This is possible but not easy to do. Here's how I was able to achieve it:
- Acquire and install LGUP_Store_Frame_Ver_1_14_3.msi, LGH830_DLL.msi, and maybe an LG driver package as well (?)
- Follow the file-renaming advice in This post; then, follow the binary patching advice in this one, except with one modification -- the .dll bytes to patch will not appear in your renamed dll file in the same location as they do for OP; so search a hexdump for the bytes in question and then patch them where you find them. HxD makes this pretty easy.
- Put the phone in download mode
- Run LGUP (which should now recognize your phone). Don't use uppercut, the binary patches remove the need for uppercut, and seem to prevent uppercut from working anyhow.
- Click "dump"
- Chose where you want the dump to go (nb: it's ~30GB but compresses down to ~4GB if you 7zip it)
- Profit?
Now that you have your dump, I'm not sure how useful it is. Others report that flashing back doesn't restore the GSM unlock, but, who knows, maybe they made some mistake? Turning those dump files into any kind of useful flashable ROM or meaningful research is "left as an exercise for the reader"
People seem to think the GSM unlock is in a "hack" added to this ROM, but that doesn't make too much sense to me. My phone came with the factory seal completely intact from an Amazon purchase. The IMEI has been active since June. Also, these units have their bootloader locked, and the secure-boot mechanisms in the unit respect real T-Mobile ROMs. So presumably this means whoever baked it had access to closely-guarded LG secrets.
I kind-of suspect what's really going on is that LG baked the ROM, i.e., for testing purposes, and then accidentally shipped them to some distribution channel it was never intended for. Conceivably, they emerge from the LG womb unlocked, and ship with a couple of qfuse-like write-once constructs (maybe even literal qfuses), one which carrier-locks the phone and then a second, which carrier-unlocks the phone once the first one is triggered. If that were the case then probably the official T-mobile roms trip the first fuse once flashed or during initial setup, and leave the second fuse as-is, and our units ship without the first fuse triggered. But this is pure speculation.
Warning: These devices are known to hard brick. You can probably still have a wierd low-level conversation with your bricked device using Qualcomm tools which might allow you to un-brick it somehow... very steep learning curves may be involved. So although I think its nifty that I now have a dump, I wouldn't want to try to flash it unless I was prepared to brick the unit in question. Also be advised, if you publish this, it's probably some sort of copyright violation and also likely to contain various private information like your IMEI, various log files, ... really, who knows what's in there? Finally, I'm not sure what impact the /data encryption will have on these dumps, I haven't tried to tear them apart yet.
