OK, you know the drill: all these tips, tricks and hacks can and will eventually blow up your phone, so don't do it at home.
Anyways.
I finally got my hands on a real device, for a change! Looks a lot like the emulator, except that you can put it in your pocket for real. I am lucky enough to have a phone with a low enough RC number, so the root trick described here works. Apparently, it's becoming more and more difficult to find a “root-friendly” phone, so you might as well get a Dev Phone 1 from Google (I wish I had, anyways).
Adb is a pretty neat program. You can use it to access the phone or the emulator in the same way. So getting a shell on the G1 is as easy as plugging the USB cable into the phone and typing:
adb shell
Of course, you'll only get a uid of 2000 and not many permissions. The cool thing with the root bug is that it allows you to launch telnetd as root. Once this is done, just type:
adb forward tcp:4444 tcp:23
telnet localhost 4444
And voilà, a root shell!
Transferring stuff is done with adb push or pull. There is a catch though: adb push has the same low permissions as adb shell, and most transfer attempts will end up with “permission denied”.
The only partition that has write permission is /sdcard. Of course, /sdcard is mounted noexec. To transfer stuff, you can either log in as root and change the permissions on the partitions, or remount them. Or you can send things to /sdcard, and then log in as root and move them around. Except that mv will fail because it can't do a cross-device link. cp is nowhere to be found. What's left?
dd if=/sdcard/hello of=/data/hello
Update: It seems you can write to /data/local, which is mounted with exec permission.
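The difference between where you can write and where you can execute comes down to mount flags, which are separate from the file permissions that make adb push fail. As an added example (not from the original post), this shell sketch classifies mount-table lines and lists the mount points that are both writable and executable, the combination worth reviewing when hardening a device. The sample table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Illustrative lines only, not captured from a real G1.
SAMPLE_MOUNTS='rootfs / rootfs ro 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mmcblk0p1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0'

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_mounts: read mount-table lines on stdin, print "<mountpoint> <class>":
#   ro         mounted read-only
#   rw-noexec  writable, but nothing stored there can be executed
#   rw-exec    writable AND executable
classify_mounts() {
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        if has_opt "$opts" ro; then
            echo "$mnt ro"
        elif has_opt "$opts" noexec; then
            echo "$mnt rw-noexec"
        else
            echo "$mnt rw-exec"
        fi
    done
}

# writable_exec_mounts: print only the mount points classified rw-exec.
writable_exec_mounts() {
    classify_mounts | while read -r mnt class; do
        if [ "$class" = "rw-exec" ]; then echo "$mnt"; fi
    done
}

# Demo on the constructed sample. On a live system, feed the real table:
#   writable_exec_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | writable_exec_mounts
```

A mount that shows up as rw-exec can still be unwritable for a given uid: the flags say what the filesystem allows, and the ownership and mode bits decide who may actually use it.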
The phone kernel seems to have been compiled with module support turned on.