Click this image to return to the front page.

HTC Dream/Google G1 Tricks

Last Update: July 12, 2014

  1. Introduction
  2. Useful Button Combinations
  3. Get Root
  4. Get Console
  5. Get Root Console


Basically, I want a computer in my hand. I want to be able to SSH into it, run servers on it, connect to WiFi access points and check my mail or read Wikipedia or use instant message networks and IRC software. Basic services that I currently use a laptop for.

I don't want to be saddled with contracts or call plans that cost me thousands of dollars over their entire lifespan, or shell out hundreds of dollars for a device that shatters when I drop it a couple of feet, or is abandoned by its manufactures and third-party software developers eighteen months later, or is part of a 'walled garden' ideology.
Which, unfortunately, eliminates the entire cell phone market - at least in terms of off-the-shelf hardware and software. 'Palmtop' computers were a thing in the late 1990's and early 2k's but with the explosion in the 'smart' phone market these system have all but vanished. (Not to mention that they were usually stupidly expensive.)

On the surface, Android seems like a great idea.
Open source Linux-based operating system, unified hardware design, an entire pantheon of supporting companies.
But the manufacturers stuck to their old tricks: locked down phones loaded with bloatware and development tools designed by committee.
Sadly, third-party support isn't much better. The mobile phone modding/hacking community is rife with dogma, poor spelling and worse sentence structure. I quickly became frustrated with nonsense instructions (some of which turned out to be true; try tapping the build number menu item seven times) and reposts of reposts of reposts (and each time the instructions in question become more garbled and less functional, like a big game of telephone where your handset is an expensive brick at the end).

The following are my explorations into the HTC Dream (aka the G1) phone, the first Android device released onto the market. I'll try to stick to the bare minimum and I'll do my best write everything out as clearly and completely as possible. No sketchy self-branded utilities, no pay-walls or involuntary donations, no six page essays that don't actually teach anything, no bullshit.

I went with the HTC Dream/Google G1 for a couple of reasons: ~$30 shipped on eBay, flip out mechanical keyboard (personal preference), and being literally the first Android phone in the wild there is a lot of information available for it, even today. The first revision of the OS also had a hilarious bug, which we'll exploit the hell out of in a second.

Quick note: This is a accurate record of what I did, based on my notes and recollection. It's entirely possible I missed a step or three so feel free to drop me a line if something doesn't work and you think I messed up somewhere. I'd love for this page to be accurate and useful and it's neither if something is incorrect.

Useful Button Combinations

TODO: Button diagram.

Get Root

  1. Check to see if phone is already running firmware 'RC29'/1.0 (first release of the Android OS):

    • Power on phone to any screen.

    • Pop out keyboard and press enter one or more times to make sure there is no random characters on the line.

    • Type 'reboot' and press enter.

    If the phone rebooted, you are running 'RC29'/1.0.

  2. If your phone is NOT running RC29, this is how you downgrade it:

    • Acquire a valid 'RC29'/1.0 firmware image.
      Sadly the stock firmware is no longer available directly from an official source. (Thanks a lot T-Mobile/Google.)
      Depending on your paranoia level you can acquire an appropriate image from a number of places. The CyanogenMods old wiki had an excellent page that listed all the various firmware releases for the HTC Dream, but for reasons unknown to me it appears that the administrators saw fit to delete the old wiki in the last few weeks (as of July 17 2014).
      Bitter snark aside, the new page does have a link to a copy of the stock firmware image.

      The file should be named DREAIMG.nbh; the file I'm using has an md5 sum of: 53840b90a0fe1bfab19fab8ef8fb9724.

    • Get a microSD card, any size. Make sure it's been formatted to the FAT32 filesystem, and copy the firmware image to the root of it (e.g. not in any folder/directory).

    • Make sure your phone is plugged into it's charger or has a fully charged battery.

    • Plug that microSD card into your phone and boot into self-test/bootloader mode. (Hold down the Camera button on the side and the Power button on the front at the same time until it powers up.)

    • The phone should boot into LCD test mode, and almost immediately switch to a gray screen with blue text.
      Text at the bottom should pop up: Press power button to start update and Press action button to cancel update image.
      Press the power (aka Call End/Hang Up) button.

    • You'll see a progress bar and the text Update in progress... pop up.
      Wait until the update finishes. When it is done you will see the text Update complete, UPDATE SUCCESS, press action key.
      At that point go ahead and press the Action key (trackball button).

    • The phone will drop back into LCD test mode. Reboot the phone (via the Call+Menu+Power button combo).
      And you're done!

  3. Here is what's going on: Turns out the first release of the firmware had the interesting bug(?) of executing everything that was typed into the keyboard as if it was being typed onto a command line with superuser privileges.
    I've never heard any explanation as to why this was the case, but its great for us since this gives us root access right out of the box.

