Took a while to work things out, but DirtySanta has been successfully extended to international versions of the LGE V20.
While I have tried to ensure this works for anyone, this may fail. I also do not provide any warranty! The result of a failure could include voiding of warranty and hardware damage. This is also one of the most complicated rooting procedures due to SE Linux, we've been unable to simplify things.
Be careful! Many of these commands have a high probability of resulting in a brick if mistyped. Be prepared to have your V20 out of commission for a day or two while you ask questions about the state your phone has ended up in.
Also Don't Panic! If something starts going wrong, stop. Better to have your daily driver out of commission for 24 hours, than have it out of commission permanently.
As of this time there are some sporadic reports of problems. Some people have camera trouble. If a cause can be identified these will definitely get fixed ASAP. Work is well under way, experimental fixes for this are out.
As preparation, I would like folks to be familiar with LGUP/LGBridge and how to use them. Using LGUP is also how to get back to stock. On the H990DS Bluetooth is implemented via kernel module and the kernel module has to be loaded off /system, therefore there is no choice but to write to /system.
Beware: Once past14 LGUP will recognize your device as a US996. Do not flash a US996 KDZ file! Doing so will brick you. See below for instructions on going back to stock.
Devices
v0.2.4 includes patches for all of the recently discovered kernel issues. The kernel Bluetooth patch is included, but the are also userspace patches for a portion of "BlueBorne". The "Broadpwn" vulnerability has also been patched. Yet more 802.11 patches have been added over v0.2.3a, unfortunately the fix for the KRACK attack is in the userspace program "wpa_supplicant" not the kernel.
Alternative instructions:
By @ahlok_hk here
Rooting and full bootloader unlock for the H990 versions of the LGE V20:
During all subsequent boots a red triangle with a warning about your device being corrupt will show up. The only method to remove that would be to get my kernel signed by LGE and I'm rather doubtful that will ever happen. Only thing we can do is to call it a badge of honor.
There is now a tool for writing KDZ files to phones. This is recommended in order to get up to date on security patches.
Going back to stock:
As with those whole rooting procedure, this is hazardous. Be careful, go slow and don't rush things.
Method 1a: (TWRP, strongly preferred!)
Method 1b: (TWRP, with file from another source)
This is simply a tweak of the above resulting from recalling there is a backup of aboot already on the phone itself.
Method 2: (fastboot)
Danger! This method is not recommended, except as an emergency fallback. Writes done via `fastboot flash` have be demonstrated to unreliable. This works if TWRP is unavailable, but avoid if possible.
Rescue from going back to stock problems:
Apparently it is possible to enable extra features in LGUP, documented in this thread. If you're forced to use approach back to stock approach v2, here is a method to rescue you. This may even have the potential to function as an alternative DirtySanta installation approach. This even works as a full back to stock method by itself! Thanks to @Prowler_gr for sharing!
Technical discussion
If you're not planning to build your own kernel and aren't curious about how things work, no need to read these long details.
What was my old tree is here. I've got a build hack, which I suspect is meant to be handled by other means (later compiler?) so some extras are here.
Now releasing version v0.2 here. With the extra hack for compilation and exfat is here.
My latest .zip makes use of the `fix-h990-cmdline` tool from here.
There are 3 major fixes needed for making working kernels for the H990.
Originally these values were added by hard-coding them. This works, but doesn't scale well. Even before my first kernel release I was pondering modifying things by reading them from the command-line. In order for this strategy to work, these additional arguments must be added to the Android boot image command-line. This additional step was implemented in `fix-h990-cmdline` in my lg-v20-tools. For a H990DS the string " model.name=LG-H990ds lge.sim_num=2 lge.dsds=dsds androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added, while for a H990 the string " model.name=LG-H990 lge.sim_num=1 lgs.dsds=none androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added.
With my current kernel source `fix-h990-cmdline` must be run on the boot image before the kernel will successfully boot. This is done inside the tools/ak2-core.sh script in the .zip file. The command is `$bin/fix-h990-cmdline /tmp/anykernel/boot-new.img`. `fix-h990-cmdline` could also be run on /dev/block/bootdevice/by-name/boot after the kernel had been installed.
Important note, modification of the boot image command-line must be done carefully. If a previous kernel already added the command-line options, care must be taken to ensure they're not present multiple times. `fix-h990-cmdline` was specifically written with this issue in mind, please don't break this. Also note fix-h990-cmdline will replace the values of "model.name", "lge.sim_num" and "lge.dsds" based upon the contents of the misc area; the values of "androidboot.bl_unlock_complete" and "androidboot.authorized_kernel" will be left alone if already present.
