Related
Just a thread for the few USCC people here - I've tried to UL the bootloader using TMO instructions - no go. It will reboot into the bootloader but it asks for the unlock.bin key (fastboot oem unlock returns an unknown command error). So at least theirs that much
Phone will also boot into recovery, and I get the associated normal options there (clear, mount /system, wide device/cache, load update via ADB, load update via SD, view recovery logs, etc). Interesting thing happens when I select "run graphics test" from the recovery menu - it gives an error, then the "no command" icon, then multicolor circles rotating - but it says "erasing" then "installing system update" then goes back to the recovery menu. Not sure if it's normal, but it's interesting.
I'm not a dev or a software guy really, but would like to hear some thoughts on the USCC version...would love to have root like the TMO - especially since it will get into the fastboot menu. Wish I knew more so I could be more help.
Same I'd like to here more about this since the unlocked version comes with an unlocked bootloader. I think it's because the T-Mobile version got released first so they had the jump start, and the unlocked version took till the 11th to be released so it's like we're late.
Killah1994 said:
Same I'd like to here more about this since the unlocked version comes with an unlocked bootloader. I think it's because the T-Mobile version got released first so they had the jump start, and the unlocked version took till the 11th to be released so it's like we're late.
Click to expand...
Click to collapse
you are talking about three different devices lol.. apparently USCC v20 is locked like everyone else.. TMobile typically allows BL unlocks, not because it was out first? and the unlocked variant is obviously from LG and unlockable by default...
elliwigy said:
you are talking about three different devices lol.. apparently USCC v20 is locked like everyone else.. TMobile typically allows BL unlocks, not because it was out first? and the unlocked variant is obviously from LG and unlockable by default...
Click to expand...
Click to collapse
There you go, knew I was getting something mixed up.
us996 comes with an unlocked bootloader? what? I'm pretty sure mines locked like the rest...
Sent from my LG-US996 using Tapatalk
jayochs said:
us996 comes with an unlocked bootloader? what? I'm pretty sure mines locked like the rest...
Click to expand...
Click to collapse
if u read my previous post u can see i said the uscc BL is locked lol like everyone else
I seem to have a US996, but I got it early on. I believe it to be bootloader locked though, even though it's a developers device. I'm almost 100% sure it's the sim unlocked version as I tried a few sims and they worked. Anything I can do to help?
Abumarf said:
I seem to have a US996, but I got it early on. I believe it to be bootloader locked though, even though it's a developers device. I'm almost 100% sure it's the sim unlocked version as I tried a few sims and they worked. Anything I can do to help?
Click to expand...
Click to collapse
I recommended the officially unlocked variant of the V20 to @Abumarf believing he'd have no issues whatsoever in unlocking the bootloader. He purchased one off eBay before the phone was officially released and I believe it came with a user debug kernel. It seems similar to the engineering kernels for Samsung devices, as he has root access through the adb shell. Unlike the temporary root method that @me2151 had posted, it can survive reboots. Yet I'm surprised the fastboot command to unlock the bootloader returns with failure.
Ephemera said:
I recommended the officially unlocked variant of the V20 to @Abumarf believing he'd have no issues whatsoever in unlocking the bootloader. He purchased one off eBay before the phone was officially released and I believe it came with a user debug kernel. It seems similar to the engineering kernels for Samsung devices, as he has root access through the adb shell. Unlike the temporary root method that @me2151 had posted, it can survive reboots. Yet I'm surprised the fastboot command to unlock the bootloader returns with failure.
Click to expand...
Click to collapse
does he have a copy of the debug kernel? you can pm me a link if possible thatd be great so we can take a look at it.. if it is an eng kernel, it could potentially help to root other variants with locked BLs
---------- Post added at 02:41 AM ---------- Previous post was at 02:40 AM ----------
Ephemera said:
I recommended the officially unlocked variant of the V20 to @Abumarf believing he'd have no issues whatsoever in unlocking the bootloader. He purchased one off eBay before the phone was officially released and I believe it came with a user debug kernel. It seems similar to the engineering kernels for Samsung devices, as he has root access through the adb shell. Unlike the temporary root method that @me2151 had posted, it can survive reboots. Yet I'm surprised the fastboot command to unlock the bootloader returns with failure.
Click to expand...
Click to collapse
can you upload your aboot and kernel etc? if theyre eng or debug files im interested to check them out
---------- Post added at 02:41 AM ---------- Previous post was at 02:41 AM ----------
Abumarf said:
I seem to have a US996, but I got it early on. I believe it to be bootloader locked though, even though it's a developers device. I'm almost 100% sure it's the sim unlocked version as I tried a few sims and they worked. Anything I can do to help?
Click to expand...
Click to collapse
can you upload your aboot and kernel etc? if theyre eng or debug files im interested to check them out
@elliwigy I will most likely be selling the phone or handing it over to @Ephemera as I can't use it as a daily driver. We'll update you on what happens. If we do decide to sell, I'll see if we can extract and send them your way before we do.
Abumarf said:
@elliwigy I will most likely be selling the phone or handing it over to @Ephemera as I can't use it as a daily driver. We'll update you on what happens. If we do decide to sell, I'll see if we can extract and send them your way before we do.
Click to expand...
Click to collapse
hopefully you are able to as it shouldnt really take any time at all lol.. it would really help a lot of ppl out if it is in fact a debug kernel..
the root we have is a temp tcp root shell using a context we cant really do anything we need to do at all so it was pretty much a dead end so far
Abumarf said:
@elliwigy I will most likely be selling the phone or handing it over to @Ephemera as I can't use it as a daily driver. We'll update you on what happens. If we do decide to sell, I'll see if we can extract and send them your way before we do.
Click to expand...
Click to collapse
I will pay you for the debug files
I'm no developer or modder. I don't know too much about all that. I would rather not play with it, and that's the reason I'm selling it.
Abumarf said:
I'm no developer or modder. I don't know too much about all that. I would rather not play with it, and that's the reason I'm selling it.
Click to expand...
Click to collapse
you wont b doing anything to the phone.. if u have an adb root shell would just be copying a few files from the phone.. we can even tell you exactly what commands to use to make it easy.. we can invite you to a google hangout even so we can explain each step
Abumarf said:
I'm no developer or modder. I don't know too much about all that. I would rather not play with it, and that's the reason I'm selling it.
Click to expand...
Click to collapse
Whay are you asking for the phone?
I was looking to get what I spent for it, around $800
elliwigy said:
if u read my previous post u can see i said the uscc BL is locked lol like everyone else
Click to expand...
Click to collapse
yeah, the US cellular us996. it's different from the American unlocked us996. according to LG anyway, it lists it as two different phones.
I'm not on a US cellular one. I'm in an unlocked one with Verizon. the post above you said unlocked had unlocked bootloader. mines as unlocked as you get, and it doesn't have an unlocked bootloader.
Sent from my LG V20 US996
http://developer.lge.com/community/...nuId=38&contsTypeCode=QUE&prodTypeCode=MOBILE
Make yourselves heard. Let LG know we want the bootloader to be unlockable on the US996. I've talked to their live chat and they claim that they "didn't know people would want to unlock their bootloader". Show them we do.
Abumarf said:
I was looking to get what I spent for it, around $800
Click to expand...
Click to collapse
Ok if you download terminal emulator and type in get prop and send me the screen shots so i can verify it is indeed a debug kernel i will buy it from you but i would like to have proof of debug kernel
Sure, here it is: https://drive.google.com/file/d/0BwI6DTQJV37Ob1BwRkRab0xPRkk/view?usp=drivesdk
Also the phone is already up on Swappa
---------- Post added at 08:45 PM ---------- Previous post was at 08:36 PM ----------
@rickberg forgot to tag you
I have the Google Pixel on Verizon Android version 7.1.2 and Build Number NHG47Q with the latest August 5, 2017, security patch. Is it possible to unlock the bootloader and root? I purchased the Soft-Skip toolkit from mskip but have been unsuccessful trying to root and that thread doesn't have much action in it. I've read in a few other threads that it isn't possible to root with unlocking BL. So I'm confused and am wondering if any of you have other information.
No
Sent from my Pixel using XDA-Developers Legacy app
piperx said:
No
Sent from my Pixel using XDA-Developers Legacy app
Click to expand...
Click to collapse
haha, thought so.
Ever since I learned about the Google Pixel being unlocked and rooted with Verizon 7.1.1 version, I've been kicking myself for stupidly updating to 7.1.2. Well, it been a while and my phone is pressing me to update to 8.0. I've been searching for a temp root to edit the build.prop with no avail. My Question is after hesitating then giving kingroot one more shot for root access, is there a workaround for access? Here's what I have so far....
According to kingroot, it says "root successfully" however it also says "Notice: this model restricts ROOT authorization"
Looking at the OEM unlock from developer options, it's still greyed out.
Any help or solutions here?
ShadowWeasel said:
Ever since I learned about the Google Pixel being unlocked and rooted with Verizon 7.1.1 version, I've been kicking myself for stupidly updating to 7.1.2. Well, it been a while and my phone is pressing me to update to 8.0. I've been searching for a temp root to edit the build.prop with no avail. My Question is after hesitating then giving kingroot one more shot for root access, is there a workaround for access? Here's what I have so far....
According to kingroot, it says "root successfully" however it also says "Notice: this model restricts ROOT authorization"
Looking at the OEM unlock from developer options, it's still greyed out.
Any help or solutions here?
Click to expand...
Click to collapse
You don't have to have an unlocked bootloader in order to root. I've had plenty of Samsung's with root and no unlocked bootloader.
---------- Post added at 06:19 PM ---------- Previous post was at 06:04 PM ----------
Digital DJ said:
I have the Google Pixel on Verizon Android version 7.1.2 and Build Number NHG47Q with the latest August 5, 2017, security patch. Is it possible to unlock the bootloader and root? I purchased the Soft-Skip toolkit from mskip but have been unsuccessful trying to root and that thread doesn't have much action in it. I've read in a few other threads that it isn't possible to root with unlocking BL. So I'm confused and am wondering if any of you have other information.
Click to expand...
Click to collapse
In general an unlocked bootloader is not a prerequisite for root. I've had several phones with a locked bootloader but with root.
Tulsadiver said:
You don't have to have an unlocked bootloader in order to root. I've had plenty of Samsung's with root and no unlocked bootloader.
Click to expand...
Click to collapse
It claims to be rooted, but is not.... Any tips? I'm still trying both mobile and PC version. I'm kinda thinking of something between injecting thru ADB (not side loading) to finding out a way to decompile dePixel8 to make changes then recompile it to make it work. Only thing about the latter is it's years that I have done any type of actual programming and would like some steps from jcase or beaups.
---------- Post added at 02:15 AM ---------- Previous post was at 01:26 AM ----------
Here's everything I've done on rooting so far.... And supposedly kingroot apk is only way.
Others that failed includes kingroot (PC), iroot (both variants), kingoroot (both variants), skipsoft unified toolkit, Nexus root toolkit (don't ask, I leave myself open to possibilities), towelroot, z4root, pootroot, weaksauce, etc. (Even root methods as far back as to gingerbreak.)
One thing that is on my mind though is when you bring up the bootloader it shows it's being ran by Samsung?!? Any theories on that? I'm kinda leaning on looking backwards on how Samsung bootloader's were unlocked through ADB or fastboot. I remember back then there was a certain way of doing that, but my mind is moving so fast that I'm having a hard time remembering.
ShadowWeasel said:
It claims to be rooted, but is not.... Any tips? I'm still trying both mobile and PC version. I'm kinda thinking of something between injecting thru ADB (not side loading) to finding out a way to decompile dePixel8 to make changes then recompile it to make it work. Only thing about the latter is it's years that I have done any type of actual programming and would like some steps from jcase or beaups.
---------- Post added at 02:15 AM ---------- Previous post was at 01:26 AM ----------
Here's everything I've done on rooting so far.... And supposedly kingroot apk is only way.
Others that failed includes kingroot (PC), iroot (both variants), kingoroot (both variants), skipsoft unified toolkit, Nexus root toolkit (don't ask, I leave myself open to possibilities), towelroot, z4root, pootroot, weaksauce, etc. (Even root methods as far back as to gingerbreak.)
One thing that is on my mind though is when you bring up the bootloader it shows it's being ran by Samsung?!? Any theories on that? I'm kinda leaning on looking backwards on how Samsung bootloader's were unlocked through ADB or fastboot. I remember back then there was a certain way of doing that, but my mind is moving so fast that I'm having a hard time remembering.
Click to expand...
Click to collapse
I don't have any tips. Just trying to clear up a misunderstanding about bootloader and root.
---------- Post added at 07:32 PM ---------- Previous post was at 07:31 PM ----------
ShadowWeasel said:
It claims to be rooted, but is not.... Any tips? I'm still trying both mobile and PC version. I'm kinda thinking of something between injecting thru ADB (not side loading) to finding out a way to decompile dePixel8 to make changes then recompile it to make it work. Only thing about the latter is it's years that I have done any type of actual programming and would like some steps from jcase or beaups.
---------- Post added at 02:15 AM ---------- Previous post was at 01:26 AM ----------
Here's everything I've done on rooting so far.... And supposedly kingroot apk is only way.
Others that failed includes kingroot (PC), iroot (both variants), kingoroot (both variants), skipsoft unified toolkit, Nexus root toolkit (don't ask, I leave myself open to possibilities), towelroot, z4root, pootroot, weaksauce, etc. (Even root methods as far back as to gingerbreak.)
One thing that is on my mind though is when you bring up the bootloader it shows it's being ran by Samsung?!? Any theories on that? I'm kinda leaning on looking backwards on how Samsung bootloader's were unlocked through ADB or fastboot. I remember back then there was a certain way of doing that, but my mind is moving so fast that I'm having a hard time remembering.
Click to expand...
Click to collapse
I don't have any tips. Just trying to clear up a misunderstanding about a unlocked bootloader and root.
If I had the skills I think I would find someone with a pixel 2. Load an assembly language debugger and run the fastboot command that unlocks the pixel 2. If the same command could be injected into the pixels fastboot binary running on the phone you might trick it into unlocking just like the pixel 2.
Sent from my Pixel using Tapatalk
baknblack said:
If I had the skills I think I would find someone with a pixel 2. Load an assembly language debugger and run the fastboot command that unlocks the pixel 2. If the same command could be injected into the pixels fastboot binary running on the phone you might trick it into unlocking just like the pixel 2.
Click to expand...
Click to collapse
Assembly language debugger? Hmm. If this is true, wooden somebody had saved file and upload it to XDA? I'm getting curious now....
ShadowWeasel said:
Assembly language debugger? Hmm. If this is true, wooden somebody had saved file and upload it to XDA? I'm getting curious now....
Click to expand...
Click to collapse
Not many hackers are versed in assembly language. I've used it a few times over the years to patch an executable but, I had specific step by step instructions on how to do it. There are a lot of people around that know what they are doing but, I doubt we find them hanging around an android forum.
Sent from my Pixel using Tapatalk
baknblack said:
Not many hackers are versed in assembly language. I've used it a few times over the years to patch an executable but, I had specific step by step instructions on how to do it. There are a lot of people around that know what they are doing but, I doubt we find them hanging around an android forum.
Click to expand...
Click to collapse
I may check the deep web for some answers
Knowing or not knowing assembly won't help, you cannot modify the bootloader in any way when it's locked basically making this a fruitless effort.
Nick80835 said:
Knowing or not knowing assembly won't help, you cannot modify the bootloader in any way when it's locked basically making this a fruitless effort.
Click to expand...
Click to collapse
Don't need to modify the bootloader. Would just need to jump into the fastboot code in the same exact place with the same exact instruction that caused the rogue routine to run on the pixel 2. I would think it would be reasonable to assume the same coding bug that exists on the 2 might also be present in the other pixels. But, we'll never know unless someone with the knowledge were to try it.
Sent from my Pixel using Tapatalk
Tulsadiver said:
You don't have to have an unlocked bootloader in order to root. I've had plenty of Samsung's with root and no unlocked bootloader.
---------- Post added at 06:19 PM ---------- Previous post was at 06:04 PM ----------
In general an unlocked bootloader is not a prerequisite for root. I've had several phones with a locked bootloader but with root.
Click to expand...
Click to collapse
For the Pixel yes you do. You can't root without an unlocked bootloader
For what it's worth, it is relatively common any more, from what I hear, that an unlocked bootloader is required to root. The VS985 (Verizon) LG G3 was an exception in that the bootloader had an exploit that could be taken advantage of to effectively allow everything that an unlocked bootloader does. The HTC 10 is an exception in that you can just S-OFF and never unlock the bootloader and it's just as good if not better. There are always exceptions - when there are other avenues someone is clever enough to find, but as a rule going the other direction, if you can unlock the bootloader of a device, then you can usually easily root the device. As someone else said, on the Pixel, an unlocked bootloader has always been required to root.
Post updated -- v2.0
I believe the code to check for locked / unlocked state exists in all the v20 boot loader. To test this, I need some H918 volunteers that are willing to factory reset their phones / lock their boot loaders. Then use the patched LG UP to dump your phone before it ever boots up. So:
* Enter fastboot
* fastboot oem lock
* Get into download mode
* Load LG UP and dump your persist partition
* Get back into fastboot
* fastboot oem unlock
* Back to download mode
* Dump your persist partition again.
