[GUIDE] [ADVANCED] Bootloader Unlock and Root for the T-Mobile LG Velvet (G900TM ONLY)

Search This thread

Wish39

Senior Member
Jan 13, 2015
206
59
ONLY WORKS FOR THE G900TM SINCE THAT MODEL HAS A MEDIATEK CHIP, DO NOT TRY THIS ON ANY OTHER VELVET MODEL

Prerequisites:
MTKclient: this is the free tool we will use to unlock the bootloader, follow the installation instructions here or use the provided LiveDVD that has everything ready to go: https://github.com/bkerler/mtkclient

LGUP: Use this patched one: https://tbl-locksmiths.com/showthread.php?tid=3

ADB (Android Debug Bridge): See here on how to install ADB: https://www.xda-developers.com/install-adb-windows-macos-linux/

FOR NOW YOU MUST USE AN UBUNTU OR DEBIAN BASED LINUX DISTRO SINCE MTKCLIENT DOES NOT PLAY NICE WITH AND REQUIRES MORE STEPS TO WORK ON WINDOWS. A VIRTUAL MACHINE WILL WORK FINE FOR THIS TUTORIAL.

UNLOCKING THE BOOTLOADER WILL WIPE YOUR DATA, PLEASE MAKE SURE YOU HAVE BACKED YOUR DATA UP BEFORE ATTEMPTING THIS.

1. If you are on Android 11 already, please downgrade to Android 10 first using the G900TM14k KDZ before attempting this. You can download it here or from another website. https://drive.google.com/file/d/1GYOHiuIbOqO9x_t8E-dvLI3sEKDe6fRS/view?usp=sharing
The reason that we are doing this is because in the Android 11 firmware, the phone’s preloader (first stage bootloader) has the exploit MTKclient needs to crash the phone into BROM mode (Mediatek equivalent to Qualcomm EDL mode) patched out. This means MTKclient will not work with the Android 11 firmware installed, unless you are willing to open up the phone and short some test points! By downgrading to Android 10, the exploitable preloader can be put back onto the device.

2. Install LGUP, then launch it when it is done. Make sure the “refurbish” option is selected, then click the button with the three dots that is circled in the picture.
MFbpP-STDlWaHANwNrqpShS1Uby4dg0dEvc4fb_bKuQiDpEhv4m5CzJtf1_hAd_DT2uNzGscGC6pJURfR9bLuf8W3GPj6dgybeROebpGn7nup-xstAkbFF8gXadYiZKZHxU6JLnJkrVlHo8Igg
3. Select the G900TM14k kdz file. Then click start and wait for the kdz to finish flashing.
vmFCgP8lRLZXImb6q-9OAXCXZXoLmt3XAjJarbMsIB2EEZYslMMdQ3JlIf43DYvWD8LcCvANHVJtx8mgY0GC17yXOOX1urcWy4opA3vX_mEIKtuRyL7wcrnrjjTGTVlWs0xrOvJ59NSiHFhtdQ

Vl0r5tBtEsqpjpvWq1CaDAyG-2Yjk89DbMDAdw_IisLAd794dR5Vl5_cqCp-km8vs-LBB--wUjoDu_f0ALHqDlq0kJjr2W1eDk0MxyhY3QtF672yHX7RSoYhu2yNMn2vFHPTY6VO8xwWDFbO1A
4. Now you are ready to use MTKclient. When using it, make sure the phone is powered off, run a command, and then plug the phone into your PC. Follow the instructions here: https://github.com/bkerler/mtkclient#unlock-bootloader
Output should look something like this example output:

Code:
[email protected]:~/Desktop/mtkclient-main$ python mtk e metadata,userdata,md_udc
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.


Port - Device detected :)
Preloader -     CPU:            MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
Preloader -     HW version:        0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:            0x11002000
Preloader -     Brom payload addr:    0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:            0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x816
Preloader - Target config:        0x5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:        True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:    False
Preloader -     Root cert required:    False
Preloader -     Mem read auth:        False
Preloader -     Mem write auth:        False
Preloader -     Cmd 0xC8 blocked:    False
Preloader -     HW subcode:        0x8a00
Preloader -     HW Ver:            0xcb00
Preloader -     SW Ver:            0x1
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
usb_class - USBError(19, 'No such device (it may have been disconnected)')
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.


Port - Device detected :)
Preloader -     CPU:            MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
Preloader -     HW version:        0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:            0x11002000
Preloader -     Brom payload addr:    0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:            0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x816
Preloader - Target config:        0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:        True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:    False
Preloader -     Root cert required:    False
Preloader -     Mem read auth:        True
Preloader -     Mem write auth:        True
Preloader -     Cmd 0xC8 blocked:    True
Preloader -     HW subcode:        0x8a00
Preloader -     HW Ver:            0xcb00
Preloader -     SW Ver:            0x1
Preloader - ME_ID:            2DF842BC6706D1EA3150DC28E8B69081
Preloader - SOC_ID:            D68B399A7D66DF240C22270698248840AF48675FA82F2F5B8B2048A993A646B3
PLTools - Loading payload from mt6885_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/sugondeseballs/Desktop/mtkclient-main/mtkclient/payloads/mt6885_payload.bin
Port - Device detected :)
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2124.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS FWVer:    0x2020
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID:       SDINEDK4-128G
DAXFlash - UFS CID:      45015344494e45444b342d3132384720
DAXFlash - UFS LU0 Size: 0x1dcd800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : 45015344494e45444b342d3132384720
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - UFS FWVer:    0x2020
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID:       SDINEDK4-128G
DAXFlash - UFS CID:      45015344494e45444b342d3132384720
DAXFlash - UFS LU0 Size: 0x1dcd800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DA-CODE      : 0x161E0
DAXFlash - DA Extensions successfully added
DAXFlash - Formatting addr 0x94a2000 with length 0x2000000, please standby....
DAXFlash - Successsfully formatted addr 0x94a2000 with length 33554432.
Formatted sector 38050 with sector count 8192.
DAXFlash - Formatting addr 0x462800000 with length 0x1962800000, please standby....
DAXFlash - Successsfully formatted addr 0x462800000 with length 109026738176.
Formatted sector 4597760 with sector count 26617856.
DAXFlash - Formatting addr 0x7e08000 with length 0x169a000, please standby....
DAXFlash - Successsfully formatted addr 0x7e08000 with length 23699456.
Formatted sector 32264 with sector count 5786.
[email protected]:~/Desktop/mtkclient-main$ python mtk xflash seccfg unlock
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.05 MB/s
xflashext - Successfully wrote seccfg.

Congrats! Your bootloader is now unlocked!

Now if you want to flash back to Android 11 first and then root, you can! You can either perform the OTA updates needed to get to the latest Android 11 software version, or just download an Android 11 KDZ from one of those websites that hosts LG firmware and flash it with the “Upgrade” option selected in LGUP.

But doing so will replace the exploitable preloader. If you still want MTKclient to work, follow this process:
  • Download an Android 11 KDZ
  • Open up LGUP and select the KDZ
  • Select the “Partition DL” option and press “Start”
  • When the partition list window pops up, click “Select all” and uncheck the preloader partition, then press OK to start flashing.
EH3PZ72ZF_egLwtgvoSwO-b0fplPi5WEgpu7qvqfOHpsxTPTL0y0QYj-iYJz5Qb4YPlX4J5KzZ3Gf-qEEH2hobQMTcMVnkJ9AwSYtfRizwHKxlLf7PLFOTt4QBXo0MZ5AOJYK1G8df-Wk0aDVg

ROOTING INSTRUCTIONS (this part can be done in Windows or Linux):
  1. To root, dump both of the boot images from the phone using “python mtk r boot_a boot_a.bin” and “python mtk r boot_b boot_b.bin”. It’s fine to dump only boot_a or boot_b, but make sure to verify which boot slot your phone is in first, then dump the correct image.
  2. Turn the phone back on, then download the Magisk APK file from its Github page, and install it.
  3. Copy the dumped boot images to your phone’s storage.
  4. Then in the Magisk app, tap the Install button in the Magisk box, then tap “Select and patch a file”.
  5. Select your boot image, then press “Let’s go”.
  6. Wait for it to patch the boot image.
  7. When the app finishes patching the boot image it will be in the Downloads folder. If you want to patch the other boot image, repeat this process.
  8. When you have your patched boot images, copy them back to your computer, preferably to the same directory/folder where ADB is installed to.
  9. Make sure USB Debugging is enabled in the developer settings on your phone, then connect the phone to your computer. Allow the computer to access the phone if needed.
  10. Open up a command prompt in the folder where the boot images are and where ADB is installed and type “adb reboot fastboot”.
  11. Wait for the phone to boot to fastboot, then type and run these commands: “fastboot flash boot_a boot_a.bin” and “fastboot flash boot_b boot_b.bin”.
  12. Reboot the phone.
  13. You’re rooted!

Big thanks to @Warlockguitarman, who discovered the bootloader unlock exploit, and Bjoern Kerler, the author of MTKclient and integrated the exploit into the tool. Without them, many Mediatek devices including the T-Mobile Velvet would probably never have root!
 
Last edited:

Metconnect2000

Senior Member
Dec 5, 2015
119
17
Moto G 5G
Thanks for the write-up! quick question: any issues with the fingerprint function? I heard that some LG phones have issues with finger sensor after unlock, not sure if that applies here. I'm assuming this would break the OTA?
 

Wish39

Senior Member
Jan 13, 2015
206
59
Thanks for the write-up! quick question: any issues with the fingerprint function? I heard that some LG phones have issues with finger sensor after unlock, not sure if that applies here. I'm assuming this would break the OTA?
Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol
 

username32

New member
Jul 1, 2022
1
1
I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.

EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, heres what I did:

1. Download the Live CD provided and run it on a computer
2. On a seperate computer, download the latest release of MTKClient under the releasess tab (version 1.52) and extract to a USB drive
3. Boot into Live USB
4. Copy over MTKClient version 1.52 to Live CD
5. In the MTKClient files, right click and click "Open Terminal Here"
6. Follow original steps above to unlock bootloader

To root, I also used the Live CD since I kept getting issues in Windows
1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
2. Follow original steps to root phone
3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too
 
Last edited:
  • Like
Reactions: double b26

lentm

Senior Member
Dec 3, 2008
473
106
I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.

EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, heres what I did:

1. Download the Live CD provided and run it on a computer
2. On a seperate computer, download the latest release of MTKClient under the releasess tab (version 1.52) and extract to a USB drive
3. Boot into Live USB
4. Copy over MTKClient version 1.52 to Live CD
5. In the MTKClient files, right click and click "Open Terminal Here"
6. Follow original steps above to unlock bootloader

To root, I also used the Live CD since I kept getting issues in Windows
1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
2. Follow original steps to root phone
3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too

What were the hardware key combo you used to get to BROM mode? I keep getting the handshake failed error, even though the other LG devices worked before.
 

lentm

Senior Member
Dec 3, 2008
473
106
Hi, the fingerprint still works perfectly after unlocking the bootloader. If you root then you will break OTA updates. But I consider that an improvement for this phone because T-Mobile loves to force OTAs on their phones lol

I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
 

lentm

Senior Member
Dec 3, 2008
473
106
It normally will.I get a strange hex message when it tries to update,and it will tell you to contact LG Support.

It didn't matter as we could just do manual update with kdz files, but it feels like something happened on their T-Mobile version development.
We used to get the kdz file every 2-3 months, still nothing even when 20i ota is out already, and still no pending Android 12 updates on T-Mobile list.
 

Surgemanxx

Senior Member
Jun 21, 2022
77
24
LG G8X ThinQ
LG V60 ThinQ
It didn't matter as we could just do manual update with kdz files, but it feels like something happened on their T-Mobile version development.
We used to get the kdz file every 2-3 months, still nothing even when 20i ota is out already, and still no pending Android 12 updates on T-Mobile list.
I agree!T-Mobile's Velvet is still lagging behind for A12,and I'm assuming because of the Mediatek chipset is the reason being.I currently have the Verizon,and the AT&T versions and they was OTA'd a couple months ago.But,I think their just compiling 1 version for most of these last devices because they have the same Qualcomm chipsets.I have the LG Wing,and it's in the same boat still.It's still sitting at A11 and nothing in the works to go to A12 I have seen.
 

Wish39

Senior Member
Jan 13, 2015
206
59
I was unable to do OTA updates even after I restored the stock boot img. It seems like bootloader unlock breaks OTA updates.
Unlocking the bootloader may or may not break OTA updates on T-Mobile/Metro LG devices in my experience.
I had a Metro K51 that had OTA's break after just unlocking its bootloader, meanwhile my T-Mobile Velvet was able to OTA update even after unlocking its bootloader.
T-Mobile LG's use Google Play Services to distribute OTA updates, so it's something with GMS I guess, not sure.
 

Wish39

Senior Member
Jan 13, 2015
206
59
What were the hardware key combo you used to get to BROM mode? I keep getting the handshake failed error, even though the other LG devices worked before.
There's no BROM hardware key combo, did you downgrade the phone first?
Easiest way is to downgrade to Android 10, run a command on mtkclient and then simply power off the phone, plug it into your PC and let mtkclient do the work.
The only other way is to disassemble the phone and short the BROM testpoints on the motherboard, then plug the phone into your PC.
 

Wish39

Senior Member
Jan 13, 2015
206
59
I agree!T-Mobile's Velvet is still lagging behind for A12,and I'm assuming because of the Mediatek chipset is the reason being.I currently have the Verizon,and the AT&T versions and they was OTA'd a couple months ago.But,I think their just compiling 1 version for most of these last devices because they have the same Qualcomm chipsets.I have the LG Wing,and it's in the same boat still.It's still sitting at A11 and nothing in the works to go to A12 I have seen.
Korean Wing does have Android 12
 

lentm

Senior Member
Dec 3, 2008
473
106
Unlocking the bootloader may or may not break OTA updates on T-Mobile/Metro LG devices in my experience.
I had a Metro K51 that had OTA's break after just unlocking its bootloader, meanwhile my T-Mobile Velvet was able to OTA update even after unlocking its bootloader.
T-Mobile LG's use Google Play Services to distribute OTA updates, so it's something with GMS I guess, not sure.

If your Velvet was able to OTA update, it's probably because I unchecked preloader with PARTITION D/L option on LGUP when upgrading to Android 12.
 

double b26

Senior Member
Feb 14, 2013
60
13
West Virginia, USA
LG Velvet
A) Since this is a mediatek chipped device, is it not possible to unlock bootloader via adb and fastboot commands from a windows rig?

Then patch the boot image with magisk.

Flash patched image with adb or the smart phone flash tool?

Ive had success with other brands on mediatek android 10 using this method.

--> Here is a guide thats similar to the method ive successfully used to root other devices, but for mediatek android 11 devices

--> Here is another guide specifically for LG devices from the same source as above

--------------------

B) Re: Resources for the method in post 1

1. Anyone have the link to the latest android 11 kdz [G900TM20i]? I cant find a copy for d/l. Seems to be discrepancy whether OTA update will work post-root, and would like to have latest security patch

2. Is there a minimum version of ubuntu to use? I have one in the archives but it has to be at least a few years old. Should it work or do i want to grab a newer version to be sure?

