
LG Stylo 6 root development! ANY HELP APPRECIATED. DISCORD LINK AVAILABLE


Tigerevo

Senior Member
Mar 14, 2011
82
15
I'm trying to find another Stylo 6 as we speak to recreate the process without using a paid program. So to keep everyone from bricking their phones I gotta keep it a secret. How about we get the news out that it can be done? I lost my job, and a little bounty for my work would help me get my phone repair and unlock business officially started.
Could you copy your boot and preloaded vbmeta img? Maybe we can flash those and unlock ours. Still trying to find a way to flash a partition.
 

haise.zero

Senior Member
Oct 6, 2017
53
77
Pacific Northwest
LG V60 ThinQ
We can't, and it's not a very good idea to do so (it's a tricky process and we don't know much about how that works in LGUP yet).
Warlock and I have been chatting a bit about things and we're reverse engineering out what happened and how to reproduce it. Since we don't have any fastboot unlocking binaries present in fastbootd, it's my guess that after corruption Chimera managed to overwrite a couple of values that set the device as unlocked-by-default (see the Android developer docs on the bootloader, I'm on mobile and lazy).

I've been caught up in a lot so things are a little slow and we could use a hand. Feel free to pop in to the server at any time.
Message me on discord:
Haise#0906
 

jttru

Member
Apr 2, 2015
7
0
KDZ file, then DZ, save ending numbers, use Windows PC Notepad to open img, rewrite what needs to be changed. I would myself but I'm not that good at it. Plz help, would love to root it.
 

jttru

Member
Apr 2, 2015
7
0
I know how to use all flashers. Key play for flashing is in the KDZ firmware common DLL file, just not that good on rewriting things. This post has the LAF file for the Stylo 6 Boost Mobile type, hoping it will help us. The phone's files are mirrored, so the only way is stock flash if your bootloader is locked and you can't unlock it, but I'm thinking change the LAF file. Root for others will be easier as we could make a TWRP after gaining root the first time.
 

Attachments

  • laf.txt
    20.8 MB · Views: 38
I know how to use all flashers. Key play for flashing is in the KDZ firmware common DLL file, just not that good on rewriting things. This post has the LAF file for the Stylo 6 Boost Mobile type, hoping it will help us. The phone's files are mirrored, so the only way is stock flash if your bootloader is locked and you can't unlock it, but I'm thinking change the LAF file. Root for others will be easier as we could make a TWRP after gaining root the first time.
I already have root
 

jemorris11235

New member
Jul 17, 2021
1
0
Samsung Galaxy Note 20
discord invite link


I have the LG Stylo 6 LM-Q730MM by Metro USA.

I grabbed the ota.zip through a bug report, then downloaded it
and used payload dumper (Python).

And these are my results:

untouched Lg Stylo 6 7-25-20 ota.zip https://www.mediafire.com/file/hx7k0fajaw2xl1i/76c9e56e3d40225a77a4dadacd68f89995801e6b.zip/file

Extracted payload.bin https://www.mediafire.com/file/s2xen6qtgxm4s5t/Lg_Stylo_6_7-25-20_payload_extract.zip/file

hope this helps root process
New discord invite would be nice as this one is expired.
 
Jul 9, 2015
14
1
Hi all, I don't know how helpful I'll be as I'm just a 23 year old techie who wants to get into tech but doesn't know how. I possess a LG Stylo 6 and can test whatever on it, but I think I'll be joining the discord mostly as a lurker.

Reach out to me if there's anything I can help with though, I am pretty good with this stuff :)
 
Could you copy your boot and preloaded vbmeta img? Maybe we can flash those and unlock ours. Still trying to find a way to flash a partition.
I can flash partitions that aren't protected, but the boot and vbmeta aren't different. There are 18 other files that are changed from locked to unlocked. I have made a new thread with some updates, and I'm about to start releasing more information on what files are changed. And I'm hoping to disable AVB soon; even with root and unlocked bootloader it has been something that I've yet to accomplish.
 

jttru

Member
Apr 2, 2015
7
0
A few updates!

Got through to the main window tonight. The app has several kinds of obfuscation but we're working with it pretty well. LG went reaaally out of their way to break this app in all sorts of ways, presumably so that any R&D guys who get a new update won't be able to mess with it - or because we have it and they don't want us to do exactly what we're doing anyways. Besides, we have backups of earlier versions anyways so it doesn't matter.

Anyways, I've attached a screenshot - it's a little broken right now so don't mind that, we're definitely in the development phase, not even pre-alpha - so feel free to take a look! It's nice and shiny. :D

Tonight and tomorrow we'll be doing something really cool, too. This is also one of the last posts that'll be here for a while. Stay tuned and again feel free to join our discord!


View attachment 5274493
Send a download link of one plz
 
Join me on my discord it's for far more than the stylo 6, all bootloader unlock discussions, getting closer to a successful flashable unlock, and I won't kick people out that are trying to help.
 

luridphantom

Senior Member
Apr 4, 2021
55
13
Join me on my discord it's for far more than the stylo 6, all bootloader unlock discussions, getting closer to a successful flashable unlock, and I won't kick people out that are trying to help.
can you post an updated discord invite?
 

With a little help we found out all that is needed to build a new unlocking tool. I'm working with some developers to make this happen. It won't be a tethered unlock, so no need to reflash the phone after each boot like what haise is trying to do, and no worries about glitches or any issues, except secured boot looks like it will take some more time to disable, but we also have the source code for the bootloader so it should be in the works too. It's just taking me longer since I was banned from Haise's server by him because I didn't want to stop my research and let him discourage me from continuing my quest for knowledge.
 

arkdev

New member
Aug 3, 2021
2
0

With a little help we found out all that is needed to build a new unlocking tool. I'm working with some developers to make this happen. It won't be a tethered unlock, so no need to reflash the phone after each boot like what haise is trying to do, and no worries about glitches or any issues, except secured boot looks like it will take some more time to disable, but we also have the source code for the bootloader so it should be in the works too. It's just taking me longer since I was banned from Haise's server by him because I didn't want to stop my research and let him discourage me from continuing my quest for knowledge.

Thanks for your hard work. Could you please post a new discord invitation? I just saw this thread and the current link appears to be expired.

Also, in case you haven't already seen it, you might find this page to be useful: https://wiki.postmarketos.org/wiki/Android_Verified_Boot_(AVB)
 

Top Liked Posts

  • 1

    With a little help we found out all that is needed to build a new unlocking tool. I'm working with some developers to make this happen. It won't be a tethered unlock, so no need to reflash the phone after each boot like what haise is trying to do, and no worries about glitches or any issues, except secured boot looks like it will take some more time to disable, but we also have the source code for the bootloader so it should be in the works too. It's just taking me longer since I was banned from Haise's server by him because I didn't want to stop my research and let him discourage me from continuing my quest for knowledge.

    I'm glad to hear you're getting close. You do have a few things wrong about what I'm doing, i.e going for a tethered unlock, or apparently kicking people for wanting to help (you were removed for toxicity), and you were also never banned - not sure why you thought that. I did clearly mention you can feel free to come back after a little bit of time whenever you saw appropriate, so I would appreciate you reflecting what actually happened - or not at all since the forum isn't exactly the place for that.
    Outside of all of that, however, I'm glad to hear things are taking a good turn for you, and it's clear that you're learning quite a lot along the way. I hope your project works out. I'd appreciate you not hijacking the thread, however, as your description makes things sound like I've abandoned the project - which I haven't.
    Although, if you are feeling as confident as you are, I may move onto the V60 and recommend folks to go your project instead, as nine months on the Stylo 6 is understandably beginning to make me feel a bit burnt out.

    A note about secure boot, however - dealing with Android's verified boot is relatively easy enough, but dealing with the SoC's secure boot is not as much (except for the now commonly known exploits, but that's still unfortunately not an optimal solution).
    The read-only bootrom verifies the preloader, which verifies the bootloader, which then moves onto the init processes & eventually loads the kernel etc. from the boot.img. From there it's all AVB, though.
    If you do actually have the little kernel's source code for the MT6765, that's great, because outside of a singular private source, I haven't actually been able to find it anywhere. I hope it helps you out more than it has for me so far if you do have it (and weren't mistaken for the boot image). It's been giving me a few headaches. If you run into build errors during the linker process (something about a green led during a normal boot process, I can't remember off the top of my head) then let me know as well, because I haven't gotten around to that yet but it's been throwing me some issues. :)

    Best of luck, though! Let me know if you're feeling like you can really reproduce for folks as well. I'd like to know if I can actually forward them over to you and not have it end up with dead ends. Thanks.
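The post above notes that once the bootloader hands off, everything is AVB, and AVB records an image's verification state in its vbmeta header. As an added example (not code from this thread or from LG), the following reads that header and reports the integrity-relevant fields; the layout follows libavb's `AvbVBMetaImageHeader`, and the sample bytes are constructed rather than taken from any device.

```python
import struct

# AvbVBMetaImageHeader from libavb: 256 bytes, every integer big-endian.
HEADER = struct.Struct(">4sIIQQI10QQII48s80s")
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}
FLAG_HASHTREE_DISABLED = 1 << 0       # dm-verity turned off
FLAG_VERIFICATION_DISABLED = 1 << 1   # descriptor verification turned off


def parse_vbmeta_header(blob):
    """Decode the fixed header at the start of a vbmeta image."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated: need %d bytes, got %d"
                         % (HEADER.size, len(blob)))
    f = HEADER.unpack_from(blob)
    if f[0] != b"AVB0":
        raise ValueError("bad magic %r, not a vbmeta image" % f[0])
    return {
        "libavb_version": (f[1], f[2]),
        "auth_block_size": f[3],
        "aux_block_size": f[4],
        "algorithm": ALGORITHMS.get(f[5], "UNKNOWN(%d)" % f[5]),
        "signature_size": f[9],
        "public_key_size": f[11],
        "rollback_index": f[16],
        "flags": f[17],
        "release": f[19].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def integrity_findings(header):
    """List the header settings that weaken verified boot for this image."""
    findings = []
    if header["algorithm"] == "NONE" or header["signature_size"] == 0:
        findings.append("image is unsigned")
    if header["flags"] & FLAG_VERIFICATION_DISABLED:
        findings.append("verification disabled flag set")
    if header["flags"] & FLAG_HASHTREE_DISABLED:
        findings.append("dm-verity hashtree disabled flag set")
    return findings


def sample_header(algorithm, signature_size, flags):
    # Constructed test input, not taken from any real device image.
    auth_size = 576 if signature_size else 0
    return HEADER.pack(b"AVB0", 1, 0, auth_size, 1024, algorithm,
                       0, 32, 32, signature_size, 0, 520, 0, 0, 0, 0,
                       0, flags, 0, b"avbtool 1.1.0", b"")


if __name__ == "__main__":
    for name, blob in (("signed", sample_header(1, 256, 0)),
                       ("weakened", sample_header(0, 0, 3))):
        hdr = parse_vbmeta_header(blob)
        print(name, hdr["algorithm"], hex(hdr["flags"]),
              integrity_findings(hdr) or "no findings")
```

For a real image, pass the first 256 bytes of the vbmeta partition dump to `parse_vbmeta_header`; `avbtool info_image` reports the same fields.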
  • 7

    The era of LGUP is dead; an update, for those of you who are not in our Discord

    First, some context for the abbreviations used:
    • LGMST = LG Mobile Service Tool, the successor of LGUP. More context within the post.
    • R&D = Research & Development, their department of developers and researchers that work on their proprietary and consumer software and solutions
    • LG MC = LG MobileComm., their mobile phone division



    LGUP Background - Goodbye!



    LGUP was created by their R&D team some time ago for personal use as well as for release to their collaborators, i.e the carriers that sell their devices under their own phone plans with their own software. There were three versions as far as we knew, being Dev, Lab, and CS, and even more configuration based on the UI_Config.lgl file which specified which options were available to which carriers. The LGUP.exe executable does not actually contain all of the instructions, methods, functions etc, but is rather a sort of shell to work with the LGUP_Common.dll library, which is where all of the real instructions are.
    Both of these files were built using C++, which the reverse engineers out there will know is extremely difficult to work with when a program is already compiled, and essentially impossible to decompile back to any sort of original source code, especially when it comes to the actual .exe that utilizes the dll library, since all versions of the exe after 1.14.3 have been packed with Themida. The NSA's Ghidra does an impressive job of working with this, but it is still brain-rotting to read through and work with even in rough C++, hence why there were so few patches ever made to this application and so little support. The good news is, nobody needs to spend four weeks on figuring out the internals of this anymore, and no assembly reverse engineering is required anymore.


    The Good News



    We now have the latest - and probably the last available, since LG MC is shutting down - tool from LG's R&D department. The original LGMST that we obtained was v1.1.4.3, from April of 2020. The new one that we are now currently working with is v1.1.6.1, from March 24th of 2021, just barely over a week ago as of posting today. This version came with a set of drivers, too, which we're pretty confident are the ones that the development team has been working with. They're an older version, but not too old, and this makes sense because they've likely been using and working on this tool for a while now, and development for an application that interfaces with a device can cause unnecessarily tricky troubleshooting and incompatibility issues for the dev team if they're changing the driver that handles the actual communication all the time. It is much easier and more efficient to work with a consistently working driver version during development - and besides, the LG dev team's motto has always been "if it isn't broken we don't need to change it."

    LGMST is written in .NET, which the reverse engineers and any .NET developers will know is actually quite exciting to work with when doing reverse engineering. This is because .NET applications can be decompiled to C# and/or IL code that is nearly if not completely identical to the original source code. However, version 1.1.6.1 is far more heavily obfuscated than 1.1.4.3 was. We wouldn't be working with the new one and wiping our previous progress if the last version we had wasn't a year old. We wanted to avoid compatibility issues, and decided to move forward with this version instead and essentially start over.

    What this means for you guys is that you will have a higher level of compatibility and functions to work with. Absolutely worst case scenario: we can offer the opportunity to flash your devices and read information from a tool that YOU can easily decompile and work with by hand to tweak and alter as much as you'd like. Providing information about the full capability range of the program is something I want to refrain from doing though, because I don't want to make promises we cannot keep; however, I will state that with everything we've seen, it is all super exciting and should leave LGUP in the dust by comparison.


    The Crappy News



    It's not really bad news so I refrained from using that term.

    Look, it'll be a while. We're not right around the corner from this, but we're closer than we have ever, ever been. I have full confidence in this program and the team that's working on this with me. There is a lot of functionality offered in this tool, and thus there is a lot more ground to cover than simply flashing firmware onto our devices. I can't go into detail here as to why, because it has been evident in the past that LG is watching us here in XDA, and I don't want to risk unveiling what we do and don't know.



    A Note to the LG R&D Team



    Hi! I'm Haise, and in this message, I speak for the LG mobile device community.

    I wouldn't be here - none of us would be here - and I wouldn't have learned and obtained everything that I've obtained if it weren't for you. I thank you for this opportunity to learn and expand my skillset, but listen, I shouldn't have had to. None of your community and consumer base should be sitting here excited about the news I'm unveiling to them. My team, your community, and myself from the very beginning should have had the opportunity to unlock our devices from the get-go. And fine - secrets, competition, blah blah blah, I get it. You couldn't back then. But you can now, because it's over. Your Mobile Communications division has met its end, and support for every last one of your mobile device consumers has ended. Your last updates are rolling out, and every single one of your devices will reach its end of life, with no system updates, no security updates, no way to protect ourselves and no way to improve or work on our devices.
    So support us. It's over. You can finally let us unlock our devices now. You have solutions, too. Change your bootloader unlock page online to support all LG mobile devices and keep the portal up, or release your factory/engineering bootloader files for our devices, or make a crappy tool that'd take three days to build with three developers that can download the file and flash it to our device - hell I know a few people already that you could hire under contract - or just figure it out your way. It really isn't too late. You have every given moment right now to make a decision, and you should make the right one, because we aren't here to steal anything. We aren't here to leak your software and firmware information to competitors and it doesn't matter now, anyways, because they don't have you to compete against anymore.
    We purchased your devices. We own them, rightfully, but you've built them in such a strictly specific way that prevents us from taking advantage of our ownership. Your terms and conditions treat a purchase as if it were a lease.
    And if there's some sort of specific reason or restriction that you can't do that, then fine - at least voice it to us. Notice us and acknowledge us, because you built incredibly beautiful and impressive devices, and you had a lot of loyal fans of those devices out here - you still do. Don't let them down, don't leave them empty handed, don't completely screw them by leaving them with locked pieces of crap that they can never, ever improve; swallow your pride, work out a few things, let go of your uptight attitude and just let us do this on our own, because you're letting go of us now.
    Give us our freedom, because we loved you as a company and what you provided to us, and you did a good job with this. Don't ruin everything you've ever built and don't screw over your consumers. Let it go, and give us our freedom. We've earned it. They've earned it.
    3
    Not sure yet but I don't think I'll need it.. I don't want to start by diving deep and overlook a simpler solution than accessing fastboot.. I just need a developer that can modify a kdz.. if I can simply achieve root via the new magisk method, it's a start.. I'm picking up another stylo 6 today, then a real computer cause my chromebook useless.. I'll update if I get a modified kdz and what happens when I try to flash🤞
    I myself have just finally found this thread and am super more than willing to put in some work! :)

    so i've gotta:
    - `adb reboot recovery`
    - boot into fastboot from recovery
    - unlock the bootloader with `fastboot oem_unlock`
    - let the phone factory reset with an unlocked bootloader
    _____________________
    and:
    - download the .kdz firmware file for the unlocked version on pc
    - locate and extract the boot.bin with kdzTools and convert it to boot.img
    - send extracted file to my personal phone
    - patch boot.img in magisk manager app on my phone
    - send it back to pc with `adb pull /sdcard/boot.img C:/users/myname/`
    _____________________
    then:
    - load patched boot.img into the stylo 6 through `fastboot flash boot boot.img`
    - `fastboot reboot` and let it reboot hopefully with root AND with carrier unlock
    - download magisk manager to verify

    I guess I'll give this a shot and get back to you guys. :)