• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[ROOT] DirtySanta comes for the H990

Search This thread


New member
Oct 1, 2018
I hope someone can assist. I’m doing this to unlock the bootloader to install LineageOS on my v20 h990n. I can’t get past step 7:Run "step1.bat" <-- Wait until you can type something again. I’ve followed every step to the letter and even restored the pre 2017 security patch. The window closes on its own and does not let me type the next step. I’ve ran it from the command line and it will say something like multiple devices/ emulators, I’ll list the devices and I’ll just see the v20 but when I run the RUNTHISFIRST it will show the v20 and emulator-5554, this is the only thing I can figure out that can help. I’ve restarted, used a different pc, renewed the debugging on the v20 and tried several times but is stuck. The device I’m trying to root is a v20 h990n. I’m running the latest windows 10 Ive made sure adb and fastboot work correctly I do have a old Linux computer running manjaro lying around but haven’t tried using it. Any assistance or suggestions are much appreciated.


New member
May 29, 2012
Quezon City
I did the steps in this main page about 2 years ago with success. I have used stock recently but wanted to try the LOS 18.1 since LG is closing down.

I tried the whole day using the same steps from before with no success. I am only able to boot with the static screen. The RUNMEFIRST.bat is not working for me. I managed to solve this by using the LOS 18.1 default recovery and then following the usage instruction for LOS 18.1 installation here

I just wanted to share this to everyone especially if you want to use LOS 18.1.

I hope this would save you a day! LOL

I can happily report a successful unlocking of the bootloader and customROM install (de-googled LOS "/e/-OS").
I had to downgrade stock from 20 something to 10c first. Only thing in the process was that RUNMEFIRST.sh did not come up with a prompt . Ihad been waiting for 25min, the terminal on the phone came up with the prompt though. I simply opened another terminal tab (using Linux) and went on with step2. I flashed the latest version of twrp here.
Eventually, the ROM and Magisk were installed.

Thanks a lot for this to all involved!


New member
Jul 21, 2012
Buenos Aires
My lack of knowledge caused me to get stuck in almost every point of the guide, but searching and reading this thread I finally got it.
My dear v20 thought his retirement was coming ... not today :)

I just installed LOS 18.1 without problems

Very thankful!


Nov 24, 2013
[SOLVED]...... by writing erlier version of .kdz with uppercut.

I receive purple broken screen with stripes after performing step 16 with flashing TWRP and erasing user data. Phone reboots with broken screen.

Or earlierif reboot after step 12, flashing patch inside phone.

Need help or explanation should I go on try to flash this phone or try return to seller, it is refurbished.

Ill describe steps in next message.


  • IMG_20210604_183028952_HDR.jpg
    1.6 MB · Views: 21
  • IMG_20210604_152931462_HDR.jpg
    2.3 MB · Views: 23
Last edited:


Nov 24, 2013
[SOLVED]...... by writing erlier version of .kdz with uppercut.

My security patch level is December 1, 2016.
Instruction doesn't say before which YEAR it must be.

I use H990N10e_00_OPEN_HK_DS_OP_1208.kdz
with UPPERCUT. It returns phone to working state after failed attempt.

On windows RUNMEFIRST.bat
reports BEGINING OF CRUSH at the end of writing patch.
is this normal or something is wrong?

C:\adb>adb logcat -s dirtysanta
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
- waiting for device -
--------- beginning of system
--------- beginning of main
--------- beginning of crash
01-01 12:13:46.073 7344 7344 I dirtysanta: Starting Backup
01-01 12:13:47.502 7344 7344 I dirtysanta: Backup Complete.
01-01 12:13:52.502 7344 7344 I dirtysanta: Starting flash of Aboot!
01-01 12:13:52.674 7344 7344 I dirtysanta: Finished. Please run Step 2 now.

I dont receive any other error messages during commands execution.

But after i confirm Delete all user data twice phone reboots to broken screen.
It is even slightly broken during fastboot mode after stage2.bat. It has purple stripes at the top, but it works.