--------------------

Thanks for the guide and help.

I just picked up this mint unlocked t-mobile velvet for less than $150 and so far seem like a nice device. Only gripe is no face unlock. Noticed a faceprint and handprint option in the service menu, but my understanding is that it doesnt serve any function on this device.

One of the main reasons i picked this device up was due to the mediatek chipset, and that mediatek devices are typically rootable with a generic process like i linked above. Im glad to see it can be rooted, even if not via the 'typical method' ive used for others.
 
Last edited:

Wish39

Senior Member
Jan 13, 2015
206
59
@double b26 Hey whats up. The normal fastboot method doesn't work for newer LG devices because those don't have normal fastboot, they only have fastbootd, which is fastboot in userspace. The bootloader unlock commands are missing, so you can't really do anything in there besides flash some partitions while in there.

As of now there isnt a KDZ for G900TM20i, and I recommend you use Ubuntu 20.04 LTS or newer so you dont run into compatibility issues.
Also I believe the handprint and faceprint options in the hidden menu are meant for the G8, guess LG was too lazy to remove those options.
 
  • Like
Reactions: double b26

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    I just want to chime in and thank all the people that made this root possible. I had trouble unlocking the bootloader using Windows. Ended up using the live CD and that worked like a charm.

    I got the phone for free during last year's T-Mobile Black Friday. Now that it is rooted, the phone is actually useful. It's really not a bad phone. The screen quality is great. It also has a headphone jack and a built-in FM radio.

    EDIT: Just found out that the memory can be expanded to 2TB with an sdcard and there is also a desktop mode if used with a USB-C to HDMI dongle. If this had a better camera, I would actually consider using it as a daily driver!
  • 6
    ONLY WORKS FOR THE G900TM SINCE THAT MODEL HAS A MEDIATEK CHIP, DO NOT TRY THIS ON ANY OTHER VELVET MODEL

    Prerequisites:
    MTKclient: this is the free tool we will use to unlock the bootloader, follow the installation instructions here or use the provided LiveDVD that has everything ready to go: https://github.com/bkerler/mtkclient

    LGUP: Use this patched one: https://tbl-locksmiths.com/showthread.php?tid=3

    ADB (Android Debug Bridge): See here on how to install ADB: https://www.xda-developers.com/install-adb-windows-macos-linux/

    FOR NOW YOU MUST USE AN UBUNTU OR DEBIAN BASED LINUX DISTRO SINCE MTKCLIENT DOES NOT PLAY NICE WITH AND REQUIRES MORE STEPS TO WORK ON WINDOWS. A VIRTUAL MACHINE WILL WORK FINE FOR THIS TUTORIAL.

    UNLOCKING THE BOOTLOADER WILL WIPE YOUR DATA, PLEASE MAKE SURE YOU HAVE BACKED YOUR DATA UP BEFORE ATTEMPTING THIS.

    1. If you are on Android 11 already, please downgrade to Android 10 first using the G900TM14k KDZ before attempting this. You can download it here or from another website. https://drive.google.com/file/d/1GYOHiuIbOqO9x_t8E-dvLI3sEKDe6fRS/view?usp=sharing
    The reason that we are doing this is because in the Android 11 firmware, the phone’s preloader (first stage bootloader) has the exploit MTKclient needs to crash the phone into BROM mode (Mediatek equivalent to Qualcomm EDL mode) patched out. This means MTKclient will not work with the Android 11 firmware installed, unless you are willing to open up the phone and short some test points! By downgrading to Android 10, the exploitable preloader can be put back onto the device.

