WARNING

Keep in mind - the title says it all:

It is more than a PoC at this point, but it is still a WIP and currently in the process of going from beta to stable!



Most important:



DO NOT FLASH WITH ANY FIREHOSE (if you don't know what this sentence means - good!!).

Using a firehose programmer will put your device in a state which makes it more or less useless!

That means if you ever come into the situation where someone tells you: "Use QFIL to program with firehose ....."

DO NOT do this until you know about the heavy consequences! You may not like the result.

This is a general warning regarding all the unbrick 9008 guides you can find here at XDA and elsewhere!



About

You will be able to flash TWRP

You will be able to flash stock LP, MM, N

You will be able to flash any custom ROM of your choice (any Android version)

Of course you can root with SuperSU or Magisk

Prepare yourself today!

- Setup SALT - I highly recommend FWUL in persistent mode to do so
- Downgrade to LP or MM if needed
- Do a basic backup with SALT





At the moment of writing this is a Proof of Concept (PoC) to unlock the bootloader on any G4 model like H810, H812, non-international H815, etc.



Thanks to @neutrondev I know a little bit more about the how and what of the eMMC programming. Thanks again!



If you are brave enough and you have read the limitations three times and STILL want to test it for your device, let me know. Chances are ~5% that it works at all, i.e. a 95 (no) to 5 (yes) chance of getting the device fully working (so HIGH CHANCE OF FAILURE!).



The method SEEMS TO depend on an Anti Rollback of 0 / non-fused device:



QFUSE in technical terms (thanks to @neutrondev):

Quote: Originally Posted by neutrondev
Quote: How are those fuses working and why can't this be reverted?

As you already know all our electronics work by lithography on a silicon wafer. On this silicon wafer there are millions of transistors. By software means you can overload one transistor (that is normally in the off state) with a higher voltage than needed. By doing this for a long enough time you will actually break down the oxide between the gate and the substrate and you will have a conductive channel all the time (from a logic 0 to a logic 1 or vice versa, depends on the implementation). THERE IS NO WAY TO BUILD THE OXIDE LAYER AGAIN.

QFUSE explained source 1

QFUSE explained source 2

Anti Rollback + QFUSE



That means atm this should work for (see Proofs topic for the confirmed ones!):

- LS991 - as far as I can say: the only device WITHOUT ANY functional limitations!!
- H810
- H812
- VS986 - as long as Anti Rollback is not set or 0
- any H81x - as long as Anti Rollback is not set or 0

Check the Anti Rollback on your device and report back!

The following is confirmed to work on MM:

1. Open the phone app

2. In the dial-pad, enter the following code: *#546368#*<last three digits of your model number>#*

Examples:

H812: *#546368#*812#*

H815: *#546368#*815#*

3. Click SVC Menu

4. Click Version Info

5. At the very bottom, you should see the Anti-rollback value

Yesterday I bought the Infinity Box to check if we can recover with this plus maybe unlock the other models.

This will take about 20 days until it gets delivered (ETA = 14th of August). Until then I will look into some other ways of course..

Infinity Box doesn't help me out here.. good bye to the money



Keep in mind - the title says it all:

It's a PoC and a WIP and it's in Alpha state, which just means I'm at the beginning and many more bad or good things may happen. Who knows.

What does PoC mean?

1) It's a heavily in-progress thing. Do not expect anything finished yet
2) The main goal is to prove that we can unlock the bootloader even on devices not enabled for it
3) The whole process is very - I mean - VERY advanced. At least for NOW.
4) Atm there are heavy limitations (see known issues topic)



Why



Ok, first of all: I own a H815 international device. This can be officially unlocked. The story should end here, right? Why should I try to find a way to unlock the device unofficially???

Hm, a good question. The answer is: I don't remember HOW it started, but if I begin things I want to finish them. Well, in the end one can say the reason is a lack of features in TWRP:

TWRP at the time I bought my G4 was not able to decrypt fully encrypted devices (I encrypt everything and always), so I started to fix this with all the stuff around it which is required for this. Besides this I fixed other stuff which was annoying you and me in TWRP, added features and so on.

Once this was done it continued with android_FIsH and so TWRP-in-FIsH - which was mainly another Proof of Concept to see if we can boot TWRP without flashing it. This way I brought TWRP to bootloader-locked devices.

Well, but here there was one big issue: TWRP-in-FIsH works only up to LL, so I started to find a way to make it possible on later Android versions. That took some more weeks where I tried to find other approaches.

I began to investigate the boot chain, bootloader, exploits and more to understand and find a way, in the hope of an easy backdoor or something.

So many setbacks within the whole process, up to the day I started investigating even deeper, down to the qcom low-level base... and here we are now.





How



At the moment of writing the way is as follows:

Method 1) Open your device and short 2 pins
Method 2) Erase the TZ partition in download mode

Then (in 9008 mode):
- Convert your device to a LS991 by flashing a specially prepared bootloader stack
- To have all your country related stuff you need to flash the STOCK ROM of your device model, but in a way that does not touch that new bootloader stack (NO KDZ!!). This step MAY require re-partitioning the device.
- Flash TWRP in special steps
- You're unlocked and can now boot into TWRP to flash whatever you want.

Even though the following steps go into more detail, they still require much knowledge and are not for inexperienced users!

That's for a reason: as long as all this is just a PoC in Alpha state I want to avoid users doing it without actually knowing about the consequences. When ready I will release a step-by-step one:



Quote:
-> windows preparation

reboot into the advanced startup options so you can turn off driver signature enforcement: shutdown.exe /r /o /f /t 00

install QPST, drivers and stuff

-> download mode (lglaf shell):

backup the WHOLE mmcblk0!

-> DIAG mode:

*#546368#*815#* -> SVC MENU -> ...?! PORT TEST

backup QCN !!!!!!!

-> 9008 mode:

backup

convert to LS991

-> in fastboot: flash all partitions but without the bootloader unlock partitions!

for i in $(find ./*.image | cut -d / -f 2 | grep -Evi "(gpt|aboot.|boot.|laf.|tz.|sbl1.|pmic.|rpm.|sdi.|hyp.|misc)"); do fastboot flash "${i/.image}" "$i"; done

(no space before "hyp." in the pattern - with a leading space it would not match hyp.image and that partition would get flashed)

sudo fastboot format userdata

Install TWRP. This is a sensitive step-by-step guide! Follow it EXACTLY, otherwise TWRP would be replaced by the stock recovery (a normal boot of the stock system restores the stock recovery).

sudo fastboot flash boot twrp.img (yes, to BOOT!!)

sudo fastboot reboot

you should see TWRP!

copy the TWRP image via MTP to your device

flash the TWRP image file by using: Install -> Install Image button -> choose twrp.img -> choose recovery partition

IMPORTANT: now choose the home button and reboot -> then RECOVERY!!! That's crucially important and you should see TWRP afterwards

reboot -> bootloader

sudo fastboot flash boot boot.image (yes, we overwrite boot with the correct boot image now)

Optional: sudo fastboot flash boot boot_permissive.img (sets SELinux to permissive)

Hint: The lglaf shell in download mode will work only when there is a system partition flashed!
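The fastboot loop above decides what gets flashed with a case-insensitive regex, and a regex with unescaped dots or stray whitespace can silently include or exclude the wrong partition. The following is an added example of my own (not code from this thread, SALT or lglaf) that builds the list of fastboot commands from a directory of <partition>.image files with an exact-name deny list instead. The protected names are the ones from the exclusion list above; that backup copies are named with a "bak" suffix (e.g. abootbak) and should be held back like their primaries is an assumption, as are the one-file-per-partition layout and the dry-run default.

```python
import os
import subprocess

# Partitions of the converted (LS991) bootloader stack plus misc, taken from the
# exclusion list in the fastboot loop above. Reflashing any of them from a stock
# image set would undo the unlock; 'boot' is held back because TWRP goes there
# first and the real boot image is flashed separately at the end.
PROTECTED = {"aboot", "boot", "laf", "tz", "sbl1", "pmic", "rpm", "sdi", "hyp", "misc"}


def is_protected(partition, protected=PROTECTED):
    """Exact-name check instead of a regex with unescaped dots.

    Both GPT copies (PrimaryGPT/BackupGPT) and the '<name>bak' backup copies of
    the protected partitions are held back too (assumption: the naming scheme
    uses a 'bak' suffix for them, e.g. abootbak).
    """
    name = partition.lower()
    if "gpt" in name:
        return True
    if name.endswith("bak"):
        name = name[:-3]
    return name in protected


def flash_plan(image_files, protected=PROTECTED):
    """Return (partition, path) pairs to flash, in a stable (sorted) order.

    Only files ending in '.image' are considered; the partition name is the file
    name without that suffix (the convention used by the loop above).
    """
    plan = []
    for path in sorted(image_files):
        base = os.path.basename(path)
        if not base.endswith(".image"):
            continue
        partition = base[: -len(".image")]
        if is_protected(partition, protected):
            continue
        plan.append((partition, path))
    return plan


def fastboot_commands(plan, sudo=False):
    """Turn a plan into argv lists; 'sudo' mirrors the thread's 'sudo fastboot' usage."""
    prefix = ["sudo"] if sudo else []
    return [prefix + ["fastboot", "flash", part, path] for part, path in plan]


def run_plan(plan, dry_run=True, sudo=False):
    """Execute (or, by default, only return) the fastboot commands for a plan."""
    cmds = fastboot_commands(plan, sudo)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)  # stop at the first failed flash
    return cmds


if __name__ == "__main__":
    # Constructed file list standing in for a stock image directory (not a real dump).
    sample = ["./system.image", "./aboot.image", "./abootbak.image", "./hyp.image",
              "./modem.image", "./PrimaryGPT.image", "./recovery.image", "./README.txt"]
    for cmd in run_plan(flash_plan(sample), dry_run=True):
        print(" ".join(cmd))
```

Run it with dry_run=True first and read the printed commands against the partition list of your dump; only then call run_plan(plan, dry_run=False). Holding misc back here matches the fix further down in the thread, where misc is restored from your own backup rather than from a stock image.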



Known issues | Limitations



Ok, read this carefully. Read it at least 3 times and if you do not understand something, ASK!

- SERIOUS: There is no way back once you go this way. Maybe there will be a way back one day but tbh I DO NOT THINK SO (this requires leaked files by LG). So prepare yourself. If the issues mentioned on the next lines can't be fixed that means you will get stuck with a maybe forever unusable device!

- The chance that you will lose any warranty when doing this? 99.9999%! You can have luck, but the change is heavy and even my grandma will understand that something strange happened to this phone.
  UPDATE: Well, I sent my device back to LG twice while completely hard bricked due to my unlocking attempts, without any problem though. It can differ in your country ofc..

- IMEI gets lost after flashing - SOLVED (flash fsg plus an erase of modemst1 and 2 required. I will sort out the exact way later)

- WiFi MAC gets lost (no WiFi connection possible) after flashing -> easy to fix when you have made a backup - SOLVED (flash misc backup and maybe an erase of modemst1 and 2. I will sort out the exact way later)

- Camera is unusable (FCs) - PARTIALLY SOLVED (flash the LS991 modem image. Prevents cell service from working though. adsp and modem and maybe others are SIGNED!)

- NO SOUND - errors regarding audio in logcat - PARTIALLY SOLVED (flash the LS991 adsp files from the modem image. Those files are signed.)

- Errors regarding qseecomd (device encryption, keymaster stuff etc) (first test of replacing rpm in a non-destructive way looks good but needs further testing)

- Before flashing ANYTHING (TOT or KDZ) you have to ensure that the Anti Rollback version will not be increased!! That's f** important! Otherwise you may get a completely useless/bricked device which can be recovered by LG only

- You may not be able to use KDZ flashing with LGUP anymore. If things go wrong for you one day it's not the end of the journey. You just need to boot into qcom 9008 mode and reflash the bootloader stack and you're back in business. BUT: Read the previous issue! Anti Rollback is crucial for this! If you flash any higher rollback version you are f***!

- TWRP does not detect the device (easy to fix though) (I will add the proper detection in the official TWRP once the other stuff is done, or earlier when I get bored) - SOLVED (see post #27)

- Cell service not working -> reason is not clear atm. We have users with H810 where it works quite well without the SPRINT network.. (flashing the LS991 modem will prevent other networks from working - obviously. I work on a fix to replace the baseband with a device-specific one.)

Completely untested:

- phone calls for any other device than H810 (hey, I need to fix the cell service / baseband issue first)

- internet over LTE, GSM etc for any other device than H810

- everything else
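Several of the fixes above (restore misc for the WiFi MAC, flash fsg for the IMEI) need single partitions out of the full mmcblk0 backup taken in the lglaf step, and a dump you cannot trust is worse than none. The following is an added example of my own, not code from this thread, SALT or lglaf: it parses the primary GPT at the start of such a raw dump, verifies both GPT CRCs before using the table, and carves a partition out by name so the result can be handed to fastboot flash. It assumes a raw dump with 512-byte sectors and a standard GPT at LBA 1; the tiny disk image it builds to demonstrate this is constructed, not a real G4 dump, and the partition sizes in it are made up.

```python
import struct
import zlib

SECTOR = 512
# GPT header (92 bytes) and partition entry (128 bytes), little-endian, UEFI layout.
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")
GPT_ENTRY = struct.Struct("<16s16sQQQ72s")
EMPTY_GUID = b"\0" * 16


def _crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt(image, sector=SECTOR):
    """Return [{'name', 'first_lba', 'last_lba'}] from the primary GPT of a raw dump.

    Raises ValueError if the signature or either CRC is wrong, so a truncated or
    damaged backup is rejected instead of yielding garbage offsets.
    """
    raw = image[sector:sector + GPT_HEADER.size]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first_use, _last_use,
     _guid, table_lba, n_entries, entry_size, table_crc) = GPT_HEADER.unpack(raw)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    header = bytearray(image[sector:sector + hdr_size])
    header[16:20] = b"\0\0\0\0"  # the header CRC is computed with its own field zeroed
    if _crc(header) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = table_lba * sector
    table = image[start:start + n_entries * entry_size]
    if _crc(table) != table_crc:
        raise ValueError("GPT partition table CRC mismatch")
    parts = []
    for i in range(n_entries):
        entry = table[i * entry_size:i * entry_size + GPT_ENTRY.size]
        type_guid, _uniq, first, last, _attrs, name = GPT_ENTRY.unpack(entry)
        if type_guid == EMPTY_GUID:
            continue  # unused slot
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "first_lba": first, "last_lba": last})
    return parts


def carve(image, name, sector=SECTOR):
    """Return the raw bytes of partition `name` (e.g. 'fsg', 'misc') from the dump."""
    for p in parse_gpt(image, sector):
        if p["name"] == name:
            return bytes(image[p["first_lba"] * sector:(p["last_lba"] + 1) * sector])
    raise KeyError("partition %r not in GPT" % name)


def gpt_is_intact(image, sector=SECTOR):
    """True if the primary GPT parses and both CRCs verify."""
    try:
        parse_gpt(image, sector)
        return True
    except ValueError:
        return False


def build_sample_dump(layout, total_sectors=64, sector=SECTOR):
    """Constructed test disk: MBR sector, GPT header at LBA 1, 4-entry table at LBA 2.

    `layout` is [(name, first_lba, last_lba, fill_byte)]; each partition is filled
    with its fill byte so carve() results are recognisable. Not a real G4 layout.
    """
    img = bytearray(total_sectors * sector)
    table = b""
    for name, first, last, fill in layout:
        table += GPT_ENTRY.pack(b"\x11" * 16, b"\x22" * 16, first, last, 0,
                                name.encode("utf-16-le").ljust(72, b"\0"))
        img[first * sector:(last + 1) * sector] = bytes([fill]) * ((last - first + 1) * sector)
    n_entries = 4
    table = table.ljust(n_entries * GPT_ENTRY.size, b"\0")
    img[2 * sector:3 * sector] = table.ljust(sector, b"\0")
    fields = [b"EFI PART", 0x00010000, GPT_HEADER.size, 0, 0, 1, total_sectors - 1,
              3, total_sectors - 2, b"\x33" * 16, 2, n_entries, GPT_ENTRY.size, _crc(table)]
    fields[3] = _crc(GPT_HEADER.pack(*fields))  # fill in the header CRC last
    img[sector:sector + GPT_HEADER.size] = GPT_HEADER.pack(*fields)
    return bytes(img)


SAMPLE_LAYOUT = [("misc", 8, 9, 0xAA), ("fsg", 10, 13, 0xBB), ("modemst1", 14, 15, 0xCC)]

if __name__ == "__main__":
    dump = build_sample_dump(SAMPLE_LAYOUT)  # in practice: open("mmcblk0.img", "rb").read()
    for p in parse_gpt(dump):
        print("%-10s LBA %d-%d" % (p["name"], p["first_lba"], p["last_lba"]))
    print("fsg: %d bytes carved" % len(carve(dump, "fsg")))
```

Against a real backup, read the whole mmcblk0 image into `dump`, check gpt_is_intact() first, then write carve(dump, "fsg") to fsg.image and flash it with fastboot flash fsg fsg.image. Only the primary GPT is checked here; a dump whose primary table is damaged but whose backup GPT at the end of the disk survives is rejected rather than silently repaired.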

Proofs?!



IMPORTANT NOTE: THE FOLLOWING LIST IS NOT CURRENT! FOR A CURRENT LIST FOLLOW THIS THREAD AND WATCH OUT FOR THE LATEST STATE REPORT

Devices and Users (if you do not see your device here it does not mean that it will not work for it, but you would be the first for your model)



H815 EUR (no cell service so no calls possible atm)

- User @steadfasterX

H815T (confirmed to be unlocked but device now caught by the ILAPO...)

- User @the_naxhoo

H812 (not completely tested yet - no SIM card test possible, sound, cam, wifi works)

- User @SePhIrOtX

H810 (fully working!! except 4G -> as we cannot test it)

- User @Chebhou

- User @fawadshah33 (cell service working but no confirmation for mobile data yet)

Downloads

Participate / Support / IRC Channel

- PC (HexChat and Pidgin are only 2 of them! This list is not complete!)
- Android (Yaaic, AndChat, HoloIRC, AndroIRC are only a few of them! This list is not complete!)
- Web (KiwiIRC-Web, FreenodeWebchat)

When you have to choose a channel it is: #Carbonfusion-user

When you are asked for a server network choose: freenode

During the journey of this PoC the way of unlocking changed several times! I named my latest approach UsU, which stands for: Unofficial secureboot-off/steadfasterX Unlock. UsU is the latest approach without any functional limitations and will be super easy to flash. It is still a WIP, so if you want to keep updated on when UsU will be released, subscribe to this thread. I understand that all this is very exciting, but before releasing I want to ensure I give you the best experience for flashing and using. You may have some questions, so I decided to sum up the most important ones here:

- UsU will work for any G4 model for sure and has already for almost any model.
- UsU has no restriction on a specific G4 model or country version.
- UsU will work on any ARB, but you will need LP or MM to actually flash UsU.
- UsU will enable you to use your device like an officially unlocked one with just some small limitations. Everything else (cell service, mobile data, wifi, BT, call, sms, etc).
- All the information about what and how will be released together with UsU when ready.
- Before asking for an ETA ensure you read the Announcement link of this thread (requires a browser).
- The unlock will be done by SALT, which ensures all precautions are taken and the whole flashing progress can be verified multiple times.
- Yea, there are proofs already, that's why I began this thread. I first wanted to wait up to the time I had one.
- Maybe some stuff to watch first? Go on here: https://forum.xda-developers.com/showpost.php?p=73204281&postcount=23
- Wait. Be patient.

IRC means Internet Relay Chat and you will get best support there only. Choose how to get in: