[GUIDE][UNBRICK] Patch LGUP to unlock features & unbrick V20 (Variant mismatch fix)

[Prowler_gr]

[GUIDE][UNBRICK] Patch LGUP to unlock features & unbrick V20 (Variant mismatch fix)

Team

After a flash gone very bad, I got myself a brick with a locked bootloader & wrong viariant in LGUP [US996-->H990ds].
In my attempt to recover I tried several silly things including flashing another variants firmware, however I managed to find a way to unbrick & restore the original firmware.

I ran into the G5 thread by @smitel, and did something similar for our V20 by patching LGUP.exe & our phones LGUP_common.dll with HxD Hex editor (my patched files attached).

After doing this I was able to force-flash either partial or full stock kdz using the [PARTITION DL] option, bypassing the variant mismatch warning (Phone was fully recognised as US996).
It even corrected the partition layout (H990DS is different to US996).

Credits about the original patch should go to @smitel
Press the THANKS button if you have found this thread helpfull

 

[emdroidle]

I ran into the G5 thread by @smitel by patching LGUP.exe & our phones LGUP_common.dll with HxD Hex editor (my patched files attached)
After doing this I was able to force-flash either partial or full stock kdz using the [PARTITION DL] option, without getting the dreaded variant mismatch.

I very glad to read you managed to save your phone! What you've found though may potentially be rather more powerful than you think (I don't know how powerful you think this is).

Instead of the complex DirtySanta procedure using DirtyCOW/CVE-2016-5195, it should be possible to use this to directly rewrite aboot. At which point you've greatly simplified the procedure, as well as opening it up for phones which lack a sufficiently early KDZ (Sprint which has no KDZ, H990TR which January is earliest).

Does still need a bit of experimentation to confirm though...

 

[Prowler_gr]

I very glad to read you managed to save your phone! What you've found though may potentially be rather more powerful than you think (I don't know how powerful you think this is).

Instead of the complex DirtySanta procedure using DirtyCOW/CVE-2016-5195, it should be possible to use this to directly rewrite aboot. At which point you've greatly simplified the procedure, as well as opening it up for phones which lack a sufficiently early KDZ (Sprint which has no KDZ, H990TR which January is earliest).

Does still need a bit of experimentation to confirm though...

I'm aware of the great value of my discovery. (Almost makes us unbrickable)
I was able to upgrade official firmware without loosing root or twrp.
To be honest I haven't tried flashing aboot or unofficial kdz, but if possible it unlocks full potential....

 

[emdroidle]

I'm aware of the great value of my discovery. (Almost makes us unbrickable)
I was able to upgrade official firmware without loosing root or twrp.
To be honest I haven't tried flashing aboot or unofficial kdz, but if possible it unlocks full potential....

I'd hardly rate it as "almost unbrickable" (`dd if=/dev/zero of=/dev/block/bootdevice/by-name/xbl2`; you're toast), but does give additional tricks.
There are a few other methods of doing firmware upgrades without losing root or TWRP. Both extracting the KDZ and turning into a flashable .zip, or my tool for directly writing the contents of a KDZ file.

The real potential here is if this can be used to install the DirtySanta aboot image, then it is a much simpler installation method. This should also be able to avoid the unreliable installing TWRP via `fastboot flash`. Additionally since this isn't relying on DirtyCOW/CVE-2016-5195 even up to date phones should be able to use this.

You're on a vanilla H990 single-SIM? Rooted via my method? Other method?

 

[Prowler_gr]

I agree that this method won't save you once you lose "Download Mode" that's why I used the word "Almost"

I have a dual-sim H990DS, originally rooted with your method (even paid for your bounty. although hadn't pledged).
I had a US996 rom fully flashed on my phone (with different partition layout), & I was still able to go back using this method.

 

[runningnak3d]

Well, I will be the guinea pig

I got my H910 back from LG, and of course dirtycow was patched, so if this can flash the us996 debug aboot and not brick my phone, that will be something.

EDIT: @emdroidle I am not at home, but looking at your repo, it looks like you are now able to package back up a v20 format KDZ. If that is true, and this patched LG UP can ignore the signature of the KDZ -- this may very well be one of the greatest finds in a long time. Really looking forward to testing it to see....

 

[bilong9]

It worked on my device. thank you very much

---------- Post added at 02:07 PM ---------- Previous post was at 02:02 PM ----------

Well, I will be the guinea pig

I got my H910 back from LG, and of course dirtycow was patched, so if this can flash the us996 debug aboot and not brick my phone, that will be something.

EDIT: @emdroidle I am not at home, but looking at your repo, it looks like you are now able to package back up a v20 format KDZ. If that is true, and this patched LG UP can ignore the signature of the KDZ -- this may very well be one of the greatest finds in a long time. Really looking forward to testing it to see....

I have a h910 device and I have kdz to h910pr version. But I can not unlock device to root. And I used this way. It can kdz us996 files without problems

 

[runningnak3d]

@bilong9 So you flashed a stock US996 KDZ onto your H910 with this method, or did you repackage a KDZ with the US996 debug aboot?

-- Brian

 

[bilong9]

Well, I will be the guinea pig

I got my H910 back from LG, and of course dirtycow was patched, so if this can flash the us996 debug aboot and not brick my phone, that will be something.

EDIT: @emdroidle I am not at home, but looking at your repo, it looks like you are now able to package back up a v20 format KDZ. If that is true, and this patched LG UP can ignore the signature of the KDZ -- this may very well be one of the greatest finds in a long time. Really looking forward to testing it to see....

@bilong9 So you flashed a stock US996 KDZ onto your H910 with this method, or did you repackage a KDZ with the US996 debug aboot?

-- Brian

Yes. I used this method for my h910 device. My english is very bad sorry

---------- Post added at 02:50 PM ---------- Previous post was at 02:26 PM ----------

---------- Post added at 02:54 PM ---------- Previous post was at 02:50 PM ----------

 

[Prowler_gr]

I already knew that you can flash any V20 variants stock rom if the kdz is officially signed by LG (my phone was fully recognised as US996 when bricked & was able to flash H990DS firmware).
What I don't know is if an unofficial .kdz (not signed by LG - eg compiled with KDZ extractor) can be flashed.
I strongly suspect it would but haven't tried it yet.

 

[Slashbeast24]

I wish this had worked for me. Both LGUP and LG Flashtool 2014 both fail every time. With your patched files for LGUP I got stuck at 4% and then it crashes. Before I used the patched files I got stuck at 9% and then it crashes. I'm on US99610H and I want to downgrade but have had no luck and I can't seem to find how to solve the issues I'm having.

 

[pro_granade]

@me2151

 

[Prowler_gr]

I wish this had worked for me. Both LGUP and LG Flashtool 2014 both fail every time. With your patched files for LGUP I got stuck at 4% and then it crashes. Before I used the patched files I got stuck at 9% and then it crashes. I'm on US99610H and I want to downgrade but have had no luck and I can't seem to find how to solve the issues I'm having.

Perhaps try one partition at a time, or try disabling antivirus (my hex edit invalidates the files signature hence some antivirus may classify it as malware).
To be sure I would try flashing US99610H again (to rule-out anti-rollback)...

 

[me2151]

@me2151

already attempted it yesterday. it dumps partitions fine but installing partitions is wonkey. it wouldnt flash my boot.img but would flash its header so the phone refused to boot. crashes when you try to flash aboot on.

 

[Slashbeast24]

Perhaps try one partition at a time, or try disabling antivirus (my hex edit invalidates the files signature hence some antivirus may classify it as malware).
To be sure I would try flashing US99610H again (to rule-out anti-rollback)...

Alright, so I downloaded the US99610H KDZ and I just hit Upgrade and It did say something about Anti-Rollback check passed and the LGUP program didn't crash. Is there any way to go back to a previous firmware version or am I stuck with an Unrootable V20?

 

[Prowler_gr]

Alright, so I downloaded the US99610H KDZ and I just hit Upgrade and It did say something about Anti-Rollback check passed and the LGUP program didn't crash. Is there any way to go back to a previous firmware version or am I stuck with an Unrootable V20?

That hints that anti-rollback is active on your phone (you can flash your current firmware or a higher version - not an older one). Try flashing system only & see what happens (cannot guarantee you won't get a brick, but I believe its highly unlikely - you have been warned)

 

[Prowler_gr]

already attempted it yesterday. it dumps partitions fine but installing partitions is wonkey. it wouldnt flash my boot.img but would flash its header so the phone refused to boot. crashes when you try to flash aboot on.

Is your phone still recognised?
I suggest you retry with another cable (try the lg stock), updated drivers etc. I have flashed aboot many times on my H990DS.

 

[me2151]

Is your phone still recognised?
I suggest you retry with another cable (try the lg stock), updated drivers etc. I have flashed aboot many times on my H990DS.

lol my phones bricked now(different reason than this) and im leaving the v20 scene

 

[Slashbeast24]

Perhaps try one partition at a time, or try disabling antivirus (my hex edit invalidates the files signature hence some antivirus may classify it as malware).
To be sure I would try flashing US99610H again (to rule-out anti-rollback)...

That hints that anti-rollback is active on your phone (you can flash your current firmware or a higher version - not an older one). Try flashing system only & see what happens (cannot guarantee you won't get a brick, but I believe its highly unlikely - you have been warned)

Alright, so if I just flash the system while clicking Partition DL, I run the risk of having a brick. If I don't get a brick would that somehow deactivate anti-rollback if I just flash the US99610H System?

 

[Prowler_gr]

lol my phones bricked now(different reason than this) and im leaving the v20 scene

lol. You got me sweating. I farewell you (in your thread), & then I read your post here thinking it's because of this...
Enjoy your new toy!!!