[GUIDE] Unlock your LG V40 via 9008 mode (Every Variant except T-Mobile)

[AsItLies]

Unfortunately even using a USB 2.0 port did not work. I don't have much hope for it since I was able to connect over fastboot and EDL previously but it currently won't connect over USB at all.
I even tried putting it in the freezer in case the issue was something similar to what happened with the good old Note 4, but that only made it draw ~140 mA while it was cold instead of ~450 mA, still no indication of connecting on either of my computers.

What I can see/access right now is:

1. "V40 ThinQ Powered by Android" boot screen, then goes immediately to red triangle (specifically this time there is no "all slots are unbootable" message), then to V35 fastboot:
View attachment 5336015View attachment 5336017
2. EDL mode (I think). I hold power + volume down while in fastboot and then rapidly push the volume up button. If timed right it goes to a blank screen instead of rebooting to option 1 (V40 boot screen etc.).

3. A circle with a lightning bolt (presumably the charging screen) shows up momentarily -> red triangle -> V35 fastboot.

4. Factory reset screen (tried resetting, it didn't change anything)
View attachment 5336021

Maybe there's some magic key combination or something to be discovered in the future involving a microSD card (if it's even a software problem, perhaps some chip or fuse blew and that's why it won't connect over USB) but I think my V40 is now a fancy paperweight/parts phone. At least it was less than $100!

Obviously the phones not dead, it's just not booting. It's possible the usb port has gone bad, some say using a q-tip and isopropyl alcohol to clean it helps.

Be sure, in device manager, that you don't have anything with a '!' symbol (like android, etc), as that would mean a driver problem. I know you said it was working before, but check that again as windows can be very finicky.

Does the pc see the device using lgup? (device off, hold vol up, plug in usb cable). Yeah the usb problem needs to be figured out first. Seems possible, given the price u paid, it might have been bad to begin with and only worked intermittently?

cheers

 

[xv6700redfred]

I'm wondering if anyone can help me.

This is what I did step by step to screw up my phone.

Using qfil:
1. Used the "read" option to back-up the partitions of abl_a, abl_b, boot_a, boot_b, laf_a laf_b.
I located the partitions and named them accordingly.

I tried to follow the tutorial on page 30 of this form and failed to get past the bootloader unlock.

Used these codes:
astboot getvar all
fastboot oem unlock
fastboot --set-active=a
fastboot flash abl_a c:\original boot file here\abl_a.img

2. Erased the 6 partitions above.
3. Tried to restore the 6 partitions above, rebooted and I get a very dim error screen.

 

[AsItLies]

I'm wondering if anyone can help me.

This is what I did step by step to screw up my phone.

Using qfil:
1. Used the "read" option to back-up the partitions of abl_a, abl_b, boot_a, boot_b, laf_a laf_b.
I located the partitions and named them accordingly.

I tried to follow the tutorial on page 30 of this form and failed to get past the bootloader unlock.

Used these codes:
astboot getvar all
fastboot oem unlock
fastboot --set-active=a
fastboot flash abl_a c:\original boot file here\abl_a.img

2. Erased the 6 partitions above.
3. Tried to restore the 6 partitions above, rebooted and I get a very dim error screen.

I understand that sort of thing happens when you bork the partition table, usually by flashing an image to a wrong partition (the image is too big so it overwrites whats near it).

From the tele group the solution is the v40unbrick:

-------------------
v40unbrick:

Download (https://drive.google.com/drive/folders/1WQaaM35SWiF_UbXAM8hiRB95D2CDkIEq) the backup. Unzip it to find 7 luns (0-6).

1. Open QFIL
2. Select Flat Build
3. Click load xml and select the rawprogram(#) XML that is in the lun(0-6) folder.
4. If it asks you for a patch xml, click cancel. It's not needed to flash this backup.
5. Click download
6. Repeat steps for each lun folder.
---------------------

that will at least get the phone working again, but I think the backup is at&t pie (not positive). None the less, you'll then be able to flash a kdz of your choice or find a newer backup of at&t or sprint if that's what u want to use.

cheers

 

[xv6700redfred]

I understand that sort of thing happens when you bork the partition table, usually by flashing an image to a wrong partition (the image is too big so it overwrites whats near it).

