# TacoRoot - HTC Universal Root Exploit 12-30-2011



## jcase (Jun 7, 2011)

Tacoroot is a root exploit for HTC phones, to the best of my knowledge it covers their whole portfolio at this time.

TacoRoot may void your warranty. This is not an s-off/unlock, but a temporary root method - and an unstable one at that. Your phone will be unstable until the undo parameter is used, and may not fully boot. ADB, however, will come up as root. If this breaks your phone, it is your fault not our's.

Donations not required, but if you really want to you can find my donate app in signature or paypal on the left hand side of this post. Funds go for devices (for more lulzrooting), kick backs for my kids, and to charities of my choice.

https://market.andro...b=Cunning+Logic

This vulnerability was independently discovered by Justin Case (http://twitter.com/teamandirc) and Dan Rosenberg (https://twitter.com/#!/djrbliss). Unrevoked and (http://twitter.com/unrevoked) and AlphaRev (https://twitter.com/#!/alpharevx) were also aware of it as well. TacoRoot was written by Justin Case (jcase), with the help of Reid Holland (erishasnobattery).

TacoRoot is brought to you by TeamAndIRC, AndroidPolice and RootzWiki

https://github.com/C...gLogic/TacoRoot

This main purpose of TacoRoot is to allow downgrading on phones such as the myTouch 4g, which has no other working temp root and no means of unlocking.

Instructions are self explanatory
adb push tacoroot.bin /data/local/
adb shell chmod 755 /data/local/tacoroot.sh
adb shell /data/local/tacoroot.sh

This is the official support thread, however I am unable to provide support for every model phone.


----------



## phillyfisher (Jun 8, 2011)

First and foremost i want to thank you for the hard work it may have took to create this for the community.

I attempted this method 2x and was unable to achieve temp root. Here is a cut and paste of my terminal (MacOsX):

*new-host:~ jaxfisher$ /Users/jaxfisher/Desktop/dinc2/adb push /Users/jaxfisher/Desktop/dinc2/tacoroot.bin /data/local/*
*1581 KB/s (14475 bytes in 0.008s)*
*new-host:~ jaxfisher$ /Users/jaxfisher/Desktop/dinc2/adb shell chmod 755 /data/local/tacoroot.bin*
*new-host:~ jaxfisher$ /Users/jaxfisher/Desktop/dinc2/adb shell /data/local/tacoroot.bin*
*TacoRoot: HTC Edition v1*
*By Justin Case (jcase)*
*Presented by TeamAndIRC, RootzWiki and AndroidPolice*
*With great assistance from Reid Holland (Erishasnobattery)*
*----------*
*TacoRoot: HTC Edition v1 is based on a vulnerability independently discovered by*
*both Justin Case and Dan Rosenberg (Rosenberg fist). I believe unrevoked and*
*AlpahRev were also aware of it.*
*----------*
*Usage:*
*--recovery : For this exploit to work, you must have booted recovery at least once after your last factory reset.*
*--setup : Setup the phone for root, must be done before --root.*
*--root : Root the phone.*
*--undo : Remove TacoRoot.*

Once i completed this i went into my phone terminal emulator to see if could get SU and it was a no go. Am I doing something wrong?

My phone is a Dinc2 "unlocked" with S-on.


----------



## jcase (Jun 7, 2011)

Read the usage instructions, you ran it without any of the required parameters, so all it did was output the help section.

Also this does not install su, it starts adbD as root, and requires a completely stock phone.



phillyfisher said:


> First and foremost i want to thank you for the hard work it may have took to create this for the community.
> 
> I attempted this method 2x and was unable to achieve temp root. Here is a cut and paste of my terminal (MacOsX):
> 
> ...


----------



## phillyfisher (Jun 8, 2011)

jcase said:


> Read the usage instructions, you ran it without any of the required parameters, so all it did was output the help section.
> 
> Also this does not install su, it starts adbD as root, and requires a completely stock phone.


Thanks, I appreciate your response. Thank you again for your contributions to the community.

In the mean time, i found a way to gain root on my Dinc2 (it's unlocked with S-on). Probably easy for most... but glad i figured it out.

Thanks.


----------



## izzyace (Jan 1, 2012)

Ok I tried this method but got a boot loop. All i want to do is downgrade my OS version on my myTouch 4G Slide. Is it still possible to downgrade even though I get a bootloop?


----------



## jcase (Jun 7, 2011)

izzyace said:


> Ok I tried this method but got a boot loop. All i want to do is downgrade my OS version on my myTouch 4G Slide. Is it still possible to downgrade even though I get a bootloop?


As warned in OP it can cause phoen to be unstable, aka bootloop. However adb remains going the whole time, you can patch your MISC partition while its looping to allow the downgrade.


----------



## izzyace (Jan 1, 2012)

jcase said:


> As warned in OP it can cause phoen to be unstable, aka bootloop. However adb remains going the whole time, you can patch your MISC partition while its looping to allow the downgrade.


Ok, I'll try misc_version to see if I can actually downgrade. Thank you for your help.


