Unlocking the bootloader, rooting a device, and flashing aftermarket ROMs are popular hobbies here at XDA. The power user community holds the ability to mod their devices in high regard, and they almost find no interest in phones if they are not able to be bootloader unlocked. Many legacy devices are actually kept alive by third-party ROMs, which are also godsends for smartphones that are standing on the verge of losing official support. LG, for example, no longer makes Android smartphones, hence owners of LG devices might want to settle with custom ROMs in the near future. However, the process isn’t exactly straightforward due to LG’s bootloader unlocking policy.
LG has a storied history with regards to bootloader unlocking. The Korean OEM used to allow only a handful of models to be unlocked by end-users — probably due to requirements from carriers. Nonetheless, the company permanently seized the opportunity a few months ago, which means people have to rely on unofficial methods to get their bootloader unlocked. This time, XDA Senior Member Wish39 has come up with a really innovative process to unlock the bootloader of the T-Mobile variant of the LG Velvet and subsequently, root the device.
How to bootloader unlock and root the T-Mobile LG Velvet
The T-Mobile edition of the LG Velvet (model number LM-G900TM) is powered by the MediaTek Dimensity 1000C SoC. This makes it a unique one in the Velvet lineup, as all other variants of the smartphone feature either the Qualcomm Snapdragon 750G (5G) or the Snapdragon 845 (4G) chipset. The aforementioned MediaTek platform is vulnerable to a known bootrom exploit, which can be utilized to bypass the bootloader security and unlock the bootloader. Afterward, it’s a child’s play to root the device.
Step 1: Downgrade to Android 10
In case the target T-Mobile LG Velvet is running Android 11, we need to downgrade it to Android 10. This is because the Android 11 firmware for this device already patched the exploitable preloader (aka first stage bootloader). You need a PC as well, as the flashing tool works only under Windows.
- Download and install the latest USB drivers for LG.
- Download any Android 10-based KDZ firmware package for the T-Mobile LG Velvet from a reputed LG firmware hosting site.
- Download a properly patched LGUP tool for flashing the KDZ package.
- Install LGUP and open its executable.
- Select the REFURBISH option as the process. Next, click on the button with three dots in the lower right corner to select the KDZ file.
- Reboot the LG Velvet to the download mode. To do so, turn off your phone. Next, plug the USB cable into your PC, hold down the Volume Up button of the phone, and connect the other end of the cable to the phone. You should see a screen with the text “Firmware Update” alongside a USB logo on the phone.
- Click on the Start button and wait for the flashing process to finish.
- If everything goes right, the phone will reboot to the Android 10 firmware.
Step 2: Unlock the bootloader
Now that we have restored the exploitable preloader on the T-Mobile LG Velvet, we can unlock its bootloader in a jiffy. Thanks to the MTKClient project by security analyst Bjoern Kerler, you don’t have to take care of the exploit payloads and other low-level reverse-engineering tools. All you need to do is execute a couple of Python scripts.
- Download the MTKClient tool from its official GitHub repo and set it up by following the readme.
- Make sure the phone is turned off. Next, run the following command in a terminal window on your PC, and then plug the phone into your PC.
python mtk e metadata,userdata,md_udc
This will erase the
userdatapartitions on your phone
- At this stage, we are ready to execute the unlock command
python mtk xflash seccfg unlock
- Reboot the phone using the following command:
python mtk reset
Next, disconnect the USB cable to let the phone reboot.
- Now you have a bootloader unlocked T-Mobile LG Velvet.
Step 3: Upgrade to Android 11
Since the bootloader is now unlocked, we can (re-)upgrade to the Android 11 firmware. However, directly flashing an Android 11 KDZ will replace the exploitable preloader, hence we need to opt for a selective flashing procedure.
- Download the latest Android 11 KDZ for the T-Mobile LG Velvet.
- Open up LGUP and select the KDZ.
- Boot the phone to the download mode and connect it to your PC.
- Select the PARTITION DL option and click on the Start button.
- When you see the partition list window, click Select All and uncheck the preloader partition, then press OK to start flashing.
- After finishing up the flashing process, the phone should boot to Android 11 with an unlocked bootloader.
Step 4: Patch the stock boot image using Magisk for root
An unlocked bootloader allows us to run unsigned code on the device. As a result, we can now patch the stock boot image using Magisk and flash the modified image to gain root access.
- Dump the stock boot image from the phone to your PC using MTKClient.
- Copy the dumped image to your phone and patch it using Magisk. Then copy the patched image from your phone to your PC.
- Reboot the phone to the bootloader interface using ADB:
adb reboot fastboot
- Flash the Magisk-patched boot image using Fastboot:
fastboot flash boot name_of_the_patched_boot_image.img
- Reboot the phone.
- This is all it takes to root your T-Mobile LG Velvet.
There are currently no builds of TWRP or any custom ROMs on our forums for the T-Mobile LG Velvet. Nonetheless, an unlocked bootloader allows you to play with different GSI builds. Being rooted, you’ll be able to avail of a huge number of root apps and Magisk modules too, which allows you to change different aspects of your device.
If you are looking for more details on the process, check out the following thread in our forums:
Bootloader Unlock and Root for the T-Mobile LG Velvet (G900TM ONLY)