[GUIDE] Unlock your LG V40 via 9008 mode (Every Variant except T-Mobile)

Search This thread

AamirXtreme

Senior Member
Sep 6, 2013
59
9
Khaur
I have successfully unlocked my v40q Verizon with it and installed twrp+magisk+hovac 3.8 custom ROM. But I am unable to put my phone in Diag port 901d mode to repair it's imei. Dialer codes don't work at all. I tried "setprop sys.usb.config diag,adb " via terminal emulator and adb with su access but all in vain. Can someone guide me to enable Diag port on my phone because I read Verizon phones are notorious in this regard.
 

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
Great Guide! However, I cannot get the Partition Manager window to open. It says "Download Fail:Sahara Fail:QsaharaServer Fail:process fail"

Sahara error is exceptionally common. If you search this thread you'll find the solutions. 1) be sure to use a usb 2.0 port. 2) be sure to use a usb data cable, not charging cable. 3) be sure to have windows set to 'allow unsigned drivers' to run.

some have had to just use a different computer. It's old software (qfil).
 
Sahara error is exceptionally common. If you search this thread you'll find the solutions. 1) be sure to use a usb 2.0 port. 2) be sure to use a usb data cable, not charging cable. 3) be sure to have windows set to 'allow unsigned drivers' to run.

some have had to just use a different computer. It's old software (qfil).
Oh yeah, I was using a front panel usb 3 port... That is like the most basic troubleshooting step. How could I have forgotten that? Thanks!
 

hooutoo

Senior Member
Apr 17, 2009
465
62
Ft. Lauderdale
Sounds not good. But, numerous people I've read indicated when doing this not all lun's flash, but after doing all they could, it finally booted.

so one thing, the phone can be put in edl mode from any screen. Even if it's blank. When u plug it in, does it show the battery charge indicator? I've waited for that to almost completely finish (showing the circle and %), then press and hold all 3 buttons and when screen blanks start spamming vol up.

essentially, you can't brick a v40. Some I've read have opened the device and shorted the pins in the back, to get to edl. Personally, my device has always responded per method above.

Yeah the unfortunate thing with the backup is that after ea lun is flashed it reboots, so have to go back to edl for ea lun.

I have the xml setup to flash everything at once for at&t Q, but have only used it with the bkerler edl python utilities. It works, if u want to try it. But like all these backups, it does not contain (nor should they) the ftm, fsg, modem, modemst1, modemst2 partitions. Those contain your imei and s/n info and should not be flashed to a different phone.

good luck
Asltlies, I realize this is a pretty old post but looking for a little info concerning "bkerler edl python utilities". I wanted to see if this would work with a lmv600am? Please pm me if you can?

Thanks in advance.
 

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
Asltlies, I realize this is a pretty old post but looking for a little info concerning "bkerler edl python utilities". I wanted to see if this would work with a lmv600am? Please pm me if you can?

Thanks in advance.

So the bkerler edl python utilities need the basic firehose for the qualcomm device. I don't have a v60 so don't know if it's available for it or not. But if it is, then yes, they would work for it.
 

dervan101

Member
Aug 17, 2018
7
0
I have the same proble, but I do not understand the steps you put forward. Also how do i flash twrp because I have successfully flashed the V35 Engineering image
1641761757998.png
1641761819075.png
 

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
I have the same proble, but I do not understand the steps you put forward. Also how do i flash twrp because I have successfully flashed the V35 Engineering imageView attachment 5504525View attachment 5504527

whenever you read directions that say '/path/to/something'

They are talking about ON YOUR COMPUTER, you enter THAT PATH. It's a generic way to indicate, I don't know the names of the paths on your computer, so YOU type in WHATEVER they happen to be.

It looks from the output the bootloader is already unlocked, you can verify that by simply booting the device and if one of the first screens you see has a yellow caution indicator, that verifies that it's unlocked.

cheers
 

dervan101

Member
Aug 17, 2018
7
0
whenever you read directions that say '/path/to/something'

They are talking about ON YOUR COMPUTER, you enter THAT PATH. It's a generic way to indicate, I don't know the names of the paths on your computer, so YOU type in WHATEVER they happen to be.

