• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[Sprint LG G8] Bootloader Unlocking and Permanent Root Guide

Search This thread

BrandonB1218

Senior Member
Jul 22, 2010
121
105
Edit with a quick note: My apologies if I have misrepresented my involvement in the development of this method. I have gotten some PM's asking for help getting other devices unlocked. I should make it clear that my involvement only goes as far as #1. Putting this guide together and #2. Testing various different things. An extremely short and not at all comprehensive list of the real talent involved here would be people like White, j4nn, Vlad48, those are just the ones I know of.

After lots of work and testing, we now have a method of bootloader unlocking that is safe, if done properly, by flashing a V50 engineering bootloader. Note that you must be on a firmware version vulnerable to temp rooting for this to work, either in slot A or slot B. I've put together a comprehensive guide, as well as a zip containing all of the required files. It has been thoroughly vetted by the members primarily responsible for developing this method of bootloader unlocking. I'm providing a Google Drive link to a zip that includes the required files and the guide.

Currently, I'm looking for boot image dumps for those of you that are on 20j, 20m, 20a, 20b, and 20c. Right now the only Magisk patched boot images I have available are for 20d and 20e, however if you can dump your boot image I would be happy to patch it for you if you have a different firmware version.

Please report back with your feedback and success.

[Update 6/01/2020] Minor corrections to guide. Separated guide from zip for easier updating in the future.
Required Files - https://drive.google.com/file/d/1H08suuBBmHqttfMLZqBfy9yCDoAWylNy/view?usp=sharing
Guide - https://drive.google.com/file/d/1M4oEa3jkF_ZZzl1SKc6tvQtukc-KEgXK/view?usp=sharing

Edit:
I've added the entirety of the guide in post #4 and #5, for those that would like to take a look without downloading the zip first. Just fyi the formatting may be a tad messed up as it was copy and pasted from LibreOffice.

Many people contributed to making this a possibility!
Thank you to:

[email protected]
Vlad48
j4nn
Antintin
Luis Rosado
Brigantti

And so many more. From devs to testers, the above list is miniscule compared to what should be up there. This is simply either who I know of and/or who I have interacted with directly. I'm more than happy to expand this list upon request if anyone that has contributed would like their name up there.
 

Attachments

  • IMG_20200531_143434.jpg
    IMG_20200531_143434.jpg
    253.9 KB · Views: 1,989
  • IMG_20200531_143517.jpg
    IMG_20200531_143517.jpg
    232.9 KB · Views: 1,991
  • IMG_20200531_143646.jpg
    IMG_20200531_143646.jpg
    250 KB · Views: 1,940
  • IMG_20200531_143704.jpg
    IMG_20200531_143704.jpg
    228.5 KB · Views: 1,899
Last edited:

BrandonB1218

Senior Member
Jul 22, 2010
121
105
Can anyone confirm this works?

I did it on my Sprint LG G8 without issue and at the time of writing 20+ testers have had success with this method.

Edit:
This method works by flashing a V50 engineering bootloader to allow access to fastboot commands, which then allows OEM unlocking. Stand by for pictures, will add them to the OP.

Edit 2:
Pictures added, and guide added below.
 
Last edited:
  • Like
Reactions: mr.vishh

BrandonB1218

Senior Member
Jul 22, 2010
121
105
Sprint LG G8 Temp Root, BL Unlock, TWRP, & Magisk Guide

Requirements

A Sprint LG G8 with the one of the following configurations:

A: Android 10 20e or lower and Pie on slots A/B or B/A.
B: Android 10 20e or lower and Android 10 any firmware on slots A/B or B/A.

1. LG 4.2 Drivers
2. The latest available ADB Platform Tools
3. Python 3.8.3 With PATH Set
4. OEM Unlocking Enabled in Developer Settings
5. ADB Debugging Enabled in Developer Settings
6. The files mentioned throughout this guide. They will either have links or they will be provided in the forum post.

Excellent reading comprehension and patience!

Warnings

1. You do this at your own risk!
2. Be prepared to data wipe/factory reset a lot.
3. There are some critical steps that you cannot get wrong or you risk a brick. Read very carefully, take your time.
4. There are a lot of steps involved in this guide. If you are unsure in the slightest, do not make an assumption. Ask for clarification before you proceed.

Step 1A, Firmware Check:

First, you need to verify your current firmware version. Anything 20e or lower is currently vulnerable to the Temp Root exploit provided by j4nn.

Open Settings > System > About Phone > Software Version, third line down. If your current version is 20f (the latest available from LG at the time of writing), your firmware is not vulnerable to the exploit and we will need to switch slots and check your firmware version there. It’s recommended that you factory data reset before performing this step to avoid the startup PIN lockout, regardless if you have one set or not, it will ask for a startup PIN and it WILL FAIL to unlock. Either way, you will be forced to factory reset.

Follow this guide provided by Antintin to switch slots: https://forum.xda-developers.com/lg-g8/how-to/people-trying-beta-want-to-revert-t4011925. After switching, boot to Android. Skip the initial setup. Please take note which slot you switched to that contains the prior version of Android. SABS 0 is slot A, SABS 1 is slot B.