From the tele group the solution is the v40unbrick:

-------------------
v40unbrick:

Download (https://drive.google.com/drive/folders/1WQaaM35SWiF_UbXAM8hiRB95D2CDkIEq) the backup. Unzip it to find 7 luns (0-6).

1. Open QFIL
2. Select Flat Build
3. Click load xml and select the rawprogram(#) XML that is in the lun(0-6) folder.
4. If it asks you for a patch xml, click cancel. It's not needed to flash this backup.
5. Click download
6. Repeat steps for each lun folder.
---------------------

that will at least get the phone working again, but I think the backup is at&t pie (not positive). None the less, you'll then be able to flash a kdz of your choice or find a newer backup of at&t or sprint if that's what u want to use.

cheers

I understand that sort of thing happens when you bork the partition table, usually by flashing an image to a wrong partition (the image is too big so it overwrites whats near it).

From the tele group the solution is the v40unbrick:

-------------------
v40unbrick:

Download (https://drive.google.com/drive/folders/1WQaaM35SWiF_UbXAM8hiRB95D2CDkIEq) the backup. Unzip it to find 7 luns (0-6).

1. Open QFIL
2. Select Flat Build
3. Click load xml and select the rawprogram(#) XML that is in the lun(0-6) folder.
4. If it asks you for a patch xml, click cancel. It's not needed to flash this backup.
5. Click download
6. Repeat steps for each lun folder.
---------------------

that will at least get the phone working again, but I think the backup is at&t pie (not positive). None the less, you'll then be able to flash a kdz of your choice or find a newer backup of at&t or sprint if that's what u want to use.

cheers

Thank you for your help on this I really appreciate it!

Ok so I didn't tell you the whole story. Lol
I did load the wrong backup file in fastboot with the "fastboot flash abl_a c:\original boot file here\abl_a.img"
there was an error code that said "data overflow" or something like that.

Then I went back into qfil and deleted all 6 of the partitions (noted in the above post) and proceeded to flash back the back-up partitions not knowing that I was loading them to the wrong partitions. 2 out of the 6 said the same error "data overflow" and I proceeded anyways. Once I found that I had labeled the back-up wrong I was able to load the correct back-up .bin files to the correct partition.

That's when I got the dim error screen upon reboot.

Fyi My phone is Lg v40, Sprint, Pie 9.
I will follow you instructions, thank you!

 

[xv6700redfred]

When I load all 7 xml files as you described above will this overwrite everything on the phone?
Like a dumbass I didn't save my imei number. Ugh...

 

[xv6700redfred]

I understand that sort of thing happens when you bork the partition table, usually by flashing an image to a wrong partition (the image is too big so it overwrites whats near it).

From the tele group the solution is the v40unbrick:

-------------------
v40unbrick:

Download (https://drive.google.com/drive/folders/1WQaaM35SWiF_UbXAM8hiRB95D2CDkIEq) the backup. Unzip it to find 7 luns (0-6).

1. Open QFIL
2. Select Flat Build
3. Click load xml and select the rawprogram(#) XML that is in the lun(0-6) folder.
4. If it asks you for a patch xml, click cancel. It's not needed to flash this backup.
5. Click download
6. Repeat steps for each lun folder.
---------------------

that will at least get the phone working again, but I think the backup is at&t pie (not positive). None the less, you'll then be able to flash a kdz of your choice or find a newer backup of at&t or sprint if that's what u want to use.

cheers

When I load all 7 xml files as you described above will this overwrite everything on the phone?
Like a dumbass I didn't save my imei number. Ugh...

 

[AsItLies]

When I load all 7 xml files as you described above will this overwrite everything on the phone?
Like a dumbass I didn't save my imei number. Ugh...

it shouldn't but always, before overwriting a partition, save it. In this case, the critical partitions (that have imei and serial) are ftm, fsg, modem, modemst1 and modemst2. Save those just in case you have to flash them back after doing the restore.

one thing that happens with doing a restore like this is after ea xml (lun), pretty sure it will need to be put back into edl mode ea time. Kind of a pain. Also, if one of the lun restore doesn't restore anything, not a big issue (I think there are actually 2 of them that do that).

finish them all, none the less, then it should boot.

cheers

 