Ony terminal from Jack Palevich shows untrusted app when
Other terminals dont.
And it reports this even with fresh kdz and erased data.
So this is strange.

What causes fail?
Do I nee to downgrade or try another kdz?
Please need advice.
Detailed steps
flash with uppercot

# db logcat | grep -a dirtysanta
* daemon not running; starting now at tcp:5037
* daemon started successfully

# adb push dirtysanta /storage/emulated/0
dirtysanta: 1 file pushed, 0 skipped. 7.0 MB/s (18760 bytes in 0.003s)

# adb push aboot.img /storage/emulated/0
aboot.img: 1 file pushed, 0 skipped. 324.6 MB/s (2097152 bytes in 0.006s)

# adb push dirtycow /data/local/tmp
dirtycow: 1 file pushed, 0 skipped. 4.1 MB/s (9984 bytes in 0.002s)

# adb push my-run-as /data/local/tmp
my-run-as: 1 file pushed, 0 skipped. 5.2 MB/s (13796 bytes in 0.003s)

# adb shell chmod 0777 /data/local/tmp/*

# adb shell /data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/my-run-as
warning: new file size (13796) and file old size (14360) differ

size 14360

[*] mmap 0x7bcead0000
[*] exploit (patch)
[*] currently 0x7bcead0000=10102464c457f
[*] madvise = 0x7bcead0000 14360
[*] madvise = 0 1048576
[*] /proc/self/mem -2122317824 1048576
[*] exploited 0x7bcead0000=10101464c457f

# adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/dirtycow
warning: new file size (9984) and file old size (165144) differ

size 165144

[*] mmap 0x7b3ebd7000
[*] exploit (patch)
[*] currently 0x7b3ebd7000=10102464c457f
[*] madvise = 0x7b3ebd7000 165144
[*] madvise = 0 1048576
[*] /proc/self/mem 1367343104 1048576
[*] exploited 0x7b3ebd7000=10102464c457f

# adb shell
elsa:/ $ run-as con
elsa:/ #

# chmod 0777 /storage/emulated/0/*

on phone
# applypatch /system/bin/atd /storage/emulated/0/dirtysanta

# adb reboot bootloader

# fastboot flash recovery twrp-3.0.2-1-h990.img
sleep 30
# fastboot flash recovery twrp-3.0.2-1-h990.img
sleep 30
# fastboot reboot
Last edited:


Nov 24, 2013
Made my way to TWRP!
Something from following worked:

1. Flashed different .kdz firware with uppercot. [probably this helped]
2. Boot to recovery and cleared data directly after wrighting firware.
3. Send 3 times TWRP file (but this was done before).

It would be much better if first post had this advice and I didnt spent all day figuring out this.
New user may not know is it safe to flash different .kdz file.
And it is not very clear how much different it must be.

Files for h990ds may not work for h990n. Much newer version may create more problems.

Im glad it finaly worked!
One more step to free from bloatware and google`s clingy hugs.
Last edited:

Feldmarschall Edgar

Senior Member
Mar 18, 2017
Nexus 7
Samsung Galaxy Note 4
I intend to go back to stock because it seems that i wiped my H990DS to much while changing the rom and removed my ability to use the fingerprint sensor.
Now i am stuck at LGUP, which i already enchanced with uppercut, because even though LGUP should be for all devices LGUP starts as LGUP (US996) yet the device that is recognized as behing connected is my H990DS.
I also have an US996. I dont know if that could be the case but (besides the DLL just behing wrong) could the driver for the US996 be loaded when LGUP is started right befor the H990DS is recognized.

If it is the dll please point me to the proper dll i downloaded different once from LG Firmware. I also deleted LGUP and or implemented he dll in multiple configurations.


Oct 28, 2013
LG V20
I intend to go back to stock because it seems that i wiped my H990DS to much while changing the rom and removed my ability to use the fingerprint sensor.
Now i am stuck at LGUP, which i already enchanced with uppercut, because even though LGUP should be for all devices LGUP starts as LGUP (US996) yet the device that is recognized as behing connected is my H990DS.
I also have an US996. I dont know if that could be the case but (besides the DLL just behing wrong) could the driver for the US996 be loaded when LGUP is started right befor the H990DS is recognized.

If it is the dll please point me to the proper dll i downloaded different once from LG Firmware. I also deleted LGUP and or implemented he dll in multiple configurations.
I don't understand your post in its entirety. But the opening post of this thread says the following. Maybe it helps?

Beware: Once past14 LGUP will recognize your device as a US996. Do not flash a US996 KDZ file! Doing so will brick you. See below for instructions on going back to stock.


Feb 27, 2017
With my H990DS, something very strange happened when I followed this tutorial. I did manage to pass each and every step successfully.
When all was 100% done, I wanted to flash Lineage 18.1 (Android 11) but TWRP said the ROM, which is for H990*, is not for my model.
TWRP said my model was " . " !!!
I do not know where this could come from... :-//
Could someone help me ?
Thanks a lot in adv.

E3004 as shown below

Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 110
    Took a while to work things out, but DirtySanta has been successfully extended to international versions of the LGE V20.

    While I have tried to ensure this works for anyone, this may fail. I also do not provide any warranty! The result of a failure could include voiding of warranty and hardware damage. This is also one of the most complicated rooting procedures due to SE Linux, we've been unable to simplify things.

    Be careful! Many of these commands have a high probability of resulting in a brick if mistyped. Be prepared to have your V20 out of commission for a day or two while you ask questions about the state your phone has ended up in.
    Also Don't Panic! If something starts going wrong, stop. Better to have your daily driver out of commission for 24 hours, than have it out of commission permanently.

    As of this time there are some sporadic reports of problems. Some people have camera trouble. If a cause can be identified these will definitely get fixed ASAP. Work is well under way, experimental fixes for this are out.

    As preparation, I would like folks to be familiar with LGUP/LGBridge and how to use them. Using LGUP is also how to get back to stock. On the H990DS Bluetooth is implemented via kernel module and the kernel module has to be loaded off /system, therefore there is no choice but to write to /system.
    Beware: Once past14 LGUP will recognize your device as a US996. Do not flash a US996 KDZ file! Doing so will brick you. See below for instructions on going back to stock.


    • H990DS (dual-SIM): Known working
    • H990N (dual-SIM): Known working
    • H990 (single-SIM): Known working
    • H990* (other): ALPHA reports of success needed.
    There is now a v0.2.4 combined kernel. This version should work for all H990* variants and should hopefully have fewer issues due to being on a later kernel release. The quirk of some of the dual-SIM features showing up in menus should be fixed in v0.2.4.
    v0.2.4 includes patches for all of the recently discovered kernel issues. The kernel Bluetooth patch is included, but the are also userspace patches for a portion of "BlueBorne". The "Broadpwn" vulnerability has also been patched. Yet more 802.11 patches have been added over v0.2.3a, unfortunately the fix for the KRACK attack is in the userspace program "wpa_supplicant" not the kernel. :(

