
[ROOT] DirtySanta comes for the H990


emdroidle

Senior Member
Oct 6, 2015
413
710
Took a while to work things out, but DirtySanta has been successfully extended to international versions of the LGE V20.

While I have tried to ensure this works for anyone, this may fail. I also do not provide any warranty! The result of a failure could include voiding of warranty and hardware damage. This is also one of the most complicated rooting procedures due to SELinux; we've been unable to simplify things.

Be careful! Many of these commands have a high probability of resulting in a brick if mistyped. Be prepared to have your V20 out of commission for a day or two while you ask questions about the state your phone has ended up in.
Also Don't Panic! If something starts going wrong, stop. Better to have your daily driver out of commission for 24 hours, than have it out of commission permanently.


As of this time there are some sporadic reports of problems. Some people have camera trouble. If a cause can be identified these will definitely get fixed ASAP. Work is well under way, experimental fixes for this are out.


As preparation, I would like folks to be familiar with LGUP/LGBridge and how to use them. Using LGUP is also how to get back to stock. On the H990DS Bluetooth is implemented via kernel module and the kernel module has to be loaded off /system, therefore there is no choice but to write to /system.
Beware: Once past step 14, LGUP will recognize your device as a US996. Do not flash a US996 KDZ file! Doing so will brick you. See below for instructions on going back to stock.

Devices

  • H990DS (dual-SIM): Known working
  • H990N (dual-SIM): Known working
  • H990 (single-SIM): Known working
  • H990* (other): ALPHA reports of success needed.
There is now a v0.2.4 combined kernel. This version should work for all H990* variants and should hopefully have fewer issues due to being on a later kernel release. The quirk of some of the dual-SIM features showing up in menus should be fixed in v0.2.4.
v0.2.4 includes patches for all of the recently discovered kernel issues. The kernel Bluetooth patch is included, but there are also userspace patches for a portion of "BlueBorne". The "Broadpwn" vulnerability has also been patched. Yet more 802.11 patches have been added over v0.2.3a; unfortunately the fix for the KRACK attack is in the userspace program "wpa_supplicant", not the kernel. :(



Alternative instructions:
By @ahlok_hk here

Rooting and full bootloader unlock for the H990 versions of the LGE V20:
  1. Ensure you have a backup plan: https://forum.xda-developers.com/v20/how-to/restore-v20-to-100-stock-bricked-devices-t3524903
  2. Backup your phone data. LG Bridge/LG Backup is pretty reliable, but I strongly advise backing up everything onto a desktop/laptop computer. If you backup to SD card, the SD card must not be encrypted! (failures will destroy the key and the data)
  3. Go to Settings -> General -> About phone -> Software info -> Android security patch level; if your phone is on an update after December 31, use LGUP to "refurbish" to an earlier firmware release (this will do a factory reset).
  4. Ensure you have ADB/Fastboot files installed and working: https://forum.xda-developers.com/showthread.php?t=2588979
    This also requires developer mode -> USB debugging to be enabled.
  5. Ensure you have all relevant files prepared:
    Installed backup plan.
    Installed Terminal Emulator on device.
    Downloaded DirtySanta's files and copied them to ADB directory.
    Downloaded files, Put kernel and SU implementation (Magisk.zip and SuperSU.zip work) into SD card; and TWRP into ADB directory.
    Note: It may be necessary to temporarily disable anti-virus/anti-malware programs when unpacking the original DirtySanta. At least one has detected `dirtycow`/CVE-2016-5195 as malware (it can in fact act in that role).
  6. Using dirtysanta's steps: Run "RUNMEFIRST.bat" <-- Do not close.
  7. Run "step1.bat" <-- Wait until you can type something again.
  8. Type "run-as con" <-- If you get unknown package error, means your latest security patch patched it out; go back to step 3. LGUP should be able to downgrade you to an earlier firmware update.
  9. Type "chmod 0777 /storage/emulated/0/*"
  10. Open Terminal Emulator, Type "id"
  11. Look for something containing "untrusted_app". If not found, Start all over again. If found, continue.
  12. Type "applypatch /system/bin/atd /storage/emulated/0/dirtysanta" into Terminal Emulator
  13. Wait for RUNMEFIRST.bat console to prompt you to run step2.bat.
  14. Run "step2.bat"
  15. Save copies (put them somewhere safe where you'll remember them) of the files "abootbackup.img" and "bootbackup.img", which "step2.bat" saves in its directory, the latter is crucial in returning to stock.
  16. At a command prompt run the following commands, but make sure to wait at least 30 seconds between each. Do not skimp on that delay as otherwise the likelihood is this will fail (this is the most unreliable step in this process); waiting longer than 30 seconds is fine.
    Code:
    fastboot flash recovery twrp-3.0.2-1-h990.img
    
    fastboot flash recovery twrp-3.0.2-1-h990.img
    
    fastboot reboot
    Of all steps this is by far the most unreliable! If you have problems at the end, most likely you'll need to get back to the bootloader (hold power-UP and then insert USB cable) and repeat this step.
  17. Boot into TWRP.
    Press and hold volume DOWN; press and hold power until the LG logo comes up, then briefly release power (0.5-1.0sec) and then hold power again. If you fail to get this right the first time, you will likely need to pull the battery out and start from power off.
    You will then be prompted "Delete all user data (including LG and carrier apps) and reset all settings?"
    Select "Yes" twice, and as long as TWRP installation was successful you'll get into TWRP and NO RESET will be done.
    Inside TWRP flash "h990-kernel.zip" and then flash SU implementation (Magisk.zip or SuperSU.zip). At this point the process should be complete. There won't be static on boot, you'll have root and nothing else should have changed.

    If your phone's userdata got locked, there may be a need to wipe cache and data to regain access.

During all subsequent boots a red triangle with a warning about your device being corrupt will show up. The only method to remove that would be to get my kernel signed by LGE and I'm rather doubtful that will ever happen. Only thing we can do is to call it a badge of honor.

There is now a tool for writing KDZ files to phones. This is recommended in order to get up to date on security patches.



Going back to stock:
As with the whole rooting procedure, this is hazardous. Be careful, go slow and don't rush things.

Method 1a: (TWRP, strongly preferred!)
  1. Boot into TWRP (DOWN + Power with a brief release during LG logo).
  2. Copy the file "abootbackup.img" from your archive to your phone (adb push abootbackup.img /). This is the file you should have saved from step 15 above.
  3. Run `adb shell` and type (or copy&paste) the following commands:
    Code:
    dd if=abootbackup.img of=/dev/block/bootdevice/by-name/aboot
    sync
    sleep 30
    sync
  4. Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
  5. Load the appropriate KDZ file onto your phone via LGUP.

Method 1b: (TWRP, with file from another source)
This is simply a tweak of the above resulting from recalling there is a backup of aboot already on the phone itself.
  1. Boot into TWRP (DOWN + Power with a brief release during LG logo).
  2. Run `adb shell` and type (or copy&paste) the following commands:
    Code:
    dd if=/dev/block/bootdevice/by-name/abootback of=/dev/block/bootdevice/by-name/aboot
    sync
    sleep 30
    sync
  3. Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
  4. Load the appropriate KDZ file onto your phone via LGUP.

Method 2: (fastboot)
Danger! This method is not recommended, except as an emergency fallback. Writes done via `fastboot flash` have been demonstrated to be unreliable. This works if TWRP is unavailable, but avoid if possible.
  1. Boot into fastboot mode. Any of these methods should work:
    • (if Android running normally) Run `adb reboot bootloader`
    • (from a powered down state) Press and hold DOWN, then plug in USB cable.
    • (powered down, USB plugged in) Press and hold DOWN, then power on.
  2. With "abootbackup.img" in the current directory run the following commands, while waiting at least 30 seconds between them:
    Code:
    fastboot flash aboot abootbackup.img
    (wait >30s)
    fastboot flash aboot abootbackup.img
    (wait >30s)
    fastboot reboot
  3. Get into Download mode. Press and hold UP. If the phone has already started to load Android, pull the battery, reinstall battery; then press and hold UP and power on.
  4. Load the appropriate KDZ file onto your phone via LGUP.

Rescue from going back to stock problems:
Apparently it is possible to enable extra features in LGUP, documented in this thread. If you're forced to use back to stock approach v2, here is a method to rescue you. This may even have the potential to function as an alternative DirtySanta installation approach. This even works as a full back to stock method by itself! Thanks to @Prowler_gr for sharing!



Technical discussion
If you're not planning to build your own kernel and aren't curious about how things work, no need to read these long details.

What was my old tree is here. I've got a build hack, which I suspect is meant to be handled by other means (later compiler?) so some extras are here.
Now releasing version v0.2 here. With the extra hack for compilation and exfat is here.

My latest .zip makes use of the `fix-h990-cmdline` tool from here.

There are 3 major fixes needed for making working kernels for the H990.
  1. First, the H990 has its own distinct version of the panel timings, which was added in this commit. Combined with the more robust graphics driver from CAF, this solves the "static" issue. The "static" issue is far more severe for the H990* than other V20 versions, the workaround of covering the proximity sensor does not work.
  2. Second, the kernel command-line needs to be modified. Crucially this tells the Android runtime whether the device is single-SIM or dual-SIM. This was originally implemented in a combination of commit 1 and commit 2. Notice CONFIG_CMDLINE and CONFIG_CMDLINE_EXTEND add on to the command-line passed by the boot loader.
  3. Third, the modem driver (files in /firmware) apparently gets its information on the modem chip by looking at a structure in the SMEM_ID_VENDOR0 portion of platform "smem" area. The original LGE boot loader puts appropriate values into this data structure, but the DirtySanta debug boot loader leaves important parts of the structure uninitialized. As such this area needed to be modified before modem initialization, done here.

Originally these values were added by hard-coding them. This works, but doesn't scale well. Even before my first kernel release I was pondering modifying things by reading them from the command-line. In order for this strategy to work, these additional arguments must be added to the Android boot image command-line. This additional step was implemented in `fix-h990-cmdline` in my lg-v20-tools. For a H990DS the string " model.name=LG-H990ds lge.sim_num=2 lge.dsds=dsds androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added, while for a H990 the string " model.name=LG-H990 lge.sim_num=1 lgs.dsds=none androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added.

With my current kernel source `fix-h990-cmdline` must be run on the boot image before the kernel will successfully boot. This is done inside the tools/ak2-core.sh script in the .zip file. The command is `$bin/fix-h990-cmdline /tmp/anykernel/boot-new.img`. `fix-h990-cmdline` could also be run on /dev/block/bootdevice/by-name/boot after the kernel had been installed.
Important note, modification of the boot image command-line must be done carefully. If a previous kernel already added the command-line options, care must be taken to ensure they're not present multiple times. `fix-h990-cmdline` was specifically written with this issue in mind, please don't break this. Also note fix-h990-cmdline will replace the values of "model.name", "lge.sim_num" and "lge.dsds" based upon the contents of the misc area; the values of "androidboot.bl_unlock_complete" and "androidboot.authorized_kernel" will be left alone if already present.
The most recent version of `fix-h990-cmdline` has been modified to allow specifying the model and SIM count on the command-line. `fix-h990-cmdline` will complain if the command-line disagrees with the misc area, but it will obey the command-line and lie to the kernel.



Thanks and warning:

This is near certain to void your warranty. While care has been taken to reduce the chance of producing a brick, there are no guarantees.


Thanks to:
@me2151 the original DirtySanta bootloader, crucial for this to work
@thubble for figuring out the last bit of the modem fix and (successful) guinea pig #2
@exadeci (successful) guinea pig #1
@Xenogenics helping others, posting some reasonable instructions
@USA-RedDragon for making everyone aware of LineageOS's source tree


A copy of the source tree used for building these is here. Two small hacks are used during the actual build process, this is an exact copy of what is built.

News:
v0.2.2: The kernel portion of BlueBorne is patched. Unfortunately there is apparently a userspace portion as well. Broadpwn (Wifi vulnerability) is patched.
v0.2.3: Adding the driver for the S5K2P7 camera sensor, seems LGE needs to work on their updates since they're required to release source for this updated driver, but haven't. This fixes the camera focus issue observed on some devices.
v0.2.3a: The internal fix-h990-cmdline utility was adjusted due to the quirk with single-SIM devices. This should make the dual-SIM menus disappear from single-SIM devices.
v0.2.4: Yet more 802.11 patches have been added (KRACK is in wpa_supplicant on /system, not the kernel). A tentative fix for the video recording issue has been found. There are distinct downsides to the fix, but at least something working is available

Alternative kernel builds:
I'm carefully releasing source of my kernel builds (above) and others are welcome to build kernels modified to their preferences. They can also target any kernel issues they find and fix.

@jahlex has the "D.O.T.S." kernel here. This is built from stock LGE and targets camera issues. Due to being closer to LGE's source it may well provide some better hardware support.

@Leicxan has successfully built a werewolf derived kernel, here. For a number of people this works better.
 

Attachments

  • h990-kernel-v0.2.2.zip
    14.3 MB · Views: 948
  • h990-kernel-v0.2.3.zip
    14.3 MB · Views: 694
  • h990-kernel-v0.2.3a.zip
    14.3 MB · Views: 869
  • h990-kernel-v0.2.4.zip
    14.3 MB · Views: 7,986
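
The idempotent boot image command-line edit described in the technical discussion of the post above, as an added example (not code from lg-v20-tools or from the post's author). It assumes the AOSP version-0 boot image header layout, edits only the 512-byte cmdline field, and runs on a constructed sample image; all function names are hypothetical.

```python
import struct

# AOSP boot image header, version 0. This layout is an assumption of the
# example; the thread does not describe the image format.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s32s1024s"   # magic, 10 x u32, name, cmdline, id, extra
CMDLINE_OFF, CMDLINE_LEN = 64, 512

# Values the post quotes for an H990DS; always rewritten.
FORCED_H990DS = {"model.name": "LG-H990ds", "lge.sim_num": "2", "lge.dsds": "dsds"}
# Options the post says are left alone when already present.
DEFAULTS = {"androidboot.bl_unlock_complete": "false",
            "androidboot.authorized_kernel": "true"}

# Constructed sample: an earlier kernel install left a stale model name and a
# duplicated lge.dsds behind.
SAMPLE_CMDLINE = ("console=ttyS0 androidboot.hardware=sample lge.dsds=none "
                  "model.name=LG-H990 androidboot.authorized_kernel=true lge.dsds=none")


def patch_cmdline(cmdline, forced=FORCED_H990DS, defaults=DEFAULTS):
    """Return cmdline with each managed option present exactly once."""
    managed = {**forced, **defaults}
    out, seen = [], set()
    for tok in cmdline.split():
        key = tok.split("=", 1)[0]
        if key in managed:
            if key in seen:          # duplicate from an earlier run: drop it
                continue
            seen.add(key)
            if key in forced:        # stale value: rewrite in place
                tok = f"{key}={forced[key]}"
        out.append(tok)
    # Append whatever is still missing, in a fixed order, so a second run
    # produces byte-identical output.
    out += [f"{k}={v}" for k, v in managed.items() if k not in seen]
    return " ".join(out)


def read_cmdline(img):
    """Extract the NUL-terminated cmdline field from a boot image."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    field = img[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN]
    return field.split(b"\0", 1)[0].decode("ascii")


def patch_image(img, forced=FORCED_H990DS):
    """Return a copy of img with the cmdline field patched; fail if it overflows."""
    new = patch_cmdline(read_cmdline(img), forced).encode("ascii")
    if len(new) >= CMDLINE_LEN:      # keep room for the terminating NUL
        raise ValueError("patched command line does not fit in 512 bytes")
    out = bytearray(img)
    out[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN] = new.ljust(CMDLINE_LEN, b"\0")
    return bytes(out)


def make_sample_image(cmdline):
    """Build a constructed one-page header (no kernel or ramdisk) for the demo."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, 0, 0, 0, 0, 0, 0, 0, 2048, 0, 0,
                      b"", cmdline.encode("ascii"), b"", b"")
    return hdr.ljust(2048, b"\0")


if __name__ == "__main__":
    image = make_sample_image(SAMPLE_CMDLINE)
    patched = patch_image(image)
    print(read_cmdline(patched))
    print("second run changes nothing:", patch_image(patched) == patched)
```
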

kingnose

Member
Jun 20, 2017
27
10
Hi, great job on unlocking the bootloader @emdroidle!

I know this is a noob question but I'm not really familiar with custom ROMs, but does this mean I can flash existing custom ROMs for the other V20 variants or do we need to wait for them to support the H990DS?

Thanks!
 

emdroidle

Senior Member
Oct 6, 2015
413
710
I rooted my H990N (Hong Kong version) successfully using H990DS-Kernel.zip.
I translated the root tutorial into Chinese and modified the bat files (some in Chinese too), and posted it here:
http://bbs.gfan.com/forum.php?mod=viewthread&tid=9163590
Uh, this may or may not have any effects, but if you go to Settings -> General -> About phone -> Common -> Hardware info -> Model number, you will likely find it reports your phone as a "LG-H990ds".

This is why I've got the instructions for information needed for adapting to new devices. This is also why that kernel wasn't listed as being for the H990N.

A few moments after this message is posted, there will be a new h990n-kernel.zip. As with others for which I lack the device, no guarantee it will work (it should, but reality...). From where you're at you can simply flash it in TWRP without repeating any other steps.


Great guide. The thread title is a little funny though :D
I thought it was appropriate. DirtySanta had already gotten most of the V20s, merely hadn't gotten these last few variants.


Anyone can confirm it is working ??
There are multiple confirmations. The big deal is this process is complicated. The step of installing TWRP has been shown to be unreliable due to fastboot not giving indications of completion.


Getting the error "LGUP can't load the model[C\Progrem Files(x86)\LGElectoronics\LGUP\model\com"

This post

https://forum.xda-developers.com/v2...ed-devices-t3524903/post70385757#post70385757

recommends using uppercut to avoid the error. Is this recommendation compatible with this root method?
That is only needed for the step downgrading the firmware to a version vulnerable to DirtyCOW. It is irrelevant exactly what method is used to do that.
 

djodjo131

Member
Mar 27, 2009
14
3
I have a grey screen on accessing TWRP, why?
 

faeterov

Senior Member
May 2, 2016
167
46
I'm currently on step 16. I see the phone in fastboot mode
(1130) Fastboot mode started

But as I type
fastboot flash recovery twrp-3.0.2-1-h990.img

I don't see any feedback from the screen of my phone. Also the command line gets stuck on <waiting for device>

I waited 1 minute, then started another command prompt, again flashed recovery, with no feedback again from the phone or the CMD

Finally, after some minutes I type
fastboot reboot

and the same results...

Should I just restart?


EDIT: nevermind, seems like I had to reboot my pc in order for it to install the drivers to run fastboot.

---------- Post added at 03:48 PM ---------- Previous post was at 03:08 PM ----------

MMMM, root failed, I got a corrupted screen.

Will try to go back to stock and retry everything, but all seemed to go well.
 

Hamodi

Senior Member
Apr 25, 2011
2,151
358
...
It's not a corrupted screen.
When you see it put the phone with the screen on table for 30 sec
 

Hamodi

Senior Member
Apr 25, 2011
2,151
358
...
definitely up and working. OP has been working on this for months, and I feel that it is rather rude to post this here.
you can have a go counting the number of success in the bounty thread here.

Thanks again to emdroidle for the crazy amount of work and time spent here.
I know it's working with DS but should try it for single SIM too
None have tested yet, will do this later tonight

---------- Post added at 04:32 PM ---------- Previous post was at 04:27 PM ----------


What do you mean?
Static screen will be with every reboot
Not sure if it's with 990 too but it was with other versions
 

faeterov

Senior Member
May 2, 2016
167
46
I know it's working with DS but should try it for single SIM too
None have tested yet, will do this later tonight

---------- Post added at 04:32 PM ---------- Previous post was at 04:27 PM ----------



What do you mean?
Static screen will be with every reboot
Not sure if it's with 990 too but it was with other versions

I could get into TWRP, so I wasn't able to continue with the mod. Went back to stock, will try again later on my phone H990DS.
 



    Thanks to:
    @me2151 the original DirtySanta bootloader, crucial for this to work
    @thubble for figuring out the last bit of the modem fix and (successful) guinea pig #2
    @exadeci (successful) guinea pig #1
    @Xenogenics helping others, posting some reasonable instructions
    @USA-RedDragon for making everyone aware of LineageOS's source tree


    A copy of the source tree used for building these is here. Two small hacks are used during the actual build process, this is an exact copy of what is built.

    News:
    v0.2.2: The kernel portion of BlueBorne is patched. Unfortunately there is apparently a userspace portion as well. Broadpwn (Wifi vulnerability) is patched.
    v0.2.3: Adding the driver for the S5K2P7 camera sensor, seems LGE needs to work on their updates since they're required to release source for this updated driver, but haven't. This fixes the camera focus issue observed on some devices.
    v0.2.3a: The internal fix-h990-cmdline utility was adjusted due to the quirk with single-SIM devices. This should make the dual-SIM menus disappear from single-SIM devices.
    v0.2.4: Yet more 802.11 patches have been added (KRACK is in wpa_supplicant on /system, not the kernel). A tentative fix for the video recording issue has been found. There are distinct downsides to the fix, but at least something working is available.

    H990* Generic Kernel v0.2.4

    H990* Generic Kernel v0.2.3a

    H990* Generic Kernel v0.2.3

    H990* Generic Kernel v0.2.2

    H990* Generic Kernel v0.2.1

    Alternative kernel builds:
    I'm carefully releasing source of my kernel builds (above) and others are welcome to build kernels modified to their preferences. They can also target any kernel issues they find and fix.

    @jahlex has the "D.O.T.S." kernel here. This is built from stock LGE and targets camera issues. Due to being closer to LGE's source it may well provide some better hardware support.

    @Leicxan has successfully built a werewolf derived kernel, here. For a number of people this works better.
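
The duplicate-safe command-line handling described in the technical discussion above, as an added example (not the source of `fix-h990-cmdline`): it rewrites the 512-byte `cmdline` field at offset 64 of a version-0 Android boot image header, always replacing the three model/SIM arguments and adding the two `androidboot.*` arguments only when absent. The function names, the sample header and taking the single-SIM key as `lge.dsds` are assumptions; the misc-area lookup the post mentions is not modelled.

```python
MAGIC = b"ANDROID!"
CMDLINE_OFF, CMDLINE_LEN = 64, 512  # cmdline field in a v0 boot image header

# Added only when missing; an existing value is left alone, as the post says.
KEPT_DEFAULTS = {"androidboot.bl_unlock_complete": "false",
                 "androidboot.authorized_kernel": "true"}


def merge_cmdline(cmdline: str, model: str, sim_num: int) -> str:
    """Return cmdline with exactly one copy of each H990 argument."""
    forced = {"model.name": model,
              "lge.sim_num": str(sim_num),
              "lge.dsds": "dsds" if sim_num == 2 else "none"}
    managed = set(forced) | set(KEPT_DEFAULTS)
    out, seen = [], set()
    for arg in cmdline.split():
        key = arg.split("=", 1)[0]
        if key in managed:
            if key in seen:
                continue                     # duplicate from an earlier run
            seen.add(key)
            if key in forced:
                arg = f"{key}={forced[key]}"  # model/SIM values always replaced
        out.append(arg)
    defaults = {**forced, **KEPT_DEFAULTS}
    out += [f"{k}={v}" for k, v in defaults.items() if k not in seen]
    return " ".join(out)


def read_cmdline(img: bytes) -> str:
    """Decode the NUL-terminated cmdline field of the header."""
    field = img[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN]
    return field.split(b"\0", 1)[0].decode("ascii")


def patch_boot_image(img: bytes, model: str, sim_num: int) -> bytes:
    """Rewrite the header cmdline field; the rest of the image is untouched."""
    if img[:8] != MAGIC:
        raise ValueError("not an Android boot image")
    new = merge_cmdline(read_cmdline(img), model, sim_num).encode("ascii")
    if len(new) >= CMDLINE_LEN:              # field must stay NUL-terminated
        raise ValueError("command line does not fit in the header field")
    end = CMDLINE_OFF + CMDLINE_LEN
    return img[:CMDLINE_OFF] + new.ljust(CMDLINE_LEN, b"\0") + img[end:]


# Constructed sample: one 2048-byte header page with a made-up command line.
SAMPLE = (MAGIC + bytes(56)
          + b"console=ttyHSL0 androidboot.hardware=example").ljust(2048, b"\0")
```

Running `patch_boot_image` twice on the same image yields identical bytes, which is the property the post asks later kernel packagers not to break.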
    26
    The two tweaks I'm most tempted to do are adding UDF (rather better FS than exfat) and enabling some of the extra security protections around the modem (a vulnerable area).

    I'll be happy to assist others who want to add extras to the kernel. I've been assuming my taste in kernel tweaks wouldn't suit many people. Just need someone who wants to build kernels.
    Hi emdroidle, I completed a kernel based on the Werewolf Kernel 2.0 stock branch, thanks to USA-RedDragon, here is his source code.
    I cherry-picked your latest dirtysanta modem code on v0.2-branch-BUILD. Just want to test the video recording and see how it behaves on LG's stock kernel source.
    The difference from stock is I updated the zzmoove governor to the latest bLE-develop-k3xx branch, this is a tweak for the SD820's big.LITTLE CPU, and built the kernel with the Linaro Toolchain from The Flash.
    Other kernel features are the same as the stock Werewolf Kernel.
    I tested this on my V20 H990N for 2 weeks, video recording and playback are fine. I am not a developer, just copy and paste the code to the source.....


    Btw, @emdroidle I noticed the phone connects to the cellular network faster than before, with your latest modem code.

    Edit: 20171026
    1. My unofficial Werewolf kernel download from here
    2. My self-built kernel, just tested on my H990N, and I don't use an external SD card, so can't test the exfat module, and I don't have much time to maintain it, even this phone is not my daily use one. I built this kernel just as a hobby. Someone reported they get a kernel crash after the LG logo appears.
    Be careful before you flash it!

    Download Link
    Here

    Source Code: https://github.com/guaibao1101/h990x-msm-3.18

    Thanks to emdroidle for mentioning me in the OP :)
    25
    OK guys, I think I got it. Working on my H990DS root and focus working with s5k2p7 sensor.

    This is nothing more than the v0.2 kernel of emdroidle + s5k2p7 drivers.

    Need some beta testers here, just use this kernel instead of emdroidle's.

    EDIT : updated v0.2b with texfat
    EDIT 2 : updated v0.2d with cam & power drivers from LS997
    17
    Hi guys,

    Here is a modified version of @emdroidle's 0.2.3a updated with all cam drivers from stock v10g. It fixes the video freeze issue.
    ===> h990-kernel-0.2.3b-jahlex.zip (14.33 MB)

    EDIT : and a brand new kernel I built based on v10g stock sources. Currently running on my H990DS. Need some beta testers here.
    ===> LGH990-stock-jahlex-0.1.zip (14.15 MB)
    17
    Hi,

    Without big hope, I requested LGE, a while ago, to release the last sources for H990 and H990DS... and they just did. http://opensource.lge.com/osSch/list?types=ALL&search=H990

    Dear Customer,

    We received your request on the LG Open Source Code Distribution site (http://opensource.lge.com).
    This site provides source codes for FOSS (Free and Open Source Software) we use in our product.

    We uploaded the source code you requested, so it is now available for you to download.

    We hope this information is helpful.

    Thank you.
    Sincerely yours

    What I was thinking about camera drivers is confirmed. See attached screenshot.
    @emdroidle : hope it will help in solving the remaining issues.

    I will try to have a look on my side if I find some time (difficult at the moment).