[xv6700redfred]

it shouldn't but always, before overwriting a partition, save it. In this case, the critical partitions (that have imei and serial) are ftm, fsg, modem, modemst1 and modemst2. Save those just in case you have to flash them back after doing the restore.

one thing that happens with doing a restore like this is after ea xml (lun), pretty sure it will need to be put back into edl mode ea time. Kind of a pain. Also, if one of the lun restore doesn't restore anything, not a big issue (I think there are actually 2 of them that do that).

finish them all, none the less, then it should boot.

cheers

Hello again, sorry for all the hand-holding here. I'll figure this out soon I'm sure. I loaded all the luns, Lun 0 failed to load. I then loaded back the Fsg, Ftm, Modem_a, Modem_b Modemst1, Modemst2. Nonetheless things are looking up. I was able to get into fastboot and also retrieve my IMEI number. But the phone will still not boot. I get a red triangle error on the screen and the phone automatically reboots after some time. Any idea on what could be going on?

 

[AsItLies]

Hello again, sorry for all the hand-holding here. I'll figure this out soon I'm sure. I loaded all the luns, Lun 0 failed to load. I then loaded back the Fsg, Ftm, Modem_a, Modem_b Modemst1, Modemst2. Nonetheless things are looking up. I was able to get into fastboot and also retrieve my IMEI number. But the phone will still not boot. I get a red triangle error on the screen and the phone automatically reboots after some time. Any idea on what could be going on?

You shouldn't need to reload those partitions. Just have them in case your IMEI disappears, but it probably won't. I'd say do the luns again and it will probably be okay.

Cheers

 

[xv6700redfred]

You shouldn't need to reload those partitions. Just have them in case your IMEI disappears, but it probably won't. I'd say do the luns again and it will probably be okay.

Cheers

I tried to load them again, the only one that would not load is Lun 0. I reboot after and still have the red triangle error.
Any ideas? If not no worries I will keep messing with it. Cheers!

 

[AsItLies]

I tried to load them again, the only one that would not load is Lun 0. I reboot after and still have the red triangle error.
Any ideas? If not no worries I will keep messing with it. Cheers!

Well a red triangle means partition mismatch. So somehow they are still not all of the same version.

I'd suggest this, flash the files from this link (not the boot one with twrp in the name). This should hopefully give you lgup (download) ability.

After flashing them with qfil, exit edl with holding vol - and the pwr button, after windows chime, just hold vol up (and of course leave usb plugged in).

That should then bring you to lgup download mode and you can then flash a kdz. I'd suggest go with the US Open Pie (there is no Q version). When flashing the kdz, first do it with partition D/L mode, select all partitions but ftm. Then, after it reboots and finishes, turn off, enter lgup mode again, and do a 'refurbish' with the exact same kdz you just used for D/L mode.

So, at this point anyway, yer gpt table error is gone, you've got backups of critical files (in case they are needed - **if** imei disappears), and with the above you should get download mode.

yer not that far away from having it being fully functional again. give it a go.

 

[gcwct71513]

Need Help. I did this on a LG V40 ThinQ (android 10, att) and it keep booting in EDL.

 

[silverrose]

Hey everyone!

First, Thanks for posting this guide and all the help you've given others, and me, as I try to figure this out.
Still having trouble with fastboot, but that's not the point of this post.

This post is to say what I think will fix the dreaded Sahara Error once and for all. At least it did for me.

Go into Firehose Configuration (under configuration) and check the box next to "DOWNLOAD PROTOCOL SAHARA" that says "Reset State Machine" in the upper left corner.

Once I did that, I connected no problem. I tried clearing the check box, and immediately had problems again. Checked it, and back in.

Hopefully this works for you, and if it does, let me, and more importantly, others know! Good luck, and happy rooting.

PS. Don't worry, I'll probably be back with questions on why my fastboot keeps crashing... O_O

Edit: Fixed the fastboot issues by using an older PC. Now where do I go from here? Install TWRP and then custom ROMS?

 

[AsItLies]

Need Help. I did this on a LG V40 ThinQ (android 10, att) and it keep booting in EDL.

follow what's in this post.

 

[gcwct71513]

follow what's in this post.