If your current firmware version is vulnerable, skip to Step 2, Temp Rooting.

Step 1B, Switching Slots:

By this point, you will have switched to your inactive slot following the guide linked above and booted to Android. Follow the same steps listed above to check your firmware version. If you see anything lower than 20f, for example: 20a, 20b, 20c, 20d, 20e, this version is exploitable. If you have an exploitable firmware in this slot, continue to “Step 2, Temp Rooting”. If you do not have an exploitable firmware in this slot, the temp root exploit will not work and therefore, the bootloader unlock will not be possible.

Step 2, Temp Rooting:

Our next step is to achieve temp root on whichever slot is vulnerable. Follow this guide provided by j4nn and return here after you have temp root. https://forum.xda-developers.com/lg-g8/development/lg-g8-temp-root-exploit-via-cve-2020-t4100333

After achieving temp root:

Make a backup of your stock images. This step is not optional and if you skip it you do so at your own peril. No one is going to have a copy of your exact images. Copy and paste each line in your root shell and pull the images off your phone and keep them safe. There are also two scripts included with this guide, one that will automate the steps below, and the other that will perform a full backup of every partition. It’s recommended that you make a complete firmware backup. The images listed below are just the bare minimum.

dd if=/dev/block/sda28 of=/storage/emulated/0/Download/OP_a.img
dd if=/dev/block/sda29 of=/storage/emulated/0/Download/OP_b.img
dd if=/dev/block/sda19 of=/storage/emulated/0/Download/carrier.img
dd if=/dev/block/sde64 of=/storage/emulated/0/Download/catecontentfv.img
dd if=/dev/block/sde63 of=/storage/emulated/0/Download/catefv.img
dd if=/dev/block/sde57 of=/storage/emulated/0/Download/cateloader.img
dd if=/dev/block/sdg1 of=/storage/emulated/0/Download/frp.img
dd if=/dev/block/sdf5 of=/storage/emulated/0/Download/fsc.img
dd if=/dev/block/sdf4 of=/storage/emulated/0/Download/fsg.img
dd if=/dev/block/sda8 of=/storage/emulated/0/Download/ftm.img
dd if=/dev/block/sda31 of=/storage/emulated/0/Download/grow.img
dd if=/dev/block/sdf4 of=/storage/emulated/0/Download/fsg.img

Running the backup script

adb push backupall-part.sh /data/local/tmp

Execute the following in a root shell:

cd /data/local/tmp
sh backupall-part.sh

When complete, copy the backed up images from your internal storage Download folder to your computer.

You are now ready to proceed with Bootloader unlocking. Leave your root shell open.

Step 3A, Bootloader Unlocking:

Before We Begin:

A word of warning. These next steps involve issuing dd commands to overwrite your bootloader on your currently inactive slot (the active slot being the one you are on now with temp root) with a V50 engineering bootloader. This method has been performed at least half a dozen times without a brick. As long as you follow the instructions carefully, you should be fine.

Secondly, if your inactive slot is not on firmware version 20d, we will have to flash the entire 20d backup to the inactive slot via fastboot flash commands or you will likely not boot or have an extremely unstable system. (See the amended “Step 4, Flashing 20d” step.) You can find the 20d backup here, provided by Luis: https://drive.google.com/file/d/1lXpO-sntmFmabDJ2dnfkQXqL6kEDvca0/view?usp=sharing

The above link contains images for both 20d and Pie. The _a images are 20d, the _b images are Pie. If you do not already have one, and you would like a bootable Pie slot, you may flash the _b images to the slot containing the engineering bootloader. We will cover this topic in a later step. Do not attempt without reading the step, Bonus: Pie Slot, at the end of this guide.

Moving On:

We need to find out your current active slot. In your root shell, type, without the quotes, “getprop | grep slot”. If you are in slot A, continue to “Step 3B, Slot A dd Commands”. If you are in slot B, continue to “Step 3C, Slot B dd Commands”.

Step 3B, Slot A dd Commands:

The following dd commands will flash xbl, xbl_config, abl and laf from Pie, as well as the V50 engineering bootloader to slot B. Copy these images to your internal storage Download folder.

Before We Begin:

It is required that each of these commands be run at least 5 times to ensure proper flashing. If you’re going to brick, this is the time it’s going to happen. There is little risk as long as you flash the same images at least 5 times to ensure proper flashing.

Secondly, if at any point the dd commands fail, reboot, regain temp root, and try again.

Moving On:

In your root shell, run the following at least 5 times for each image. For example, you will flash the V50 bootloader 5 times before moving on to the next dd command.

1. dd if=/storage/emulated/0/Download/V500ES_abl_a.img of=/dev/block/bootdevice/by-name/abl_b

2. dd if=/storage/emulated/0/Download/xbl_b.img of=/dev/block/bootdevice/by-name/xbl_b

3. dd if=/storage/emulated/0/Download/xbl_config_b.img of=/dev/block/bootdevice/by-name/xbl_config_b

4. dd if=/storage/emulated/0/Download/laf_b.img of=/dev/block/bootdevice/by-name/laf_b

You can now exit the root shell by typing “exit” twice. This is required. Leave your cmd prompt or powershell window open.

