[GUIDE] Official LG G6 Bootloader Unlock (Currently supported: EU H870, USA US997)

Search This thread
By:
Advanced…
T

tracid1987

Senior Member
Mar 11, 2021
61
10
network-samurai said:
yes try logging in then in a separate tab open https://web.archive.org/web/2017022...r.lge.com/resource/mobile/IssueDeviceInfo.dev
Click to expand...
Click to collapse
I have just registered. But after opening this link it says page under construction :D funny :)

I have seen a post a member is seeking devs into his team to reverse engineer the algorythm. I think now is a big hope they will succeed.
Until now they were not motivated because the LG site was working so why spend time developing something which is alredy there for you. But now its gone so its a motivation to challenge themselves and find a solution. If they can solve safetynet they can solve this as well. I will be ready to support them by donating, i wont want the bootloader unlock for free :)
 
  • Like
Reactions: Cryomichel
N

network-samurai

Member
Mar 2, 2022
8
4
tracid1987 said:
I have just registered. But after opening this link it says page under construction :D funny :)

I have seen a post a member is seeking devs into his team to reverse engineer the algorythm. I think now is a big hope they will succeed.
Until now they were not motivated because the LG site was working so why spend time developing something which is alredy there for you. But now its gone so its a motivation to challenge themselves and find a solution. If they can solve safetynet they can solve this as well. I will be ready to support them by donating, i wont want the bootloader unlock for free :)
Click to expand...
Click to collapse
Try the 2019 link https://web.archive.org/web/2019111...r.lge.com/resource/mobile/IssueDeviceInfo.dev
 
T

tracid1987

Senior Member
Mar 11, 2021
61
10
BOXOFAWEEEEESOME said:
Serious Inquiry: Would you like to help my team reverse-engineer the LG bootloader locking algorithm? We plan to step though the process of failed and successful attempts while analyzing the state of components at each step. As many know, LG has recently terminated their unlocking service as they are no longer going to be manufacturing mobile phones. Devs everywhere are seeking a way to continue to unlock LG devices. I believe that we could make that possible, either for profit, or for the joy of successfully reverse-engineering a cryptographic algorithm, matched with a resounding cheer from superusers everywhere. Feel free to leave me a message @ [email protected]
Click to expand...
Click to collapse
 
N

network-samurai

Member
Mar 2, 2022
8
4
They must work with waybackmachine because the page was setup to redirect on page load no matter what. I have bypassed it by loading the file locally and removing the body onload function.

Which reveals the pages core functions, which I have identified this following line of particular interest, which I have amended to include the LG domain.

Code: 
var target = "https://developer.lge.com/resource/mobile/common/file/DownloadFile.dev" + "?fileId=" + encodeURIComponent( json.fileId ) ;

I believe this could possibly be reverse engineered to give us a direct link to where the files were originally hosted. I have probed the URL above which still appears to be active. The JSON component is the file ID of the file you want to download.

There are other functions present which may also interest others. I recommend reading directly from the source (ARCHIVE.org DEC 6 2021) as I have modified these functions to point to LG's domain for - probing purposes :alien:.

Code: 
<!-- file download시 사용 -->
// there was an iframe panel here i had to remove before I could post to XDA

    //event 호출시 정의된  parameter
    var successUrl;
    var frm;

    //로그인&메일인증여부 check(폼이름, 확인후 이동 action, 블랙리스트 체크여부)
    function checkLogin(vFrm, vSuccessUrl, vChkBlist) {
        var aJax = new devon.xSync("https://developer.lge.com/resource/mobile/main/CheckLogin.ajax");
        frm = vFrm;
        successUrl = vSuccessUrl;
        aJax.addQuery(frm);
        aJax.fire(); 
    }
    //afterAction(checkLogin) - 미로그인 상태일때 개발자등록 안내 Layer
    function failLogin() { 
        goRegisterGuide();   
      
