Exploit possibility for H91810Q - LG V20 Questions & Answers

Because I never rooted my H918 and the replacement from T-Mobile insurance for the bootloop issue came with H91810Q already installed, I have been looking for a way to possibly gain root access. Because an exploit will be needed for now, though there is some interesting-looking work on modifying LG UP, I found this:
http://www.cvedetails.com/vulnerabi...r-2017/opec-1/Linux-Linux-Kernel-3.18.31.html
I'm not as familiar with coding or exploits as I would like to be, and not sure if I understand if this will give the necessary access but thought I would share for those that DO know and might point me in the right direction or explain if this would work or why it would not.

The exploit you are referring to is BlueBorne. That doesn't help us. It is a Bluetooth exploit that gains access to the phone. It allows the exploiter control over your phone, as in a thief who steals your phone now has control over it. That doesn't mean the thief could root it. Unless it's a dev on XDA, but so far none have done it.
The Dirty COW exploit no longer works after 10j firmware, and since you can't roll back from 10q, no TWRP, no root.

Related

Qualcomm's Secure Execution Environment Exploit (possible root from this?)

I found this post on a blog about a vulnerability with the Qualcomm boot. I can't even begin to explain it but could this help us find a way to root?
LINK: https://bits-please.blogspot.com/20...howComment=1462371232579#c7966216604060424834
Fredo2000 said:
I found this post on a blog about a vulnerability with the Qualcomm boot. I can't even begin to explain it but could this help us find a way to root?
LINK: https://bits-please.blogspot.com/20...howComment=1462371232579#c7966216604060424834
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
jcase said:
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
Ah damn. Thanks for letting me know anyways
Not so - this vulnerability requires "mediaserver" permissions to execute and can be used to achieve root (see latest blog post).
Also, I'm releasing another exploit which allows escalation from zero permissions to "mediaserver" which works on all Android versions and phones.
Wow that's an impressive exploit. Congrats for finding it and explaining it in your write up. Have you been able to use it on an unrooted device like ours to gain root? What about the S7 edge that is chained down at the moment? Sounds like you might have an opportunity to cash in on the large bounties for both devices! Once again great work!!
Sent from my LG-H830 using XDA-Developers mobile app
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
How long did it take to discover and work on this exploit? I'm just a lay person that likes to root phones but I imagine this takes a ton of time to work on. I hope you submit your work and publish a root method and cash in on ~$5000 worth of bounties for all your hard work. And I hope Google implements your fixes soon to patch the holes you have discovered.
Sent from my LG-H830 using XDA-Developers mobile app
laginimaineb said:
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
Wow... This is all some seriously great stuff! If you have some time I would love to talk with you about how to get this working on the Sprint G5
laginimaineb said:
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
If you can modify the kernel, can you disable dm-verity?
If so, I think you might have just found root for our device...
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
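As an added example, not code from this thread and not laginimaineb's tooling: a small Python scanner that applies the check described above (look for the string "PRDiag" in the extracted system_ chunks). It assumes the KDZ/DZ has already been unpacked into raw files in one directory; the unpacking itself is not shown, and the sample files the script creates are constructed for the demonstration, not real LG firmware. The one detail worth getting right is that a multi-gigabyte image has to be read in chunks, and a naive chunked search misses a marker that straddles a chunk boundary, so the scanner carries an overlap of len(marker)-1 bytes from one chunk into the next.

```python
import os
import tempfile

# The string laginimaineb says to look for in the extracted system_ chunks.
NEEDLE = b"PRDiag"
CHUNK_SIZE = 1 << 20  # read 1 MiB at a time; system images are multi-GB


def find_marker(path, needle=NEEDLE, chunk_size=CHUNK_SIZE):
    """Return the byte offsets of every occurrence of `needle` in the file.

    Reads the file in chunks and carries the last len(needle)-1 bytes of
    each chunk into the next search window, so an occurrence that straddles
    a chunk boundary is still found, and found exactly once.
    """
    hits = []
    keep = len(needle) - 1   # overlap needed to catch a straddling match
    tail = b""               # carried-over bytes from the previous chunk
    base = 0                 # file offset of tail[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = tail + data
            pos = buf.find(needle)
            while pos >= 0:
                hits.append(base + pos)
                pos = buf.find(needle, pos + 1)
            if len(buf) > keep:
                base += len(buf) - keep
                tail = buf[len(buf) - keep:]
            else:
                tail = buf
    return hits


def scan_dir(directory, prefix="system_", needle=NEEDLE, chunk_size=CHUNK_SIZE):
    """Map each `prefix*` file in `directory` to the offsets where `needle` occurs."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.startswith(prefix):
            results[name] = find_marker(os.path.join(directory, name), needle, chunk_size)
    return results


def make_sample_dir():
    """Constructed stand-in for an unpacked KDZ: NOT real LG firmware."""
    d = tempfile.mkdtemp(prefix="kdz_unpacked_")
    # Two occurrences, at offsets 61 and 107. With a 64-byte chunk the first
    # one straddles the chunk boundary (bytes 61..66, boundary at 64).
    with open(os.path.join(d, "system_1.img"), "wb") as f:
        f.write(b"A" * 61 + NEEDLE + b"B" * 40 + NEEDLE + b"C" * 10)
    with open(os.path.join(d, "system_2.img"), "wb") as f:
        f.write(b"\x00" * 200)
    with open(os.path.join(d, "boot.img"), "wb") as f:   # wrong prefix, skipped
        f.write(NEEDLE)
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    # A tiny chunk size here only to exercise the boundary handling.
    for name, offsets in scan_dir(sample, chunk_size=64).items():
        verdict = "marker present" if offsets else "no marker"
        print(f"{name}: {verdict} {offsets}")
```

A hit only tells you the diag code path laginimaineb refers to is present in that build; it is his stated indicator, not a proof that the build is still exploitable. Run it over each firmware version you have (older KDZs as well as the current one), since his own caveat is that a later version may be patched while earlier ones are not.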
laginimaineb said:
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
My god... you are the MAN!!! I'll check for the files ASAP (currently doing mother's day stuff) and report back.
Also, how can I donate to you?
jcase said:
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
so you are wrong then? this CAN be used to get root?
laginimaineb said:
Not so - this vulnerability requires "mediaserver" permissions to execute and can be used to achieve root (see latest blog post).
Also, I'm releasing another exploit which allows escalation from zero permissions to "mediaserver" which works on all Android versions and phones.
Correct, bad wording on my part. However on this phone it really makes no difference, it is actually easier to gain execution as root than it is on mediaserver. This phone is /BAD/ as far as security is concerned. Multiple bootchain backdoors, beyond broke backup system, known kernel vulns left unpatched, heavily (and poorly) modified stagefright as well. We already have root on the phone, root was never the issue, issue was code signing (which was being worked on until someone shared my root knowing I didn't want it shared). LG is enforcing signature validation and dm-verity on this device, just a heads up.
If you release anything compatible with this phone, make sure the users know not to alter laf/recovery/boot/system. They will anyways, and blame you, but at least you warn them.
I sold my G5 after the drama here, so I am no longer working on it.
Syndicate0315 said:
so you are wrong then? this CAN be used to get root?
I was technically wrong, but it really makes little difference if the starting point is mediaserver or root. It is honestly easier to get exec as root on this phone than mediaserver. I have already demonstrated that root is not an issue on this device, issue is code signing. This vulnerability does not give you what you guys want, similar to the one of mine that everyone is passing around and emailing me daily about after I put in the readme that it will not do what you want. No one listens.
laginimaineb said:
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
Blowing fuses is the standard way of enabling secure boot, not disabling. These phones already have that fuse blown. The more recent LG phones have used a signed blob to "unlock" (as far as the ones I've looked at), they are not following the motorola method of blowing a fuse.
The T-Mobile LG G5 is actually unlocked, all these guys need to do is pack TWRP into a TOT (pretty much a raw image with a header) and flash it in download mode.
Fredo2000 said:
If you can modify the kernel, can you disable dm-verity?
If so, I think you might have just found root for our device...
He can modify the kernel at run time with this exploit, but not the binary image of it, nor the ram disk that has the settings to enforce dm-verity. It would still need an exploit to get exec in the proper user/context as well as a codesigning exploit
jcase said:
Correct, bad wording on my part. However on this phone it really makes no difference, it is actually easier to gain execution as root than it is on mediaserver. This phone is /BAD/ as far as security is concerned. Multiple bootchain backdoors, beyond broke backup system, known kernel vulns left unpatched, heavily (and poorly) modified stagefright as well. We already have root on the phone, root was never the issue, issue was code signing (which was being worked on until someone shared my root knowing I didn't want it shared). LG is enforcing signature validation and dm-verity on this device, just a heads up.
If you release anything compatible with this phone, make sure the users know not to alter laf/recovery/boot/system. They will anyways, and blame you, but at least you warn them.
I sold my G5 after the drama here, so I am no longer working on it.
I was technically wrong, but it really makes little difference if the starting point is mediaserver or root. It is honestly easier to get exec as root on this phone than mediaserver. I have already demonstrated that root is not an issue on this device, issue is code signing. This vulnerability does not give you what you guys want, similar to the one of mine that everyone is passing around and emailing me daily about.
Sorry if this is me just being ignorant, but if we gain root on a device with an unlocked bootloader (T-Mobile), can't we flash root from an app on the phone, boot into recovery, and then flash the disable-dm-verity zip provided on the other thread?
And also, how is gaining root not a problem? Is it through the LAF backdoor?
Syndicate0315 said:
Sorry if this is me just being ignorant, but if we gain root on a device with an unlocked bootloader (T-Mobile), can't we flash root from an app on the phone, boot into recovery, and then flash the disable-dm-verity zip provided on the other thread?
And also, how is gaining root not a problem? Is it through the LAF backdoor?
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
jcase said:
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
ahhhh OK that makes MUCH sense...
I have the Sprint variant, what would be the best way for me to go about finding a permanent root? Would any of these methods work?
Syndicate0315 said:
ahhhh OK that makes MUCH sense...
I have the Sprint variant, what would be the best way for me to go about finding a permanent root? Would any of these methods work?
Dig through the bootchain, looking for a vulnerability you can use to bypass the secure boot (or otherwise bypass the signing requirement of boot.img), or look at LG's code in regards to unlock; I wouldn't be surprised if a route existed there, LG is notoriously bad at "security" features.
jcase said:
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
hate to see you've sold your G5. unfortunately, there is no tot for h830. however, sprint has one. I am unsure as to how one can create a tot.

Root first or update first?

Hello everyone,
My Moto X Pure edition is on the way in the mail. I'm already excited to root it and get TWRP on it. However, I believe the phone will come with Android Lollipop installed, and I should get an option for an OTA update to Android 6.0.
My question is: Should I root my phone and install twrp BEFORE receiving the update, or after? I plan to use WinDroid Toolkit to root my phone and install twrp (seems to be the easiest way) so have any of you done it while having 6.0 already installed?
Your phone will most likely arrive with 6.0 pre-installed on it. You can't take an OTA with TWRP installed. I can't answer the WinDroid question.
Edit: It will most likely come with 6.0 already assuming you purchased it from Motorola.
quakeaz said:
Your phone will most likely arrive with 6.0 pre-installed on it. You can't take an OTA with TWRP installed. I can't answer the WinDroid question.
Edit: It will most likely come with 6.0 already assuming you purchased it from Motorola.
Thanks a lot for your help! It's good that the phone will most likely come with MM. Does Motorola also offer an OTA update to 6.0.1?
I wanted to flash a pre-rooted stock-based ROM because I thought it would be easier to get root. Although, my preference really would be to get the stock update, then just root that. The only reason I wanted to flash an already rooted ROM was because it seems kind of tricky to root it haha. Is the systemless root by ivcarlos the easiest way to root MM? Or have you perhaps found another way to root it on MM?
Additionally, just to make sure before I go on with anything: I should first let the clean phone upgrade to android 6.0.1, AFTER that I should unlock the bootloader, followed by installing TWRP and root, correct? @vertigo_2_20
Thank you for any help you can give me!
Henryy97 said:
Thanks a lot for your help! It's good that the phone will most likely come with MM. Does Motorola also offer an OTA update to 6.0.1?
I wanted to flash a pre-rooted stock-based ROM because I thought it would be easier to get root. Although, my preference really would be to get the stock update, then just root that. The only reason I wanted to flash an already rooted ROM was because it seems kind of tricky to root it haha. Is the systemless root by ivcarlos the easiest way to root MM? Or have you perhaps found another way to root it on MM?
Additionally, just to make sure before I go on with anything: I should first let the clean phone upgrade to android 6.0.1, AFTER that I should unlock the bootloader, followed by installing TWRP and root, correct? @vertigo_2_20
Thank you for any help you can give me!
IIRC, that's how I did it (OTA 6.0.1 > unlock bootloader > flash TWRP > root), though I did miss some things along the way that I only found out about after the fact, so I've included warnings about those things here. Before I rooted, I read the following (and a LOT more, but these are the primary ones I based how I did it on):
ivcarlos' method, which you mentioned
And this, which is what I followed for rooting, though I don't remember why. I also had to use 2.62-3 as mentioned in the instructions vs 2.65 which is mentioned at the end as verified working, since it didn't work for me.
I ran across this as well, probably when 2.65 didn't work, and there's some good tidbits in there, worth reading through.
I also found this, but only after I finished rooting with the other method, and I didn't have the time to mess with it. I don't know enough to say whether it's really a better method or not, but something worth checking out if you have the time.
Just make sure you backup anything you want to keep (phone log, texts, pictures, etc) before unlocking the bootloader. I recommend SMS Backup & Restore with Titanium Backup as a secondary backup. Then, use fastboot to back up your recovery before flashing TWRP (I didn't know to do this until too late). Also, make sure you back up your /system and /boot partitions (don't need /data, since you're dealing with a freshly wiped phone from unlocking the bootloader, so nothing there to back up) with TWRP (and store the backups on the external SD card and/or your computer) as soon as you get TWRP flashed, before you do anything else.
Remember, anything you do that modifies /system can potentially break the "systemless" aspect of this root, thereby breaking Android Pay as well as the ability to receive OTA updates. Examples of things that might do this are AdAway (there's apparently a systemless file that needs to be flashed before installing it, which I didn't realize until too late, so mine may be broken already) and battery apps like GSam and BetterBatteryStats. I've yet to get an answer on if these really do break it, though. One that definitely will is Xposed, but I just found there's a systemless version, so when I get time I plan on trying that out. I think even if you do break it you can just a) reflash your backup (/recovery, /boot, & /system) then take an OTA and reflash TWRP and re-root, or b) flash the updated partitions from the OTA then reflash recovery and re-root. Of course, any of those things that changed /system (AdAway, Xposed, battery apps, etc), will probably be broken by this, and I believe they're supposed to be uninstalled first and reinstalled after.
I wouldn't doubt if I've screwed something up, so hopefully somebody can correct me on anything I did, as well as provide more information regarding the breaking of systemless.
vertigo_2_20 said:
IIRC, that's how I did it (OTA 6.0.1 > unlock bootloader > flash TWRP > root), though I did miss some things along the way that I only found out about after the fact, so I've included warnings about those things here. Before I rooted, I read the following (and a LOT more, but these are the primary ones I based how I did it on):
ivcarlos' method, which you mentioned
And this, which is what I followed for rooting, though I don't remember why. I also had to use 2.62-3 as mentioned in the instructions vs 2.65 which is mentioned at the end as verified working, since it didn't work for me.
I ran across this as well, probably when 2.65 didn't work, and there's some good tidbits in there, worth reading through.
I also found this, but only after I finished rooting with the other method, and I didn't have the time to mess with it. I don't know enough to say whether it's really a better method or not, but something worth checking out if you have the time.
Just make sure you backup anything you want to keep (phone log, texts, pictures, etc) before unlocking the bootloader. I recommend SMS Backup & Restore with Titanium Backup as a secondary backup. Then, use fastboot to back up your recovery before flashing TWRP (I didn't know to do this until too late). Also, make sure you back up your /system and /boot partitions (don't need /data, since you're dealing with a freshly wiped phone from unlocking the bootloader, so nothing there to back up) with TWRP (and store the backups on the external SD card and/or your computer) as soon as you get TWRP flashed, before you do anything else.
Remember, anything you do that modifies /system can potentially break the "systemless" aspect of this root, thereby breaking Android Pay as well as the ability to receive OTA updates. Examples of things that might do this are AdAway (there's apparently a systemless file that needs to be flashed before installing it, which I didn't realize until too late, so mine may be broken already) and battery apps like GSam and BetterBatteryStats. I've yet to get an answer on if these really do break it, though. One that definitely will is Xposed, but I just found there's a systemless version, so when I get time I plan on trying that out. I think even if you do break it you can just a) reflash your backup (/recovery, /boot, & /system) then take an OTA and reflash TWRP and re-root, or b) flash the updated partitions from the OTA then reflash recovery and re-root. Of course, any of those things that changed /system (AdAway, Xposed, battery apps, etc), will probably be broken by this, and I believe they're supposed to be uninstalled first and reinstalled after.
I wouldn't doubt if I've screwed something up, so hopefully somebody can correct me on anything I did, as well as provide more information regarding the breaking of systemless.
Thank you for your reply! I'll read the links you sent me, although from what I can see the "root done right" is for the nexus 6, and if it works for the moto x pure it doesn't seem to be overall that much beneficial over the systemless root.
What exactly is the effect of breaking the "systemless" aspect of the root? For example, if I install AdAway, what will happen? I didn't really get that from your post.
Perhaps after all this process, I'll write a how-to guide, heh
So according to your experience, SUPERSU 2.62-3 is the adequate version to use for android 6.0.1?
Thanks again!
Henryy97 said:
Thank you for your reply! I'll read the links you sent me, although from what I can see the "root done right" is for the nexus 6, and if it works for the moto x pure it doesn't seem to be overall that much beneficial over the systemless root.
What exactly is the effect of breaking the "systemless" aspect of the root? For example, if I install AdAway, what will happen? I didn't really get that from your post.
Perhaps after all this process, I'll write a how-to guide, heh
So according to your experience, SUPERSU 2.62-3 is the adequate version to use for android 6.0.1?
Thanks again!
My understanding is that breaking it will render Android Pay inoperable and will make it so you can't take an OTA, though as I mentioned, it seems you still can by reverting back, it's just a LOT more work. But again, as I said, I'm not completely sure and I haven't been able to get an answer.
As for the supersu version, it doesn't really matter, because you'll just update it once you're rooted and booted into the OS. I just found that, despite what that post said, 2.65 did not work for me, so I had to flash 2.62-3 which did. Not a big deal, was just a little frustrating and scary when 2.65 didn't work because I was worried that I broke something and that the method wasn't going to work.
Edit: Good catch BTW on the link having to do with the Nexus. I didn't even look at what sub-forum it was in. At least it's one less thing to worry about for now, though I do hope it spreads to more devices, because we could always use more, not to mention better (assuming it is) ways of doing things.
vertigo_2_20 said:
My understanding is that breaking it will render Android Pay inoperable and will make it so you can't take an OTA, though as I mentioned, it seems you still can by reverting back, it's just a LOT more work. But again, as I said, I'm not completely sure and I haven't been able to get an answer.
As for the supersu version, it doesn't really matter, because you'll just update it once you're rooted and booted into the OS. I just found that, despite what that post said, 2.65 did not work for me, so I had to flash 2.62-3 which did. Not a big deal, was just a little frustrating and scary when 2.65 didn't work because I was worried that I broke something and that the method wasn't going to work.
Edit: Good catch BTW on the link having to do with the Nexus. I didn't even look at what sub-forum it was in. At least it's one less thing to worry about for now, though I do hope it spreads to more devices, because we could always use more, not to mention better (assuming it is) ways of doing things.
Thanks. I am aware that you can revert back to Lollipop, and do the update from there whenever you want to update to a newer OTA MM update. However, my real question is, what does it mean to break the systemless aspect? I know that it will prevent further OTA updates, but will Xposed work as it should, etc.? If I am rooting my device, it's really to get Xposed. So, if it means that I must revert to an unrooted stock ROM every time I want to update, then so be it. I just want to make sure that breaking the systemless root aspect will not make the ROM unstable. Will it?
Henryy97 said:
Thanks. I am aware that you can revert back to Lollipop, and do the update from there whenever you want to update to a newer OTA MM update. However, my real question is, what does it mean to break the systemless aspect? I know that it will prevent further OTA updates, but will Xposed work as it should, etc.? If I am rooting my device, it's really to get Xposed. So, if it means that I must revert to an unrooted stock ROM every time I want to update, then so be it. I just want to make sure that breaking the systemless root aspect will not make the ROM unstable. Will it?
I think you'll find all the info you're looking for and more in those links. But in summary, as I said, AFAIK the only consequence is breaking OTAs. It does not prevent you from using xposed, rather xposed is one of the things that breaks it. Systemless is so called because it roots without affecting the /system partition, therefore preventing the breaking of Android Pay and allowing OTAs. Once /system is modified (unclear if at all or just beyond a point), these two will no longer function. So if you "break" the systemless root by doing stuff that modifies /system (i.e. xposed, etc), you basically now have a standard (non-systemless) root, which simply negates the benefits it provides. But as far as I could tell, systemless is the only option anyway, so you just do it since it works and it's easy, then you either are careful not to break it if Pay/OTAs are important to you, or if you don't care about those then you just do whatever you want just as if you were rooted in the traditional way. But as I said, once I get the time, I plan to try out the systemless xposed, though it may not matter since I might have already broken it, but may as well, and maybe it'll mean not having to uninstall it when it comes time to take an OTA. If you play with it and figure it out, let me know.
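As an added illustration, not code from this thread nor from any of the rooting tools mentioned in it: jcase's point earlier in the page (patching the running kernel does not change the boot image or the ramdisk that carries the dm-verity settings) and vertigo_2_20's explanation above (once /system is modified, OTAs and Android Pay stop working) come down to one mechanism, so a single Python model of a dm-verity style hash tree serves both. The block size, the use of SHA-256, the five-block sample image and the byte flip that stands in for an edited hosts file are assumptions made for the demonstration; the kernel's real metadata layout differs in detail. The property shown is the one that matters: the root hash is committed outside the partition it protects (in the boot chain), so any byte written to /system changes a leaf that no longer chains up to that root, untouched blocks keep verifying because verification is per block, and rebuilding the tree over the modified image does not help because the committed root is not on the partition. A systemless root sidesteps this by leaving /system alone and changing the boot image instead, which an unlocked bootloader permits.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed; the real layout uses its own block and hash sizes


def _h(data):
    return hashlib.sha256(data).digest()


def build_hash_tree(image, block_size=BLOCK_SIZE):
    """Build a dm-verity style hash tree over `image`.

    Returns a list of levels, leaves first: level 0 holds one SHA-256 per
    data block, each higher level hashes pairs of the level below, and the
    last level holds the single root hash. An odd trailing node is hashed
    alone.
    """
    level = [_h(image[i:i + block_size]) for i in range(0, len(image), block_size)]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + 2])) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image, block_size=BLOCK_SIZE):
    """The value the boot chain commits to (hex); it lives outside /system."""
    return build_hash_tree(image, block_size)[-1][0].hex()


def verify_block(image, tree, index, expected_root, block_size=BLOCK_SIZE):
    """Check one block the way the kernel does on read: hash the block,
    compare with the stored leaf, walk the stored tree up to its root, and
    compare that with the root the boot chain committed to."""
    node = _h(image[index * block_size:(index + 1) * block_size])
    for level in tree[:-1]:
        if level[index] != node:
            return False                      # block or tree node tampered
        left = level[index & ~1]
        right = level[index | 1] if (index | 1) < len(level) else b""
        node = _h(left + right)               # recompute the parent
        index //= 2
    return node.hex() == expected_root        # must match the committed root


def make_sample_image(n_blocks=5, block_size=BLOCK_SIZE):
    """Constructed stand-in for a /system partition: block i is filled with byte i."""
    return b"".join(bytes([i]) * block_size for i in range(n_blocks))


def flip_byte(image, offset):
    """Return a copy of `image` with one byte changed (stand-in for an edited hosts file)."""
    data = bytearray(image)
    data[offset] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    system = make_sample_image()
    tree = build_hash_tree(system)
    committed_root = root_hash(system)        # stored in the boot image, not on /system
    patched = flip_byte(system, 3 * BLOCK_SIZE + 17)
    print("root committed at build time:", committed_root)
    print("untouched block 0 still verifies:", verify_block(patched, tree, 0, committed_root))
    print("edited block 3 verifies:         ", verify_block(patched, tree, 3, committed_root))
    print("rebuilt tree matches committed:  ", root_hash(patched) == committed_root)
```

The same mismatch is what an OTA runs into: a block-based update expects the partition it patches to hash to a known value, so a /system with even a one-byte change is refused, which is why vertigo_2_20's recovery path is to restore the pristine /system backup first and only then take the update.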
vertigo_2_20 said:
I think you'll find all the info you're looking for and more in those links. But in summary, as I said, AFAIK the only consequence is breaking OTAs. It does not prevent you from using xposed, rather xposed is one of the things that breaks it. Systemless is so called because it roots without affecting the /system partition, therefore preventing the breaking of Android Pay and allowing OTAs. Once /system is modified (unclear if at all or just beyond a point), these two will no longer function. So if you "break" the systemless root by doing stuff that modifies /system (i.e. xposed, etc), you basically now have a standard (non-systemless) root, which simply negates the benefits it provides. But as far as I could tell, systemless is the only option anyway, so you just do it since it works and it's easy, then you either are careful not to break it if Pay/OTAs are important to you, or if you don't care about those then you just do whatever you want just as if you were rooted in the traditional way. But as I said, once I get the time, I plan to try out the systemless xposed, though it may not matter since I might have already broken it, but may as well, and maybe it'll mean not having to uninstall it when it comes time to take an OTA. If you play with it and figure it out, let me know.
Once again, thanks. I reached the limit of thanks I can give for today, haha. I'm reading up much more on the process, etc. Just one final question, how often do the OTA updates come on average? I always like having the latest software installed, so MAYBE I can consider having an unrooted phone.. although that will be very difficult. I love my xposed. Anyway, I guess if updates only come about once a month, then rooting is fine. Not too much of a loss. I will definitely be making a how-to guide once I'm done with all of this! (and once my device arrives)
Henryy97 said:
Once again, thanks. I reached the limit of thanks I can give for today, haha. I'm reading up much more on the process, etc. Just one final question, how often do the OTA updates come on average? I always like having the latest software installed, so MAYBE I can consider having an unrooted phone.. although that will be very difficult. I love my xposed. Anyway, I guess if updates only come about once a month, then rooting is fine. Not too much of a loss. I will definitely be making a how-to guide once I'm done with all of this! (and once my device arrives)
I bought my phone ~5-6 months ago. When I got it, the MM update was waiting (released late last year). Probably ~2 months later, another update came through. Since then, nothing. So it looks like probably 3 maybe 4 a year. I'd rather be rooted with all the benefits than get a small update, though I'd really rather have both.
6.0.1 is not out yet although there is a reteu version posted which works great. Rooting is as simple as flashing su 2.62-3 with TWRP.
lafester said:
6.0.1 is not out yet although there is a reteu version posted which works great. Rooting is as simple as flashing su 2.62-3 with TWRP.
Click to expand...
Click to collapse
I'll check it out. Do you mind sharing the link to that version just in case? I am very confused now though, because @vertigo_2_20 says he has 6.0.1, and you say you didn't get it. Perhaps location matters? Can you elaborate a little bit more?
And actually, I've just realized: I think I was looking at too many outdated posts perhaps with all the complicated root procedures such as the one by ivcarlos. The guide that amit.lohar made is very simple which is the one vertigo kindly shared in this OP. One final question @vertigo_2_20 (sorry for so many questions). Does the method by amit.lohar work for 6.0 anddd 6.0.1? I would assume so since they're pretty much very similar. What is your take on this?
I assumed I was on 6.0.1 because I received a system update after being on MM, so I don't know what else it could be. Though it does just say 6.0 in settings. Regardless, I only did it a few weeks ago, so if you're fully updated, you'll be the same as what I was. Even if not, I would think it wouldn't matter. As long as you do a backup before messing with things, the worst-case scenario is you screw something up and restore the backup.
Henryy97 said:
I'll check it out. Do you mind sharing the link to that version just in case? I am very confused now though, because @vertigo_2_20 says he has 6.0.1, and you say you didn't get it. Perhaps location matters? Can you elaborate a little bit more?
And actually, I've just realized: I think I was looking at too many outdated posts perhaps with all the complicated root procedures such as the one by ivcarlos. The guide that amit.lohar made is very simple which is the one vertigo kindly shared in this OP. One final question @vertigo_2_20 (sorry for so many questions). Does the method by amit.lohar work for 6.0 anddd 6.0.1? I would assume so since they're pretty much very similar. What is your take on this?
No I don't get links for people... this forum is small and easy to read. Dev section has one pre loaded with franken and there are two threads in general.
Henryy97 said:
Once again, thanks. I reached the limit of thanks I can give for today, haha. I'm reading up much more on the process, etc. Just one final question, how often do the OTA updates come on average? I always like having the latest software installed, so MAYBE I can consider having an unrooted phone.. although that will be very difficult. I love my xposed. Anyway, I guess if updates only come about once a month, then rooting is fine. Not too much of a loss. I will definitely be making a how-to guide once I'm done with all of this! (and once my device arrives)
If receiving the OTA updates is something you really want, systemless root will allow you to get them with a lot less effort. The trick is knowing which of the apps that require root privileges will end up modifying your system. Avoid the ones that will and you can enjoy root with less work to get updates. If the only root required apps you are interested in modifies the system, then it will be a matter of what you value more.
That reminds me of another thing I haven't yet figured out. If /system is modified, I'm assuming the OTA will still show up and just won't install, but I wonder if it won't even show up anymore. Anyone know?
aybarrap1 said:
If receiving the OTA updates is something you really want, systemless root will allow you to get them with a lot less effort. The trick is knowing which of the apps that require root privileges will end up modifying your system. Avoid the ones that will and you can enjoy root with less work to get updates. If the only root required apps you are interested in modifies the system, then it will be a matter of what you value more.
Ahhh! I guess I'll just flash ROMS to update my phone then because I need my xposed. Besides, after 6.0, if we want root, we can only get the systemless one anyway, right?
Also, I did not quite understand something about systemless root. If the root is 'systemless', then how can apps still edit the system? I've read up that after a memory wipe, the root will actually go away but what happens if I have apps that already modified the system? I just don't quite get how the apps can get into the system and modify it, if the root itself cannot do that because it is systemless. Am I getting the wrong idea here? I've read, and read, and read. I can't find an answer to that :/ According to what you have said though, if I were to get an app that modifies the system, then it would essentially *break* the systemless aspect of it, right? Therefore, it just becomes a normal root?
I feel like I'm going in circles now so I hope someone will be able to explain this for me or just point me in the right direction!
Systemless root does not mean root doesn't have access to /system, it simply means a way of gaining root access without modifying the /system partition, because if you gain root with the old methods, which DO modify /system, it breaks Android Pay and OTAs. Root still has access to modify system, hence why you have to be careful in installing apps, xposed, etc, because if they have root access, they can modify it, and if they do, your systemless root just became useless. The whole point is to NOT modify it so as to keep those certain functions intact, but it doesn't prevent you from doing so after gaining root.
vertigo_2_20 said:
Systemless root does not mean root doesn't have access to /system, it simply means a way of gaining root access without modifying the /system partition, because if you gain root with the old methods, which DO modify /system, it breaks Android Pay and OTAs. Root still has access to modify system, hence why you have to be careful in installing apps, xposed, etc, because if they have root access, they can modify it, and if they do, your systemless root just became useless. The whole point is to NOT modify it so as to keep those certain functions intact, but it doesn't prevent you from doing so after gaining root.
My experience was rooting 5.1.1 on the new phone. I backed up at every stage. I tried a few roms, no big deal. I liked 5.1.1 better due to micro sd card usage. I stupidly allowed the OTA to attempt to install. I knew it would fail but hoped it would stop nagging. The result I did not expect was phone continually rebooting on its own, trying to complete the update. After it completed the reboot it would start to shut down and begin the reboot process again. I restored a backup and froze the Motorola Update app with Titanium Backup. Problem solved. Don't do what I did!
Why would you want to stay on L? M is so much better. Between Doze and permission control, you'll have better battery life and more privacy and security. Not to mention the increased security from having more up-to-date software. I'd recommend just taking the update.

With AP requiring Locked Bootloader now, would a Root Exploit be the next adventure?

Looking at the current requirement for AP needing a locked bootloader now to function, and ARS dropping a new article on Rooting Android phones with Bitflips is now a thing, would there be any future possibility of getting Root on a Bootloader locked device?
I really wouldn't mind trying Stock Android on my 6P with the beta 7.1 builds, however the one thing I really don't want to do without, is Titanium Backup. I run too many apps that have no backup/cloud save function that TB really helps fill the gap in the complete lack of native Android Backup. (And saving my 100+ Chrome Tab sessions as well). Of course there is no guarantee we can even use AP with Root on a locked bootloader due to the checks they have been cooking into it over the past year, but I do wonder if with the change of the security of Android, will new ways to continue to have root be found even for our easily bootloader unlocked devices incase more apps start to look for bootloader unlocks as well in the near future.
I suppose the other side of the coin is to find how these apps look for the bootloaders locked/unlocked status and just block that, but outside of Chainfire's brilliance, who knows how easy/hard that task may be either.
Have you tried Helium? Some apps might not have backup capabilities though. Interesting read on that particular root method. I can assume only certain devices would work with that sort of exploit, depending how hard or easy it is to flip memory bits on the particular platform.
Also: http://www.xda-developers.com/sulta...otloader-check-on-latest-cm13-builds-for-op3/
This will be possible soon when the sources for the latest 7.1.1 kernel leak. Possible now using 6.0.1 and 7.0
There is Another one on ARS as well so it seems we may have options soon(tm).
Also I have tried Helium but it was next to useless for what I actually wanted to backup vs what it could. I'm going to dig around and see if there is any more manual method to backing up most of what I want.
What I see as a show stopper for me is the possibility to use TWRP
Other than that I would even be willing to give up adaway. For most parts I will probably find a workaround/other app to use.

Any custom ROMs available yet for the H915 Canadian Version (Freedom Mobile)?

LTE band 66 service and OTA updating is disabled through the DirtySanta root exploit on the stock build when rooted. I was hoping that there would be a ROM or two for the Canadian version of this device. Need something relatively stable, with nightly updates, and with support for AWS 3/Band 66 connectivity
Any leads are appreciated. Thanks!
Considering the 915 isn't even a supported device no. If someone has gotten the 915 please let me know.
Until FREEDOM Mobile allows the LG V20 LOCKED bootloader to be UNlocked, there will be no FREEDOM to have a custom ROM anytime soon
That is why I got the T-Mobile version with the unlockable bootloader, which works great on NON-Freedom.
lumberguy1028 said:
LTE band 66 service and OTA updating is disabled through the DirtySanta root exploit on the stock build when rooted. I was hoping that there would be a ROM or two for the Canadian version of this device. Need something relatively stable, with nightly updates, and with support for AWS 3/Band 66 connectivity
Any leads are appreciated. Thanks!
Well, I have a theory about getting root and signal on the 915 but it involves losing recovery afterwards. If anyone wants to discuss it let me know.
markbencze said:
Well, I have a theory about getting root and signal on the 915 but it involves losing recovery afterwards. If anyone wants to discuss it let me know.
Actually very interested. I have the LGUP tool on Windows with Uppercut drivers installed, so I can unbrick my device even without recovery. Living without a rooted device is causing me extreme stress and trauma.
lumberguy1028 said:
Actually very interested. I have the LGUP tool on Windows with Uppercut drivers installed, so I can unbrick my device even without recovery. Living without a rooted device is causing me extreme stress and trauma.
Ok so here's my theory.
Basically we can root and have twrp but the problem is that signal ceases to exist afterwards which we assume is caused by the bootloader. Someone posted that they fixed their signal issues using the hidden menu features. But they didn't elaborate if they were rooted at the time and that was the direct reason for losing it in the first place. Nor have they replied. So that part is unknown. It may or may not be an option. The other question I had was is it just wind users who lose signals or does it affect wind devices that are unlocked but being used on other networks like bell, etc.
Anyway those are the unknown things that I'd like some clarification on. But in the meantime here's a theory I have that may or may not work if the above signal fix doesn't work.
So if the above fixing signal doesn't work via that hidden menu then we should be able to confirm the bootloader is the issue. What that means is that we need to have stock bootloader in order for everything to work.
But you cannot have stock bootloader with twrp unless you've "bumped" your recovery which we cannot do.
So my theory was to follow the whole root method and once your phone is booted up with root and twrp you would extract the stock recovery and stock bootloader from the restore file. Then you would flash them via flashfire which I'm told can be done. I'm told that flashing the bootloader does wipe your device which would eliminate root since it's the systemless method. So in theory you'd be back to pure stock again. That's not what we want to have. So we would have to use an alternative root like phh's root method flashed instead of supersu from twrp during the initial root process here. My theory is that you would be restored to stock again but you would have root at least.
So you would at least be able to tinker just not flash stuff. But I believe you can flash a few things from flashfire and still have root for general tinkering or ad block etc.
Of course there is also the possibility that with the locked bootloader (stock) that your phone may not even boot due to new security features in 7.0
But like I said this is just a theory that may or may not work. I haven't had time to try it because I'm constantly busy working and testing themes but if I do ever get time I would consider trying it if we can confirm that we are able to 100% restore to stock. At least with that confirmation we know that if it doesn't work we can get back to how things were.
Hopefully that makes sense.
markbencze said:
Ok so here's my theory.
Basically we can root and have twrp but the problem is that signal ceases to exist afterwards which we assume is caused by the bootloader. Someone posted that they fixed their signal issues using the hidden menu features. But they didn't elaborate if they were rooted at the time and that was the direct reason for losing it in the first place. Nor have they replied. So that part is unknown. It may or may not be an option. The other question I had was is it just wind users who lose signals or does it affect wind devices that are unlocked but being used on other networks like bell, etc.
Anyway those are the unknown things that I'd like some clarification on. But in the meantime here's a theory I have that may or may not work if the above signal fix doesn't work.
So if the above fixing signal doesn't work via that hidden menu then we should be able to confirm the bootloader is the issue. What that means is that we need to have stock bootloader in order for everything to work.
But you cannot have stock bootloader with twrp unless you've "bumped" your recovery which we cannot do.
So my theory was to follow the whole root method and once your phone is booted up with root and twrp you would extract the stock recovery and stock bootloader from the restore file. Then you would flash them via flashfire which I'm told can be done. I'm told that flashing the bootloader does wipe your device which would eliminate root since it's the systemless method. So in theory you'd be back to pure stock again. That's not what we want to have. So we would have to use an alternative root like phh's root method flashed instead of supersu from twrp during the initial root process here. My theory is that you would be restored to stock again but you would have root at least.
So you would at least be able to tinker just not flash stuff. But I believe you can flash a few things from flashfire and still have root for general tinkering or ad block etc.
Of course there is also the possibility that with the locked bootloader (stock) that your phone may not even boot due to new security features in 7.0
But like I said this is just a theory that may or may not work. I haven't had time to try it because I'm constantly busy working and testing themes but if I do ever get time I would consider trying it if we can confirm that we are able to 100% restore to stock. At least with that confirmation we know that if it doesn't work we can get back to how things were.
Hopefully that makes sense.
I'm not sure how much you followed with me but... In my attempts to find a return to stock method I reflashed my stock aboot (bootloader). This bricked me. There is no way to use the stock bootloader once it's been replaced that I have found.
me2151 said:
I'm not sure how much you followed with me but... In my attempts to find a return to stock method I reflashed my stock aboot (bootloader). This bricked me. There is no way to use the stock bootloader once it's been replaced that I have found.
Thanks for clearing that up. So then my next question was did you attempt that signal fix method and were you using yours on wind or was it an unlocked wind used on another network?
Here's the link to this signal fix: https://forum.xda-developers.com/showpost.php?p=70328080&postcount=3
And here is a post about someone saying they used it to fix their signal but they wouldn't elaborate on anything else.
https://forum.xda-developers.com/showpost.php?p=70571563&postcount=12
markbencze said:
Thanks for clearing that up. So then my next question was did you attempt that signal fix method and were you using yours on wind or was it an unlocked wind used on another network?
Here's the link to this signal fix: https://forum.xda-developers.com/showpost.php?p=70328080&postcount=3
And here is a post about someone saying they used it to fix their signal but they wouldn't elaborate on anything else.
https://forum.xda-developers.com/showpost.php?p=70571563&postcount=12
Lol, I'm the DirtySanta dev. I have a LS997. Not a 915.
me2151 said:
Lol, I'm the DirtySanta dev. I have a LS997. Not a 915.
Well I knew you had worked on ds. I wasn't sure however if you had a 915 or not. So then at this point it seems that if that signal fix is in fact valid that it is the only method to get things operational and I would presume it's a stretch given the user who posted about it doesn't seem to have any credibility to go by.
markbencze said:
Well I knew you had worked on ds. I wasn't sure however if you had a 915 or not. So then at this point it seems that if that signal fix is in fact valid that it is the only method to get things operational and I would presume it's a stretch given the user who posted about it doesn't seem to have any credibility to go by.
Thanks for this. Yeah DirtySanta may have been developed for LS997, but it seems to work on H915 minus the modem issue.
lumberguy1028 said:
Thanks for this. Yeah DirtySanta may have been developed for LS997, but it seems to work on H915 minus the modem issue.
Correct but it's useless to use since the phone doesn't function properly afterwards. If there was a confirmed way to have data and signal working then that would be great but there is nothing confirmed to work yet.
I've just moved to a V20 from a Note 4. All my Note4 ROMS were T-Mobile versions. I believe Rogers/Fido phones are basically the same as T-Mobile, which uses freq. channel 66 as well.
Has anyone tried a T-Mobile (918) ROM on the 915 yet? Might just work...
No root yet for Freedom????
What's the method?
What's the method to root the LG H915?
diehard2013 said:
No root yet for Freedom????
The 'Freedom' name becomes a bit ironic for the LG V20 H915 variant it seems. Not a lot of freedom when one can't unlock and root it. Just got one the other day as somehow my Note 4 stopped functioning as a phone, after a couple of months of fun running through loads of Lineage and other nightlies. Loved that phone, but I'll come to love the V20 I'm sure. Already like it a lot. But root seems essential. I haven't had an unrooted phone for more than a few hours in years. Adaway and just general user control of the file system seems essential. Getting rid of bloatware and such. I mean... I disabled a lot of that nonsense, but it's still there, existing in MY phone, which makes me mad. I want to dump a few custom notification sounds into root directories but can't. It's frustrating. So yeah, commenting to subscribe, and hoping a developer with a V20 in Canada decides to get excited enough to remedy the situation, whenever that becomes possible. Otherwise it seems I'll just have to get used to the odd ad and the other limitations.
GerardSamija said:
The 'Freedom' name becomes a bit ironic for the LG V20 H915 variant it seems. Not a lot of freedom when one can't unlock and root it. Just got one the other day as somehow my Note 4 stopped functioning as a phone, after a couple of months of fun running through loads of Lineage and other nightlies. Loved that phone, but I'll come to love the V20 I'm sure. Already like it a lot. But root seems essential. I haven't had an unrooted phone for more than a few hours in years. Adaway and just general user control of the file system seems essential. Getting rid of bloatware and such. I mean... I disabled a lot of that nonsense, but it's still there, existing in MY phone, which makes me mad. I want to dump a few custom notification sounds into root directories but can't. It's frustrating. So yeah, commenting to subscribe, and hoping a developer with a V20 in Canada decides to get excited enough to remedy the situation, whenever that becomes possible. Otherwise it seems I'll just have to get used to the odd ad and the other limitations.
Why wouldn't you just use the secret # in the hidden menu to change bands to get signal? Also, you could try searching for existing bands that are nearby; this doesn't require the hidden menu.
Not understanding what you are suggesting. I tried lots of hidden menu options to get the SIM recognized in the Note 4, but it appears the slot died on that phone. It just won't be a phone any more, no matter which ROM i flash.
If you mean the LG V20 I'm even more puzzled. How would changing bands help with rooting the phone?
GerardSamija said:
Not understanding what you are suggesting. I tried lots of hidden menu options to get the SIM recognized in the Note 4, but it appears the slot died on that phone. It just won't be a phone any more, no matter which ROM i flash.
If you mean the LG V20 I'm even more puzzled. How would changing bands help with rooting the phone?
Oops, my bad, I was sleeping while I read that. You can fix your SIM card reader, just use a solder tool. Also, there may be a root for this phone but I don't think it is safe enough yet.

Pros/Cons of Rooting Moto G5 Plus!?

I wish to root my phone(XT1686) but intend to keep the stock ROM(no bootloader unlock).
Is there any advantage in doing so? And will OTA updates be affected?
yourSAS said:
I wish to root my phone(XT1686) but intend to keep the stock ROM(no bootloader unlock).
Is there any advantage in doing so? And will OTA updates be affected?
It is not possible to root without unlocking the bootloader on this device...
If you don't have a specific reason to root, don't do it.
And once rooted, you cannot accept any OTA... most likely case if you do it will just fail, worst possible case it bricks (which can happen but is extremely rare).
To answer the question in your title, about the advantages of rooting...
Rooting gives you near full access to your device, and thus the ability to customize it beyond the options provided to you via the default interface. Also, some apps provide additional features on rooted phones. For example, some security programs recommend rooting your device so that it can more forcefully integrate itself with the device to protect against malware, hacking, etc. I tend to install a security package that works better on a rooted device, as well as make use of features that tend to only work on a rooted device, such as folder mounting from the internal SD card to the external one. Also, allows me to access system files that are unavailable otherwise, allowing me to customize certain sounds (or copy them at least).
If you decide you want to root your device, make sure you understand the steps to take BEFORE trying it. That means when you come across a guide on how to do it, make sure you get all the files that will be required and reading through the instructions step by step. If any of the steps sound like it will leave you lost on what to do, then DO NOT do any of it. Also, make sure you read the comments for the guide as well, looking for any mention of issues encountered and consider if you might encounter those issues as well. For example, if it causes issues for devices that use a particular carrier and you use that same carrier, you might want to leave well enough alone. Compare your phone version numbers with what others report having issues with (kernel, baseband, build, etc). Anything that someone has an issue with where their phone somehow matches up with yours in some way, take that as a sign to investigate deeper, so as to avoid having any issues yourself.
For the most part, unless you have a need or desire for a feature/function that requires rooting your device, don't mess with it. I'm not kidding, as one mistake can leave you without a working phone and without any options for returning/replacing it.
Thanks for the replies & warnings.
I'm not a noob so I know the risks of rooting. So maybe I should have rephrased it-
What are the advantages of rooting Moto G5 plus specifically?
Say like in terms of mods and other stuff? Also, is it possible to unroot once rooted- I mean to ask if it's possible to revert the state to factory mode with bootloader locked and stock ROM so that device will be eligible for OTA updates again?
yourSAS said:
Thanks for the replies & warnings.
I'm not a noob so I know the risks of rooting. So maybe I should have rephrased it-
What are the advantages of rooting Moto G5 plus specifically?
Say like in terms of mods and other stuff? Also, is it possible to unroot once rooted- I mean to ask if it's possible to revert the state to factory mode with bootloader locked and stock ROM so that device will be eligible for OTA updates again?
Bootloader lock is not relevant to OTAs. You might be able to relock, but the fact it was once unlocked cannot be hidden, it will always be very clear that it was unlocked.
Unrooting is easy, the issue arises undoing what you did with root, undoing them all depends what you changed.
I don't know of any reasons specific to this device to root.
acejavelin said:
Bootloader lock is not relevant to OTAs. You might be able to relock, but the fact it was once unlocked cannot be hidden, it will always be very clear that it was unlocked.
If the OEM knows I've unlocked bootloader, why will it push OTAs to my phone even though I've locked bootloader on my end? So isn't bootloader lock status relevant for OTA?
yourSAS said:
If the OEM knows I've unlocked bootloader, why will it push OTAs to my phone even though I've locked bootloader on my end? So isn't bootloader lock status relevant for OTA?
No, the status of your bootloader is not relevant... Moto will notify you of an available update and happily attempt to apply it regardless if your bootloader is locked or not.
What matters is if the boot or system partitions are changed; if there is ANY change to those, among other things like if the radio version or recovery versions don't match or the partition table is changed, the update will fail. If you flash any custom recovery it will fail as well.
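The pre-flight checks acejavelin describes (and the reason vertigo_2_20's "systemless" root stops helping the moment a root app touches /system) can be modelled in a few lines. The following is an added example written for this thread, not code from Motorola, LG or any OTA tool; the partition images, version strings and field names are constructed placeholders. It compares the hashes of the boot and system images against what the update package expects, then checks the radio version, recovery version and partition table, so a single hosts-file edit by an ad blocker or a flashed custom recovery is enough to make the update refuse to apply.

```python
"""Model of the pre-flight checks an incremental Android OTA performs before
patching. Added example with constructed data; not vendor code."""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for partition images (real ones are hundreds of MB).
STOCK_BOOT = b"boot.img: kernel + stock ramdisk (constructed sample)"
STOCK_SYSTEM = b"system.img: /system/etc/hosts -> 127.0.0.1 localhost (constructed sample)"
STOCK_PARTITIONS = ("aboot", "boot", "recovery", "system", "modem", "userdata")


def sha256(data: bytes) -> str:
    """Hex digest used as the partition fingerprint."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class DeviceState:
    """What is actually on the phone when the update tries to run."""
    boot: bytes
    system: bytes
    radio_version: str
    recovery_version: str
    partition_table: tuple


@dataclass
class OtaPackage:
    """Pre-conditions carried by the update (hypothetical field names)."""
    expected_boot: str
    expected_system: str
    required_radio: str
    required_recovery: str
    required_partitions: tuple


def ota_preflight(device: DeviceState, ota: OtaPackage) -> list:
    """Return the reasons the OTA would refuse to apply; empty list means it proceeds."""
    problems = []
    if sha256(device.boot) != ota.expected_boot:
        problems.append("boot partition does not match stock")
    if sha256(device.system) != ota.expected_system:
        problems.append("system partition does not match stock")
    if device.radio_version != ota.required_radio:
        problems.append("radio/baseband version mismatch")
    if device.recovery_version != ota.required_recovery:
        problems.append("recovery version mismatch")
    if device.partition_table != ota.required_partitions:
        problems.append("partition table changed")
    return problems


# The OTA was built against the stock images, so its expectations are their hashes.
STOCK_OTA = OtaPackage(
    expected_boot=sha256(STOCK_BOOT),
    expected_system=sha256(STOCK_SYSTEM),
    required_radio="radio-stock-1.0",        # placeholder version string
    required_recovery="recovery-stock-1.0",  # placeholder version string
    required_partitions=STOCK_PARTITIONS,
)


def stock_device() -> DeviceState:
    """Untouched phone: every check passes."""
    return DeviceState(STOCK_BOOT, STOCK_SYSTEM, STOCK_OTA.required_radio,
                       STOCK_OTA.required_recovery, STOCK_PARTITIONS)


def device_with_hosts_edit() -> DeviceState:
    """Root is 'systemless', but an ad blocker rewrote /system/etc/hosts:
    one changed line is enough to alter the system partition hash."""
    d = stock_device()
    d.system = STOCK_SYSTEM.replace(b"127.0.0.1 localhost",
                                    b"127.0.0.1 localhost\n127.0.0.1 ads.example")
    return d


def device_with_custom_recovery() -> DeviceState:
    """Stock boot and system, but a custom recovery was flashed."""
    d = stock_device()
    d.recovery_version = "custom-recovery-3.x"  # placeholder
    return d


if __name__ == "__main__":
    for name, dev in (("stock", stock_device()),
                      ("hosts edited", device_with_hosts_edit()),
                      ("custom recovery", device_with_custom_recovery())):
        print(f"{name:16s} -> {ota_preflight(dev, STOCK_OTA) or 'OTA can apply'}")
```

The hash comparison is the important part: the update does not care whether a change came from a "real" root or a systemless one, only whether the bytes on the partition still match what the patch was generated against, which is why restoring a backup of the untouched partitions is the usual way back to an updatable state.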
On this subject I mention a slight con which is that some banking or financial apps might complain to you if they detect root. I have maybe 10 different bank and credit apps installed and all work flawlessly except 1. The Huntington Bank app won't allow me to use fingerprint login but otherwise the app is fully functional, like mobile deposits. Just wanted to mention it so you're aware.