They all say "Download Fail:Sahara Fail:QSaharaServer Fail: Process fail"

 

[AsItLies]

They all say "Download Fail:Sahara Fail:QSaharaServer Fail: Process fail"

When you get a sahara error, that means the phone is not connecting properly and nothing will work, no matters how many of the luns you try, or if you try to look at the partitions, or anything... it's not connected, basically.

from the tele group on what to do with a sahara error:
__________________________________
When you get a sahara error on Qfil, change your USB port/cable.
Restart both phone and pc before trying again.
Check drivers on PC
Try reducing the COM port speed by going to device manager
Try another PC
Disable driver signature verification on Windows 10
If you run out of ideas, use a Linux installation; will save you a lot of trouble
_______________________________
It's not an uncommon thing, unfortunately. Cheers

 

[gcwct71513]

When you get a sahara error, that means the phone is not connecting properly and nothing will work, no matters how many of the luns you try, or if you try to look at the partitions, or anything... it's not connected, basically.

from the tele group on what to do with a sahara error:
__________________________________
When you get a sahara error on Qfil, change your USB port/cable.
Restart both phone and pc before trying again.
Check drivers on PC
Try reducing the COM port speed by going to device manager
Try another PC
Disable driver signature verification on Windows 10
If you run out of ideas, use a Linux installation; will save you a lot of trouble
_______________________________
It's not an uncommon thing, unfortunately. Cheers

Thank you. I'm able to boot to fastboot and download mode.

 

[laminarturbulent]

Obviously the phones not dead, it's just not booting. It's possible the usb port has gone bad, some say using a q-tip and isopropyl alcohol to clean it helps.

Be sure, in device manager, that you don't have anything with a '!' symbol (like android, etc), as that would mean a driver problem. I know you said it was working before, but check that again as windows can be very finicky.

Does the pc see the device using lgup? (device off, hold vol up, plug in usb cable). Yeah the usb problem needs to be figured out first. Seems possible, given the price u paid, it might have been bad to begin with and only worked intermittently?

cheers

I gotta say thanks for being so dedicated to helping out LG V40 users!

I've got somewhat good news to report:
After buying another V40 (also AT&T 30e), I was able to get the bootloader unlocked but now it's stuck going to fastboot (AT&T V40, not V35 engineering). FIXED after writing most of the post! Read to the end!

Here's what I did to get there:

1. This time I made sure to reboot once after enabling OEM unlock (this may be critical, not sure).
2. I followed this guide, naively thinking I could easily root without unlocking the bootloader (unlocked bootloader is a prerequisite but is not mentioned in the video).
   1. Basically I used QFIL to get boot_a, used the Magisk app to patch boot_a, then loaded the patched boot_a with QFIL.
   2. This resulted in the phone going to secure start-up and I did not know the password. So I factory reset it.
   3. Then the phone switched to the boot_b slot, and booted to Android.
   4. I tried step 1 again, patching boot_b with Magisk and flashing. Boom, red triangle, "all slots unbootable".
3. Reverting boot_a and boot_b did nothing, at this point I think some protection from the locked bootloader was triggered.
4. Loaded V35eng to abl_a (didn't know for sure if it was on slot b at this point). Could not get into fastboot, so I reverted abl_a. Loaded V35eng to boot_b, and was able to get into V35 engineering fastboot.
5. "fastboot oem unlock" worked this time, and the output was:
   (bootloader) Erasing userdata and cache OKAY [ 0.898s] finished. total time: 0.899s
   Which was different from my first V40, which always failed the first time trying fastboot oem unlock then said something like "already unlocked" the second time.
6. Reverted abl_b, and now the phone goes straight to V40 fastboot (at least it says it's unlocked!!!).
7. Reverting boot, abl, laf does not change this. USB still works which is fantastic, I can access EDL/9008 mode.
8. After updating fastboot.exe (I was using a version too old to have --set-active), fastboot --set-active=a worked and I was able to boot into Android on the stock boot_a.
9. I then loaded the Magisk-patched boot_a with QFIL, rebooted to Android, and got root!

So in the end I mostly followed the instructions on the first post to get it working. Lessons:

1. Definitely reboot at least once after choosing to "Enable OEM unlock" in developer settings.
2. Back up boot_a, boot_b, abl_a, abl_b before doing any flashing (you can also back up laf_a and laf_b but I didn't touch them this time).
3. Use a USB 2.0 A-to-C cable in a USB 2.0 port; ideally choose a port on the back of your motherboard if using a desktop.
   • I've noticed that USB 2.0 cables are generally more reliable but I can't say for certain that my use of a USB 3.1 type-C to type-C cable was what killed the USB data lines on my first V40 (at least I'm 90% sure they're dead, I haven't done an extensive clean of the port yet).
4. Get the latest fastboot.exe from this package.
5. Three-minute YouTube root tutorials are not to be trusted without reading many of the comments first.

