ADB recovery hack

This hack, if executed successfully, should allow you to deploy an unsigned to a device running a current (Android 2.1+) version of recovery.

This hack is for power users only right now, and is not as simple as unrevoked is. We are working on expanding the race window. Before you start, back up your phone. There has been at least one case where a user has had to RUU their phone because of an issue with the superuser APK. These instructions were designed for users who are familiar with Linux; users who have not had Linux experience before should wait.

Launching ADB in recovery

Currently, we don't know how it happens, but sometimes ADB starts while the system is booting in recovery. (We believe it to be a race condition at present.)

  • On the host, run adb shell in a loop.
    • On Linux, syntax will be something like while true; do adb shell; done
  • Repeatedly reboot your device into recovery mode (if it comes up normally, adb reboot recovery).
    • If the shell repeatedly says error: device not found when in recovery mode, press vol-up and power at the same time, then reboot and try again.
    • If the shell repeatedly says - exec '/system/bin/sh' failed: No such file or directory (2) -, then ADB is running in recovery mode; congratulations.

Alternate Method (Credit: Binny)

  • Start from the !triangle screen
  1. Hit Power and volume up
  2. Hit reboot and pop out sdcard
  3. Wait for the white HTC Incredible screen then type
    adb reboot recovery

    until it reboots

  4. Wait for the white HTC Incredible screen again
  5. As soon as you see a flicker on the screen, pop in the sdcard
  6. Wait for the !triangle screen and type
    adb devices
  • If you see the device listed with (recovery) next to it, follow the instructions below. If not, start at step 1 again.

I just got ADB running in recovery mode! Now what?

  • Read through all the steps first. It's not long, but there are some timing-sensitive parts. (Also, the steps must be performed in order!)
  • Download the following three files:
  • Press volume-up and power at the same time
    • A menu should appear.
  • Select by pressing power.
    • It should fail.
  • On the host, run adb push busybox /sdcard/busybox
  • On the host, run adb push /sdcard/
  • On the host, prepare at your command prompt but do not press enter: adb push /sdcard/
  • Select at the menu again by pressing power. Approximately half a second after it starts, press enter to run the second command!
    • If the timing was right, it should verify the legitimate update, but update with our hack, printing a message like “unrEVOked for Incredible”.
    • The device will stay in recovery mode; do not reboot it until you are done making changes to the /system partition!
  • Congratulations! You now have a barebones rooted Incredible. Look in the post-hack tasks below for other things you might want to do before you reboot.
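
The timing-sensitive step above works because the package is verified at one moment and read again for installation at a later one, so a file pushed in between is installed without ever being checked. The C model below is an added example, not the recovery's code or the authors': the file name, the sample strings and the verify() stand-in for the signature check are all assumptions. It puts the flawed verify-then-reopen pattern beside the hardened read-once pattern.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data; verify() is a stand-in for the real signature check. */
#define PKG "toctou_demo_update.zip"            /* hypothetical file name */
static const char GOOD[] = "signed-update";     /* passes verification */
static const char EVIL[] = "unsigned-payload";  /* would fail verification */

static void put(const char *data) {             /* (re)write the package by name */
    FILE *f = fopen(PKG, "wb");
    if (f) { fwrite(data, 1, strlen(data), f); fclose(f); }
}

static size_t get(char *buf, size_t cap) {      /* read the package by name */
    FILE *f = fopen(PKG, "rb");
    size_t n = 0;
    if (f) { n = fread(buf, 1, cap - 1, f); fclose(f); }
    buf[n] = '\0';
    return n;
}

static int verify(const char *buf) { return strcmp(buf, GOOD) == 0; }

/* Flawed: verifies one read, then installs from a second read of the same path.
 * swap != 0 models the file being replaced between the two reads. */
int install_racy(int swap, char *out, size_t cap) {
    char tmp[64];
    get(tmp, sizeof tmp);
    if (!verify(tmp)) return -1;       /* time of check */
    if (swap) put(EVIL);               /* replacement lands in the window */
    get(out, cap);                     /* time of use: these bytes were never verified */
    return 0;
}

/* Hardened: read once, verify that buffer, install from that same buffer. */
int install_safe(int swap, char *out, size_t cap) {
    get(out, cap);
    if (swap) put(EVIL);               /* a later replacement changes nothing */
    return verify(out) ? 0 : -1;
}

int main(void) {
    char img[64];
    put(GOOD); install_racy(1, img, sizeof img); printf("racy installs: %s\n", img);
    put(GOOD); install_safe(1, img, sizeof img); printf("safe installs: %s\n", img);
    remove(PKG);
    return 0;
}
```

The same fix applies when the package is too large to buffer: copy it to storage the other party cannot write to, then verify and install from that copy.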

Post-hack tasks

While still in recovery.

Some things you may wish to do:

  • If CityID bothers you:
    host$ adb shell
    $ su
    # /system/bin/rm /system/app/CityID.apk

    All gone!

Outside of recovery.

  • Wifi Tether:
    • Download fw_bcm4329.bin and place it in /sdcard/android.tether
      • Create the android.tether directory:
        host$ adb shell
        $ su
        # mkdir /sdcard/android.tether
      • Push the file:
        host$ adb push fw_bcm4329.bin /sdcard/android.tether
    • Install the Android Wifi Tether application from the Market or use the QR code below for convenience :)
  • If you appreciate this work and feel the urge to donate to someone, please donate to the EFF. (That link will associate your donation with our team; if there is another team you've been meaning to donate in honor of, though, we're not picky – we're happy for any donations to get to the EFF, even if they don't help send us to DEF CON!)
public/adb_in_recovery.txt · Last modified: 2010/06/19 23:53 by ejhart