[ROOT] DirtySanta comes for the H990

emdroidle

Senior Member
Oct 6, 2015
413
705
0
Took a while to work things out, but DirtySanta has been successfully extended to international versions of the LGE V20.

While I have tried to ensure this works for anyone, this may fail. I also do not provide any warranty! The result of a failure could include voiding of warranty and hardware damage. This is also one of the most complicated rooting procedures due to SE Linux, we've been unable to simplify things.

Be careful! Many of these commands have a high probability of resulting in a brick if mistyped. Be prepared to have your V20 out of commission for a day or two while you ask questions about the state your phone has ended up in.
Also Don't Panic! If something starts going wrong, stop. Better to have your daily driver out of commission for 24 hours, than have it out of commission permanently.


As of this time there are some sporadic reports of problems. Some people have camera trouble. If a cause can be identified these will definitely get fixed ASAP. Work is well under way, experimental fixes for this are out.


As preparation, I would like folks to be familiar with LGUP/LGBridge and how to use them. Using LGUP is also how to get back to stock. On the H990DS Bluetooth is implemented via kernel module and the kernel module has to be loaded off /system, therefore there is no choice but to write to /system.
Beware: Once past14 LGUP will recognize your device as a US996. Do not flash a US996 KDZ file! Doing so will brick you. See below for instructions on going back to stock.

Devices

  • H990DS (dual-SIM): Known working
  • H990N (dual-SIM): Known working
  • H990 (single-SIM): Known working
  • H990* (other): ALPHA reports of success needed.
There is now a v0.2.4 combined kernel. This version should work for all H990* variants and should hopefully have fewer issues due to being on a later kernel release. The quirk of some of the dual-SIM features showing up in menus should be fixed in v0.2.4.
v0.2.4 includes patches for all of the recently discovered kernel issues. The kernel Bluetooth patch is included, but the are also userspace patches for a portion of "BlueBorne". The "Broadpwn" vulnerability has also been patched. Yet more 802.11 patches have been added over v0.2.3a, unfortunately the fix for the KRACK attack is in the userspace program "wpa_supplicant" not the kernel. :(



Alternative instructions:
By @ahlok_hk here

Rooting and full bootloader unlock for the H990 versions of the LGE V20:
  1. Ensure you have a backup plan: https://forum.xda-developers.com/v20/how-to/restore-v20-to-100-stock-bricked-devices-t3524903
  2. Backup your phone data. LG Bridge/LG Backup is pretty reliable, but I strongly advise backing up everything onto a desktop/laptop computer. If you backup to SD card, the SD card must not be encrypted! (failures will destroy the key and the data)
  3. Go to Settings -> General -> About phone -> Software info -> Android security patch level; if your phone is on an update after December 31, use LGUP to "refurbish" to an earlier firmware release (this will do a factory reset).
  4. Ensure you have ADB/Fastboot files installed and working: https://forum.xda-developers.com/showthread.php?t=2588979
    This also requires developer mode -> USB debugging to be enabled.
  5. Ensure you have all relevant files prepared:
    Installed backup plan.
    Installed Terminal Emulator on device.
    Downloaded DirtySanta's files and copied them to ADB directory.
    Downloaded files, Put kernel and SU implementation (Magisk.zip and
    SuperSU.zip work) into SD card; and TWRP into ADB directory.
    Note: It may be necessary to temporarily disable anti-virus/anti-malware programs when unpacking the original DirtySanta. At least one has detected `dirtycow`/CVE-2016-5195 as malware (it can in fact act in that role).
  6. Using dirtysanta's steps: Run "RUNMEFIRST.bat" <-- Do not close.
  7. Run "step1.bat" <-- Wait until you can type something again.
  8. Type "run-as con" <-- If you get unknown package error, means your latest security patch patched it out; go back to step 3. LGUP should be able to downgrade you to an earlier firmware update.
  9. Type "chmod 0777 /storage/emulated/0/*"
  10. Open Terminal Emulator, Type "id"
  11. Look for something containing "untrusted_app". If not found, Start all over again. If found, continue.
  12. Type "applypatch /system/bin/atd /storage/emulated/0/dirtysanta" into Terminal Emulator
  13. Wait for RUNMEFIRST.bat console to prompt you to run step2.bat.
  14. Run "step2.bat"
  15. Save copies (put them somewhere safe where you'll remember them) of the files "abootbackup.img" and "bootbackup.img", which "step2.bat" saves in its directory, the latter is crucial in returning to stock.
  16. At a command prompt run the following commands, but make sure to wait at least 30 seconds between each. Do not skimp on that delay as otherwise the likelihood is this will fail (this is the most unreliable step in this process); waiting longer than 30 seconds is fine.
    Code:
    fastboot flash recovery twrp-3.0.2-1-h990.img
    
