Root & Install TWRP H830 (20A) (Nougat) LG G5. Hard Recowvery Method

[GioAlvarez777]

Hi guys, I didnt have much luck with the Easy Recowvery method on my G5 (20A)
Sooo, i thought i'd share with you, (what i like to call) Hard Recowvery method.
This is the most effective way i've rooted & installed TWRP my H830 on 7.0 (Nougat)

First lets download the neccessary recowvery files located here (Put them all in a folder): https://build.nethunter.com/android-tools/dirtycow/arm64/
Make sure you have the latest twrp for your phone: https://twrp.me/devices/lgg5h830.html
Latest Verity zip: https://build.nethunter.com/android-tools/no-verity-opt-encrypt/
Latest SuperSU: https://download.chainfire.eu/1021/SuperSU/SR3-SuperSU-v2.79-SR3-20170114223742.zip
---
Shift+Open Command window in Recowvery folder
Note: Use app_process32 on 32-bit targets.
once in cmd window from your recowvery folder follow these steps:
---
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp

adb shell

$ cd /data/local/tmp
$ chmod 0777 *
$ ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
$ ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
$ exit

adb logcat -s recowvery
"<wait for it to tell you it was successful>"
"[CTRL+C]"

adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"

adb shell

$ getenforce
"<it should say Permissive, adjust source and build for your device!>"

$ cd /data/local/tmp
$ ./dirtycow /system/bin/run-as recowvery-run-as
$ run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"

$ run-as su

(You need to rename the twrp img to "twrp.img" and put in the root of your internal storage, OR you can use this adb push command. The next two steps wont be neccessary if already done so.)

adb push twrp-3.0.2-x-xxxx.img /sdcard/twrp.img
adb shell

run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
"<wait for it to complete>"
$ reboot recovery
---
You should be in TWRP now,
flash supersu and the verity 4.1 zips. [Format Data] will remove internal storage encryption. so back up everything you need to with nandroid. lg backup, or titanium. (So i saw that they have updated verity zips but i just used 4.1)
I prefer lg backup, its easiest.
After you format data reflash supersu and verity zips for the hell of it. (you dont have to i dont think but i just did anyway)
Now just reboot, & enjoy

This isnt a method i created, i got it from this thread. and made the steps i felt were neccessary.
https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594

 

[Tinbender418]

Works until "run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery" then says:
Current uid: 0
We have root access!
------------
Executing: 'dd' with 2 arguments

dd: /sdcard/twrp.img: No such file or directory
1|h1:/data/local/tmp #
No Twrp recovery any help?

---------- Post added at 08:47 PM ---------- Previous post was at 08:07 PM ----------

Forgot to rename recovery.

---------- Post added at 09:32 PM ---------- Previous post was at 08:47 PM ----------

Problem solved! Forgot to rename img.

 

[djevil]

Works until "run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery" then says:
Current uid: 0
We have root access!
------------
Executing: 'dd' with 2 arguments

dd: /sdcard/twrp.img: No such file or directory
1|h1:/data/local/tmp #
No Twrp recovery any help?

---------- Post added at 08:47 PM ---------- Previous post was at 08:07 PM ----------

Forgot to rename recovery.

---------- Post added at 09:32 PM ---------- Previous post was at 08:47 PM ----------

Problem solved! Forgot to rename img.

The 2 agreement how did u type it BC I had that but I didn't know what to type so I use the toolkit instead

Sent from my LG-H830 using Tapatalk

 

[Tinbender418]

Rename to twrp.omg move to internal sd card.

Sent from my LG-H830 using Tapatalk

 

[GioAlvarez777]

sorry guys i was busy! & yes you need to rename the recovery img to "twrp.img". i will add the step to rename the twrp file!

 

[GioAlvarez777]

The 2 agreement how did u type it BC I had that but I didn't know what to type so I use the toolkit instead

Sent from my LG-H830 using Tapatalk

Just copy and paste everything as you see it. and if you mean you didnt know how to rename twrp recover just rename to "twrp.img"

 

[jdkzombie]

so my getenforce keeps saying enforcing?

---------- Post added at 10:39 AM ---------- Previous post was at 10:35 AM ----------

and the command to run-as exec says no exec found?

