[Update: 10i firmware] How to Root T-Mobile LG V20, install TWRP and Disable Force Encrypt using Dirty Cow kernel exploit (recowvery)

Update (Dec 20th, 2016): The T-Mobile LG V20 is receiving an update to firmware version 10i. The new firmware comes with the December security patch and includes a patch for the Dirty Cow vulnerability, which closes the recowvery root method as well.

If you want to keep root on your T-Mobile V20, do NOT install the 10i update for the device until another rooting method is discovered. 

Status: Rooted

Although LG allows bootloader unlocking on the LG V20, you cannot install TWRP recovery directly on the device, because LG has put in place a secure system that doesn’t allow modifications to any partitions on the device.

Thanks to developer jcadduono over at xda, there is a workaround to install TWRP recovery on the LG V20 using the Dirty Cow root exploit in the kernel. The developer calls his workaround recowvery.

Using the recowvery exploit, you can install TWRP recovery on your LG V20 and then flash the SuperSU zip to disable force encrypt and get root access.

Let’s get started.

Downloads

How to Install TWRP on LG V20 using recowvery

  1. Setup ADB and Fastboot on your PC.
  2. Unlock bootloader on your LG V20.
  3. Download and save the following four recowvery files from the download links above to a separate folder on your PC.
    • dirtycow
    • recowvery-applypatch
    • recowvery-app_process64
    • recowvery-run-as
  4. Download and transfer the LG V20 TWRP recovery .img file from the downloads section above to your phone’s base directory (not inside any folder).
  5. Make sure USB debugging is enabled on your V20.
  6. Connect your LG V20 to the PC.
  7. Now open a command window on your PC inside the folder where you saved recowvery files in Step 3 above. To do that, “Shift + Right click” on any empty white space inside the folder and select Open command window here from the context menu.
  8. Once command window is opened, issue the following commands one-by-one to get a root shell on your device using the Dirty Cow exploit:
    adb push dirtycow /data/local/tmp
    adb push recowvery-applypatch /data/local/tmp
    adb push recowvery-app_process64 /data/local/tmp
    adb push recowvery-run-as /data/local/tmp

    └ This will push the recowvery files to your device’s tmp folder.

    adb shell 
    cd /data/local/tmp
    chmod 0777 *
    ./dirtycow /system/bin/applypatch recowvery-applypatch

    └ Wait for the script to finish.

    ./dirtycow /system/bin/app_process64 recowvery-app_process64

    └ Wait for completion; your phone might look like it’s crashing.

    exit
    adb logcat -s recowvery

    └ Wait for the command to tell you it was successful. Once done, press CTRL+C on your keyboard.

    adb shell reboot recovery

    └ Your phone will reboot and recovery will be reflashed to stock.

    adb shell 
    getenforce

    └ It should say permissive.

    cd /data/local/tmp
    ./dirtycow /system/bin/run-as recowvery-run-as
    run-as exec ./recowvery-applypatch boot

    └ recowvery patched boot image will be flashed, wait for it to complete.

    run-as su

    └ This will give you a shell with root access.

    dd if=/sdcard/twrp-3.0.2-0-beta4-h918.img of=/dev/block/bootdevice/by-name/recovery

    └ This will install/flash TWRP recovery to your LG V20.

  9. TWRP recovery is now installed on your LG V20. Now follow the instructions below to disable Force encrypt and root LG V20 using SuperSU zip.

How to Disable Force Encrypt and Root LG V20

Download SuperSU v2.78 (latest)

  1. Download and transfer the SuperSU zip file from the download link above to your LG V20.
  2. Connect your phone to the PC and open a command window on PC.
  3. Issue the following command on the PC to boot your LG V20 into TWRP recovery:
    adb reboot recovery
  4. Once in TWRP recovery, tap on Install and select the SuperSU zip file that you transferred to your phone in Step 1 above.
  5. After selecting the .zip file, slide your finger on the Swipe to Confirm Flash button on screen to begin the flashing process.
    └ This will install SuperSU and patch the boot image so that it does not force encrypt your LG V20 on boot. But since your device is already encrypted, you need to format Data once to decrypt it. If you do not want to decrypt, skip Steps 6 and 7 below.
  6. Once SuperSU is flashed, go back to TWRP main menu » select Wipe » Advanced Wipe » tap on Data and then slide your finger on the Swipe to Wipe button.
    └ This will decrypt your LG V20 and DELETE all data on the device.
  7. Since we wiped the device in the step above to decrypt it, you need to flash the SuperSU zip once again (follow Steps 4 and 5 again).
  8. Once done, go to TWRP main screen » select Reboot » select System.

That’s all. Your LG V20 is now rooted and decrypted. To verify, download any root checker app from the Play store.
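
For anyone auditing V20 units rather than rooting them, two facts from this guide make a quick check: firmware older than the December 2016 patch is still open to recowvery, and a device that has been through the procedure reports permissive SELinux. The script below is an added example, not part of the original guide or of recowvery; the finding names and sample device states are constructed, and it assumes the standard Android property `ro.build.version.security_patch` in YYYY-MM-DD form.

```shell
#!/bin/sh
# Added example: classify a device from two values read over adb.
# Live collection (assumes adb is installed and the device is authorized):
#   patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
#   mode=$(adb shell getenforce | tr -d '\r')

FIXED_FROM="2016-12"   # per the guide: the December 2016 patch (10i) blocks recowvery

# patch_is_fixed YYYY-MM-DD
# returns 0 = December 2016 or later, 1 = older, 2 = value missing or malformed
patch_is_fixed() {
    ym=$(printf '%s' "$1" | cut -c1-7)
    case "$ym" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # YYYY-MM strings sort chronologically, so a lexical sort is enough
    [ "$(printf '%s\n%s\n' "$FIXED_FROM" "$ym" | sort | head -n 1)" = "$FIXED_FROM" ]
}

# assess PATCH_LEVEL SELINUX_MODE -> prints space-separated findings, or OK
assess() {
    out=""
    rc=0
    patch_is_fixed "$1" || rc=$?
    case "$rc" in
        1) out="PATCH_BEFORE_2016-12" ;;
        2) out="PATCH_LEVEL_UNKNOWN" ;;
    esac
    # The guide expects getenforce to say "permissive" after its boot patch;
    # anything other than Enforcing is worth a closer look.
    case "$2" in
        Enforcing) ;;
        *) out="${out:+$out }SELINUX_NOT_ENFORCING" ;;
    esac
    printf '%s\n' "${out:-OK}"
}

# Constructed sample states (name, patch level, SELinux mode), not real devices
while read -r name patch mode; do
    printf '%s: %s\n' "$name" "$(assess "$patch" "$mode")"
done <<'EOF'
phone-a 2016-10-01 Permissive
phone-b 2016-12-01 Enforcing
phone-c 2016-11-01 Enforcing
EOF
```

The December 2016 threshold comes from this guide's update notice for the T-Mobile V20; other devices received the fix on their own vendor schedules.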

Happy Androiding! 

14 comments
  1. This is only for the T-Mobile variant no? Are there any systemless root options for the other variants? Sprint’s bootloader is locked

  2. ./dirtycow /system/bin/app_process64 recowvery-app_process64
    └ Wait for completion, you phone might look like it’s crashing.

    HOW LONG DOES THIS TAKE?!!?!?!?!?
