• Stars
    star
    137
  • Rank 266,121 (Top 6 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 9 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

LG Download Mode utility and documentation

LGLAF.py

LGLAF.py is a utility for communication with LG devices in Download Mode. This allows you to execute arbitrary shell commands on a LG phone as root.

Contents of this repository:

  • lglaf.py - main script for communication (see below).
  • partitions.py - manage (list / read / write) partitions.
  • extract-partitions.py - Dump all partitions (convenience script that uses partitions.py under the hood). By default the largest partitions (system, cache, cust, userdata) are not dumped though. This can be changed with the --max-size option.
  • dump-file.py - dumps a regular file from device.
  • protocol.md - Protocol documentation.
  • lglaf.lua - Wireshark dissector for LG LAF protocol.
  • scripts/ - Miscellaneous scripts.

Requirements

LGLAF.py depends on:

On Linux, you must also install rules.d/42-usb-lglaf.rules to /etc/udev/rules.d/ in order to give the regular user access to the USB device.

Tested with:

  • LG G3 (D855) on 64-bit Arch Linux (Python 3.5.1, pyusb 1.0.0b2, libusb 1.0.20)
  • LG G3 (D855) on 32-bit Windows XP (Python 3.4.4, LG drivers).
  • LG G2 (VS985).
  • LG G4 (VS986) on Linux (Python 3.5) and Windows.
  • LG K10 2017 (M250N) on Linux (Both Python 2.7.13 and Python 3.5.3).

Usage

This tool provides an interactive shell where you can execute commands in Download Mode. To enter this mode:

  1. Power off the phone.
  2. Connect the phone to a computer using a USB cable.
  3. Press and hold Volume up.
  4. Briefly press the power button.
  5. Wait for the Download mode screen to appear.
  6. Release keys. You should now see a Firmware Update screen.

Now you can issue commands using the interactive shell:

(venv)[peter@al lglaf]$ python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# pwd
/
# uname -a
-: uname: not found
# cat /proc/version
Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
# exit

When commands are piped to stdin (or given via -c), the prompt is hidden:

(venv)[peter@al lglaf]$ echo mount | python lglaf.py
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
(venv)[peter@al lglaf]$ python lglaf.py -c date
Thu Jan  1 01:30:06 GMT 1970
(venv)[peter@al lglaf]$

Advanced usage

If you know the protocol, you can send commands directly. Each request has a command, zero to four arguments and possibly a body. The lglaf.py tool accepts this command:

![command] [arguments] [body]

All of these words accept escape sequences such as \0 (octal escape), \x00 (hex), \n, \r and \t. The command must be exactly four bytes, the arguments and body are optional.

Arguments are comma-separated and must either be four-byte sequences (such as \0\1\2\3) or numbers (such as 0x03020100). If no arguments are given, but a body is needed, keep two spaces between the command and argument.

Reboot device (command CTRL, arg1 RSET, no body):

$ ./lglaf.py  --debug -c '!CTRL RSET'
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Header: b'CTRL' b'RSET' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\xc7\xeb\0\0' b'\xbc\xab\xad\xb3'

Execute a shell command (command EXEC, no args, with body):

$ ./lglaf.py --debug --skip-hello -c '!EXEC  id\0'
LGLAF.py: DEBUG: Header: b'EXEC' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'/\0\0\0' b'\x8dK\0\0' b'\xba\xa7\xba\xbc'
uid=0(root) gid=0(root) context=u:r:toolbox:s0

License

See the LICENSE file for the license (MIT).

More Repositories

1

apk-downloader

APK Downloader Chrome Extension
JavaScript
321
star
2

pacemaker

Heartbleed (CVE-2014-0160) client exploit
Python
319
star
3

dmg2img

DMG2IMG allows you to convert a (compressed) Apple Disk Images (imported from http://vu1tur.eu.org/dmg2img). Note: the master branch contains imported code, but lacks bugfixes/features from the develop branch. "develop" branch is recommended!
C
178
star
4

ltunify

Tool for working with Logitech Unifying receivers and devices (mirror)
C
166
star
5

qt5printers

GDB Pretty printers for Qt5
Python
132
star
6

acpi-stuff

Tools for analysing ACPI DSDT/SSDT tables and notes
HTML
54
star
7

netns

Network Namespace management for Linux
Shell
48
star
8

wireguard-dissector

Wireshark dissector (written in Lua) for dissecting the WireGuard tunneling protocol.
Lua
46
star
9

luagcrypt

luagcrypt is a Lua interface to the libgcrypt library, written in C.
C
26
star
10

parse8xp

Convert between source code and TI83/TI84/TI84+/TI84s programs (in .8xp format)
Python
22
star
11

kdnet

Windows Kernel Debugger over Network (Wireshark dissector and maybe more)
Lua
20
star
12

el4000

Energy Logger 4000 utility
Python
16
star
13

clang-alloc-free-checker

Clang static analyzer plugin for checking memory issues in Wireshark/GLib applications (allocator mismatch and memleaks)
C++
14
star
14

make-gapps-zip

Documentation and tools for reproducible update.zip builds
Python
12
star
15

lua-unicode

Patched Lua library to add UTF-8 support on Windows.
CMake
12
star
16

windows-bootstrap

Scripts and tools to automate a Windows 7 installation for QEMU
PowerShell
11
star
17

hex-viewer

Hex viewer for modern browsers with bit annotation functionality
JavaScript
10
star
18

ssh-blocker

Block IP addresses based on SSH logs
C
10
star
19

noscript-nsa

NSA - NoScript Anywhere (Firefox Mobile add-on)
JavaScript
8
star
20

wireshark-fuzztools

Tools to assist in fuzzing (or triaging from oss-fuzz)
Python
7
star
21

chromium-quic

Subset of chromium repo: net/quic/ net/tools/quic/ net/third_party/quic/
C++
7
star
22

aur

Personal PKGBUILDs, from AUR and official repositories
Shell
4
star
23

rsyncbackup

Simple interface for encrypted offline backups with snapshots support
Shell
3
star
24

archdir

Bootstrap a QEMU/KVM VM for building Arch Linux packages
Shell
3
star
25

dnsallow

dnsallow enables whitelisting of IP addresses based on DNS responses.
C
3
star
26

wireshark-ansible

ansible configuration for setting up a gerrit + buildbot nine cluster
Python
3
star
27

qemu-tools

Miscellaneous tools related to QEMU
Python
2
star
28

pystubgen

Generates Python source code from a module for documentation purposes
Python
2
star
29

wgll

Low-level prototyping tool for WireGuard
Python
2
star
30

ls-l.info

Test domain
HTML
1
star
31

iot19-leshan

Practical assignment for the TU/e 2017 course on IoT (2IMN15) - Group 19
Java
1
star