
Requirements: People-Trying-Beta-Want-To-Revert-T4011925

This guide provides steps to root the Sprint LG G8 and unlock the bootloader. It requires temporarily rooting with an exploit, backing up firmware, flashing the bootloader via dd commands, and then either flashing firmware or installing Magisk for root access.

Uploaded by

jruhlman09
Copyright: © All Rights Reserved

Sprint LG G8 Temp Root, BL Unlock, TWRP, & Magisk Guide

Requirements

A Sprint LG G8 with one of the following configurations:

A: Android 10 20e or lower and Pie on slots A/B or B/A.

B: Android 10 20e or lower and Android 10 any firmware on slots A/B or B/A.

1. LG 4.2 Drivers
2. The latest available ADB Platform Tools
3. Python 3.8.3 With PATH Set
4. OEM Unlocking Enabled in Developer Settings
5. ADB Debugging Enabled in Developer Settings
6. The files mentioned throughout this guide. They will either have links or they will be provided
in the forum post.

Excellent reading comprehension and patience!

Warnings

1. You do this at your own risk!
2. Be prepared to data wipe/factory reset a lot.
3. There are some critical steps that you cannot get wrong or you risk a brick. Read very carefully,
take your time.
4. There are a lot of steps involved in this guide. If you are unsure in the slightest, do not make an
assumption. Ask for clarification before you proceed.

Step 1A, Firmware Check:

First, you need to verify your current firmware version. Anything 20e or lower is currently vulnerable
to the Temp Root exploit provided by j4nn.

Open Settings > System > About Phone > Software Version, third line down. If your current version is
20f (the latest available from LG at the time of writing), your firmware is not vulnerable to the exploit
and we will need to switch slots and check your firmware version there. It’s recommended that you
factory data reset before performing this step to avoid the startup PIN lockout: whether or not you have
a PIN set, the phone will ask for a startup PIN and it WILL FAIL to unlock. Either way, you will be
forced to factory reset.

Follow this guide provided by Antintin to switch slots:
https://forum.xda-developers.com/lg-g8/how-to/people-trying-beta-want-to-revert-t4011925
After switching, boot to Android. Skip the initial setup.
Please take note which slot you switched to that contains the prior version of Android. SABS 0 is slot
A, SABS 1 is slot B.

If your current firmware version is vulnerable, skip to Step 2, Temp Rooting.


Step 1B, Switching Slots:

By this point, you will have switched to your inactive slot following the guide linked above and booted
to Android. Follow the same steps listed above to check your firmware version. If you see anything
lower than 20f, for example: 20a, 20b, 20c, 20d, 20e, this version is exploitable. If you have an
exploitable firmware in this slot, continue to “Step 2, Temp Rooting”. If you do not have an
exploitable firmware in this slot, the temp root exploit will not work and therefore, the bootloader
unlock will not be possible.

Step 2, Temp Rooting:


Our next step is to achieve temp root on whichever slot is vulnerable. Follow this guide provided by
j4nn and return here after you have temp root:
https://forum.xda-developers.com/lg-g8/development/lg-g8-temp-root-exploit-via-cve-2020-t4100333

After achieving temp root:

Make a backup of your stock images. This step is not optional and if you skip it you do so at your own
peril. No one is going to have a copy of your exact images. Copy and paste each line in your root shell
and pull the images off your phone and keep them safe. There are also two scripts included with this
guide, one that will automate the steps below, and the other that will perform a full backup of every
partition. It’s recommended that you make a complete firmware backup. The images listed below are
just the bare minimum.

dd if=/dev/block/sda28 of=/storage/emulated/0/Download/OP_a.img
dd if=/dev/block/sda29 of=/storage/emulated/0/Download/OP_b.img
dd if=/dev/block/sda19 of=/storage/emulated/0/Download/carrier.img
dd if=/dev/block/sde64 of=/storage/emulated/0/Download/catecontentfv.img
dd if=/dev/block/sde63 of=/storage/emulated/0/Download/catefv.img
dd if=/dev/block/sde57 of=/storage/emulated/0/Download/cateloader.img
dd if=/dev/block/sdg1 of=/storage/emulated/0/Download/frp.img
dd if=/dev/block/sdf5 of=/storage/emulated/0/Download/fsc.img
dd if=/dev/block/sdf4 of=/storage/emulated/0/Download/fsg.img
dd if=/dev/block/sda8 of=/storage/emulated/0/Download/ftm.img
dd if=/dev/block/sda31 of=/storage/emulated/0/Download/grow.img
dd if=/dev/block/sdf4 of=/storage/emulated/0/Download/fsg.img

Running the backup script

adb push backupall-part.sh /data/local/tmp

Execute the following in a root shell:

cd /data/local/tmp
sh backupall-part.sh

When complete, copy the backed up images from your internal storage Download folder to your
computer.

You are now ready to proceed with Bootloader unlocking. Leave your root shell open.

Step 3A, Bootloader Unlocking:

Before We Begin:

A word of warning. These next steps involve issuing dd commands to overwrite your bootloader on
your currently inactive slot (the active slot being the one you are on now with temp root) with a V50
engineering bootloader. This method has been performed at least half a dozen times without a brick. As
long as you follow the instructions carefully, you should be fine.

Secondly, if your inactive slot is not on firmware version 20d, we will have to flash the entire 20d
backup to the inactive slot via fastboot flash commands or you will likely not boot or have an
extremely unstable system. (See the amended “Step 4, Flashing 20d” step.) You can find the 20d
backup here, provided by Luis:
https://drive.google.com/file/d/1lXpO-sntmFmabDJ2dnfkQXqL6kEDvca0/view?usp=sharing

The above link contains images for both 20d and Pie. The _a images are 20d, the _b images are Pie. If
you do not already have one, and you would like a bootable Pie slot, you may flash the _b images to
the slot containing the engineering bootloader. We will cover this topic in a later step. Do not attempt
without reading the step, Bonus: Pie Slot, at the end of this guide.

Moving On:

We need to find out your current active slot. In your root shell, type, without the quotes, “getprop | grep
slot”. If you are in slot A, continue to “Step 3B, Slot A dd Commands”. If you are in slot B, continue
to “Step 3C, Slot B dd Commands”.

Step 3B, Slot A dd Commands:

The following dd commands will flash xbl, xbl_config, abl and laf from Pie, as well as the V50
engineering bootloader to slot B. Copy these images to your internal storage Download folder.

Before We Begin:

It is required that each of these commands be run at least 5 times to ensure proper flashing. If you’re
going to brick, this is the time it’s going to happen. There is little risk as long as you flash the same
images at least 5 times to ensure proper flashing.

Secondly, if at any point the dd commands fail, reboot, regain temp root, and try again.

Moving On:

In your root shell, run the following at least 5 times for each image. For example, you will flash the
V50 bootloader 5 times before moving on to the next dd command.

1. dd if=/storage/emulated/0/Download/V500ES_abl_a.img of=/dev/block/bootdevice/by-name/abl_b

2. dd if=/storage/emulated/0/Download/xbl_b.img of=/dev/block/bootdevice/by-name/xbl_b

3. dd if=/storage/emulated/0/Download/xbl_config_b.img of=/dev/block/bootdevice/by-name/xbl_config_b

4. dd if=/storage/emulated/0/Download/laf_b.img of=/dev/block/bootdevice/by-name/laf_b

You can now exit the root shell by typing “exit” twice. This is required. Leave your cmd prompt or powershell
window open.

Switch to slot B by following the guide linked above in Step 1A, Firmware Check.

Reboot to Fastboot while in slot B via the key combination volume down and power. Select the restart
bootloader option using the volume keys, and the power button to confirm your selection. You must select restart
bootloader or your device will not show up in fastboot devices even though you have booted to bootloader
already!

Type fastboot devices in your cmd prompt or powershell window. You should now see your device listed in
fastboot mode.

Type fastboot oem unlock, select Yes. You are now bootloader unlocked!

If slot A does contain firmware version 20d, proceed to “Step 4A, Magisk Flashing”.
If slot A does not contain firmware version 20d, proceed to “Step 4B, Flashing 20d”.

Step 3C, Slot B dd Commands:

The following dd commands will flash xbl, xbl_config, abl and laf from Pie, as well as the V50
engineering bootloader to slot A. Copy these images to your internal storage Download folder.

Before We Begin:

It is required that each of these commands be run at least 5 times to ensure proper flashing. If you’re
going to brick, this is the time it’s going to happen. There is little risk as long as you flash the same
images at least 5 times to ensure proper flashing.

Secondly, if at any point the dd commands fail, reboot, regain temp root, and try again.

Moving On:

In your root shell, run the following at least 5 times for each image. For example, you will flash the
V50 bootloader 5 times before moving on to the next dd command.

1. dd if=/storage/emulated/0/Download/V500ES_abl_a.img of=/dev/block/bootdevice/by-name/abl_a

2. dd if=/storage/emulated/0/Download/xbl_b.img of=/dev/block/bootdevice/by-name/xbl_a

3. dd if=/storage/emulated/0/Download/xbl_config_b.img of=/dev/block/bootdevice/by-name/xbl_config_a

4. dd if=/storage/emulated/0/Download/laf_b.img of=/dev/block/bootdevice/by-name/laf_a
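
Added example, not part of the original guide: in addition to repeating each dd command (Steps 3B and 3C), a write can be confirmed by reading the target back and comparing its leading bytes with the image, and the same hashes let you confirm that the Step 2 backups survived the copy to your computer. It assumes a shell that provides head -c, wc, dd and sha256sum; the function names and the temporary files used in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Function names and the demo's temporary
# files are constructed; on the phone IMAGE is a file in Download and TARGET
# is a by-name partition path.

# Print the SHA-256 of the first BYTES bytes of FILE (whole file if omitted).
sha256_prefix() {
    if [ -n "$2" ]; then
        head -c "$2" "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# 0: TARGET begins with exactly the bytes of IMAGE; 1: it does not;
# 2: a path is unreadable or IMAGE is empty.
image_matches_partition() {
    img=$1; target=$2
    [ -r "$img" ] && [ -r "$target" ] || return 2
    size=$(wc -c < "$img"); size=$((size + 0))
    [ "$size" -gt 0 ] || return 2
    [ "$(sha256_prefix "$img")" = "$(sha256_prefix "$target" "$size")" ]
}

# Write DIR/SHA256SUMS for every *.img in DIR; after copying the folder to
# the computer, run `sha256sum -c SHA256SUMS` there to confirm the copies.
write_manifest() {
    ( cd "$1" && sha256sum *.img > SHA256SUMS )
}

# Constructed demo: a 4 KiB image written into an 8 KiB stand-in partition.
demo() {
    d=$(mktemp -d) || return 2
    head -c 4096 /dev/zero | tr '\0' 'A' > "$d/laf_b.img"
    head -c 8192 /dev/zero > "$d/part"
    dd if="$d/laf_b.img" of="$d/part" conv=notrunc 2>/dev/null
    image_matches_partition "$d/laf_b.img" "$d/part" && good=0 || good=$?
    # Simulate a bad write: change one byte inside the image region.
    printf 'X' | dd of="$d/part" bs=1 seek=100 conv=notrunc 2>/dev/null
    image_matches_partition "$d/laf_b.img" "$d/part" && bad=0 || bad=$?
    write_manifest "$d" && ( cd "$d" && sha256sum -c SHA256SUMS >/dev/null ) \
        && manifest=0 || manifest=$?
    rm -rf "$d"
    echo "$good $bad $manifest"
}

demo   # prints "0 1 0"
```

A return value of 1 after a dd command means the partition does not hold the image you intended, which is the condition the guide's "reboot, regain temp root, and try again" advice covers.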

You can now exit the root shell by typing “exit” twice. This is required. Leave your cmd prompt or powershell
window open.

Switch to slot A by following the guide linked above in Step 1A, Firmware Check.

Reboot to Fastboot while in slot A via the key combination volume down and power. Select the restart
bootloader option using the volume keys, and the power button to confirm your selection. You must select restart
bootloader or your device will not show up in fastboot devices even though you have booted to bootloader
already!

Type fastboot devices in your cmd prompt or powershell window. You should now see your device listed in
fastboot mode.

Type fastboot oem unlock, select Yes. You are now bootloader unlocked!

If slot B does contain firmware version 20d, proceed to “Step 4A, Magisk Flashing”.
If slot B does not contain firmware version 20d, proceed to “Step 4B, Flashing 20d”.

Step 4A, Magisk Flashing:

The next step is to flash the appropriate Magisk patched boot image for your firmware version. The following
commands need to be changed based on which slot your 20[a,b,c,d,e] firmware is located in, and which patched
image you’re flashing. For example, if 20d is in slot A, you will use “boot_a”; if it’s in slot B, you will use
“boot_b”. Likewise, if 20d is in slot A, you will use “fastboot --set-active=a”; if it’s in slot B, you will use
“fastboot --set-active=b”. Note: That’s a double dash before “set”.

fastboot flash boot_a sprint20d_magisk_patched.img
fastboot --set-active=a

Select power off, press the power button to confirm selection. It may take upwards of 10 – 20 seconds to get the
phone to turn back on after powering off. This is normal. Boot to Android. If you have a successful boot, skip the
initial setup and proceed to “Step 5, Finishing Up”.

Step 4B, Flashing 20d:

I’m leaving this step here in case it is needed. After some testing, we have determined that no
stability problems occur as long as you flash a patched boot image that matches your current
firmware version. Currently we have patched 20d and 20e boot images available.

For this step, you will need the 20d backup found in “Step 3A, Bootloader Unlocking”. As mentioned
before, the _a images are 20d, the _b images are Pie. You will only need the _a 20d images for this
step.

This cannot be skipped if you are on anything other than 20d. You will have severe system problems IF
it even boots at all. The process is straightforward, just slightly time consuming. Let’s begin.

Extract the _a 20d images in the g820um20d.zip to your root Android folder containing your platform
tools. Each and every image will need to be flashed, in no particular order. Just sort by file type and
start from the top. The image file names directly correlate to the partition you are flashing to, for
example: abl_a.img will be flashed to abl_a, and so on.

The following fastboot flash commands will need to be changed based on your primary slot letter
(the slot that does NOT contain the engineering bootloader). For example, if that happens to be slot
B, you will use fastboot flash abl_b abl_a.img, and so on.

fastboot flash abl_a abl_a.img
fastboot flash akmu_a akmu_a.img

And so on, it’s that simple. The only exception is the boot image. You will NOT flash the boot_a
image, you will flash the Sprint20D magisk patched image instead.

Once complete execute the following:

fastboot erase userdata
fastboot --set-active=a or --set-active=b based on your primary slot letter.

Select power off, press the power button to confirm selection. It may take upwards of 10 – 20 seconds
to get the phone to turn back on after powering off. This is normal. Boot to Android. If you have a
successful boot, skip the initial setup and proceed to “Step 5, Finishing Up”.

Step 5, Finishing Up:

In this step we will flash TWRP, reboot to recovery, flash Magisk and dm-verity disabler. An SD card is
recommended but not required for this step.

Copy the Disable_Dm-Verity zip, Magisk-v20.4.zip, and the twrp-installer zip to your SD card.
Preferably to the Download folder. If you’re using internal storage only, you will move these files to
the phone after you data wipe in TWRP.

Download the latest version of the Magisk Manager APK and install it.
https://magiskmanager.com/#How_to_Download_Magisk_Manager_Latest_Version_751_For_Android_2020_Method_1

Once installed, open Magisk Manager. It will ask you to perform additional setup. Allow it. The phone
will reboot automatically. After the reboot, open Magisk Manager once more, tap on the 3 horizontal
bars on the top left, and select Modules.
Tap the Plus sign and select the twrp-installer zip. This will flash TWRP. Note that in doing so, this
will remove Magisk from the boot image. This is fine.

Shut down the phone and boot to recovery via the key combination. The touchscreen is unlikely to
work in TWRP if you do not enter recovery via the key combination method. Hold volume down and
power until you see Recovery mode flash on screen, you may release the buttons after you see this. You
should now be in TWRP. Tap cancel when it asks for a password. Go to Wipe > Advanced > Select data
(and only data), and wipe. Reboot the phone back to recovery. Do not let the system boot after data
wiping. Go directly back to TWRP. You will NOT brick, however you will have to data wipe and
reboot again.

After you’re back in TWRP, it should no longer be asking you for a password. This is good, it means
we have removed the encryption.

Next, tap Install. Flash in this order: Magisk-v20.4.zip, followed by a reboot directly to TWRP. Next,
flash Disable_Dm-Verity. Reboot to system. Continue setup as normal.

Congratulations! You are now bootloader unlocked and rooted.

Bonus: Pie Slot:


As mentioned in “Step 3A, Bootloader Unlocking”, if you do not have a Pie slot, you can flash the
Pie images in the zip mentioned in the same step via fastboot flash, the same way you (may have)
flashed 20d in “Step 4B, Flashing 20d”. The only difference is you will be flashing all of the _b
images except for abl, xbl, and xbl_config to the slot containing the engineering bootloader. You must
fastboot erase userdata after flashing the Pie images. Once complete, simply reboot and you should
have a bootable Pie slot. Please note that the V50 engineering bootloader prevents the touch screen
from working in Pie.
