Cracking the unlocked boot loader - LG V20 Guides, News, & Discussion

Post updated -- v2.0
I believe the code to check for locked / unlocked state exists in all the V20 boot loaders. To test this, I need some H918 volunteers that are willing to factory reset their phones / lock their boot loaders. Then use the patched LG UP to dump your phone before it ever boots up. So:
* Enter fastboot
* fastboot oem lock
* Get into download mode
* Load LG UP and dump your persist partition
* Get back into fastboot
* fastboot oem unlock
* Back to download mode
* Dump your persist partition again.
* MARK them
Zip both up and post them somewhere.
If we can figure out what flag gets set, and if the code to check for that flag exists, then we won't need the engineering aboot. Qualcomm sends reference implementations of the boot code to vendors (LG in this case). LG sends that reference implementation to the carriers. Some (T-Mobile) left the command to unlock the boot loader in aboot. Others (AT&T) removed ALL fastboot commands -- however, it looks like they didn't remove the check. So there is a chance that we could unlock our boot loaders without the need of fastboot -- just flash a modified persistent partition.
But WAIT! You need to be rooted in order to modify the persistent partition, so that would be pointless. You are mostly correct. If my theory is correct, AND we can get LAF flashing to work, we would no longer need the eng aboot. Imagine -- graphic-glitch-free boots.
I am mainly concerned with this because I want to be able to upgrade my firmware. Eventually they may release firmware that is no longer compatible with the eng. aboot.
EDIT1: Yep, it has been verified that the check is there. However, the check isn't on the misc partition, it is on the persistent partition. I am still trying to work out exactly what gets set, but I know for a fact that the H910 aboot still has the check to see if the boot loader is unlocked -- it just doesn't have the ability to do so. I can't speak for other variants. I only have an H910 and H918.
-- Brian
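The comparison the post asks for comes down to a byte-level diff of the persist dump taken while locked against the one taken after unlocking. As an added example that is not part of the thread or of LG UP, here is a small Python script that does that comparison offline; the file names and the merge gap are assumptions.

```python
"""Byte-level comparison of two raw partition dumps, e.g. the persist
partition dumped with the boot loader locked and again after unlocking.

Added example for this thread, not LG's or the patched LG UP's code.
Assumptions: both dumps are complete raw images of the same size, and
the two file names passed on the command line are placeholders.
"""
import hashlib
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class DiffRegion:
    """One contiguous range of bytes that differs between the two dumps."""
    offset: int
    before: bytes   # bytes in the first (locked) dump
    after: bytes    # bytes in the second (unlocked) dump

    @property
    def length(self) -> int:
        return len(self.before)


def sha256_hex(data: bytes) -> str:
    """Digest of a whole dump; identical digests mean nothing changed."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(locked: bytes, unlocked: bytes, merge_gap: int = 8) -> List[DiffRegion]:
    """Return every range where the dumps differ, in ascending offset order.

    Differing bytes separated by at most `merge_gap` identical bytes are
    reported as one region, so a multi-byte flag or a small record whose
    padding did not change still shows up as a single hit.
    """
    if len(locked) != len(unlocked):
        raise ValueError(f"dump sizes differ: {len(locked)} vs {len(unlocked)}")
    regions: List[DiffRegion] = []
    start = last_diff = None
    for i, (a, b) in enumerate(zip(locked, unlocked)):
        if a == b:
            continue
        if start is None:
            start = i
        elif i - last_diff > merge_gap:
            # The identical stretch since the last difference is longer than
            # merge_gap, so close the open region and begin a new one.
            regions.append(DiffRegion(start, locked[start:last_diff + 1],
                                      unlocked[start:last_diff + 1]))
            start = i
        last_diff = i
    if start is not None:
        regions.append(DiffRegion(start, locked[start:last_diff + 1],
                                  unlocked[start:last_diff + 1]))
    return regions


def describe(region: DiffRegion) -> str:
    """Human-readable one-liner: offset, length, and both hex values."""
    return (f"0x{region.offset:08x} ({region.length} bytes): "
            f"{region.before.hex()} -> {region.after.hex()}")


def compare_dumps(locked_path: str, unlocked_path: str) -> List[DiffRegion]:
    """Load both files, print a report, and return the regions found."""
    with open(locked_path, "rb") as f:
        locked = f.read()
    with open(unlocked_path, "rb") as f:
        unlocked = f.read()
    print(f"{locked_path}: {len(locked)} bytes, sha256 {sha256_hex(locked)}")
    print(f"{unlocked_path}: {len(unlocked)} bytes, sha256 {sha256_hex(unlocked)}")
    regions = diff_regions(locked, unlocked)
    if not regions:
        print("dumps are identical; nothing in this partition changed")
    for r in regions:
        print(describe(r))
    return regions


if __name__ == "__main__":
    # Usage (placeholder names): python persist_diff.py locked.img unlocked.img
    if len(sys.argv) != 3:
        sys.exit("usage: persist_diff.py <locked.img> <unlocked.img>")
    compare_dumps(sys.argv[1], sys.argv[2])
```

Keep the two dumps private, as the thread notes they carry device-specific data; only the offsets and the differing bytes need to be shared.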

runningnak3d said:
I believe the code to check for locked / unlocked state exists in all the V20 boot loaders. To test this, I need some H918 volunteers that are willing to factory reset their phones / lock their boot loaders. Then use the patched LG UP to dump your phone before it ever boots up. So:
* Enter fastboot
* fastboot oem lock
* Get into download mode
* Load LG UP and dump your misc partition
* Get back into fastboot
* fastboot oem unlock
* Back to download mode
* Dump your misc partition again.
* MARK them
Zip both up and post them somewhere. I think it is probably just some flag on the misc partition. The misc partition also contains phone specific info (not your IMEI -- but still), so don't post them publicly.
If we can figure out what flag gets set, and if the code to check for that flag exists, then we won't need the engineering aboot. Qualcomm sends reference implementations of the boot code to vendors (LG in this case). LG sends that reference implementation to the carriers. Some (T-Mobile) left the command to unlock the boot loader in aboot. Others (AT&T) removed ALL fastboot commands -- however, it looks like they didn't remove the check. So there is a chance that we could unlock our boot loaders without the need of fastboot -- just flash a modified misc partition.
But WAIT! You need to be rooted in order to modify the misc partition, so that would be pointless. You are mostly correct. If my theory is correct, AND we can get LAF flashing to work, we would no longer need the eng aboot. Imagine -- graphic-glitch-free boots.
I am mainly concerned with this because I want to be able to upgrade my firmware. Eventually they may release firmware that is no longer compatible with the eng. aboot.
-- Brian
Sadly, I would help you myself, but I'm rocking the H910.

No biggie. Since I have both, I can do this myself -- it is just a PITA since I am going to have to go back to using my G4, since I need both V20s out of stock and my V10 is dead.
But I think I have figured it out. Just have to test it. Since I don't have an easy way to write to the H910 (see the LAF post for how this WILL be easy), I am just going to test flashing the stock aboot along with my modified persist. If I am right, then my phone will boot. If I am wrong, then it will boot loop and I will have to flash the H915 KDZ and root the thing all over again.
Unfortunately, since a LOT of boot config data is read from the persist partition, it looks like there is a risk of bricking the phone here. Some of what I am looking at tells me that if something is wrong, aboot just falls back to a default state. But some of it looks like it could just power down the phone -- meaning NO download mode.
EDIT: Unless I am really missing something, I don't see why the G5 and G6 guys aren't trying to figure this out. Looking at the G5 (can't speak for the G6), the code is there as well to check for an unlocked boot loader. If that is the case for the G6 as well, then any model G5, V20, or G6 would be rootable. I must be missing something.
-- Brian

runningnak3d said:
Post updated -- v2.0
I believe the code to check for locked / unlocked state exists in all the V20 boot loaders. To test this, I need some H918 volunteers that are willing to factory reset their phones / lock their boot loaders. Then use the patched LG UP to dump your phone before it ever boots up. So:
* Enter fastboot
* fastboot oem lock
* Get into download mode
* Load LG UP and dump your persist partition
* Get back into fastboot
* fastboot oem unlock
* Back to download mode
* Dump your persist partition again.
* MARK them
Zip both up and post them somewhere.
If we can figure out what flag gets set, and if the code to check for that flag exists, then we won't need the engineering aboot. Qualcomm sends reference implementations of the boot code to vendors (LG in this case). LG sends that reference implementation to the carriers. Some (T-Mobile) left the command to unlock the boot loader in aboot. Others (AT&T) removed ALL fastboot commands -- however, it looks like they didn't remove the check. So there is a chance that we could unlock our boot loaders without the need of fastboot -- just flash a modified persistent partition.
But WAIT! You need to be rooted in order to modify the persistent partition, so that would be pointless. You are mostly correct. If my theory is correct, AND we can get LAF flashing to work, we would no longer need the eng aboot. Imagine -- graphic-glitch-free boots.
I am mainly concerned with this because I want to be able to upgrade my firmware. Eventually they may release firmware that is no longer compatible with the eng. aboot.
EDIT1: Yep, it has been verified that the check is there. However, the check isn't on the misc partition, it is on the persistent partition. I am still trying to work out exactly what gets set, but I know for a fact that the H910 aboot still has the check to see if the boot loader is unlocked -- it just doesn't have the ability to do so. I can't speak for other variants. I only have an H910 and H918.
-- Brian
I have my bootloader already unlocked, and if you type oem unlock again then it'll just say it's already unlocked.
---------- Post added at 07:18 PM ---------- Previous post was at 07:16 PM ----------
dudeawsome said:
I have my bootloader already unlocked, and if you type oem unlock again then it'll just say it's already unlocked.
Never mind, I misread. I could check this out later tonight if I have time.

Update -- well, you know what you get if you dump the persistent partition from an H918 with an unlocked boot loader, and you flash it, along with the v10m stock aboot? An H910 with an unlocked boot loader.
So -- this theory checks out. The only thing holding this back is cracking the rest of the LAF protocol. Once that is done, and we can send partitions, we can send the proper persistent partition to unlock the boot loader, and then send over whatever else we want -- recovery, boot, etc...
Time for me to get back to looking at packet dumps.
Seriously, I can't be the only one that thought of this. If you guys know of a thread / threads from other LG phones (could even be older G3, G4), PLEASE let me know. I don't want to completely reinvent the wheel.
-- Brian

runningnak3d said:
Update -- well, you know what you get if you dump the persistent partition from an H918 with an unlocked boot loader, and you flash it, along with the v10m stock aboot? An H910 with an unlocked boot loader.
So -- this theory checks out. The only thing holding this back is cracking the rest of the LAF protocol. Once that is done, and we can send partitions, we can send the proper persistent partition to unlock the boot loader, and then send over whatever else we want -- recovery, boot, etc...
Time for me to get back to looking at packet dumps.
Seriously, I can't be the only one that thought of this. If you guys know of a thread / threads from other LG phones (could even be older G3, G4), PLEASE let me know. I don't want to completely reinvent the wheel.
-- Brian
I stumbled upon this and wondered if it would be any help, because it has some options that might help:
https://androidforums.com/threads/cwmr-ms323-cwm-6-0-5-0-for-lg-l70.862965/page-3
---------- Post added at 07:40 PM ---------- Previous post was at 07:36 PM ----------
dudeawsome said:
I stumbled upon this and wondered if it would be any help, because it has some options that might help:
https://androidforums.com/threads/cwmr-ms323-cwm-6-0-5-0-for-lg-l70.862965/page-3
https://www.google.com/url?sa=t&rct...63389/&usg=AFQjCNGsxS7hf5mbfA1yzAo37_Bkx5FRYw
---------- Post added at 07:42 PM ---------- Previous post was at 07:40 PM ----------
https://forum.xda-developers.com/android/general/unbrick-lg-model-download-recovery-t3060184
---------- Post added at 07:47 PM ---------- Previous post was at 07:42 PM ----------
https://forum.xda-developers.com/android/software-hacking/tool-lg-download-mode-laf-t3285946
---------- Post added at 07:50 PM ---------- Previous post was at 07:48 PM ----------
Here is an older G3 root method. It uses download mode; thought it might be useful to check out:
https://forum.xda-developers.com/lg-g3/general/guide-root-method-lg-devices-t3129197

The second to the last link is from the guy that I linked to. That is exactly what I am trying to do, only updated for newer LG phones. The principle is the same; however, they have added more security since then -- but not enough.
If they were to completely remove the ability to unlock the boot loader, and they forced OTA updates, there would be no rooting -- period. Let me rephrase that. Rooting would require physical access to the CPU, and even then they could lock that down. I was around back in the days of hacking DirecTV, and the security they have in place on Qualcomm CPUs is still fairly weak. However, they have the ability to completely lock it down. I won't go into details in case someone gets an idea.
Right now, with the V20, any model (except the H918) can run firmware from any other model. That is kind of unheard of. I have no idea who was asleep at the wheel and said: "Aww screw it -- just use the same key for all of them!", but that has opened up a world of possibilities for us.
OK -- got off on a tangent. This whole exercise of unlocking the boot loader doesn't really help US much since we have the engineering aboot, and the H918 has fastboot oem unlock. However, maybe we can get some others to help, since this would apply to the G5, and the G6, and probably the V30 as well.
-- Brian

runningnak3d said:
The second to the last link is from the guy that I linked to. That is exactly what I am trying to do, only updated for newer LG phones. The principle is the same; however, they have added more security since then -- but not enough.
If they were to completely remove the ability to unlock the boot loader, and they forced OTA updates, there would be no rooting -- period. Let me rephrase that. Rooting would require physical access to the CPU, and even then they could lock that down. I was around back in the days of hacking DirecTV, and the security they have in place on Qualcomm CPUs is still fairly weak. However, they have the ability to completely lock it down. I won't go into details in case someone gets an idea.
Right now, with the V20, any model (except the H918) can run firmware from any other model. That is kind of unheard of. I have no idea who was asleep at the wheel and said: "Aww screw it -- just use the same key for all of them!", but that has opened up a world of possibilities for us.
OK -- got off on a tangent. This whole exercise of unlocking the boot loader doesn't really help US much since we have the engineering aboot, and the H918 has fastboot oem unlock. However, maybe we can get some others to help, since this would apply to the G5, and the G6, and probably the V30 as well.
-- Brian
Oh okay, I see.

Any hope for this? Do you need testers? I got my replacement 918 yesterday and if I can't root this thing I might just return it.

@justthefacts Since you have a fresh phone, I really need a couple of things:
Set up this USB sniffer for Windows: link. I have never done raw USB capture in Windows. I run a VM and capture through Linux with usbmon, but reading the docs, it looks very straightforward.
Enable sniffing before doing the following:
1 - Download the patched LG UP and dump your phone BEFORE unlocking the boot loader.
2 - Unlock your boot loader, and then dump your phone again.
I will discuss with you in private about the files.
I have an H918, but I am on a mix of 10p and 10j, because I want to keep root -- of course, so doing this myself isn't possible or reliable. I need a naked / fresh / 10p phone.
Next, I need a packet sniff of a full flash of the 10p KDZ. It will be HUGE since it will contain all the data that is sent, but I can deal with that if you can.
Zip it up, and post it someplace. Again, I would do this myself, but then I would be stuck on 10p.
If you need any help, or can't do it, let me know.
Root is completely possible if I can get some help from some people. This isn't a maybe, or I think it is possible -- it just requires more info on the LAF protocol so that a transfer can be started.
-- Brian

I won't be in front of a computer till sometime tonight at around 7 pm Pacific time. I'll get started then and will get in touch with questions.

This check you're talking about makes me think of something that happened with my recent G5.
It's the euro variant, which can unlock. I did so, and... "removed"
But when the phone rebooted, I got the message "Your phone is corrupt, blah blah something" (won't boot), so I thought, ah damn. Then I got into LAF and flashed the latest KDZ, and whaddayouknow, it boots again.
But now the bootloader is locked, and because of what I did, it can't be unlocked again.
So I was thinking there must be some checking of the validity of the unlock key in relation to IMEI and device ID, or something.
Or maybe it was simply the act of writing the NV area with QPST, who knows...

@askermk2000 When you say that it was unlockable, did you have to get the unlock.bin from LG, or was it unlockable via fastboot? Either way, once this is completely figured out, you will be able to unlock your phone again.
LG has PI**ED me off something fierce, and I am going to put all my effort into making them wish that they hadn't been complete idiots. I love learning, but having to reverse engineer my phone -- let me say that again -- *MY PHONE*, just so that I can run what I want, how I want, is just freaking absurd. So, since I do have to spend this effort -- I am going to make sure that they will have to go to OTA updates in order to lock their future phones down.
I would be just as mad if I bought a PC from HP, or Dell, and I couldn't install Linux on it. Not for any technical reason, just because they didn't want me to. Phones are no different. On the above mentioned PCs, you can go into UEFI and turn off secure boot. I want that same thing to be EASILY possible on any phone that I buy. I don't mean just unlocking the boot loader. I mean being able to change the boot loader as well. Why? Because it is MY phone.
Also, please send me the complete details of what you did in a PM. I need to know what partitions you changed....
-- Brian

Hi, I have a spare V20. I can help you with anything, as I don't use the phone at all. Just send me any files you want me to use and I'll do it, no problem. I promise I won't give any headaches; I have been rooting and flashing my phones for over a decade.

Hello, I have the LG V20 H918 7.0 10p. Can it be rooted?

xXCoolGuYXx said:
Hello, I have the LG V20 H918 7.0 10p. Can it be rooted?
Dude, I just answered your question for the past 15 min... Not cool to be spamming around in the forums for something that was clearly explained. Peace out!

storm68 said:
Dude, I just answered your question for the past 15 min... Not cool to be spamming around in the forums for something that was clearly explained. Peace out!
What's spamming? I just didn't know which one to put it in, sorry.

xXCoolGuYXx said:
Hello, I have the LG V20 H918 7.0 10p. Can it be rooted?
10P can't be rooted; it also can't be rolled back.

BROKEN1981 said:
10P can't be rooted; it also can't be rolled back.
Dang, that sucks, but thanks though.
---------- Post added at 11:55 PM ---------- Previous post was at 11:49 PM ----------
BROKEN1981 said:
10P can't be rooted; it also can't be rolled back.
But I read on Google that it can be rooted. Can you look at this for me to see if I'm reading this right?
https://www.androidinfotech.com/2017/08/lg-v20-t-mobile-h91810p.html
---------- Post added 16th October 2017 at 12:00 AM ---------- Previous post was 15th October 2017 at 11:55 PM ----------
BROKEN1981 said:
10P can't be rooted; it also can't be rolled back.
Will the Dirty COW way work?

xXCoolGuYXx said:
Dang, that sucks, but thanks though.
---------- Post added at 11:55 PM ---------- Previous post was at 11:49 PM ----------
But I read on Google that it can be rooted. Can you look at this for me to see if I'm reading this right?
https://www.androidinfotech.com/2017/08/lg-v20-t-mobile-h91810p.html
---------- Post added 16th October 2017 at 12:00 AM ---------- Previous post was 15th October 2017 at 11:55 PM ----------
Will the Dirty COW way work?
The answer is still no.

Related

USCC V20 (US996) Bootloader Unlock/Root Discussion

Just a thread for the few USCC people here. I've tried to UL the bootloader using TMO instructions -- no go. It will reboot into the bootloader, but it asks for the unlock.bin key (fastboot oem unlock returns an unknown command error). So at least there's that much.
The phone will also boot into recovery, and I get the associated normal options there (clear, mount /system, wipe device/cache, load update via ADB, load update via SD, view recovery logs, etc). An interesting thing happens when I select "run graphics test" from the recovery menu: it gives an error, then the "no command" icon, then multicolor circles rotating, but it says "erasing" then "installing system update" then goes back to the recovery menu. Not sure if it's normal, but it's interesting.
I'm not a dev or a software guy really, but would like to hear some thoughts on the USCC version... would love to have root like the TMO, especially since it will get into the fastboot menu. Wish I knew more so I could be more help.
Same, I'd like to hear more about this, since the unlocked version comes with an unlocked bootloader. I think it's because the T-Mobile version got released first so they had the jump start, and the unlocked version took till the 11th to be released, so it's like we're late.
Killah1994 said:
Same, I'd like to hear more about this, since the unlocked version comes with an unlocked bootloader. I think it's because the T-Mobile version got released first so they had the jump start, and the unlocked version took till the 11th to be released, so it's like we're late.
You are talking about three different devices lol.. apparently the USCC V20 is locked like everyone else.. T-Mobile typically allows BL unlocks, not because it was out first? And the unlocked variant is obviously from LG and unlockable by default...
elliwigy said:
You are talking about three different devices lol.. apparently the USCC V20 is locked like everyone else.. T-Mobile typically allows BL unlocks, not because it was out first? And the unlocked variant is obviously from LG and unlockable by default...
There you go, knew I was getting something mixed up.
US996 comes with an unlocked bootloader? What? I'm pretty sure mine's locked like the rest...
jayochs said:
US996 comes with an unlocked bootloader? What? I'm pretty sure mine's locked like the rest...
If you read my previous post you can see I said the USCC BL is locked lol, like everyone else.
I seem to have a US996, but I got it early on. I believe it to be bootloader locked though, even though it's a developers device. I'm almost 100% sure it's the sim unlocked version as I tried a few sims and they worked. Anything I can do to help?
Abumarf said:
I seem to have a US996, but I got it early on. I believe it to be bootloader locked though, even though it's a developers device. I'm almost 100% sure it's the sim unlocked version as I tried a few sims and they worked. Anything I can do to help?
I recommended the officially unlocked variant of the V20 to @Abumarf believing he'd have no issues whatsoever in unlocking the bootloader. He purchased one off eBay before the phone was officially released and I believe it came with a user debug kernel. It seems similar to the engineering kernels for Samsung devices, as he has root access through the adb shell. Unlike the temporary root method that @me2151 had posted, it can survive reboots. Yet I'm surprised the fastboot command to unlock the bootloader returns with failure.
Ephemera said:
I recommended the officially unlocked variant of the V20 to @Abumarf believing he'd have no issues whatsoever in unlocking the bootloader. He purchased one off eBay before the phone was officially released and I believe it came with a user debug kernel. It seems similar to the engineering kernels for Samsung devices, as he has root access through the adb shell. Unlike the temporary root method that @me2151 had posted, it can survive reboots. Yet I'm surprised the fastboot command to unlock the bootloader returns with failure.
Does he have a copy of the debug kernel? You can PM me a link if possible; that'd be great so we can take a look at it.. if it is an eng kernel, it could potentially help to root other variants with locked BLs.
---------- Post added at 02:41 AM ---------- Previous post was at 02:40 AM ----------
Ephemera said:
I recommended the officially unlocked variant of the V20 to @Abumarf believing he'd have no issues whatsoever in unlocking the bootloader. He purchased one off eBay before the phone was officially released and I believe it came with a user debug kernel. It seems similar to the engineering kernels for Samsung devices, as he has root access through the adb shell. Unlike the temporary root method that @me2151 had posted, it can survive reboots. Yet I'm surprised the fastboot command to unlock the bootloader returns with failure.
Can you upload your aboot and kernel etc? If they're eng or debug files, I'm interested to check them out.
---------- Post added at 02:41 AM ---------- Previous post was at 02:41 AM ----------
Abumarf said:
I seem to have a US996, but I got it early on. I believe it to be bootloader locked though, even though it's a developers device. I'm almost 100% sure it's the sim unlocked version as I tried a few sims and they worked. Anything I can do to help?
Can you upload your aboot and kernel etc? If they're eng or debug files, I'm interested to check them out.
@elliwigy I will most likely be selling the phone or handing it over to @Ephemera as I can't use it as a daily driver. We'll update you on what happens. If we do decide to sell, I'll see if we can extract and send them your way before we do.
Abumarf said:
@elliwigy I will most likely be selling the phone or handing it over to @Ephemera as I can't use it as a daily driver. We'll update you on what happens. If we do decide to sell, I'll see if we can extract and send them your way before we do.
Hopefully you are able to, as it shouldn't really take any time at all lol.. it would really help a lot of ppl out if it is in fact a debug kernel..
The root we have is a temp TCP root shell using a context we can't really do anything we need to do with at all, so it was pretty much a dead end so far.
Abumarf said:
@elliwigy I will most likely be selling the phone or handing it over to @Ephemera as I can't use it as a daily driver. We'll update you on what happens. If we do decide to sell, I'll see if we can extract and send them your way before we do.
I will pay you for the debug files
I'm no developer or modder. I don't know too much about all that. I would rather not play with it, and that's the reason I'm selling it.
Abumarf said:
I'm no developer or modder. I don't know too much about all that. I would rather not play with it, and that's the reason I'm selling it.
You won't be doing anything to the phone.. if you have an adb root shell, it would just be copying a few files from the phone.. we can even tell you exactly what commands to use to make it easy.. we can invite you to a Google Hangout even, so we can explain each step.
Abumarf said:
I'm no developer or modder. I don't know too much about all that. I would rather not play with it, and that's the reason I'm selling it.
What are you asking for the phone?
I was looking to get what I spent for it, around $800
elliwigy said:
If you read my previous post you can see I said the USCC BL is locked lol, like everyone else.
Yeah, the US Cellular US996. It's different from the American unlocked US996. According to LG anyway, it lists it as two different phones.
I'm not on a US Cellular one. I'm on an unlocked one with Verizon. The post above you said unlocked had an unlocked bootloader. Mine's as unlocked as you get, and it doesn't have an unlocked bootloader.
http://developer.lge.com/community/...nuId=38&contsTypeCode=QUE&prodTypeCode=MOBILE
Make yourselves heard. Let LG know we want the bootloader to be unlockable on the US996. I've talked to their live chat and they claim that they "didn't know people would want to unlock their bootloader". Show them we do.
Abumarf said:
I was looking to get what I spent for it, around $800
OK, if you download a terminal emulator and type in getprop and send me the screenshots so I can verify it is indeed a debug kernel, I will buy it from you, but I would like to have proof of a debug kernel.
Sure, here it is: https://drive.google.com/file/d/0BwI6DTQJV37Ob1BwRkRab0xPRkk/view?usp=drivesdk
Also the phone is already up on Swappa
---------- Post added at 08:45 PM ---------- Previous post was at 08:36 PM ----------
@rickberg forgot to tag you

FRP is unlock?

I haven't unlocked my bootloader, but in the bootloader I see FRP is Unlock. The other is locked, but why is FRP Unlock?
Rommco05 said:
If the bootloader is locked you can make one test. Go to the Developer section and check OEM. I think right now it is enabled. So disable OEM and again check FRP in fastboot. Don't forget, before unlocking the bootloader always enable OEM, because if you unlock the bootloader with OEM disabled you can't switch it to enabled anymore.
You're right, if FRP is unlocked = OEM enabled by the respective entry in the developer options menu.
I have an unlocked boot loader but by accident must have left this OEM enabled, because now I am getting an error on the fastboot screen about FRP enabled and I am not allowed to flash anything via fastboot.
So do I need to relock the bootloader now in order to have the option inside of developer options to set OEM enabled?
I have read that people that unlock and then relock the bootloader have run into many problems after doing so.
Somebody help me, please. I am really depressed; I feel now that I will be stuck on build 360 for the rest of my life. And I can't even sell the phone used in this condition because I don't want the bad karma of selling a crippled phone to an innocent victim. It is against my religious beliefs to inflict harm purposefully onto another. So I am in bad shape PERMANENTLY if I cannot get this working. Also I am in bad financial condition; I have also lost a lot of money on other tragedies recently in my personal life. I'm really depressed about this =(
fc3211 said:
Somebody help me, please. (...)
Hey, explain more, please; from which situation did you stumble here? Have you already tried the dload method? Do you have custom recovery or not? Can't know what to do without a short summary of how you came here.
RedSkull23 said:
Hey, explain more, please; from which situation did you stumble here? Have you already tried the dload method? Do you have custom recovery or not? Can't know what to do without a short summary of how you came here.
I have a rooted Honor 6x BLN-L24C567B630 with OpenKirin TWRP.
I have tried the dload method (but I can only get the 365 and 366 builds. Even though I am currently on build 360, I am not able to obtain the dload files for 360 because on the website the files are not available to download).
So I have tried to unzip the build 365 files into the dload folder of my SD card and then power off the phone and hold the 3 buttons to turn it on, but the update always fails at 5%.
I have FRP lock (that is my big problem) and I am no longer able to change it inside of developer options because the option is greyed out after I unlocked my bootloader. I have also tried to boot into fastboot to flash the stock boot.img and recovery.img, but flashing fails because of the FRP lock.
The only other idea I can think of is to relock the bootloader and hope that this will allow me to then go to developer options to turn off the FRP lock that is giving me so much trouble. But I want to confirm with you that this will be okay, because I don't want to permanently brick my phone. I am afraid to relock the bootloader because I have read posts of others who did so and had catastrophic results.
So any advice? Else I am stuck on build 360 for the rest of my life. If I could relock the bootloader and lose root permanently and go back to stock I would be okay with that. I can't even sell the phone used because it has a system notification about the build 365 OTA update being available, but when you try to install it the update fails (because of the FRP lock and the fact that I have TWRP). So an eBay customer would immediately try to run the system update and it would fail, and then they would complain to me and ask me to refund their money.
So unless I can fix this issue the phone is not capable of being sold. How do you think I will feel when the Oreo update is distributed and I will be the only one that cannot install it because of my FRP lock?
UPDATE: I think I see what I was doing wrong. I was trying to flash build 365 and build 366 even though I am currently on build 360. So I downloaded again the build 360 files and unzipped them into the dload folder.
This time it went all the way to 100% and it says it was a success. But after that it restarted the phone and now I am at the blue HONOR splash screen, and it has been over 5 minutes stuck there, so I am getting nervous again.
Uggggg.... It's been over 15 minutes now and it's still stuck at the blue splash screen that says HONOR.
How long should I wait before I try to hold down the power button to restart the phone? I'm planning to wait at least 1 hour. I have it with the charger plugged in.
Boy, I hope I didn't brick the thing permanently. That's the last thing I need this week with all my other problems that I am struggling with.
---------- Post added at 07:35 PM ---------- Previous post was at 06:40 PM ----------
I finally got impatient and rebooted it by holding down the power button, but it remained stuck on the splash screen. Then I tried holding down Volume Up + Power and I was at the black EMUI recovery, and there was an option to do a factory reset. I pressed FACTORY RESET and the phone looks like it is okay now; I was able to get to the EMUI white screen where it asks you what language and begins the new phone setup. What a relief! I think I may be okay; will update this thread after completing the setup procedure.
---------- Post added at 07:48 PM ---------- Previous post was at 07:35 PM ----------
Booya, baby! I am back up and running. And I thank all the gurus on this forum kindly for helping me save my phone from my own mistakes. I don't plan to root again; I am snake-bitten now after this scary experience and too afraid to root again.
Huawei is just too dangerous with the FRP lock thing. If anyone is reading this old thread and having the same problem, feel free to PM me and I will be happy to help you step by step if you run into the same issue.
The main secret is that you have to flash the dload of the EXACT SAME BUILD that you had before trying to update. The mistake I made was that I was rooted and I tried to use dload to upgrade to build 365, but that is impossible. If you are rooted (and if you failed to turn off the FRP lock inside developer options prior to unlocking your bootloader), then you can only use dload to restore to stock on the same build you currently have. I am assuming that if you are not rooted you can also use the dload method to upgrade to a newer build, BUT NOT IF YOU ARE ROOTED. That was the main lesson I learned.

Root bounty for H918 10p/q

How about starting a bounty for root on the H918 10p/q? Maybe if we can draw enough interest, more developers would be willing to contribute to finding a root method? Thoughts?
That would be great if someone had the talent; T-Mobile has it pretty locked down from what I read.
Would love that as well. I got excited when I saw the H910 was rooted up to 10q.
What is the current bounty at?
If you are going to start a bounty thread, it will need to be about a grand. I figure it will take about 3 bricks to get it right.
I can now open and write to a protected block device (sde) using the LAF protocol. The problem is that you have to send the WHOLE block device, and it is excruciatingly slow. If it fails, you have a 9008 brick:
Code:
aboot -> /dev/block/sde6
boot -> /dev/block/sde1
recovery -> /dev/block/sde2
So, you image /dev/block/sde of a rooted device, and then write it back to the device you want to root. sde isn't very big, so that helps, but even so, it is SLOW. I am talking days to READ, and writing is about 4 times slower. If it fails and your phone loses power (it doesn't charge in download mode), you have a brick that only LG can fix because you have lost aboot. To get into download mode, you need 3 things: xbl, aboot, and laf. xbl and laf are on other block devices, but that doesn't matter if you lose aboot.
Because it is so slow, I don't even know if it works. I aborted, and luckily my phone was still recognized by LG UP, so I flashed before my phone lost power.
Bottom line, I don't take money for my TIME on a hobby, but I am not about to brick my phones -- and like I said, I *KNOW* several bricks would happen in order to get it right.
-- Brian
A bit sketchy to try to root H918 10p and q because of anti-rollback. I'm still on 10k and I could roll back to 10j and root, but I prefer not to, because custom ROMs disable the second screen, plus I heard it's a bit buggy. Stock firmware isn't all that bad, but if you truly are looking to get root on it you will need about a grand, yeah, because you will need to brick around 3 (2-4) phones.
I know for me, I just prefer root so I can use Xposed and also some root-style apps that allow me to delete or disable stock apps that I do not use.
Does being on 10q block only root? Is it still possible to flash TWRP and Lineage, just with no root? Could you manually set up something like V4A from TWRP with an adb root shell so it doesn't need su in user space?
retro486 said:
Does being on 10q block only root? Is it still possible to flash TWRP and Lineage, just with no root? Could you manually set up something like V4A from TWRP with an adb root shell so it doesn't need su in user space?
The Dirty COW exploit no longer works after 10j firmware, and since you can't roll back from 10q, no TWRP.
Huh, I wasn't aware TWRP required exploits... I thought it was just a recovery partition flash...
retro486 said:
Huh, I wasn't aware TWRP required exploits... I thought it was just a recovery partition flash...
The whole point of Dirty COW was to get TWRP on the phone. After that it could be rooted. It took an exploit to get TWRP on the phone.
Sorry for the bad news, but that's how it worked.
retro486 said:
Huh, I wasn't aware TWRP required exploits... I thought it was just a recovery partition flash...
The fastboot commands are missing. That's why you can't just send TWRP. If the fastboot commands were there, then you could send TWRP and root later.
The fact that they went out of their way to remove fastboot commands blows my mind.
Wait till they figure out that an end user doesn't need download mode for anything. All carriers doing encrypted OTA updates like AT&T does. Then remove adb access, and voilà.....
The V20 will be my last LG phone.
Yeah, I think I'm going to get a dedicated hi-fi player; I'm tired of all these steep compromises to try and get an all-in-one device. The older Note 4s were great, just a bit slow, and I hate the rear-firing speaker, but honestly I might just go back to that or bite the bullet and go OnePlus. Oh well!
bigcletus said:
How about starting a bounty for root on the H918 10p/q? Maybe if we can draw enough interest, more developers would be willing to contribute to finding a root method? Thoughts?
I'm thinking about selling the T-Mobile H918 (at a loss) to buy the AT&T H910 or H996 (I forget which) so I can unlock both the SIM card and the bootloader and attain root on the T-Mobile LG V20. That would add up to a significant "bounty" if an exploit is actually possible. Somebody smarter than me would have to tell us if that can be done?
I would DEFINITELY pay someone to root my H918 that's already on "q." The LG V20 is much better than the Nexus devices I'm used to. The removable battery already lasts 3 times as long as a normal battery, even without buying oversize batteries!
@bjveee If you are going to get another V20, get the unlocked US996. The bootloader can be officially unlocked, and you have full fastboot.
Right now (now being the key word), the H910 can be rooted, but only because AT&T hasn't incremented the ARB version *yet*. Since they just released v10r and ARB still wasn't incremented, I am guessing they won't bother until Oreo (if we even get it) is released. In order to increment ARB, they have to compile ALL of the firmware with the new ARB version, and then send that OTA. Since the only way to get their updates is to have someone factory reset their phone and then dump the latest update, I think AT&T is under the delusion that their phone is more secure than they think.....
-- Brian
I don't know if this is any easier, and it doesn't solve the problem for people who are already on p/q, but for us folks on the older firmware, it would be great if there were a way to upgrade the bootloader and radio without triggering the increment. That way we could always roll back to the older official firmware.
The bootloader IS what increments ARB, and if you have even ONE piece of firmware get loaded with a greater ARB, then it gets incremented. So, you can run the H918 10q modem with the 10j bootloader. And if you try, you will then be stuck running the entire 10q bootstack.
There is no way around ARB. I am not one that will usually say something is impossible, but this is impossible.
-- Brian
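As an added illustration of the anti-rollback behaviour Brian describes (this is not code from the thread, LG or Qualcomm): a simulated one-time-programmable fuse that can only ever move upward, checked against each image before it loads. The ARB numbers used for 10j (1) and 10q (2) are constructed placeholders, since the thread does not give the real values; the image names and helper functions are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated anti-rollback (ARB) fuse. On real Qualcomm parts this lives in
 * one-time-programmable fuse bits; here it is an in-RAM stand-in. Added
 * illustration only, not LG or Qualcomm code. */
typedef struct {
    uint32_t arb_version;    /* highest ARB version ever booted; only increases */
} arb_fuse_t;

typedef struct {
    const char *name;        /* hypothetical image name, e.g. "aboot-10j" */
    uint32_t    arb_version; /* ARB version carried in the signed image */
} fw_image_t;

/* Boot-time check for one image. Anything older than the fuse is refused;
 * anything newer burns the fuse forward first, which is what makes a
 * single mixed-in newer image irreversible. */
bool arb_check_and_update(arb_fuse_t *fuse, const fw_image_t *img)
{
    if (img->arb_version < fuse->arb_version)
        return false;                          /* rollback: refuse to load */
    if (img->arb_version > fuse->arb_version)
        fuse->arb_version = img->arb_version;  /* burn fuse; cannot be undone */
    return true;
}

/* Load a bootstack in order. Returns how many images were accepted before
 * the first refusal (n when everything loaded). */
size_t arb_load_stack(arb_fuse_t *fuse, const fw_image_t *stack, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!arb_check_and_update(fuse, &stack[i]))
            return i;
    return n;
}

/* Constructed scenario: device on the 10j bootstack (ARB 1), user flashes
 * only the 10q modem (ARB 2). Returns the fuse value afterwards. */
uint32_t fuse_after_mixing_10q_modem(void)
{
    arb_fuse_t fuse = { .arb_version = 1 };
    fw_image_t modem_10q = { "modem-10q", 2 };
    arb_check_and_update(&fuse, &modem_10q);
    return fuse.arb_version;                   /* now 2, permanently */
}

/* Same scenario, next boot: how many of the old 10j images still load? */
size_t images_10j_accepted_after_mixing(void)
{
    arb_fuse_t fuse = { .arb_version = 1 };
    fw_image_t modem_10q = { "modem-10q", 2 };
    fw_image_t stack_10j[] = {
        { "aboot-10j", 1 }, { "boot-10j", 1 }, { "modem-10j", 1 },
    };
    arb_check_and_update(&fuse, &modem_10q);   /* the one newer image */
    return arb_load_stack(&fuse, stack_10j, 3);/* 0: even aboot-10j is refused */
}

int main(void)
{
    printf("fuse after 10q modem: %u\n", fuse_after_mixing_10q_modem());
    printf("10j images accepted afterwards: %zu\n",
           images_10j_accepted_after_mixing());
    return 0;
}
```

The point of the simulation is the asymmetry: the check that stops a downgrade exploit (an older, vulnerable aboot) is the same check that makes a single mixed-in newer image a one-way door for the whole stack, because the fuse moves on the first accepted image, not on a coordinated update.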
retro486 said:
Yeah, I think I'm going to get a dedicated hi-fi player; I'm tired of all these steep compromises to try and get an all-in-one device. The older Note 4s were great, just a bit slow, and I hate the rear-firing speaker, but honestly I might just go back to that or bite the bullet and go OnePlus. Oh well!
The new Razer phone is pretty sick.
runningnak3d said:
The bootloader IS what increments ARB, and if you have even ONE piece of firmware get loaded with a greater ARB, then it gets incremented. So, you can run the H918 10q modem with the 10j bootloader. And if you try, you will then be stuck running the entire 10q bootstack.
There is no way around ARB. I am not one that will usually say something is impossible, but this is impossible.
-- Brian
So you are telling me with every confidence there will not be any future exploit to get around ARB. The only reasonable course of action is to buy the US version of the unlocked H966, and do it quickly!
~Bruce
---------- Post added at 06:53 PM ---------- Previous post was at 06:51 PM ----------
bjveee said:
So you are telling me with every confidence there will not be any future exploit to get around ARB. The only reasonable course of action is to buy the US version of the unlocked H966, and do it quickly!
~Bruce
US996....

Any chance for root (ever)?

I have the option to get a new phone with a contract renewal. I like devices with strange "additions"; that's why I had a Moto Z3 Play before. And now I'm thinking about the Velvet because of its Dual Screen.
However, I need root for a few apps I use (some for my own usage, some work related).
Do you believe that there will be a way to root the Velvet in the near future? Or ever?
I'm really asking whether you believe there will be a way to flash a Magisk-patched kernel.
I know that non-flagship LG devices don't even have an option to unlock the bootloader, and even the flagships (V60?) have blocked fastboot commands, so unlocking does nothing...
https://developer.lge.com/resource/mobile/RetrieveBootloader.dev?categoryId=CTULRS0703
Sad to see this after I chose something else...
Still, as I read about other LG devices, it seems that an unlockable bootloader doesn't have to mean that there is access to fastboot commands. And without that there is no reason to unlock it.
I thought about a new phone for a long time and I hope you are wrong, because I chose the Velvet. Previously I had a G6 and I already miss root & mods a lot. And what did you buy?
Realme X3 SuperZoom. At least there is a root solution already.
And they should share the sources like they did with older devices.
I'll miss the 2nd screen, but... I had a chance to play with it, and my carrier gives it for free (screen or headphones) along with a 3rd year of warranty.
I'm waiting for headphones; they added the choice (screen or headphones) after I bought the phone :laugh: and I worry about LG coming down with smartphones... Have a nice day and good luck with power-using :victory:
Headphones? I'd choose the screen. F**k their DAC.
Maybe one day I'll get an LG with Dual Screen? We'll see. As I signed the contract in the store I have no way to change it (not sure if I want to).
Anyway, nice day to you too. And let's hope a way to root the Velvet is found.
The following devices support unlocking the bootloader:
• LG VELVET: LMG900EM/LMG900EMW/LMG900EMX/LMG900D for the European market
dietoro said:
The following devices support unlocking the bootloader:
• LG VELVET: LMG900EM/LMG900EMW/LMG900EMX/LMG900D for the European market
I've been seeing the LMG900M a lot on eBay; wondering if this works too, as I haven't seen it on this list?
In the dark
Is there any way for us as a collective to unlock the bootloader ourselves? I literally don't know; I'm very new to this and want to try out a rooted device.
Got a Velvet.
Unlocking the bootloader was no problem.
But stock ROMs are in KDZ format, unextractable since the last dev of un-kdz/un-dz seems to support just old and smaller formats.
Tried several boot.img's and TWRPs that seem to be for the same chipset.
Nothing worked so far. Hoping some of the ROM gurus get hot on that dual-screen feature/case... which works really well.
I didn't get it to work with root, but I don't give up hope.
---------- Post added at 09:47 PM ---------- Previous post was at 09:30 PM ----------
Catrock31 said:
Is there any way for us as a collective to unlock the bootloader ourselves? I literally don't know; I'm very new to this and want to try out a rooted device.
Just complete the process that wifredzik posted as a link.
You'll get an unlock file from LG immediately.
Enable developer options on your phone and then USB debugging.
Boot into the bootloader via adb and unlock as LG describes in the manual.
That's what's worked for me so far.
Played around with stock ROMs of other new mobile phones that have the same chipset to extract the boot.img and modify it with Magisk.
My strategy is to boot in with root, but without flashing partitions, so that I can dump the original boot.img and modify it with Magisk just to flash it back.
But no other boot.img worked so far.
If there is somebody out there who can break up the LG Velvet stock ROM (KDZ format) into intact img files, please let me know.
BR
Mike
MikGx said:
Got a Velvet.
Unlocking the bootloader was no problem.
But stock ROMs are in KDZ format, unextractable since the last dev of un-kdz/un-dz seems to support just old and smaller formats.
Tried several boot.img's and TWRPs that seem to be for the same chipset.
Nothing worked so far. Hoping some of the ROM gurus get hot on that dual-screen feature/case... which works really well.
I didn't get it to work with root, but I don't give up hope.
---------- Post added at 09:47 PM ---------- Previous post was at 09:30 PM ----------
Just complete the process that wifredzik posted as a link.
You'll get an unlock file from LG immediately.
Enable developer options on your phone and then USB debugging.
Boot into the bootloader via adb and unlock as LG describes in the manual.
That's what's worked for me so far.
Problem: I got the Canadian version, which is not one of the models listed on their site.
Catrock31 said:
Problem: I got the Canadian version, which is not one of the models listed on their site.
Hm... I would try it anyway.
The worst that can happen is that LG doesn't send back the unlock.bin.
I've taken a look inside the file.
It's encrypted, so no way to create it the easy way by yourself...
br
Mike
LG Velvet Stock Ringtones
Could anyone please upload the stock ringtones? Thanks.
Root LG Velvet (LM-G900EM)
As I've found a way to root the Velvet, I opened a new thread in the Velvet section.
Have fun!
BR
Mike

Very close with a SIM unlock for the T-Mobile version, need some help

I have been working on the SIM unlock for the GM1915 for some time now, and could really use the help of our community. My OnePlus 7 Pro is still financed; it was bought on eBay and can't be activated. So now I'm at the point that no messages pop up for the SIM and I have some service, but it won't register on the network. Attached is the firehose I extracted from the .OPS T-Mobile MSM download on here. I don't think it's anywhere online, so enjoy my time well spent. The best way to use it is with QFIL; then you can manage all the partitions as needed. I could really use an EFS or QCN from an unlocked T-Mobile OP7P. Just make sure you know how to clean out the IMEI, for your own benefit.
Update..
By digging into the unlock I found way more than I expected. It seems there is a wrapper on the system. If anyone has noticed the alarm or the wake_lock, it all starts up after the very first boot, with Gboard. Gboard and all the others are bonded together by location services. This is all the GmsCore, and when one is tripped by the alarm, that is the wake_lock (clock), they all know. And the SIM lock is Android Auto, which is part of the hidden apps. I found a whitelist.xml showing them all. When the wrong SIM is entered the alarm is tripped and a call is made to honk the horn; this is the SIM lock wallpaper that pops up. Also it switches the SIM ID to emergency only. The carrier PLMNs used to lock are located and tied to game mode. I have found a vulnerability in the GmsCore and have been able to pull it all. There is just way too much more to go into. All of these items have to be cleared to SIM unlock; this is why the T-Mobile ROM is needed. If in the process something is done wrong and trips the alarm, the phone will reset the lock and sometimes reboot and not start back up.
Here are the firehose files.
Update: by erasing modemst1 and modemst2 it deletes the SIM lock, and doesn't affect the IMEI at all. But by erasing them it clears all the UIM configurations. Restoring EFS with TWRP goes back to locked. I'm in the process of rebuilding the missing NV items one by one and should have a fully functional SIM unlock for the T-Mobile OP7P. After doing all I have, I might just have a working bypass for most T-Mobile locked Qualcomm devices using the unlock app.
Nice work
Good luck, keep us posted on progress.
Good work friend.
Can this work also for the gm1925?
justencase6 said:
Update: by erasing modemst1 and modemst2 it deletes the SIM lock, and doesn't affect the IMEI at all. But by erasing them it clears all the UIM configurations. Restoring EFS with TWRP goes back to locked. I'm in the process of rebuilding the missing NV items one by one and should have a fully functional SIM unlock for the T-Mobile OP7P. After doing all I have, I might just have a working bypass for most T-Mobile locked Qualcomm devices using the unlock app.
Thanks, please keep us posted!
elital said:
Good work, friend.
Can this work also for the GM1925?
Very well possible. If you would like to test it out and help me out, PM me. I need others that can help me out.
PM sent, as I'm in the same situation as you.
Very interesting.
How were you able to erase the modems? I get an error (Critical Partition is locked) when I try to do this on my 7T.
droidout said:
How were you able to erase the modems? I get an error (Critical Partition is locked) when I try to do this on my 7T.
You will need to unpack the firehose file from the .ops backup file in the MSM download tool for your phone. The one I have won't work; it's a different SOC. Then you can use it with QFIL and manage the partitions.
I'm in.
All help needed, please. We need to crack this thing.
Maybe a bounty for anyone that can crack it will help too.
sbenjy said:
All help needed, please. We need to crack this thing.
Maybe a bounty for anyone that can crack it will help too.
Right now I don't have access to all the info, and money is limited. I'm waiting for a good deal from eBay for one that only has a working unlocked main board. I don't care about anything else on it as long as I can connect to it. Then things will move faster. It seems they added a lot this time to stop us all.
Update: if anyone would like to know and is not in the Telegram group, I have found all the reasons why the T-Mobile OnePlus 7 Pro has not been unlocked yet. Qualcomm has changed a lot of internals and has new updated encryption with the SDM855 SOC. But I'm not going to let it stop me. I have found out that the SIM lock is implemented in the stock modem. I'm about done fully decrypting it and already have it halfway unpacked. I have also learned that there might be an eFuse for the SIM lock, something else quite new. Looks like they must have started paying the programmers at T-Mobile for a change also.
Keep it up, we are waiting for your work.
I have a 7T that is SIM locked and cannot be unlocked; waiting for your work.
justencase6 said:
Update: if anyone would like to know and is not in the Telegram group, I have found all the reasons why the T-Mobile OnePlus 7 Pro has not been unlocked yet. Qualcomm has changed a lot of internals and has new updated encryption with the SDM855 SOC. But I'm not going to let it stop me. I have found out that the SIM lock is implemented in the stock modem. I'm about done fully decrypting it and already have it halfway unpacked. I have also learned that there might be an eFuse for the SIM lock, something else quite new. Looks like they must have started paying the programmers at T-Mobile for a change also.
Hey mate, send me the link for the group. I got a little info I found out along my way too.
---------- Post added at 04:27 PM ---------- Previous post was at 04:23 PM ----------
I have an unlocked modemst we can play with. We may be able to push this. As I saw, you tried to zero modemst out just like I did. It does SIM unlock the device for sure. But as stated it also won't properly read a SIM, as I believe NV is screwed up. If we can combine some of this I bet we do it. I've got a few ideas as well, if anyone is willing to try stuff and such. Mine's already unlocked. I got mine done directly from T-Mobile, so I can't outright test my other ideas any more.
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
On a further note, I would prefer you be rooted with TWRP already, just so you have your own backups and such and are not in the same boat I was for a bit.
OnePlus 7T T-Mobile
Please everybody, let's work on this. I'm ready; I have a SIM-locked T-Mobile OnePlus 7T and there is no way to unlock it. I got it from eBay. I'm ready for any testing.
---------- Post added at 07:43 PM ---------- Previous post was at 07:41 PM ----------
TheMadScientist said:
Hey mate, send me the link for the group. I got a little info I found out along my way too.
---------- Post added at 04:27 PM ---------- Previous post was at 04:23 PM ----------
I have an unlocked modemst we can play with. We may be able to push this. As I saw, you tried to zero modemst out just like I did. It does SIM unlock the device for sure. But as stated it also won't properly read a SIM, as I believe NV is screwed up. If we can combine some of this I bet we do it. I've got a few ideas as well, if anyone is willing to try stuff and such. Mine's already unlocked. I got mine done directly from T-Mobile, so I can't outright test my other ideas any more.
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
On a further note, I would prefer you be rooted with TWRP already, just so you have your own backups and such and are not in the same boat I was for a bit.
I'm ready for any testing. I have a locked and SIM-locked OnePlus 7T; just give me the ideas and I will implement them.
Hi OP, have you tried the method of the Sprint HTC One M9 to make a backup of a T-Mo unlocked phone and try to write it to a locked one?
Come on! We're dying here. I bought the T-Mobile OP7 Pro and converted it to international. I got rid of that and currently have 2 GM1917 (OP7 Pro unlocked) and also a GM1925, which is my main problem. It's the OP7 Pro 5G Sprint version. I've been trying t
frostwildfire said:
Hi OP, have you tried the method of the Sprint HTC One M9 to make a backup of a T-Mo unlocked phone and try to write it to a locked one?
Won't work. I have gone as far as erasing the full UFS, even the GPT tables, and then writing back. The problem is the device encrypts modemst1 and 2 using the hardware ID, and that ID is hardcoded to the SOC and can't be changed, so you can't write another modemst1 and 2 to another device. The lock flag is encrypted inside them. I have been able to unlock the GM1925 Sprint model; have locked and unlocked the same device 3 times now with Sprint's server, and just have to write the EFS back to lock. Even have a full log of the process. It's just that I'm out of my range of expertise and I'm having to learn as I go.
justencase6 said:
Won't work. I have gone as far as erasing the full UFS, even the GPT tables, and then writing back. The problem is the device encrypts modemst1 and 2 using the hardware ID, and that ID is hardcoded to the SOC and can't be changed, so you can't write another modemst1 and 2 to another device. The lock flag is encrypted inside them. I have been able to unlock the GM1925 Sprint model; have locked and unlocked the same device 3 times now with Sprint's server, and just have to write the EFS back to lock. Even have a full log of the process. It's just that I'm out of my range of expertise and I'm having to learn as I go.
Hi, I also have the GM1925 Sprint model. Can you help to unlock it?
