[GUIDE] Unlock your LG V40 via 9008 mode (Every Variant except T-Mobile)

Search This thread

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
This Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)

Unlock Prerequisites:
Make sure you have "Enable OEM Unlock" enabled in developer options, along with adb debugging. Very important. You'll be stuck with the red triangle otherwise. If you don't have the "Enable OEM Unlock" option in developer options, you'll have to flash frp with the v35 engineering bootloader. The frp image will be provided in the attachments section.

QPST Download:
It turns out the reason QFIL is failing is because it's missing quite a bit of stuff. I'm providing the zip to QPST (It's actually required) to install. QPST includes QFIL. My fault, I'm all over the place with this... Here it is (GDrive): QPST

Booting into EDL:
Note: This can be done while booted!

1. Plug in your Phone to your PC

2. Press and hold Power and Volume Down

3. As soon as your screen blanks, rapidly start pressing volume up.

4. If you've successfully booted into EDL, your screen will be completely blank and the device manager will show (Under COM Ports): Qualcomm HS-USB QDLoader 9008

nQeN45t.png


Using QFIL to Unlock Your Bootloader
QPST should be installed, and your in 9008 plugged into your PC.

Setting up QFIL:
1. Launch QFIL and set your storage type to UFS. This is located at the bottom right corner of the window The LG V40 has UFS storage. The leaked loader is a loader for LG SD845 UFS devices. If you try to send the loader with your storage set to emmc, it will NOT work. By default, it is set to emmc.

9jvV3rv.png


2. Select the port. Click select port and select the one that says "Qualcomm HS-USB QDLoader 9008 (COM #)" That is your phone. After it is highlighted, press OK.

3. Under select programmer, click browse, find the loader and select it.

4. Your screen should now look like this (Minus the Flat Build Stuff, that is for total unbrick purposes):

DmnzGBy.png


QFIL is now all setup and ready for flashing.

Flashing the Engineering Bootloader

1. In the upper left hand corner of the Window, click on Tools > Partition Manager from the drop down menu

smxXCkP.png


2. When the Partition Manager window comes up, find "abl_a" > click on it > right click and select Manage Partition Data.

AzuFXMm.png


3. When the "Raw Data Manager" window comes up, there are four options to choose from (I'll tell you what each of them does):

  • Erase: Wipes the specified partition clean
  • Read Data...: Backs up the partition. It will tell you where it saved it in the log output in the main window
  • Load Image: Flashes a .img file of your choice to the specified partition
  • Close: Brings you back to the Partition Manager

LKG7Wkg.png


You'll be using the load image function to flash the V35 Engineering bootloader to your device.

4. Click load image then select the V35 engineering bootloader. It will flash the image to your device.

Unlocking Your Device:

Now that the V35 Engineering Bootloader has been flashed to your device:

1. Press and hold the Power and Volume Down buttons until your device reboots out of 9008. When you hear the disconnect sound, immediately hold volume down (only volume down) to enter fastboot right away (this is required for both methods, my apologies).

2. When you've entered fastboot, execute this command:
Code:
fastboot oem unlock
Userdata will be wiped as a security measure as with all android devices.

3. While you're still in the v35 engineering bootloader flash back the stock pie bootloader (If originally on pie firmware) with:
Code:
fastboot flash abl_a path/to/ablpiestock.img

The V35 Engineering bootloader is OREO only. Some people have managed to boot with this on pie firmware. But generally, you WON'T be able to boot with this flashed if you're on PIE firmware. If you're on Oreo firmware, you can leave this flashed


4. For devices without the "Enable OEM Unlock" option, you'll need to flash frp! You can do so with (While still in V35 Bootloader):

Code:
fastboot flash frp path/to/frp

4a. Reboot right back into fastboot (hold volume down after rebooting) and run:
Code:
fastboot oem unlock

The reason you can't unlock your T-Mobile device is because no other bootloader/firmware will work with T-Mobile devices. Only T-Mobile firmware will work on it. If you're looking for root, avoid V405TA (T-Mobile) phones. Any other model will work for this.
 

Attachments

  • ablpiestock.img
    216 KB · Views: 6,256
  • v35eng.img
    1 MB · Views: 7,022
  • prog_ufs_firehose_Sdm845_lge.zip
    262.3 KB · Views: 7,676
  • frp.zip
    16 KB · Views: 5,560
Last edited:

TheLinuxMan02

Member
Sep 15, 2017
16
3
For some reason, the status says Download Fail:Fail to find QDLoader port after switch when I try to go to the partition manager.
 

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
Crap, I completely forgot an important detail. If you are using 9008 mode for the first time, you'll need to update the driver in Device Manager. Then select the port. My fault, I'll update that now.
It should say: Qualcomm HS-USB QDLoader 9008
 

tech_infinity

Senior Member
Jun 16, 2014
2,484
1,534
aakashverma.com
LG V30
@Xsavi This is Awesome! I might get a V40 later in the year
Btw a small point, the title says: Unlock your LG V40 (Via 9008) Root ONLY for T-Mobile variants.
while guide says: his Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)
Title probably needs to be corrected :p
 

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
@Xsavi This is Awesome! I might get a V40 later in the year
Btw a small point, the title says: Unlock your LG V40 (Via 9008) Root ONLY for T-Mobile variants.
while guide says: his Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)
Title probably needs to be corrected :p

Title and guide has been corrected. Thank you for the much needed suggestion!
 

toddyskates

Member
May 1, 2012
10
4
Also getting a Download Fail, but mine reads "Download Fail:Sahara Fail:QSaharaServer Fail:process fail". My port is showing as Qualcomm HS-USB QDLoader 9008 (COM7). I was sure to try to update the driver in device manager, and am prompted that "The best drivers for your device are already installed".
 

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
Also getting a Download Fail, but mine reads "Download Fail:Sahara Fail:QSaharaServer Fail:process fail". My port is showing as Qualcomm HS-USB QDLoader 9008 (COM7). I was sure to try to update the driver in device manager, and am prompted that "The best drivers for your device are already installed".

The culprit is QFIL being by itself instead of being installed with QPST.
 

WaseemAlkurdi

Senior Member
Apr 3, 2014
711
528
Amman
Is that a full, permanent unlock V30-style? So that means that I could now go ahead and buy a North American LG V40 safely as long as it isn't T-Mobile?
 

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
Is that a full, permanent unlock V30-style? So that means that I could now go ahead and buy a North American LG V40 safely as long as it isn't T-Mobile?

With 9008 and this firehose, you have complete access to your phone and can flash anything you want with no restrictions.

As long as it isn't T-Mobile, you're fine. The firehose works on those models, but any other firmware/bootloader won't work, so you can't really unlock on T-Mobile models.
 

clutterking

Senior Member
Jan 15, 2010
77
4
How to enter edl mode?

I can't wait to try this!

I'm holding pwr & - vol until the phone resets. While holding pwr & - vol down, I am tapping + vol. I can't get to the blank screen, the phone just restarts normally. Any advice?
 

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
I can't wait to try this!

I'm holding pwr & - vol until the phone resets. While holding pwr & - vol down, I am tapping + vol. I can't get to the blank screen, the phone just restarts normally. Any advice?

You have to start pressing volume up as soon as the screen blanks. It's an extremely small window. It'll take a few tries though. Plug in your device, and as soon as you hear the disconnect sound, start pressing volume up. It helps a little for me.
 
  • Like
Reactions: tech_infinity

WaseemAlkurdi

Senior Member
Apr 3, 2014
711
528
Amman
With 9008 and this firehose, you have complete access to your phone and can flash anything you want with no restrictions.

As long as it isn't T-Mobile, you're fine. The firehose works on those models, but any other firmware/bootloader won't work, so you can't really unlock on T-Mobile models.

Awesome! You guys are brilliant!
So do we expect a kickstart in development (like the V30's dev scene) now that an unlock is available for everybody?

And one last question: does this mean that we can unlock a (network) locked phone this way? I know that the usual answer is 'no', but from what I've seen around here, there's something called 'cross-flashing' of US unlocked firmware. Perhaps that means an unlock?
If not, do online unlock services work? (I do not want any names - I just want to know whether any service at all works).

I do apologize if my questions are stupid - it's only that with the overwhelming amount of (sometimes contradictory) posts here, I just want to make sure I'm doing everything correctly! :laugh:
 

Xsavi

Senior Member
Mar 29, 2014
70
114
Georgia, USA
Awesome! You guys are brilliant!
So do we expect a kickstart in development (like the V30's dev scene) now that an unlock is available for everybody?

