[H918|US996|H830] recowvery, unlock your V20/G5 potential - now with TWRP!

Search This thread

jerryspring

Senior Member
Feb 18, 2018
1,933
178
the -0 version I hope should be perfectly fine. not 100% certain on it though, the only difference since rc8 should be a few kernel bug fixes and a new exFAT driver, and a few extra partitions added to Flash Image page to work with the OTA 7z file I uploaded.

update: updated thread for B&H Photo V20 model US996.
Ever find a solution for the us cellular version to root?
 

johnny_bird

Member
Dec 22, 2016
6
0
Mesa
all was fine until i got to the command "adb logcat -s recovery" after that it stopped after the first 2 lines. Looked like this (copied from command prompt window)
C:\Program Files (x86)\Minimal ADB and Fastboot>adb logcat -s recowvery
--------- beginning of system
--------- beginning of main

I tried the whole process over three time each doing the same never getting any further, any clues or help would be greatly appreciated. Thank you.
LG V20 H918h on android 8.0.0
 

Phoenix591

Senior Member
Oct 15, 2017
678
762
all was fine until i got to the command "adb logcat -s recovery" after that it stopped after the first 2 lines. Looked like this (copied from command prompt window)
C:\Program Files (x86)\Minimal ADB and Fastboot>adb logcat -s recowvery
--------- beginning of system
--------- beginning of main

I tried the whole process over three time each doing the same never getting any further, any clues or help would be greatly appreciated. Thank you.
LG V20 H918h on android 8.0.0
This requires the very old december 2016 security patch, which is impossible to revert to on H918's on or past 10p (yours is, since you're on oreo, which is 20 something depending on your actual software version). you need to follow a different process which is exclusive to the H918 because only the H918 can use fastboot oem unlock.

This process, which is explained in more detail here
 
  • Like
Reactions: vudude

johnny_bird

Member
Dec 22, 2016
6
0
Mesa
Thank you

Thank you, I really do appreciate the response. I am yet to try the alternate method which you have so graciously presented to me. Been a little busy these past few days, but I indeed WILL mosey over to the links which are provided and give it a try. I really miss having a rooted phone and I know that the older a phone model gets over time, along with the forced upgrades the likelihood of there being a root for it diminishes greatly. That is why I have decided that when it comes time to get a new phone (whenever that might be), that the next one will be bought solely based on its ease of root-ability. That, I think will make things a whole lot easier in the future. Thank you again for all of your help. And a thank you as well to ALL of the gurus at XDA for your knowledge and expertise of the Android. Without it, I don't know who I would trust for the correct information on such matters.
 

johnny_bird

Member
Dec 22, 2016
6
0
Mesa
Thank you, your suggestion worked like a charm

This requires the very old december 2016 security patch, which is impossible to revert to on H918's on or past 10p (yours is, since you're on oreo, which is 20 something depending on your actual software version). you need to follow a different process which is exclusive to the H918 because only the H918 can use fastboot oem unlock.

This process, which is explained in more detail here

So I downgraded with the KDZ to Android 7.0.0, ran FWUL on a Windows 10 Enterprise computer, got TWRP put on the Download side, Flashed Magisk, then put TWRP on to the Recovery via the TWRP app on the phone. Backed up the phone with TWRP. Verified the root with a root checking app. I am all rooted and ready to implement and enjoy all of the benefits of a rooted device. Thank you again for all of your help, I am a very happy person right now.:D
 

rahimbe7

New member
Nov 28, 2019
1
0
when i put this command adb logcat -s recowvery iget --------- beginning of system
--------- beginning of main and stay like that nothing happened please help il using LG H918 10p .
 

jritt

Member
Mar 9, 2011
15
0
So I have LG V20 h91820h, will this method work for me? I thought that I had read that my phone could be rooted using lafsploit, but now I can't seem to find the instructions...is there any way I can achieve root on this device?
 

bennylava

Member
Sep 28, 2011
39
0
Can anyone make a Guide to installing Lineage on the G5 in 2021? If you patched past Android 7.0, you're screwed. I'm on 8.0 Oreo, and I just can't downgrade to 7.0 so that I can install a custom recovery. If anyone can explain how to do that, I'd be very gratefully. I so want to run Lineage.
 