    }
    //afterAction(checkLogin) - 로그인&메일인증 일때
    function successLogin(){
        if(successUrl != "") {
            actSubmit(frm, successUrl);
        }else{
            successLoginCheck();    //event 호출 화면에 선언 필요
        }
    }
    //개발자등록 안내 Layer Open
    function goRegisterGuide(){
            
        var popupWidth = $("#registerGuideView").width();
        var popupHeight = $("#registerGuideView").height();
      
        var wWidth = $(window).width();
        var wHeight = $(window).height();
      
        var offsetLeft = $( "#canvas" ).offset().left;
        var offsetTop = $( "#canvas" ).offset().top;
      
        var left = ( (wWidth  - popupWidth ) / 2 ) - offsetLeft;
        var top = ( (wHeight - popupHeight ) / 2 ) - offsetTop;
      
        $('#registerGuideView').html("");   
        $('#layerForm').ajaxSubmit({
            target:'#registerGuideView',
            url: '/main/RegisterGuide.do', 
            complete: function(){                 
                 $('#registerGuideView').dialog({
                        autoOpen:true,
                        modal: false,
                        width: 532,         
                        height: 210,   
                        resizable: false,
                        autoResize: false, 
                        overlay: {
                            opacity: 0.5,
                            background: "black"
                        },
                        open:function() {     
                            $(this).parents(".ui-dialog:first").find(".ui-dialog-titlebar").remove();
                            } 
                    });
                  
                 $('#registerGuideView').dialog('open');
            }
        });
    } 
  
      //개발자등록 안내 Layer Close
    function registerGuideClose() {
        $('#registerGuideView').dialog('close');
    }
    
  
    /* APP File 다운로드 */
    function evalDownload( fileId, funcCode ) {
        var aJax = new devon.xSync("https://developer.lge.com/resource/mobile/common/file/DownloadFilePath.ajax");   
      
        if( funcCode != undefined && funcCode != null ){
            aJax.addQuery( "funcCode", funcCode );         
        }     
        aJax.addQuery( "fileId", fileId );
        aJax.addQuery( "onAfterAction", "evalDownloadOnAfter" );
        aJax.fire();
    }

    // <START CSR : C20140919_10980>
    /* APP File 다운로드 QATest*/
    function evalDownloadQATest( fileId, funcCode ) {
        var aJax = new devon.xSync("https://developer.lge.com/resource/mobile/common/file/DownloadFilePathQATest.ajax");   
      
        if( funcCode != undefined && funcCode != null ){
            aJax.addQuery( "funcCode", funcCode );         
        }     
        aJax.addQuery( "fileId", fileId );
        aJax.addQuery( "onAfterAction", "evalDownloadOnAfter" );
        aJax.fire();
    }
     // <END CSR : C20140919_10980>

    /* APP File 다운로드 성공시 이력 저장 */
    function evalDownloadOnAfter(json){

        if( json.successFlag == 'Y' ){
            // gfts용 파일 다운로드
            if( json.gftsUrl != undefined && json.gftsUrl !='' ){
                var target = ""+json.gftsUrl+"";
                
                //if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i)) {
                if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) || navigator.userAgent.match(/iPad/i) ) {
              
                    location.href = target;
                } else {
                    document.getElementById("ifrm").src = target;
                }               
              
             // gfts가 아닌 파일 다운로드         
            } else if (  json.fileId !='' ){
                var target = "https://developer.lge.com/resource/mobile/common/file/DownloadFile.dev" + "?fileId=" + encodeURIComponent( json.fileId ) ;
              
                //if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i)) {
                if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) || navigator.userAgent.match(/iPad/i) ) {
              
                    location.href = target;
                } else {
                    document.getElementById("ifrm").src = target;
                }
            }
        } else {
            alert("File download fail!"); 
        }
    }
 
Last edited:
  • Like
Reactions: d3xxxter
T

tracid1987

Senior Member
Mar 11, 2021
61
10
network-samurai said:
They must work with waybackmachine because the page was setup to redirect on page load no matter what. I have bypassed it by loading the file locally and removing the body onload function.