---------- Post added at 10:50 AM ---------- Previous post was at 10:39 AM ----------

Hmm so after looking it up, apparently my brand new G5 I just got today is on 20c and not 20a. I guess that is the problem?

 

[jdkzombie]

hello?

 

[Tinbender418]

hello?

Yes that is the problem Read Autoprime's thread on the H83020c update. He explains a way to root device by downgrading to H83020a using LGUP.

Sent from my LG-H830 using Tapatalk

 

[wadamean]

I don't seem to get passed the adb logcat step because I do so and it says that all process was done correctly but my phone won't at all boot up after he T-Mobile logo
Tried and did everything step by step and this is always the problem and can't get passed it
Someone please help


Sent from my iPhone using Tapatalk

 

[djerick3]

Just use the Automagically thread a few below this one. You have to be on 20A for it to work. I used that method and it worked on the first try. Now I'm on 20C and I'm rooted as well. This way is way too complicated.

 

[wadamean]

Just use the Automagically thread a few below this one. You have to be on 20A for it to work. I used that method and it worked on the first try. Now I'm on 20C and I'm rooted as well. This way is way too complicated.

The easy recovery method that runs the script? I have tried it countless times and also doesn't seem to work

 

[djerick3]

The easy recovery method that runs the script? I have tried it countless times and also doesn't seem to work

First you need to run the script and follow the instructions to the letter. If you read into the thread you'll see that you need to turn off verification before you run it. I forget what option it is but ill check and post it for you. Worked smooth for me first try.

 

[eliolicious]

Stuck

I seem to be stuck at adb logcat -s recowvery
"<wait for it to tell you it was successful>"
"[CTRL+C]"

It's been a while. It hasn't moved from there and it won't let me input anything else. I got stuck after beginning of main and beginning of system.

 

[veekay]

Will this work starting from MM or only once on Nougat? My phone hasn't downloaded the update yet and it won't let me force it. Trying it on MM doesn't seem to complete.

 

[Rican39]

Sent from my LG-H830 using XDA-Developers Legacy app

---------- Post added at 04:17 AM ---------- Previous post was at 03:48 AM ----------

Deleted

Sent from my LG-H830 using XDA-Developers Legacy app

Sent from my LG-H830 using XDA-Developers Legacy app

 

[joesee]

Well this is interesting. The script the people above are talking about never worked for me. So I came here and got my hands dirty and did it the manual way. Everything worked great until I formatted data and reflashed verity and su zips. After booting, all I can get the phone to do is boot to twrp. I've successfully flashed the 20A kdz back to stock with unlocked bootloader. Just wondering what I did wrong?

Once I get into TWRP the steps used were:

1 - Flash SuperSU
2- Flash verity zip
3- Format Data
4- Flash SuperSU again (for good measure)
5- Flash verity zip again (for good measure)

All these instructions make sense but at the top of the OP it says to NOT swipe to allow system modifications. I thought after formatting data and flashing the verity zip that we can swipe to allow. If we can't modify the system partition, how do we access it for busybox, etc..

Sorry for the odd questions - just looking for clarity!


UPDATE: Sorry, I resolved my own problem. Just don't ever swipe to modify system in TWRP and you're good. Not sure why this was the case.

 

[codahq]

I seem to be stuck at adb logcat -s recowvery
"<wait for it to tell you it was successful>"
"[CTRL+C]"

It's been a while. It hasn't moved from there and it won't let me input anything else. I got stuck after beginning of main and beginning of system.

I have this same problem. Did you figure out the issue?

 

[codahq]

I have this same problem. Did you figure out the issue?

I figured out the issue. There are a bunch of threads floating around here that seem to think that the dirtycow exploit will work on 20A and 20C. That is definitely not the case. 20C it is patched so you have to KDZ back to 20A and then exploit. Then you can TWRP flash 20C if you want to go back to 20C.

I'm was on 20C though and dirtycow definitely doesn't work.

 

[chairman011]

Noob question

I got this phone lg g 5 tmobile variant yesterday. I was on marshmallow rooted with Xposed Framework Flashed 7.0 thinking it was a rom. I lost root and lost custom recovery I'm trying to root on 7.0 via dirty cow but instructions r too complicated. Can anybody tell me what dirty cow files to download and were to put the folder pls