    Alternative instructions:
    By @ahlok_hk here

    Rooting and full bootloader unlock for the H990 versions of the LGE V20:
    1. Ensure you have a backup plan: https://forum.xda-developers.com/v20/how-to/restore-v20-to-100-stock-bricked-devices-t3524903
    2. Backup your phone data. LG Bridge/LG Backup is pretty reliable, but I strongly advise backing up everything onto a desktop/laptop computer. If you backup to SD card, the SD card must not be encrypted! (failures will destroy the key and the data)
    3. Go to Settings -> General -> About phone -> Software info -> Android security patch level; if your phone is on an update after December 31, use LGUP to "refurbish" to an earlier firmware release (this will do a factory reset).
    4. Ensure you have ADB/Fastboot files installed and working: https://forum.xda-developers.com/showthread.php?t=2588979
      This also requires developer mode -> USB debugging to be enabled.
    5. Ensure you have all relevant files prepared:
      Installed backup plan.
      Installed Terminal Emulator on device.
      Downloaded DirtySanta's files and copied them to ADB directory.
      Downloaded files, Put kernel and SU implementation (Magisk.zip and
      SuperSU.zip work) into SD card; and TWRP into ADB directory.
      Note: It may be necessary to temporarily disable anti-virus/anti-malware programs when unpacking the original DirtySanta. At least one has detected `dirtycow`/CVE-2016-5195 as malware (it can in fact act in that role).
    6. Using dirtysanta's steps: Run "RUNMEFIRST.bat" <-- Do not close.
    7. Run "step1.bat" <-- Wait until you can type something again.
    8. Type "run-as con" <-- If you get unknown package error, means your latest security patch patched it out; go back to step 3. LGUP should be able to downgrade you to an earlier firmware update.
    9. Type "chmod 0777 /storage/emulated/0/*"
    10. Open Terminal Emulator, Type "id"
    11. Look for something containing "untrusted_app". If not found, Start all over again. If found, continue.
    12. Type "applypatch /system/bin/atd /storage/emulated/0/dirtysanta" into Terminal Emulator
    13. Wait for RUNMEFIRST.bat console to prompt you to run step2.bat.
    14. Run "step2.bat"
    15. Save copies (put them somewhere safe where you'll remember them) of the files "abootbackup.img" and "bootbackup.img", which "step2.bat" saves in its directory, the latter is crucial in returning to stock.
    16. At a command prompt run the following commands, but make sure to wait at least 30 seconds between each. Do not skimp on that delay as otherwise the likelihood is this will fail (this is the most unreliable step in this process); waiting longer than 30 seconds is fine.
      fastboot flash recovery twrp-3.0.2-1-h990.img
      fastboot flash recovery twrp-3.0.2-1-h990.img
      fastboot reboot
      Of all steps this is by far the most unreliable! If you have problems at the end, most likely you'll need to get back to the bootloader (hold power-UP and then insert USB cable) and repeat this step.
    17. Boot in to TWRP.
      Press and hold volume DOWN; press and hold power until the LG logo comes up, then briefly release power (0.5-1.0sec) and then hold power again. If you fail to get this right the first time, you will likely need to pull the battery out and start from power off.
      You will then be prompted "Delete all user data (including LG and carrier apps) and reset all settings?"
      Select "Yes" twice, and as long as TWRP installation was successful you'll get into TWRP and NO RESET will be done.
      Inside TWRP flash "h990-kernel.zip" and then flash SU implementation (Magisk.zip or
      SuperSU.zip). At this point the process should be complete. There won't be static on boot, you'll have root and nothing else should have changed.

      If your phone's userdata got locked, there may be a need to wipe cache and data to regain access.

    During all subsequent boots a red triangle with a warning about your device being corrupt will show up. The only method to remove that would be to get my kernel signed by LGE and I'm rather doubtful that will ever happen. Only thing we can do is to call it a badge of honor.

    There is now a tool for writing KDZ files to phones. This is recommended in order to get up to date on security patches.

    Going back to stock:
    As with those whole rooting procedure, this is hazardous. Be careful, go slow and don't rush things.

    Method 1a: (TWRP, strongly preferred!)
    1. Boot into TWRP (DOWN + Power with a brief release during LG logo).
    2. Copy the file "abootbackup.img" from your archive to your phone (adb push abootbackup.img /). This is the file you should have saved from step 15 above.
    3. Run `adb shell` and type (or copy&paste) the following commands:
      dd if=abootbackup.img of=/dev/block/bootdevice/by-name/aboot
      sleep 30
    4. Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
    5. Load the appropriate KDZ file onto your phone via LGUP.