* MARK them
Zip both up and post them somewhere.
If we can figure out what flag gets set, and if the code to check for that flag exists, then we won't need the engineering aboot. Qualcomm sends reference implementations of the boot code to vendors (LG in this case). LG sends that reference implementation to the carriers. Some (T-Mobile) left the command to unlock the boot loader in aboot. Others (AT&T) removed ALL fastboot commands -- however, it looks like they didn't remove the check. So there is a chance that we could unlock our boot loaders without the need of fastboot -- just flash a modified persistent partition.
But WAIT! You need to be rooted in order to modify the persistent partition, so that would be pointless. You are mostly correct. If my theory is correct, AND we can get LAF flashing to work, we would no longer need the eng aboot. Imagine -- graphic glitch free boots
I am mainly concerned with this because I want to be able to upgrade my firmware. Eventually they may release firmware that is no longer compatible with the eng. aboot.
EDIT1: Yep, it has been verified that the check is there. However, the check isn't on the misc partition, it is on the persistent partition. I am still trying to work out exactly what gets set, but I know for a fact that the H910 aboot still has the check to see if the boot loader is unlocked -- it just doesn't have the ability to do so. I can't speak for other variants. I only have an H910 and H918.
-- Brian
runningnak3d said:
I believe the code to check for locked / unlocked state exists in all the v20 boot loader. To test this, I need some H918 volunteers that are willing to factory reset their phones / lock their boot loaders. Then use the patched LG UP to dump your phone before it ever boots up. So:
* Enter fastboot
* fastboot oem lock
* Get into download mode
* Load LG UP and dump your misc partition
* Get back into fastboot
* fastboot oem unlock
* Back to download mode
* Dump your misc partition again.
* MARK them
Zip both up and post them somewhere. I think it is probably just some flag on the misc partition. The misc partition also contains phone specific info (not your IMEI -- but still), so don't post them publicly.
If we can figure out what flag gets set, and if the code to check for that flag exists, then we won't need the engineering aboot. Qualcomm sends reference implementations of the boot code to vendors (LG in this case). LG sends that reference implementation to the carriers. Some (T-Mobile) left the command to unlock the boot loader in aboot. Others (AT&T) removed ALL fastboot commands -- however, it looks like they didn't remove the check. So there is a chance that we could unlock our boot loaders without the need of fastboot -- just flash a modified misc partition.
But WAIT! You need to be rooted in order to modify the misc partition, so that would be pointless. You are mostly correct. If my theory is correct, AND we can get LAF flashing to work, we would no longer need the eng aboot. Imagine -- graphic glitch free boots
I am mainly concerned with this because I want to be able to upgrade my firmware. Eventually they may release firmware that is no longer compatible with the eng. aboot.
-- Brian
Click to expand...
Click to collapse
Sadly I would help you myself but I'm rocking the h910
No biggie. Since I have both, I can do this myself -- it is just a PITA since I am going to have to go back to using my G4 since I need both V20s out of stock and my V10 is dead
But I think I have figured it out. Just have to test it. Since I don't have an easy way to write to the H910 (see the LAF post for how this WILL be easy), I am just going to test flashing the stock aboot along with my modified persist. If I am right, then my phone will boot. If I am wrong, then it will boot loop and I will have to flash the H915 KDZ and root the thing all over again.
Unfortunately, since a LOT of boot config data is read from the persist partition, it looks like there is a risk of bricking the phone here. Some of what I am looking at tells me that if something is wrong, aboot just falls back to a default state. But some of it looks like it could just power down the phone -- meaning NO download mode.
EDIT: Unless I am really missing something, I don't see why the G5 and G6 guys aren't trying to figure this out. Looking at the G5 (can't speak for the G6) the code is there as well to check for an unlocked boot loader. If that is the case for the G6 as well, then any model G5, V20, or G6 would be rootable. I must be missing something
-- Brian
runningnak3d said:
Post updated -- v2.0
I believe the code to check for locked / unlocked state exists in all the v20 boot loader. To test this, I need some H918 volunteers that are willing to factory reset their phones / lock their boot loaders. Then use the patched LG UP to dump your phone before it ever boots up. So:
* Enter fastboot
* fastboot oem lock
* Get into download mode
* Load LG UP and dump your persist partition
* Get back into fastboot
* fastboot oem unlock
* Back to download mode
* Dump your persist partition again.
* MARK them
Zip both up and post them somewhere.
If we can figure out what flag gets set, and if the code to check for that flag exists, then we won't need the engineering aboot. Qualcomm sends reference implementations of the boot code to vendors (LG in this case). LG sends that reference implementation to the carriers. Some (T-Mobile) left the command to unlock the boot loader in aboot. Others (AT&T) removed ALL fastboot commands -- however, it looks like they didn't remove the check. So there is a chance that we could unlock our boot loaders without the need of fastboot -- just flash a modified persistent partition.
But WAIT! You need to be rooted in order to modify the persistent partition, so that would be pointless. You are mostly correct. If my theory is correct, AND we can get LAF flashing to work, we would no longer need the eng aboot. Imagine -- graphic glitch free boots
I am mainly concerned with this because I want to be able to upgrade my firmware. Eventually they may release firmware that is no longer compatible with the eng. aboot.
EDIT1: Yep, it has been verified that the check is there. However, the check isn't on the misc partition, it is on the persistent partition. I am still trying to work out exactly what gets set, but I know for a fact that the H910 aboot still has the check to see if the boot loader is unlocked -- it just doesn't have the ability to do so. I can't speak for other variants. I only have an H910 and H918.
-- Brian
Click to expand...
Click to collapse
I have my bootloader already unlocked and if you type oem unlock again then it'll just say its already unlocked
---------- Post added at 07:18 PM ---------- Previous post was at 07:16 PM ----------
dudeawsome said:
I have my bootloader already unlocked and if you type oem unlock again then it'll just say its already unlocked
Click to expand...
