Force Android RC 30 update on your T-Mobile G1 and keep root access!

This is starting to turn into a cat-and-mouse game akin to the the back-and-forths we’ve seen between Apple and the iPhone jailbreak underground community. This war has the underground scene always looking for new security exploits that will allow them to gain root access to their handset’s file-system. On the other side, the powers that be are always working to seal whatever security holes were used by the “jailbreak” community.

Google’s most recent move to thwart a nascent Android OS jailbreak uprising by rolling out a new Android OS update (RC30) that aimed to patch the security hole exploited by Android developers. The automatic, over-the-air (OTA) update was expected to essentially kill the Android OS jailbreak movement throughout the T-Mobile G1 fleet.

Today we’re seeing the jailbreak community’s counter-punch to Google’s left-hook. The ever driven developers over at XDA Developers have devised a method that allows G1 users to update their T-Mobile G1 to the latest Android OS RC30 build while still retaining access to the file-system root.

Poor Android in jail, he needs to be jailbroken!

Poor Android in jail, he needs to be jailbroken!

The updated Android jailbreak method mirrors the jailbreak solution currently available for the iPhone OS. By modifying the security checks that the handset performs during a firmware restore, jailbreak developers are able to load modified firmware update files. These modified update files udpate the handset’s firmware to the latest version while retaining particular desired functionality.

In this case, the Android development community has come up with a method that allows them to modify the Android OS’s recovery.img file, which in turn allows them to flash a modified version of Android OS build RC30 to a T-Mobile G1. The modified Android RC30 firmware brings with it all the benefits of the new firmware version while still allowing users to gain root access to the file-system.

If you haven’t yet updated your T-Mobile G1 to the new RC30 update, and you want to preserve root access, you’ll want to follow this G1 jailbreak tutorial.

After the break, that is…

This guide has been updated to reflect the latest modified RC30 file – RC30 v1.2.

Please note that this forced update method is to be used only by those that want to preserve the root access exploit. Applying the modified Android OS update file takes time and familiarity with command line. Once applied, you will have to manually update to any future Android OS updates - because of this, it’s not recommended that casual users with no need for root access jailbreak their G1′s.

  • First off, you’ll need to download two files to your desktop:
  • Download and install the Android Telnet Client from the Android Market
  • Download and install the Terminal Emulator app from the Android Market
  • Turn on WiFi and connect to your WiFi network
  • Now, go back to your downloaded files on your desktop
    • Decompress the file
    • Extract “recovery_testkeys.img” to your desktop
    • Rename “recovery_testkeys.img” to “recovery.img”
    • Rename the modified Android OS RC30 update file from “” to “”
  • Transfer the newly named “recovery.img” file and the newly named “” to your microSD card (you can use the microSD card that came with your G1)
    • Put microSD card in your G1 (if it’s not already in there)
  • Fire up “Terminal Emulator”
    • Type “cd system” and hit Enter
    • Type “cd bin” and hit Enter
    • Type “telnetd” and hit Enter
    • Type “netstat” and hit Enter
    • The IP address you want is listed on the same line as the word “Established”
    • Write down this IP address
    • Close Terminal Emulator (hit the “Home” button)
  • Fire up “Telnet”
  • In the IP address field (it should show “localhost”) enter the IP address you wrote down
    • Hit “Connect”
  • Now that you have root access, you’ll want to type in the following (hitting “Enter” at the end of each line):
    • mount -o rw,remount -t yaffs2 /dev/block/mtdblock2 /system
    • cat /sdcard/recovery.img > /data/local/recovery.img
    • cd /system
    • cat /sdcard/recovery.img > recovery.img
    • flash_image recovery recovery.img
  • Now turn off your phone
  • Restart the handset by holding down the “Power” and “Home” buttons simultaneously
  • When you see the triangle logo (you’ll know it when you see it), hold press “Alt” and “L” simultaneously
  • Ensure that you see “using test keys” along the top
  • Press “Alt” and “S” simultaneously
  • Follow the on-screen instructions
  • Press “Home” and “Back” buttons simultaneously when you’re done and ready to reboot
  • The G1 will reboot as it does its thing – let it do so.
  • You have now fully updated your T-Mobile G1 to Android OS RC30 with the root access exploit preserved – get at the root with the Terminal app.

Again, you run a very real possibility of bricking your T-Mobile G1 by updating it yourself. Making sure your battery is fully charged and that you disconnect the G1 from your computer before updating will help ensure a smooth update. Should things go awry, however, you’re on your own. (T-Mobile will likely help you out, but it’s not going to be a fun or speedy process)

[Via: XDA]

  • chris

    Uh, so what if I want to make it so I can just get ota updates again, even if I lose root? Actually, this process didn’ work as an update, but now because of the switched update source I can’t even get otas. Is there a command to undo this change? Anyone?

  • Gary

    yes, you will need the recovery.img from an original RC30 and retrace your steps on flashing the recovery.img back to the “REAL” recovery…its a simple process..

  • Will Park

    Right you are, Gary. Guide is updated to include instructions on how to restore OTA update capability.

  • Martin Leventon

    It is tempting but only because T-mobile UK doesn’t seem to want to push anything over RC8 to my G1. My settings says I am on RC8 and I got a update OTA last Friday.

  • LeeLaa000

    um… i don’t get it :/

  • Ethan

    I followed your instruction, and found I can’t start telnetd after the update. Anything wrong?


  • Shawn

    Can somebody update the link, It’s broken…

  • Michael

    I need a employee password and user id so i can get service i just got a G1 today and cant use it when i was 17 i made a bill that will take me years to pay off so for the mean time i could really use the help if someone dont wanna give me the info maybe they could do it for me

    PLEASE HELP!!!!!!!!!!!

  • Amol

    do I need T-mobile SIM to do this update process or there is some work around for this???

  • thedown_side

    “Michael says: I need a employee password and user id so i can get service”

    Your kidding right? If not, please let us know what your smoking… some of us might like some too.

    Keep it REAL
    the down side

  • tom

    this didnt work for me if i do a factory reset will i get the regualar updates please respond or will i still be stuck with r29

  • rojjas

    This erase the memory of the movil as I return to a restore point

  • Dan

    got the same issue; I had root access RC 29, but noot after upgrading to RC30 with these instructions.
    Needless to sa, the Tether did not work with or without root access.

  • Bryan Russell

    lmao… whatever is in his pipe is deadly!

  • Chris

    Hi could someone please help me? i have root access on my G1 this i know as i rolled back to rc7 from rc9, i can connect to telnet, i can use my G1 as a tether and access the internet, however i cant get the phone to read the new recovery image or update,zip file, please be patient as i explain, i have root on the phone after following the guide, how ever when i come to flashing the update from the sdcard all it ever says is “no such file or directory? i have checked and re-checked that the recovery_image.img is on my sd card, and i have changed the name of the Jfv1.1 etc to, i can imput the following in telnet and in terminal emulator :
    * mount -o rw,remount -t yaffs2 /dev/block/mtdblock2 /system

    but when i imput the rest below it just says NO SUCH FILE OR DIRECTORY??? I HAVE FORMATTED THE SD CARD TO FAT 32, CAN ANYONE HELP PLEASE?
    * cat /sdcard/recovery.img > /data/local/recovery.img
    * cd /system
    * cat /sdcard/recovery.img > recovery.img
    * flash_image recovery recovery.img

  • winstorm

    does rooting ur phone help u to send music through bluetooth and get moving text messeges or what? if not how thin? does anyone know?

  • sultan

    the link is broken, please update it!

  • haziq

    can any 1 tell me by doing this process we can jailbreak our carrier as i can jailbreak iphone but doing this is difficult if it can jail break my carrier than i do this process

Back to top ▴