LG G6 | FRP Bypass Guide¶
This wiki is intended for private usage and serves as a reminder if you encounter another LG G6 device.
The LG G6 has proven to be one of the most challenging phones to hack in all aspects. It took considerable time and effort, spending over 100 hours, to finally break into it. None of the existing wikis out there actually work, and the creators behind them are often unreliable and even scammers. Following some tutorials may even result in bricking your device. Even the XDA forum lacks a legitimate tutorial for this device. Hopefully, this wiki will be helpful for someone who owns an LG G6 or newer versions of the device.
How to Flash Android 7.0 Firmware on LG G6¶
- If you are using Android 8.0 Oreo, you will need to re-flash your firmware to Android 7.0. It doesn't matter which specific firmware you choose from the LG-firmwares website until the device is successfully hacked. Simply select one, download the file, and use the LGUP tool to flash your device. You can obtain the LGUP tool and DLL file from this source: https://www.mylgphones.com/download-lg-up-software. However, for the sake of providing a comprehensive guide, let me explain how you can install APK files since existing guides and tutorials are limited and ineffective. None of them work!
APKS ON ANDROID 8.0 LOCKED BY FRP¶
NOTICE: This is NOT allowed on Android 7.0 so don't bother to try, it will just bring you to the limited settings panel with network settings only and you won't be able to move on to developer settings or override app settings.¶
1) Start your device.
2) On the welcome screen, press the next button.
3) Press skip in the lower right corner.
4) Turn on Wi-Fi and log in to your Wi-Fi network.
5) Go back to the welcome screen.
6) Press Accessibility.
7) Press settings.
8) Press Switch Access.
9) Press settings in the lower right corner.
10) Press Help & Feedback.
11) Press About Switch Access for Android.
12) Touch the YouTube video once.
13) Click on the clock icon beside the share icon.
14) YouTube will quickly start and take you to the Google Chrome browser.
15) Now click on Accept & Continue.
16) In the lower-left corner, click on No Thanks.
17) Now browse to https://nr1.nu/i/archive/lg-g6/terminal.apk.
18) Click on update permissions.
19) Click on Allow.
20) Wait until the file has been downloaded.
21) Now, the problem is that you won't be able to install this application since the settings and hidden menu are disabled, and you will just get redirected to the limited settings. It won't help to use QuickShortcutMaker or similar tools to try launching the development settings. Why? Because it's not even installed! And just to clarify, NO, you won't be allowed to download an APK file and install dev settings, bypassing the limited network settings. There is no way to do this, for real! However, let's move on:
22) Go back to the YouTube screen by pressing the back arrow.
23) Start a video and choose the share button.
24) Choose the email application provided by LG (the white icon with a blue E).
25) Allow the permissions for access contacts and email address.
26) Choose to sign in with your email (NOT A GMAIL ACCOUNT, IT IS NOT VALID AND WON'T WORK, AND IT WILL REDIRECT YOU TO THE LOGIN SCREEN WHERE YOU MUST LOGIN WITH THE OLD MAIL ACCOUNT).
27) Wait until you get connected and just hit next, followed by done.
28) Now you are on the "Send Message" screen in your email application.
29) Choose the add file button, located in the upper right corner behind your email address.
30) Now press on the terminal.apk file that you added.
31) You will now be allowed to install the application without enabling any permissions since they forgot to add permission denied on this one.
32) After you have installed the application, you can choose to open Terminal in the lower right corner.
33) Now you will notice EVERYTHING is locked due to SELinux enforcing, and you won't even be allowed to list applications by using the "pm list applications" command.
34) What you want to do now is to browse back to the YouTube screen in the Accessibility settings and press on the clock to start Google Chrome again, and feel free to download and install ALMOST any APK file.
35) It won't help to install lgsetupwizard.apk, settings.apk, or anything else that you have in mind for bypassing the FRP protection. Even hiddenmenu.apk will be denied due to permissions, and you are not even allowed to use USSD to open the hidden menu. BUT this will work on Android 7.0, so you must downgrade to Android 7.0.
