Update LG G3 to Marshmallow

root hack

I like my LG G3 (D850, AT&T variant) for its nice balance between features, build quality, and affordability. However, the AT&T integration makes less sense for me since I use Cricket Wireless.

Last weekend I finally pulled the trigger: I rooted the LG G3, installed the latest TWRP custom recovery, and flashed the custom ROM, Fulmics 6.1, and I just had a new phone.

However, I cannot play Pokémon Go, as Niantic decided to shut down service for rooted devices; the same goes for Android Pay [1]. Also, the guest mode is replaced with multi-user support, which I deem a big step backward.

I follow the New Root Method for LG Devices, the TWRP recovery installation guide, and the Fulmics installation tutorial, with a focus on the D850 variant. Neither the original authors nor I are responsible for a bricked device or any other collateral damage.

Root

All tinkering should start with a full system backup. It is essential to back up all the photos; you won't have a second chance to take photos of your kids at two years old.

Then you need to enable the Developer Mode for ADB debugging, so we can push packages to the internal storage. We also need to install the LG Driver to communicate with the phone via the USB serial protocol used by Send_Command.exe later.

Download and unzip the LG Root package, and open a command prompt from there. The first adb session requires your consent on the device, and you should then see the attached device like this:

C:\Users\Kun\Downloads\LG_Root>adb devices
List of devices attached
LGD850d9650245  device

We then push busybox, the root script lg_root.sh, and the SuperSU package to the internal storage:

C:\Users\Kun\Downloads\LG_Root>adb.exe push busybox /data/local/tmp/ && adb.exe push lg_root.sh /data/local/tmp && adb.exe push UPDATE-SuperSU-v2.46.zip /data/local/tmp
2848 KB/s (1048328 bytes in 0.359s)
1067 KB/s (9319 bytes in 0.008s)
2705 KB/s (4017098 bytes in 1.450s)

Boot the phone into LG Advanced Flash (LAF) mode as follows:

  1. Power off the phone.
  2. Hold the volume up button and connect the phone to the PC with a USB cable.
  3. Wait for the Firmware Update screen to show on the phone.

Find the serial port, aka ttyUSB in a POSIX environment:

C:\Users\Kun\Downloads\LG_Root>ports.bat

C:\Users\Kun\Downloads\LG_Root>reg query HKLM\hardware\devicemap\SERIALCOMM:vs

HKEY_LOCAL_MACHINE\hardware\devicemap\SERIALCOMM
    \Device\LGANDNETMDM0    REG_SZ    COM4
    \Device\LGANDNETDIAG1    REG_SZ    COM3

Notice that \Device\LGANDNETDIAG1 is mapped to COM3 (YMMV), so we can open a serial console as:

C:\Users\Kun\Downloads\LG_Root>Send_Command.exe \\.\COM3
Author : blog.lvu.kr
SPECIAL COMMAND : ENTER, LEAVE

I could not find the secret sauce of the magic Send_Command, but the Unix port shed some light on it: it opens the serial port, COM3 in our case, and then writes the command to the stream with crafted packing. I assume this may exploit the vulnerability to gain root access?

Within the command prompt, we grant SuperSU root privilege and have it launched at boot:

# sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox

After the command is done, you have to disconnect the USB cable, then pull the battery out and put it back to restart the phone.

TWRP recovery

TeamWin TWRP is a powerful utility that boots the phone into recovery mode with root access to the system partition, more or less like a Linux LiveCD. See the original README for more details.

Download and unzip the latest version, 3.0.2.0 at the time of writing. Copy the recovery.img to the SD card, and in the adb shell session:

1|shell@g3:/ $ su
su

root@g3:/ # dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/recovery
/dev/block/platform/msm_sdcc.1/by-name/recovery: write error: No space left on device
32769+0 records in
32768+0 records out
16777216 bytes transferred in 1.239 secs (13540933 bytes/sec)

1|root@g3:/ # dd if=/sdcard/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
28884+1 records in
28884+1 records out

We first zero-filled the recovery partition, then wrote the TWRP recovery image to it. You can safely ignore the "No space left on device" error: dd reads from /dev/zero without a count, so it keeps writing until the 16 MiB partition is full.
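The raw dd write above performs no integrity checking of its own, so here is an added example (not part of the original guide) that wraps the write in three checks: the digest before flashing, the image size against the partition size, and a read-back comparison afterwards. It runs on a host with ordinary files as stand-ins for the partition; the expected digest is assumed to come from a trusted download source, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: integrity checks around a raw dd flash of a recovery image.
# Files used in demo() are constructed stand-ins, not real device paths.

# Size of a file in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# Succeeds only if the image's SHA-256 equals the expected digest.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Succeeds only if the image is no larger than the partition (in bytes).
fits_partition() { [ "$(file_size "$1")" -le "$2" ]; }

# Read back exactly image-size bytes from the target and compare.
readback_matches() {
    head -c "$(file_size "$1")" "$2" | cmp -s - "$1"
}

# flash_checked IMG TARGET PART_BYTES EXPECTED_SHA256
# Returns 1 digest mismatch, 2 too large, 3 write error, 4 readback mismatch.
flash_checked() {
    verify_sha256 "$1" "$4" || { echo "digest mismatch" >&2; return 1; }
    fits_partition "$1" "$3" || { echo "image too large" >&2; return 2; }
    # conv=notrunc keeps a regular-file stand-in at its full size.
    dd if="$1" of="$2" conv=notrunc 2>/dev/null || return 3
    readback_matches "$1" "$2" || { echo "readback mismatch" >&2; return 4; }
}

# Constructed demo: a 16 KiB zero-filled file plays the recovery partition.
demo() {
    dir=$(mktemp -d)
    head -c 16384 /dev/zero > "$dir/recovery.part"
    printf 'constructed recovery image\n' > "$dir/recovery.img"
    sum=$(sha256sum "$dir/recovery.img" | cut -d' ' -f1)
    rc=0
    flash_checked "$dir/recovery.img" "$dir/recovery.part" 16384 "$sum" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo && echo "flash verified"
```

On the phone, the target would be the by-name/recovery block device shown above and the partition size the 16777216 bytes reported by the zero-fill.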

Flash the Fulmics

Please read the Fulmics installation tutorial thoroughly and carefully; it contains lots of advice and detailed instructions. The TL;DR version is:

After the reboot, open the Fulmics Hub app, click the hamburger menu, and then Fixes to install the D850 data fix. This fix is required to enable mobile data networking on the D850.

The next step is to override the default APN setting: open the Fulmics Tweak app, switch to the Advanced tab, click Hidden Menu > Modem Protocol > PDP Setting > [5] APN Setting, press and hold the recent apps button to add a New APN, then follow the BYOP to Cricket:

At the time of writing, Fulmics 6.1 does not support a ramdisk compressed in the gzip format, so it cannot load Magisk during bootup. Fulmics 6.5 adds gzip support.

Footnotes

  1. You may want to check out Magisk for the systemless root approach.