jailedmike

Senior Member
May 2, 2018
64
6
Moto E 2015
LG V20
Can anyone make a Guide to installing Lineage on the G5 in 2021? If you patched past Android 7.0, you're screwed. I'm on 8.0 Oreo, and I just can't downgrade to 7.0 so that I can install a custom recovery. If anyone can explain how to do that, I'd be very gratefully. I so want to run Lineage.
I would read though this,
Lg g5 is basically the same, tmobile and sprint g5 will not be able to downgrade. The signing key changes on os to oreo and not shared with the other models. You might need to change script a bit for g5 names. I have not checked but I don't think so. On At&t you should use lgup to backup modem partition if you want full bands back. You need it to restore it after unlock. For v20 there is canadian h915 that is used if h910s need modem partition replaced. Not sure there is a Rogers (I think h915 is Rogers) g5 Kdz to get it from.. Otherwise downgrades are the same from g5 through at least v30 including v20... Otherwise I don't have g5 so not sure how else I can help anymore.
 

timba123

Senior Member
Feb 10, 2015
523
93
Maryland
LG V20
Ok. I have a H918 on android 7. Security patch of January 2018. Im on H91810S Firmware. From what i read i must downgrade to be able to root. Being that im on Nougat 10S am i going to be able to downgrade? ARB? If its possible, How far must i go back? I just want TWRP and Magisk root. Id like to downgrade and try dirty cow but i will probably have to do lafsploit method. Can experienced persons please give me a few tips please?
 

AddisonSparks

New member
Feb 27, 2022
4
3
i'm in the same position

Can anyone make a Guide to installing Lineage on the G5 in 2021? If you patched past Android 7.0, you're screwed. I'm on 8.0 Oreo, and I just can't downgrade to 7.0 so that I can install a custom recovery. If anyone can explain how to do that, I'd be very gratefully. I so want to run Lineage.
Hey I'm just finishing up this process with my G5 H830 (T-Mobile).. hopefully this helps someone.

Important: when I downgraded from Android 8 to 7, the phone was forced into factory reset. Definitely make a backup of anything you don't want to be erased.

The phone was left to me by my dad and was on android 8. I found a code somewhere (I'll paste below) that allowed me to check the anti-rollback version of the phone and it was 1. Depending on your carrier, I believe there are different codes you input using the dial pad to reveal the anti-rollback "ARB" version. I would double check the firmware you're downloading matches, but from what I've seen, android 8 and 7 both ship as ARB 1. The way it works is the number can go forwards but not backwards. ARB 1 system can flash ARB 2, but then once you have 2, you can't go back to 1. This code is supposed to be for both AT&T and T-mobile: *#*#244773825625#*#* it worked for me. I was able to find the H83020a android 7 KDZ and flash it with LGUP. Still took me hours of work after that and switching between windows 10 and linux mint to root from there, but android 7 took easily. LGUP is only windows. but the ADB commands for dirty cow would not complete for me in windows. It would always hang on "adb logcat -s recowvery". I decided to try the dirty cow commands using linux mint with the ADB 1.0.39 (I believe current) and everything worked as stated in the post. The only difference in command for linux (which to me was actually easier) is that you only "cd" into the dirty cow folder and adb runs from the base terminal.

This was the only tutorial that worked for me and even at that it didn't work on the first PC I was trying it on.

The phone was on android 8, and now it's android 7 nougat with TWRP on the screen.


UPDATE:


I flashed Lineage through TWRP without wiping the phone, and Lineage used some sort of encryption. I would power on the device, and when Lineage loads, it asks for a password. There is no password. I had a lot of trouble getting back to TWRP recovery because of LG's extremely limited recovery handling system. You can't just hold down buttons during power on to get to the proper recovery menu. Once I figured out the button combo, (power + volume down, release power, hold power again), I was able to get to the LG menu to choose the option to factory wipe the phone. That sent me back to TWRP, and there I did an advanced wipe before trying Lineage a second time. After doing a complete wipe and format of the internal storage and then loading the Lineage zip back onto the phone, I was able to flash it again as normal through TWRP and the OS runs as it should. Clean and smooth. I still don't know what encryption was carried over, as I just did a factory reset to downgrade to the 20a nougat firmware, but Lineage seems to need the advanced wipe option in TWRP that formats the internal storage and erases any encryption. At least in my case, it was neccesary. Luckily, you can access internal storage via USB with TWRP running so you can copy off any important files before wiping.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 206
    If you are not an H918, H830, or US996 (Unlocked, NOT US Cellular) user, kindly leave this thread, this will not do anything for your device, exchange it if you're so desperate. Thank you.

    Note for US996: It's probably easier for you guys just to flash TWRP the normal way and pull your battery then do the factory reset dance to get in!

    Team Win Recovery Project 3.0.2-1



    Alright, so you guys have probably heard about me working on this project for a week now. Sorry it's been taking so long, there's been so many variables and hurdles to go through!

    I don't own the device myself, so it was all done over TeamViewer thanks to @slayerh4x and @Darriousx who stayed around in the #twrp channel on freenode to assist with their devices.

    This will allow you to install TWRP and flash SuperSU!

    Step 1: Unlocking your bootloader

    You will need to unlock your bootloader first. For this you'll probably need LG's drivers.

    Windows: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
    Mac: http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00320110909

    You will also need adb and fastboot. You can download them in a portable small form factor here:
    http://forum.xda-developers.com/android/software/host-tools-t3402497

    Start by turning on developer options in Settings -> About device -> Software info -> Build number. (tap 7 times until it's enabled)

    Now navigate to Settings -> Developer options -> OEM unlock. (turn it on)

    Don't ever turn OEM unlock or Developer options off when using a custom ROM or recovery. This could lose to loss of all your data.

    For your computer to see ADB, you will need to put the phone in PTP mode (for transferring images). I don't know why this is, a misconfiguration in LG's kernel gadget drivers maybe?

    Extract adb and fastboot to a folder on your PC.

    Type adb start-server and make sure to check the notification on your phone to accept debugging authorization.
    You can reboot into fastboot mode with adb reboot bootloader once authorized.
    If it fails to authorize or show the notification on your phone, you may need to try other USB ports.

    H918/H830 users only:
    To unlock your bootloader, use fastboot oem unlock once the phone boots into fastboot mode.
    Warning: This step will wipe all your data and factory reset your phone!

    You can check the status of your bootloader lock with the fastboot getvar all command.
    ex. (bootloader) unlocked:yes

    You should now boot back into your phone (fastboot reboot).

    You will probably need to complete the Android setup wizard at this point to get access to ADB again.

    US996 users only:
    To unlock your bootloader, follow the unlock instructions on LG's site (I can't really help you there):
    https://developer.lge.com/resource/mobile/RetrieveBootloader.dev?categoryTypeCode=ANRS

    Once you're finished with unlocking your bootloader, continue on to step 2.

    Step 2: Running recowvery

    You can find the recowvery binaries (you need to download all of these) at:
    https://build.nethunter.com/android-tools/dirtycow/arm64/

    You're now ready to follow the recowvery installation instructions.
    See here: https://github.com/jcadduono/android_external_dirtycow#running (running section)

    Bonus: There's also a full write up on that page on how recowvery works if you're into that kind of stuff.

    Step 3: Flashing TWRP & Rooting

    Notice: There is currently no decryption support, just the same as the LG G5, I'm running into the exact same scenario (unable to start rpmb device).
    Due to this, I have disabled hardware decryption in this build to keep it stable. If you wish to have your data work in TWRP, you will need to disable decryption.
    If you're coming from the Note 7 or S7, this will be a familiar scenario for you. ;)

    Once you've got your permissive shell in adb, you will have access to your partitions via dd.
    You should transfer TWRP to your internal storage (name in twrp.img) using MTP, you can also just use adb push. (mentioned here)

    Download TWRP: (official builds, V20 is waiting for TWRP 3.1.0 for twrp.me download)
    H918: https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-h918.img
    US996: https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-1-us996.img
    H830: https://twrp.me/devices/lgg5h830.html

    This step requires that you've used dirtycow to replace /system/bin/run-as with recowvery-run-as. If you've rebooted since doing that, you will need to go back and do that again.
    Code:
    adb push twrp-3.0.2-x-xxxx.img /sdcard/twrp.img
    adb shell
    $ run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
    "<wait for it to complete>"
    $ reboot recovery
    You should be inside TWRP now. It will ask you if you want to enable system modifications. You should swipe yes, otherwise your OS will replace TWRP on next boot.