And one last question: does this mean that we can unlock a (network) locked phone this way? I know that the usual answer is 'no', but from what I've seen around here, there's something called 'cross-flashing' of US unlocked firmware. Perhaps that means an unlock?
If not, do online unlock services work? (I do not want any names - I just want to know whether any service at all works).

I do apologize if my questions are stupid - it's only that with the overwhelming amount of (sometimes contradictory) posts here, I just want to make sure I'm doing everything correctly! :laugh:

Your questions aren't stupid. :)

Unfortunately, you can't sim unlock using this method. I'm hoping this will kickstart development for this device also, I already have a few ROMs made I have yet to release to XDA. Any 3rd party online unlock services are scams. Nowadays, everything is done server side when it comes to SIM unlocking your phone.

No problem dude! If you have any other questions, feel free to reach out to me. I'm super active in the V40 telegram group. I'm becoming more active here too (I need to. LoL).
 

copota

Senior Member
Jun 29, 2012
187
91
USA
Samsung Galaxy Note 20 Ultra
Note: If on Pie firmware, boot back into 9008 and flash the latest TWRP, along with the stock ABL so you can boot back into your firmware. With the engineering bootloader, you can't boot pie firmware. Only oreo.

Hey, thanks so much for this method. A damned shame we got to go through this just to get fastboot on these damn phones, but you're the all-stars we need to get it going.

Question. How are we flashing TWRP and ABL? Using fastboot or QFIL? Also, do you have a link to the latest TWRP? I know there's a thread in this forum for TWRP by SGCMarkus. Is that the TWRP version you recommend?
 
Last edited:

skeeeee

Member
Dec 16, 2015
9
3
Hey, thanks so much for this method. A damned shame we got to go through this just to get fastboot on these damn phones, but you're the all-stars we need to get it going.

Question. How are we flashing TWRP and ABL? Using fastboot or QFIL? Also, do you have a link to the latest TWRP? I know there's a thread in this forum for TWRP by SGCMarkus. Is that the TWRP version you recommend?

You can use either method to flash twrp and abl. If in QFIL, just follow the steps above but choose boot_a or boot_b for TWRP, and abl_a and abl_b for stock abl.
 
  • Like
Reactions: sbacham and copota

copota

Senior Member
Jun 29, 2012
187
91
USA
Samsung Galaxy Note 20 Ultra
I can't get my phone into 9008 mode. Would it be because I crossflashed my phone? Here's my crossflashing history...

edit: Never mind, when I plugged my phone into a power source, then tried it, I was able to get into 9008 mode.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 45
    This Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)

    Unlock Prerequisites:
    Make sure you have "Enable OEM Unlock" enabled in developer options, along with adb debugging. Very important. You'll be stuck with the red triangle otherwise. If you don't have the "Enable OEM Unlock" option in developer options, you'll have to flash frp with the v35 engineering bootloader. The frp image will be provided in the attachments section.

    QPST Download:
    It turns out the reason QFIL is failing is because it's missing quite a bit of stuff. I'm providing the zip to QPST (It's actually required) to install. QPST includes QFIL. My fault, I'm all over the place with this... Here it is (GDrive): QPST

    Booting into EDL:
    Note: This can be done while booted!

    1. Plug in your Phone to your PC

    2. Press and hold Power and Volume Down

    3. As soon as your screen blanks, rapidly start pressing volume up.

    4. If you've successfully booted into EDL, your screen will be completely blank and the device manager will show (Under COM Ports): Qualcomm HS-USB QDLoader 9008

    nQeN45t.png


    Using QFIL to Unlock Your Bootloader
    QPST should be installed, and your in 9008 plugged into your PC.

    Setting up QFIL:
    1. Launch QFIL and set your storage type to UFS. This is located at the bottom right corner of the window The LG V40 has UFS storage. The leaked loader is a loader for LG SD845 UFS devices. If you try to send the loader with your storage set to emmc, it will NOT work. By default, it is set to emmc.

    9jvV3rv.png


    2. Select the port. Click select port and select the one that says "Qualcomm HS-USB QDLoader 9008 (COM #)" That is your phone. After it is highlighted, press OK.