Switch to slot B by following the guide linked above in Step 1A, Firmware Check.

Reboot to Fastboot while in slot B via the key combination volume down and power. Select the restart bootloader option using the volume keys, and the power button to confirm your selection. You must select restart bootloader or your device will not show up in fastboot devices even though you have booted to bootloader already!

Type fastboot devices in your cmd prompt or powershell window. You should now see your device listed in fastboot mode.

Type fastboot oem unlock, select Yes. You are now bootloader unlocked!

If slot A does contain firmware version 20d, proceed to “Step 4A, Magisk Flashing”.
If slot A does not contain firmware version 20d, proceed to “Step 4B, Flashing 20d”.

Step 3C, Slot B dd Commands:

The following dd commands will flash xbl, xbl_config, abl and laf from Pie, as well as the V50 engineering bootloader to slot A. Copy these images to your internal storage Download folder.

Before We Begin:

It is required that each of these commands be run at least 5 times to ensure proper flashing. If you’re going to brick, this is the time it’s going to happen. There is little risk as long as you flash the same images at least 5 times to ensure proper flashing.

Secondly, if at any point the dd commands fail, reboot, regain temp root, and try again.

Moving On:

In your root shell, run the following at least 5 times for each image. For example, you will flash the V50 bootloader 5 times before moving on to the next dd command.

1. dd if=/storage/emulated/0/Download/V500ES_abl_a.img of=/dev/block/bootdevice/by-name/abl_a

2. dd if=/storage/emulated/0/Download/xbl_b.img of=/dev/block/bootdevice/by-name/xbl_a

3. dd if=/storage/emulated/0/Download/xbl_config_b.img of=/dev/block/bootdevice/by-name/xbl_config_a

4. dd if=/storage/emulated/0/Download/laf_b.img of=/dev/block/bootdevice/by-name/laf_a

You can now exit the root shell by typing “exit” twice. This is required. Leave your cmd prompt or powershell window open.

Switch to slot A by following the guide linked above in Step 1A, Firmware Check.

Reboot to Fastboot while in slot A via the key combination volume down and power. Select the restart bootloader option using the volume keys, and the power button to confirm your selection. You must select restart bootloader or your device will not show up in fastboot devices even though you have booted to bootloader already!

Type fastboot devices in your cmd prompt or powershell window. You should now see your device listed in fastboot mode.

Type fastboot oem unlock, select Yes. You are now bootloader unlocked!

If slot B does contain firmware version 20d, proceed to “Step 4A, Magisk Flashing”.
If slot B does not contain firmware version 20d, proceed to “Step 4B, Flashing 20d”.
 
Last edited:

BrandonB1218

Senior Member
Jul 22, 2010
121
105
Step 4A, Magisk Flashing:

The next step is to flash the appropriate Magisk patched boot image for your firmware version. The following commands needs to be changed based on which slot your 20[a,b,c,d,e] firmware is located, and which patched image you’re flashing. For example, if 20d is in slot A, you will use “boot_a”, if it’s in slot B, you will use “boot_b”. Likewise, if 20d is in slot A, you will use “fastboot --set-active=a”, if it’s in slot B, you will use “fastboot --set-active=b”. Note: That’s a double dash before “set”.

fastboot flash boot_a sprint20d_magisk_patched.img
fastboot --set-active=a

Select power off, press the power button to confirm selection. It may take upwards of 10 – 20 seconds to get the phone to turn back on after powering off. This is normal. Boot to Android. If you have a successful boot, skip the initial setup and proceed to “Step 5, Finishing Up”.

Step 4B, Flashing 20d:

I’m leaving this step here in case it is needed. After some testing, we have determined that no stability problems occur as long as you flash a patched boot image that matches your current firmware version. Currently we have patched 20d and 20e boot images available.

For this step, you will need the 20d backup found in “Step 3A, Bootloader Unlocking”. As mentioned before, the _a images are 20d, the _b images are pie. You will only need the _a 20d images for this step.
This cannot be skipped if you are on anything other than 20d. You will have severe system problems IF it even boots at all. The process is straight forward, just slightly time consuming. Lets begin.
Extract the _a 20d images in the g820um20d.zip to your root Android folder containing your platform tools. Each and every image will need to be flashed, in no particular order. Just sort by file type and start from the top. The image file names directly correlate to the partition you are flashing to, for example: abl_a.img will be flashed to abl_a, and so on.
The following fastboot flash commands will need to be changed based on your primary slot letter (the slot that does NOT contain the engineering bootloader). For example, if that happens to be slot B, you will use fastboot flash abl_b abl_a.img, and so on.
fastboot flash abl_a abl_a.img
fastboot flash akmu_a akmu_a.img
And so on, it’s that simple. The only exception is the boot image. You will NOT flash the boot_a image, you will flash the Sprint20D magisk patched image instead.
Once complete execute the following:
fastboot erase userdata
fastboot --set-active=a or --set-active=b based on your primary slot letter.
Select power off, press the power button to confirm selection. It may take upwards of 10 – 20 seconds to get the phone to turn back on after powering off. This is normal. Boot to Android. If you have a successful boot, skip the initial setup and proceed to “Step 5, Finishing Up”.

Step 5, Finishing Up:
In this step we will flash TWRP, reboot to recovery, flash Magisk and dm-verity disabler. An SD card is recommended but not required for this step.

Copy the Disable_Dm-Verity zip, Magisk-v20.4.zip, and the twrp-installer zip to your SD card. Preferably to the Download folder. If you’re using internal storage only, you will move these files to the phone after you data wipe in TWRP.

Download the latest version of the Magisk Manager APK and install it.

Once installed, open Magisk Manager. It will ask you to perform additional setup. Allow it. The phone will reboot automatically. After the reboot, open Magisk Manager once more, tap on the 3 horizontal bars on the top left, and select Modules.
Tap the Plus sign and select the twrp-installer zip. This will flash TWRP. Note that in doing so, this will remove Magisk from the boot image. This is fine.

Shut down the phone and boot to recovery via the key combination. Hold volume down and power until you see Recovery mode flash on screen, you may release the buttons after you see this. You should now be in TWRP. Tap cancel when it asks for a password. Go to Wipe > Advanced > Select data (and only data), and wipe. Reboot the phone back to recovery. Do not let the system boot after data wiping. Go directly back to TWRP. You will NOT brick, however you will have to data wipe and reboot again.

After you’re back in TWRP, it should no longer be asking you for a password. This is good, it means we have removed the encryption.
Next, tap Install. Flash in this order Magisk-v20.4.zip, followed by a reboot directly to TWRP. Next, flash Disable_Dm-Verity. Reboot to system. Continue setup as normal.

Congratulations! You are now bootloader unlocked and rooted.

Bonus: Pie Slot:
As mentioned in “Step 3A, Bootloader Unlocking”, if you do not have a Pie slot, you can flash the Pie images in the zip mentioned in the same step via fastboot flash, the same way you (may have) flashed 20d in “Step 4B, Flashing 20d”. The only difference is you will be flashing all of the _b images except for abl, xbl, and xbl_config to the slot containing the engineering bootloader. You must fastboot erase userdata after flashing the Pie images. Once complete, simply reboot and you should have a bootable Pie slot. Please note that the V50 engineering bootloader prevents the touch screen from working in Pie.
 
Last edited:

IvanN8458

Member
Oct 3, 2012
35
3
Monterrey
No we cant, only lg has the keys to allow cross flashing. and yes it is server sided for now.

BL unlock will not fix an OPID mismatch. I'm told only LG themselves can allow for a proper cross flash, at least for now.


Ok, got it, thank you guys.

---------- Post added at 10:45 PM ---------- Previous post was at 10:35 PM ----------

What was the original model of your phone before trying to cross flash? If you don't know, check it with your imei

I got the phone in this condition, but the phone's got a tag in the back with the model LM-G820UM and a MEID D number written down. When I tried to flash a KDZ, cmd shows "OPID Mismatched SPR_US to" whatever the KDZ variant
 

TPMJB

Senior Member
Jun 28, 2010
1,356
363
www.blackcats-games.net
BL unlock will not fix an OPID mismatch. I'm told only LG themselves can allow for a proper cross flash, at least for now.

For now. We had a weird method in the LG V30 dubbed the "Frankenstein" method that allows everyone to crossflash to the US998 model which is completely unlocked. I picked up a sprint LG V8 that has some issues with the radio as it has problems connecting to wifi but not cellular (as far as I'm aware).
 

antintin

Senior Member
Sep 11, 2019
595
138
LG V40
LG G8
For now. We had a weird method in the LG V30 dubbed the "Frankenstein" method that allows everyone to crossflash to the US998 model which is completely unlocked. I picked up a sprint LG V8 that has some issues with the radio as it has problems connecting to wifi but not cellular (as far as I'm aware).
Up until the lg sdm 855 devices, there weren't as many cross flash locks. Now there's some hardware ones that are checked every boot

---------- Post added at 04:36 PM ---------- Previous post was at 04:34 PM ----------

For now. We had a weird method in the LG V30 dubbed the "Frankenstein" method that allows everyone to crossflash to the US998 model which is completely unlocked. I picked up a sprint LG V8 that has some issues with the radio as it has problems connecting to wifi but not cellular (as far as I'm aware).
I actually noticed a WiFi issue as well, but after flashing the havoc gsi it seems to be largely gone.
 

TPMJB

Senior Member
Jun 28, 2010
1,356
363
www.blackcats-games.net
Up until the lg sdm 855 devices, there weren't as many cross flash locks. Now there's some hardware ones that are checked every boot

---------- Post added at 04:36 PM ---------- Previous post was at 04:34 PM ----------


...why make Hardware locks? That's so incredibly stupid of a company like LG. Though it's quite clear they never cared for us to begin with, seeing how we have to jump through hoops to install custom roms.
 

traybourne

Senior Member
Aug 25, 2011
113
41
Can anyone confirm this works?

