At the time of this writing, you’re practically guaranteed to have a version of the Android build that removes the rooting system flaw. Because of this, we are in need of downgrading to a version that is suitable for allowing us to root our phones.

*NOTE – If you’re rooted, skip this entire post (you’ve already done this)!

Download the appropriate RC build image (referenced later as “build image”) based on your region:

You’ll need a new Recovery Image, which will give us root later on. For this we’re utilizing Cyanogen’s Recovery Image v1.4, which adds a slew of features that makes it easier and safer for you to flash and backup your phone. See the XDA thread for more details.

While that downloads, we need to prepare our SD Card to be read by the bootloader in a short bit.

  • Hook your phone up to your computer via your USB cable, and mount the SD Card via the notification on your phone. If this is your first time hooking up to your PC, give your OS a chance to recognize the device.
  • Format the newly found disk to fat32. This is suggested to be done in Windows since it’s native. Simply right-click on the disk under My Computer and click Format…; the rest should be obvious (rtfm).

Once your PC is done formatting your SD card and your image files have finished downloading, copy the file named DREAIMG.nbh from the build image zip file and copy it to your newly formatted SD card.
Also copy the other file; recovery.img.




Power off your phone, and turn it back on while holding the CAMERA button.

This brings you to the bootloader, which will launch your signed DREAIMG.nbh on the SD card.

Chicken out, or move on with the onscreen instructions.




Once you’re done, you’ll end up at the bootloader waiting for you to reboot; Press SEND + MENU + END – the new 3-Finger salute for ya! At this point, once you’ve booted into Android, you’ll be wondering what you just did.


What DID You do? Are you rooted yet?

If you’re following from the beginning of this tutorial, you just flashed a new system image that has a flaw allowing root access.

The flaw is that every keystroke is sent to a terminal in the background that has root privileges. I’m sure you can see why Google decided to remove this; but also see why we want to get it back.

And no, you’re not rooted yet. Don’t worry, just a few more things to do and you’re there.

  • Reboot your phone, and press ENTER on the keypad twice.
  • Type “telnetd” (without the quotes) and press ENTER again. This will start a telnet daemon for you to access with a client.


Go to the MarketPlace and download Terminal, and connect to localhost (should be default). You can use the QR barcode to direct you to the market.

If you time out when connecting, reboot the phone and retry without messing with anything else first.

Once you are in, we’re ready to ROOT your phone! Type the following commands to remount your system partition to write to it, flash the recovery partition with our new Recovery Image we copied, as well as copy the recovery partition to /system’s recovery system:

[sourcecode language=”bash”]
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
cd sdcard
flash_image recovery recovery.img
cat recovery.img > /system/recovery.img
[/sourcecode]

W00T! You’re now rooted, but now we need a bootloader that will allow us to flash non-signed images, such as the latest Cyanogen, JesusFreke’s, or Haykuro’s ROMs.

Continue onto the next section to find out how to do so, as well as upgrade to other images!

Sources: