How to unlock bootloader and root the LG Stylo 6 and K51 K61 and other K model LG devices

Search This thread

GMSS75

Member
Oct 24, 2021
10
0
Ok I was finally able to connect, back up, bootloader unlock and root my stylo 6.
I could never get the phone to connect with SPFT and mtkclient.

What I eventually did was open the phone and short the test points. (Mobo had to be removed, test points are on screen side of board)
After doing that the phone will connect instantly to mtkclient, and in my case I had no need to use SPFT at all.

Also I updated to latest firmware with Feb 2022 security patch and could still connect no problem and flash boot images.

Hopefully this helps anyone like me who can't get a connection to their phone otherwise.

Thanks to @Warlockguitarman for the tutorial, nice job!
 
Without using the test points you can get it to connect to mtk client by using sp flash tool to lengthen the time the stylo 6 is in the correct mode for mtk client, you won't connect to sp flash tool unless you use the by bypass utility, but the sp flash tool method is only needed for windows, use Linux for better connection
 
  • Like
Reactions: shinobisoft

Mastercodeon

Member
Jun 25, 2019
20
3
Without using the test points you can get it to connect to mtk client by using sp flash tool to lengthen the time the stylo 6 is in the correct mode for mtk client, you won't connect to sp flash tool unless you use the by bypass utility, but the sp flash tool method is only needed for windows, use Linux for better connection
This makes huge sense because that's how I was finally able to get my Stylo to connect to mtkclient last week. I built a program to automate forcing the device into brom by running flash_tool.exe -i and give it an xml file. The xml file tells it to only flash the preloader, and once it connect, it won't return anything when run as a silent process, so then the script knows it can continue and connect with mtkclient. I can power off the phone, arm the app, plug it in and it'll connect right up.
I wonder if there's a command line that will bypass the need for that xml file, and just attempt to flash the preloader in the first place, maybe using some specified scatter.

I'm also curious as to how other mtk phones connect, do they need this method or shorting out the test points? Or is this just strictly an LG/Stylo 6 thing?
 

shinobisoft

Recognized Contributor
Feb 18, 2012
3,293
3,379
Knoxville, TN
The k51 connects easily without sp flash tool, the Samsung A12 connects with test points, alcatels and many other phones connect easily, the only one I've found to need the sp flash tool process is the stylo 6
Would you mind doing a small write up on doing this with a Linux machine? I use Linux exclusively and all of the tools have issues with detecting devices when run on an OS via a virtual machine. I'd be more willing to try this then. I've not been active in modding/rooting in many years so I'm pretty damn rusty...
 

luridphantom

Senior Member
Apr 4, 2021
223
50
GT-i9250
AT&T Samsung Galaxy S III
linux is super easy like everyone is saying. just hold both volume buttons while the phone is off and plug in the cable and mtkclient should work 100% of the time. i had maybe a .001% success rate for windows

a little off topic but switching to linux helped me easily unlock and root my lg m250n and tribute dynasty

thanks for the really detailed write up warlock!!
 

CXZa

Senior Member
Apr 9, 2013
788
271
cxzstuff.blogspot.com
helped me easily unlock and root my lg m250n and tribute dynasty
Could you provide the exact details? The procedure was probably a bit different than the one explained in the OP??? Thanks.

Here is another way to have root on m250n. Have you tested it?
What I think is different for a user that it doesn't show info about the bootloader being unlocked, which would be nice...
Though I haven't tested so I don't for it sure...
https://forum.xda-developers.com/t/...7-m250-bootloader-secure-boot-bypass.4183545/
 

luridphantom

Senior Member
Apr 4, 2021
223
50
GT-i9250
AT&T Samsung Galaxy S III
Could you provide the exact details? The procedure was probably a bit different than the one explained in the OP??? Thanks.

Here is another way to have root on m250n. Have you tested it?
What I think is different for a user that it doesn't show info about the bootloader being unlocked, which would be nice...
Though I haven't tested so I don't for it sure...
https://forum.xda-developers.com/t/...7-m250-bootloader-secure-boot-bypass.4183545/
oops my output got cut off a bit but there were no issues unlocking the bootloader through mtkclient for the m250n. only issue is i have no confirmation, not a warning screen or a message in the dev options. i already have temp root through mtk-su so i didnt experiment much further


Code:
Preloader -     Mem read auth:        False
Preloader -     Mem write auth:        False
Preloader -     Cmd 0xC8 blocked:    False
Preloader - Get Target info
Preloader -     HW subcode:        0x8a00
Preloader -     HW Ver:            0xcb00
Preloader -     SW Ver:            0x1
Preloader - ME_ID:           
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
usb_class - USBError(5, 'Input/Output Error')
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Port - Device detected :)
Preloader -     CPU:            MT6755/MT6750/M/T/S(Helio P10/P15/P18)
Preloader -     HW version:        0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:            0x11002000
Preloader -     Brom payload addr:    0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212c00
Preloader -     Var1:            0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x326
Preloader - Target config:        0x5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:        True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:    False
Preloader -     Root cert required:    False
Preloader -     Mem read auth:        False
Preloader -     Mem write auth:        False
Preloader -     Cmd 0xC8 blocked:    False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:        0x8a00
Preloader -     HW Ver:            0xcb00
Preloader -     SW Ver:            0x1
Preloader - ME_ID:            69A24F1A1C650D8183AD3DC76CB8BD73
PLTools - Loading payload from mt6755_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /opt/mtkclient/mtkclient/payloads/mt6755_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         QE13MB
DAXFlash - EMMC CID:        150100514531334d420d52ac90781419
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x400000
DAXFlash - EMMC USER Size:  0x3a3e00000
DAXFlash - Reconnecting to preloader
DAXFlash - Connected to preloader
DAXFlash - DA-CODE      : 0x50B76
DAXFlash - DA Extensions successfully added
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Done |--------------------------------------------------| 0.0% Write (Sector 0x0Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.04 MB/s
DA_handler - Successfully wrote seccfg.
 
  • Like
Reactions: CXZa

CXZa

Senior Member
Apr 9, 2013
788
271
cxzstuff.blogspot.com
unlocking the bootloader through mtkclient for the m250n
Okay, thanks. That probably did the job if it said so.
Maybe.. Should test by trying write something there.
Like a TWRP etc...

How about bank apks etc. did they stop working at this point already? I know that they do when magisk manager is installed. Though with mtk-su one doesn't really need magisk manager ...
 
Last edited:

luridphantom

Senior Member
Apr 4, 2021
223
50
GT-i9250
AT&T Samsung Galaxy S III
Okay, thanks. That probably did the job if it said so.
Maybe.. Should test by trying write something there.
Like a TWRP etc...

How about bank apks etc. did they stop working at this point already? I know that they do when magisk manager is installed. Though with mtk-su one doesn't really need magisk manager ...
havent fully explored root on it due to work commitments but feel free to go ahead and try

with mtkclient it should be pretty much unbrickable
 

guero.lurias

Member
Dec 27, 2018
46
6
41
Mesa
HI THANK U 4 tutorial warlockguitarman, was able to unlock bootloader and root with magisk, i got a question, i think i read somewhere that you'd teach how to network unlock by flashing other carrier firmware? could you give me any advice on how to make work? I have the Q730TM10 boost mobile but i want to make it ATT.
 

Mastercodeon

Member
Jun 25, 2019
20
3
HI THANK U 4 tutorial warlockguitarman, was able to unlock bootloader and root with magisk, i got a question, i think i read somewhere that you'd teach how to network unlock by flashing other carrier firmware? could you give me any advice on how to make work? I have the Q730TM10 boost mobile but i want to make it ATT.
Unfortunately ATT made their firmware unavailable for download because they locked their servers down(don't know the specifics), so flashing an ATT firmware is gonna be a fun task unless you find someone willing to give you a copy of the att kdz. Otherwise, you're best bet is to carrier unlock the device (DMed you about that already). But yes, cross flashing is easily done. In your case I'm pretty sure a carrier unlock will be more doable.
 

JUSTPIE

New member
Dec 20, 2012
3
0
If anyone wants to get it root the alcetel 7 6062w just follow the instruction that Warlockguitarman has but with a few modifications to the commands
first make sure to back up with python mtk rf flash.bin and save it somewhere else cause its like 30GB

then do
"python mtk rl" out to get the boot.bin


to unlock the boot loader use
"python mtk da seccfg unlock"

then just follow the magisk app part to patch the boot.bin and make sure u save when u get it to the PC side to save it as
boot.img to make it easier and use this command

"python mtk w boot boot.img"

and ur done, super easy but a little time consuming for the most part

make sure to back up, back up back up, dont be lazy with it just in case

been looking for way for a long time since i got the phone around 2018 and this is the only way it worked
 
Apr 21, 2017
6
0
Verizon LG K51, used TFT MTK Module to unlock bootloader by going to Brom mode. 1st attempt
Used mtkclient to extract boot_a & boot_b
Installed alpha version of magiks, updated to most current & still says alpha in file name
Patched boot_a & boot_b
Renamed both patched boot.img from .img to .bin also renamed blank vbmeta to vbmeta.bin
Put patched boot_a.bin & boot_b.bin & vbmeta.bin
Placed all 3 files in the mtkclient folder where mtk & mtk_gui are.
Ran python mtk_gui
Connected phone in Brom again
Flashed all of these at the same time
boot_a.bin & boot_b.bin
Vbmeta.bin (blank)

Use vbmeta.bin for each of the vbmeta_a & b's
boot_a.bin
vbmeta_a/vbmeta_system_a/vbmeta_vendor_a
boot_b.bin
vbmeta_b/vbmeta_system_b/vbmeta_vendor_b

Hold power until phone reboots
Complete, enjoy
 

lentm

Senior Member
Dec 3, 2008
473
106
It looks like BROM mode has been removed on Tmobile 20h firmware.
Installed 20f kdz with LGUP and re-rooted. Not sure about 20g.

Q: Is there a way to update the firmware via ota with root?
I tried to restore the stock boot with dd command, but I found out I can't write to boot when I can with OnePlus. :\
I need to find a way to restore the stock boot,
so I can try ota update without rebooting, back up the new stock boot with dd command on shell, and patch the inactive boot slot via magisk.
 

luridphantom

Senior Member
Apr 4, 2021
223
50
GT-i9250
AT&T Samsung Galaxy S III
It looks like BROM mode has been removed on Tmobile 20h firmware.
Installed 20f kdz with LGUP and re-rooted. Not sure about 20g.

Q: Is there a way to update the firmware via ota with root?
I tried to restore the stock boot with dd command, but I found out I can't write to boot when I can with OnePlus. :\
I need to find a way to restore the stock boot,
so I can try ota update without rebooting, back up the new stock boot with dd command on shell, and patch the inactive boot slot via magisk.
use partition dl in lgup like this guide https://www.xda-developers.com/how-to-bootloader-unlock-root-magisk-tmobile-lg-velvet/
 

Top Liked Posts

  • There are no posts matching your filters.
  • 11
    STYLO 6 MTKCLIENT INSTRUCTIONS FOR FLASHING, BACKING UP, UNLOCKING THE BOOTLOADER, AND ROOTING ON WINDOWS 10/11:

    !!!WARNING!!! ATTEMPT THIS AT YOUR OWN RISK, READ THE FULL TUTORIAL BEFORE YOU START!!! I AM NOT RESPONSIBLE FOR ANY BRICKED DEVICES! THIS PROCESS IS NOT FOR THE INEXPERIENCED PLEASE HAVE ADB COMMANDS KNOWLEDGE BEFORE TRYING TO ATTEMPT!!

    THIS PROCESS WILL WIPE ALL YOUR DATA SO BE PREPARED FOR THE FACTORY RESET TO BE FORCED BEFORE YOU CAN BOOT THE PHONE!!!

    DOWNLOADS:
    1. Download Python from here "https://www.python.org/downloads/"
    2. Download USBDK here "https://github.com/daynix/UsbDk/releases/download/v1.00-22/UsbDk_1.0.22_x64.msi"
    3. Download mtkclient here "https://github.com/bkerler/mtkclient"
    4. Download SP Flash Tool here "https://www.mediafire.com/file/kyoksq6kncpg8sg/SP_Flash_Tool_v5.2124_Win.zip/file"
    5. Download Magisk APK here "https://github.com/topjohnwu/Magisk/releases"

    INSTALLATION:
    1. Install Python (select "Add Python X.X to PATH")
    2. Install USBDK
    3. Install Mtkclient- While in the mtkclient folder hold shift and right click and select "Open PowerShell window here" Run this command in that window "python setup.py install" and then run command "pip3 install -r requirements.txt" Mtkclient is now installed correctly.
    4. Install SP Flash Tool and use the Scatter file I provided and the preloader file I provided.
    5. MTK VCOM Drivers need to be installed.

    NEED TO KNOW:
    ***For the Stylo 6 to connect you must remove some of the loaders from the mtkclient-main\mtkclient\Loader file leaving MTK_AllInOne_DA_5.2136.bin as the only loader needed. Just highlight the unneeded ones and cut and paste them into the parent folder so you will have them for other devices.

    ***To run a command you will need to hold shift and right click to open a PowerShell window to use the tool.

    ***With Mtkclient waiting for the phone to be connected by hitting enter with your command entered, you will also need to click "Download" in SP Flash Tool to cause it to be waiting for the phones connection.

    Now that both tools are awaiting the phones connection make sure the phone is completely shut off and plug it in WITHOUT ANY BUTTONS PUSHED! You should now be connected to Mtkclient and the tool will be running the command you entered. If you do not get connected with a couple attempts close out mtkclient powershell window and reopen it.

    !!!!!DO NOT UNLOCK OR ROOT THE PHONE BEFORE A PROPER BACK UP OF THE DEVICE IS TAKEN!!!!!

    !!!!!DO NOT SKIP THIS STEP!!!!!

    I recommend taking a full flash back up of the phone right off the bat, this will take a couple hours, but for more experienced users there is a backup of each partition separated into each file separately that will work too.

    "python mtk rf flash.bin" Is the command to make 1 single full flash file to restore the phone. To restore the phone with that file the command is "python mtk wf flash.bin"
    "python mtk rl out" Is the command that separates each partition into its each individual file and places the files in the out folder, to restore the whole out folder the command is "python mtk wl out" I recommend this backup after unlocking your bootloader so you will have your boot images to use for rooting.

    UNLOCKING YOUR BOOTLOADER:
    To unlock your bootloader you will first need a full backup to ensure you can recover a bricked device, you will then run these two commands in this order...
    "python mtk e metadata,userdata,md_udc"
    "python mtk da seccfg unlock"

    CONGRATULATIONS YOUR BOOTLOADER IS UNLOCKED!!!

    ROOTING YOUR PHONE:
    Now to root your phone you will need that single partition back up, or at least your boot_a.img or boot_b.img or both. "python mtk r boot_a,boot_b boot_a.img,boot_b.img" this will pull both your boot.img files only 1 is necessary, but both can be used.

    !!ATTENTION!! DO NOT, I REPEAT DO NOT MIX UP YOUR BOOT_A AND BOOT_B FILES YOU WILL LOOSE WIFI OR BLUETOOTH IF YOU FLASH THEM TO THE WRONG SLOT!!!

    You install the Magisk APK to your phone and you patch your boot.img with the app, change their names to patched_a.img and patched_b.img if you do both of them, you then copy them to your computer in the same folder that the mtkclient tool is located. If you have fastboot access you can flash patched_a.img to your phone with these commands... "adb reboot fastboot" then "fastboot flash boot_a patched_a.img" and you can ensure your phone boots to that slot with this command... "fastboot --set-active=a"
    On models without fastboot access, you will need to flash both your patched_a and patched_b.img with mtkclient.
    AGAIN DO NOT MIX THEM UP!!!

    "python mtk w boot_a,boot_b patched_a.img,patched_b.img"

    CONGRATULATIONS YOUR PHONE IS NOW ROOTED!!!

    NOW MAKE ANOTHER BACKUP!!!
    Many who are not experienced with root can easily brick or send their device into a bootloop. So once you get it successfully rooted I recommend you do another backup, run this command to do that
    "python mtk rf rootedflash.bin"
    that will give your new backup a different name so you can keep them organized. You will be able to restore it right back to where you have a freshly rooted phone.

    Tips and Tricks:
    If you have the 2021 December update you may need to flash an older firmware because LG made a patch to mess up the connection with mtkclient!
    To reboot the phone from Brom hold power and volume down buttons until it reboots.
    To boot the phone into recovery hold power and volume down until the phone says booting recovery, from recovery you can shut the phone down to try to connect to mtkclient on failed attempts and to boot into fastboot.

    On other devices the SP Flash Tool is not needed, like for instance the K51 doesn't need that step.

    Special thanks to Bjoern Kerler for his work on his mtkclient tool that makes this all possible.
    And to the team at Hovatek for working with me.

    I am hoping that a twrp is created for this device soon so that all of this will be a safer easier process, but for now you just have to tread lightly with modifications to the phone as many things aren't tested and may cause a bootloop or a bricked device.
    3
    You will lose all data. It forces a factory reset, my tutorial tells it all, the hard part is setting it up, once it's set up correctly it's just running all the commands, sometimes it takes a few attempts to get the phone to connect properly but other than that it's pretty straightforward, you don't gotta worry about bricking it if you make a proper backup first and follow the steps exactly as I've laid them out
    2
    linux is super easy like everyone is saying. just hold both volume buttons while the phone is off and plug in the cable and mtkclient should work 100% of the time. i had maybe a .001% success rate for windows

    a little off topic but switching to linux helped me easily unlock and root my lg m250n and tribute dynasty

    thanks for the really detailed write up warlock!!
    1
    Here is the scatter and preloader file for SP Flash Tool for the Stylo 6
    1
    I hate to resurrect an old thread, does anyone happen to have stock firmware recovery and system image?
    I bought this phone for cheap and it looks like someone packaged malware on it/yeeted the recovery and I need to restore it to stock. I will be reporting that company to the authorities.
    Download the ROM from https://lgrom.com/, it worked best for me. For the stock recovery, I'm pretty sure it's already on the image.
    And flash it with this https://lgflash.com/.