As is customary with these kinds of posts, some disclaimers:

  1. This could be dangerous.
  2. This should only be used if you know what you are doing.
  3. Although this technique should work for any currently shipping android phone, this specific APK will only work with phones that are compatible with cyanogen’s 1.4 recovery image.

Now, some credit:

  1. Zinx did all the work on this.


Flashing your recovery image:

Although the exploit itself can be used to execute anything as root, the prepackaged APK is designed to flash your recovery image with an updated one that allows installing modified updates signed with a publicly available key. The reason for this is pretty simple: it’s the easiest way to enable you to install some modified image. It also enables you to use nandroid to back up (and restore) your entire phone to your SD card, and basically gives you what you need to be one of the cool kids and install custom Android ROMs at will.

Install the APK

In your settings, under software, tell it to allow untrusted sources (necessary since the APK isn’t available in the Market). Then, from the browser on your phone, download the “recovery flasher 0.1 APK” from here: http://ryebrye.com/files/flashrec.apk. Install it and open it up.

Mirror Backup recovery flasher APK

In the app:

  1. click on “backup recovery image”
  2. click on “Flash Cyanogen Recovery 1.4”

(in mine there is the option to restore my previous one since I already backed that thing up)

Test that it worked

Power your phone down. Reboot into “recovery mode”. On all phones I’m aware of, you do this by holding down “Home” and “Power” when turning it on. You should now see the option menu.

From here, you can install any of the custom roms using the instructions above. I highly recommend you use the “nandroid backup” button at this point.

IF YOUR RECOVERY MODE SCREEN DOES NOT LOOK LIKE THE ONE ABOVE, OR DOESN’T HAVE ALL THOSE OPTIONS, DO NOT PROCEED – reboot and apply again.

Known issues:

  • It’s possible that your recovery.img will be replaced with the stock one if you reboot into the normal OS instead of into recovery mode. Android reflashes recovery.img from a stored file each time it boots, and we aren’t currently replacing that stored file, so your rooting is only temporary. If you have to reboot the phone to do something after doing a nandroid backup, be sure to reflash the recovery image using this app before rebooting back into recovery.
  • If your phone doesn’t work with Cyanogen 1.4’s image (which I believe are the 32A HTC Sapphires [Rogers HTC Magic, etc.]), you should not use this as-is; see my instructions for those phones at the bottom. If recovery fails to boot, you should be able to pull the battery, reboot into the normal phone, open the recovery flasher app again and “restore” your backed-up recovery.img, but no promises. This is all done at your own risk.
  • The exploit used in this hack (CVE-2009-2692) is already patched. The kernel was patched upstream on August 11th, so it is likely that an update will be pushed out from T-Mobile VERY quickly to prevent malicious people from using this same exploit.
  • Apologies in advance to anyone who has to work quickly and work hard to patch this exploit in the wild. (Although it should be noted that if you just shipped phones that weren’t neutered in the first place, it would save us all a lot of work and help us all be on the same team, but that’s a topic for another post.)
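Because the stock OS can silently put the original recovery back, it is worth checking what is actually in the recovery partition before you reboot. The script below is an added example (not part of the original post or the flashrec project): it compares the partition contents against the image you flashed and against the backup the flasher app saved, comparing only the first image-sized bytes because the flash partition is padded beyond the image. The device path is an assumed placeholder; confirm it against /proc/mtd on your own phone.

```shell
#!/bin/sh
# Added example, not code from the original post or the flashrec project.
# Classifies the current recovery partition as "custom", "stock" or "unknown"
# by comparing it byte-for-byte with the image you flashed and with the stock
# backup. Partition dumps are larger than image files (the partition is
# padded), so only the first $(size of image) bytes of the partition count.

# Usage: recovery_matches <partition_dump_or_device> <image_file>
# Returns 0 when the partition starts with exactly the bytes of the image.
recovery_matches() {
    part="$1"; img="$2"
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    part_sum=$(head -c "$size" "$part" | sha1sum | cut -d' ' -f1)
    img_sum=$(sha1sum "$img" | cut -d' ' -f1)
    [ "$part_sum" = "$img_sum" ]
}

# Usage: classify_recovery <partition> <custom_image> <stock_backup>
# Prints "custom" if the flashed image is still there, "stock" if the OS has
# already restored the original (see known issues), "unknown" otherwise.
classify_recovery() {
    if recovery_matches "$1" "$2"; then echo custom
    elif recovery_matches "$1" "$3"; then echo stock
    else echo unknown
    fi
}

# Stand-alone run against the device. The MTD path is an ASSUMPTION for a
# G1-class device (check /proc/mtd); the image paths are placeholders.
# classify_recovery /dev/mtd/mtd1ro /sdcard/recovery.img /sdcard/recovery-backup.img
```

If it prints "stock" after a normal boot, reflash with the app before rebooting into recovery, exactly as the known issue above describes.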

Original links:

If my blog goes down, these links are the original source for the files:
http://zenthought.org/content/project/flashrec

Mirrors:
http://g1files.webs.com/Zinx/android-root-20090816.tar.gz
http://g1files.webs.com/Zinx/flashrec-20090815.apk
http://g1files.webs.com/Zinx/flashrec-20090815.tar.gz

Update: More detailed instructions

I have personally used this APK on a T-Mobile US G1 running stock CRC1, and a T-Mobile myTouch 3G running stock software. Both of them worked flawlessly and were done in a matter of seconds. I’ve seen a few threads with people making accusations that this is a trojan, that it doesn’t work, etc.

Regarding the possible ‘trojan’ nature

It’s wise to be skeptical. That’s why the source code is provided and has been since this post was first placed. If you want to be skeptical, that’s fine: download the source, inspect it, build it yourself, and apply it. You would be wise to rely on a brave friend to test it out and verify it works, but I would hold off on applying any security updates that come down the pipe if you want to use this method to get on the modified-image train (I’m almost positive the next update will close this hole).

What you get when you are done

When you are done, you just have the tools to flash modified builds. Because it will run on both HTC 32B Sapphires (T-Mobile myTouch 3G, Google Ion, etc.) and HTC Dreams (G1, ADP1, etc.), I recommend using Cyanogen version 3.9.11.2, an experimental build that has some cool Donut features like device-wide searching (which is really, really cool to use).

Once you get to the recovery console, first back up your phone using nandroid backup. This will help you in case you flash an image that for some reason doesn’t work; at least you can restore to what you have now (boot back into recovery and choose “restore from backup”).

To prepare for rooting, download this file: http://n0rp.chemlab.org/android/experimental/update-cm-3.9.11.2-signed.zip and put it on your SD card at the root level (i.e. the very top of the SD card; if you are on a GUI desktop, just drag the zip file and drop it onto the icon of the SD card and it will be at the root level).

BEFORE booting into recovery mode

  • Have a modified ROM of your choice ready to load (i.e. the update-cm-3.9.11.2-signed.zip) on your SD card
  • Be prepared for the awesomeness you are about to unleash
  • Actually flash the recovery image using the recovery flasher apk and following the above instructions

To Boot into recovery mode

  1. Power down phone
  2. Hold down “Home” and “Power” simultaneously for a few seconds (you can release them once it turns on)
  3. Verify that the image matches my screenshot above

(When I did the myTouch 3G, it seemed to hang for a second the first time I booted into recovery mode. I pulled the battery, popped it back in, did the home+power thing again and it booted fine the second time. So if at first you don't succeed, don't be too scared.)

When you reboot into recovery mode:

  1. Back up your phone by hitting “nandroid backup”
  2. Wipe your data by selecting “wipe data” (and press the home button to confirm). DO NOT wipe your data unless you have nandroided, and already have the update.img loaded on your phone ready to apply!
  3. Update to Cyanogen by selecting “apply any zip from sd”, scroll to that update-cm-3.9.11.2-signed.zip, hit OK, and press the home button to confirm
  4. Reboot the phone.
  5. Be patient; rebooting after reflashing takes longer than a normal reboot.

Special note for Sapphire 32A users.

If you have a 32A Sapphire, you can STILL use this app, but you have to download a different recovery image for your phone and put it on your SD card first.

  1. Download the 32A version of the recovery.img from here or here
  2. Copy that recovery.img to your SD card at the root level and call it “recovery.img”
  3. Open the “recovery flasher” app and backup your recovery.img
  4. In the text field type in “/sdcard/recovery.img”
  5. Hit “flash recovery”

Now you should be able to boot into the recovery mode. From there, you need to install a 32A version of a modified image, such as the ones in this thread on XDA-forums.

Special note for Hero users (and possibly others)

If you have a currently-shipping HTC Hero, you should try the “H” version of Amon_RA’s recovery image and use it the same way as the Sapphire 32A (see above for instructions, i.e. put the recovery.img on your SD card).

If you have a phone other than the ones I’ve tested personally, you should try a few of the different recovery images before giving up. As long as your phone has a modified recovery image available for it (and as far as I know all of them do), you should be able to use this method.

If you have some magical device that nobody else has hacked yet – get in touch with me and we can work on cooking up a custom recovery.img for your device and you can have the pleasure of being the first person in the world with a hacked whatever-it-is-you-have phone.