EDIT 4/11/2022: Just finished rooting the first V40 since I replaced the USB port. Found my old post had a typo where I said I flashed V35eng to "boot_b" when I meant "abl_b" since the phone went to slot b which meant I couldn't access the V35 fastboot until flashing it to abl_b.

 

[AsItLies]

I gotta say thanks for being so dedicated to helping out LG V40 users!

I've got somewhat good news to report:
After buying another V40 (also AT&T 30e), I was able to get the bootloader unlocked but now it's stuck going to fastboot (AT&T V40, not V35 engineering). FIXED after writing most of the post! Read to the end!
View attachment 5347903
Here's what I did to get there:

1. This time I made sure to reboot once after enabling OEM unlock (this may be critical, not sure).
2. I followed this guide, naively thinking I could easily root without unlocking the bootloader (unlocked bootloader is a prerequisite but is not mentioned in the video).
   1. Basically I used QFIL to get boot_a, used the Magisk app to patch boot_a, then loaded the patched boot_a with QFIL.
   2. This resulted in the phone going to secure start-up and I did not know the password. So I factory reset it.
   3. Then the phone switched to the boot_b slot, and booted to Android.
   4. I tried step 1 again, patching boot_b with Magisk and flashing. Boom, red triangle, "all slots unbootable".
3. Reverting boot_a and boot_b did nothing, at this point I think some protection from the locked bootloader was triggered.
4. Loaded V35eng to abl_a (didn't know for sure if it was on slot b at this point). Could not get into fastboot, so I reverted abl_a. Loaded V35eng to boot_b, and was able to get into V35 engineering fastboot.
5. "fastboot oem unlock" worked this time, and the output was:
   (bootloader) Erasing userdata and cache OKAY [ 0.898s] finished. total time: 0.899s
   Which was different from my first V40, which always failed the first time trying fastboot oem unlock then said something like "already unlocked" the second time.
6. Reverted abl_b, and now the phone goes straight to V40 fastboot (at least it says it's unlocked!!!).
7. Reverting boot, abl, laf does not change this. USB still works which is fantastic, I can access EDL/9008 mode.
8. After updating fastboot.exe (I was using a version too old to have --set-active), fastboot --set-active=a worked and I was able to boot into Android on the stock boot_a.
9. I then loaded the Magisk-patched boot_a with QFIL, rebooted to Android, and got root!

So in the end I mostly followed the instructions on the first post to get it working. Lessons:

1. Definitely reboot at least once after choosing to "Enable OEM unlock" in developer settings.
2. Back up boot_a, boot_b, abl_a, abl_b before doing any flashing (you can also back up laf_a and laf_b but I didn't touch them this time).
3. Use a USB 2.0 A-to-C cable in a USB 2.0 port; ideally choose a port on the back of your motherboard if using a desktop.
   • I've noticed that USB 2.0 cables are generally more reliable but I can't say for certain that my use of a USB 3.1 type-C to type-C cable was what killed the USB data lines on my first V40 (at least I'm 90% sure they're dead, I haven't done an extensive clean of the port yet).
4. Get the latest fastboot.exe from this package.
5. Three-minute YouTube root tutorials are not to be trusted without reading many of the comments first.

One thing is certain, you've learned quite a bit from this experience. And I always feel like, if that's all you get out of it, that's not all bad, it's even pretty dang good.

So one thing, with later versions of android, to get twrp, we have to 'ramdisk inject' it into the existing bootloader. As catch-22 would have it, you have to have twrp already installed to do that.

So, while there are numerous ways to accomplish that task, the point is it's been done already for pretty much all variants of the lg v40. Basically, just indicate which variant / version you're using, and someone will have the boot image patched with twrp for you already.

As example, if you had korean open 30f installed, this would be the boot image patched with twrp. After flashing this with qfil, boot directly to twrp, if asked for pw just cancel out of that, format data, reboot recovery, flash magisk and dm-verity, and yer done.