Which reveals the pages core functions, which I have identified this following line of particular interest, which I have amended to include the LG domain.

Code: 
var target = "https://developer.lge.com/resource/mobile/common/file/DownloadFile.dev" + "?fileId=" + encodeURIComponent( json.fileId ) ;

I believe this could possibly be reverse engineered to give us a direct link to where the files were originally hosted. I have probed the URL above which still appears to be active. The JSON component is the file ID of the file you want to download.

There are other functions present which may also interest others. I recommend reading directly from the source (ARCHIVE.org DEC 6 2021) as I have modified these functions to point to LG's domain for - probing purposes :alien:.

Code: 
<!-- file download시 사용 -->
// there was an iframe panel here i had to remove before I could post to XDA

    //event 호출시 정의된  parameter
    var successUrl;
    var frm;

    //로그인&메일인증여부 check(폼이름, 확인후 이동 action, 블랙리스트 체크여부)
    function checkLogin(vFrm, vSuccessUrl, vChkBlist) {
        var aJax = new devon.xSync("https://developer.lge.com/resource/mobile/main/CheckLogin.ajax");
        frm = vFrm;
        successUrl = vSuccessUrl;
        aJax.addQuery(frm);
        aJax.fire();
    }
    //afterAction(checkLogin) - 미로그인 상태일때 개발자등록 안내 Layer
    function failLogin() {
        goRegisterGuide();  
     
    }
    //afterAction(checkLogin) - 로그인&메일인증 일때
    function successLogin(){
        if(successUrl != "") {
            actSubmit(frm, successUrl);
        }else{
            successLoginCheck();    //event 호출 화면에 선언 필요
        }
    }
    //개발자등록 안내 Layer Open
    function goRegisterGuide(){
           
        var popupWidth = $("#registerGuideView").width();
        var popupHeight = $("#registerGuideView").height();
     
        var wWidth = $(window).width();
        var wHeight = $(window).height();
     
        var offsetLeft = $( "#canvas" ).offset().left;
        var offsetTop = $( "#canvas" ).offset().top;
     
        var left = ( (wWidth  - popupWidth ) / 2 ) - offsetLeft;
        var top = ( (wHeight - popupHeight ) / 2 ) - offsetTop;
     
        $('#registerGuideView').html("");  
        $('#layerForm').ajaxSubmit({
            target:'#registerGuideView',
            url: '/main/RegisterGuide.do',
            complete: function(){                
                 $('#registerGuideView').dialog({
                        autoOpen:true,
                        modal: false,
                        width: 532,        
                        height: 210,  
                        resizable: false,
                        autoResize: false,
                        overlay: {
                            opacity: 0.5,
                            background: "black"
                        },
                        open:function() {    
                            $(this).parents(".ui-dialog:first").find(".ui-dialog-titlebar").remove();
                            }
                    });
                 
                 $('#registerGuideView').dialog('open');
            }
        });
    }
 
      //개발자등록 안내 Layer Close
    function registerGuideClose() {
        $('#registerGuideView').dialog('close');
    }
   
 
    /* APP File 다운로드 */
    function evalDownload( fileId, funcCode ) {
        var aJax = new devon.xSync("https://developer.lge.com/resource/mobile/common/file/DownloadFilePath.ajax");  
     
        if( funcCode != undefined && funcCode != null ){
            aJax.addQuery( "funcCode", funcCode );        
        }    
        aJax.addQuery( "fileId", fileId );
        aJax.addQuery( "onAfterAction", "evalDownloadOnAfter" );
        aJax.fire();
    }

    // <START CSR : C20140919_10980>
    /* APP File 다운로드 QATest*/
    function evalDownloadQATest( fileId, funcCode ) {
        var aJax = new devon.xSync("https://developer.lge.com/resource/mobile/common/file/DownloadFilePathQATest.ajax");  
     
        if( funcCode != undefined && funcCode != null ){
            aJax.addQuery( "funcCode", funcCode );        
        }    
        aJax.addQuery( "fileId", fileId );
        aJax.addQuery( "onAfterAction", "evalDownloadOnAfter" );
        aJax.fire();
    }
     // <END CSR : C20140919_10980>