    2. Install LGUP, then launch it when it is done. Make sure the “refurbish” option is selected, then click the button with the three dots that is circled in the picture.
    MFbpP-STDlWaHANwNrqpShS1Uby4dg0dEvc4fb_bKuQiDpEhv4m5CzJtf1_hAd_DT2uNzGscGC6pJURfR9bLuf8W3GPj6dgybeROebpGn7nup-xstAkbFF8gXadYiZKZHxU6JLnJkrVlHo8Igg
    3. Select the G900TM14k kdz file. Then click start and wait for the kdz to finish flashing.
    vmFCgP8lRLZXImb6q-9OAXCXZXoLmt3XAjJarbMsIB2EEZYslMMdQ3JlIf43DYvWD8LcCvANHVJtx8mgY0GC17yXOOX1urcWy4opA3vX_mEIKtuRyL7wcrnrjjTGTVlWs0xrOvJ59NSiHFhtdQ

    Vl0r5tBtEsqpjpvWq1CaDAyG-2Yjk89DbMDAdw_IisLAd794dR5Vl5_cqCp-km8vs-LBB--wUjoDu_f0ALHqDlq0kJjr2W1eDk0MxyhY3QtF672yHX7RSoYhu2yNMn2vFHPTY6VO8xwWDFbO1A
    4. Now you are ready to use MTKclient. When using it, make sure the phone is powered off, run a command, and then plug the phone into your PC. Follow the instructions here: https://github.com/bkerler/mtkclient#unlock-bootloader
    Output should look something like this example output:

    Code:
    [email protected]:~/Desktop/mtkclient-main$ python mtk e metadata,userdata,md_udc
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021
    
    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
    
    Port - Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    
    Port - Device detected :)
    Preloader -     CPU:            MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
    Preloader -     HW version:        0x0
    Preloader -     WDT:            0x10007000
    Preloader -     Uart:            0x11002000
    Preloader -     Brom payload addr:    0x100a00
    Preloader -     DA payload addr:    0x201000
    Preloader -     CQ_DMA addr:        0x10212000
    Preloader -     Var1:            0xa
    Preloader - Disabling Watchdog...
    Preloader - HW code:            0x816
    Preloader - Target config:        0x5
    Preloader -     SBC enabled:        True
    Preloader -     SLA enabled:        False
    Preloader -     DAA enabled:        True
    Preloader -     SWJTAG enabled:        True
    Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:    False
    Preloader -     Root cert required:    False
    Preloader -     Mem read auth:        False
    Preloader -     Mem write auth:        False
    Preloader -     Cmd 0xC8 blocked:    False
    Preloader -     HW subcode:        0x8a00
    Preloader -     HW Ver:            0xcb00
    Preloader -     SW Ver:            0x1
    Mtk - We're not in bootrom, trying to crash da...
    PLTools - Crashing da...
    Preloader
    Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
    Preloader
    Preloader - [LIB]: Error on uploading da data
    Preloader - Jumping to 0x0
    usb_class - USBError(19, 'No such device (it may have been disconnected)')
    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
    
