How to bootloader unlock T-Mobile LG Velvet and root it with Magisk
Unlocking the bootloader, rooting a device and flashing aftermarket ROMs are popular hobbies here on XDA. The power user community places a high value on the ability to modify its devices and has almost no interest in phones that cannot be bootloader unlocked. Many older devices are actually kept alive by third-party ROMs, which are also godsends for smartphones that are on the verge of losing official support. LG, for example, no longer makes Android smartphones, so owners of LG devices may have to settle for custom ROMs in the near future. However, the process isn’t exactly straightforward due to LG’s bootloader unlocking policy.
LG has a long history with bootloader unlocking. The Korean OEM used to allow only a handful of models to be unlocked by end users – likely due to carrier demands. The company then permanently withdrew the feature a few months ago, which means people have to rely on unofficial methods to get their bootloader unlocked. This time, XDA Senior Member Wish39 has come up with a truly innovative process to unlock the bootloader of the T-Mobile variant of the LG Velvet and then root the device.
How to Bootloader Unlock and Root T-Mobile LG Velvet
The T-Mobile edition of the LG Velvet (model number LM-G900TM) is powered by the MediaTek Dimensity 1000C SoC. This makes it a unique one in the Velvet series, as all other variants of the smartphone have either the Qualcomm Snapdragon 750G (5G) or the Snapdragon 845 (4G) chipset. The aforementioned MediaTek platform is vulnerable to a known bootrom exploit, which can be used to bypass bootloader security and unlock the bootloader. Afterwards, rooting the device is child’s play.
Step 1: Downgrade to Android 10
In case the target T-Mobile LG Velvet is running Android 11, we need to downgrade it to Android 10. This is because the Android 11 firmware for this device has already patched the exploitable preloader (aka first stage bootloader). You also need a PC, as the flashing tool only works under Windows.
- Download and install the latest USB drivers for LG.
- Download any Android 10 based KDZ firmware package for T-Mobile LG Velvet from a reputed LG firmware hosting site.
- Download a properly patched LGUP tool to flash the KDZ package.
- Install LGUP and open the executable file.
- Select REDECORATE alternative as the process. Then click the button with three dots in the lower right corner to select the KDZ file.
- Reboot LG Velvet into download mode. To do so, turn off your phone. Then connect the USB cable to the PC, hold down the Volume Up button on the phone and connect the other end of the cable to the phone. You should see a screen that says “Firmware Update” next to a USB logo on your phone.
- Click on Start and wait for the flashing process to finish.
- If all goes well, the phone will reboot to the Android 10 firmware.
Step 2: Unlock the bootloader
Now that we have restored the exploitable preloader on the T-Mobile LG Velvet, we can unlock the bootloader in no time. Thanks to the MTKClient project by security analyst Bjoern Kerler, you don’t need to take care of the payloads and other low-level reversion tools. All you need to do is run a couple of Python scripts.
- Download the MTKClient tool from its official GitHub repo and set it up by following the readme.
- Make sure your phone is turned off. Next, run the following command in a terminal window on your PC, and then connect your phone to your PC.
python mtk e metadata,userdata,md_udc
This will delete the metadata, userdata and md_udc partitions on the phone.
- At this stage we are ready to execute the unlock command:
python mtk xflash seccfg unlock
- Restart your phone using the following command:
python mtk reset
Then disconnect the USB cable to allow the phone to reboot.
- Now you have a bootloader unlocked T-Mobile LG Velvet.
Step 3: Upgrade to Android 11
Since the bootloader is now unlocked, we can (re-)upgrade to the Android 11 firmware. However, directly flashing an Android 11 KDZ will replace the exploitable preloader, therefore we have to choose a selective flashing procedure.
- Download the latest Android 11 KDZ for T-Mobile LG Velvet.
- Open LGUP and select KDZ.
- Boot your phone into download mode and connect it to your PC.
- Select the DEVELING DL option and click on the Start button.
- When you see the partition list window, click choose all and uncheck the preloader partition, then press OK to start flashing.
- After completing the flashing process, the phone should boot to Android 11 with an unlocked bootloader.
Step 4: Flash stock boot image using Magisk for root
An unlocked bootloader allows us to run unsigned code on the device. As a result, we can now patch the stock boot image using Magisk and flash the modified image to gain root access.
- Dump the boot image from your phone to your PC using MTKClient.
- Copy the dumped image to your phone and patch it with Magisk. Then copy the patched image from your phone to your PC.
- Reboot the phone to the bootloader interface using ADB:
adb reboot fastboot
- Flash the Magisk-patched boot image with Fastboot:
fastboot flash boot name_of_the_patched_boot_image.img
- Restart your phone.
- This is all it takes to root your T-Mobile LG Velvet.
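Before patching and flashing, it helps to confirm that the image dumped in the first step of Step 4 really is a complete Android boot image, since a truncated or wrong-partition dump written to boot will not start. The following is an added example, not code from the original article or from MTKClient: it parses the boot image header as laid out in AOSP's bootimg.h, and the function names and the sample image are constructed here for illustration.

```python
import struct

BOOT_MAGIC = b"ANDROID!"

def decode_os_version(raw):
    """Unpack the 32-bit os_version field into (version, patch level)."""
    ver, patch = raw >> 11, raw & 0x7FF
    version = f"{(ver >> 14) & 0x7F}.{(ver >> 7) & 0x7F}.{ver & 0x7F}"
    return version, f"{2000 + (patch >> 4)}-{patch & 0xF:02d}"

def round_up(size, page):
    return -(-size // page) * page

def parse_boot_header(blob):
    """Parse and sanity-check an Android boot image header (versions 0-4)."""
    if len(blob) < 48 or blob[:8] != BOOT_MAGIC:
        raise ValueError("bad magic or truncated header: not a boot image")
    (header_version,) = struct.unpack_from("<I", blob, 40)
    if header_version <= 2:
        # v0-v2: sizes interleaved with load addresses, page size in header
        kernel_size, _, ramdisk_size = struct.unpack_from("<3I", blob, 8)
        page_size, _, os_raw = struct.unpack_from("<3I", blob, 36)
    elif header_version <= 4:
        # v3-v4: no load addresses, pages are always 4096 bytes
        kernel_size, ramdisk_size, os_raw = struct.unpack_from("<3I", blob, 8)
        page_size = 4096
    else:
        raise ValueError(f"unknown header version {header_version}")
    if page_size < 2048 or page_size & (page_size - 1):
        raise ValueError("implausible page size")
    # Lower bound: header page + kernel + ramdisk, each padded to a page
    needed = (page_size + round_up(kernel_size, page_size)
              + round_up(ramdisk_size, page_size))
    if len(blob) < needed:
        raise ValueError(f"dump is truncated: {len(blob)} < {needed} bytes")
    version, patch_level = decode_os_version(os_raw)
    return {"header_version": header_version, "page_size": page_size,
            "kernel_size": kernel_size, "ramdisk_size": ramdisk_size,
            "os_version": version, "patch_level": patch_level}

def make_sample():
    """Constructed v2 image: 4096-byte kernel, 2048-byte ramdisk, zero-filled."""
    os_raw = (11 << 25) | ((2021 - 2000) << 4) | 6  # Android 11.0.0, 2021-06
    fields = (4096, 0x40080000, 2048, 0x47C80000, 0, 0, 0x44000000, 2048, 2, os_raw)
    header = BOOT_MAGIC + struct.pack("<10I", *fields)
    return header.ljust(2048, b"\0") + bytes(4096 + 2048)

if __name__ == "__main__":
    print(parse_boot_header(make_sample()))
```

To check a real dump, pass the file's bytes to `parse_boot_header` and compare the reported OS version with the firmware you flashed in Step 3; running it on both the stock and the Magisk-patched image shows whether the ramdisk size changed as expected.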
What will be next?
There are currently no versions of TWRP or any custom ROMs on our forums for the T-Mobile LG Velvet. Nevertheless, an unlocked bootloader allows you to play with different GSI builds. Once you’re rooted, you’ll also be able to make use of a large number of root apps and Magisk modules, which allow you to change various aspects of your device.
If you’re looking for more details on the process, check out the following thread in our forums:
Bootloader Unlock and Root for T-Mobile LG Velvet (G900TM ONLY)