    /* APP File 다운로드 성공시 이력 저장 */
    function evalDownloadOnAfter(json){

        if( json.successFlag == 'Y' ){
            // gfts용 파일 다운로드
            if( json.gftsUrl != undefined && json.gftsUrl !='' ){
                var target = ""+json.gftsUrl+"";
               
                //if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i)) {
                if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) || navigator.userAgent.match(/iPad/i) ) {
             
                    location.href = target;
                } else {
                    document.getElementById("ifrm").src = target;
                }              
             
             // gfts가 아닌 파일 다운로드        
            } else if (  json.fileId !='' ){
                var target = "https://developer.lge.com/resource/mobile/common/file/DownloadFile.dev" + "?fileId=" + encodeURIComponent( json.fileId ) ;
             
                //if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i)) {
                if(navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) || navigator.userAgent.match(/iPad/i) ) {
             
                    location.href = target;
                } else {
                    document.getElementById("ifrm").src = target;
                }
            }
        } else {
            alert("File download fail!");
        }
    }
Click to expand...
Click to collapse
You are really a network samurai :D you should post this info elsewhere as well in other LG threads. somebody may team up with you to analize
 
N

network-samurai

Member
Mar 2, 2022
8
4
tracid1987 said:
You are really a network samurai :D you should post this info elsewhere as well in other LG threads. somebody may team up with you to analize
Click to expand...
Click to collapse
If we could get hold of an unlock.bin file and analyse the meta information we could possibly find out what the fileId contains, maybe it's just a simple device identifier. Then we would all be able to download our bootloader unlocks directly from source.
 
  • Like
Reactions: Cryomichel
W

WojtekCC

Member
Dec 12, 2020
37
11

Attachments

  • unlock.bin
    1 KB · Views: 129
  • Like
Reactions: d3xxxter, Hichem2006, vctzbr and 2 others
C

Cryomichel

Member
Aug 31, 2021
26
2
LG G3
LG G5
Keep going guys !!! I own a G5 H850 and I'm depserate to unlock the bootloader and try custom roms before changing phone !!
I a have a H850 running Oreo and I could provide Imei and device Id if needed !
I tried several LG supports and they dont want to hear anything sadly!
 
You must log in or register to reply here.

Similar threads

J
Google Camera HDR+ (V4.0) ported to SD820/821 and works with G6
Replies
2K
Views
614K
M
markomil
A
list of LG G6 Stock firmware
Replies
418
Views
173K
S
surfshark
1
LG G6 Moisture Detection Fix!!
Replies
60
Views
119K
B
badcrcs
mauronofrio
[TOOL][G6] TOOL ALL IN ONE (Drivers|Unlock|TWRP|Factory Image|Stock Recovery)
Replies
108
Views
106K
R
rndmcmx
D
LG G6 Android Oreo update will arrive in Europe by the end of June / Good Bye my G6
Replies
380
Views
90K
R
RisingNoob

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 76
    autoprime
    autoprime
    gnl5y9m.jpg
    The LG G6 H870 for the European market and the USA carrier-free US997 can now be officially unlocked through LG's developer unlock program.
    Your H870 is from outside Europe? You have a H871/2/3/etc or H870K/DS/etc? That's not a European H870, won't work. Your US997 tied to a carrier? Won't work.

    Please read the FAQ and use the thread search feature before asking questions.

    This thread is a work in progress and actively being updated.

