I like my LG G3 (D850, AT&T variant) for its nice balance between features, build quality, and affordability. However, the AT&T integration makes less sense for me since I use Cricket Wireless:
- The network tethering is disabled as “No AT&T sim is found”.
- The address book flickers when opened because access to the AT&T address book fails.
- No OTA software update, ever.
Last weekend I finally pulled the trigger: I rooted the LG G3, installed the latest TWRP custom recovery, and flashed the custom ROM, Fulmics 6.1. It feels like a new phone:
- The software is updated to Android 6.0, Marshmallow.
- The network tethering finally works.
However, I cannot play Pokémon Go, as Niantic decided to shut down service for rooted devices; the same goes for Android Pay [1]. Also, the guest mode is replaced with multi-user support, which I deem a big step backward.
All tinkering should start with a full system backup. It is essential to back up all the photos; you won't have a second chance to take photos of your kids at two years old.
Then enable Developer Mode for ADB debugging, so we can push packages to the internal storage. We also need to install the LG Driver to communicate with the phone via the USB serial protocol used by the
Download and unzip the LG Root package, and open a command prompt from there. The first `adb` session requires your consent on the device, and you should then see the attached device like this:

```
C:\Users\Kun\Downloads\LG_Root>adb devices
List of devices attached
LGD850d9650245 device
```
We then push the busybox, the root script `lg_root.sh` and the SuperSU package to the internal storage:

```
C:\Users\Kun\Downloads\LG_Root>adb.exe push busybox /data/local/tmp/ && adb.exe push lg_root.sh /data/local/tmp && adb.exe push UPDATE-SuperSU-v2.46.zip /data/local/tmp
2848 KB/s (1048328 bytes in 0.359s)
1067 KB/s (9319 bytes in 0.008s)
2705 KB/s (4017098 bytes in 1.450s)
```
Boot the phone into LG Advanced Flash (LAF) mode as follows:
- Power off the phone.
- Hold the volume up button and connect the phone to the PC with a USB cable.
- Wait for the Firmware Update screen to show on the phone.
Find the serial port, aka ttyUSB in a POSIX environment:
```
C:\Users\Kun\Downloads\LG_Root>ports.bat

C:\Users\Kun\Downloads\LG_Root>reg query HKLM\hardware\devicemap\SERIALCOMM:vs

HKEY_LOCAL_MACHINE\hardware\devicemap\SERIALCOMM
    \Device\LGANDNETMDM0    REG_SZ    COM4
    \Device\LGANDNETDIAG1    REG_SZ    COM3
```

`\Device\LGANDNETDIAG1` is mapped to `COM3`, YMMV; so we can open a serial console as:

```
C:\Users\Kun\Downloads\LG_Root>Send_Command.exe \\.\COM3
Author : blog.lvu.kr
SPECIAL COMMAND : ENTER, LEAVE
```
I could not find the secret sauce of the magic `Send_Command`, but the Unix port sheds some light on it: it opens the serial port, `COM3` in our case, and then writes the command to the stream with crafted packing. I assume this may exploit the vulnerability to gain the root access?
Within the command prompt, we grant the SuperSU root privilege and launch it when booting up:
```
# sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
```

After the command is done, disconnect the USB cable, then pull the battery out and put it back to restart the phone.
TeamWin TWRP is a powerful utility that boots the phone into recovery mode with root access to the system partition, more or less like a Linux LiveCD. See the original README for more details.
Download and unzip the latest version, 220.127.116.11 at the time of writing. Copy the `recovery.img` to the SD card, and in the `adb shell` session:

```
1|shell@g3:/ $ su
su
root@g3:/ # dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/recovery
/dev/block/platform/msm_sdcc.1/by-name/recovery: write error: No space left on device
32769+0 records in
32768+0 records out
16777216 bytes transferred in 1.239 secs (13540933 bytes/sec)
1|root@g3:/ # dd if=/sdcard/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
28884+1 records in
28884+1 records out
```
We first zero-filled the recovery partition, then wrote the TWRP recovery image to it. You can safely ignore the `No space left on device` error: `dd` reading from `/dev/zero` simply keeps writing until the partition is full.
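A read-back check for the flash above, added here as an example (it is not part of the original post, the LG Root package or TWRP): it hashes the first image-sized bytes of the partition against `recovery.img` and confirms the rest is still zero-filled. It assumes `sha256sum`, `head -c`, `tail -c` and `tr` are available in the root shell, for instance from the busybox binary pushed earlier; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that a dd-flashed image landed intact on a partition.
# The partition is larger than the image, so only the first <image size>
# bytes are read back and hashed.

# Print the SHA-256 of the first $2 bytes of file or block device $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_flash IMAGE PARTITION
# Returns 0 if the partition starts with the exact image bytes, 1 on a
# mismatch, 2 if a path is unreadable or the partition is too small.
verify_flash() {
    image=$1
    partition=$2
    [ -r "$image" ] && [ -r "$partition" ] || return 2

    size=$(wc -c < "$image" | tr -d ' ')
    [ "$size" -gt 0 ] || return 2
    # A short read means the partition cannot hold the whole image.
    avail=$(head -c "$size" "$partition" | wc -c | tr -d ' ')
    [ "$avail" -eq "$size" ] || return 2

    want=$(hash_prefix "$image" "$size")
    got=$(hash_prefix "$partition" "$size")
    [ "$want" = "$got" ]
}

# tail_is_zeroed IMAGE PARTITION
# Returns 0 if every byte after the image is zero, i.e. the earlier
# zero-fill left no remnants of the previous recovery behind the new one.
tail_is_zeroed() {
    size=$(wc -c < "$1" | tr -d ' ')
    leftover=$(tail -c +"$((size + 1))" "$2" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# Usage in the root shell on the device (paths as in the session above):
#   P=/dev/block/platform/msm_sdcc.1/by-name/recovery
#   verify_flash /sdcard/recovery.img "$P" && tail_is_zeroed /sdcard/recovery.img "$P" \
#       && echo "recovery OK"
```

Run it before rebooting into recovery; a non-zero status from `verify_flash` means the `dd` should be repeated rather than trusted.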
Flash the Fulmics
Please read the Fulmics installation tutorial thoroughly and carefully; it contains lots of advice and detailed instructions. The TL;DR version is:
- Backup, backup, backup. We should back up the whole system: at least the system, data, and boot partitions in TWRP, plus efs and modem just in case.
- A clean flash is highly recommended. It is not worth the hassle to clean up the mess if a dirty flash does not work.
- The order matters. When flashing multiple images in TWRP, the last one wins.
- In the Aroma installer, pay extra attention to the device carrier.
After the reboot, open the Fulmics Hub app, click the hamburger menu, and then Fixes to install the D850 data fix. This fix is required to enable mobile data networking on the D850 device.
The next step is to override the default APN setting: open the Fulmics Tweak app, switch to the Advanced tab, click Hidden Menu > Modem Protocol > PDP Setting > APN Setting, press and hold the recent apps button to add a New APN, then follow the BYOP to Cricket:
- Name: Internet
- APN: ndo
- MMSC: http://mmsc.aiowireless.net
- MMS Proxy: proxy.aiowireless.net
- Multimedia Message Port: 80
- MCC: 310
- MNC: 150
- APN type: default,mms,fota,hipri,supl
- APN protocol: IPv4
- APN roaming protocol: IPv4
- Turn APN on/off: ON
[1] You may want to check out Magisk for the systemless root approach. At the time of writing, Fulmics 6.1 does not support a ramdisk compressed in the gzip format, so it cannot load Magisk during boot. Fulmics 6.5 adds the gzip support.