including temporary Magisk setup from the exploit
The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.14 that is used with LG phones running Android 10 with March security patch level.
This work has been done upon request of @Inerent who contributed not only with very fine donations, but also did all the testing on his LG phone, as I do not own any LG phone myself.
As an add-on, I have implemented setup of Magisk v20.4 from the temp root exploit, including su permission-request notification support, which has also been a hell of a lot of work to get working.
You can find the currently running fw version with the 'getprop ro.vendor.lge.factoryversion' command run in an adb shell.
- LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0 - LG V50 ThinQ with V500N20m fw, 2020-03-01 security patch level
- LMV500NAT-00-V20f-LAO-COM-JAN-31-2020+0 - LG V50 ThinQ with V500N20f fw, 2020-01-01 security patch level
- LMV500NAT-00-V20b-LAO-COM-DEC-23-2019+0 - LG V50 ThinQ with V500N20b fw, 2019-12-01 security patch level
- LMV450AT-00-V20a-LAO-COM-JAN-15-2020-ARB00+2 - LG V50 ThinQ Sprint fw, 2020-01-01 security patch level
The only (unlikely) case in which the exploit could work with a different fw version (or a different phone model) would be if it used a binary-identical kernel image in the firmware.
- be sure to run a supported firmware version on your phone (you may need to downgrade, which involves a factory reset)
- enable developer options and, in there, adb debugging (and install adb drivers if needed)
- download the v50g8-mroot.zip with the exploit attached in this post and unzip it
- use 'adb push v50g8-mroot /data/local/tmp' and get temp root with the following commands in 'adb shell':
cd /data/local/tmp
chmod 755 ./v50g8-mroot
./v50g8-mroot
If it worked, you should see something like this:
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
...
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root) context=kernel
root_by_cve-2020-0041:/data/local/tmp #
Please see the 2nd post for magisk setup from temp root details.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), such as /system, /vendor or the kernel boot partition, can result in a phone that no longer boots.
In such a case you would need a way to emergency-flash the stock firmware to recover.
This is why it is called 'temp root': you get a root shell only temporarily, it is lost on reboot, and it does not allow making permanent changes to crucial partitions until a bootloader unlock is achieved.
Some partitions might still be possible to modify; for example, in the case of Sony Xperia phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem, allowing IMS to be set up for different operators/regions or other modem-related settings to be tuned.
The original sources are available here; my modifications to make it compatible with the LG kernel 4.14 will be released as a forked project on my GitHub later.
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
If you like my work, you can donate using the Donate to Me button with several methods there.
- @Catalin Oprea ($710)
- Luis Rosado ($30)
- Kirn Gill ($6) LG V60 user
- Android Maisters ($30)
- Matthew Hinkle ($40)
- Daniel Novo ($22)
- Tony Romeo ($56)
- Yurii Boiko ($20)
- VL48 ($33)
- Savcho Savchev ($30)
- Josue W ($15)
- Reyna Cruz ($15)
- Tyler Thompson ($3)
- Tam Van Phan ($8,4)
- MR D CRANSON ($25)
- Gilberto Lozada ($15)
- Keith Young ($45)
- Zee Bee ($11)
- Kevin Borges ($50) root bounty at gofundme.com
- Catalin Oprea (+$50) root bounty at gofundme.com
- Luke Miller ($50) root bounty at gofundme.com
- @AngryManMLS ($20)
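As an added example for the two checks the post asks the reader to do by hand (confirming the firmware string is one of the four supported builds, and remembering that dm-verity/AVB-protected partitions must stay untouched under a temp root), here is a small POSIX sh pre-flight script. It is written for this page and is not part of the v50g8-mroot package or the post. It assumes the standard Android boot properties ro.boot.flash.locked, ro.boot.veritymode and ro.boot.verifiedbootstate are present in the device's `getprop` output; the property dump embedded below is constructed sample data, and the supported-build list is copied verbatim from the post.

```shell
#!/bin/sh
# Added pre-flight check for this page (not the post's or the exploit's code).
# (1) Is the firmware string one of the builds the post lists as supported?
# (2) Is verified boot / dm-verity still enforcing, i.e. are /system, /vendor
#     and boot off-limits for changes under a temp root?
# Property names ro.boot.flash.locked, ro.boot.veritymode and
# ro.boot.verifiedbootstate are standard Android boot properties (assumed to
# be present on the device); the sample values below are constructed.

# The four builds the post lists as supported, copied verbatim.
SUPPORTED_FW="LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0
LMV500NAT-00-V20f-LAO-COM-JAN-31-2020+0
LMV500NAT-00-V20b-LAO-COM-DEC-23-2019+0
LMV450AT-00-V20a-LAO-COM-JAN-15-2020-ARB00+2"

# fw_supported FW: returns 0 when FW matches a supported build exactly.
# Exact match is deliberate: the post says only a binary-identical kernel
# could make another build work, so no prefix or model-only matching.
fw_supported() {
    for s in $SUPPORTED_FW; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# fw_build FW: prints the build field (e.g. V20m) of an LG factoryversion string.
fw_build() {
    printf '%s\n' "$1" | cut -d- -f3
}

# prop NAME PROPS: prints the value of NAME from a `getprop` dump held in PROPS
# (lines of the form "[name]: [value]").
prop() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# verity_enforcing PROPS: returns 0 when the boot state says the verified
# partitions are still protected (bootloader locked, veritymode=enforcing,
# verifiedbootstate=green). Any other combination returns 1.
verity_enforcing() {
    locked=$(prop ro.boot.flash.locked "$1")
    mode=$(prop ro.boot.veritymode "$1")
    state=$(prop ro.boot.verifiedbootstate "$1")
    [ "$locked" = "1" ] && [ "$mode" = "enforcing" ] && [ "$state" = "green" ]
}

# preflight FW PROPS: prints a verdict and returns 0 only when FW is supported;
# the verity result is reported as a reminder, not used to block.
preflight() {
    if fw_supported "$1"; then
        printf 'fw %s (build %s): supported\n' "$1" "$(fw_build "$1")"
    else
        printf 'fw %s (build %s): NOT supported, do not run the exploit\n' "$1" "$(fw_build "$1")"
        return 1
    fi
    if verity_enforcing "$2"; then
        echo "verified boot enforcing: leave /system, /vendor and boot untouched"
    else
        echo "verified boot not fully enforcing (unlocked or verity off)"
    fi
}

# Constructed sample dump in `getprop` format for a locked, verity-enforcing device.
SAMPLE_PROPS='[ro.boot.flash.locked]: [1]
[ro.boot.veritymode]: [enforcing]
[ro.boot.verifiedbootstate]: [green]
[ro.vendor.lge.factoryversion]: [LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0]'

# Stand-alone run over the constructed sample; on a real device you would feed
# "$(adb shell getprop)" as the dump instead.
preflight "$(prop ro.vendor.lge.factoryversion "$SAMPLE_PROPS")" "$SAMPLE_PROPS"
```

The script only reads properties; it never touches a partition. Its point is that the bootloader-locked, verity-enforcing state is exactly the condition under which the post's warning applies, so the check prints that reminder whenever the device reports it.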