The most recent version of `fix-h990-cmdline` has been modified to allow specifying the model and SIM count on the command-line. `fix-h990-cmdline` will complain if the command-line disagrees with the misc area, but it will obey the command-line and lie to the kernel.
Thanks and warning:
This is near certain to void your warranty. While care has been taken to reduce the chance of producing a brick, there are no guarantees.
Thanks to:
@me2151 the original DirtySanta bootloader, crucial for this to work
@thubble for figuring out the last bit of the modem fix and (successful) guinea pig #2
@exadeci (successful) guinea pig #1
@Xenogenics helping others, posting some reasonable instructions
@USA-RedDragon for making everyone aware of LineageOS's source tree
A copy of the source tree used for building these is here. Two small hacks are used during the actual build process, this is an exact copy of what is built.
News:
v0.2.2: The kernel portion of BlueBorne is patched. Unfortunately there is apparently a userspace portion as well. Broadpwn (Wifi vulnerability) is patched.
v0.2.3: Adding the driver for the S5K2P7 camera sensor, seems LGE needs to work on their updates since they're required to release source for this updated driver, but haven't. This fixes the camera focus issue observed on some devices.
v0.2.3a: The internal fix-h990-cmdline utility was adjusted due to the quirk with single-SIM devices. This should make the dual-SIM menus disappear from single-SIM devices.
v0.2.4: Yet more 802.11 patches have been added (KRACK is in wpa_supplicant on /system, not the kernel). A tentative fix for the video recording issue has been found. There are distinct downsides to the fix, but at least something working is available
H990* Generic Kernel v0.2.4:
MD5: 5c37b2fa01417874fa6e4456a333792d
SHA1: 79033bad078991180b6f308c99527ef4cd6e1379
SHA512: c2167602edd93e7bab76e7e89093e2ebb1670163ccb812ec327b03d98931c57566a3ab565e81ca4b7de142771f22e6723f291df0c5cad82982a24d5da18b5011
H990* Generic Kernel v0.2.3a:
MD5: b9cd4c750e9bc8627d07243f7e4c3c82
SHA1: e16f348e11e765651564922823b9e38f27c41976
SHA512: 1965bec516d6b886aa283b24906a6bec1c3e8a9b39f1efd5f57c00eaa222940d3cc2420cee83712f47c17e0b397ab1b1d7254c5c43d40ca016e06630206f5505
H990* Generic Kernel v0.2.3:
MD5: fb32e04ec9f5f2fd21bf226db722947c
SHA1: e7ab1533106e0d11075e21b097629be307123879
SHA512: 0c58586c1a8a678d644912d2dd64d970cd0614a8c85bfaae787d1970b16bd03306bd3189f9b07ace80d0f9f9072fc7b6efbd4556da0b09d4ad205922b35aedd9
H990* Generic Kernel v0.2.2:
MD5: f85de33a3354973920b6ffc7baeb7d62
SHA1: 2a9dd897fd44efa13be0f4d2e17ef90ba896b399
SHA512: 3f4e8110b68ae58b38f3abc50d3633df9b45bf4a68120e37ea3934e78b659514d20a2ddbe2d35a30a23b9ed6285c47cacacd43676da82d678201e79748e57c8b
H990* Generic Kernel v0.2.1:
MD5: d08807bc5f3e14fbbcbadbf7013988d0
SHA1: 3b1871c974fe06a6125a47200dc0e35b12a20abc
SHA512: 6d84c27f5752b1313157bbebb917683ce37384032b3d72afc15fa3679839da325a1fdb0824aca28dda2d95161d0e4a0ec343e4e1f35fd0b3700e156d4d60f03f
Alternative kernel builds:
I'm carefully releasing source of my kernel builds (above) and others are welcome to build kernels modified to their preferences. They can also target any kernel issues they find and fix.
@jahlex has the "D.O.T.S." kernel here. This is built from stock LGE and targets camera issues. Due to being closer to LGE's source it may well provide some better hardware support.
@Leicxan has successfully built a werewolf derived kernel, here. For a number of people this works better.
While I have tried to ensure this works for anyone, this may fail. I also do not provide any warranty! The result of a failure could include voiding of warranty and hardware damage. This is also one of the most complicated rooting procedures due to SE Linux, we've been unable to simplify things.
Be careful! Many of these commands have a high probability of resulting in a brick if mistyped. Be prepared to have your V20 out of commission for a day or two while you ask questions about the state your phone has ended up in.
Also Don't Panic! If something starts going wrong, stop. Better to have your daily driver out of commission for 24 hours, than have it out of commission permanently.
As of this time there are some sporadic reports of problems. Some people have camera trouble. If a cause can be identified these will definitely get fixed ASAP. Work is well under way, experimental fixes for this are out.
As preparation, I would like folks to be familiar with LGUP/LGBridge and how to use them. Using LGUP is also how to get back to stock. On the H990DS Bluetooth is implemented via kernel module and the kernel module has to be loaded off /system, therefore there is no choice but to write to /system.
Beware: Once past14 LGUP will recognize your device as a US996. Do not flash a US996 KDZ file! Doing so will brick you. See below for instructions on going back to stock.
Devices
- H990DS (dual-SIM): Known working
- H990N (dual-SIM): Known working
- H990 (single-SIM): Known working
- H990* (other): ALPHA reports of success needed.
v0.2.4 includes patches for all of the recently discovered kernel issues. The kernel Bluetooth patch is included, but the are also userspace patches for a portion of "BlueBorne". The "Broadpwn" vulnerability has also been patched. Yet more 802.11 patches have been added over v0.2.3a, unfortunately the fix for the KRACK attack is in the userspace program "wpa_supplicant" not the kernel.
Alternative instructions:
By @ahlok_hk here
Rooting and full bootloader unlock for the H990 versions of the LGE V20:
- Ensure you have a backup plan: https://forum.xda-developers.com/v20/how-to/restore-v20-to-100-stock-bricked-devices-t3524903
- Backup your phone data. LG Bridge/LG Backup is pretty reliable, but I strongly advise backing up everything onto a desktop/laptop computer. If you backup to SD card, the SD card must not be encrypted! (failures will destroy the key and the data)
- Go to Settings -> General -> About phone -> Software info -> Android security patch level; if your phone is on an update after December 31, use LGUP to "refurbish" to an earlier firmware release (this will do a factory reset).
- Ensure you have ADB/Fastboot files installed and working: https://forum.xda-developers.com/showthread.php?t=2588979
This also requires developer mode -> USB debugging to be enabled.
- Ensure you have all relevant files prepared:
Installed backup plan.
Installed Terminal Emulator on device.
Downloaded DirtySanta's files and copied them to ADB directory.
Downloaded files, Put kernel and SU implementation (Magisk.zip and
SuperSU.zip work) into SD card; and TWRP into ADB directory.
Note: It may be necessary to temporarily disable anti-virus/anti-malware programs when unpacking the original DirtySanta. At least one has detected `dirtycow`/CVE-2016-5195 as malware (it can in fact act in that role).
- Using dirtysanta's steps: Run "RUNMEFIRST.bat" <-- Do not close.
- Run "step1.bat" <-- Wait until you can type something again.
- Type "run-as con" <-- If you get unknown package error, means your latest security patch patched it out; go back to step 3. LGUP should be able to downgrade you to an earlier firmware update.
- Type "chmod 0777 /storage/emulated/0/*"
- Open Terminal Emulator, Type "id"
- Look for something containing "untrusted_app". If not found, Start all over again. If found, continue.
- Type "applypatch /system/bin/atd /storage/emulated/0/dirtysanta" into Terminal Emulator
- Wait for RUNMEFIRST.bat console to prompt you to run step2.bat.
- Run "step2.bat"
- Save copies (put them somewhere safe where you'll remember them) of the files "abootbackup.img" and "bootbackup.img", which "step2.bat" saves in its directory, the latter is crucial in returning to stock.
- At a command prompt run the following commands, but make sure to wait at least 30 seconds between each. Do not skimp on that delay as otherwise the likelihood is this will fail (this is the most unreliable step in this process); waiting longer than 30 seconds is fine.
Code:fastboot flash recovery twrp-3.0.2-1-h990.img fastboot flash recovery twrp-3.0.2-1-h990.img fastboot reboot
- Boot in to TWRP.
Press and hold volume DOWN; press and hold power until the LG logo comes up, then briefly release power (0.5-1.0sec) and then hold power again. If you fail to get this right the first time, you will likely need to pull the battery out and start from power off.
You will then be prompted "Delete all user data (including LG and carrier apps) and reset all settings?"
Select "Yes" twice, and as long as TWRP installation was successful you'll get into TWRP and NO RESET will be done.
Inside TWRP flash "h990-kernel.zip" and then flash SU implementation (Magisk.zip or
SuperSU.zip). At this point the process should be complete. There won't be static on boot, you'll have root and nothing else should have changed.
If your phone's userdata got locked, there may be a need to wipe cache and data to regain access.
During all subsequent boots a red triangle with a warning about your device being corrupt will show up. The only method to remove that would be to get my kernel signed by LGE and I'm rather doubtful that will ever happen. Only thing we can do is to call it a badge of honor.