It's not that hard, but as you've seen, there's a bit to be learned. But doing the above, in addition to the unlocking B/L, as you've discovered, then you'll have twrp, magisk, unencrypted... basically, all set!

cheers

 

[pichulo]

This Guide will explain how to unlock your LG V40 (Every variant except T-Mobile)​

Unlock Prerequisites:
Make sure you have "Enable OEM Unlock" enabled in developer options, along with adb debugging. Very important. You'll be stuck with the red triangle otherwise. If you don't have the "Enable OEM Unlock" option in developer options, you'll have to flash frp with the v35 engineering bootloader. The frp image will be provided in the attachments section.

QPST Download:
It turns out the reason QFIL is failing is because it's missing quite a bit of stuff. I'm providing the zip to QPST (It's actually required) to install. QPST includes QFIL. My fault, I'm all over the place with this... Here it is (GDrive): QPST

Booting into EDL:
Note: This can be done while booted!

1. Plug in your Phone to your PC

2. Press and hold Power and Volume Down

3. As soon as your screen blanks, rapidly start pressing volume up.

4. If you've successfully booted into EDL, your screen will be completely blank and the device manager will show (Under COM Ports): Qualcomm HS-USB QDLoader 9008

Using QFIL to Unlock Your Bootloader
QPST should be installed, and your in 9008 plugged into your PC.

Setting up QFIL:
1. Launch QFIL and set your storage type to UFS. This is located at the bottom right corner of the window The LG V40 has UFS storage. The leaked loader is a loader for LG SD845 UFS devices. If you try to send the loader with your storage set to emmc, it will NOT work. By default, it is set to emmc.

2. Select the port. Click select port and select the one that says "Qualcomm HS-USB QDLoader 9008 (COM #)" That is your phone. After it is highlighted, press OK.

3. Under select programmer, click browse, find the loader and select it.

4. Your screen should now look like this (Minus the Flat Build Stuff, that is for total unbrick purposes):

QFIL is now all setup and ready for flashing.

Flashing the Engineering Bootloader

1. In the upper left hand corner of the Window, click on Tools > Partition Manager from the drop down menu

2. When the Partition Manager window comes up, find "abl_a" > click on it > right click and select Manage Partition Data.

3. When the "Raw Data Manager" window comes up, there are four options to choose from (I'll tell you what each of them does):

• Erase: Wipes the specified partition clean
• Read Data...: Backs up the partition. It will tell you where it saved it in the log output in the main window
• Load Image: Flashes a .img file of your choice to the specified partition
• Close: Brings you back to the Partition Manager

You'll be using the load image function to flash the V35 Engineering bootloader to your device.

4. Click load image then select the V35 engineering bootloader. It will flash the image to your device.

Unlocking Your Device:

Now that the V35 Engineering Bootloader has been flashed to your device:

1. Press and hold the Power and Volume Down buttons until your device reboots out of 9008. When you hear the disconnect sound, immediately hold volume down (only volume down) to enter fastboot right away (this is required for both methods, my apologies).

2. When you've entered fastboot, execute this command:

fastboot oem unlock

Userdata will be wiped as a security measure as with all android devices.

3. While you're still in the v35 engineering bootloader flash back the stock pie bootloader (If originally on pie firmware) with:

fastboot flash abl_a path/to/ablpiestock.img

The V35 Engineering bootloader is OREO only. Some people have managed to boot with this on pie firmware. But generally, you WON'T be able to boot with this flashed if you're on PIE firmware. If you're on Oreo firmware, you can leave this flashed


4. For devices without the "Enable OEM Unlock" option, you'll need to flash frp! You can do so with (While still in V35 Bootloader):

fastboot flash frp path/to/frp

4a. Reboot right back into fastboot (hold volume down after rebooting) and run:

fastboot oem unlock

The reason you can't unlock your T-Mobile device is because no other bootloader/firmware will work with T-Mobile devices. Only T-Mobile firmware will work on it. If you're looking for root, avoid V405TA (T-Mobile) phones. Any other model will work for this.

Is this guide applicable to LM-V409NUA running android 10 (korean version crossflashed to Sprint unlocked phone)?
My software version is V409NUA30b.
I think that will only work if Im in Oreo, right?
Thanks in advance.