    Method 1b: (TWRP, with file from another source)
    This is simply a tweak of the above resulting from recalling there is a backup of aboot already on the phone itself.
    1. Boot into TWRP (DOWN + Power with a brief release during LG logo).
    2. Run `adb shell` and type (or copy&paste) the following commands:
      dd if=/dev/block/bootdevice/by-name/abootback of=/dev/block/bootdevice/by-name/aboot
      sleep 30
    3. Get into Download mode. Power off phone from TWRP. Press and hold UP, then power phone on (no need to hold power).
    4. Load the appropriate KDZ file onto your phone via LGUP.

    Method 2: (fastboot)
    Danger! This method is not recommended, except as an emergency fallback. Writes done via `fastboot flash` have be demonstrated to unreliable. This works if TWRP is unavailable, but avoid if possible.
    1. Boot into fastboot mode. Any of these methods should work:
      • (if Android running normally) Run `adb reboot bootloader`
      • (from a powered down state) Press and hold DOWN, then plug in USB cable.
      • (powered down, USB plugged in) Press and hold DOWN, then power on.
    2. With "abootbackup.img" in the current directory run the following commands, while waiting at least 30 seconds between them:
      fastboot flash aboot abootbackup.img
      (wait >30s)
      fastboot flash aboot abootbackup.img
      (wait >30s)
      fastboot reboot
    3. Get into Download mode. Press and hold UP. If the phone has already started to load Android, pull the battery, reinstall battery; then press and hold UP and power on.
    4. Load the appropriate KDZ file onto your phone via LGUP.

    Rescue from going back to stock problems:
    Apparently it is possible to enable extra features in LGUP, documented in this thread. If you're forced to use approach back to stock approach v2, here is a method to rescue you. This may even have the potential to function as an alternative DirtySanta installation approach. This even works as a full back to stock method by itself! Thanks to @Prowler_gr for sharing!

    Technical discussion
    If you're not planning to build your own kernel and aren't curious about how things work, no need to read these long details.

    What was my old tree is here. I've got a build hack, which I suspect is meant to be handled by other means (later compiler?) so some extras are here.
    Now releasing version v0.2 here. With the extra hack for compilation and exfat is here.

    My latest .zip makes use of the `fix-h990-cmdline` tool from here.

    There are 3 major fixes needed for making working kernels for the H990.
    1. First, the H990 has its own distinct version of the panel timings, which was added in this commit. Combined with the more robust graphics driver from CAF, this solves the "static" issue. The "static" issue is far more severe for the H990* than other V20 versions, the workaround of covering the proximity sensor does not work.
    2. Second, the kernel command-line needs to be modified. Crucially this tells the Android runtime whether the device is single-SIM or dual-SIM. This was originally implemented in a combination of commit 1 and commit 2. Notice CONFIG_CMDLINE and CONFIG_CMDLINE_EXTEND add on to the command-line passed by the boot loader.
    3. Third, the modem driver (files in /firmware) apparently gets its information on the modem chip by looking at a structure in the SMEM_ID_VENDOR0 portion of platform "smem" area. The original LGE boot loader puts appropriate values into this data structure, but the DirtySanta debug boot loader leaves important parts of the structure uninitialized. As such this area needed to be modified before modem initialization, done here.

    Originally these values were added by hard-coding them. This works, but doesn't scale well. Even before my first kernel release I was pondering modifying things by reading them from the command-line. In order for this strategy to work, these additional arguments must be added to the Android boot image command-line. This additional step was implemented in `fix-h990-cmdline` in my lg-v20-tools. For a H990DS the string " model.name=LG-H990ds lge.sim_num=2 lge.dsds=dsds androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added, while for a H990 the string " model.name=LG-H990 lge.sim_num=1 lgs.dsds=none androidboot.bl_unlock_complete=false androidboot.authorized_kernel=true" is added.