FOR BYPASS FRP¶
If you're on Android 8.0 and need to reflash your device, you can browse LG's homepage to find instructions on how to do it. Since this is a separate process, I won't go into further detail on this topic. However, the main process involves the following steps:
1) Start LGUP Tool.
2) Reboot your device to recovery mode by performing the following steps: - Power off the device. - While the device is off, hold the VOLUME UP button and plug in the USB cable.
3) Choose your firmware file in LGUP tool and flash the firmware. That's it.
Just to clarify, when downgrading from Android 8.0 to Android 7.0, your device will be wiped, and if you installed any APKs using the above method, you won't be able to use those applications on Android 7.0 since they will be fully erased. If you are on Android 7.0 and upgrading to 8.0, your device won't be erased, but this doesn't matter much since you won't be allowed to install applications in the same way as on Android 8.0. This bug is only present in Android 8.0, as far as I know. However, let's proceed with bypassing FRP now:
1) Start your device after you have installed Android 7.0.
2) On the welcome screen, press the next button.
3) Press skip in the lower right corner.
4) Turn on Wi-Fi and log in to your Wi-Fi network.
5) Go back to the welcome screen.
6) Press Accessibility.
7) Press settings.
8) Press Switch Access.
9) Press settings in the lower right corner.
10) Press Help & Feedback.
11) Press About Switch Access for Android.
12) Touch the YouTube video once.
13) Click on the clock icon beside the share icon.
14) YouTube will start quickly and take you to the Google Chrome browser.
15) Now click on Accept & Continue.
16) In the lower-left corner, click on No Thanks.
17) Now browse to https://nr1.nu/i/archive/lg-g6/terminal.apk.
18) Click on update permissions.
19) Click on Allow.
20) Once Google Chrome has been started, go to a page that allows you to press on a phone number. For example, you can visit Telia.se and press on a phone number there. This will start your phone application.
21) Enter the USSD: *#546368#*870#, where 870 is the device model. Since we have an LG G6 870, we enter 870. You are now in the HiddenMenu.
Don't panic if USB Debugging is inactive, and you're not allowed to enable USB debugging! For users who do not have this issue, you can skip this part:¶
- Turn off your LG device.
- Repeat the flash process with LGUP.
- Once the installation is complete and your device is erasing itself with the white background and the Android logo on the screen saying "DO NOT TURN OFF YOUR DEVICE" - That's exactly what you must do. Turn off the device by holding the POWER + VOLUME DOWN buttons. If you're too late the first time, you will succeed the second time. Just press the buttons approximately 2-3 seconds before you know the screen will appear, so you power off the device during installation. Let the device remain powered off for approximately 1 minute, and then turn it on again and redo the process from step 1 to 22. This way, you will be able to enable USB debugging if you weren't too late when powering off the device. If USB debugging is still inactive, just keep trying again until it works. I discovered this after my third attempt, and now I have tried it several times. You must turn it off while it's between 0% and 100%, and since POWER + VOL DOWN takes approximately 7 seconds to power off the device, and the screen appears for around 4 seconds, you must press the buttons a few seconds before it's needed.
22) Once you are in the Hidden Menu, press on: - Device Menu - LDB - USB Debugging - Turn on debug mode when USB is connected.
23) You are now allowed to enter USB Debugging, but this won't help much due to the permissions issues. However, now you are allowed to list applications, which means you are also allowed to uninstall them (but still not allowed to start any application or do much else since "/" is mounted as read-only). Now, follow the instructions below exactly as provided, and do not install other apps unless you know exactly what you're doing. Otherwise, you might get stuck with a soft-bricked device. Just follow these instructions, and you'll be safe!
adb shell pm uninstall --user 0 com.android.google.gms
adb shell pm uninstall --user 0 com.lge.setupwizard
adb shell pm uninstall --user 0 com.lge.hiddenmenu
adb reboot
-
Once the device has rebooted after running the reboot command:
-
When you are back to the welcome screen: 1) Press the next button -> DO NOT CONNECT. 2) In the Wi-Fi settings, do NOT have a SIM card or connect to a Wi-Fi network. 3) Just press skip in the lower right corner and continue until you reach the HOME SCREEN, and you're done! Google can't connect to their servers because we removed the GMS package, and LG SetupWizard is gone, so the FRP protection can't be triggered. Reinstall applications from the /system application and enjoy your fully unlocked LG G6 870S device!