    But wait, how does that help us? Sure, we can run stuff as root now but we can't see what we're typing or the results of commands. It would be really nice to have access to some kind of console.

  4. Fortunately, the official Android development tools provide a utility for that, called adb (Android Debug Bridge). Here is how to set it up:

    • Install the Android Debug Bridge utility.
      I'm running Fedora, so for me I just need to run the following: sudo yum install android-tools. That installs a number of utilities, including ADB.

    • Make sure your system recognizes the phone.
      Get a USB cable, plug in your phone and turn it on. On Fedora, something like the following should appear in your dmesg output:
      [14303.718026] usb 1-2: new high-speed USB device number 6 using ehci-pci
      [14303.846154] usb 1-2: New USB device found, idVendor=0bb4, idProduct=0c01
      [14303.846159] usb 1-2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
      [14303.846162] usb 1-2: Product: Android Phone
      [14303.846165] usb 1-2: Manufacturer: HTC
      [14303.846167] usb 1-2: SerialNumber: [REDACTED]
      [14303.847347] usb-storage 1-2:1.0: USB Mass Storage device detected
      [14303.848131] scsi7 : usb-storage 1-2:1.0
      [14304.853192] scsi 7:0:0:0: Direct-Access HTC Android Phone 0100 PQ: 0 ANSI: 2
      [14304.855202] sd 7:0:0:0: Attached scsi generic sg6 type 0
      [14304.863301] sd 7:0:0:0: [sdf] Attached SCSI removable disk

    • Unplug the phone from your computer.
      Debug mode may still activate when it's plugged in, but this is what worked for me.

    • Enable ADB debug mode on the phone.
      I didn't want to link this phone to a Google account and I sure as hell don't have a call plan/contract with any phone company, but that makes it hard to get to the panel that lets us turn on ADB debug mode.
      Instead, we're going to make use of that keyboard/superuser bug I mentioned above to turn it on.

      When the phone is booted to the activation screen (or anywhere else), pop out the keyboard, press enter one or more times to clear the invisible command line of extraneous characters, and type in the following:
      setprop persist.service.adb.enable 1
      Press the enter key again, if you haven't already done so. Note that there will be no visible signs on the phone if the command worked.

    • Type in reboot followed by the enter key.

    • Wait until the phone fully boots, and plug the phone back in to your computer.
      The output of dmesg will be mostly identical to before, but note that the USB idProduct value for the device will have changed from 0c01 to 0c02.

    • Check to see if Android Debug Bridge utility can see the device.
      On the command line, type in adb devices. You'll probably see something like this:
      [carbon@localhost ~]$ adb devices
      * daemon not running. starting it now on port 5037 *
      * daemon started successfully *
      List of devices attached
      ???????????? no permissions

      If you see an empty list (i.e. no output after 'List of devices attached'), the system can't see your phone for some reason.
      If you see your devices serial number instead of a string of question marks, congrats! You device is ready to rock; jump over the udev rule step.

      If you don't see any output don't despair (yet).
      I've run into an issue where a phone that I downgraded to RC29 a week or two before trying to enable debug mode wouldn't show up in ADB, no matter how many times I tried to enable debug mode.
      The solution turned out to be to reflash the phone, then on the next boot immediately type in the ADB-enabling setprop command, and then immediately typing in reboot.
      On the next bootup the phone showed up in ADBs devices listing.
      It's worth pointing out that I tested this procedure both with SIM and microSD cards inserted and removed; doesn't appear to have an effect on the outcome.

    • Add udev rule to your system to make the device readable.
      (Note: You may be able to skip this step by running ADB as a superuser (i.e. sudo adb devices). Your mileage may vary and exercise caution when doing this.)

      I strongly recommend unplugging your phone and turning off the ADB server (via the adb kill-server command) before doing the following.
      Not 100% sure that it's needed, but it worked for me.

      1. Create a file in /etc/udev/rules.d/ called 51-android.rules

      2. In the file, add the following line:
        SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666", OWNER="[YOUR USERNAME HERE]"
        Be sure to insert your username into the appropriate location. Note that this command differs slightly from the official instructions provided by Google.

      3. Change the permissions of 51-android.rules like so:
        sudo chmod a+r 51-android.rules

      4. Reload udev rules.
        On Fedora, run: sudo udevadm control --reload-rules

    • Run adb devices again.
      You should see something like this now:
      [carbon@localhost ~]$ adb devices
      * daemon not running. starting it now on port 5037 *
      * daemon started successfully *
      List of devices attached
      [Device Serial Number] device

      With the devices serial number in the appropriate place, of course.

    • Run adb shell
      If you see a $ show up, congrats! You now have shell access to your device!
      Note that if you have multiple Android devices plugged in at once, you may need to tell ADB which one to use - consult the ADB usage information for the proper incantation.

    • (Optional) This is a great time to tweak the phone settings if desired.