Click to collapse
nevermind I miss read i could check this out later tonight if I have time
Update -- well, you know what you get if you dump the persistent partition from an H918 with an unlocked boot loader, and you flash it, along with the v10m stock aboot? An H910 with a unlocked boot loader.
So -- this theory checks out. The only thing holding this back is cracking the rest of the LAF protocol. Once that is done, and we can send partitions, we can send the proper persistent partition to unlock the boot loader, and then send over whatever else we want -- recovery, boot, etc...
Time for me to get back to looking at packet dumps.
Seriously, I can't be the only one that thought of this. If you guys know of a thread / threads from other LG phones (could even be older G3, G4), PLEASE let me know. I don't want to completely reinvent the wheel.
-- Brian
runningnak3d said:
Update -- well, you know what you get if you dump the persistent partition from an H918 with an unlocked boot loader, and you flash it, along with the v10m stock aboot? An H910 with a unlocked boot loader.
So -- this theory checks out. The only thing holding this back is cracking the rest of the LAF protocol. Once that is done, and we can send partitions, we can send the proper persistent partition to unlock the boot loader, and then send over whatever else we want -- recovery, boot, etc...
Time for me to get back to looking at packet dumps.
Seriously, I can't be the only one that thought of this. If you guys know of a thread / threads from other LG phones (could even be older G3, G4), PLEASE let me know. I don't want to completely reinvent the wheel.
-- Brian
Click to expand...
Click to collapse
I stumbled upon this wondered if it would be any help? because it has some options that seem maybe help
https://androidforums.com/threads/cwmr-ms323-cwm-6-0-5-0-for-lg-l70.862965/page-3
---------- Post added at 07:40 PM ---------- Previous post was at 07:36 PM ----------
dudeawsome said:
I stumbled upon this wondered if it would be any help? because it has some options that seem maybe help
https://androidforums.com/threads/cwmr-ms323-cwm-6-0-5-0-for-lg-l70.862965/page-3
Click to expand...
Click to collapse
https://www.google.com/url?sa=t&rct...63389/&usg=AFQjCNGsxS7hf5mbfA1yzAo37_Bkx5FRYw
---------- Post added at 07:42 PM ---------- Previous post was at 07:40 PM ----------
https://forum.xda-developers.com/android/general/unbrick-lg-model-download-recovery-t3060184
---------- Post added at 07:47 PM ---------- Previous post was at 07:42 PM ----------
https://forum.xda-developers.com/android/software-hacking/tool-lg-download-mode-laf-t3285946
---------- Post added at 07:48 PM ---------- Previous post was at 07:47 PM ----------
https://forum.xda-developers.com/android/software-hacking/tool-lg-download-mode-laf-t3285946
---------- Post added at 07:50 PM ---------- Previous post was at 07:48 PM ----------
here is an older g3 root method it uses download mode thought it might be useful to check out
https://forum.xda-developers.com/lg-g3/general/guide-root-method-lg-devices-t3129197
The second to the last link is from the guy that I linked to. That is exactly what I am trying to do, only updated for newer LG phones. The principal is the same, however they have added more security since then -- but not enough.
If they were to completely remove the ability to unlock the boot loader, and they forced OTA updates. There would be no rooting -- period. Let me rephrase that. Rooting would require physical access to the CPU, and even then they could lock that down. I was around back in the days of hacking DirecTV, and the security they have in place on Qualcomm CPUs is still fairly weak. However, they have the ability to completely lock it down. I won't go into details in case someone gets an idea.
Right now, with the V20, any model (except the H918) can run firmware from any other model. That is kind of unheard of. I have no idea who was asleep at the wheel and said: "Aww screw it -- just use the same key for all of them!", but that has opened up a world of possibilities for us.
OK -- got of on a tangent. This whole exercise of unlocking the boot loader doesn't really help US much since we have the engineering aboot, and the H918 has fastboot oem unlock. However, maybe we can get some others to help, since this would apply the the G5, and the G6 and probably the V30 as well.
-- Brian
runningnak3d said:
The second to the last link is from the guy that I linked to. That is exactly what I am trying to do, only updated for newer LG phones. The principal is the same, however they have added more security since then -- but not enough.
If they were to completely remove the ability to unlock the boot loader, and they forced OTA updates. There would be no rooting -- period. Let me rephrase that. Rooting would require physical access to the CPU, and even then they could lock that down. I was around back in the days of hacking DirecTV, and the security they have in place on Qualcomm CPUs is still fairly weak. However, they have the ability to completely lock it down. I won't go into details in case someone gets an idea.
Right now, with the V20, any model (except the H918) can run firmware from any other model. That is kind of unheard of. I have no idea who was asleep at the wheel and said: "Aww screw it -- just use the same key for all of them!", but that has opened up a world of possibilities for us.
OK -- got of on a tangent. This whole exercise of unlocking the boot loader doesn't really help US much since we have the engineering aboot, and the H918 has fastboot oem unlock. However, maybe we can get some others to help, since this would apply the the G5, and the G6 and probably the V30 as well.
-- Brian
Click to expand...
Click to collapse
oh okay i see
Any hope for this? Do you need testers? I got my replacement 918 yesterday and if I can't root this thing I might just return it.
@justthefacts Since you have a fresh phone, I really need a couple of things:
Setup this USB sniffer for Windows: link. I have never done raw USB capture in Windows. I run a VM and capture through Linux with usbmon, but reading the docs, it looks very straight forward.
Enable sniffing before doing the following:
1 - Download the patched LG UP and dump your phone BEFORE unlocking the boot loader.
2 - Unlock your boot loader, and then dump your phone again.
I will discuss with you in private about the files.
I have an H918, but I am on a mix of 10p and 10j, because I want to keep root -- of course, so doing this myself isn't possible or reliable. Need a naked / fresh / 10p phone.
Next, I need a packet sniff of a full flash of the 10p KDZ. It will be HUGE since it will contain all the data that is sent, but I can deal with that if you can.
Zip it up, and post it someplace. Again, I would do this myself, but then I would be stuck on 10p.
If you need any help, or can't do it, let me know.
Root is completely possible if I can get some help from some people. This isn't a maybe, or I think it is possible -- it just requires more info on the LAF protocol so that a transfer can be started.
-- Brian
I won't be in front of a computer till sometime tonight at around 7 pm Pacific time. I'll get started then and will get in touch with questions.
This check you're talking about makes me think of something that happened with my recent G5.
It's the euro variant which can unlock. I did so, and... "removed"
But when the phone rebooted, I got the message "Your phone is corrupt, blah blah something" (won't boot), so I though ah damn. Then I got into LAF and flashed the latest KDZ, and whaddayouknow, it boot's again.
But now the bootloader is locked, and because what I did, it can't be unlocked again.
So I was thinking there must be some checking of the validity of unlock key in relation to imei and device id, or something.
Or maybe it was simply the act of writing the nv area with qpst, who knows...
@askermk2000 When you say that it was unlockable. Did you have to get the unlock.bin from LG, or was it unlockable via fastboot? Either way, once this is completely figured out, you will be able to unlock your phone again.
LG has PI**ED me off something fierce, and I am going to put all my effort into making them wish that they hadn't been complete idiots. I love learning, but having to reverse engineer my phone -- let me say that again -- *MY PHONE*, just so that I can run what I want, how I want, is just freaking absurd. So, since I do have to spend this effort -- I am going to make sure that they will have to go to OTA updates in order to lock their future phones down.
I would be just as mad if I bought a PC from HP, or Dell, and I couldn't install Linux on it. Not for any technical reason, just because they didn't want me to. Phones are no different. On the above mentioned PCs, you can go into UEFI and turn off secure boot. I want that same that to be EASILY possible on any phone that I buy. I don't mean just unlocking the boot loader. I mean being able to change the boot loader as well. Why? Because it is MY phone.
Also, please send me the complete details of what you did in a PM. I need to know what partitions you changed....
-- Brian
Hi, I have a spare v20. I can help you with anything as I dont use the phone at all. Just send me any files you want me use and I'll do it no problem. I promise I won't give any headaches I have been rooting and flashing my phones for over a decade
Hallo I have the lg v20 h918 7.0 10p can it be rooted?
xXCoolGuYXx said:
Hallo I have the lg v20 h918 7.0 10p can it be rooted?
Click to expand...
Click to collapse
Dude I just answered your question for the past 15 min... Not cool to be spamming around in the forums for something that was clearly explained. Peace out!
storm68 said:
Dude I just answered your question for the past 15 min... Not cool to be spamming around in the forums for something that was clearly explained. Peace out!
Click to expand...
Click to collapse
What's spamming just didn't know which one to put it in sorry
xXCoolGuYXx said:
Hallo I have the lg v20 h918 7.0 10p can it be rooted?
Click to expand...
Click to collapse
10P can't be rooted, it also can't be rolled back
Sent from my LG V20 using XDA Labs
BROKEN1981 said:
10P can't be rooted, it also can't be rolled back
Click to expand...
Click to collapse
Dang that sucks but thanks though .
---------- Post added at 11:55 PM ---------- Previous post was at 11:49 PM ----------
BROKEN1981 said:
10P can't be rooted, it also can't be rolled back
Click to expand...
Click to collapse
But I read on google it can be rooted can you look at this for me to see if I'm reading this right
https://www.androidinfotech.com/2017/08/lg-v20-t-mobile-h91810p.html
---------- Post added 16th October 2017 at 12:00 AM ---------- Previous post was 15th October 2017 at 11:55 PM ----------
BROKEN1981 said:
10P can't be rooted, it also can't be rolled back
Click to expand...
Click to collapse
Will the dirty cow way work?
xXCoolGuYXx said:
Dang that sucks but thanks though .
---------- Post added at 11:55 PM ---------- Previous post was at 11:49 PM ----------
But I read on google it can be rooted can you look at this for me to see if I'm reading this right
https://www.androidinfotech.com/2017/08/lg-v20-t-mobile-h91810p.html
---------- Post added 16th October 2017 at 12:00 AM ---------- Previous post was 15th October 2017 at 11:55 PM ----------
Will the dirty cow way work?
Click to expand...
Click to collapse
The answer is still no.
I have an option to get new phone with contract reneval. I like devices with strange "additions", thats why I had Moto Z3 Play before. And now I'm thinking about Velvet coz of it's Dual Screen.
However I need root for few apps I use (some for my own usage, some work related).
Do You believe that there will be a way to root Velvet in the nearest feature? Or ever?
I'm more asking if You believe there will be a way to fash Magisk patched kernel.
I know that nonflagship LG device doesnt even have an option to unlock bootoloader nd even the flagships (V60?) have blocked fastboot command, so unlocking does nothing...
https://developer.lge.com/resource/mobile/RetrieveBootloader.dev?categoryId=CTULRS0703
Sad to see this after I chose something else...
Still, as I read about other LG devices it seems that unlockable bootloader doesn't have to mean that there is access to fastboot commands. An without that there is no reason to unlock it.
I thought about a new phone for a long time and I hope you are wrong. because I chose velvet. previously i had g6 and i already miss & root mods a lot. and what did you buy?
Realme X3 Superzoom. At least there is a root solution already
And they should share the sources like they did with older devices.
I'll miss the 2nd screen, but... Had a chance to play with it and my carrier gives it for free (screen or headphones) along with 3rd year of warranty.
I waiting for headphines ? they add choice (screen or it) after i buy phone :laugh: and i worry about lg is coming down with smartphone ... Have nice day and good luck with powerusing :victory:
Headphones? I'd choose the screen. F**k their DAC
Maybe one day I'll get LG with Dual Screen? Will see. As I signed the contract in the store I have no way to change it (not sure if I want to).