    With my current kernel source `fix-h990-cmdline` must be run on the boot image before the kernel will successfully boot. This is done inside the tools/ak2-core.sh script in the .zip file. The command is `$bin/fix-h990-cmdline /tmp/anykernel/boot-new.img`. `fix-h990-cmdline` could also be run on /dev/block/bootdevice/by-name/boot after the kernel had been installed.
    Important note, modification of the boot image command-line must be done carefully. If a previous kernel already added the command-line options, care must be taken to ensure they're not present multiple times. `fix-h990-cmdline` was specifically written with this issue in mind, please don't break this. Also note fix-h990-cmdline will replace the values of "model.name", "lge.sim_num" and "lge.dsds" based upon the contents of the misc area; the values of "androidboot.bl_unlock_complete" and "androidboot.authorized_kernel" will be left alone if already present.
    The most recent version of `fix-h990-cmdline` has been modified to allow specifying the model and SIM count on the command-line. `fix-h990-cmdline` will complain if the command-line disagrees with the misc area, but it will obey the command-line and lie to the kernel.

    Thanks and warning:

    This is near certain to void your warranty. While care has been taken to reduce the chance of producing a brick, there are no guarantees.

    Thanks to:
    @me2151 the original DirtySanta bootloader, crucial for this to work
    @thubble for figuring out the last bit of the modem fix and (successful) guinea pig #2
    @exadeci (successful) guinea pig #1
    @Xenogenics helping others, posting some reasonable instructions
    @USA-RedDragon for making everyone aware of LineageOS's source tree

    A copy of the source tree used for building these is here. Two small hacks are used during the actual build process, this is an exact copy of what is built.

    v0.2.2: The kernel portion of BlueBorne is patched. Unfortunately there is apparently a userspace portion as well. Broadpwn (Wifi vulnerability) is patched.
    v0.2.3: Adding the driver for the S5K2P7 camera sensor, seems LGE needs to work on their updates since they're required to release source for this updated driver, but haven't. This fixes the camera focus issue observed on some devices.
    v0.2.3a: The internal fix-h990-cmdline utility was adjusted due to the quirk with single-SIM devices. This should make the dual-SIM menus disappear from single-SIM devices.
    v0.2.4: Yet more 802.11 patches have been added (KRACK is in wpa_supplicant on /system, not the kernel). A tentative fix for the video recording issue has been found. There are distinct downsides to the fix, but at least something working is available

    H990* Generic Kernel v0.2.4:
    MD5: 5c37b2fa01417874fa6e4456a333792d
    SHA1: 79033bad078991180b6f308c99527ef4cd6e1379
    SHA512: c2167602edd93e7bab76e7e89093e2ebb1670163ccb812ec327b03d98931c57566a3ab565e81ca4b7de142771f22e6723f291df0c5cad82982a24d5da18b5011

    H990* Generic Kernel v0.2.3a:
    MD5: b9cd4c750e9bc8627d07243f7e4c3c82
    SHA1: e16f348e11e765651564922823b9e38f27c41976
    SHA512: 1965bec516d6b886aa283b24906a6bec1c3e8a9b39f1efd5f57c00eaa222940d3cc2420cee83712f47c17e0b397ab1b1d7254c5c43d40ca016e06630206f5505

    H990* Generic Kernel v0.2.3:
    MD5: fb32e04ec9f5f2fd21bf226db722947c
    SHA1: e7ab1533106e0d11075e21b097629be307123879
    SHA512: 0c58586c1a8a678d644912d2dd64d970cd0614a8c85bfaae787d1970b16bd03306bd3189f9b07ace80d0f9f9072fc7b6efbd4556da0b09d4ad205922b35aedd9

    H990* Generic Kernel v0.2.2:
    MD5: f85de33a3354973920b6ffc7baeb7d62
    SHA1: 2a9dd897fd44efa13be0f4d2e17ef90ba896b399
    SHA512: 3f4e8110b68ae58b38f3abc50d3633df9b45bf4a68120e37ea3934e78b659514d20a2ddbe2d35a30a23b9ed6285c47cacacd43676da82d678201e79748e57c8b

    H990* Generic Kernel v0.2.1:
    MD5: d08807bc5f3e14fbbcbadbf7013988d0
    SHA1: 3b1871c974fe06a6125a47200dc0e35b12a20abc
    SHA512: 6d84c27f5752b1313157bbebb917683ce37384032b3d72afc15fa3679839da325a1fdb0824aca28dda2d95161d0e4a0ec343e4e1f35fd0b3700e156d4d60f03f

    Alternative kernel builds:
    I'm carefully releasing source of my kernel builds (above) and others are welcome to build kernels modified to their preferences. They can also target any kernel issues they find and fix.