    Flash the latest zip from https://build.nethunter.com/android-tools/no-verity-opt-encrypt/ to turn off forced encryption at boot and allow you to boot a modified system. If you're flashing SuperSU.zip, it will also do this for you so this won't be necessary.
    Warning: If you don't flash either no-verity-opt-encrypt or SuperSU, you will probably end up in a horrifying never-ending boot loop of "corruption"!

    Latest SuperSU: https://download.chainfire.eu/supersu

    To disable encryption after flashing SuperSU or the no-verity-opt-encrypt zip, you must use the [Format Data] button on the Wipe page in TWRP. No other options will work.
    Back up all your internal storage and apps data that you can to your PC. You can use Titanium Backup with SuperSU before doing this step if you like.
    Warning: Using [Format Data] will wipe all your apps and data (including internal storage) off the phone, giving you the out-of-the-box experience of a new phone!
    Once this is done, you should be able to backup/restore/use any function of TWRP without any issues.

    Flashed SuperSU? You're done! Boot up (it will reboot a few times) and set up your SuperSU Manager to your liking and give this post a thanks! :)

    Step 4: Have fun!

    I know a few people have mentioned donating, there is a button right on this post under my username. :p
    Sorry, I don't keep a list as I prefer to keep people's information confidential, but if you do send any money my way, you can request that I mention you at the bottom of this post with any details.

    I ask that people please not attach files in this thread, everything required is mentioned in this post, and should be stable in its present state. Thank you.
    42
    Ah, well good that TWRP now works. On one hand that means I wasted my evening yesterday, on the other, the process of getting it rooted is much simpler for you guys now. And it means I don't have to write a guide, an idea I wasn't particularly fond of anyway ;)
    30
    The combination of the amount of thanks on Chainfire's post that does nothing more than say he's glad he doesn't have to work on the device compared to my actual OP, and this headline on AndroidHeadlines: "Chainfire Successfully Gains Root Access To LG V20" is pretty frustrating. Why why why! :eek:

    In the meantime I've made a few bug fixes and cleaned up the code to recowvery, so it should be a little more understandable too. New binaries are already up at the same location.

    I'm wondering what other devices out there in the world don't have signature enforcement enabled (unlockable, or unlocked but inaccessible or flash disabled bootloader), whatever there is, recowvery will very likely work on them as well in its current state. I assume people have tried this on all variants of the V20 now... (skipping past the fastboot instructions)

    It should work on the H830 as well I think, negating the need to use TOTs and flash their entire device. :D (does it still do that?)
    20
    Well we know root has been achieved, but NOT released for the public as of yet. That's all I was saying... And I am glad to know that it worked on your Mac cause that's what I am in the process of doing at this very moment.

    Well then, let's release it to the public then.

    https://build.nethunter.com/test-builds/twrp/lge/twrp-3.0.2-0-beta4-h918.img

    Follow the instructions in the OP, there are instructions in the end of the README to flash the TWRP image.

    There is currently no decryption support, just the same as the LG G5, I'm running into the exact same scenario (unable to start rpmb device).

    Due to this, I have disabled hardware decryption in this build to keep it stable. If you wish to have your data work in TWRP, you will need to disable decryption.
    If you're coming from the Note 7 or S7, this will be a familiar scenario for you. ;)

    Flash the latest version from https://build.nethunter.com/android-tools/no-verity-opt-encrypt/ once you're in TWRP to turn off forced encryption at boot and allow you to boot a modified system. If you're flashing SuperSU.zip, it will also do this for you.

    Latest SuperSU: https://download.chainfire.eu/supersu

    To disable encryption after flashing SuperSU or the no-verity-opt-encrypt zip, you must use the [Format Data] button on the Wipe page in TWRP. No other options will work.
    Back up all your internal storage and apps data that you can to your PC. You can use Titanium Backup with SuperSU before doing this step if you like.
    Warning: Using [Format Data] will wipe all your apps and data (including internal storage) off the phone, giving you the out-of-the-box experience of a new phone!
    Once this is done, you should be able to backup/restore/use any function of TWRP without any issues.
    17
    TWRP is functioning on H918. Doing some more bug checking before I can make it official.