Update LG G3 to Marshmallow
I like my LG G3 (D850, AT&T variant) for its nice balance between features, build quality, and affordability. However, the AT&T integration makes less sense for me since I use Cricket Wireless:
- The network tethering is disabled as “No AT&T sim is found”.
- The address book flickers when opened due to the AT&T address book access failure.
- No OTA software update, ever.
Last weekend I finally pulled the trigger: I rooted the LG G3, installed the latest TWRP custom recovery, and flashed the custom ROM, Fulmics 6.1; and I just had a new phone:
- The software is updated to Android 6.0, Marshmallow.
- The network tethering finally works.
However, I cannot play Pokémon Go, as Niantic decided to shut down service for rooted devices; the same goes for Android Pay[1]. Also, the guest mode is replaced with multi-user support, which I deem a big step backward.
Root
All tinkering should start with a full system backup. It is essential to back up all the photos; you won't have a second chance to take photos of your kids at two years old.
Then you need to enable Developer Mode for ADB debugging, so we can push packages to the internal storage. We also need to install the LG driver to communicate with the phone over the USB serial protocol used by Send_Command.exe later.
Download and unzip the LG Root package, and open a command prompt from there. The first adb session requires your confirmation on the device, after which you should see the attached device like this:
C:\Users\Kun\Downloads\LG_Root>adb devices
List of devices attached
LGD850d9650245 device
We then push busybox, the root script lg_root.sh, and the SuperSU package to the internal storage:
C:\Users\Kun\Downloads\LG_Root>adb.exe push busybox /data/local/tmp/ && adb.exe push lg_root.sh /data/local/tmp && adb.exe push UPDATE-SuperSU-v2.46.zip /data/local/tmp
2848 KB/s (1048328 bytes in 0.359s)
1067 KB/s (9319 bytes in 0.008s)
2705 KB/s (4017098 bytes in 1.450s)
Boot the phone into LG Advanced Flash (LAF) mode as follows:
- Power off the phone
- Hold the volume-up button and connect the phone to the PC with a USB cable
- Wait for the Firmware Update screen to show on the phone.
Find the serial port, aka ttyUSB in a POSIX environment:
C:\Users\Kun\Downloads\LG_Root>ports.bat
C:\Users\Kun\Downloads\LG_Root>reg query HKLM\hardware\devicemap\SERIALCOMM:vs
HKEY_LOCAL_MACHINE\hardware\devicemap\SERIALCOMM
\Device\LGANDNETMDM0 REG_SZ COM4
\Device\LGANDNETDIAG1 REG_SZ COM3
Notice that \Device\LGANDNETDIAG1 is mapped to COM3 (YMMV), so we can open a serial console as:
C:\Users\Kun\Downloads\LG_Root>Send_Command.exe \\.\COM3
Author : blog.lvu.kr
SPECIAL COMMAND : ENTER, LEAVE
I could not find the secret sauce of the magic Send_Command, but the Unix port sheds some light on it: it opens the serial port, COM3 in our case, and then writes the command to the stream with crafted packing. I assume this may exploit the vulnerability to gain root access?
Within the command prompt, we grant the SuperSU root privilege and launch it when booting up:
# sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
After the command is done, you have to disconnect the USB cable, pull the battery out, and put it back to restart the phone.
TWRP recovery
TeamWin TWRP is a powerful utility that boots the phone into recovery mode with root access to the system partition, more or less like a Linux LiveCD. See the original README for more details.
Download and unzip the latest version, 3.0.2.0 at the time of writing. Copy recovery.img to the SD card, and in the adb shell session:
1|shell@g3:/ $ su
su
root@g3:/ # dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/recovery
/dev/block/platform/msm_sdcc.1/by-name/recovery: write error: No space left on device
32769+0 records in
32768+0 records out
16777216 bytes transferred in 1.239 secs (13540933 bytes/sec)
1|root@g3:/ # dd if=/sdcard/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
28884+1 records in
28884+1 records out
We first zero-filled the recovery partition, then wrote the TWRP recovery image to it. You can safely ignore the "No space left on device" error: the first dd was given no count, so it reads from /dev/zero until the partition is full.
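The dd step writes whatever is in recovery.img straight to a boot-critical partition, so it is worth checking the file before flashing and reading it back afterwards. The following is an added example, not part of the original post: the function names are hypothetical, the expected SHA-256 must come from the image publisher (it is not on this page), 16777216 is the partition size reported by the dd output above, and `sha256sum` and `head` are assumed to be available (for example as busybox applets).

```shell
#!/bin/sh
# Added example: checks to run around the "dd if=recovery.img of=.../recovery" step.

# sha256_of FILE -> prints the hex digest only
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# preflight IMAGE EXPECTED_SHA256 PARTITION_BYTES
# Returns 0 only if the image exists, fits the partition and matches the
# published hash. Distinct non-zero codes identify which check failed.
preflight() {
    img=$1; want=$2; part_bytes=$3
    [ -f "$img" ] || { echo "missing image: $img" >&2; return 2; }
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -gt "$part_bytes" ]; then
        echo "image ($size B) larger than partition ($part_bytes B)" >&2
        return 3
    fi
    got=$(sha256_of "$img")
    if [ "$got" != "$want" ]; then
        echo "hash mismatch: got $got" >&2
        return 4
    fi
    return 0
}

# readback_ok IMAGE TARGET
# The recovery partition is larger than the image and was zero-filled first,
# so hashing the whole partition would never match. Compare only the first
# <image size> bytes of the target with the image.
readback_ok() {
    img=$1; target=$2
    size=$(wc -c < "$img" | tr -d ' ')
    a=$(sha256_of "$img")
    b=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Usage (placeholder hash, paths from the session above):
#   preflight /sdcard/recovery.img <PUBLISHED_SHA256> 16777216 &&
#   dd if=/sdcard/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery &&
#   readback_ok /sdcard/recovery.img /dev/block/platform/msm_sdcc.1/by-name/recovery
```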
Flash the Fulmics
Please read the Fulmics installation tutorial thoroughly and carefully; it contains lots of advice and detailed instructions. The TL;DR version is:
- Backup, backup, backup. We should back up the whole system: at least the system, data, and boot partitions in TWRP, plus efs and modem just in case.
- Clean flash is highly recommended. It is not worth the hassle to clean up the mess if a dirty flash does not work.
- The order matters. When flashing multiple images in the TWRP, the last triumphs.
- In the Aroma installer, pay extra attention to the device carrier.
After the reboot, open the Fulmics Hub app, click the hamburger menu, and then Fixes to install the D850 data fix. This fix is required to enable mobile data networking on the D850.
The next step is to override the default APN setting: open Fulmics Tweak app, switch to Advanced tab, click Hidden Menu > Modem Protocol > PDP Setting > [5] APN Setting, press and hold the recent app button to add New APN, then follow the BYOP to Cricket:
- Name: Internet
- APN: ndo
- MMSC: http://mmsc.aiowireless.net
- MMS Proxy: proxy.aiowireless.net
- Multimedia Message Port: 80
- MCC: 310
- MNC: 150
- APN type: default,mms,fota,hipri,supl
- APN protocol: IPv4
- APN roaming protocol: IPv4
- Turn APN on/off: ON
[1] At the time of writing, Fulmics 6.1 does not support ramdisks compressed in gzip format, so it cannot load Magisk during bootup. Fulmics 6.5 adds gzip support.