LG V50 ThinQ gets root on locked bootloader thanks to an exploit
LG’s bootloader unlocking policy is quite annoying as the company tends to whitelist only a handful of regional device variants to be unlocked via their official portal. The situation isn’t always their fault, though, as U.S. carriers tend to make the decision to block bootloader unlocking. Take for example the LG V50 ThinQ—while you can unlock the bootloader of the European variant (LM-V500EM), you can’t unlock the Sprint or the Verizon models. That makes rooting virtually impossible on these carriers models, but developers have recently made a breakthrough in this front. It is now possible to get a root shell, albeit temporary, on bootloader locked LG V50 ThinQ units.
XDA Recognized Developer j4nn used the Pixel 3-specific CVE-2020-0041 exploit (read more about it here) to achieve root access in shell on the LG V50 ThinQ’s Android 10 firmware running the Linux 4.14 kernel. The current form of the modified exploit is tested on the Korean LG V50 ThinQ variant (LM-V500N) with software version V500N20m, but it is reportedly working on LG G8 ThinQ’s Android 10 firmware as well with little adjustments. In theory, any Snapdragon 855-powered LG phone running Android 10 with the March 2020 security patch level or lower should be vulnerable to the exploit.
By virtue of being a “temp root” method, root access will be lost as soon as you reboot your phone. Moreover, Android Verified Boot 2.0 may kick in and brick your phone if you try to make permanent changes to protected partitions such as boot, system, and vendor without an unlocked bootloader. That being said, the exploit is currently available in its compiled form, while the developer will soon release the source code. The executable should be invoked from a regular ADB shell or a terminal emulator, and it should show the following message after successful privilege escalation.
[+] Mapped 200000\n[+] selinux_enforcing before exploit: 1\n...\n[*] Launching privileged shell\nroot_by_cve-2020-0041:/data/local/tmp # uname -a\nLinux localhost 4.14.176-g563a8d550f67-dirty #5 SMP PREEMPT Sun Apr 26 02:26:43 CEST 2020 aarch64\nroot_by_cve-2020-0041:/data/local/tmp # getenforce\nPermissive\nroot_by_cve-2020-0041:/data/local/tmp # id\nuid=0(root) gid=0(root) groups=0(root) context=kernel\nroot_by_cve-2020-0041:/data/local/tmp #
XDA Senior Member Inerent and other members are trying to integrate Magisk on top of the root shell, but the process is not complete yet at the time of writing this article. It could also be possible to install a custom recovery on your bootloader locked LG V50 with the help of Safestrap or similar solutions, but we’ll have to wait and see if such custom development will pick up on the phone.