    LG Developer Unlock Site Here

    Prerequisites:
    • European LG G6 H870 or USA carrier-free US997
    • Computer w/ADB & Fastboot. ADB/Fastboot for Windows here. ADB/Fastboot for Linux/OS X here.
    • Basic knowledge of ADB, Fastboot and Windows command prompt or Linux/OS X terminal.
    • Device IMEI. This 15-digit code can be found on your box, the settings menu or by dialing *#06#
    • LG developer account -- sign up for free by clicking the "Start Unlocking the Bootloader" button at the bottom of the LG site HERE.


    Directions:
    LG's official bootloader unlock directions can be found here but I've still rewritten the steps out below while revising some things and also adding steps for TWRP and root.

    1. Enable USB-Debugging on your phone. USB-Debugging is required for the adb commands to work. To enable USB-Debugging, go to Settings >> About phone >> Software info and tap Build number until it says you are now a developer. Return to the previous screen, select Developer Options and enable USB-Debugging (this option may be greyed out if you have your USB cable plugged into your phone).

    2. Enable OEM unlock on your phone. To enable OEM unlock, go to Settings >> Developer options and toggle/turn on Enable OEM Unlock.

    3. Open CommandPrompt or Terminal and enter the following ADB command to reboot into the bootloader:
    Code: 
    adb reboot bootloader
    If ADB is not detecting your device try switching your phone's USB mode from Charging to MTP or PTP. If using Windows please make sure you've installed LG's USB drivers. You can download them HERE.

    Alternatively, you may be able to boot into fastboot without ADB by powering off the phone then power the phone on while holding Volume UP (USB cable will need to be removed otherwise it may boot into LG Download Mode)

    4. Once in the bootloader, use the following fastboot command to obtain Device ID:
    Code: 
    fastboot oem device-id
    Fastboot command will return a string. This is the Device ID which is needed to generate your unique unlock key.
    Example :
    Code: 
    $ fastboot oem device-id
(bootloader)-----------------------------------------------------------------
(bootloader) Device-ID
(bootloader) CD58B679A38D6B613ED518F37A05E013
(bootloader) F93190BD558261DBBC5584E8EF8789B1
(bootloader)-----------------------------------------------------------------

    To generate your unlock key, you will need to paste together the 2 lines of output into one continuous string without "(bootloader)" or spaces. In the example above, the Device ID would be:

    CD58B679A38D6B613ED518F37A05E013F93190BD558261DBBC5584E8EF8789B1

    5. Copy Device ID and IMEI into the LG Developers Bootloader Unlock site and hit the confirm button. In a few moments the unlock.bin will be emailed to you. Download unlock.bin to computer.

    6. While the phone is still in fastboot enter the following command to unlock the bootloader:
    This will unlock your bootloader AND factory reset your device wiping all data!
    You can use the LG Backup app or LG Bridge to backup and restore your data before unlocking the bootloader.
    Code: 
    fastboot flash unlock unlock.bin

    7. You can now reboot the phone and boot into your bootloader unlocked device! Enter:
    Code: 
    fastboot reboot

    8. Want TWRP or root?
    For TWRP you will need to download the TWRP H870 image. Current unofficial TWRP build is available HERE. (thanks to @Rashed97)
    For root you will need to download either SuperSU or Magisk and then flash either of the zips using TWRP.

    Reboot back into the bootloader
    Code: 
    adb reboot bootloader
    (you'll have to first re-enable USB debugging since data was wiped after the bootloader unlock)

    or power off again.. unplug the USB cable then power on the phone while holding Volume UP.

    9. Flash TWRP:
    Code: 
    fastboot flash recovery twrp.img

    After flashing TWRP unplug the USB cable and power off the phone (hold volume down + power button).. continue holding until phone reboots...
    As soon as you see the LG logo on the screen.. let go of the power button then quickly press it again (never letting go of volume down).
    Keep holding until you see the Factory Reset screen. Click thru the factory reset screens using the volume buttons to move up/down and power button to select. Choose "Yes" twice until it boots into TWRP. Despite what the screen says it won't actually factory reset/wipe your data... as long as you've installed TWRP. If stock recovery is installed it WILL wipe data.

