Android Root Access Gained Through PTerminal Application

by Chris Moor on

Members of the XDA Developers forum have found a way to gain root access to their Android G1 handsets using a loophole in the PTerminal application.

PTerminal is available for download from the Android Market and can apparently be used to start a telnet connection on your G1 which can then be accessed from your PC – giving you root access to the device.

According to forum member Koush, the instructions are as follows:

  1. Turn on your phone’s WiFi. This gives your phone an IP you can reach it at.
  2. Get to a command prompt on your device by using the PTerminal application from the Android Market. (adb shell does not seem to work with these instructions; telnetd does not start up)
  3. cd system
  4. cd bin
  5. telnetd
  6. netstat (get your phone’s IP)
  7. telnet into your phone’s IP from your PC
  8. you now have root!

Whether a new ‘over the air’ update fixes this potential bug remains to be seen, but it might be a good idea to disable OTA updates if you decide to test this method.

Please be aware this is for advanced users only; root access is hidden for a reason.
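
The method above works because a telnetd started on the handset listens as root and hands a root shell to whoever connects. As an added example (not part of the original article or the forum post), this Python sketch checks text in /proc/net/tcp format for listening sockets owned by uid 0 and flags telnet on port 23; the sample input is constructed, and it assumes a little-endian device and IPv4 only.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10023        0 1377 1
   2: 6401A8C0:0017 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1402 1
"""

TCP_LISTEN = 0x0A   # kernel state code for a listening socket
TELNET_PORT = 23


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    Assumption: little-endian host, so the IPv4 address is byte-swapped hex.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def root_listeners(proc_net_tcp_text):
    """Return the listening IPv4 sockets owned by uid 0, one dict per socket."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue                                  # not a listener
        if int(cols[7]) != 0:
            continue                                  # not owned by root
        ip, port = decode_endpoint(cols[1])
        findings.append({
            "ip": ip,
            "port": port,
            "remote_reachable": not ip.startswith("127."),
            "telnet": port == TELNET_PORT,
        })
    return findings


if __name__ == "__main__":
    for finding in root_listeners(SAMPLE_PROC_NET_TCP):
        print(finding)
```

On a device, the same function can be fed the contents of /proc/net/tcp read from a shell.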


Categorized as Android Development

  • http://kunjan.net Kunjan

    The loophole is not in the PTerminal app. The problem is with telnetd running as root.

    Each app in Android has its own user. Telnetd is not a “standard” Android app, but a Linux binary that runs outside of the Android UI.

    telnetd is owned by root, and hence runs as root. But since there is no authentication for the root user, it works as expected.

    I suspect it was left there for debugging, and probably used by the SDK also.

  • nick

    Wow, I’m sure this will be ‘corrected’ in the next update… too bad, it can be very useful for exploring one’s device. Just if you turn on telnetd, make sure to turn it off before walking around in public.

  • nick

    fun tidbit… you can use it to restart your phone with the ‘reboot’ command.

  • SplasPood

    When I first found telnetd and discovered what user it ran as I tried connecting to my phone’s ip over 3g…. alas it seems very filtered

    I posted this to xda originally hoping others will find cool uses for it, at least while it lasts. :) can’t wait!

  • Fnord

    As of 8am CST telnetd stops running on mine, and busybox’s telnetd will not run either. pTerminal doesn’t show any errors, but when trying a different port, ‘busybox telnet 127.0.0.1 5555’ errored with ‘socket: permission denied’.

    Oddly, while I did install today’s OTA update, I was able to use the telnetd trick for a few hours before this happened. I think a stealth update removed pTerminal’s networking privs.

    Should’ve installed an sdcard backdoor instead of messing with an arm cross compiler for dropbear =[

  • Fnord

    Okay, apparently it still works if you enter ‘telnetd’ 2 or 3 times really fast as suggested elsewhere. Time to backdoor this thing!

    Also, there is an alternate means of getting root that doesn’t require wifi.
    Step 1: Have a server or shell account that allows tunneling.
    Step 2: Download ConnectBot, ssh into step 1.
    Step 3: Make a Remote tunnel, remote port anything (like 12345), local: localhost:25
    Step 4: Spam telnetd really fast as stated above.
    Step 5: Login to shell account and telnet localhost 12345
    Step 6: Enjoy your root.

  • Zach

    I’m such a n00b I don’t understand all this shit I just know that I need “root access” to use the screenshot app I downloaded in the market.

    it shouldn’t be THIS difficult to do it (like I said, I’m a little inept at this), why couldn’t they just install it on the phone?!

  • Roy

    I’ve got a connection refused msg from telnet.. :(
    What should I do?

  • http://www.alanlupsha.com Alan

    Hi everyone,

    I’ve compiled a set of instructions of rooting which actually worked for me. I hope this helps someone:

    http://ww2.cs.fsu.edu/~lupsha/android/

    Alan

  • wensterretje

    Root doesn’t work on the G1!!! I get telnetd permission denied. :( :(