    Port - Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    
    Port - Device detected :)
    Preloader -     CPU:            MT6885/MT6883/MT6889/MT6880/MT6890(Dimensity 1000L/1000)
    Preloader -     HW version:        0x0
    Preloader -     WDT:            0x10007000
    Preloader -     Uart:            0x11002000
    Preloader -     Brom payload addr:    0x100a00
    Preloader -     DA payload addr:    0x201000
    Preloader -     CQ_DMA addr:        0x10212000
    Preloader -     Var1:            0xa
    Preloader - Disabling Watchdog...
    Preloader - HW code:            0x816
    Preloader - Target config:        0xe5
    Preloader -     SBC enabled:        True
    Preloader -     SLA enabled:        False
    Preloader -     DAA enabled:        True
    Preloader -     SWJTAG enabled:        True
    Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:    False
    Preloader -     Root cert required:    False
    Preloader -     Mem read auth:        True
    Preloader -     Mem write auth:        True
    Preloader -     Cmd 0xC8 blocked:    True
    Preloader -     HW subcode:        0x8a00
    Preloader -     HW Ver:            0xcb00
    Preloader -     SW Ver:            0x1
    Preloader - ME_ID:            2DF842BC6706D1EA3150DC28E8B69081
    Preloader - SOC_ID:            D68B399A7D66DF240C22270698248840AF48675FA82F2F5B8B2048A993A646B3
    PLTools - Loading payload from mt6885_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: /home/sugondeseballs/Desktop/mtkclient-main/mtkclient/payloads/mt6885_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2124.bin
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - UFS FWVer:    0x2020
    DAXFlash - UFS Blocksize:0x1000
    DAXFlash - UFS ID:       SDINEDK4-128G
    DAXFlash - UFS CID:      45015344494e45444b342d3132384720
    DAXFlash - UFS LU0 Size: 0x1dcd800000
    DAXFlash - UFS LU1 Size: 0x400000
    DAXFlash - UFS LU2 Size: 0x400000
    DAXFlash - DRAM config needed for : 45015344494e45444b342d3132384720
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - UFS FWVer:    0x2020
    DAXFlash - UFS Blocksize:0x1000
    DAXFlash - UFS ID:       SDINEDK4-128G
    DAXFlash - UFS CID:      45015344494e45444b342d3132384720
    DAXFlash - UFS LU0 Size: 0x1dcd800000
    DAXFlash - UFS LU1 Size: 0x400000
    DAXFlash - UFS LU2 Size: 0x400000
    DAXFlash - DA-CODE      : 0x161E0
    DAXFlash - DA Extensions successfully added
    DAXFlash - Formatting addr 0x94a2000 with length 0x2000000, please standby....
    DAXFlash - Successsfully formatted addr 0x94a2000 with length 33554432.
    Formatted sector 38050 with sector count 8192.
    DAXFlash - Formatting addr 0x462800000 with length 0x1962800000, please standby....
    DAXFlash - Successsfully formatted addr 0x462800000 with length 109026738176.
    Formatted sector 4597760 with sector count 26617856.
    DAXFlash - Formatting addr 0x7e08000 with length 0x169a000, please standby....
    DAXFlash - Successsfully formatted addr 0x7e08000 with length 23699456.
    Formatted sector 32264 with sector count 5786.
    [email protected]:~/Desktop/mtkclient-main$ python mtk xflash seccfg unlock
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021
    
    sej - HACC init
    sej - HACC run
    sej - HACC terminate
    sej - HACC init
    sej - HACC run
    sej - HACC terminate
    sej - HACC init
    sej - HACC run
    sej - HACC terminate
    Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.05 MB/s
    xflashext - Successfully wrote seccfg.

    Congrats! Your bootloader is now unlocked!

    Now if you want to flash back to Android 11 first and then root, you can! You can either perform the OTA updates needed to get to the latest Android 11 software version, or just download an Android 11 KDZ from one of those websites that hosts LG firmware and flash it with the “Upgrade” option selected in LGUP.

    But doing so will replace the exploitable preloader. If you still want MTKclient to work, follow this process:
    • Download an Android 11 KDZ
    • Open up LGUP and select the KDZ
    • Select the “Partition DL” option and press “Start”
    • When the partition list window pops up, click “Select all” and uncheck the preloader partition, then press OK to start flashing.
    EH3PZ72ZF_egLwtgvoSwO-b0fplPi5WEgpu7qvqfOHpsxTPTL0y0QYj-iYJz5Qb4YPlX4J5KzZ3Gf-qEEH2hobQMTcMVnkJ9AwSYtfRizwHKxlLf7PLFOTt4QBXo0MZ5AOJYK1G8df-Wk0aDVg