It looks from the output the bootloader is already unlocked, you can verify that by simply booting the device and if one of the first screens you see has a yellow caution indicator, that verifies that it's unlocked.

cheers
Well noted. Thanks so much! I encountered another problem: after successfully installing TWRP and running it, I flashed SU for root and now when I boot the device it says DECRYPTION UNCESSFUL but when I press reset, it comes back to the same thing.
 

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
Well noted. Thanks so much! I encountered another problem: after successfully installing TWRP and running it, I flashed SU for root and now when I boot the device it says DECRYPTION UNCESSFUL but when I press reset, it comes back to the same thing.

why would u want to use SU? Virtually everyone, for years, has been using magisk. And there are tons of magisk modules that help with so many things.

One thing you should always do after getting twrp is flash dm-verity-force-encrypt (then u won't get decryption errors) and flash magisk.
 
  • Like
Reactions: dervan101

dervan101

Member
Aug 17, 2018
7
0
why would u want to use SU? Virtually everyone, for years, has been using magisk. And there are tons of magisk modules that help with so many things.

One thing you should always do after getting twrp is flash dm-verity-force-encrypt (then u won't get decryption errors) and flash magisk.
thanks a lot. I will try that and give feedback
 

dervan101

Member
Aug 17, 2018
7
0
Hello and thank you so much for your help earlier.
I don't know what I did but I bricked my lg v405UA AT&T and now it is stuck on QUALCOMM HS-USB QDLoader 9008
and will not boot no matter how many times a flash the v35 engineering image and press power+volume down to get
it out of EDL mode.
 

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
Hello and thank you so much for your help earlier.
I don't know what I did but I bricked my lg v405UA AT&T and now it is stuck on QUALCOMM HS-USB QDLoader 9008
and will not boot no matter how many times a flash the v35 engineering image and press power+volume down to get
it out of EDL mode.

Okay, because I'm not standing there watching you, and your description is lacking, must ask: are you holding vol down and power for at least 5 seconds? The directions say to hold them down until you hear the windows 'chime' sound, indicating a device has been disconnected?

it sounds like you haven't done that, and it's still just sitting there in edl mode.
 

dervan101

Member
Aug 17, 2018
7
0
I hold it for at least 15 seconds because that's the amount it time it usually takes to disconnect. But now it just disconnects and comes back to QUALCOMM HS-USB QDLoader 9008 mode
 

dervan101

Member
Aug 17, 2018
7
0
Okay, because I'm not standing there watching you, and your description is lacking, must ask: are you holding vol down and power for at least 5 seconds? The directions say to hold them down until you hear the windows 'chime' sound, indicating a device has been disconnected?

it sounds like you haven't done that, and it's still just sitting there in edl mode.
i found a tutorial on
that helped me debrick.
I will try again and flash dm-verity-force-encrypt this time. Thanks so much once again.
 

boredsalt

New member
Jan 25, 2022
4
0
Hi, I read the replies under this thread and saw that apparently this works for LG V35. Not sure if this works in my case?

I bought a second-hand LG V35 that was rooted with Magisk. However as I needed to download apps that required me to be unrooted, I thought I could just uninstall it. Since then I cannot turn it off and it is stuck in a never-ending loop between "no command" and the LG logo. I tried to get it into recovery and fastboot mode but it does not get there.

As I just got the phone, I did not enable developer's mode or USB debugging so my laptop does not recognise the device even when I plugged it in. I read that I will need to go into EDL mode instead. Can experts please help to confirm this before I do anything else to my phone? Thank you.
 

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
Hi, I read the replies under this thread and saw that apparently this works for LG V35. Not sure if this works in my case?

I bought a second-hand LG V35 that was rooted with Magisk. However as I needed to download apps that required me to be unrooted, I thought I could just uninstall it. Since then I cannot turn it off and it is stuck in a never-ending loop between "no command" and the LG logo. I tried to get it into recovery and fastboot mode but it does not get there.

As I just got the phone, I did not enable developer's mode or USB debugging so my laptop does not recognise the device even when I plugged it in. I read that I will need to go into EDL mode instead. Can experts please help to confirm this before I do anything else to my phone? Thank you.

so, no, if you need apps that look to see if you're rooted, you use magisk 'hide', you don't 'uninstall it'.

Magisk isn't 'installed', it's injected into the boot partition, uninstalling the app doesn't remove it from the boot partition.

anyway, to get to edl now; Something not commonly known is that you can get to edl from ANY screen. Even if the device is bootlooping, you can still get to edl.

It's really the same procedure you would use if it were booted, except that you won't see a 'count down' screen. You just wait for it to blank and the start spamming vol up. If it doesn't work first time, try again, as it will work.

cheers
 

boredsalt

New member
Jan 25, 2022
4
0
Thanks AsltLies. I finally managed to get to the Flashing the Engineering Bootloader step. I right clicked on the abl_a > manage partition data > load the V35 engineering bootloader image. I did not back up my abl_a though, not sure if that is going to affect anything. Anyway, I came to this screen where I could toggle between start, power off, recovery mode, restart bootloader.

I am not sure if I should execute "fastboot oem unlock" or "fastboot flash frp path/to/frp"? How do I know if the person who sold this to me has enabled the "Enable OEM Unlock" option?

IMAG0494.jpg
 
Last edited:

AsItLies

Senior Member
Nov 4, 2009
1,540
581
tucson
Samsung Galaxy S10
Thanks AsltLies. I finally managed to get to the Flashing the Engineering Bootloader step. I right clicked on the abl_a > manage partition data > load the V35 engineering bootloader image. I did not back up my abl_a though, not sure if that is going to affect anything. Anyway, I came to this screen where I could toggle between start, power off, recovery mode, restart bootloader. I am not sure if I am on the right track?

View attachment 5524233

Well yes, it will be a problem. Your original abl is what you should flash back to it's partition, after you are through using (unlocking the bootloader) with the engineering abl.

The engineering abl is always going to be the android version the device was released with. So it almost certainly won't be able to boot the device if it's not running the original version of android.

When the directions tell you to back up certain partitions, they do so for a reason, you ignore them at your own peril (some partitions, like ftm, are specific to your device, there is no backup you can find).

good luck
 

boredsalt

New member
Jan 25, 2022
4
0
Oh my gosh, is there any way I can reverse back to that step? Sorry, I did not saw any information on how to back up those files on the 1st post until I came across another website.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 45
    This Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)

    Unlock Prerequisites:
    Make sure you have "Enable OEM Unlock" enabled in developer options, along with adb debugging. Very important. You'll be stuck with the red triangle otherwise. If you don't have the "Enable OEM Unlock" option in developer options, you'll have to flash frp with the v35 engineering bootloader. The frp image will be provided in the attachments section.

    QPST Download:
    It turns out the reason QFIL is failing is because it's missing quite a bit of stuff. I'm providing the zip to QPST (It's actually required) to install. QPST includes QFIL. My fault, I'm all over the place with this... Here it is (GDrive): QPST

    Booting into EDL:
    Note: This can be done while booted!

    1. Plug in your Phone to your PC

    2. Press and hold Power and Volume Down

    3. As soon as your screen blanks, rapidly start pressing volume up.

    4. If you've successfully booted into EDL, your screen will be completely blank and the device manager will show (Under COM Ports): Qualcomm HS-USB QDLoader 9008

    nQeN45t.png


    Using QFIL to Unlock Your Bootloader
    QPST should be installed, and your in 9008 plugged into your PC.

    Setting up QFIL:
    1. Launch QFIL and set your storage type to UFS. This is located at the bottom right corner of the window The LG V40 has UFS storage. The leaked loader is a loader for LG SD845 UFS devices. If you try to send the loader with your storage set to emmc, it will NOT work. By default, it is set to emmc.

    9jvV3rv.png


    2. Select the port. Click select port and select the one that says "Qualcomm HS-USB QDLoader 9008 (COM #)" That is your phone. After it is highlighted, press OK.

    3. Under select programmer, click browse, find the loader and select it.

    4. Your screen should now look like this (Minus the Flat Build Stuff, that is for total unbrick purposes):

    DmnzGBy.png


    QFIL is now all setup and ready for flashing.

    Flashing the Engineering Bootloader

    1. In the upper left hand corner of the Window, click on Tools > Partition Manager from the drop down menu

    smxXCkP.png


    2. When the Partition Manager window comes up, find "abl_a" > click on it > right click and select Manage Partition Data.

    AzuFXMm.png


    3. When the "Raw Data Manager" window comes up, there are four options to choose from (I'll tell you what each of them does):

    • Erase: Wipes the specified partition clean
    • Read Data...: Backs up the partition. It will tell you where it saved it in the log output in the main window
    • Load Image: Flashes a .img file of your choice to the specified partition
    • Close: Brings you back to the Partition Manager

    LKG7Wkg.png


    You'll be using the load image function to flash the V35 Engineering bootloader to your device.

    4. Click load image then select the V35 engineering bootloader. It will flash the image to your device.

    Unlocking Your Device:

    Now that the V35 Engineering Bootloader has been flashed to your device:

    1. Press and hold the Power and Volume Down buttons until your device reboots out of 9008. When you hear the disconnect sound, immediately hold volume down (only volume down) to enter fastboot right away (this is required for both methods, my apologies).

    2. When you've entered fastboot, execute this command:
    Code:
    fastboot oem unlock
    Userdata will be wiped as a security measure as with all android devices.

    3. While you're still in the v35 engineering bootloader flash back the stock pie bootloader (If originally on pie firmware) with:
    Code:
    fastboot flash abl_a path/to/ablpiestock.img

    The V35 Engineering bootloader is OREO only. Some people have managed to boot with this on pie firmware. But generally, you WON'T be able to boot with this flashed if you're on PIE firmware. If you're on Oreo firmware, you can leave this flashed


    4. For devices without the "Enable OEM Unlock" option, you'll need to flash frp! You can do so with (While still in V35 Bootloader):

    Code:
    fastboot flash frp path/to/frp

    4a. Reboot right back into fastboot (hold volume down after rebooting) and run:
    Code:
    fastboot oem unlock

    The reason you can't unlock your T-Mobile device is because no other bootloader/firmware will work with T-Mobile devices. Only T-Mobile firmware will work on it. If you're looking for root, avoid V405TA (T-Mobile) phones. Any other model will work for this.
    5
    Incorrectly referred to EDL than Download mode

    HI all, I just wanted to share my experience of this that may give some extra help for others going through this. But first, I'd not have got anywhere if it wasn't for a bunch of you on here, so many thanks to @Xsavi, @Ainz_Ooal_Gown, @DLS123, @LameMonster82 and many others! And I may as well pre-thank @SGCMarkus as his threads are coming soon enough...

    Ok, so my initial goal was to get root on my LG V40...

    I started with an LM-V405EBW V20a-IND-XX, so that meant I was not able to unlock the bootloader using the official LG method - I've got to admit, I liked the LG V40 phone, and it was a good price, and I thought it had developer support... I missed that it was only for one market (come on LG, please do better!)

    Anyway, challenge was set! All I really wanted was to have root... I naïvely thought a combination of @Ainz_Ooal_Gown's LGUP Guide and some KDZ tweaking from @DLS123 would get me there; however, I was about to run in to two snags: CrossDL errors and Chain of Trust issues

    So my first thought was: could I perhaps flash an EU image onto the phone and also get a bunch of security upgrades too! So I downloaded the latest one, V20e-LAO-COM. Then following @Ainz_Ooal_Gown's guide I evenutally ran into the CrossDL "Error 0x6004 OPEN_ESA_DS > OPEN_EU_DS". From searching around the only way I could force this was to use the LGUP_Cmd.exe from the LGUP v1.15 Developer version. And this worked perfectly, even though there were rumours around that such an indiscriminate flashing could be very dangerous and brick my phone - so beware and be careful!

    Ok, so now I learnt that IMEI and OEM Device-ID are a more integral part of the phone, and this flash has only brought me useful security fixes that my previous would not have - so that's good. However, I am a long way from root as my reading around this informed me that unless I could break the QCom Chain of Trust (eg. unlock the bootloader, etc.) then I was not going to get a phone that would boot up, certainly patching the boot in a KDZ image was not going to work. I saw that I could have this done remotely with those who owned an Octopusbox by hooking up via some websites or the V40 Telegram group - sadly both felt a little like giving up, and I couldn't afford one of the boxes so...

    Then I found this, @Xsavi's, guide. I ended up using the latest QPST from QPSTtool.com. I probably didn't need it, however I was getting many "Download Fail:Sahara Fail:QSaharaServer Fail:process fail" errors. I was unable to get the QFIL tool to download the partitions in the Partition Manager part of QFIL. When it works it should be very quick, but when it doesn't it will stall for a while, output some logs, and then that error (similar to the output here, although they are doing something different).
    Using the latest version of QPST seemed to fix this with the one given in this thread. But then it too started failing with the same error. So, from more reading, I started to get a feel that timing and maybe environment was important. In terms of timing, as soon as you put the phone into 9008 Mode* you need to as quickly as possible load up the Partition Manager, and in terms of environment, a freshly restarted phone put into this mode... possibly similar for the QPST tooling too... I didn't manage to repeat this to be sure.
    (* yes - 9008 Mode is a black screen, doesn't boot, doesn't seem to be on, hold <power>+<vol down> to reboot out of it. You also need to have the cable plugged it to go into this mode it seemed. And you have to be very quick once you turn the power off, pressing the <vol up> button to go into it too. You will know you got it as the phone will not turn back on, and in Windows Device Manager you will see the Qualcomm HS-USB QDLoader 9008 come up)

    I did a few things different from this guide that I'll cover here: I took a backup for the abl_a/abl_b and laf_a/laf_b partitions using QFIL. When you look at a partition you have an option to Read it too. I used this to make backups. I then used the V35 image to unlock the bootloader of the V40! (yes! success!) I then restored the abl_a I took a backup of. When I rebooted I was presented with a fastboot that was now not looking for unlocks, it wanted me to flash things. So I put the phone into Download mode, and then using LGUP I restored the V20e-LAO-COM KDZ. After a few reboots, a reset, and some processing time the LG V40 is now up and running and importantly with the bootloader still unlocked! And everything seems to be working so far...

    I realise looking back I could have cut out the CrossDL issues as everything would have been erased in the bootloader unlock. Oh and all of this was done via Windows 8.1 VM in VirtualBox: you can both download IMGs from Microsoft's site, then another part will give you the Product Keys. Anyway, hope that helps others a little bit through this too - next is to finally try out @DLS123's Magisk tutorial and I should be done, until some LineageOS desire sets in.

    Thanks again everyone! Looking forward to what can be done in this space now for this phone: 9008 Mode is amazing (and terrifying) for its scope!
    5
    Awesome! You guys are brilliant!
    So do we expect a kickstart in development (like the V30's dev scene) now that an unlock is available for everybody?

    And one last question: does this mean that we can unlock a (network) locked phone this way? I know that the usual answer is 'no', but from what I've seen around here, there's something called 'cross-flashing' of US unlocked firmware. Perhaps that means an unlock?
    If not, do online unlock services work? (I do not want any names - I just want to know whether any service at all works).

    I do apologize if my questions are stupid - it's only that with the overwhelming amount of (sometimes contradictory) posts here, I just want to make sure I'm doing everything correctly! :laugh:

    Your questions aren't stupid. :)

    Unfortunately, you can't sim unlock using this method. I'm hoping this will kickstart development for this device also, I already have a few ROMs made I have yet to release to XDA. Any 3rd party online unlock services are scams. Nowadays, everything is done server side when it comes to SIM unlocking your phone.

    No problem dude! If you have any other questions, feel free to reach out to me. I'm super active in the V40 telegram group. I'm becoming more active here too (I need to. LoL).
    3
    @Xsavi This is Awesome! I might get a V40 later in the year
    Btw a small point, the title says: Unlock your LG V40 (Via 9008) Root ONLY for T-Mobile variants.
    while guide says: his Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)
    Title probably needs to be corrected :p

    Title and guide has been corrected. Thank you for the much needed suggestion!
    3
    Also getting a Download Fail, but mine reads "Download Fail:Sahara Fail:QSaharaServer Fail:process fail". My port is showing as Qualcomm HS-USB QDLoader 9008 (COM7). I was sure to try to update the driver in device manager, and am prompted that "The best drivers for your device are already installed".