I don’t see the options – I just see 3 options and an exclamation point. What most likely happened is you rebooted your phone into normal Android mode at some point after flashing it initially, and Android reflashed your recovery partition with the built-in backup that it has (it does this every time you boot). DO NOT WIPE YOUR DATA at this point (if you do, you will have to reprovision your phone and redownload the “Recovery Flasher” program – which isn’t a huge deal, but it will take you more time than you need to spend). You need to reboot into normal Android mode and rerun the “Recovery Flasher” program – this time you only need to click on “Flash Cyanogen Recovery 1.4” since you have already made a backup. After you do that, reboot into recovery mode (hold Power + Home when turning the phone on) and you will see all the options again.
  • My Recovery mode doesn’t boot! Ah! (To be fair, this actually hasn’t happened yet – but I figured I’d post a response to it in case someone has this issue, to save you some heartache.) First thing to do is pull the battery and put it back in. Hold Home + Power again and try it a second time… just to be sure. If after a few tries it still doesn’t work, you may have a 32A based Sapphire. Boot your phone up normally and it will be fine and dandy like it was before (we don’t do anything to your normal Android OS – just the recovery mode). You need to follow the instructions above (download the appropriate recovery.img to your sdcard and enter the path in the text box – then hit flash image… etc). Post in the comments which recovery img you end up using when you get it to work, to let others know. No permanent damage is done.
  • When I boot, all I see is an android and it sits there FOREVER. If it takes more than 10 minutes to reboot, you almost certainly forgot a key step: WIPING. Pull the battery out, and put it back in. Hold down “Home” and “Power” to reboot into recovery mode, then select “wipe data/factory restore” and THEN apply your update.zip – this will almost certainly fix your problem.
  • What about warranty service? If you want to restore your phone to exactly the state it was in before you flashed on a modified image, use the nandroid restore function in the modified recovery image. You can test this out pretty easily to confirm it works by booting into recovery mode, running “nandroid restore” and then booting back into your normal Android OS – it should be unrooted and running stock software. (Of course, it should be obvious that in order to get BACK to the rooted version you’ll have to re-do everything you did… i.e. open the app, flash the backup, reboot into recovery mode and flash the custom ROM update.) If by some chance your nandroid backup ever becomes corrupt, you can reflash the original software if you get hold of an official update.zip for your device and apply it (it will have to be re-signed with the public test keys first, since the modified recovery only accepts updates signed with those; if you go to any of the popular Android hacking forums someone will be able to easily help you do this). If the phone has an NBH released for it, that will always restore it back to factory settings.
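Recovery’s “apply any zip from sd” only accepts an update that carries a whole-file signature it can verify with its built-in key, which for the modified recovery is the public test key; that is why the FAQ says a stock update.zip has to be re-signed first. The shell below is an added example, not the post’s or Zinx’s code: it parses the signature footer Android’s recovery reads from the end of the zip (the last six bytes of the archive comment: the signature’s offset from the end of the file, 0xFF 0xFF, and the comment length, each 2 bytes little-endian), reports how much of the file the signature covers, and wraps the re-signing command. The signapk.jar, testkey.x509.pem and testkey.pk8 paths are assumptions; in an AOSP tree they come from build/tools/signapk and build/target/product/security.

```shell
#!/bin/sh
# Added example: inspect the whole-file signature footer that the modified
# recovery checks on an update.zip, and re-sign an update with the AOSP
# test keys. Tool and key paths are assumptions, not from the original post.

# ota_signature_footer ZIP
# Reads the last 6 bytes of ZIP. For a whole-file-signed update they are:
#   sig_start (2 bytes LE)  0xFF 0xFF  comment_size (2 bytes LE)
# sig_start is how far from the end of the file the PKCS#7 signature block
# begins; comment_size is the length of the zip archive comment that holds
# it. Prints "sig_start comment_size" and returns 0 on a well-formed footer,
# 1 otherwise (including for an ordinary, unsigned zip).
ota_signature_footer() {
    zip=$1
    [ -s "$zip" ] || return 1
    size=$(wc -c < "$zip" | tr -d ' ')
    [ "$size" -ge 28 ] || return 1          # 22-byte EOCD + 6-byte footer

    set -- $(tail -c 6 "$zip" | od -An -tu1)
    [ $# -eq 6 ] || return 1
    [ "$3" -eq 255 ] && [ "$4" -eq 255 ] || return 1

    sig_start=$(( $1 + $2 * 256 ))
    comment_size=$(( $5 + $6 * 256 ))
    # The signature block sits inside the comment and ends just before the
    # footer, so it must be longer than the footer and no longer than the
    # comment that contains it.
    [ "$sig_start" -gt 6 ] && [ "$sig_start" -le "$comment_size" ] || return 1

    echo "$sig_start $comment_size"
    return 0
}

# ota_signed_length ZIP
# The signature covers everything except the 2-byte comment-length field
# and the comment itself (which is where the signature lives). Prints that
# length in bytes.
ota_signed_length() {
    footer=$(ota_signature_footer "$1") || return 1
    comment_size=${footer#* }
    size=$(wc -c < "$1" | tr -d ' ')
    echo $(( size - comment_size - 2 ))
}

# resign_with_testkeys IN.zip OUT.zip
# Re-signs IN.zip so a test-key recovery accepts it. -w adds the whole-file
# signature described above on top of the per-file signatures in META-INF.
# Override the tool and key locations with SIGNAPK, TESTKEY_CERT, TESTKEY_PK8.
resign_with_testkeys() {
    signapk=${SIGNAPK:-signapk.jar}
    cert=${TESTKEY_CERT:-testkey.x509.pem}
    key=${TESTKEY_PK8:-testkey.pk8}
    for f in "$signapk" "$cert" "$key"; do
        [ -f "$f" ] || { echo "resign: missing $f" >&2; return 1; }
    done
    java -jar "$signapk" -w "$cert" "$key" "$1" "$2"
}
```

Run it on your PC: ota_signature_footer update.zip prints the two footer values for a signed update and returns 1 for a plain zip, and resign_with_testkeys stock-update.zip update-signed.zip produces a file a test-key recovery will apply. Re-signing with the test key says nothing about where the zip came from; it only satisfies the recovery’s check, so only re-sign images you already trust.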

Once you have rooted:

A class 6 micro SDHC card is a very fast memory card – much faster than the one that comes in the phone. When you get one of these, you can make use of various apps2sd tutorials. (Cyanogen will automatically use the sd card for your apps if you set up a partition on it – pretty nice)

Portions of this page are modifications based on work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.

274 Comments to “Android Rooting in 1-click (limited time only… until it gets patched)”

  1. Big-O says:

    @ Mark
    Check out the advice I left for Armando

    @ Craig
    I’ve heard it can be done, but I tried and failed, I got an error message and had to Re-Boot and try something else. But again, I take no responsibility; I’m a former noob who happens to have a lot of time on my hands recently, my job/company went out of business (so I’ve spent days cramming info, and trying to learn Android while looking for work online… lol)

    @ Kirk
    Once you use the recovery flasher APK, the recovery image it flashes should still be there so I doubt you’ll need to use it again, but on the off chance you go to recovery and you don’t see the custom recovery image, just reboot, run the app again to flash the recovery image and then when u go back to recovery it should be back.

    @ Dennis
    You might need an app called “Better Terminal”; it’s in the market. And as for the Anti Theft Droid app FC, it sounds like an app issue, not so much a rom issue; try uninstalling and then reinstalling the app. I’m also running Cyanogen 4.0.4, and luv it (I’m eagerly awaiting 4.2)

  2. James says:

    I have tried all the custom Recovery images on my T-Mobile G2 branded hero, and nothing seems to work.

    It will not boot into recovery mode at all. No matter what I try, it just seems to freeze at the G2 splash screen.

    Any ideas?

    Cheers.

  3. Big-O says:

    @ James
    I might have an idea or two on how to fix, but first…
    What radio do you have?
    What SPL do you have?
    Did you do the radio before the SPL (if you changed it)?
    You mentioned it’s your G2 branded hero; do you have a G2 that you flashed Hero on? or do you have an actual Hero phone?
    Did this happen when you flashed Hero? or did you have Hero running and then chose to flash something else, and then got stuck?
    Last, did you wipe before every flash?

    The more details the better, and the faster you post back, the faster I can help..

    Good Luck…

  4. Big-O says:

    I need some help, can anyone tell me what this means:

    mtd: read all-zero block at 0x00000000;
    skipping
    #

    I was trying to flash the Amon Ra recovery image using this script:
    flash_image(space)recovery(space)/sdcard/recovery-rav1.2.1g.img
    The first time I did it, it gave me a long line of script; I closed out and tried again, which is when I got:

    mtd: read all-zero block at 0x00000000;
    skipping
    #

  5. James says:

    @Big-o thanks for the help!

    It is a stock t-mobile branded G2 fresh from the store with the t-mobile G2 standard ROM on it. It has never been flashed successfully.

    The ONLY thing that has been done is to try using Recovery Flasher, i followed the instructions on this site to backup and then flash the recovery image. When rebooting the handset it freezes at the t-mob “G2 Touch” splash screen. I have also tried the Sapphire 32A recovery image and the one recommended for the Hero all no go.

    ok, so baseband is 63.18.55.06U_6.35.04.25
    Kernel is 2.6.27-a5504199
    Build is 1.76.110.6 146733 CL 47214
    Software version is 1.0.0.A6288

    I haven’t touched the “SPL” as far as I know!

    thanks again!

  6. Big-O says:

    @ James

    So just to be clear, you can still turn ur phone on and use it, your trouble is when u go into the recovery screen (that’s the screen u get when u turn on ur phone while holding power and home), that’s where u get stuck? I’m really surprised u didn’t see the CM Recovery image (the one with all the options). Well, if this is the case it’s not that bad. Let’s get u root access first this time using an app called “Instant Root”, and then run “Recovery Flasher” again right after to get the recovery image flashed. I’m betting with Root Access already acquired your phone has no choice but to accept the recovery image (this is not the case most of the time as “Recovery Flasher” worked great for me, but some phones are stubborn, lol). OK so download and install “Instant Root”; all u do is install it, as installing it is what initiates it, it’s that simple. Then use Recovery Flasher to get the recovery image. Try this and let me know if this resolved ur issue. Also having root access first means as a last resort u can download terminal emulator from the market and try manually flashing the recovery image using code (worst comes to worst)….. if u want post ur Gtalk, and I’ll get back to you. Here’s the link:

    http://neilandtheresa.co.uk/Android/

    ~Omar

  7. Big-O says:

    @ Asheyna

    The exclamation point with the triangle and a graphic of the phone is the original stock version of the recovery screen; if when u see it you press “Alt and L” you will get the options. I’d recommend using this recovery screen you’re describing to do a wipe “Alt + W” (also known as a factory reset): when you get to the exclamation point with the triangle, press “Alt and L” to go into the options section of that recovery screen, and then press “Alt + W” to do the wipe. Then restart your phone and hopefully it’s not freezing on the Rogers screen anymore. Also, watch this video and read the details in these step by step instructions for the one Click Root: http://theunlockr.com/2009/08/.....one-click/

  8. James says:

    @Big-O

    Thanks for the help so far. I have done the instant root and tried flashing the recovery image again using recoveryflasher but it still just freezes at the G2 splash screen. I think maybe I need to run the commands in terminal manually or use fastboot to boot into the recovery image?

    links to easy guides for either of these things would be greatly received!

    my gtalk is jamescadman@gmail.com

    Thanks again!

  9. James says:

    @Big-o/All…

    I managed to get my Hero into recovery mode using a different recovery image. I used the instant root from above, and I downloaded the zip from http://android.modaco.com/cont.....rmanently/ and extracted the “cm-her-recovery.img”.

    Then I went into recovery flasher and in the text box entered “/sdcard/cm-her-recovery.img” and clicked “Flash custom image”. When completed my handset went straight into recovery mode and I am now using the latest Modaco 2.2 hero ROM!

    Thanks for all your help, Big-O!

  10. Joe Smoe says:

    All, is this root process still valid? Did i miss the window?

  11. [...] by Zinx.  This file is named flashrec-20090815.apk and can be located at Zen Thought or RyeBlog.  I suggest downloading the file on your PC to avoid corruption.  Copy the app to your SD [...]

  12. [...] Get recovery flasher from Android Rooting in 1-click (limited time only… until it gets patched) [...]

  13. Buckz says:

    @RyeBrye
    TMOBILE G1 BUILD NUMBER DRC83
    SD CARD Total Space 0.95GB, Available Space 581MB

    I HAVE THE T-MOBILE G1 AND MY BACK UP FAILED AS WELL, IS IT STILL UNSAFE FOR ME TO USE THE HIDDEN BUTTON BECAUSE I DON’T HAVE A HERO??, AND IF NOT IS IT BECAUSE I DON’T HAVE ENOUGH SPACE?? SOMEONE PLEASE HELP!

  14. dragosh says:

    I was wondering if anybody can gimme a bit of help. I got
    sapphire pvt 32b ship s-on g
    hboot-1.33.0006 (sapp10000)(that’s perfect spl)
    I tried your method: I installed the .apk, I put the recovery.img and update.zip on the root of my card (tried more than 1 card). When I start the program I get: phone type is EBI0/32B. Clicking on backup recovery gives me an error: couldn’t run command. I tried the flash recovery button and I get the same error: couldn’t run command.
    I tried before this method creating a goldcard; I have 4 microsd cards, none of them seem to be compatible with goldcard. I am pretty much at the end of my patience with this damn phone.
    Any help will be highly appreciated. I really wouldn’t mind paying just to get this phone rooted again. I had it rooted but I somehow managed to flash this rubbish rom with the perfect spl on it.
    Thanks.
    Again I am willing to pay anybody if they can root this phone.

  15. Wil says:

    Sooo, I have read about 3000 forums, saw videos, etc. I found this site and was like man I would have to be an idiot not to be able to follow these step by step instructions. Well I downloaded the flashrec onto my g1 and it popped up fine. I press back up and it failed.. (So I did the side invisible button) pressed flash and it failed..So I am stuck..Help pleassse

  16. [...] was created by Zinx. This file is named flashrec-20090815.apk and can be located at Zen Thought or RyeBlog. I suggest downloading the file on your PC to avoid corruption. Copy the app to your SD card and [...]

  17. Cam says:

    Can someone post click-by-click, end-to-end, jargon-free instructions? While I’m a geek, and while I appreciate that a lot of work went into this, I find these instructions to be really confusing.

    Less explanation, more clicky, please. “1. Click this, see this. 2. Click this, see this., etc…”

  18. Frida Escante says:

    Hey I just want to know if this is still safe to do, I have a G1 and Im not sure about doing this, can someone please tell me if this will affect my phone in a bad way at all, would it still be working as it was before rooting? THANKS

  19. Bendik says:

    RyeBrye and Zinx, thanks for making this app and ! My quest for root is finally over. Managed to get “partially” root with instantroot a while ago, but my device hadn’t been completely rooted until now.

    My device: HTC Magic 32A with perfect SPL(?!)

    I had initially problems rooting with the above mentioned method as well, since it failed the backup part. Didn’t notice the “invisible” key before tonight :) After some tries I managed to flash the Amon Ra 1.7.0H to recovery. I had to free a lot of mem on my internal memory before I managed to flash. So if anyone gets the flash error I suggest freeing space! It worked for me.

    Froyo tastes so much better!
    Again, Thanks a lot!

  20. sean says:

    So I tried all of this, and after skipping the backup, because it failed, then hit the flash button, and it said flash failed. Any ideas? I have a 16gb sd card with about 14gb free, so it’s not full, and I doubt it’s corrupt. I also wanted to run cyanogen 6.1.0 (for a htc hero cdma); how do I do that instead of 1.4? Thanks in advance.

  21. Michael B says:

    Can this work on a my touch 4? I want to get rid of apps that are just sitting there and were installed with the operating system (not the ones I installed). But if it’s not going to work for my phone and I will lose the 4g connection, flash, and flash player I need to know if it’s worth it.

    Also if it isn’t, can you tell me if there are any apps that will uninstall those unwanted apps from my phone without touching the root access?

  22. nerdnic says:

    NEED HELP please!! Got to where I’m supposed to back up the recovery image, but then it says backup failed