Anyway, nice day to You too. I miejmy nadzieje, ze znajdzie sie sposob na roota na Velveta
support unlocking the bootloader: • LG VELVET: LMG900EM/LMG
The following devices support unlocking the bootloader:
• LG VELVET: LMG900EM/LMG900EMW/LMG900EMX/LMG900D for the European market
dietoro said:
The following devices support unlocking the bootloader:
• LG VELVET: LMG900EM/LMG900EMW/LMG900EMX/LMG900D for the European market
Click to expand...
Click to collapse
I’ve been seeing the LMG900M a lot on ebay, wondering if this works too as i haven’t seen it on this list?
In the dark
Is there anyway us as a collective to unlock the bootloader ourselves. I literally don't know like I'm very new to this and want to try it out a rooted device
got a velvet.
unlock bootloader was no prob.
but stock roms are in kdz format. uncompressable since last dev of un-kdz un-dz seems to support just old and smaller formats.
tried several boot.img's and twrp's that seem to be same chipset.
nothing worked so far. hopin some of the rom-gurus gets hot on that dual-screen feature/case...which works really good.
i didnt get it to work with root, but i dont give up hope.
---------- Post added at 09:47 PM ---------- Previous post was at 09:30 PM ----------
Catrock31 said:
Is there anyway us as a collective to unlock the bootloader ourselves. I literally don't know like I'm very new to this and want to try it out a rooted device
Click to expand...
Click to collapse
just complete the process that wifredzik posted as link.
you ll get an unlock file from lg immediately.
enable developer options on your phone and in the following usb debugging.
boot into bootloader via adb and unlock as lg describes in the manual.
thats whats worked for me so far.
payed around with stock roms of other new mobile-phones that have the same chipset to extract the boot.img and modify it with magisk.
my strategy is to boot in with root, but without flashing partitions so that i can dump the original boot.img and modify with magisk just to flash it back.
but no other boot.img worked so far.
if there is somebody out there who can breakup the lg velvet stock rom (kdz-format) to intact img files please let me know.
BR
Mike
MikGx said:
got a velvet.
unlock bootloader was no prob.
but stock roms are in kdz format. uncompressable since last dev of un-kdz un-dz seems to support just old and smaller formats.
tried several boot.img's and twrp's that seem to be same chipset.
nothing worked so far. hopin some of the rom-gurus gets hot on that dual-screen feature/case...which works really good.
i didnt get it to work with root, but i dont give up hope.
---------- Post added at 09:47 PM ---------- Previous post was at 09:30 PM ----------
just complete the process that wifredzik posted as link.
you ll get an unlock file from lg immediately.
enable developer options on your phone and in the following usb debugging.
boot into bootloader via adb and unlock as lg describes in the manual.
thats whats worked for me so far.
Click to expand...
Click to collapse
Problem, i got the Canadian version witch is not one of the models listed on their site
Catrock31 said:
Problem, i got the Canadian version witch is not one of the models listed on their site
Click to expand...
Click to collapse
hm...i would try it anyways.
the worst that can happen is that lg dont sends back the unlock.bin.
iv`e taken a look inside the file.
its encrypted. so, no way to create it the easy way by yourself...
br
Mike
Lg Velvet Stock Ringtones
Anyone could please upload the stock ringtones? thanks
Root LG Velvet (LM-G900EM)
As i've found a way to root the Velvet i opended a new thread ind the Velvet section.
Have fun!
BR
Mike
I have been working on the sim unlock for the gm1915 for some time now. And could really use the help of our community. My Oneplus7 Pro is still financed, it was bought on ebay and can't be activated. So now I'm at the point that no messages pop up for the sim and I have some service but it won't register on the Network. Attached is the firehose I extracted from the .OPS Tmobile msmdownload on here. I don't think it's anywhere on line so enjoy my time well spent. The best way to use it is with QFIL then you can manage all the partitions as needed. I could really use a efs or qcn from a unlocked tmobile Op7P just make Sure u know how to clean out the imei. For your own benefits.
Update..
By digging into the unlock i found way more then i exspected . It seems there is a wrapper on the system. If anyone has noticed the Alarm or the Wake_lock .it all starts up after the very first boot ,with the gboard. Gboard and all the otheres are bonded together buy location services . This is all the gmscore .and when one is tripped by the alarm that is the wake_lock (clock) they all know. And the simlock is android auto that is part of the hidden apps. I found a whitelist.xml showing them all.when the wrong sim is entered the alarm is tripped and call is made to honk the horn,this is the simlock wallpaper that pops up.Also its swiches the sim id to emergency only.The carrier plmns used to lock are located and tyed to game mode,I have found a vulnerablity in the gmscore and have been able to pull it all. There is just way to much more to go into. All of these items have to be cleard to simunlock ,this is why the Tmobile rom is needed. If in the process somthing is done wrong and tripps the alarm the phone will reset the lock and sometimes reboot and not start back up.
heres the Firehose files
Update, by erasing the modemst1 and modemst2 it deleats the sim lock. And don't effect the IMEI at all. But by erasing them it clears all the uim configurations. Restoring efs with twrp goes back to locked. I'm in the process of rebuilding the missing NV- items one by one and should have a fully functional Sim Unlock for the T-Mobile OP7p. After doing all I have I might just have a working bypass for most T-Mobile locked qualcomm devices using the unlock app.
Nice work
Good luck, keep us posted on progress.
Good work friend.
Can this work also for the gm1925?
justencase6 said:
Update, by erasing the modemst1 and modemst2 it deleats the sim lock. And don't effect the IMEI at all. But by erasing them it clears all the uim configurations. Restoring efs with twrp goes back to locked. I'm in the process of rebuilding the missing NV- items one by one and should have a fully functional Sim Unlock for the T-Mobile OP7p. After doing all I have I might just have a working bypass for most T-Mobile locked qualcomm devices using the unlock app.