Enjoy your fully unlocked LG G6 870!
Other bugs I found while trying to bypass FRP:¶
When you are at the Wi-Fi settings, and the next button is inactive because you are forced to connect to a network, do the following to move further. The exact second you turn off the device, press the next button before it becomes inactive/grayed out. You will be asked if you want to continue to the next step, and now you will be allowed to take over the fingerprint and PIN code and erase the old owner's lock settings. But don't get too excited, once this step is done and you were allowed to enter the username, you will be redirected back to the Wi-Fi screen, and you won't be able to proceed. In some tutorials out there, some claim that you can take over lock screen settings by entering the phone application, going to settings, setting up new certificates, and then being allowed to install your own fingerprint. This is a waste of time, and it's much easier to use this bug to take over the PIN code. However, it won't help in any way to bypass FRP, even if some wikis out there claim that.
Bypassing FRP with Pictures¶
Press the arrow next button¶
Press on skip:¶
As you can see, the next button is grayed out, so connect to Wi-Fi (you can bypass this by quickly pressing on Wi-Fi and then pressing next)¶
Now hit next¶
Press "Setup as new"¶
This is probably what you're going to see, so let's bypass this¶
Go back to the main screen (Wi-Fi must be connected)¶
Press on settings¶
Press on switch access (This is why Wi-Fi connection must be added, otherwise there are no settings here)¶
Press on settings¶
Press on Help & Feedback¶
Press on About Switch Access for Android¶
Press quickly on top of the video, now you see the clock and press on it (no need for some annoying accessibility settings with an annoying voice)¶
Press on settings¶
Press on Help & Feedback¶
Press on About Switch Access for Android¶
Press quickly on top of the video, now you see the clock and press on it (no need for some annoying accessibility settings with an annoying voice)¶
Youtube getting started for 1 second you won't even notice¶
Now you're at Google Chrome¶
Press on No Thanks¶
Download any apk file if you want to see that settings are limited by your own:¶
Just hit Allow¶
Press on Open¶
Once done, you will see¶
Press on Settings (and fuck you scammers, this is what you will get to)
No worries, browse to any site that allows you to press a number (here is a link to the page I was using). Feel free to press on mail and try to install your apk as we did on Android 8.0. It's not possible; you will be redirected to the settings above.¶
However, once you press on the phone number, you get into the call application. Now enter the UUSD code for the secret menu (this code is not accepted on Android 8.0, hence why we are using Android 7.0).¶
*#546368#*870#
And now you're in the hidden menu which you weren't allowed to open in Android 8.0. Browse to SVC MENU:¶
Followed by pressing on LDB:¶
Bypassing FRP with Pictures¶
Sorry for the extremely big pictures, no idea how to fix, and I am too lazy to search.