There is now a tool for writing KDZ files to phones. This is recommended in order to get up to date on security patches.
Going back to stock:
As with those whole rooting procedure, this is hazardous. Be careful, go slow and don't rush things.
Method 1a: (TWRP, strongly preferred!)
- Boot into TWRP (DOWN + Power with a brief release during LG logo).
- Copy the file "abootbackup.img" from your archive to your phone (adb push abootbackup.img /). This is the file you should have saved from step 15 above.
- Run `adb shell` and type (or copy&paste) the following commands:
Code:dd if=abootbackup.img of=/dev/block/bootdevice/by-name/aboot sync sleep 30 sync
- Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
- Load the appropriate KDZ file onto your phone via LGUP.
Method 1b: (TWRP, with file from another source)
This is simply a tweak of the above resulting from recalling there is a backup of aboot already on the phone itself.
- Boot into TWRP (DOWN + Power with a brief release during LG logo).
- Run `adb shell` and type (or copy&paste) the following commands:
Code:dd if=/dev/block/bootdevice/by-name/abootback of=/dev/block/bootdevice/by-name/aboot sync sleep 30 sync
- Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
- Load the appropriate KDZ file onto your phone via LGUP.
Method 2: (fastboot)
Danger! This method is not recommended, except as an emergency fallback. Writes done via `fastboot flash` have be demonstrated to unreliable. This works if TWRP is unavailable, but avoid if possible.
- Boot into fastboot mode. Any of these methods should work:
- (if Android running normally) Run `adb reboot bootloader`
- (from a powered down state) Press and hold DOWN, then plug in USB cable.
- (powered down, USB plugged in) Press and hold DOWN, then power on.
- With "abootbackup.img" in the current directory run the following commands, while waiting at least 30 seconds between them:
Code:fastboot flash aboot abootbackup.img (wait >30s) fastboot flash aboot abootbackup.img (wait >30s) fastboot reboot
- Get into Download mode. Press and hold UP. If the phone has already started to load Android, pull the battery, reinstall battery; then press and hold UP and power on.
- Load the appropriate KDZ file onto your phone via LGUP.
Rescue from going back to stock problems:
Apparently it is possible to enable extra features in LGUP, documented in this thread. If you're forced to use approach back to stock approach v2, here is a method to rescue you. This may even have the potential to function as an alternative DirtySanta installation approach. This even works as a full back to stock method by itself! Thanks to @Prowler_gr for sharing!
Technical discussion
If you're not planning to build your own kernel and aren't curious about how things work, no need to read these long details.
What was my old tree is here. I've got a build hack, which I suspect is meant to be handled by other means (later compiler?) so some extras are here.
Now releasing version v0.2 here. With the extra hack for compilation and exfat is here.
My latest .zip makes use of the `fix-h990-cmdline` tool from here.
There are 3 major fixes needed for making working kernels for the H990.
- First, the H990 has its own distinct version of the panel timings, which was added in this commit. Combined with the more robust graphics driver from CAF, this solves the "static" issue. The "static" issue is far more severe for the H990* than other V20 versions, the workaround of covering the proximity sensor does not work.
- Second, the kernel command-line needs to be modified. Crucially this tells the Android runtime whether the device is single-SIM or dual-SIM. This was originally implemented in a combination of commit 1 and commit 2. Notice CONFIG_CMDLINE and CONFIG_CMDLINE_EXTEND add on to the command-line passed by the boot loader.
- Third, the modem driver (files in /firmware) apparently gets its information on the modem chip by looking at a structure in the SMEM_ID_VENDOR0 portion of platform "smem" area. The original LGE boot loader puts appropriate values into this data structure, but the DirtySanta debug boot loader leaves important parts of the structure uninitialized. As such this area needed to be modified before modem initialization, done here.
Originally these values were added by hard-coding them. This works, but doesn't scale well. Even before my first kernel release I was pondering modifying things by reading them from the command-line. In order for this strategy to work, these additional arguments must be added to the Android boot image command-line. This additional step was implemented in `fix-h990-cmdline` in my lg-v20-tools. For a H990DS the string " model.name=LG-H990ds lge.sim_num=2 lge.dsds=dsds androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added, while for a H990 the string " model.name=LG-H990 lge.sim_num=1 lgs.dsds=none androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added.
With my current kernel source `fix-h990-cmdline` must be run on the boot image before the kernel will successfully boot. This is done inside the tools/ak2-core.sh script in the .zip file. The command is `$bin/fix-h990-cmdline /tmp/anykernel/boot-new.img`. `fix-h990-cmdline` could also be run on /dev/block/bootdevice/by-name/boot after the kernel had been installed.
