6 September 2010 Update
This page continues to be very popular among readers. The techniques described below rely upon a kernel bug that has long since been patched, but if you are able to downgrade your phone to an earlier version this process remains a very easy way to root your phone.
Amazon Wireless has some great deals on newer android phones (A Samsung Vibrant for as low as $39 is a pretty good deal – that phone hauls butt) – and they are all easily rootable too (well, not quite one-click easy, but still pretty easy). Just about any of the newer phones shipping with 2.1 or 2.2 will blow the doors off of the older phones that can be downgraded to work with this one-click root bug, so I would recommend checking them out at least to see what you can get for cheap these days. If any people actually buy phones from clicking that link, I’ll be motivated to write some more easy-to-follow instructions on how to root the newer phones on the market and possibly even work with Zinx on some more easy-to-use rooting tools.
Now, that being said – while you wait for your new phone to ship, there’s no harm in squeezing a bit more life out of an old phone or one that you just inherited from someone else upgrading to the latest and greatest… and for that – you can read on and use the techniques documented here.
As is customary with these kind of posts, some disclaimers:
- This could be dangerous.
- This should only be used if you know what you are doing.
- Although this technique will work for any currently shipping android phone, this specific APK works easiest with phones that are compatible with cyanogen’s 1.4 recovery image for the HTC Dream/Magic (32B). There are instructions posted below for how to download a recovery.img that will work for other phones to your SD card, and how to use this apk to root those phones as well – it’s just not one-click… it’s more like some typing and 1-click, so it might take you 30 seconds longer to do.
Now, some credit:
- Zinx did all the work on this
UPDATE: The “Recovery Flasher” is no longer in the market. This is entirely understandable and we as a community have no real right to be upset about this (their market, their rules – and after inspecting it they determined that the app violates them). So… Consider yourself lucky if you were one of the several thousand people who got it before it was taken down – and if not… there are plenty of mirrors to get it from posted here. (Android by design allows you to install applications from a variety of locations – you aren’t locked down to just one provider like on some fruity phones). So please don’t have a knee-jerk reaction and get mad at Google for this – they are still very much hacker-friendly (just search the market for applications that only work on rooted phones and you’ll realize that they are pretty laissez-faire in the market).
Flashing your recovery image:
Although the exploit itself can be used to execute anything as root, the prepackaged APK is designed to flash your recovery image with an updated one that allows installing modified updates signed with a publicly available key. The reason for this is pretty simple: it’s the easiest way to enable you to install some modified image. It also enables you to use nandroid to backup (and restore) your entire phone to your sd card, and basically gives you what you need to be one of the cool kids and install custom android roms at will.
Install the APK
The application was originally uploaded to the market, and that was the fastest place to get it from (open up the Market and search for “Recovery Flasher”). As noted in the update above, it has since been removed, so use the method below instead.
In your settings, under software, tell it to allow untrusted sources (necessary now that the APK isn’t available in the market). Then, from the browser on your phone, download the “recovery flasher 0.1 APK” from here: http://g1files.webs.com/Zinx/flashrec-20090815.apk Install it… and open it up.
Download from one of these mirrors
It looks like this:
- click on “backup recovery image”
- click on “Flash Cyanogen Recovery 1.4”
(in mine there is the option to restore my previous one since I already backed that thing up)
Test that it worked
Power your phone down. Reboot into “recovery mode”. On all phones I’m aware of, you do this by holding down “Home” and “Power” when turning it on. When you see something like this:
IF YOUR RECOVERY MODE SCREEN DOES NOT LOOK LIKE THE ONE ABOVE, OR DOESN’T HAVE ALL THOSE OPTIONS, DO NOT PROCEED – reboot and apply again.
- EVERY TIME YOU REBOOT YOUR PHONE INTO NORMAL ANDROID IT UNDOES WHAT YOU JUST DID. Every time android boots, it reflashes the recovery partition with the default one from a file stored in your phone. For safety reasons, we are not replacing this file – just flashing the partition directly. So if you boot to recovery mode, then boot back into your normal mode, and then boot back into recovery mode – you will see a triangle with an exclamation point and only 3 options. DO NOT WIPE YOUR DATA IF YOU ONLY SEE 3 OPTIONS AND AN EXCLAMATION POINT. If you only see three options, reboot your phone into normal android mode and re-run the “Recovery Flasher” application – and THEN boot into recovery mode and you will see all the options.
- If your phone doesn’t work with cyanogen 1.4’s image (which I believe are 32A HTC Sapphires [Rogers HTC Magic, etc]) you should not use this as-is – see my instructions for those phones at the bottom. If recovery fails to boot, you should be able to pull the battery and reboot into the normal phone and then open the recovery flasher app again and “restore” your backed up recovery.img – but no promises… This is all done at your own risk.
- The exploit used in this hack (CVE-2009-2692) is already patched. The kernel was patched upstream on August 11th, so it is likely that an update will be pushed out from T-mobile VERY quickly to help prevent malicious people from using this same exploit.
- Apologies in advance to anyone who has to work quickly and work hard to patch this exploit in the wild. (Although it should be noted that if you just shipped phones that weren’t neutered in the first place, it would save us all a lot of work and help us all be on the same team… but that’s a topic for another post.)
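For anyone on the patching side, here is a small Python check (an added example, not code from the original post or from Zinx’s Recovery Flasher) that tells you whether a kernel release string falls inside the range affected by CVE-2009-2692 and whether the vm.mmap_min_addr sysctl mitigates it. The release strings and sysctl values in the demo are constructed samples.

```python
"""Exposure check for CVE-2009-2692 (sock_sendpage NULL pointer dereference).

Affected per the CVE entry: Linux 2.6.0 through 2.6.30.4 and 2.4.4 through
2.4.37.4; the fix landed in 2.6.30.5 and 2.6.31-rc6.
"""
import re

_RELEASE_RE = re.compile(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-rc(\d+))?')


def parse_release(release):
    """Turn a `uname -r` string into (major, minor, patch, sublevel, rc).

    Missing numeric parts become 0; rc is None for a final release. Vendor
    suffixes such as '-00479-gXXXXXXX' (constructed) are ignored.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, sub, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(sub or 0),
            int(rc) if rc else None)


def kernel_is_affected(release):
    """True if the release lies inside the published affected ranges."""
    major, minor, patch, sub, rc = parse_release(release)
    if (major, minor) == (2, 6):
        if patch < 30:
            return True
        if patch == 30:
            return sub < 5            # 2.6.30.5 carries the fix
        if patch == 31:
            return rc is not None and rc < 6   # fixed from 2.6.31-rc6 on
        return False
    if (major, minor) == (2, 4):
        return patch >= 4 and (patch, sub) < (37, 5)
    return False


def assess(release, mmap_min_addr):
    """Combine the version check with the mmap_min_addr mitigation.

    The public exploits mapped page zero so the NULL function-pointer call
    landed in attacker-controlled memory; a non-zero vm.mmap_min_addr refuses
    that mapping. Bypasses existed on some distributions, so 'mitigated' is
    defence in depth, not a substitute for the kernel fix.
    """
    if not kernel_is_affected(release):
        return "patched"
    return "mitigated" if mmap_min_addr > 0 else "exposed"


if __name__ == "__main__":
    for rel, mma in [("2.6.29-00479-gXXXXXXX", 0), ("2.6.30.5", 0),
                     ("2.6.31-rc5", 65536)]:   # constructed samples
        print("%-22s mmap_min_addr=%-6d -> %s" % (rel, mma, assess(rel, mma)))
```

On a live box the two inputs come from `uname -r` and `/proc/sys/vm/mmap_min_addr`.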
If my blog goes down, these links are the original source for the files:
Update: More detailed instructions
I have personally used this apk on a T-mobile US G1 running stock CRC1, and a T-mobile myTouch 3g running stock software. Both of them worked flawlessly and were done in matter of seconds. I’ve seen a few threads with people making accusations that this is a trojan or that it doesn’t work… etc.
Regarding the possible ‘trojan’ nature
It’s wise to be skeptical. That’s why the source code is provided and has been since this post was first placed. If you want to be skeptical, that’s fine – download the source, inspect it, build it yourself, and apply it… You would be wise to rely on a brave friend to test it out and verify it works, but I would hold off on applying any security updates that come down the pipe if you want to use this method to get on the modified-image train (I’m almost positive the next update will close this hole)
By now there should be enough evidence to support the fact that this is not a malicious app – but you always have the right to remain skeptical
What you get when you are done
When you are done, you just have the tools to flash modified builds. Because it will run on both HTC 32B Sapphires (T-mobile myTouch 3g, Google Ion, etc) and HTC Dreams (G1, ADP1, etc) I recommend using Cyanogen version 220.127.116.11 – an experimental build with some cool donut features like device-wide search (which is really, really cool to use).
Once you get to the recovery console, first backup your phone using nandroid backup. This will help you in case you flash an image that for some reason doesn’t work – at least you can restore to what you have now. (boot back into recovery, and choose “restore from backup”)
To prepare for rooting, download this file: http://n0rp.chemlab.org/android/experimental/update-cm-18.104.22.168-signed.zip and put it on your sdcard at the root level (i.e. the very top of the sdcard – so if you are in a GUI desktop – just drag the zip file and drop it onto the icon of the sdcard and it will be at the root level)
BEFORE booting into recovery mode
- Have a modified ROM ready to load of your choice. (i.e. the update-cm.22.214.171.124-signed.zip) on your SD card
- Be prepared for the awesomeness you are about to unleash
- Actually flash the recovery image using the recovery flasher apk and following the above instructions
To Boot into recovery mode
- Power down phone
- Hold down “Home” and “Power” simultaneously for a few seconds (you can release them once it turns on)
- Verify that the image matches my screenshot above
When you reboot into recovery mode:
- backup your phone by hitting “nandroid backup”
- Wipe your data by saying “wipe data” (and press home button to confirm). DO NOT wipe your data unless you have nandroided, and already have the update zip loaded on your sdcard ready to apply!
- Update to cyanogen by saying “apply any zip from sd” – scroll to that update-cm-126.96.36.199-signed.zip and hit ok, press home button to confirm
- Reboot phone.
- be patient – rebooting after reflashing takes longer than a normal reboot.
Special note for Sapphire 32A users.
If you have a 32A sapphire, you can STILL use this app – but you have to download a different recovery image for your phone and put it on your sdcard first.
- Download the 32A version of the recovery.img from here or here
- Copy that recovery img to your sdcard at the root level and call it “recovery.img”
- Open the “recovery flasher” app and backup your recovery.img
- In the text field type in “/sdcard/recovery.img”
- Hit “flash recovery”
Now you should be able to boot into the recovery mode. From there, you need to install a 32A version of a modified image, such as the ones in this thread on XDA-forums.
Special note for Hero users (and possibly others)
If you have a currently-shipping HTC Hero, you should try the “H” version of Amon_RA’s recovery image and use that the same as the sapphire 32A (see above for instructions – i.e. put the recovery.img on your sdcard)
If you have a phone other than the ones I’ve tested personally, you should try a few of the different recovery.img’s before giving up. As long as your phone has a modified recovery image available for it (and afaik all of them do), you should be able to use this method.
If you have some magical device that nobody else has hacked yet – get in touch with me and we can work on cooking up a custom recovery.img for your device and you can have the pleasure of being the first person in the world with a hacked whatever-it-is-you-have phone.
Troubleshooting Common Issues / FAQ:
- When I try to run it, it says “Backup Failed” – it is possible that your SD Card is full, or that it is corrupted. The backup isn’t a crucial step – since we don’t replace the phone’s built-in backup, and if you want to bypass the backup step you can click on an invisible button directly to the right of the “backup” button which will skip this step. To be safe, you should try it again with a different SD card or after freeing some space on your SD card. (it’s not a lot of space that is required, only a few megs at the most)
- When I reboot into recovery, I don’t see the options – I just see 3 options and an exclamation point. What most likely happened is you rebooted your phone into normal android mode at some point after flashing it initially, and android reflashed your recovery partition with the built-in backup that it has (it does this every time you boot). DO NOT WIPE YOUR DATA at this point (if you do, you will have to reprovision your phone and redownload the “Recovery Flasher” program – which isn’t a huge deal, but it will take you more time than you need to spend). You need to reboot into normal android mode and rerun the “Recovery Flasher” program – this time you only need to click on “Flash Cyanogen Recovery 1.4” since you have already made a backup. After you do that, reboot into recovery mode (hold power + home button when turning the phone on) and you will see all the options again.
- My Recovery mode doesn’t boot! Ah! (to be fair, this actually hasn’t happened yet – but I figured I’d post a response to it in case someone has this issue to save you some heartache) First thing to do is pull the battery and put it back in. Hold home + power again and try it a second time… just to be sure. If after a few tries it still doesn’t work – you may have a 32A based Sapphire. Boot your phone up normally and it will be fine and dandy like it was before (we don’t do anything to your normal android os – just the recovery mode). You need to follow the instructions above (download the appropriate recovery.img to your sdcard and enter the text in the box – then hit flash image… etc). Post in the comments which recovery img you end up using when you get it to work to let others know. No permanent damage is done.
- When I boot, all I see is an android and it sits there FOREVER. If it takes more than 10 minutes to reboot, you almost certainly forgot a key step: WIPING. Pull the battery out, and put it back in. Hold down “home” and “power” to reboot into recovery mode, and then select “wipe data/factory restore” and THEN apply your update.zip – this will almost certainly fix your problem.
- What about warranty service? If you want to restore your phone to exactly the state it was in before you flashed on a modified image – use the nandroid restore function in the modified recovery image. You can test this out pretty easily to confirm it works by booting into recovery mode, then running “nandroid restore” and then booting back into your normal android OS – it should be unrooted and running stock software. (Of course, it should be obvious that in order to get BACK to the rooted version you’ll have to re-do everything you did… i.e. open the app, flash the backup, and reboot into recovery mode and flash the custom rom update). If by some chance your nandroid backup ever becomes corrupt, you can reflash on the original software if you get ahold of an official update.zip for your device and apply it (it will have to be resigned with the public testkeys first, but if you go to any of the popular android hacking forums someone will be able to easily help you do this.) If the phone has an NBH released for it, that will always restore it back to factory settings.
Once you have rooted:
A class 6 micro SDHC card is a very fast memory card – much faster than the one that comes in the phone. When you get one of these, you can make use of various apps2sd tutorials. (Cyanogen will automatically use the sd card for your apps if you set up a partition on it – pretty nice)