
LG Stylo 6 root development! ANY HELP APPRECIATED. DISCORD LINK AVAILABLE


Yeedatoy

> Can you use Qfil with an mtk processor?

The US Stylo has a Qualcomm chip, there are only a few variants outside of the US that come with mtk processors, but there is a universal script to get root on most mtk devices, or at least temporary root. I'm not sure where it is but if you search around the forums I'm sure you can find it without much of a hard time.
 

shinobisoft

> The US Stylo has a Qualcomm chip, there are only a few variants outside of the US that come with mtk processors, but there is a universal script to get root on most mtk devices, or at least temporary root. I'm not sure where it is but if you search around the forums I'm sure you can find it without much of a hard time.

I think you've been misinformed, at least about the Stylo 6. Check this link
 

haise.zero

There hasn't been a post from us in a while since development has been contained in the Discord.
For those who don't want to join to check in, here's where we're at:
- `fastboot oem` commands are not available from fastbootd, as with `fastboot flashing` commands. On top of that, fastbootd is **not** the bootloader, but just fastboot alone. The bootloader is not able to be booted, as LAF boots first. Booting bootloader from recovery sends the device back to system. We can get a root shell with SteadfasterX's lglaf, however, there are pretty much zero commands that we can run through it outside of the actual LAF commands, and we don't know enough about the arguments in bytes just yet to actually do anything with this.
- The Stylo 6 does not have an EDL mode that we've been able to find. That being said, we do have a suspicion that it's contained in laf, among other things; see below.
- The LGE Serial Port that gets mounted in download mode from laf accepts ATtention commands (AT commands). While it varies from what it will mount as when we have it in modem mode (use the PDM option in LGUP 1.16 with up to the 2.x dll after using the UI config and its addon) it still responds accordingly despite not showing up in device manager as a modem. This indicates that the laf partition has multiple modes of operation and that it, in some places at least, utilizes AT commands, likely to boot back into download mode (AT%DLOAD) after running the PDM option and writing an IMEI, etc as well as flashing a new KDZ.
- While we haven't been able to consistently replicate this across our devices and LGUP installations, LGUP actually will read the device when it is in modem mode. I have several options like HIDDEN MENU and a couple of others that are greyed out in download mode, but become available in modem mode. However, every option asks for the SPC code of the device and unfortunately there's not a whole lot that I've seen that would allow me to retrieve my device-specific SPC code. If anyone has a method of doing this that happens to be more modern or still relevant, let me know please.
- Crossflashing Android 10 and even 11 devices is in theory possible as it does not actually depend on any server side requests, but rather a TrustZone ID unlock of the device itself (referenced in lgup as a TZ ID Unlock). We believe it's contained within the DLL file itself to undergo that operation although we have not discovered exactly how to invoke that or where it is just yet.
- LGUP is packed with a Themida version from 2012. If anyone can unpack that, we can deobfuscate it ourselves and from there have very neatly written code that will help explain what we're actually looking at.
- Apparently download mode is not "normal" as when I go to dump the device it claims that this process only uses "NORMAL MODE." I have no idea what normal mode would be in this case.
- The hidden menu referred to in LGUP is apparently not the same one used in the dialer. Mastercodeon managed to get his toggled and working, and when he invoked said hidden menu it gave him essentially a single option, which was to enable the modem port even when in userspace, i.e. connecting via USB in the home after unlocking his device mounts his phone as an LG phone as well as an LG modem.
 

dimevox

Happy to see that members are working diligently on this device. I am an ethical hacker with years of experience in cybersecurity & offsec. However, not much knowledge with Android development. I'd like to get hands-on with unlocking and rooting this device and have found this thread to be the absolute most helpful anywhere on the net thus far. Will join the discord if invites remain available.

I see that a member posted a root guide located here:

Still have yet to see anything on just how the bootloader is unlocked with this device.

My initial plan upon receiving this device was to install Kali Nethunter or another Debian-based OS alongside to use in the field. I was not aware of LG preventing bootloader access. A linked tutorial or quick writeup on bootloader access would be appreciated.

Thanks for all the hard work, keep at it!
 

haise.zero

> Happy to see that members are working diligently on this device. I am an ethical hacker with years of experience in cybersecurity & offsec. However, not much knowledge with Android development. I'd like to get hands-on with unlocking and rooting this device and have found this thread to be the absolute most helpful anywhere on the net thus far. Will join the discord if invites remain available.
>
> I see that a member posted a root guide located here:
>
> Still have yet to see anything on just how the bootloader is unlocked with this device.
>
> My initial plan upon receiving this device was to install Kali Nethunter or another Debian-based OS alongside to use in the field. I was not aware of LG preventing bootloader access. A linked tutorial or quick writeup on bootloader access would be appreciated.
>
> Thanks for all the hard work, keep at it!

The latest link from me should still be available; it's set to never expire.

There is no bootloader access, as you can't boot into the correct mode. If you try, you'll boot right back into system instead. We can boot into fastboot but it doesn't have the right binaries to receive the commands we need to use.
What we do have is download mode and LAF doesn't like to play nice with us. We're currently reverse engineering the latest LGMST in order to learn about how to use the LGUP_Common.dll library to interact with phones and are building our own program that will be utilizing it. It'll be a lengthy process but it should work extremely well.
What we could really use is a temp root solution via exploits; if you know much about writing scripts for that, I'd ask you to take a look at the Android security bulletin and let us know if you think you can cook something up for our devices. That'd allow us a lot more freedom and I could dump our device partitions and get to know our devices a lot better. Quite a few other things as well.

Thanks!
 

haise.zero


The era of LGUP is dead; an update, for those of you who are not in our Discord

First, some context for the abbreviations used:
  • LGMST = LG Mobile Service Tool, the successor of LGUP. More context within the post.
  • R&D = Research & Development, their department of developers and researchers that work on their proprietary and consumer software and solutions
  • LG MC = LG MobileComm., their mobile phone division



LGUP Background - Goodbye!



LGUP was created by their R&D team some time ago for personal use as well as for release to their collaborators, i.e. the carriers that sell their devices under their own phone plans with their own software. There were three versions as far as we knew, being Dev, Lab, and CS, and even more configuration based on the UI_Config.lgl file which specified which options were available to which carriers. The LGUP.exe executable does not actually contain all of the instructions, methods, functions etc., but is rather a sort of shell to work with the LGUP_Common.dll library, which is where all of the real instructions are.
Both of these files were built using C++, which the reverse engineers out there will know is extremely difficult to work with when a program is already compiled, and essentially impossible to decompile back to any sort of original source code, especially when it comes to the actual .exe that utilizes the dll library, since all versions of the exe after 1.14.3 have been packed with Themida. The NSA's Ghidra does an impressive job of working with this, but it is still brain-rotting to read through and work with even in rough C++, hence why there were so few patches ever made to this application and so little support. The good news is, nobody needs to spend four weeks on figuring out the internals of this anymore, and no assembly reverse engineering is required anymore.


The Good News



We now have the latest - and probably the last available, since LG MC is shutting down - tool from LG's R&D department. The original LGMST that we obtained was v1.1.4.3, from April of 2020. The new one that we are now currently working with is v1.1.6.1, from March 24th of 2021, just barely over a week ago as of posting today. This version came with a set of drivers, too, which we're pretty confident are the ones that the development team has been working with. They're an older version, but not too old, and this makes sense because they've likely been using and working on this tool for a while now, and development for an application that interfaces with a device can cause unnecessarily tricky troubleshooting and incompatibility issues for the dev team if they're changing the driver that handles the actual communication all the time. It is much easier and more efficient to work with a consistently working driver version during development - and besides, the LG dev team's motto has always been "if it isn't broken we don't need to change it."

LGMST is written in .NET, which the reverse engineers and any .NET developers will know is actually quite exciting to work with when doing reverse engineering. This is because .NET applications can be decompiled to C# and/or IL code that is nearly if not completely identical to the original source code. However, version 1.1.6.1 is far more heavily obfuscated than 1.1.4.3 was. We wouldn't be working with the new one and wiping our previous progress if the last version we had wasn't a year old. We wanted to avoid compatibility issues, and decided to move forward with this version instead and essentially start over.

What this means for you guys is that you will have a higher level of compatibility and functions to work with. Absolutely worst case scenario: we can offer the opportunity to flash your devices and read information from a tool that YOU can easily decompile and work with by hand to tweak and alter as much as you'd like. Providing information about the full capability range of the program is something I want to refrain from doing though, because I don't want to make promises we cannot keep; however, I will state that with everything we've seen, it is all super exciting and should leave LGUP in the dust by comparison.


The Crappy News



It's not really bad news so I refrained from using that term.

Look, it'll be a while. We're not right around the corner from this, but we're closer than we have ever, ever been. I have full confidence in this program and the team that's working on this with me. There is a lot of functionality offered in this tool, and thus there is a lot more ground to cover than simply flashing firmware onto our devices. I can't go into detail here as to why, because it has been evident in the past that LG is watching us here in XDA, and I don't want to risk unveiling what we do and don't know.



A Note to the LG R&D Team



Hi! I'm Haise, and in this message, I speak for the LG mobile device community.

I wouldn't be here - none of us would be here - and I wouldn't have learned and obtained everything that I've obtained if it weren't for you. I thank you for this opportunity to learn and expand my skillset, but listen, I shouldn't have had to. None of your community and consumer base should be sitting here excited about the news I'm unveiling to them. My team, your community, and myself from the very beginning should have had the opportunity to unlock our devices from the get-go. And fine - secrets, competition, blah blah blah, I get it. You couldn't back then. But you can now, because it's over. Your Mobile Communications division has met its end, and support for every last one of your mobile device consumers has ended. Your last updates are rolling out, and every single one of your devices will reach its end of life, with no system updates, no security updates, no way to protect ourselves and no way to improve or work on our devices.
So support us. It's over. You can finally let us unlock our devices now. You have solutions, too. Change your bootloader unlock page online to support all LG mobile devices and keep the portal up, or release your factory/engineering bootloader files for our devices, or make a crappy tool that'd take three days to build with three developers that can download the file and flash it to our device - hell I know a few people already that you could hire under contract - or just figure it out your way. It really isn't too late. You have every given moment right now to make a decision, and you should make the right one, because we aren't here to steal anything. We aren't here to leak your software and firmware information to competitors and it doesn't matter now, anyways, because they don't have you to compete against anymore.
We purchased your devices. We own them, rightfully, but you've built them in such a strictly specific way that prevents us from taking advantage of our ownership. Your terms and conditions treat a purchase as if it were a lease.
And if there's some sort of specific reason or restriction that you can't do that, then fine - at least voice it to us. Notice us and acknowledge us, because you built incredibly beautiful and impressive devices, and you had a lot of loyal fans of those devices out here - you still do. Don't let them down, don't leave them empty handed, don't completely screw them by leaving them with locked pieces of crap that they can never, ever improve; swallow your pride, work out a few things, let go of your uptight attitude and just let us do this on our own, because you're letting go of us now.
Give us our freedom, because we loved you as a company and what you provided to us, and you did a good job with this. Don't ruin everything you've ever built and don't screw over your consumers. Let it go, and give us our freedom. We've earned it. They've earned it.
 

haise.zero

A few updates!

Got through to the main window tonight. The app has several kinds of obfuscation but we're working with it pretty well. LG went reaaally out of their way to break this app in all sorts of ways, presumably so that any R&D guys who get a new update won't be able to mess with it - or because we have it and they don't want us to do exactly what we're doing anyways. Besides, we have backups of earlier versions anyways so it doesn't matter.

Anyways, I've attached a screenshot - it's a little broken right now so don't mind that, we're definitely in the development phase, not even pre-alpha - so feel free to take a look! It's nice and shiny. :D

Tonight and tomorrow we'll be doing something really cool, too. This is also one of the last posts that'll be here for a while. Stay tuned and again feel free to join our discord!


prepreprepreprealpha.png
 

haise.zero

> Happy to see that members are working diligently on this device. I am an ethical hacker with years of experience in cybersecurity & offsec. However, not much knowledge with Android development. I'd like to get hands-on with unlocking and rooting this device and have found this thread to be the absolute most helpful anywhere on the net thus far. Will join the discord if invites remain available.
>
> I see that a member posted a root guide located here:
>
> Still have yet to see anything on just how the bootloader is unlocked with this device.
>
> My initial plan upon receiving this device was to install Kali Nethunter or another Debian-based OS alongside to use in the field. I was not aware of LG preventing bootloader access. A linked tutorial or quick writeup on bootloader access would be appreciated.
>
> Thanks for all the hard work, keep at it!

We could use some help in the near future from you, with your skillset being what it is.
Please join our Discord server and send me a DM to let me know who you are. We'll get you in the right place as soon as it's available.
 
Apparently you are! Care to share your method?
I'm trying to find another stylo 6 as we speak to recreate the process without using a paid program. So to keep everyone from bricking their phones I gotta keep it a secret, how about some more experienced developers help me out on recreating it
 

Top Liked Posts

  • 2
    I have 3 unlocked rooted stylo 6 and one k51, I bricked 1 stylo 6 after I relocked the bootloader and then tried to use sp flash tool to flash back dumped partitions from when it was rooted, I'll be back to work on it tonight
    1
    I found the unlock key. Literally the bootloader unlock key, and I believe the avb key, or directions to build them from multiple partition locations
    4
    discord invite link


    i have the lg stylo 6 LM-Q730MM by metro usa.

    i have grabbed the ota.zip through a bug report then downloaded it
    and used payload dumper python

    and these are my results

    untouched Lg Stylo 6 7-25-20 ota.zip https://www.mediafire.com/file/hx7k0fajaw2xl1i/76c9e56e3d40225a77a4dadacd68f89995801e6b.zip/file

    Extracted payload.bin https://www.mediafire.com/file/s2xen6qtgxm4s5t/Lg_Stylo_6_7-25-20_payload_extract.zip/file

    hope this helps root process
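
An added example, not part of the post above and not the payload dumper script it mentions: before extracting an OTA zip fetched from a file host, check the `payload.bin` header and compare the file against the sizes and hashes in `payload_properties.txt`. It assumes the standard A/B OTA layout (a `CrAU` version 2 payload next to `payload_properties.txt`); the sample archive is constructed in memory, and because the hashes ship inside the same zip, a match shows the download is intact, not that it is authentic.

```python
import base64
import hashlib
import io
import struct
import zipfile

# Payload v2 header, big-endian: magic, format version, manifest size,
# metadata signature size. 24 bytes in total.
HEADER = struct.Struct(">4sQQI")


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_header(raw, payload_size):
    """Decode the fixed header and sanity-check the sizes it declares."""
    if len(raw) < HEADER.size:
        raise ValueError("payload.bin is shorter than its header")
    magic, version, manifest_size, sig_size = HEADER.unpack(raw[:HEADER.size])
    if magic != b"CrAU":
        raise ValueError("bad magic, not an A/B OTA payload")
    if version != 2:
        raise ValueError(f"unsupported payload version {version}")
    metadata_size = HEADER.size + manifest_size  # header + manifest, signature excluded
    if metadata_size + sig_size > payload_size:
        raise ValueError("declared sizes exceed the file, payload is truncated")
    return {"version": version, "manifest_size": manifest_size,
            "metadata_signature_size": sig_size, "metadata_size": metadata_size}


def parse_properties(text):
    """Parse KEY=VALUE lines; split on the first '=' only (base64 padding uses '=')."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ota(source):
    """Return (header, findings); an empty findings list means every value matched."""
    with zipfile.ZipFile(source) as ota:
        props = parse_properties(ota.read("payload_properties.txt").decode())
        size = ota.getinfo("payload.bin").file_size
        with ota.open("payload.bin") as payload:
            head = payload.read(HEADER.size)
            header = parse_header(head, size)
            metadata = head + payload.read(header["manifest_size"])
            whole = hashlib.sha256(metadata)
            # Stream the rest so a multi-gigabyte payload is never held in memory.
            for chunk in iter(lambda: payload.read(1 << 20), b""):
                whole.update(chunk)
    actual = {
        "FILE_SIZE": str(size),
        "FILE_HASH": base64.b64encode(whole.digest()).decode(),
        "METADATA_SIZE": str(header["metadata_size"]),
        "METADATA_HASH": b64_sha256(metadata),
    }
    findings = [f"{key} mismatch" for key, value in actual.items()
                if props.get(key) != value]
    return header, findings


def build_sample(corrupt=False):
    """Constructed sample OTA zip; the manifest bytes are placeholders, not real protobuf."""
    manifest = b"\x0a\x04demo" * 4
    payload = (HEADER.pack(b"CrAU", 2, len(manifest), 4)
               + manifest + b"\x00" * 4 + b"partition-data")
    meta_len = HEADER.size + len(manifest)
    props = (f"FILE_HASH={b64_sha256(payload)}\nFILE_SIZE={len(payload)}\n"
             f"METADATA_HASH={b64_sha256(payload[:meta_len])}\nMETADATA_SIZE={meta_len}\n")
    if corrupt:  # simulate a damaged download: flip the last data byte
        payload = payload[:-1] + b"X"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ota:
        ota.writestr("payload.bin", payload)
        ota.writestr("payload_properties.txt", props)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(check_ota(build_sample()))
    print(check_ota(build_sample(corrupt=True)))
```

`check_ota` also accepts a filesystem path to a real OTA zip, since `zipfile.ZipFile` takes either a path or a file-like object.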
    3
    Not sure yet but I don't think I'll need it.. I don't want to start by diving deep and overlook a simpler solution than accessing fastboot.. I just need a developer that can modify a kdz.. if I can simply achieve root via the new magisk method, it's a start.. I'm picking up another stylo 6 today, then a real computer cause my chromebook useless.. I'll update if I get a modified kdz and what happens when I try to flash🤞
    I myself have just finally found this thread and am super more than willing to put in some work! :)

    so i've gotta:
    - `adb reboot recovery`
    - boot into fastboot from recovery
    - unlock the bootloader with `fastboot oem_unlock`
    - let the phone factory reset with an unlocked bootloader
    _____________________
    and:
    - download the .kdz firmware file for the unlocked version on pc
    - locate and extract the boot.bin with kdzTools and convert it to boot.img
    - send extracted file to my personal phone
    - patch boot.img in magisk manager app on my phone
    - send it back to pc with `adb pull /sdcard/boot.img C:/users/myname/`
    _____________________
    then:
    - load patched boot.img into the stylo 6 through `fastboot flash boot boot.img`
    - `fastboot reboot` and let it reboot hopefully with root AND with carrier unlock
    - download magisk manager to verify

    I guess I'll give this a shot and get back to you guys. :)
    2
    Big, big things are coming, very soon. :)