Click to expand...
Click to collapse
Thanks, please keep us posted!
elital said:
Good work friend.
Can this work also for the gm1925?
Click to expand...
Click to collapse
very well possible . if you would like to test out and help me out PM me. i need others that can help me out.
PM sent as I'm same situation as you.
Very interesting
How were you able to erase the modems? I get an error (Critical Partition is locked) when I try and do this on my 7T
droidout said:
How were you able to erase the modems? I get an error (Critical Partition is locked) when I try and do this on my 7T
Click to expand...
Click to collapse
You will need to unpack the firehose file from the.ops back up file in the msmdownload tool for your phone. The one I have won't work .Its a different SOC then you can use it with QFIL and manage the partitions.
Am in
All help needed please. We need to crack this thing.
Maybe a bounty for anyone that can crack it too will help
sbenjy said:
All help needed please. We need to crack this thing.
Maybe a bounty for anyone that can crack it too will help
Click to expand...
Click to collapse
Right now I don't have access to all the info. And money is limited. I'm waiting for a good deal from eBay for one that only has a working unlocked main board. Don't care about anything else on it as long as I can connect to it. Then things will move faster. It seems they added alot this time.to stop us all
Update . If anyone would like to know and is not with the telegram group. I have found all the reasons why the T-Mobile OnePlus 7 pro has not been unlocked yet. Qualcomm has changed alot of internals and has a new updated encryption with the sdm855 SOC. But I'm not going to let it stop me. I have found out that the sim lock is implimented in the stock modem. I'm about done fully unencrypting it and already have it half way unpacked. I have also learnd that there might be a EFUSE for the sim lock. something else quit new. Looks like they must have started paying the programmers at tmobile for a change also.
keep it up dear we are waiting your work
i have a 7T that is sim locked and cannot be unlocked waiting your work
justencase6 said:
Update . If anyone would like to know and is not with the telegram group. I have found all the reasons why the T-Mobile OnePlus 7 pro has not been unlocked yet. Qualcomm has changed alot of internals and has a new updated encryption with the sdm855 SOC. But I'm not going to let it stop me. I have found out that the sim lock is implimented in the stock modem. I'm about done fully unencrypting it and already have it half way unpacked. I have also learnd that there might be a EFUSE for the sim lock. something else quit new. Looks like they must have started paying the programmers at tmobile for a change also.
Click to expand...
Click to collapse
Hey mate send me the link for the group. I got a little info I found out along my ways too
---------- Post added at 04:27 PM ---------- Previous post was at 04:23 PM ----------
I have a unlocked modemst we can play with. We may be able to push this. As I saw you tried to zero modemst out just like I did. It does sim unlock the device for sure. But as stated it also won't properly read a sim as I believe nv is screwed up. If we can combine some of this I bet we do it. I gots a few ideas as well. If any one is willing to try stuff and such. Mines already unlocked. I got mine done directly from tmobile so I can't out right test my other ideas any more
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
On a further note. I would prefer you be rooted with twrp already just so you have your own backups and such and not in the same boat I was for a bit
oneplus 7t T- mobile
please everybody lets work on this im ready i have a sim locked t mobile oneplus 7t and there is no wy to unlock i got it from ebay . im ready for any testing
---------- Post added at 07:43 PM ---------- Previous post was at 07:41 PM ----------
TheMadScientist said:
Hey mate send me the link for the group. I got a little info I found out along my ways too
---------- Post added at 04:27 PM ---------- Previous post was at 04:23 PM ----------
I have a unlocked modemst we can play with. We may be able to push this. As I saw you tried to zero modemst out just like I did. It does sim unlock the device for sure. But as stated it also won't properly read a sim as I believe nv is screwed up. If we can combine some of this I bet we do it. I gots a few ideas as well. If any one is willing to try stuff and such. Mines already unlocked. I got mine done directly from tmobile so I can't out right test my other ideas any more
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
On a further note. I would prefer you be rooted with twrp already just so you have your own backups and such and not in the same boat I was for a bit
Click to expand...
Click to collapse
im ready for any testin i have locked and simlocked oneplus 7t just give me the ideas and i will implement
Hi Op, have you tried the method of the sprint HTC One M9 to make a back up of a T-mo unlocked phone and try to write it to a locked one?
come on! we're dying here. I bouhght the tmobile op 7 pro and converted it to international. i got rid of that and currently have 2 GM1917 (OP7 Pro Unlocked) also a GM1925 which is my main problem. Its the OP 7 Pro 5G Sprint version. I've been trying t
frostwildfire said:
Hi Op, have you tried the method of the sprint HTC One M9 to make a back up of a T-mo unlocked phone and try to write it to a locked one?
Click to expand...
Click to collapse
wont work, i have went as far as erasing the full ufs even the gpt tables, and then writing back , the problem is the device encrypts the modemst1 and 2 using the hardware id .and that ID is hardcoded to the SOC and cant be changed , so u cant write another modemst1 and 2 to another device. the lock flag is encrypted inside them. I have been able to unlock the gm1925 sprint model .have locked and unlocked the same device 3 times now with sprints server.and just have to write the efs back to lock. even have a full log of the process. its just that im out of my range of exspertease and im haveing to learn as i go.
justencase6 said:
wont work, i have went as far as erasing the full ufs even the gpt tables, and then writing back , the problem is the device encrypts the modemst1 and 2 using the hardware id .and that ID is hardcoded to the SOC and cant be changed , so u cant write another modemst1 and 2 to another device. the lock flag is encrypted inside them. I have been able to unlock the gm1925 sprint model .have locked and unlocked the same device 3 times now with sprints server.and just have to write the efs back to lock. even have a full log of the process. its just that im out of my range of exspertease and im haveing to learn as i go.
Click to expand...
Click to collapse
Hi, I have also the gm1925 sprint model. Can you help to unlock it?