    For TWRP to "stick" you must 1st boot into TWRP and not boot back into Android until after doing one of the following...

    10. Now you can flash your root zip of choice.

    Feel free to back up first.. but otherwise.. time to install SuperSU/Magisk. Reboot into system when finished.

    Have fun and be careful.


    FAQ:
    Q: I have an H870 but it is not a European H870... can I unlock the bootloader?
    A: No, this official unlock program is ONLY for the H870 model for countries in Europe just like LG did for the LG G4 and G5.
    But... for about a 10 day span G4 devices from SE Asia worked with the official site and users received unlock.bin files.. despite that variant never showing up on the supported list. So you never know what can happen until you try and submit your device-id/IMEI into the LG Developer Bootloader Unlock site. :good:

    Q: Will more devices be added?
    A: Impossible to say what will happen in the future.. we must wait and see. The LG G5 bootloader unlock program was originally only open to the European H850 but months later the H840 G5SE and the USA RS988 G5 were added to the program.

    Q: I can't get my phone to show up with ADB or Fastboot, watdo?
    A: Make sure ADB/Fastboot is properly setup for your OS... udev rules setup in Linux.. LG USB drivers installed for Windows... OS X/MacOS just works. Also, confirm USB debugging is enabled.
    ADB still not working?... try changing the phones USB modes.. from maybe charging to MTP.. or MTP to PTP.

    Q: What happens to warranty if I unlock or root?
    A: YMMV I suppose. The official LG site claims that warranty is void if damage is caused by the unlock. On the T-Mobile G6 there is now a bootloader unlock counter. I will assume this counter is also on the H870/US997, so it will be hard to hide the fact that you unlocked the bootloader. Please share any unlocked bootloader LG G6 warranty replacement stories in this thread.

    Q: Can I re-lock the bootloader?
    It IS possible to re-lock the bootloader with the the command: fastboot oem lock
    You'll have to boot back into the bootloader (adb reboot bootloader) to issue the fastboot command.
    Re-locking the bootloader WILL wipe data just like the unlock process. Use LG Backup app/LG Bridge or another backup method first if you want your data.
    Flashing a KDZ in LGUP or LG Bridge will NOT relock the bootloader.

    DO NOT re-lock the bootloader if you have a modified boot/system img... restore them to stock first or you will not be able to boot into android after the lock and need to flash a KDZ in download mode.

    Q: So many words... yudodat?
    A: Here is a video on how to unlock the G4... up until the 6minute mark it is step-by-step 100% the same as G6. Only slight difference is when you get to the TWRP/root steps. https://www.youtube.com/watch?v=O64GfQORCaE
    Click to expand...
    Click to collapse

    y u quote OP?

    Follow me on twitter for future updates on LG-related things - twitter.com/@utoprime

    Find this thread helpful? Hit the Thanks button!
    Feeling extra generous? Consider donating to me.
    View
    9
    N
    nima0003
    I'm building TWRP for you guys right now
    View
    9
    autoprime
    autoprime
    @Rashed97 has put together some new TWRP images that have data mounting and data decryption working.

    downloads.codefi.re/rashed/g6/

    It is recommended to now use these TWRP builds until they are officially available on TWRP.me
    View
    5
    M
    markfm
    Thanks autoprime, keeping an eye out for us G6 owners in the rootless wasteland ☺

    (As a VS988 owner I know I'm really stuck in purgatory, but can always hope ? It was time to finally upgrade from my G3 - you did awesome work on that phone, hugely appreciated by many.)

    Donated.
    View
    5
    W
    WojtekCC
    tracid1987 said:
    Somebody must have a bin file on this forum. try to ask
    Click to expand...
    Click to collapse
    network-samurai said:
    If we could get hold of an unlock.bin file and analyse the meta information we could possibly find out what the fileId contains, maybe it's just a simple device identifier. Then we would all be able to download our bootloader unlocks directly from source.
    Click to expand...
    Click to collapse
    Do what you need to do.
    View

New posts