Important note, modification of the boot image command-line must be done carefully. If a previous kernel already added the command-line options, care must be taken to ensure they're not present multiple times. `fix-h990-cmdline` was specifically written with this issue in mind, please don't break this. Also note fix-h990-cmdline will replace the values of "model.name", "lge.sim_num" and "lge.dsds" based upon the contents of the misc area; the values of "androidboot.bl_unlock_complete" and "androidboot.authorized_kernel" will be left alone if already present.
The most recent version of `fix-h990-cmdline` has been modified to allow specifying the model and SIM count on the command-line. `fix-h990-cmdline` will complain if the command-line disagrees with the misc area, but it will obey the command-line and lie to the kernel.
Thanks and warning:
This is near certain to void your warranty. While care has been taken to reduce the chance of producing a brick, there are no guarantees.
Thanks to:
@me2151 the original DirtySanta bootloader, crucial for this to work
@thubble for figuring out the last bit of the modem fix and (successful) guinea pig #2
@exadeci (successful) guinea pig #1
@Xenogenics helping others, posting some reasonable instructions
@USA-RedDragon for making everyone aware of LineageOS's source tree
A copy of the source tree used for building these is here. Two small hacks are used during the actual build process, this is an exact copy of what is built.
News:
v0.2.2: The kernel portion of BlueBorne is patched. Unfortunately there is apparently a userspace portion as well. Broadpwn (Wifi vulnerability) is patched.
v0.2.3: Adding the driver for the S5K2P7 camera sensor, seems LGE needs to work on their updates since they're required to release source for this updated driver, but haven't. This fixes the camera focus issue observed on some devices.
v0.2.3a: The internal fix-h990-cmdline utility was adjusted due to the quirk with single-SIM devices. This should make the dual-SIM menus disappear from single-SIM devices.
v0.2.4: Yet more 802.11 patches have been added (KRACK is in wpa_supplicant on /system, not the kernel). A tentative fix for the video recording issue has been found. There are distinct downsides to the fix, but at least something working is available
H990* Generic Kernel v0.2.4:
MD5: 5c37b2fa01417874fa6e4456a333792d
SHA1: 79033bad078991180b6f308c99527ef4cd6e1379
SHA512: c2167602edd93e7bab76e7e89093e2ebb1670163ccb812ec327b03d98931c57566a3ab565e81ca4b7de142771f22e6723f291df0c5cad82982a24d5da18b5011
H990* Generic Kernel v0.2.3a:
MD5: b9cd4c750e9bc8627d07243f7e4c3c82
SHA1: e16f348e11e765651564922823b9e38f27c41976
SHA512: 1965bec516d6b886aa283b24906a6bec1c3e8a9b39f1efd5f57c00eaa222940d3cc2420cee83712f47c17e0b397ab1b1d7254c5c43d40ca016e06630206f5505
H990* Generic Kernel v0.2.3:
MD5: fb32e04ec9f5f2fd21bf226db722947c
SHA1: e7ab1533106e0d11075e21b097629be307123879
SHA512: 0c58586c1a8a678d644912d2dd64d970cd0614a8c85bfaae787d1970b16bd03306bd3189f9b07ace80d0f9f9072fc7b6efbd4556da0b09d4ad205922b35aedd9
H990* Generic Kernel v0.2.2:
MD5: f85de33a3354973920b6ffc7baeb7d62
SHA1: 2a9dd897fd44efa13be0f4d2e17ef90ba896b399
SHA512: 3f4e8110b68ae58b38f3abc50d3633df9b45bf4a68120e37ea3934e78b659514d20a2ddbe2d35a30a23b9ed6285c47cacacd43676da82d678201e79748e57c8b
H990* Generic Kernel v0.2.1:
MD5: d08807bc5f3e14fbbcbadbf7013988d0
SHA1: 3b1871c974fe06a6125a47200dc0e35b12a20abc
SHA512: 6d84c27f5752b1313157bbebb917683ce37384032b3d72afc15fa3679839da325a1fdb0824aca28dda2d95161d0e4a0ec343e4e1f35fd0b3700e156d4d60f03f
Alternative kernel builds:
I'm carefully releasing source of my kernel builds (above) and others are welcome to build kernels modified to their preferences. They can also target any kernel issues they find and fix.
@jahlex has the "D.O.T.S." kernel here. This is built from stock LGE and targets camera issues. Due to being closer to LGE's source it may well provide some better hardware support.
@Leicxan has successfully built a werewolf derived kernel, here. For a number of people this works better.
Attachments
Last edited: