[H918|US996|H830] recowvery, unlock your V20/G5 potential - now with TWRP!

jcadduono

Recognized Developer
Jan 17, 2014
1,492
6,206
0
28
Thunder Bay
adduono.com
If you are not an H918, H830, or US996 (Unlocked, NOT US Cellular) user, kindly leave this thread, this will not do anything for your device, exchange it if you're so desperate. Thank you.

Note for US996: It's probably easier for you guys just to flash TWRP the normal way and pull your battery then do the factory reset dance to get in!

Team Win Recovery Project 3.0.2-1



Alright, so you guys have probably heard about me working on this project for a week now. Sorry it's been taking so long, there's been so many variables and hurdles to go through!

I don't own the device myself, so it was all done over TeamViewer thanks to @slayerh4x and @Darriousx who stayed around in the #twrp channel on freenode to assist with their devices.

This will allow you to install TWRP and flash SuperSU!

Step 1: Unlocking your bootloader

You will need to unlock your bootloader first. For this you'll probably need LG's drivers.

Windows: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
Mac: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00320110909

You will also need adb and fastboot. You can download them in a portable small form factor here:
http://forum.xda-developers.com/android/software/host-tools-t3402497

Start by turning on developer options in Settings -> About device -> Software info -> Build number. (tap 7 times until it's enabled)

Now navigate to Settings -> Developer options -> OEM unlock. (turn it on)

Don't ever turn OEM unlock or Developer options off when using a custom ROM or recovery. This could lead to loss of all your data.

For your computer to see ADB, you will need to put the phone in PTP mode (for transferring images). I don't know why this is, a misconfiguration in LG's kernel gadget drivers maybe?

Extract adb and fastboot to a folder on your PC.

Type adb start-server and make sure to check the notification on your phone to accept debugging authorization.
You can reboot into fastboot mode with adb reboot bootloader once authorized.
If it fails to authorize or show the notification on your phone, you may need to try other USB ports.

H918/H830 users only:
To unlock your bootloader, use fastboot oem unlock once the phone boots into fastboot mode.
Warning: This step will wipe all your data and factory reset your phone!

You can check the status of your bootloader lock with the fastboot getvar all command.
ex. (bootloader) unlocked:yes

You should now boot back into your phone (fastboot reboot).

You will probably need to complete the Android setup wizard at this point to get access to ADB again.

US996 users only:
To unlock your bootloader, follow the unlock instructions on LG's site (I can't really help you there):
https://developer.lge.com/resource/mobile/RetrieveBootloader.dev?categoryTypeCode=ANRS

Once you're finished with unlocking your bootloader, continue on to step 2.

Step 2: Running recowvery

You can find the recowvery binaries (you need to download all of these) at:
https://build.nethunter.com/android-tools/dirtycow/arm64/

You're now ready to follow the recowvery installation instructions.
See here: https://github.com/jcadduono/android_external_dirtycow#running (running section)

Bonus: There's also a full write up on that page on how recowvery works if you're into that kind of stuff.

Step 3: Flashing TWRP & Rooting

Notice: There is currently no decryption support, just the same as the LG G5, I'm running into the exact same scenario (unable to start rpmb device).
Due to this, I have disabled hardware decryption in this build to keep it stable. If you wish to have your data work in TWRP, you will need to disable decryption.
If you're coming from the Note 7 or S7, this will be a familiar scenario for you. ;)

Once you've got your permissive shell in adb, you will have access to your partitions via dd.
You should transfer TWRP to your internal storage (name it twrp.img) using MTP, you can also just use adb push. (mentioned here)

Download TWRP: (official builds, V20 is waiting for TWRP 3.1.0 for twrp.me download)
H918: https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-h918.img
US996: https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-us996.img
H830: https://twrp.me/devices/lgg5h830.html

This step requires that you've used dirtycow to replace /system/bin/run-as with recowvery-run-as. If you've rebooted since doing that, you will need to go back and do that again.
Code:
adb push twrp-3.0.2-x-xxxx.img /sdcard/twrp.img
adb shell
$ run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
"<wait for it to complete>"
$ reboot recovery

You should be inside TWRP now. It will ask you if you want to enable system modifications. You should swipe yes, otherwise your OS will replace TWRP on next boot.

Flash the latest zip from https://build.nethunter.com/android-tools/no-verity-opt-encrypt/ to turn off forced encryption at boot and allow you to boot a modified system. If you're flashing SuperSU.zip, it will also do this for you so this won't be necessary.
Warning: If you don't flash either no-verity-opt-encrypt or SuperSU, you will probably end up in a horrifying never-ending boot loop of "corruption"!

Latest SuperSU: https://download.chainfire.eu/supersu

To disable encryption after flashing SuperSU or the no-verity-opt-encrypt zip, you must use the [Format Data] button on the Wipe page in TWRP. No other options will work.
Back up all your internal storage and apps data that you can to your PC. You can use Titanium Backup with SuperSU before doing this step if you like.
Warning: Using [Format Data] will wipe all your apps and data (including internal storage) off the phone, giving you the out-of-the-box experience of a new phone!
Once this is done, you should be able to backup/restore/use any function of TWRP without any issues.

Flashed SuperSU? You're done! Boot up (it will reboot a few times) and set up your SuperSU Manager to your liking and give this post a thanks! :)

Step 4: Have fun!

I know a few people have mentioned donating, there is a button right on this post under my username. :p
Sorry, I don't keep a list as I prefer to keep people's information confidential, but if you do send any money my way, you can request that I mention you at the bottom of this post with any details.

I ask that people please not attach files in this thread, everything required is mentioned in this post, and should be stable in its present state. Thank you.
 
Last edited:
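
Added example, not part of the original post or of recowvery: a host-side preflight for the Step 1 lock-status check and the Step 3 dd write, so a locked bootloader or a truncated or wrong download is caught before anything is written to the recovery partition. It assumes the recovery image is a standard Android boot image (magic "ANDROID!") and that you know your recovery partition size in bytes; the function names and getvar.txt are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or the recowvery project).
# Preflight checks to run on the PC before the dd write in Step 3.

# 0 if saved `fastboot getvar all` output reports an unlocked bootloader.
# fastboot prints getvar results on stderr, so capture them with:
#   fastboot getvar all 2> getvar.txt
bootloader_unlocked() {
    # Line format as quoted in the post: "(bootloader) unlocked:yes"
    # [[:space:]] also absorbs the trailing CR of a Windows capture.
    grep -Eq '^\(bootloader\)[[:space:]]+unlocked:[[:space:]]*yes[[:space:]]*$' "$1"
}

# 0 if the file starts with the Android boot image magic "ANDROID!".
has_bootimg_magic() {
    [ -f "$1" ] || return 1
    # Compare the first 8 bytes as hex so NUL bytes never reach the shell.
    magic=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "414e44524f494421" ]
}

# 0 if the file is non-empty and no larger than the target partition.
# $2 = partition size in bytes (assumption: looked up for your own device).
fits_partition() {
    size=$(( $(wc -c < "$1") ))
    [ "$size" -gt 0 ] && [ "$size" -le "$2" ]
}

# Run all checks. Status: 0 ok, 1 locked, 2 not a boot image, 3 bad size.
preflight() {
    getvar_log=$1
    image=$2
    part_bytes=$3
    if ! bootloader_unlocked "$getvar_log"; then
        echo "bootloader is not reported as unlocked; do not flash" >&2
        return 1
    fi
    if ! has_bootimg_magic "$image"; then
        echo "$image does not start with ANDROID!; wrong or corrupt file" >&2
        return 2
    fi
    if ! fits_partition "$image" "$part_bytes"; then
        echo "$image is empty or larger than $part_bytes bytes" >&2
        return 3
    fi
    echo "preflight ok: $image"
}

# Stand-alone use: sh preflight.sh getvar.txt twrp.img <partition-bytes>
if [ "$#" -eq 3 ]; then
    preflight "$@"
    exit $?
fi
```
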

jinkerz9430

Senior Member
Sep 12, 2014
1,149
331
118
Kissimmee, FL
Alright, so you guys have probably heard about me working on this project for a week now. Sorry it's been taking so long, there's been so many variables and hurdles to go through!

I don't own the device myself, so it was all done over TeamViewer thanks to @slayerh4x and @Darriousx who stayed around in the #twrp channel on freenode to assist with their devices.

Understand that I'm still working on getting TWRP to boot, there seems to be something about the stock kernel sources that doesn't want TWRP to be a part of it. :p

This will not get you SuperSU or app root access, this is only a root shell allowing you to flash TWRP when it's ready and do other things.
This does however open up some methods of installing SuperSU without TWRP. @Chainfire might have some ideas if he wishes to show up here and stir up some noise. ;)
We do have the ability to do a full ramdisk unpack, edit, repack, and flash within the confines of /data/local while booted into the permissive system using recowvery-applypatch.
This should bring some opportunities, but it's still more sane to just wait for TWRP.

For the instructions on using recowvery, you should read the README.md on the GitHub page:
https://github.com/jcadduono/android_external_dirtycow

You can find the recowvery binaries prebuilt at:
https://build.nethunter.com/android-tools/dirtycow/arm64/

You will need to unlock your bootloader first. For this you'll probably need LG's drivers.

Windows: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
Mac: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00320110909

You will also need adb and fastboot. You can download them in a portable small form factor here:
http://forum.xda-developers.com/android/software/host-tools-t3402497

Start by turning on developer options in Settings -> About device -> Software info -> Build number. (tap 7 times until it's enabled)

Now navigate to Settings -> Developer options -> OEM unlock. (turn it on)

Don't ever turn OEM unlock or Developer options off when using a custom ROM or recovery. This could lead to loss of all your data.

For your computer to see ADB, you will need to put the phone in PTP mode (for transferring images). I don't know why this is, a misconfiguration in LG's kernel gadget drivers maybe?

Extract adb and fastboot to a folder on your PC.

Type adb start-server and make sure to check the notification on your phone to accept debugging authorization.
You can reboot into fastboot mode with adb reboot bootloader once authorized.
If it fails to authorize or show the notification on your phone, you may need to try other USB ports.

To unlock your bootloader, use fastboot oem unlock once the phone boots into fastboot mode.
Warning: This step will wipe all your data and factory reset your phone!

You can check the status of your bootloader lock with the fastboot getvar all command.
ex. (bootloader) unlocked:yes

You should now boot back into your phone (fastboot reboot).

You're now ready to follow the recowvery installation instructions.
See here: https://github.com/jcadduono/android_external_dirtycow

There's also a full write up on that page on how recowvery works if you're into that kind of stuff.
I probably need to proof read it though, I'm really tired.
Thank you for taking the time to begin with the first step to develop on this device! (Although I will have to do a replacement tomorrow for 2 defects that emerged on my phone.) I always had in mind that this device had only a 50% chance of getting rooted, and that it might actually never get rooted. But now chances have increased even more thanks to your hard work, and also thanks to the others you previously mentioned. Let us see if Chainfire takes an interest in adding the final details :):good:
 

NotATreoFan

Senior Moderator / Developer & Moderator Committee
Staff member
Jul 12, 2006
18,396
8,996
253
The Interwebs
twitch.tv
I've got ADB working fine, but get nothing with fastboot. Just a blank line when I type 'fastboot devices'. Tried 3 different USB ports also. Windows 10 x64.

I did grab the ADB/fastboot files linked in the first post, but the older files I had don't work either, and they have no issues with my Nexus 7 2013 and HTC 10.
 

mrtruckincowboy

Senior Member
Jun 16, 2011
1,036
207
0
Promising stuff, I just upgraded to this phone yesterday, and was hoping to eventually get custom ROMs on it

Sent from my VS995 using Tapatalk

---------- Post added at 03:24 PM ---------- Previous post was at 03:21 PM ----------

Quick question should I wait or take the ota updates?

Sent from my VS995 using Tapatalk
 

douger1957

Senior Member
Jul 31, 2010
1,261
442
83
Fort Wayne
Promising stuff, I just upgraded to this phone yesterday, and was hoping to eventually get custom ROMs on it

Sent from my VS995 using Tapatalk

---------- Post added at 03:24 PM ---------- Previous post was at 03:21 PM ----------

Quick question should I wait or take the ota updates?

Sent from my VS995 using Tapatalk
My advice? Never, ever take an update until the developers say that they are sure they can exploit it. From what I can see, this process uses the "dirty cow" exploit which will assuredly be fixed on the next security update.

---------- Post added at 05:11 PM ---------- Previous post was at 05:10 PM ----------

So Idk what to do or how to get the file to flash it.. Any help?
Why not wait until they can get full root and TWRP? As I see it, this process is to help other developers and people that know what they're doing refine and advance the move to full root. I don't think it's quite ready for prime time yet. It does nothing but get the foot in the door for rooting.

---------- Post added at 05:17 PM ---------- Previous post was at 05:11 PM ----------

And, we're off to the races. Let the "I bricked my phone" threads begin!
 
Last edited:

jinkerz9430

Senior Member
Sep 12, 2014
1,149
331
118
Kissimmee, FL
And, we're off to the races. Let the "I bricked my phone" threads begin!
LOL! YASSSSSS I can imagine that already. There will be some who will get it hard bricked.

---------- Post added at 05:39 PM ---------- Previous post was at 05:34 PM ----------

Promising stuff, I just upgraded to this phone yesterday, and was hoping to eventually get custom ROMs on it

Sent from my VS995 using Tapatalk

---------- Post added at 03:24 PM ---------- Previous post was at 03:21 PM ----------

Quick question should I wait or take the ota updates?

Sent from my VS995 using Tapatalk
Isn't your model the Verizon model? If it is... I haven't heard of any Verizon user having unlocked the bootloader for their LG V20s. Not to be a downer, but the methods in this thread are only possible for the H918 (T-Mobile variant), unless someone found a way to unlock Verizon's bootloader. :confused:
 

mrtruckincowboy

Senior Member
Jun 16, 2011
1,036
207
0
LOL! YASSSSSS I can imagine that already. There will be some who will get it hard bricked.

---------- Post added at 05:39 PM ---------- Previous post was at 05:34 PM ----------



Isn't your model the Verizon model? If it is... I haven't heard of any Verizon user having unlocked the bootloader for their LG V20s. Not to be a downer, but the methods in this thread are only possible for the H918 (T-Mobile variant), unless someone found a way to unlock Verizon's bootloader. :confused:
They discuss unlocking in the first post so I'm optimistic. Even if not, there has been custom stuff done around locked bootloaders. I came from the S4 and that was possible with the loki method, so I'm optimistic

Sent from my VS995 using Tapatalk
 

jinkerz9430

Senior Member
Sep 12, 2014
1,149
331
118
Kissimmee, FL
They discuss unlocking in the first post so I'm optimistic. Even if not, there has been custom stuff done around locked bootloaders. I came from the S4 and that was possible with the loki method, so I'm optimistic

Sent from my VS995 using Tapatalk
Oh. Great to know. I hope they manage to do something with the Verizon variants, in fact, with all the variants. Maybe after that they will have more interest in the device :cool:
 

wolfgart

Senior Member
Sep 14, 2007
1,875
1,198
143
Rome
Alright, so you guys have probably heard about me working on this project for a week now. Sorry it's been taking so long, there's been so many variables and hurdles to go through!

I don't own the device myself, so it was all done over TeamViewer thanks to @slayerh4x and @Darriousx who stayed around in the #twrp channel on freenode to assist with their devices.

Understand that I'm still working on getting TWRP to boot, there seems to be something about the stock kernel sources that doesn't want TWRP to be a part of it. :p

This will not get you SuperSU or app root access, this is only a root shell allowing you to flash TWRP when it's ready and do other things.
This does however open up some methods of installing SuperSU without TWRP. @Chainfire might have some ideas if he wishes to show up here and stir up some noise. ;)
We do have the ability to do a full ramdisk unpack, edit, repack, and flash within the confines of /data/local while booted into the permissive system using recowvery-applypatch.
This should bring some opportunities, but it's still more sane to just wait for TWRP.

For the instructions on using recowvery, you should read the README.md on the GitHub page:
https://github.com/jcadduono/android_external_dirtycow

You can find the recowvery binaries prebuilt at:
https://build.nethunter.com/android-tools/dirtycow/arm64/

You will need to unlock your bootloader first. For this you'll probably need LG's drivers.

Windows: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
Mac: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00320110909

You will also need adb and fastboot. You can download them in a portable small form factor here:
http://forum.xda-developers.com/android/software/host-tools-t3402497

Start by turning on developer options in Settings -> About device -> Software info -> Build number. (tap 7 times until it's enabled)

Now navigate to Settings -> Developer options -> OEM unlock. (turn it on)

Don't ever turn OEM unlock or Developer options off when using a custom ROM or recovery. This could lead to loss of all your data.

For your computer to see ADB, you will need to put the phone in PTP mode (for transferring images). I don't know why this is, a misconfiguration in LG's kernel gadget drivers maybe?

Extract adb and fastboot to a folder on your PC.

Type adb start-server and make sure to check the notification on your phone to accept debugging authorization.
You can reboot into fastboot mode with adb reboot bootloader once authorized.
If it fails to authorize or show the notification on your phone, you may need to try other USB ports.

To unlock your bootloader, use fastboot oem unlock once the phone boots into fastboot mode.
Warning: This step will wipe all your data and factory reset your phone!

You can check the status of your bootloader lock with the fastboot getvar all command.
ex. (bootloader) unlocked:yes

You should now boot back into your phone (fastboot reboot).

You're now ready to follow the recowvery installation instructions.
See here: https://github.com/jcadduono/android_external_dirtycow

There's also a full write up on that page on how recowvery works if you're into that kind of stuff.
I probably need to proof read it though, I'm really tired.
You are the man!!!!!!!!!!!!!!!!!!!!!!!
 

douger1957

Senior Member
Jul 31, 2010
1,261
442
83
Fort Wayne
LOL! YASSSSSS I can imagine that already. There will be some who will get it hard bricked.

---------- Post added at 05:39 PM ---------- Previous post was at 05:34 PM ----------



Isn't your model the Verizon model? If it is... I haven't heard of any Verizon user having unlocked the bootloader for their LG V20s. Not to be a downer, but the methods in this thread are only possible for the H918 (T-Mobile variant), unless someone found a way to unlock Verizon's bootloader. :confused:
For me, there's a certain amount of education that needs to be tackled before you start messing with a phone. I have never had a LG smartphone before, but rather quickly discovered that LGUP is not ODIN, and that yes, you can hard brick a LG doing stuff that a Samsung will shrug off.

Too many people are impatient and won't let the developers come out with a product that is relatively easy to use. Too many people won't take the time to learn what they're doing and how to fix their mistakes. Too many people won't bother to read and follow simple instructions, and too many people think their experience on other phones will play out here. The only thing this phone has in common with others is the basic Android. It's what LG has put on top that has given the developers a hard time. That, and Nougat seems to be a new beast to be slain.
 

jinkerz9430

Senior Member
Sep 12, 2014
1,149
331
118
Kissimmee, FL
For me, there's a certain amount of education that needs to be tackled before you start messing with a phone. I have never had a LG smartphone before, but rather quickly discovered that LGUP is not ODIN, and that yes, you can hard brick a LG doing stuff that a Samsung will shrug off.

Too many people are impatient and won't let the developers come out with a product that is relatively easy to use. Too many people won't take the time to learn what they're doing and how to fix their mistakes. Too many people won't bother to read and follow simple instructions, and too many people think their experience on other phones will play out here. The only thing this phone has in common with others is the basic Android. It's what LG has put on top that has given the developers a hard time. That, and Nougat seems to be a new beast to be slain.

Yup! I couldn't have written it better hahaha. But it is bound to happen for some people that will not pay careful attention. I mean, I'm not an expert, I'm maybe a little more than a noob now since I have been dealing with this for quite some time, and that is why I just started my C++ class :cool: in order to reach at least a good-to-go level of understanding.
 

jcadduono

Recognized Developer
Jan 17, 2014
1,492
6,206
0
28
Thunder Bay
adduono.com
As this method does not ever mount your system r/w, it won't brick your system. Since it also can't provide you with real root access until you reboot recovery into a permissive system, you risk no chances of bricking your device if this is not for it, because if your device is locked, the recovery will refuse to boot and be replaced with stock again 2 seconds later.

Unfortunately I have not yet disabled verity in the fstab, so if a H918 user uses their new root shell to remount system as r/w then they will be bricked. I'll see if I can find a decent way to do this...probably with sed.

But yeah. You're safe if your bootloader is locked. :)
 
Last edited:

bambam126

Senior Member
Dec 21, 2010
528
136
0
Norwalk CA
As this method does not ever mount your system r/w, it won't brick your system. Since it also can't provide you with real root access until you reboot recovery into a permissive system, you risk no chances of bricking your device if this is not for it, because if your device is locked, the recovery will refuse to boot and be replaced with stock again 2 seconds later.

Unfortunately I have not yet disabled verity in the fstab, so if a V20 user uses their new root shell to remount system as r/w then they will be bricked. I'll see if I can find a decent way to do this...probably with sed.

But yeah. You're safe if your bootloader is locked. :)

Locked or unlock
 

douger1957

Senior Member
Jul 31, 2010
1,261
442
83
Fort Wayne
As this method does not ever mount your system r/w, it won't brick your system. Since it also can't provide you with real root access until you reboot recovery into a permissive system, you risk no chances of bricking your device if this is not for it, because if your device is locked, the recovery will refuse to boot and be replaced with stock again 2 seconds later.

Unfortunately I have not yet disabled verity in the fstab, so if a V20 user uses their new root shell to remount system as r/w then they will be bricked. I'll see if I can find a decent way to do this...probably with sed.

But yeah. You're safe if your bootloader is locked. :)
Oh, ye of little faith. Where there's a will, there's a way. :eek: :p ;)