[H918|US996|H830] recowvery, unlock your V20/G5 potential - now with TWRP!


Catboy123

New member
Aug 5, 2018
3
0
No idea about the g5's arb or lack of, but this exploit requires the phone to be on the December 2016 security patch. You may or may not be able to roll back to a vulnerable version depending on arb.

The phone has Anti Rollback, but as far as I am aware it is bypassable. The phone was originally on 20N, and I was able to flash a 20A KDZ to it unlocking the bootloader.
 

cnjax

Senior Member
Aug 4, 2011
4,282
10,895
Jacksonville, FL
As phoenix stated this exploit was patched a long time ago so unless you're on a security level prior to Dec 2016 which is doubtful, that's why it's not working

Sent from my LG-H910 using XDA Labs
 

Catboy123

New member
Aug 5, 2018
3
0
AFAIK the 20A patch is from November 2016. I'm new to rooting/flashing so you may well be correct that I've missed something, patch-wise.

Do you happen to know of any other ways? All of my XDA and Google searching brings me to the same dirtycow methods.
 

Vortell

Senior Member
May 27, 2009
1,102
368
LG V20
LG G6
Anybody with any knowledge on whether dirty Santa works on a bpt (Bright Point) us996? Then if it does what version it needs to be in to do it and if I can just flash standard us996 firmware over it? I have tried posting in a few other threads about it with no luck. There is info on using dirty santa on us996 but most of it is about standard unlocked version or the ucl (US Cellular) version there is almost no mention of bpt version.
 
Last edited:

miguelr4720

Senior Member
May 24, 2015
111
35
27
New York
Warning: setcon transition to 'u:r:init:s0' failed (is SELinux Enforcing?)
Error 1: Operation not permitted
Welcome to recowvery! (run-as)
------------
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
We have root access!
------------
Executing: 'dd' with 2 arguments

1|h1:/ $

---------- Post added at 08:57 PM ---------- Previous post was at 08:56 PM ----------

How to Fix This Problem On H830 TMOBILE SOMEONE HELP ME FIX THIS
 

cnjax

Senior Member
Aug 4, 2011
4,282
10,895
Jacksonville, FL
dirty cow was patched a long time ago

Sent from my LG-H910 using XDA Labs
 
Jan 24, 2019
45
9
i followed the steps for the recowvery, but it's hanging at the logcat command. i cannot seem to get an action out of it as it just hangs. the blinking line just sits there.

LG V20 H918

---------- Post added at 07:13 PM ---------- Previous post was at 06:17 PM ----------

@jcadduono
 

sxotty

Member
Feb 9, 2012
20
0
I have the exact same problem on h830 (I downgraded from 30c with uppercut). Something must have happened. don't think the prior command worked properly, mine crashes to white background tmobile screen then just sits forever. I think everything looks like it should work, but no dice.
 
Last edited:

sxotty

Member
Feb 9, 2012
20
0
Any suggestions?

As I could not get the logcat command to run (can someone tell me what exactly it is supposed to be doing? It seems like it is just logging a bunch of useless data) I tried to skip ahead. I saw someone else had some problems with the 'exec' package missing and knew it was b/c they did not swap the run as. So I started there.
It did overwrite run-as as you can see. But it did not seem to be able to write twrp fully. I marked it in red. It did say it got root access later though. If it got root access it seems strange I cannot use getenforce which does not give me permissive. As I said the logcat part fails.

I did
adb reboot recovery after the following and it went straight to the OS and skipped recovery. I did reboot recovery again and it went to No Command screen.

 
Jan 24, 2019
45
9
As phoenix stated this exploit was patched a long time ago so unless you're on a security level prior to Dec 2016 which is doubtful, that's why it's not working

Sent from my LG-H910 using XDA Labs

so basically we're screwed?

if so, i'm getting a refund and returning this device. i don't have time for this.
 

sxotty

Member
Feb 9, 2012
20
0
sad times

So I relocked the bootloader in fastboot, then unlocked it again just in case somehow the downgrade to 20A wasn't enough.

It made no difference sadly. logcat -s recowvery still does nothing on h83020A.

It is a bummer that downgrading does not work anymore.
 

sxotty

Member
Feb 9, 2012
20
0
Happy times - success

I was talking with the fellow who made easy recovery since this did not work. He made a script that did not do all the checks and it noted I had a mismatch in adb versions though I installed from this thread, perhaps I had another version from something else. Somehow the device retained version 40 of adb which would not allow the commands to complete even after downgrade on device. Anyway I checked the versions included with the script and found one that was 36. This was what I needed. I tried to uninstall adb from add remove programs, but version 40 persisted on the system level (perhaps if I had typed .\adb it would have used the local file instead of system file). It was in c:\windows. I deleted that manually.

Then I typed in the normal series of commands mentioned but in powershell (not admin version btw just normal) you have to add .\ before adb on each line. Lo and behold it worked finally. Hallelujah. So I am writing this to let others know that there is hope. I am not sure if all the steps were necessary, but in short, what I did was
1) Downgrade to 20A using uppercut
2) Lock bootloader in fastboot
3) Unlock bootloader in fastboot
4) Find adb version 36 which matched h83020A
5) Type in the normal series of commands according to h918-recowvery-unlock-v20-root-shell-t3490594
Be careful once you get into TWRP not to screw things up. I went straight to the next part and updated to Oreo as I already had all the needed zips including magisk on the SD card.

Then I used
stock-h830-30c-zips-imgs-kdz-2018-08-01-t3845206
To return to oreo but retain unlock and root.

I might then try
277634#*#
. . .Then Scroll Down and Tap on ‘WiFi Test’
Tap on the ‘OTA Setting’ Option
Then Tap on the Big ‘Disable’ Button
 
Last edited:
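
The situation described in the post above (a stale adb in c:\windows taking precedence over the copy in the tools folder), as an added example that is not part of the original post or the recowvery project. It lists every adb.exe on PATH in the order PowerShell resolves a bare `adb`, reads each one's version from `adb version`, and compares the first with the copy in the current folder.

```powershell
# Added example, not from the thread: show which adb.exe a bare "adb" runs.

function Get-AdbVersion([string]$Path) {
    # "adb version" prints a line such as "Android Debug Bridge version 1.0.36"
    # and does not start the adb server.
    $out = & $Path version 2>&1 | Out-String
    if ($out -match 'Android Debug Bridge version (\d+(?:\.\d+)+)') { return $Matches[1] }
    return 'unknown'
}

# Every adb found through PATH, in the order PowerShell resolves a bare "adb".
$onPath = @(Get-Command -Name adb -CommandType Application -All -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Path = $_.Path; Version = Get-AdbVersion $_.Path } })

# PowerShell does not run programs from the current folder unless they are
# called with an explicit path, so this copy is used only as .\adb
$localPath = Join-Path (Get-Location).Path 'adb.exe'
$local = if (Test-Path -LiteralPath $localPath) {
    [pscustomobject]@{ Path = $localPath; Version = Get-AdbVersion $localPath }
}

if ($onPath.Count -eq 0) {
    Write-Output 'No adb on PATH: a bare "adb" will fail, use .\adb from the tools folder.'
} else {
    Write-Output ('Bare "adb" runs : {0} (version {1})' -f $onPath[0].Path, $onPath[0].Version)
    $onPath | Select-Object -Skip 1 | ForEach-Object {
        Write-Output ('Later on PATH   : {0} (version {1})' -f $_.Path, $_.Version)
    }
}

if ($local) {
    Write-Output ('.\adb runs      : {0} (version {1})' -f $local.Path, $local.Version)
    $first = $onPath | Select-Object -First 1
    if ($first -and $first.Path -ne $local.Path -and $first.Version -ne $local.Version) {
        Write-Warning ('Bare "adb" and .\adb are different versions ({0} vs {1}).' -f $first.Version, $local.Version)
    }
} else {
    Write-Output 'No adb.exe in the current folder.'
}
```

Run it from the folder the tools were extracted to, in the same PowerShell window used for the adb commands.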
Jan 24, 2019
45
9
i'll just stay unrooted. i don't have the patience for this, or the time. i'll just stick to theming via Substratum and using nova launcher

---------- Post added at 10:54 PM ---------- Previous post was at 10:53 PM ----------

but thank you for taking the time to type all that out. i may try some other day
 

jerryspring

Senior Member
Feb 18, 2018
1,934
168
If you are not an H918, H830, or US996 (Unlocked, NOT US Cellular) user, kindly leave this thread, this will not do anything for your device, exchange it if you're so desperate. Thank you.

Note for US996: It's probably easier for you guys just to flash TWRP the normal way and pull your battery then do the factory reset dance to get in!

Team Win Recovery Project 3.0.2-1



Alright, so you guys have probably heard about me working on this project for a week now. Sorry it's been taking so long, there's been so many variables and hurdles to go through!

I don't own the device myself, so it was all done over TeamViewer thanks to @slayerh4x and @Darriousx who stayed around in the #twrp channel on freenode to assist with their devices.

This will allow you to install TWRP and flash SuperSU!

Step 1: Unlocking your bootloader

You will need to unlock your bootloader first. For this you'll probably need LG's drivers.

Windows: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
Mac: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00320110909

You will also need adb and fastboot. You can download them in a portable small form factor here:
http://forum.xda-developers.com/android/software/host-tools-t3402497

Start by turning on developer options in Settings -> About device -> Software info -> Build number. (tap 7 times until it's enabled)

Now navigate to Settings -> Developer options -> OEM unlock. (turn it on)

Don't ever turn OEM unlock or Developer options off when using a custom ROM or recovery. This could lead to loss of all your data.

For your computer to see ADB, you will need to put the phone in PTP mode (for transferring images). I don't know why this is, a misconfiguration in LG's kernel gadget drivers maybe?

Extract adb and fastboot to a folder on your PC.

Type adb start-server and make sure to check the notification on your phone to accept debugging authorization.
You can reboot into fastboot mode with adb reboot bootloader once authorized.
If it fails to authorize or show the notification on your phone, you may need to try other USB ports.

H918/H830 users only:
To unlock your bootloader, use fastboot oem unlock once the phone boots into fastboot mode.
Warning: This step will wipe all your data and factory reset your phone!

You can check the status of your bootloader lock with the fastboot getvar all command.
ex. (bootloader) unlocked:yes

You should now boot back into your phone (fastboot reboot).

You will probably need to complete the Android setup wizard at this point to get access to ADB again.

US996 users only:
To unlock your bootloader, follow the unlock instructions on LG's site (I can't really help you there):
https://developer.lge.com/resource/mobile/RetrieveBootloader.dev?categoryTypeCode=ANRS

Once you're finished with unlocking your bootloader, continue on to step 2.

Step 2: Running recowvery

You can find the recowvery binaries (you need to download all of these) at:
https://build.nethunter.com/android-tools/dirtycow/arm64/

You're now ready to follow the recowvery installation instructions.
See here: https://github.com/jcadduono/android_external_dirtycow#running (running section)

Bonus: There's also a full write up on that page on how recowvery works if you're into that kind of stuff.

Step 3: Flashing TWRP & Rooting

Notice: There is currently no decryption support, just the same as the LG G5, I'm running into the exact same scenario (unable to start rpmb device).
Due to this, I have disabled hardware decryption in this build to keep it stable. If you wish to have your data work in TWRP, you will need to disable decryption.
If you're coming from the Note 7 or S7, this will be a familiar scenario for you. ;)

Once you've got your permissive shell in adb, you will have access to your partitions via dd.
You should transfer TWRP to your internal storage (name it twrp.img) using MTP, you can also just use adb push. (mentioned here)

Download TWRP: (official builds, V20 is waiting for TWRP 3.1.0 for twrp.me download)
H918: https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-h918.img
US996: https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-us996.img
H830: https://twrp.me/devices/lgg5h830.html

This step requires that you've used dirtycow to replace /system/bin/run-as with recowvery-run-as. If you've rebooted since doing that, you will need to go back and do that again.
Code:
adb push twrp-3.0.2-x-xxxx.img /sdcard/twrp.img
adb shell
$ run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
"<wait for it to complete>"
$ reboot recovery
You should be inside TWRP now. It will ask you if you want to enable system modifications. You should swipe yes, otherwise your OS will replace TWRP on next boot.

Flash the latest zip from https://build.nethunter.com/android-tools/no-verity-opt-encrypt/ to turn off forced encryption at boot and allow you to boot a modified system. If you're flashing SuperSU.zip, it will also do this for you so this won't be necessary.
Warning: If you don't flash either no-verity-opt-encrypt or SuperSU, you will probably end up in a horrifying never-ending boot loop of "corruption"!

Latest SuperSU: https://download.chainfire.eu/supersu

To disable encryption after flashing SuperSU or the no-verity-opt-encrypt zip, you must use the [Format Data] button on the Wipe page in TWRP. No other options will work.
Back up all your internal storage and apps data that you can to your PC. You can use Titanium Backup with SuperSU before doing this step if you like.
Warning: Using [Format Data] will wipe all your apps and data (including internal storage) off the phone, giving you the out-of-the-box experience of a new phone!
Once this is done, you should be able to backup/restore/use any function of TWRP without any issues.

Flashed SuperSU? You're done! Boot up (it will reboot a few times) and set up your SuperSU Manager to your liking and give this post a thanks! :)

Step 4: Have fun!

I know a few people have mentioned donating, there is a button right on this post under my username. :p
Sorry, I don't keep a list as I prefer to keep people's information confidential, but if you do send any money my way, you can request that I mention you at the bottom of this post with any details.

I ask that people please not attach files in this thread, everything required is mentioned in this post, and should be stable in its present state. Thank you.

is this twrp compatible with h91810p?
 

Top Liked Posts

    42
    Ah, well good that TWRP now works. On one hand that means I wasted my evening yesterday, on the other, the process of getting it rooted is much simpler for you guys now. And it means I don't have to write a guide, an idea I wasn't particularly fond of anyway ;)
    30
    The combination of the amount of thanks on Chainfire's post that does nothing more than say he's glad he doesn't have to work on the device compared to my actual OP, and this headline on AndroidHeadlines: "Chainfire Successfully Gains Root Access To LG V20" is pretty frustrating. Why why why! :eek:

    In the meantime I've made a few bug fixes and cleaned up the code to recowvery, so it should be a little more understandable too. New binaries are already up at the same location.

    I'm wondering what other devices out there in the world don't have signature enforcement enabled (unlockable, or unlocked but inaccessible or flash disabled bootloader), whatever there is, recowvery will very likely work on them as well in its current state. I assume people have tried this on all variants of the V20 now... (skipping past the fastboot instructions)

    It should work on the H830 as well I think, negating the need to use TOTs and flash their entire device. :D (does it still do that?)
    20
    Well we know root has been achieved, but NOT released for the public as of yet. That's all I was saying... And I am glad to know that it worked on your Mac cause that's what I am in the process of doing at this very moment.

    Well then, let's release it to the public then.

    https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-0-beta4-h918.img

    Follow the instructions in the OP, there are instructions in the end of the README to flash the TWRP image.

    There is currently no decryption support, just the same as the LG G5, I'm running into the exact same scenario (unable to start rpmb device).

    Due to this, I have disabled hardware decryption in this build to keep it stable. If you wish to have your data work in TWRP, you will need to disable decryption.
    If you're coming from the Note 7 or S7, this will be a familiar scenario for you. ;)

    Flash the latest version from https://build.nethunter.com/android-tools/no-verity-opt-encrypt/ once you're in TWRP to turn off forced encryption at boot and allow you to boot a modified system. If you're flashing SuperSU.zip, it will also do this for you.

    Latest SuperSU: https://download.chainfire.eu/supersu

    To disable encryption after flashing SuperSU or the no-verity-opt-encrypt zip, you must use the [Format Data] button on the Wipe page in TWRP. No other options will work.
    Back up all your internal storage and apps data that you can to your PC. You can use Titanium Backup with SuperSU before doing this step if you like.
    Warning: Using [Format Data] will wipe all your apps and data (including internal storage) off the phone, giving you the out-of-the-box experience of a new phone!
    Once this is done, you should be able to backup/restore/use any function of TWRP without any issues.
    17
    TWRP is functioning on H918. Doing some more bug checking before I can make it official.