    fastboot flash recovery twrp-3.0.2-1-h990.img
    
    fastboot reboot
    Of all steps this is by far the most unreliable! If you have problems at the end, most likely you'll need to get back to the bootloader (hold power-UP and then insert USB cable) and repeat this step.
  17. Boot in to TWRP.
    Press and hold volume DOWN; press and hold power until the LG logo comes up, then briefly release power (0.5-1.0sec) and then hold power again. If you fail to get this right the first time, you will likely need to pull the battery out and start from power off.
    You will then be prompted "Delete all user data (including LG and carrier apps) and reset all settings?"
    Select "Yes" twice, and as long as TWRP installation was successful you'll get into TWRP and NO RESET will be done.
    Inside TWRP flash "h990-kernel.zip" and then flash SU implementation (Magisk.zip or
    SuperSU.zip). At this point the process should be complete. There won't be static on boot, you'll have root and nothing else should have changed.

    If your phone's userdata got locked, there may be a need to wipe cache and data to regain access.

During all subsequent boots a red triangle with a warning about your device being corrupt will show up. The only method to remove that would be to get my kernel signed by LGE and I'm rather doubtful that will ever happen. Only thing we can do is to call it a badge of honor.

There is now a tool for writing KDZ files to phones. This is recommended in order to get up to date on security patches.



Going back to stock:
As with those whole rooting procedure, this is hazardous. Be careful, go slow and don't rush things.

Method 1a: (TWRP, strongly preferred!)
  1. Boot into TWRP (DOWN + Power with a brief release during LG logo).
  2. Copy the file "abootbackup.img" from your archive to your phone (adb push abootbackup.img /). This is the file you should have saved from step 15 above.
  3. Run `adb shell` and type (or copy&paste) the following commands:
    Code:
    dd if=abootbackup.img of=/dev/block/bootdevice/by-name/aboot
    sync
    sleep 30
    sync
  4. Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
  5. Load the appropriate KDZ file onto your phone via LGUP.

Method 1b: (TWRP, with file from another source)
This is simply a tweak of the above resulting from recalling there is a backup of aboot already on the phone itself.
  1. Boot into TWRP (DOWN + Power with a brief release during LG logo).
  2. Run `adb shell` and type (or copy&paste) the following commands:
    Code:
    dd if=/dev/block/bootdevice/by-name/abootback of=/dev/block/bootdevice/by-name/aboot
    sync
    sleep 30
    sync
  3. Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
  4. Load the appropriate KDZ file onto your phone via LGUP.

Method 2: (fastboot)
Danger! This method is not recommended, except as an emergency fallback. Writes done via `fastboot flash` have be demonstrated to unreliable. This works if TWRP is unavailable, but avoid if possible.
  1. Boot into fastboot mode. Any of these methods should work:
    • (if Android running normally) Run `adb reboot bootloader`
    • (from a powered down state) Press and hold DOWN, then plug in USB cable.
    • (powered down, USB plugged in) Press and hold DOWN, then power on.
  2. With "abootbackup.img" in the current directory run the following commands, while waiting at least 30 seconds between them:
    Code:
    fastboot flash aboot abootbackup.img
    (wait >30s)
    fastboot flash aboot abootbackup.img
    (wait >30s)
    fastboot reboot
  3. Get into Download mode. Press and hold UP. If the phone has already started to load Android, pull the battery, reinstall battery; then press and hold UP and power on.
  4. Load the appropriate KDZ file onto your phone via LGUP.

Rescue from going back to stock problems:
Apparently it is possible to enable extra features in LGUP, documented in this thread. If you're forced to use approach back to stock approach v2, here is a method to rescue you. This may even have the potential to function as an alternative DirtySanta installation approach. This even works as a full back to stock method by itself! Thanks to @Prowler_gr for sharing!



Technical discussion
If you're not planning to build your own kernel and aren't curious about how things work, no need to read these long details.

What was my old tree is here. I've got a build hack, which I suspect is meant to be handled by other means (later compiler?) so some extras are here.
Now releasing version v0.2 here. With the extra hack for compilation and exfat is here.

My latest .zip makes use of the `fix-h990-cmdline` tool from here.

There are 3 major fixes needed for making working kernels for the H990.
  1. First, the H990 has its own distinct version of the panel timings, which was added in this commit. Combined with the more robust graphics driver from CAF, this solves the "static" issue. The "static" issue is far more severe for the H990* than other V20 versions, the workaround of covering the proximity sensor does not work.
  2. Second, the kernel command-line needs to be modified. Crucially this tells the Android runtime whether the device is single-SIM or dual-SIM. This was originally implemented in a combination of commit 1 and commit 2. Notice CONFIG_CMDLINE and CONFIG_CMDLINE_EXTEND add on to the command-line passed by the boot loader.
  3. Third, the modem driver (files in /firmware) apparently gets its information on the modem chip by looking at a structure in the SMEM_ID_VENDOR0 portion of platform "smem" area. The original LGE boot loader puts appropriate values into this data structure, but the DirtySanta debug boot loader leaves important parts of the structure uninitialized. As such this area needed to be modified before modem initialization, done here.

Originally these values were added by hard-coding them. This works, but doesn't scale well. Even before my first kernel release I was pondering modifying things by reading them from the command-line. In order for this strategy to work, these additional arguments must be added to the Android boot image command-line. This additional step was implemented in `fix-h990-cmdline` in my lg-v20-tools. For a H990DS the string " model.name=LG-H990ds lge.sim_num=2 lge.dsds=dsds androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added, while for a H990 the string " model.name=LG-H990 lge.sim_num=1 lgs.dsds=none androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added.

With my current kernel source `fix-h990-cmdline` must be run on the boot image before the kernel will successfully boot. This is done inside the tools/ak2-core.sh script in the .zip file. The command is `$bin/fix-h990-cmdline /tmp/anykernel/boot-new.img`. `fix-h990-cmdline` could also be run on /dev/block/bootdevice/by-name/boot after the kernel had been installed.
Important note, modification of the boot image command-line must be done carefully. If a previous kernel already added the command-line options, care must be taken to ensure they're not present multiple times. `fix-h990-cmdline` was specifically written with this issue in mind, please don't break this. Also note fix-h990-cmdline will replace the values of "model.name", "lge.sim_num" and "lge.dsds" based upon the contents of the misc area; the values of "androidboot.bl_unlock_complete" and "androidboot.authorized_kernel" will be left alone if already present.
The most recent version of `fix-h990-cmdline` has been modified to allow specifying the model and SIM count on the command-line. `fix-h990-cmdline` will complain if the command-line disagrees with the misc area, but it will obey the command-line and lie to the kernel.



Thanks and warning:

This is near certain to void your warranty. While care has been taken to reduce the chance of producing a brick, there are no guarantees.


Thanks to:
@me2151 the original DirtySanta bootloader, crucial for this to work
@thubble for figuring out the last bit of the modem fix and (successful) guinea pig #2
@exadeci (successful) guinea pig #1
@Xenogenics helping others, posting some reasonable instructions
@USA-RedDragon for making everyone aware of LineageOS's source tree


A copy of the source tree used for building these is here. Two small hacks are used during the actual build process, this is an exact copy of what is built.

News:
v0.2.2: The kernel portion of BlueBorne is patched. Unfortunately there is apparently a userspace portion as well. Broadpwn (Wifi vulnerability) is patched.
v0.2.3: Adding the driver for the S5K2P7 camera sensor, seems LGE needs to work on their updates since they're required to release source for this updated driver, but haven't. This fixes the camera focus issue observed on some devices.
v0.2.3a: The internal fix-h990-cmdline utility was adjusted due to the quirk with single-SIM devices. This should make the dual-SIM menus disappear from single-SIM devices.
v0.2.4: Yet more 802.11 patches have been added (KRACK is in wpa_supplicant on /system, not the kernel). A tentative fix for the video recording issue has been found. There are distinct downsides to the fix, but at least something working is available

H990* Generic Kernel v0.2.4:
MD5: 5c37b2fa01417874fa6e4456a333792d
SHA1: 79033bad078991180b6f308c99527ef4cd6e1379
SHA512: c2167602edd93e7bab76e7e89093e2ebb1670163ccb812ec327b03d98931c57566a3ab565e81ca4b7de142771f22e6723f291df0c5cad82982a24d5da18b5011

H990* Generic Kernel v0.2.3a:
MD5: b9cd4c750e9bc8627d07243f7e4c3c82
SHA1: e16f348e11e765651564922823b9e38f27c41976
SHA512: 1965bec516d6b886aa283b24906a6bec1c3e8a9b39f1efd5f57c00eaa222940d3cc2420cee83712f47c17e0b397ab1b1d7254c5c43d40ca016e06630206f5505

H990* Generic Kernel v0.2.3:
MD5: fb32e04ec9f5f2fd21bf226db722947c
SHA1: e7ab1533106e0d11075e21b097629be307123879
SHA512: 0c58586c1a8a678d644912d2dd64d970cd0614a8c85bfaae787d1970b16bd03306bd3189f9b07ace80d0f9f9072fc7b6efbd4556da0b09d4ad205922b35aedd9

H990* Generic Kernel v0.2.2:
MD5: f85de33a3354973920b6ffc7baeb7d62
SHA1: 2a9dd897fd44efa13be0f4d2e17ef90ba896b399
SHA512: 3f4e8110b68ae58b38f3abc50d3633df9b45bf4a68120e37ea3934e78b659514d20a2ddbe2d35a30a23b9ed6285c47cacacd43676da82d678201e79748e57c8b

H990* Generic Kernel v0.2.1:
MD5: d08807bc5f3e14fbbcbadbf7013988d0
SHA1: 3b1871c974fe06a6125a47200dc0e35b12a20abc
SHA512: 6d84c27f5752b1313157bbebb917683ce37384032b3d72afc15fa3679839da325a1fdb0824aca28dda2d95161d0e4a0ec343e4e1f35fd0b3700e156d4d60f03f

Alternative kernel builds:
I'm carefully releasing source of my kernel builds (above) and others are welcome to build kernels modified to their preferences. They can also target any kernel issues they find and fix.

@jahlex has the "D.O.T.S." kernel here. This is built from stock LGE and targets camera issues. Due to being closer to LGE's source it may well provide some better hardware support.

@Leicxan has successfully built a werewolf derived kernel, here. For a number of people this works better.
 

Attachments

Last edited:

kingnose

Member
Jun 20, 2017
27
10
0
Hi, great job on unlocking the bootloader @emdroidle!

I know this is a noob question but I'm not really familiar with custom ROMs, but does this mean I can flash existing custom ROMs for the other V20 variants or do we need to wait for them to support the H990DS?

Thanks!
 
  • Like
Reactions: paiom

ronaldyeo

Senior Member
Sep 27, 2013
143
42
0
Anyone can confirm it is working ??
definitely up and working. OP has been working on this for months, and I feel that it is rather rude to post this here.
you can have a go counting the number of success in the bounty thread here.

Thanks again to emdroidle for the crazy amount of work and time spent here.
 

emdroidle

Senior Member
Oct 6, 2015
413
705
0
i rooted my H990N (Hong Kong version) successfully using H990DS-Kernel.zip.
i translated the root tutorial into chinese and modified the bat files (some in chinese too), and posted it here:
http://bbs.gfan.com/forum.php?mod=viewthread&tid=9163590
Uh, this may or may not have any effects, but if you go to Settings -> General -> About phone -> Common -> Hardware info -> Model number, you will likely find it reports your phone as a "LG-H990ds".

This is why I've got the instructions for information needed for adapting to new devices. This is also why that kernel wasn't listed as being for the H990N.

A few moments after this message is posted, there will be a new h990n-kernel.zip. As with others for which I lack the device, no guarantee it will work (it should, but reality...). From where you're at you can simply flash it in TWRP without repeating any other steps.


Great guide. The thread title is a little funny though :D
I thought it was appropriate. DirtySanta had already gotten most of the V20s, merely hadn't gotten these last few variants.


Anyone can confirm it is working ??
There are multiple confirmations. The big deal is this process is complicated. The step of installing TWRP has been shown to be unreliable due to fastboot not giving indications of completion.


Getting the error "LGUP can't load the model[C\Progrem Files(x86)\LGElectoronics\LGUP\model\com"

This post

https://forum.xda-developers.com/v2...ed-devices-t3524903/post70385757#post70385757

recomends using uppercut to avoid the error. Is this recomendation compatible with this root method?
That is only needed for the step downgrading the firmware to a version vulnerable to DirtyCOW. It is irrelevant exactly what method is used to do that.
 
  • Like
Reactions: alliGTR

faeterov

Senior Member
May 2, 2016
167
46
0
I'm currently on step 16. I see the phone in fastboot mode
(1130) Fastboot mode started

But as I type
fastboot flash recovery twrp-3.0.2-1-h990.img

I don't see any feedback from the screen of my phone. Also the command line gets stuck on <waiting for device>

I waited 1 minute, then started another command prompt, again flashed recovery, with no feedback again from the phone or the CMD

FInally, after some minutes I type
fastboot reboot

and the sma results...

Should I just restart?


EDIT: nevermind, seems like I had to reboot my pc in order for it to install the drivers to run fastboot.

---------- Post added at 03:48 PM ---------- Previous post was at 03:08 PM ----------

MMMM, root failed, I got a corrupted screen.

Will try to go back to stock and retry everything, but all seemed to go well.
 
Last edited:

Hamodi

Senior Member
Apr 25, 2011
2,151
358
0
...
definitely up and working. OP has been working on this for months, and I feel that it is rather rude to post this here.
you can have a go counting the number of success in the bounty thread here.

Thanks again to emdroidle for the crazy amount of work and time spent here.
I know its working with DS but shuold try it for single sim too
Non had test yet , will do this later tonight

---------- Post added at 04:32 PM ---------- Previous post was at 04:27 PM ----------

Come again?
What you mean ?
Static screen will be with every reboot
Not sure if its with 990 too but it was with others version
 

faeterov

Senior Member
May 2, 2016
167
46
0
I know its working with DS but shuold try it for single sim too
Non had test yet , will do this later tonight

---------- Post added at 04:32 PM ---------- Previous post was at 04:27 PM ----------



What you mean ?
Static screen will be with every reboot
Not sure if its with 990 too but it was with others version
I could get into twrp, so i wasnt able to continue with the mod. Went back to stock, will try again later on my phone H990DS.