I just went through the steps in this guide and can confirm I was able to successfully unlock the bootloader and gain permanent root on my Sprint G8. I did encounter a couple issues though.

1. My phone kept rebooting at random points while trying to backup my current partitions with either the backup script, or manually executing the 'dd' commands. I think I was eventually able to backup all partitions, but it took a few tries.

2. I believe the file names xbl_a.img and xbl_config_a.img should be xbl_b.img and xbl_config_b.img for the commands in steps 3B and 3C as that is what they are named in the provided zip. Not a big deal, but could cause some people issues if they are not paying attention

3. My touchscreen does not work in TWRP, and I had to connect a USB mouse to use it. Not sure what is wrong there, but any help would be much appreciated.

Also my phone got an OTA update notification when I booted into the OS after completing everything. I'm guessing I should not install any OTA updates after unlock and root? What's the best way to update, or should I stay on 20d for now?
 

BrandonB1218

Senior Member
Jul 22, 2010
121
105
I just went through the steps in this guide and can confirm I was able to successfully unlock the bootloader and gain permanent root on my Sprint G8. I did encounter a couple issues though.

1. My phone kept rebooting at random points while trying to backup my current partitions with either the backup script, or manually executing the 'dd' commands. I think I was eventually able to backup all partitions, but it took a few tries.

2. I believe the file names xbl_a.img and xbl_config_a.img should be xbl_b.img and xbl_config_b.img for the commands in steps 3B and 3C as that is what they are named in the provided zip. Not a big deal, but could cause some people issues if they are not paying attention

3. My touchscreen does not work in TWRP, and I had to connect a USB mouse to use it. Not sure what is wrong there, but any help would be much appreciated.

Also my phone got an OTA update notification when I booted into the OS after completing everything. I'm guessing I should not install any OTA updates after unlock and root? What's the best way to update, or should I stay on 20d for now?

1. This is unfortunately, not uncommon due to the method used to temproot. It's not 100% stable. There are some things you can do to potentially get it more stable as discussed in the temproot thread, but it's not perfect.

2. You are correct. I neglected to update this part of the guide. I will fix it ASAP.

3. The touchscreen should work without any issues at all. None of us have had this problem. I will ask someone more knowledgeable to chime in on this one to see how we can get this resolved.

I would strongly recommend against doing any sort of OTA. You could technically do it and switch back to your other slot and reflash the patched boot image, however I do not have a patched 20f boot image and dumping yours would be difficult if you can't boot to Android afterwards. There may be other complications caused by doing an OTA that I'm not aware of as well.

Edit:
To answer your question about updating: If you can get a full 20e dump, you can flash it as described in the guide under the step "Flashing 20d". I would not recommend upgrading to 20f just if for any reason you need to remain vulnerable to temp root.
 
Last edited:
  • Like
Reactions: traybourne

BrandonB1218

Senior Member
Jul 22, 2010
121
105
The issue with touch not working on twrp it can be bypass if you just enter recovery with buttons combo and it works fine.thats how i did it

Ahh yes, this problem. For some reason, the touchscreen does not function 100% of the time when rebooting to recovery via adb or via Magisk or some other software method. Key combination is required.
 
  • Like
Reactions: brigantti

Top Liked Posts

  • There are no posts matching your filters.
  • 18
    Edit with a quick note: My apologies if I have misrepresented my involvement in the development of this method. I have gotten some PM's asking for help getting other devices unlocked. I should make it clear that my involvement only goes as far as #1. Putting this guide together and #2. Testing various different things. An extremely short and not at all comprehensive list of the real talent involved here would be people like White, j4nn, Vlad48, those are just the ones I know of.

    After lots of work and testing, we now have a method of bootloader unlocking that is safe, if done properly, by flashing a V50 engineering bootloader. Note that you must be on a firmware version vulnerable to temp rooting for this to work, either in slot A or slot B. I've put together a comprehensive guide, as well as a zip containing all of the required files. It has been thoroughly vetted by the members primarily responsible for developing this method of bootloader unlocking. I'm providing a Google Drive link to a zip that includes the required files and the guide.

    Currently, I'm looking for boot image dumps for those of you that are on 20j, 20m, 20a, 20b, and 20c. Right now the only Magisk patched boot images I have available are for 20d and 20e, however if you can dump your boot image I would be happy to patch it for you if you have a different firmware version.

    Please report back with your feedback and success.

    [Update 6/01/2020] Minor corrections to guide. Separated guide from zip for easier updating in the future.
    Required Files - https://drive.google.com/file/d/1H08suuBBmHqttfMLZqBfy9yCDoAWylNy/view?usp=sharing
    Guide - https://drive.google.com/file/d/1M4oEa3jkF_ZZzl1SKc6tvQtukc-KEgXK/view?usp=sharing

    Edit:
    I've added the entirety of the guide in post #4 and #5, for those that would like to take a look without downloading the zip first. Just fyi the formatting may be a tad messed up as it was copy and pasted from LibreOffice.

    Many people contributed to making this a possibility!
    Thank you to:

    [email protected]
    Vlad48
    j4nn
    Antintin
    Luis Rosado
    Brigantti

    And so many more. From devs to testers, the above list is miniscule compared to what should be up there. This is simply either who I know of and/or who I have interacted with directly. I'm more than happy to expand this list upon request if anyone that has contributed would like their name up there.
    3
    Sprint LG G8 Temp Root, BL Unlock, TWRP, & Magisk Guide

    Requirements

    A Sprint LG G8 with the one of the following configurations:

    A: Android 10 20e or lower and Pie on slots A/B or B/A.
    B: Android 10 20e or lower and Android 10 any firmware on slots A/B or B/A.

    1. LG 4.2 Drivers
    2. The latest available ADB Platform Tools
    3. Python 3.8.3 With PATH Set
    4. OEM Unlocking Enabled in Developer Settings
    5. ADB Debugging Enabled in Developer Settings
    6. The files mentioned throughout this guide. They will either have links or they will be provided in the forum post.

    Excellent reading comprehension and patience!

    Warnings

    1. You do this at your own risk!
    2. Be prepared to data wipe/factory reset a lot.
    3. There are some critical steps that you cannot get wrong or you risk a brick. Read very carefully, take your time.
    4. There are a lot of steps involved in this guide. If you are unsure in the slightest, do not make an assumption. Ask for clarification before you proceed.

    Step 1A, Firmware Check:

    First, you need to verify your current firmware version. Anything 20e or lower is currently vulnerable to the Temp Root exploit provided by j4nn.

    Open Settings > System > About Phone > Software Version, third line down. If your current version is 20f (the latest available from LG at the time of writing), your firmware is not vulnerable to the exploit and we will need to switch slots and check your firmware version there. It’s recommended that you factory data reset before performing this step to avoid the startup PIN lockout, regardless if you have one set or not, it will ask for a startup PIN and it WILL FAIL to unlock. Either way, you will be forced to factory reset.

    Follow this guide provided by Antintin to switch slots: https://forum.xda-developers.com/lg-g8/how-to/people-trying-beta-want-to-revert-t4011925. After switching, boot to Android. Skip the initial setup. Please take note which slot you switched to that contains the prior version of Android. SABS 0 is slot A, SABS 1 is slot B.

    If your current firmware version is vulnerable, skip to Step 2, Temp Rooting.

    Step 1B, Switching Slots:

    By this point, you will have switched to your inactive slot following the guide linked above and booted to Android. Follow the same steps listed above to check your firmware version. If you see anything lower than 20f, for example: 20a, 20b, 20c, 20d, 20e, this version is exploitable. If you have an exploitable firmware in this slot, continue to “Step 2, Temp Rooting”. If you do not have an exploitable firmware in this slot, the temp root exploit will not work and therefore, the bootloader unlock will not be possible.

    Step 2, Temp Rooting:

    Our next step is to achieve temp root on whichever slot is vulnerable. Follow this guide provided by j4nn and return here after you have temp root. https://forum.xda-developers.com/lg-g8/development/lg-g8-temp-root-exploit-via-cve-2020-t4100333

    After achieving temp root:

    Make a backup of your stock images. This step is not optional and if you skip it you do so at your own peril. No one is going to have a copy of your exact images. Copy and paste each line in your root shell and pull the images off your phone and keep them safe. There are also two scripts included with this guide, one that will automate the steps below, and the other that will perform a full backup of every partition. It’s recommended that you make a complete firmware backup. The images listed below are just the bare minimum.

    dd if=/dev/block/sda28 of=/storage/emulated/0/Download/OP_a.img
    dd if=/dev/block/sda29 of=/storage/emulated/0/Download/OP_b.img
    dd if=/dev/block/sda19 of=/storage/emulated/0/Download/carrier.img
    dd if=/dev/block/sde64 of=/storage/emulated/0/Download/catecontentfv.img
    dd if=/dev/block/sde63 of=/storage/emulated/0/Download/catefv.img
    dd if=/dev/block/sde57 of=/storage/emulated/0/Download/cateloader.img
    dd if=/dev/block/sdg1 of=/storage/emulated/0/Download/frp.img
    dd if=/dev/block/sdf5 of=/storage/emulated/0/Download/fsc.img
    dd if=/dev/block/sdf4 of=/storage/emulated/0/Download/fsg.img
    dd if=/dev/block/sda8 of=/storage/emulated/0/Download/ftm.img
    dd if=/dev/block/sda31 of=/storage/emulated/0/Download/grow.img
    dd if=/dev/block/sdf4 of=/storage/emulated/0/Download/fsg.img

    Running the backup script

    adb push backupall-part.sh /data/local/tmp

    Execute the following in a root shell:

    cd /data/local/tmp
    sh backupall-part.sh

    When complete, copy the backed up images from your internal storage Download folder to your computer.

    You are now ready to proceed with Bootloader unlocking. Leave your root shell open.