    @jahlex has the "D.O.T.S." kernel here. This is built from stock LGE and targets camera issues. Due to being closer to LGE's source it may well provide some better hardware support.

    @Leicxan has successfully built a werewolf derived kernel, here. For a number of people this works better.
    The two tweaks I'm most tempted to do is adding UDF (rather better FS than exfat) and to enable some of the extra security protections around the modem (a vulnerable area).

    I'll be happy to assist others who want to add extras to the kernel. I've been assuming my taste in kernel tweaks wouldn't suit many people. Just need someone who wants to build kernels.
    Hi emdroidle, i complete a kernel based on Werewolf Kernel 2.0 stock branch, thanks for USA-Reddragon, here is his source code.
    I cherry-picked your latest dirtysanta modem code on v0.2-branch-BUILD. Just want to test the vedio record and see how it's beheave on LG'S stock kernel source.
    The difference from stock is I update zzmoove governor to the latest bLE-develop-k3xx branch, this is tweak for SD820's big.LTTLE CPU, and build kernel with Linaro Toolchain from The Flash.
    Other kernelf feature is as same as stock Werewolf Kernel.
    I test this on my V20 H990N for 2 weeks, video record and playback is fine. I am not a developer, just copy and paste the code to the source.....

    Btw, @emdroidle I noticed the phone connect to the cellular network is fater than before, with your latest modem code.

    Edit: 20171026
    1. My unofficial Werewolf kernel download from here
    2. My self-build kernel, just test on my H990N, and I don't use extand-sdcard, so can't test the exfat module, and I don't have much time for maintenance it, even this phone is not my daily use one. I build this kernel is just for my hobbit. Someone report they get a kernel crash after the lg logo appear.
    Be careful before you flash it!

    Download Link

    Source Code: https://github.com/guaibao1101/h990x-msm-3.18

    Thanks to emdroidle mention me in OP :)
    OK guys, I think I got it. Working on my H990DS root and focus working with s5k2p7 sensor.

    This is nothing more than the v0.2 kernel of emdroidle + s5k2p7 drivers.

    Need some beta testers here, just use this kernel instead of emdroidle's.

    EDIT : updated v0.2b with texfat
    EDIT 2 : updated v0.2d with cam & power drivers from LS997
    Hi guys,

    Here is a modified version of @emdroidle's 0.2.3a updated with all cam drivers from stock v10g. iI fixes video freeze issue.
    ===> h990-kernel-0.2.3b-jahlex.zip (14.33 MB)

    EDIT : and a brand new kernel I built based on v10g stock sources. Currently running on my H990DS. Need some beta testers here.
    ===> LGH990-stock-jahlex-0.1.zip (14.15 MB)

    Without big hope, I requested LGE, a while ago, to release the last sources for H990 and H990DS... and they just did. http://opensource.lge.com/osSch/list?types=ALL&search=H990

    Dear Customer,

    We received your request on the LG Open Source Code Distribution site (http://opensource.lge.com).
    This site provides source codes for FOSS (Free and Open Source Software) we use in our product.

    We uploaded the source code you requested, so it is now available for you to download.

    We hope this information is helpful.

    Thank you.
    Sincerely yours

    What I was thinking about camera drivers is confirmed. See attached screenshot.
    @emdroidle : hope it will help in solving the remaining issues.

    I will try to have a look on my side if I find some time (difficult at the moment).