    3. Under select programmer, click browse, find the loader and select it.

    4. Your screen should now look like this (Minus the Flat Build Stuff, that is for total unbrick purposes):

    DmnzGBy.png


    QFIL is now all setup and ready for flashing.

    Flashing the Engineering Bootloader

    1. In the upper left hand corner of the Window, click on Tools > Partition Manager from the drop down menu

    smxXCkP.png


    2. When the Partition Manager window comes up, find "abl_a" > click on it > right click and select Manage Partition Data.

    AzuFXMm.png


    3. When the "Raw Data Manager" window comes up, there are four options to choose from (I'll tell you what each of them does):

    • Erase: Wipes the specified partition clean
    • Read Data...: Backs up the partition. It will tell you where it saved it in the log output in the main window
    • Load Image: Flashes a .img file of your choice to the specified partition
    • Close: Brings you back to the Partition Manager

    LKG7Wkg.png


    You'll be using the load image function to flash the V35 Engineering bootloader to your device.

    4. Click load image then select the V35 engineering bootloader. It will flash the image to your device.

    Unlocking Your Device:

    Now that the V35 Engineering Bootloader has been flashed to your device:

    1. Press and hold the Power and Volume Down buttons until your device reboots out of 9008. When you hear the disconnect sound, immediately hold volume down (only volume down) to enter fastboot right away (this is required for both methods, my apologies).

    2. When you've entered fastboot, execute this command:
    Code:
    fastboot oem unlock
    Userdata will be wiped as a security measure as with all android devices.

    3. While you're still in the v35 engineering bootloader flash back the stock pie bootloader (If originally on pie firmware) with:
    Code:
    fastboot flash abl_a path/to/ablpiestock.img

    The V35 Engineering bootloader is OREO only. Some people have managed to boot with this on pie firmware. But generally, you WON'T be able to boot with this flashed if you're on PIE firmware. If you're on Oreo firmware, you can leave this flashed


    4. For devices without the "Enable OEM Unlock" option, you'll need to flash frp! You can do so with (While still in V35 Bootloader):

    Code:
    fastboot flash frp path/to/frp

    4a. Reboot right back into fastboot (hold volume down after rebooting) and run:
    Code:
    fastboot oem unlock

    The reason you can't unlock your T-Mobile device is because no other bootloader/firmware will work with T-Mobile devices. Only T-Mobile firmware will work on it. If you're looking for root, avoid V405TA (T-Mobile) phones. Any other model will work for this.
    5
    Incorrectly referred to EDL than Download mode

    HI all, I just wanted to share my experience of this that may give some extra help for others going through this. But first, I'd not have got anywhere if it wasn't for a bunch of you on here, so many thanks to @Xsavi, @Ainz_Ooal_Gown, @DLS123, @LameMonster82 and many others! And I may as well pre-thank @SGCMarkus as his threads are coming soon enough...

    Ok, so my initial goal was to get root on my LG V40...

    I started with an LM-V405EBW V20a-IND-XX, so that meant I was not able to unlock the bootloader using the official LG method - I've got to admit, I liked the LG V40 phone, and it was a good price, and I thought it had developer support... I missed that it was only for one market (come on LG, please do better!)

    Anyway, challenge was set! All I really wanted was to have root... I naïvely thought a combination of @Ainz_Ooal_Gown's LGUP Guide and some KDZ tweaking from @DLS123 would get me there; however, I was about to run in to two snags: CrossDL errors and Chain of Trust issues

    So my first thought was: could I perhaps flash an EU image onto the phone and also get a bunch of security upgrades too! So I downloaded the latest one, V20e-LAO-COM. Then following @Ainz_Ooal_Gown's guide I evenutally ran into the CrossDL "Error 0x6004 OPEN_ESA_DS > OPEN_EU_DS". From searching around the only way I could force this was to use the LGUP_Cmd.exe from the LGUP v1.15 Developer version. And this worked perfectly, even though there were rumours around that such an indiscriminate flashing could be very dangerous and brick my phone - so beware and be careful!

    Ok, so now I learnt that IMEI and OEM Device-ID are a more integral part of the phone, and this flash has only brought me useful security fixes that my previous would not have - so that's good. However, I am a long way from root as my reading around this informed me that unless I could break the QCom Chain of Trust (eg. unlock the bootloader, etc.) then I was not going to get a phone that would boot up, certainly patching the boot in a KDZ image was not going to work. I saw that I could have this done remotely with those who owned an Octopusbox by hooking up via some websites or the V40 Telegram group - sadly both felt a little like giving up, and I couldn't afford one of the boxes so...

    Then I found this, @Xsavi's, guide. I ended up using the latest QPST from QPSTtool.com. I probably didn't need it, however I was getting many "Download Fail:Sahara Fail:QSaharaServer Fail:process fail" errors. I was unable to get the QFIL tool to download the partitions in the Partition Manager part of QFIL. When it works it should be very quick, but when it doesn't it will stall for a while, output some logs, and then that error (similar to the output here, although they are doing something different).
    Using the latest version of QPST seemed to fix this with the one given in this thread. But then it too started failing with the same error. So, from more reading, I started to get a feel that timing and maybe environment was important. In terms of timing, as soon as you put the phone into 9008 Mode* you need to as quickly as possible load up the Partition Manager, and in terms of environment, a freshly restarted phone put into this mode... possibly similar for the QPST tooling too... I didn't manage to repeat this to be sure.
    (* yes - 9008 Mode is a black screen, doesn't boot, doesn't seem to be on, hold <power>+<vol down> to reboot out of it. You also need to have the cable plugged it to go into this mode it seemed. And you have to be very quick once you turn the power off, pressing the <vol up> button to go into it too. You will know you got it as the phone will not turn back on, and in Windows Device Manager you will see the Qualcomm HS-USB QDLoader 9008 come up)

    I did a few things different from this guide that I'll cover here: I took a backup for the abl_a/abl_b and laf_a/laf_b partitions using QFIL. When you look at a partition you have an option to Read it too. I used this to make backups. I then used the V35 image to unlock the bootloader of the V40! (yes! success!) I then restored the abl_a I took a backup of. When I rebooted I was presented with a fastboot that was now not looking for unlocks, it wanted me to flash things. So I put the phone into Download mode, and then using LGUP I restored the V20e-LAO-COM KDZ. After a few reboots, a reset, and some processing time the LG V40 is now up and running and importantly with the bootloader still unlocked! And everything seems to be working so far...

    I realise looking back I could have cut out the CrossDL issues as everything would have been erased in the bootloader unlock. Oh and all of this was done via Windows 8.1 VM in VirtualBox: you can both download IMGs from Microsoft's site, then another part will give you the Product Keys. Anyway, hope that helps others a little bit through this too - next is to finally try out @DLS123's Magisk tutorial and I should be done, until some LineageOS desire sets in.

    Thanks again everyone! Looking forward to what can be done in this space now for this phone: 9008 Mode is amazing (and terrifying) for its scope!
    5
    Awesome! You guys are brilliant!
    So do we expect a kickstart in development (like the V30's dev scene) now that an unlock is available for everybody?

    And one last question: does this mean that we can unlock a (network) locked phone this way? I know that the usual answer is 'no', but from what I've seen around here, there's something called 'cross-flashing' of US unlocked firmware. Perhaps that means an unlock?
    If not, do online unlock services work? (I do not want any names - I just want to know whether any service at all works).

    I do apologize if my questions are stupid - it's only that with the overwhelming amount of (sometimes contradictory) posts here, I just want to make sure I'm doing everything correctly! :laugh:

    Your questions aren't stupid. :)

    Unfortunately, you can't sim unlock using this method. I'm hoping this will kickstart development for this device also, I already have a few ROMs made I have yet to release to XDA. Any 3rd party online unlock services are scams. Nowadays, everything is done server side when it comes to SIM unlocking your phone.

    No problem dude! If you have any other questions, feel free to reach out to me. I'm super active in the V40 telegram group. I'm becoming more active here too (I need to. LoL).
    3
    @Xsavi This is Awesome! I might get a V40 later in the year
    Btw a small point, the title says: Unlock your LG V40 (Via 9008) Root ONLY for T-Mobile variants.
    while guide says: his Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)
    Title probably needs to be corrected :p

    Title and guide has been corrected. Thank you for the much needed suggestion!
    3
    Also getting a Download Fail, but mine reads "Download Fail:Sahara Fail:QSaharaServer Fail:process fail". My port is showing as Qualcomm HS-USB QDLoader 9008 (COM7). I was sure to try to update the driver in device manager, and am prompted that "The best drivers for your device are already installed".