From c88a4289e79809c20d145217bc5d44163307f6b2 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Thu, 24 Dec 2015 19:59:23 +0100
Subject: [PATCH] Initial commit of docs
---
 .gitignore | 4 +
 LICENSE | 19 +++++
 README.md | 59 +++++++++++++++
 info/lsusb.txt | 193 +++++++++++++++++++++++++++++++++++++++++++++++++
 protocol.md | 121 +++++++++++++++++++++++++++++++
 5 files changed, 396 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 info/lsusb.txt
 create mode 100644 protocol.md
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8b11d0e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.py[cod]
+__pycache__/
+venv/
+.*.sw?
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..4110768
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2015 Peter Wu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2a4c574
--- /dev/null
+++ b/README.md 
@@ -0,0 +1,59 @@
+# LGLAF.py
+LGLAF.py is a utility for communication with LG devices in Download Mode. This
+allows you to execute arbitrary shell commands on a LG phone as root.
+
+## Requirements
+LGLAF.py depends on:
+
+ - Python 2.7 or 3: https://www.python.org/
+ - (Recommended) PyUSB: https://walac.github.io/pyusb/
+
+Tested with:
+
+ - LG G3 (D855) on Arch Linux.
+
+## Usage
+This tool provides an interactive shell where you can enter commands and see a
+response. Example use:
+
+ (venv)[peter@al lglaf]$ ./lglaf.py
+ LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
+ Type a shell command to execute or "exit" to leave.
+ # pwd
+ /
+ # uname -a
+ -: uname: not found
+ # cat /proc/version
+ Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
+ # exit
+
+When commands are piped to stdin, the promps is hidden:
+
+ (venv)[peter@al lglaf]$ echo mount | ./lglaf.py
+ rootfs / rootfs rw 0 0
+ tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
+ devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
+ proc /proc proc rw,relatime 0 0
+ sysfs /sys sysfs rw,seclabel,relatime 0 0
+ selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
+ debugfs /sys/kernel/debug debugfs rw,relatime 0 0
+ /dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
+ /dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
+ /dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
+ /dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
+ (venv)[peter@al lglaf]$
+
+Or if you are on Windows and have LG drivers installed:
+
+ > reg query HKLM\hardware\devicemap\SERIALCOMM
+ HKEY_LOCAL_MACHINE\hardware\devicemap\SERIALCOMM
+ \Device\Serial0 REG_SZ COM1
+ \Device\LGANDNETMDM0 REG_SZ COM3
+ \Device\LGANDNETDIAG1 REG_SZ COM4
+ > lglaf.py --serial COM4
+ LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
+ Type a shell command to execute or "exit" to leave.
+ #
+
+## License
+See the [LICENSE](LICENSE) file for the license (MIT).
diff --git a/info/lsusb.txt b/info/lsusb.txt
new file mode 100644
index 0000000..1883a53
--- /dev/null
+++ b/info/lsusb.txt
@@ -0,0 +1,193 @@
+Bus 002 Device 013: ID 1004:633e LG Electronics, Inc. G2 Android Phone [MTP mode]
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.10
+ bDeviceClass 0
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ idVendor 0x1004 LG Electronics, Inc.
+ idProduct 0x633e G2 Android Phone [MTP mode]
+ bcdDevice 2.32
+ iManufacturer 1 LG Electronics Inc.
