- Turn on your phone's WiFi. This gives the phone an IP address that your computer can reach directly.
- Get to a command prompt on your device using the PTerminal application from the Android Market (an adb shell does not seem to work with these instructions: telnetd does not start up).
- cd system
- cd bin
- telnetd (start the telnet daemon; do this right after PTerminal opens, see the timing note below)
- netstat (note your phone's IP address from the output)
- telnet into your phone from your computer: telnet <phone-ip> (the default telnet port, 23)
You now have root! I verified this by remounting the /system partition as read/write and changing files around:
mount -oremount,rw /dev/block/mtdblock3 /system
That remounts the /system partition read/write instead of read-only, which only root can do.
As I suspected, changes to the /system directory cannot be reverted by a hard reset; the /system directory is actually a YAFFS2 file system (system.img) that is supposed to be read-only, and thus is not part of the recovery image. Don't play with it unless you know what you are doing. I moved some files around in /system and broke my Browser, so I performed a hard reset, but the Browser was still broken after the hard reset. Luckily I had tracked my changes and was able to revert what I had done manually.
- Incidentally, in the /system/bin directory there is a flash_image executable that changes the recovery.img used when you hard reset the device. I've noticed that I can run this without root access from a standard adb shell. Maybe we never needed to root the device after all... I think we can flash it without root access... I'm too scared to mess with that beyond that (I don't want to brick my phone!).
- There is no cp command, so you must use dd instead (dd if=<source> of=<destination>). To get a file from your computer onto the phone, copy it to the SD card first, then use the root shell to dd it from the SD card to wherever it needs to go.
- I've noticed that you must start up telnetd very quickly after starting PTerminal. If you wait too long, telnetd will not stay resident; it exits immediately. It looks as if there is some timing- and security-related issue here. I've also written a quick telnet client so I can telnet into root on my phone, from my phone. This works fine. However, I have not been able to successfully launch telnetd from my own application (using Runtime.exec). I'm not sure what PTerminal is doing differently here.
- Kudos to SplasPood of Xda-developers for noticing this exploit.
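Two of the points above (there is no cp, only dd; and a hard reset will not undo a broken /system, so you must track your own changes) can be combined into a small routine. The script below is an added example and is not from the original post: it installs files into a tree using only dd, saves a copy of whatever it overwrites, records each change, and can undo all of them. SYSROOT, LOGDIR, and the function names are assumptions for illustration; it assumes a POSIX sh with dd, mkdir, rm and tr (the G1's toolbox shell is far more limited, so on the phone itself you would type the equivalent dd lines by hand). Point SYSROOT at a scratch directory to try it safely before using it against /system.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Stage files into a target tree using only dd (no cp on the G1),
# keeping a copy of every file overwritten plus a change record so the
# whole set of edits can be undone by hand later.
#
# Assumed paths (override by setting them before calling the functions):
#   SYSROOT  root of the tree being modified, /system on the phone
#   LOGDIR   where backups and change records are kept, on the SD card
: "${SYSROOT:=/system}"
: "${LOGDIR:=/sdcard/sysmod}"

# Copy one file with dd; returns dd's exit status.
ddcp() {
    dd if="$1" of="$2" 2>/dev/null
}

# Turn a relative path such as bin/tool into a flat file name (bin_tool)
# usable inside the backup and state directories.
keyof() {
    printf '%s' "$1" | tr / _
}

# install_file SRC DST: copy SRC to $SYSROOT/DST.
# The first time DST is touched, its original content (if any) is saved
# and a state record is written; later installs over the same path keep
# the original backup, so revert_all always restores the pre-edit file.
install_file() {
    src=$1
    rel=$2
    dst="$SYSROOT/$rel"
    key=$(keyof "$rel")
    mkdir -p "$LOGDIR/backup" "$LOGDIR/state" "${dst%/*}"
    if [ ! -f "$LOGDIR/state/$key" ]; then
        if [ -f "$dst" ]; then
            ddcp "$dst" "$LOGDIR/backup/$key" || return 1
            printf 'replaced\n%s\n' "$rel" > "$LOGDIR/state/$key"
        else
            printf 'added\n%s\n' "$rel" > "$LOGDIR/state/$key"
        fi
    fi
    ddcp "$src" "$dst"
}

# revert_all: put back every replaced file from its backup and delete
# every added file, then clear the state records.
revert_all() {
    [ -d "$LOGDIR/state" ] || return 0
    for f in "$LOGDIR/state"/*; do
        [ -f "$f" ] || continue
        { read -r kind; read -r rel; } < "$f"
        case $kind in
            replaced) ddcp "$LOGDIR/backup/$(keyof "$rel")" "$SYSROOT/$rel" ;;
            added)    rm -f "$SYSROOT/$rel" ;;
        esac
        rm -f "$f"
    done
}
```

Usage from the root telnet shell, after remounting /system read/write: `install_file /sdcard/mytool bin/mytool` stages a file, and `revert_all` undoes every install recorded under LOGDIR. Because the backups live on the SD card rather than in /system, they survive a hard reset, which is exactly the situation described above.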