    Step 3A, Bootloader Unlocking:

    Before We Begin:

    A word of warning. These next steps involve issuing dd commands to overwrite your bootloader on your currently inactive slot (the active slot being the one you are on now with temp root) with a V50 engineering bootloader. This method has been performed at least half a dozen times without a brick. As long as you follow the instructions carefully, you should be fine.

    Secondly, if your inactive slot is not on firmware version 20d, we will have to flash the entire 20d backup to the inactive slot via fastboot flash commands or you will likely not boot or have an extremely unstable system. (See the amended “Step 4, Flashing 20d” step.) You can find the 20d backup here, provided by Luis: https://drive.google.com/file/d/1lXpO-sntmFmabDJ2dnfkQXqL6kEDvca0/view?usp=sharing

    The above link contains images for both 20d and Pie. The _a images are 20d, the _b images are Pie. If you do not already have one, and you would like a bootable Pie slot, you may flash the _b images to the slot containing the engineering bootloader. We will cover this topic in a later step. Do not attempt without reading the step, Bonus: Pie Slot, at the end of this guide.

    Moving On:

    We need to find out your current active slot. In your root shell, type, without the quotes, “getprop | grep slot”. If you are in slot A, continue to “Step 3B, Slot A dd Commands”. If you are in slot B, continue to “Step 3C, Slot B dd Commands”.

    Step 3B, Slot A dd Commands:

    The following dd commands will flash xbl, xbl_config, abl and laf from Pie, as well as the V50 engineering bootloader to slot B. Copy these images to your internal storage Download folder.

    Before We Begin:

    It is required that each of these commands be run at least 5 times to ensure proper flashing. If you’re going to brick, this is the time it’s going to happen. There is little risk as long as you flash the same images at least 5 times to ensure proper flashing.

    Secondly, if at any point the dd commands fail, reboot, regain temp root, and try again.

    Moving On:

    In your root shell, run the following at least 5 times for each image. For example, you will flash the V50 bootloader 5 times before moving on to the next dd command.

    1. dd if=/storage/emulated/0/Download/V500ES_abl_a.img of=/dev/block/bootdevice/by-name/abl_b

    2. dd if=/storage/emulated/0/Download/xbl_b.img of=/dev/block/bootdevice/by-name/xbl_b

    3. dd if=/storage/emulated/0/Download/xbl_config_b.img of=/dev/block/bootdevice/by-name/xbl_config_b

    4. dd if=/storage/emulated/0/Download/laf_b.img of=/dev/block/bootdevice/by-name/laf_b

    You can now exit the root shell by typing “exit” twice. This is required. Leave your cmd prompt or powershell window open.

    Switch to slot B by following the guide linked above in Step 1A, Firmware Check.

    Reboot to Fastboot while in slot B via the key combination volume down and power. Select the restart bootloader option using the volume keys, and the power button to confirm your selection. You must select restart bootloader or your device will not show up in fastboot devices even though you have booted to bootloader already!

    Type fastboot devices in your cmd prompt or powershell window. You should now see your device listed in fastboot mode.

    Type fastboot oem unlock, select Yes. You are now bootloader unlocked!

    If slot A does contain firmware version 20d, proceed to “Step 4A, Magisk Flashing”.
    If slot A does not contain firmware version 20d, proceed to “Step 4B, Flashing 20d”.

    Step 3C, Slot B dd Commands:

    The following dd commands will flash xbl, xbl_config, abl and laf from Pie, as well as the V50 engineering bootloader to slot A. Copy these images to your internal storage Download folder.

    Before We Begin:

    It is required that each of these commands be run at least 5 times to ensure proper flashing. If you’re going to brick, this is the time it’s going to happen. There is little risk as long as you flash the same images at least 5 times to ensure proper flashing.

    Secondly, if at any point the dd commands fail, reboot, regain temp root, and try again.

    Moving On:

    In your root shell, run the following at least 5 times for each image. For example, you will flash the V50 bootloader 5 times before moving on to the next dd command.

    1. dd if=/storage/emulated/0/Download/V500ES_abl_a.img of=/dev/block/bootdevice/by-name/abl_a

    2. dd if=/storage/emulated/0/Download/xbl_b.img of=/dev/block/bootdevice/by-name/xbl_a

    3. dd if=/storage/emulated/0/Download/xbl_config_b.img of=/dev/block/bootdevice/by-name/xbl_config_a

    4. dd if=/storage/emulated/0/Download/laf_b.img of=/dev/block/bootdevice/by-name/laf_a

    You can now exit the root shell by typing “exit” twice. This is required. Leave your cmd prompt or powershell window open.

    Switch to slot A by following the guide linked above in Step 1A, Firmware Check.

    Reboot to Fastboot while in slot A via the key combination volume down and power. Select the restart bootloader option using the volume keys, and the power button to confirm your selection. You must select restart bootloader or your device will not show up in fastboot devices even though you have booted to bootloader already!

    Type fastboot devices in your cmd prompt or powershell window. You should now see your device listed in fastboot mode.

    Type fastboot oem unlock, select Yes. You are now bootloader unlocked!