----------



## YrrchSebor (Jun 24, 2011)

hi there, i know that TacoRoot itself does not install Su, but is it possible to use the root adb shell to push Su and/or Clockworkmod, and then remove TacoRoot so that the phone boots back up normally? or is the sole purpose of this to downgrade the phone?

thx in advance for any info, and thx for bringing this tool to the community.


----------



## Captain_Throwback (Sep 2, 2011)

This method is very useful. I was able to use this to temp root my EVO 4G with the latest unlockable bootloader from HTC (2.18), without having to use their method to unlock it! Very nice. Of course, I used the mtd.img from an old EVO engineering build, since I don't believe your universal one will work on my device. But I was able to downgrade my main version nonetheless, and then roll back my bootloader to an easily unlockable version (with unrEVOked).

Thanks for your work on this!


----------



## mrhoopty (Apr 2, 2012)

Hello I need some help I am trying to root a EVO 4G 2-3-5 2.18 I have done the HTC unlock and am trying the taco method and the first time it did not take. So I the second time this is what i get please help thanks alot. C:\android>adb push tacoroot.sh /data/local/
33 KB/s (2129 bytes in 0.062s)

C:\android>adb shell chmod 755 /data/local/tacoroot.sh

C:\android>adb shell /data/local/tacoroot.sh --setup
TacoRoot: HTC Edition v1
By Justin Case (jcase)
Presented by TeamAndIRC, RootzWiki and AndroidPolice
With great assistance from Reid Holland (Erishasnobattery)
----------
TacoRoot: HTC Edition v1 is based on a vulnerability independently discovered by

both Justin Case and Dan Rosenberg (Rosenberg first). I believe unrevoked and
AlpahRev were also aware of it.
----------
Usage:
--recovery : For this exploit to work, you must have booted recovery at least on
ce after your last factory reset.
--setup : Setup the phone for root, must be done before --root.
--root : Root the phone.
--undo : Remove TacoRoot.
----------
Rebooting into recovery, please press Volume+, Volume- and Power at the same tim
e, and reboot the system.
rm failed for /data/data/recovery/log, No such file or directory

C:\android>adb shell
$


----------



## jellybellys (Apr 3, 2012)

mrhoopty said:


> Hello I need some help I am trying to root a EVO 4G 2-3-5 2.18 I have done the HTC unlock and am trying the taco method and the first time it did not take. So I the second time this is what i get please help thanks alot. C:\android>adb push tacoroot.sh /data/local/
> 33 KB/s (2129 bytes in 0.062s)
> 
> C:\android>adb shell chmod 755 /data/local/tacoroot.sh
> ...


If you have done an HTC unlock... just flash clockworkmod, then flash the root zip thru clockworkmod.


----------



## Captain_Throwback (Sep 2, 2011)

jellybellys said:


> If you have done an HTC unlock... just flash clockworkmod, then flash the root zip thru clockworkmod.


Better yet, flash RA-supersonic. But yes, if you've already unlocked your bootloader, root is only two steps away:

- Flash a custom recovery (Amon_RA's recommended - all others are unreliable on the Supersonic)
- Flash Superuser

Done!

TacoRoot would be an alternative rooting method that would allow you to temp root and downgrade HBOOT to unlock your NAND with a previous method.


----------



## sleddriver (Apr 8, 2012)

I am having pretty good luck but at step 11, I get the # but the command prompt doesn't stay there. It jumps to the command prompt for my android directory (L:\android>). So, when I enter the next command, I get "_the system cannot find the path specified_". It won't stay on the # for the next command. Any thoughts?


----------



## McSplatt (Oct 16, 2011)

so... do you suppose i could use this in place of zergRush , still following subsequent script commands in the downgrade tool for dinc2?


----------



## McSplatt (Oct 16, 2011)

jellybellys said:


> If you have done an HTC unlock... just flash clockworkmod, then flash the root zip thru clockworkmod.


what root zip?


----------



## dmeadows013 (Sep 7, 2011)

TACOS!!!!!!!!

And taco quit...

Great job Jcase. Keep the good stuff coming 

Sent from my ADR6425LVW using Tapatalk 2


----------



## 6foot5nbad (Jan 30, 2013)

Jcase, I need your help dude.......I have a problem with an Evo I got from someone, it mostly gets stuck in a bootloop however I think as long as the battery is fully charged it'll stay on. Bootloader is unlocked however I'm not able to boot into recovery in fastboot after I -fastboot flash recovery recovery.XXXXX.img-. I've tried several time to either -fastboot reboot recovery- or use hboot to boot into recovery but the phone just bootloops....... I'm not able to RUU because its on the 5.0.7. and there is no such RUU. I came across shortydoggs guide on XDA on how to RUU 5.0.7 but it requires su "#" and since I can't boot into recovery I can't flash an su.zip. I then came across your guide and I'm focusing on the temproot method to get su "#" so I can continue with shortydoggs guide. The problem is I can't boot into recovery so I can't create a recovery log file which is what the exploit requires to gain temp root. so I was wondering if I can -adb push log file /data/data/recovery/- to use your exploit without actually having to boot into recovery to create it, and if so, would you happen to have a recovery log file I can use?


----------

