Temp root exploit for LG G8 ThinQ with Android 10 firmware
including temporary Magisk setup from the exploit
The exploit uses CVE-2020-0041 and was originally designed for the Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.14, which is used on LG phones running Android 10 with the March security patch level.
This work was done at the request of @Inerent, who contributed not only with very fine donations but also did all the testing on his LG phone, as I do not own any LG phone myself.
As an add-on I have implemented setup of Magisk v20.4 from the temp root exploit, including support for the su permission request notification, which was also a hell of a lot of work to get working.
You can find the currently running firmware version by running 'getprop ro.vendor.lge.factoryversion' in an adb shell.
- LMG820AT-00-V20a-LAO-COM-NOV-25-2019-ARB00+0 - Sprint G8 Android 10 beta November 2019 security patch (special treat for @antintin)
- LMG820AT-00-V20d-LAO-COM-DEC-17-2019-ARB00+1 - Sprint G8 fw 20d
- LMG820AT-00-V20d-LAO-COM-JAN-29-2020-ARB00+0 - T-Mobile US G8 January 2020 security patch
- LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0 - Sprint G8 fw 20e February 2020 patch
- LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5 - Verizon G8 fw 20a
- LMG820AT-00-V20i-LAO-COM-JAN-07-2020-ARB00+0 - AT&T G8 fw 20i
- LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0 - AT&T G8 G820UM fw 20j
- LMG820AT-00-V21b-LAO-COM-FEB-05-2020-ARB00+1 - Amazon G8 (G820QM821b_01_AMZ_US_OP_0205)
The only (unlikely) case in which the exploit could work with a different firmware version (or a different phone model) would be if that firmware used a binary-identical kernel image.
- be sure to run a supported firmware version on your phone (you may need to downgrade, which involves a factory reset)
- enable developer mode options and, in there, adb debugging (install adb drivers if needed)
- download the v50g8-mroot3.zip with the exploit attached in this post and unzip it
- use 'adb push v50g8-mroot3 /data/local/tmp' and get temp root with the following commands in 'adb shell':
cd /data/local/tmp
chmod 755 ./v50g8-mroot3
./v50g8-mroot3
If it worked, you should see something like this:
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
...
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root) context=kernel
root_by_cve-2020-0041:/data/local/tmp #
In case you get 'target is not supported', you may list supported targets with
Please see the 2nd post for details on Magisk setup from temp root.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), for example /system, /vendor or the kernel boot partition, can result in a phone that no longer boots.
In that case you would need a way to emergency flash stock firmware to recover.
This is why it is called 'temp root': you get a root shell only temporarily, it is lost on reboot, and it does not allow permanent changes to crucial partitions until bootloader unlock is achieved.
Some partitions might still be possible to modify. For example, on Sony Xperia phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem, allowing IMS to be set up for different operators/regions or other modem related settings to be tuned.
Exploit sources for all releases are available at my github here.
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
MEMORY DUMP FOR NEW TARGETS
I have implemented a tool that dumps kernel space memory to a file, with the aim of hopefully being able to analyse it to add support for a new target in case it does not have a downloadable firmware.
You can start it the same way as v50g8-mroot3, including the '-t num' option.
Use this tool only if your phone is not supported but is exploitable (i.e. v50g8-mroot3 does something reasonable, with any '-t num' option, including crash/reboot of the phone).
When v50g8-mroot3 says "target is not supported", use 'v50g8-mroot3 -T' to list supported targets and then 'v50g8-mroot3 -t num', changing num to each one of the listed targets, one by one.
Watch the output log to see which is the most successful (the longest reasonable output, not counting looping or repeated lines).
Once you have found the closest target this way, remember its '-t num' option and use it with v50g8-dump.
The tool hopefully creates the /data/local/tmp/memdump.bin file and then sleeps indefinitely.
Just open another cmd window and use
adb pull /data/local/tmp/memdump.bin
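Added example, not part of the original post or the exploit sources: a Python check that a device owner or fleet admin could run over collected 'getprop ro.vendor.lge.factoryversion' values to flag phones on the builds listed above. The field layout in the regex, the device ids and the two non-listed sample strings are assumptions for illustration; matching is exact because the post ties each target to one kernel image, and fw 20a appears twice in the list with different builds.

```python
import re
from datetime import date
# Firmware strings this page lists as supported targets (copied verbatim).
LISTED = {
    "LMG820AT-00-V20a-LAO-COM-NOV-25-2019-ARB00+0",
    "LMG820AT-00-V20d-LAO-COM-DEC-17-2019-ARB00+1",
    "LMG820AT-00-V20d-LAO-COM-JAN-29-2020-ARB00+0",
    "LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0",
    "LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5",
    "LMG820AT-00-V20i-LAO-COM-JAN-07-2020-ARB00+0",
    "LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0",
    "LMG820AT-00-V21b-LAO-COM-FEB-05-2020-ARB00+1",
}
# Assumed layout, inferred only from the strings above (not an LG specification):
# <model>-<nn>-V<fw>-<AAA>-<AAA>-<MON>-<DD>-<YYYY>-ARB<nn>+<n>
FIELDS = re.compile(
    r"^(?P<model>[A-Z0-9]+)-\d{2}-V(?P<fw>\d{2}[a-z])-[A-Z]{3}-[A-Z]{3}-"
    r"(?P<mon>[A-Z]{3})-(?P<day>\d{2})-(?P<year>\d{4})-ARB\d{2}\+\d+$"
)
MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def parse(raw):
    """Return (model, fw, build_date), or None if the string does not fit the layout."""
    m = FIELDS.match(raw.strip())  # adb output often carries a trailing \r\n
    if not m or m["mon"] not in MONTHS:
        return None
    try:
        built = date(int(m["year"]), MONTHS.index(m["mon"]) + 1, int(m["day"]))
    except ValueError:  # impossible calendar date, e.g. FEB-31
        return None
    return m["model"], m["fw"], built

def classify(raw):
    """'listed' only on an exact match: targets are per build, not per fw letter."""
    if raw.strip() in LISTED:
        return "listed"
    return "not-listed" if parse(raw) else "unparseable"

def audit(inventory):
    """Map device id -> status for a {device_id: factoryversion} inventory."""
    return {dev: classify(ver) for dev, ver in inventory.items()}

# Constructed inventory: device ids and the dev-02/dev-03 strings are made up.
SAMPLE = {
    "dev-01": "LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5\r\n",
    "dev-02": "LMG820AT-00-V20a-LAO-COM-MAR-12-2020-ARB00+0",
    "dev-03": "unknown",
}
print(audit(SAMPLE))
```

A 'not-listed' result only means the build is absent from this page's list; it says nothing about whether the kernel in that build carries the fix.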