    ROOTING INSTRUCTIONS (this part can be done in Windows or Linux):
    1. To root, dump both of the boot images from the phone using “python mtk r boot_a boot_a.bin” and “python mtk r boot_b boot_b.bin”. It’s fine to dump only boot_a or boot_b, but make sure to verify which boot slot your phone is in first, then dump the correct image.
    2. Turn the phone back on, then download the Magisk APK file from its Github page, and install it.
    3. Copy the dumped boot images to your phone’s storage.
    4. Then in the Magisk app, tap the Install button in the Magisk box, then tap “Select and patch a file”.
    5. Select your boot image, then press “Let’s go”.
    6. Wait for it to patch the boot image.
    7. When the app finishes patching the boot image it will be in the Downloads folder. If you want to patch the other boot image, repeat this process.
    8. When you have your patched boot images, copy them back to your computer, preferably to the same directory/folder where ADB is installed to.
    9. Make sure USB Debugging is enabled in the developer settings on your phone, then connect the phone to your computer. Allow the computer to access the phone if needed.
    10. Open up a command prompt in the folder where the boot images are and where ADB is installed and type “adb reboot fastboot”.
    11. Wait for the phone to boot to fastboot, then type and run these commands: “fastboot flash boot_a boot_a.bin” and “fastboot flash boot_b boot_b.bin”.
    12. Reboot the phone.
    13. You’re rooted!

    Big thanks to @Warlockguitarman, who discovered the bootloader unlock exploit, and Bjoern Kerler, the author of MTKclient and integrated the exploit into the tool. Without them, many Mediatek devices including the T-Mobile Velvet would probably never have root!
    1
    I'm having trouble with unlocking the bootloader. I'm using the Live DVD from the MTKClient, but it seems to be getting stuck with "Status: Handshake failed, retrying..." and "Please disconnect, start mtkclient and reconnect". I'm not too familiar with Linux, I'm just double clicking the "MTK" app on the Live DVD desktop and running the commands from there. My device is powered off when running the commands and downgraded to Android 10. I have tried using the Live DVD on a virtual machine and running on two computers, but it doesn't seem to change anything.

    EDIT: Used version 1.52 under the releases tab in Github and was successful. For idiots like me, heres what I did:

    1. Download the Live CD provided and run it on a computer
    2. On a seperate computer, download the latest release of MTKClient under the releasess tab (version 1.52) and extract to a USB drive
    3. Boot into Live USB
    4. Copy over MTKClient version 1.52 to Live CD
    5. In the MTKClient files, right click and click "Open Terminal Here"
    6. Follow original steps above to unlock bootloader

    To root, I also used the Live CD since I kept getting issues in Windows
    1. In Linux terminal, run "sudo apt-get install android-tools-fastboot" and "sudo apt-get install android-tools-adb"
    2. Follow original steps to root phone
    3. Make sure you replace "boot_a.bin" with the name of the file that Magisk generated
    4. I typed in "fastboot flash boot_a" and then dragged the Magisk generated file and did that for Boot_b too
    1
    @double b26 Hey whats up. The normal fastboot method doesn't work for newer LG devices because those don't have normal fastboot, they only have fastbootd, which is fastboot in userspace. The bootloader unlock commands are missing, so you can't really do anything in there besides flash some partitions while in there.

    As of now there isnt a KDZ for G900TM20i, and I recommend you use Ubuntu 20.04 LTS or newer so you dont run into compatibility issues.
    Also I believe the handprint and faceprint options in the hidden menu are meant for the G8, guess LG was too lazy to remove those options.
    1
    I just want to chime in and thank all the people that made this root possible. I had trouble unlocking the bootloader using Windows. Ended up using the live CD and that worked like a charm.

    I got the phone for free during last year's T-Mobile Black Friday. Now that it is rooted, the phone is actually useful. It's really not a bad phone. The screen quality is great. It also has a headphone jack and a built-in FM radio.

    EDIT: Just found out that the memory can be expanded to 2TB with an sdcard and there is also a desktop mode if used with a USB-C to HDMI dongle. If this had a better camera, I would actually consider using it as a daily driver!