Press arrow next button¶
Press on skip:¶
As you can see, the next button is grayed out, so connect to Wi-Fi (you can bypass this if you press quickly on Wi-Fi and press next)¶
Now hit next¶
Press Setup as new¶
Probably, this is what you're going to see, so let's bypass this¶
Go back to the main screen (Wi-Fi must be connected)¶
Press on settings¶
Press on switch access: (This is why Wi-Fi connection must be added; otherwise, there are no settings here)¶
Press on settings¶
Press on Help & Feedback¶
Press on about switch access for Android¶
Press fast on top of the video, now you see the clock, and press on it (no need for some annoying accessibilities with an annoying voice)¶
Youtube getting started for 1 second; you won't even notice¶
Now you're at Google Chrome¶
Press on No Thanks¶
Download any APK file if you want to see that settings are limited by your own:¶
Just hit Allow¶
Press on Open¶
Once done, you will see¶
Press on Settings (and fuck you scammers, this is what you will get)¶
No worries, browse to any site that allows you to press a number (here is a link to the page I was using). Feel free to press on mail and try to install your APK as we did on Android 8.0. It's not possible; you will be redirected to the settings above.¶
However, once you press on the phone number, you get into the call application. Now enter the UUSD code for the secret menu (this code is not accepted on Android 8.0, hence why we are using Android 7.0).¶
*#546368#*870#
And now you're in the hidden menu that you weren't allowed to open in Android 8.0. Browse to SVC MENU:¶
Followed by pressing on LDB:¶
Is the USB debugging button grayed out?¶
This seems to vary for different firmwares, as I have noticed:¶
Don't panic! Follow the steps below if the USB debugging button is grayed out. Others can move on to the next part:¶
Turn off your LG device Re-do the flash process with LGUP Once the installation is complete and your device is erasing itself with the white background and the Android logo on the screen saying "DO NOT TURN OFF YOUR DEVICE" - That's exactly what you must do so turn off device by holding POWER + VOLUME DOWN (if you will be too late the first time, you will succeed the second time, just press the buttons ~2-3 seconds before you know the screen will pop up so you will power off the device during installation) - Now let the device be powered off for ~1 minute and then turn it on again and redo the process from step 1 until 22, and you will be able to enable USB debugging if you weren't too late when powering off the device. IF it's still inactive, then just try again and try again until it works, actually I figure out this after my third attempt, and now I have tried this several times and you must turn it off while it's between 0% and 100% and since POWER + VOL DOWN takes ~7 seconds to power off device and the screen appears for around 4 seconds, you must press the buttons a few seconds before to turn it off exactly when it's needed.
Enable USB debugging:¶
Here is a video that shows what's required to uninstall other applications. Uninstalling other applications is at your own risk - I TAKE NO RESPONSIBILITY, AND I DON'T RECOMMEND THIS SINCE IT'S NOT NEEDED AND IT IS JUST A RISK. PLAY WITH THIS ONLY WHEN YOU'RE DONE.¶
However, if you don't want to watch the video, here's the oneliner you can copy and paste:
for apps in \
"com.android.google.gms \
com.lge.setupwizard \
com.lge.hiddenmenu \
com.google.android.setupwizard \
com.lge.easyhome"; do
pm uninstall --user 0 "${apps}";
done
am broadcast -a android.intent.action.MASTER_CLEAR;
reboot
Once you have completed the steps in the video and rebooted your device, you will be back to the main screen.¶
Click the next arrow button:¶
And skip again:¶
Connect to Wi-Fi and hit next:¶
<img src="https://user-images.githubusercontent
.com/26827453/204666789-172f0706-01fb-4e77-b632-d9683bfc546a.png" width="30%">
Touché
! You can now accept documents:¶
And just continue until you reach the HOME screen...
Nah, just kidding. Your device will be formatted. Don't panic
!!!!
The device will reboot, erase itself, and now the magic! You're done.¶
Set up your device as usual. For the third time, click the arrow next button:¶
Now you can continue without Wi-Fi connected, just move on to the next step without any Wi-Fi or SIM card
Click "Skip" for internet connection:¶
Now you're at Google Services. I always uncheck this option, but it's optional, of course.¶
Next, set up your fingerprint if you wish. I won't use this now during the wiki:¶
Okay, you're back to where you started before. Don't worry; it will work!
And now, enjoy your fully unlocked LG device with bypassed FRP. Feel free to do anything you want now; it's 100% yours.
The device will erase itself, but don't worry! We have now reset the permissions for everything, so just set up the device again. This time it won't reboot again.
Greetings¶
To all my friends that letting me play with their devices, you know who you are!
Contact¶
Mail: wuseman