Root T-Mobile G1, myTouch 3G – Android Phone Hacking Guide

This guide comes courtesy of AndroidandMe.

Preparing Your Phone For Root – Important Disclaimers

Before we begin to root your phone, let’s cover a few basics.
This guide is intended for US phones.  If you are in a country other than the United States, please visit the xda-developers forums for more information on rooting your Android device.

If you do not read and follow instructions, you will have trouble.  We are trying to make this guide as foolproof as possible, but if you do not follow instructions, you will have problems.  I suggest reading the entire guide before you start.  This way you can become familiar with the entire process.  Thankfully, most upgrade problems can be resolved by flashing the RC29 downgrade and starting over.
Make sure your battery is fully charged.  We do not want your phone to die out in the middle of an upgrade flash.  Go plug it in now while you read the rest of this guide.
Set aside at least 60 minutes to root your phone.  The entire process can be completed in about 30 minutes, but I suggest you plan on it taking longer.  We do not want you to get half-way through and then stop.  If you start the root process and do not complete it, you might be unable to use your device and make phone calls.
If you install a developers build of Android, you could be missing T-Mobile apps like MyFaves. You can still update your MyFaves online, but will be missing the app for now.  If this is a problem for you, then do not upgrade.  Also absent from the Android Developer Phone builds are several of the messaging clients like MSN, Yahoo, and AIM.  If you need these apps, there are many replacements available in the market. Update: This varies from rom to rom.  Read the release notes of the rom you choose to install.
You can download many of the required files directly to your phone, but I suggest using a PC.  You will be downloading several files with some as large as 40MB.  You could attempt this over 2G/3G but I do not recommend it.  Several users have complained of corrupt files from downloads over the air.  The quickest and safest method is to download all required files from a PC and then copy them over to your phone’s SD card.
The first time you root your phone, all data will be wiped when flashing a new Android build.  Any data you want to keep must first be backed up before you begin.  Most of the important information on your phone is synced with Google, but there are other things you might want to back up.  Call logs, SMS history, and phone settings are the most commonly backed up items.  Thankfully, there are several applications in the Android Market that can back up most data on your phone.  MyBackup from Rerware allows you to back up your data to your SD card or online.
Part of the manual root process suggests that you format your SD card.  After you have backed up data to your SD card, be sure to copy it all over to your PC before formatting.  If you have an extra microSDHC card, I suggest using the spare for the root process.  Also note it takes several minutes to format your micro SD card to the FAT32 file system, so I suggest using the smallest sized card to speed up the process.
After you root your phone, you will not receive system updates from T-Mobile.  Part of the root process blocks T-Mobile from applying updates to your phone.  This is done on purpose to prevent a future update from removing root access.  The good thing is you can manually update your phone to a new custom version of the operating system at the time of your choosing.  T-Mobile tends to roll out new updates over the span of several days, but when you have root you can apply the update as soon as it’s available.  Some custom roms have simplified future upgrades by releasing their own update applications like JF Updater and Cyanogen Updater.  See the end of this article for more information on keeping your phone up to date.
If you run unsupported software, T-Mobile will not offer technical support for you.  This can be a make or break issue for some people.  Instead of turning to T-Mobile when you have problems, you will turn to the community for help.

Part 1. Replace your recovery image.

There are two methods you can use to replace your recovery image.  One is automatic and exploits a security hole in Android build CRC1 or lower.  The manual method takes longer, but it should be future proof and always work.  Read the description of each method before deciding which to use.  I suggest Method A for being the quickest.

Method A – Automatically replace your recovery image with FlashRec
The purpose of this method is to use a Bluetooth security exploit that existed in Android build CRC1 or lower.  It downloads and installs the Cyanogen recovery image to your phone.  Using this method is preferred because it does not overwrite your radio and SPL file like the manual install method.  Future updates to Android are likely to block this hack, but you should always be able to revert to the official CRC1 build and gain access using this method.

  • Difficulty: Easy (1-click)
  • Works on US T-Mobile and myTouch 3G
  • Does not work on other HTC Magic (32A) phones
  • Time: 5 minutes
  • Required Equipment: T-Mobile G1 or myTouch 3G
  • Suggested Equipment:  SD card reader, extra microSD card, USB phone cable
  • Works with Android build CRC1 or lower. Go to Settings > About phone > Phone build
  • Replaces recovery image only.  Does not overwrite radio or SPL

A1. Download and install the 1-click root app flashrec-20090815.apk

First we need to download the application file that was created by Zinx.  This file is named flashrec-20090815.apk and can be located at Zen Thought or RyeBlog.  I suggest downloading the file on your PC to avoid corruption.  Copy the app to your SD card and install it using your favorite file manager like Astro or AppManager.
A2. Launch the FlashRec application and backup your current recovery image
Before you can flash a new recovery image, you must back up your original one first.  Press the large button that says “Backup Recovery Image”.

A3. Flash the new Cyanogen recovery image
After backing up your recovery image, you should see a message that says “Backed up”.  Now you should see the button “Flash Cyanogen Recovery 1.4” light up.  Click the button to perform the flash and do not touch your phone until you see “Flashed new recovery image.”  When you see that message it is ok to reboot your phone and check that the new recovery image loaded.

Stop and Verify:  Reboot your phone with the steps below to see if the new recovery image is loading correctly.

  • Power off your phone.
  • Press and hold the Home key and then power the phone back on.
  • You should be greeted by the new Cyanogen recovery image screen.

Method B – Manually downgrade your phone to RC29 to replace the recovery image
The purpose of this downgrade is to exploit a security hole that existed in one of the early builds of Android.  We will be flashing the file DREAIMG.nbh which performs a master reset of all software on your phone.  It will downgrade your radio, SPL, recovery image, and wipe everything.  This method has been tested on all current Android builds and should continue to work on future official releases.

  • Difficulty:  Hard (lots of important info you can learn using this method)
  • Time:  45 minutes
  • Works on US T-Mobile G1
  • Required Equipment:  T-Mobile G1
  • Suggested Equipment:  SD card reader, extra microSD card, USB phone cable
  • Should work on any Android version installed on a G1
  • Downgrades Radio, SPL, recovery image, and Rom

In order to apply updates to your phone, we must have a micro SD card formatted to the FAT32 file system.  As noted above, when you format your SD card, it will erase all data.  Most micro SDHC cards are already formatted for FAT32, but some are FAT16, and I suggest formatting the card if you run into problems.  Instructions for Windows users:

  • Hook your phone up to your PC using a USB cable.
  • Click the notification on your phone that says “USB Connected”.  Select the “Mount” option.
  • Once the device is mounted, you will see a removable disk show up on your computer.  Right click the device and select Format.
  • Pick FAT32 for the file system and click start.  Do not perform a quick format.
  • When the format is complete, you can disconnect your phone by clicking “safely remove hardware” like any other USB device.

Now that your SD card is formatted, we can start the downgrade process.
B1. Download and flash the DREAIMG.nbh file: The first step of the manual install is to download the file DREAIMG.nbh.  You can find this file at Android Roms, XDA Wiki, or search Google.  Some users have reported the DREAIMG.nbh file gets corrupted when downloading over 3G/Edge.  To avoid this just download the file to your PC and then copy it to the SD card.
After you download the file DREAIMG.nbh, place it in the root directory of your SD card.  This means the file is located in the main directory of your SD card and not in any folder.  Some of the sites might offer the file in a zip format, so make sure you unzip it first.  If the file DREAIMG.nbh is not in the root/main directory of your SD card, then the downgrade will fail.
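The guide warns that downloads can arrive corrupted and that the flash fails unless the file is unzipped and sits in the root of the SD card. The pre-flight check below is an added example, not part of the original guide; it assumes the site you downloaded from publishes a SHA-256 checksum (the guide lists none), and the function names and sample data are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so a large image is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(sd_root, name, expected_sha256):
    """Return a list of problems; an empty list means the file is ready."""
    sd_root = Path(sd_root)
    target = sd_root / name
    if not target.is_file():
        # The guide requires the file in the card's root, not inside a folder.
        strays = [p for p in sd_root.rglob(name) if p.parent != sd_root]
        where = f" (found in {strays[0].parent.name}/ instead)" if strays else ""
        return [f"{name} is not in the root of the SD card{where}"]
    problems = []
    if zipfile.is_zipfile(target) and not name.lower().endswith(".zip"):
        problems.append(f"{name} is still a zip archive; unzip it first")
    actual = sha256_of(target)
    if actual != expected_sha256.lower():
        problems.append(f"SHA-256 mismatch: got {actual}")
    return problems


def demo():
    """Constructed sample data: fake bytes standing in for DREAIMG.nbh."""
    with tempfile.TemporaryDirectory() as tmp:
        sd = Path(tmp)
        payload = b"constructed sample image bytes" * 1000
        good = hashlib.sha256(payload).hexdigest()  # stands in for the published value
        (sd / "DREAIMG.nbh").write_bytes(payload)
        ok = preflight(sd, "DREAIMG.nbh", good)
        # Simulate a truncated download.
        (sd / "DREAIMG.nbh").write_bytes(payload[:-512])
        truncated = preflight(sd, "DREAIMG.nbh", good)
        # Simulate the file being left inside a folder on the card.
        (sd / "downloads").mkdir()
        (sd / "DREAIMG.nbh").rename(sd / "downloads" / "DREAIMG.nbh")
        misplaced = preflight(sd, "DREAIMG.nbh", good)
        return ok, truncated, misplaced


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

Point `preflight` at the mounted SD card's drive or mount point and pass the checksum published alongside the download; the same check applies to the rom, radio and SPL zip files used later in the guide, which are left zipped.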
Once the file DREAIMG.nbh is on your SD card, perform the following steps to downgrade your G1 to build RC29.

  • Power off your phone.
  • Press and hold the camera button then power the phone back on.
  • Wait for the NBH flash screen to load up all the way and press the Power button to begin the update.
  • When the downgrade completes it will prompt you to hit the action key (trackball) to continue.
  • After pressing the action key your phone should reboot and display a rainbow colored screen.  When you see the rainbow screen you can reboot your phone by pressing TALK+MENU+POWER.

Stop and Verify:  When the phone reboots, you should be greeted by a fresh install of Android.  Go through the setup process again for signing into your Google account.  You can double check that the downgrade was successful by checking your build number as explained earlier.  Press “Menu”, then “Settings”, and click “About Phone”.  Your version after the downgrade will read RC29.
B2. Replace the recovery image
Now that we are running RC29, we can exploit a known security hole to gain permanent root access.  This next step will replace your phone’s recovery image.  Once installed, the new recovery image will allow us to load any custom build of Android we want.  The recovery image is what essentially gives us root access because it allows us to flash Android builds that have root access turned on by default.
There are many recovery images we can install, but the most popular and widely used is Cyanogen’s Pimped Out Recovery Image.  We suggest this recovery image because it allows you to flash any zip files which makes it easier to keep multiple updates stored on your SD card at once.  Older recovery images forced you to rename the upgrade files as “” which sometimes caused confusion over what you were flashing.
Please note that Cyanogen frequently updates his recovery image so some of the examples below might have changed.  We are using v1.4 as an example, but you can substitute a different number if you find this guide outdated.
We must install a Telnet client to gain permission to replace your phone’s recovery image.  Search the Android Market for Telnet and install it on your phone.  When the app is finished installing, it is time to open up a telnet session on your phone for the app to connect to.
Perform the following steps to start a telnet session:

  • Go to the home screen and open up your keyboard.
  • Hit enter, pause a second, then hit enter again.
  • Type “telnetd” in all lower case minus the quotes. Ignore the contact search that comes up.
  • Press enter again.

Now that a telnet session is open, we will connect to it from the phone.  Launch the telnet app and connect to localhost with the default port 23.  If you see any errors, it means the telnet session is not open.  Return to the previous instructions and try launching telnet again.
Type the following commands into the telnet prompt and press enter after each command (notes are in parentheses).  Pressing enter after each command should return you to a blank prompt with the # symbol.

  1. mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system (make the system folder writeable)
  2. cd sdcard (change directory to SD card)
  3. flash_image recovery cm-recovery-1.4.img (flashes recovery image with CM v1.4.  Replace cm-recovery file name if flashing a newer version)
  4. cat cm-recovery-1.4.img > /system/recovery.img (copies the cm-recovery image to your system directory)

Stop and Verify:  Reboot your phone with the steps below to see if the new recovery image is loading correctly.

  • Power off your phone.
  • Press and hold the Home key and then power the phone back on.
  • You should be greeted by the new Cyanogen recovery image screen.

B3. Upgrade the Radio Image to the latest version (Optional but suggested. G1 only.)
If you downgraded your G1 phone to RC29 using the DREAIMG.nbh method, your radio image was downgraded as well.  I suggest updating to the latest Radio Image so you can load the latest roms and flash a new SPL file.
The new radio image has been posted on HTC’s support website, Android Roms page, or Haykuro’s Sapphire Port page.  In order to apply the Radio update, we must download the file “”.
After the file is downloaded, it must be placed in the root directory of your SD card.  This means to place it in the main directory and not inside any folder.  When the radio image file is placed on your SD card perform the following steps:

  • Power off your phone.
  • Hold down the Home key and power the phone back on.
  • Select apply any zip from sd or press Alt+A
  • When prompted, hit Home to write the image file.
  • When the radio image is finished updating, it should reboot your phone to the recovery screen.  You can select reboot system now or press Home+Back.

Stop and Verify:  You can check the version of your radio image to make sure it updated.  Go to Settings > About Phone > Baseband version.  The version number should end in just like the original name of the update file.
B4. Flash the latest SPL file to free up more space on your phone (Optional. Experts Only. G1 only.)
Flashing a new secondary program loader(SPL) will rewrite your internal partition tables and free up more space on your phone.  This new SPL is required to load certain roms.  You must have the latest radio ( installed before flashing the new SPL.  If you do not have the latest radio loaded, flashing the new SPL can prevent your phone from booting.
Once again, this new SPL is only for:

  • Phone: US T-Mobile G1
  • Radio:
  • Recovery Image: Recovery Image that allows you to flash custom roms (Cyanogen)

Flashing a new SPL will rewrite all your partition tables and will delete all data from your phone.  The main reason people flash a new SPL is because it increases your system partition from 70 MB to 90 MB.

  1. Download the latest SPL(1.33.2005) from Haykuro’s Sapphire-port page.
  2. Copy the SPL file( to your SD card.
  3. Reboot your phone into recovery mode.  (Power off phone.  Press and hold Home key then press power)
  4. Wait for Cyanogen’s recovery image to load and select “apply any zip from sd”.  Flash the file.
  5. After flashing the SPL, you must flash a custom rom or your phone will not boot.

I’ve never had an issue flashing my SPL, but some people seem to have problems.  If you run into serious trouble you can visit the XDA forum post “Let’s fix that SPL“.

Part 2. Install Custom Android Build.

Now that the hard parts are over, we are ready to install a custom build of Android.  There are many to choose from and I will let you decide what to flash.  For daily use, I suggest using the latest stable release from Cyanogen.  For a complete list of ROMs, visit the Android ROM Build Database.  Make sure you read the release notes of each build before you flash it.  Some builds are made for foreign HTC phones and will not work on US HTC models.  The myTouch 3G is referred to as an HTC Magic 32B. Some builds for the G1 also require the latest radio image and SPL file (see steps B3 and B4 above).  These builds should be considered experts only.
All rom files come in zip format.  Download the rom of your choice and place it in the root directory of your SD card.

  • Power off your phone.
  • Boot into recovery mode.  (Press and hold the Home key, then hit the power button).
  • Before you flash a rom file, perform a wipe.  Press Alt+W to wipe the data and cache folders.  You must wipe when going from different builds of Android.
  • Wait for the wipe to finish and the recovery image to display again, then select “apply any zip from sd”.  Flash the zip file of your choice.
  • After flashing any zip you should be able to reboot your system and watch it load to the home screen.

After changing Android builds, it can take several minutes for the first boot.  If your phone hangs on the animated Android logo, this is because you did not perform a wipe.  If you are stuck in a boot loop, return to the recovery image and make sure you wipe.