    If slot B does contain firmware version 20d, proceed to “Step 4A, Magisk Flashing”.
    If slot B does not contain firmware version 20d, proceed to “Step 4B, Flashing 20d”.
    3
    Step 4A, Magisk Flashing:

    The next step is to flash the appropriate Magisk patched boot image for your firmware version. The following commands needs to be changed based on which slot your 20[a,b,c,d,e] firmware is located, and which patched image you’re flashing. For example, if 20d is in slot A, you will use “boot_a”, if it’s in slot B, you will use “boot_b”. Likewise, if 20d is in slot A, you will use “fastboot --set-active=a”, if it’s in slot B, you will use “fastboot --set-active=b”. Note: That’s a double dash before “set”.

    fastboot flash boot_a sprint20d_magisk_patched.img
    fastboot --set-active=a

    Select power off, press the power button to confirm selection. It may take upwards of 10 – 20 seconds to get the phone to turn back on after powering off. This is normal. Boot to Android. If you have a successful boot, skip the initial setup and proceed to “Step 5, Finishing Up”.

    Step 4B, Flashing 20d:

    I’m leaving this step here in case it is needed. After some testing, we have determined that no stability problems occur as long as you flash a patched boot image that matches your current firmware version. Currently we have patched 20d and 20e boot images available.

    For this step, you will need the 20d backup found in “Step 3A, Bootloader Unlocking”. As mentioned before, the _a images are 20d, the _b images are pie. You will only need the _a 20d images for this step.
    This cannot be skipped if you are on anything other than 20d. You will have severe system problems IF it even boots at all. The process is straight forward, just slightly time consuming. Lets begin.
    Extract the _a 20d images in the g820um20d.zip to your root Android folder containing your platform tools. Each and every image will need to be flashed, in no particular order. Just sort by file type and start from the top. The image file names directly correlate to the partition you are flashing to, for example: abl_a.img will be flashed to abl_a, and so on.
    The following fastboot flash commands will need to be changed based on your primary slot letter (the slot that does NOT contain the engineering bootloader). For example, if that happens to be slot B, you will use fastboot flash abl_b abl_a.img, and so on.
    fastboot flash abl_a abl_a.img
    fastboot flash akmu_a akmu_a.img
    And so on, it’s that simple. The only exception is the boot image. You will NOT flash the boot_a image, you will flash the Sprint20D magisk patched image instead.
    Once complete execute the following:
    fastboot erase userdata
    fastboot --set-active=a or --set-active=b based on your primary slot letter.
    Select power off, press the power button to confirm selection. It may take upwards of 10 – 20 seconds to get the phone to turn back on after powering off. This is normal. Boot to Android. If you have a successful boot, skip the initial setup and proceed to “Step 5, Finishing Up”.

    Step 5, Finishing Up:
    In this step we will flash TWRP, reboot to recovery, flash Magisk and dm-verity disabler. An SD card is recommended but not required for this step.

    Copy the Disable_Dm-Verity zip, Magisk-v20.4.zip, and the twrp-installer zip to your SD card. Preferably to the Download folder. If you’re using internal storage only, you will move these files to the phone after you data wipe in TWRP.

    Download the latest version of the Magisk Manager APK and install it.

    Once installed, open Magisk Manager. It will ask you to perform additional setup. Allow it. The phone will reboot automatically. After the reboot, open Magisk Manager once more, tap on the 3 horizontal bars on the top left, and select Modules.
    Tap the Plus sign and select the twrp-installer zip. This will flash TWRP. Note that in doing so, this will remove Magisk from the boot image. This is fine.

    Shut down the phone and boot to recovery via the key combination. Hold volume down and power until you see Recovery mode flash on screen, you may release the buttons after you see this. You should now be in TWRP. Tap cancel when it asks for a password. Go to Wipe > Advanced > Select data (and only data), and wipe. Reboot the phone back to recovery. Do not let the system boot after data wiping. Go directly back to TWRP. You will NOT brick, however you will have to data wipe and reboot again.

    After you’re back in TWRP, it should no longer be asking you for a password. This is good, it means we have removed the encryption.
    Next, tap Install. Flash in this order Magisk-v20.4.zip, followed by a reboot directly to TWRP. Next, flash Disable_Dm-Verity. Reboot to system. Continue setup as normal.

    Congratulations! You are now bootloader unlocked and rooted.

    Bonus: Pie Slot:
    As mentioned in “Step 3A, Bootloader Unlocking”, if you do not have a Pie slot, you can flash the Pie images in the zip mentioned in the same step via fastboot flash, the same way you (may have) flashed 20d in “Step 4B, Flashing 20d”. The only difference is you will be flashing all of the _b images except for abl, xbl, and xbl_config to the slot containing the engineering bootloader. You must fastboot erase userdata after flashing the Pie images. Once complete, simply reboot and you should have a bootable Pie slot. Please note that the V50 engineering bootloader prevents the touch screen from working in Pie.
    2
    Hi, bro. Were you able to fix OPID Mismatched with this guide by any chance?

    No we cant, only lg has the keys to allow cross flashing. and yes it is server sided for now.
    2
    Me , antitin and Brandon successfully BL unlocked, if you follow the steps to the T, you will be bl unlock.