ConsoleShell

Easiest way to a root shell

  1. Reboot the phone
  2. Open the keyboard
  3. Type "telnetd" (without quotes)
  4. Press enter

Then type "telnet <ip-address-of-phone>" from another machine.

Note that this is useful for the owner of a phone who wants access to her own device for her own entertainment, but it is of no use to someone trying to write malware intended to gain root access remotely, since it requires physical access to actually type on the keyboard.

Alternatively, you can telnet in from the host machine over USB using the adb tool's port forwarding feature, e.g.:

adb forward tcp:9988 tcp:23  # 9988 is the local port number on the host
telnet localhost 9988

Why this works

These wonderful lines from /init.rc are the source of the fun:

## Daemon processes to be run by init.
##
service console /system/bin/sh
    console

You can see the source to init in system/core/init/init.c, but basically:

static char *console_name = "/dev/console";

Using a root shell, you can verify that cat /dev/console gets all input typed at the keyboard. So:

  • /dev/console has everything you type
  • init spawns /system/bin/sh as root with /dev/console as its input
  • Therefore, everything you type gets executed as root!

Once more for clarity: There's a root shell using the console as stdin, so all input on the physical keyboard on the phone is being interpreted by that shell (regardless of what application is being displayed, and regardless of whether it is responding to those keyboard presses itself).
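The three bullets above reduce to a property of the init.rc service definition: a service with the console option, no user option (so it inherits init's root identity) and no disabled option is a root shell fed by the keyboard. The following shell script, added here as an example and not code from the original page or from the Android project, parses an init.rc and flags exactly those services. It runs on the fragment quoted above (which it reports) and on a hardened variant (which it passes). The option names console, user and disabled are assumptions about the init of that era; only console appears on this page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit an init.rc for services
# that take the console as stdin and would therefore run keyboard input as root.
# Assumes the init.rc option names 'console', 'user' and 'disabled' (the first
# is on the page; the other two are assumed to be supported by init of that era).

# audit_init_rc: reads init.rc text on stdin, prints one line per risky service.
# A service is risky when it has the 'console' option, has no 'user <name>'
# option (so it runs as root, like init itself) and is not marked 'disabled'.
audit_init_rc() {
    awk '
        function report() {
            if (svc != "" && con && usr == "" && !dis)
                print svc ": root shell on console, autostarted"
        }
        /^service[[:space:]]+/ { report(); svc = $2; con = 0; usr = ""; dis = 0 }
        /^on[[:space:]]+/      { report(); svc = "" }
        /^[[:space:]]+console([[:space:]]|$)/  { con = 1 }
        /^[[:space:]]+user[[:space:]]+/        { usr = $2 }
        /^[[:space:]]+disabled([[:space:]]|$)/ { dis = 1 }
        END { report() }
    '
}

# Constructed sample 1: the fragment quoted from /init.rc on this page.
WEAK_INIT_RC='## Daemon processes to be run by init.
##
service console /system/bin/sh
    console
'

# Constructed sample 2: the same service with the options that remove the risk
# (not started automatically, and not running as root even when started).
HARDENED_INIT_RC='service console /system/bin/sh
    console
    disabled
    user shell
'

# Usage on a device: audit_init_rc < /init.rc
# Demo on the two constructed samples: sh audit_console.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "weak init.rc:";     printf '%s' "$WEAK_INIT_RC"     | audit_init_rc
    echo "hardened init.rc:"; printf '%s' "$HARDENED_INIT_RC" | audit_init_rc
fi
```

The awk program keeps per-service state and reports at each service boundary (a new service line, an on block, or end of file), so a console option that appears after an on block is not misattributed to the previous service.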

It won't be 100% reliable, because:

  • Keys like Alt aren't mapped, so you can't type slashes.
  • It's very easy to run a command like "cat" that never returns (it blocks waiting for input), after which the shell accepts no further commands; this is why it's suggested to reboot the phone before the telnetd trick.