+ iProduct 2 LGE Android Phone
+ iSerial 3 LGD855xxxxxxxx
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 128
+ bNumInterfaces 4
+ bConfigurationValue 1
+ iConfiguration 0
+ bmAttributes 0x80
+ (Bus Powered)
+ MaxPower 500mA
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 3
+ bInterfaceClass 6 Imaging
+ bInterfaceSubClass 1 Still Image Capture
+ bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
+ iInterface 5 MTP
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x01 EP 1 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x001c 1x 28 bytes
+ bInterval 6
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 1
+ bInterfaceCount 2
+ bFunctionClass 2 Communications
+ bFunctionSubClass 2 Abstract (modem)
+ bFunctionProtocol 1 AT-commands (v.25ter)
+ iFunction 8 CDC Serial
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 1
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 2 Abstract (modem)
+ bInterfaceProtocol 1 AT-commands (v.25ter)
+ iInterface 6 CDC Abstract Control Model (ACM)
+ CDC Header:
+ bcdCDC 1.10
+ CDC Call Management:
+ bmCapabilities 0x00
+ bDataInterface 2
+ CDC ACM:
+ bmCapabilities 0x02
+ line coding and serial state
+ CDC Union:
+ bMasterInterface 1
+ bSlaveInterface 2
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x84 EP 4 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 9
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 2
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0
+ bInterfaceProtocol 0
+ iInterface 7 CDC ACM Data
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x83 EP 3 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x02 EP 2 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 3
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 255 Vendor Specific Subclass
+ bInterfaceProtocol 255 Vendor Specific Protocol
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x85 EP 5 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x03 EP 3 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+Binary Object Store Descriptor:
+ bLength 5
+ bDescriptorType 15
+ wTotalLength 22
+ bNumDeviceCaps 2
+ USB 2.0 Extension Device Capability:
+ bLength 7
+ bDescriptorType 16
+ bDevCapabilityType 2
+ bmAttributes 0x00000002
+ HIRD Link Power Management (LPM) Supported
+ SuperSpeed USB Device Capability:
+ bLength 10
+ bDescriptorType 16
+ bDevCapabilityType 3
+ bmAttributes 0x00
+ wSpeedsSupported 0x000f
+ Device can operate at Low Speed (1Mbps)
+ Device can operate at Full Speed (12Mbps)
+ Device can operate at High Speed (480Mbps)
+ Device can operate at SuperSpeed (5Gbps)
+ bFunctionalitySupport 1
+ Lowest fully-functional device speed is Full Speed (12Mbps)
+ bU1DevExitLat 1 micro seconds
+ bU2DevExitLat 500 micro seconds
+Device Status: 0x0000
+ (Bus Powered)
diff --git a/protocol.md b/protocol.md
new file mode 100644
index 0000000..f82b27d
--- /dev/null
+++ b/protocol.md
@@ -0,0 +1,121 @@
+# LG LAF Protocol
+This document is a reverse-engineered protocol description for "LG LAG", the
+download mode offered by various LG models. It is based on analysis on the
+`Send_Command.exe` utility and `LGD855_20140526_LGFLASHv160.dll` file and a USB
+trace using Wireshark and usbmon on Linux. Some commands were found in the
+`/sbin/lafd` binary.
+
+## Overview
+LAF is a simple request/response protocol operating over USB. The USB details
+are described at the end of the document, the messages are described below.
+
+Each message consists of a header, followed by an optional body. The header
+contains 32-bit DWORDs, integers are encoded in little-endian form:
+
+| Offset (hex) | Offset (dec) | Type | Description
+| ----:| --:| ---
+| 0x00 | 0 | char[4] | Command
+| 0x04 | 4 | var | Argument 1
+| 0x08 | 8 | var | Argument 2
+| 0x0c | 12 | var | Argument 3
+| 0x10 | 16 | var | Argument 4 (not encountered)
+| 0x14 | 20 | int | Body length
+| 0x18 | 24 | int | CRC-16
+| 0x1c | 28 | char[4] | Bit-wise invertion of command at offset 0
+
+Arguments can be integers or character sequences depending on the command.
+
+The CRC field is the CRC-16-CCITT calculation (LSB-first) over the header and
+the body with zeroes in place of CRC.
+
+Each request is followed by a response with a matching command field. If an
+error occurs, the response contains command is `FAIL` with argument 1 being the
+error code and the original request header as body.
+
+## Commands
+
+### OPEN - Open
+Arguments: none
+Request body: at most 276 (0x114) bytes (?)
+
+### CLSE - Close
+Arguments: none
+
+### HELO - Hello
+Arguments:
+ - arg1: DWORD Protocol Version (`\1\0\0\1`) (resp must match req.)
+ - arg2 (response): Minimum Protocol Version (`\0\0\x80\0` was observed)
+
+### CTRL - Control
+Arguments:
+ - arg1: "RSET" or "ONRS"
+
+Note: `CTRL(RSET)` with no body is sent by the `Send_Command.exe` utility for
+the `LEAVE` command.
+
+### WRTE - Write
+Arguments:
+ - arg1: ?
+ - arg2: ?
+
+### READ - Read
+Arguments:
+ - arg1: ?
+ - arg2: ?
+ - arg3: ?
+Response body: present.
+
+(Arguments probably encode read offset, length)
+
+### ERSE - Erase
+Arguments:
+ - arg1: ?
+ - arg2: ?
+ - arg3: ?
+
+### EXEC - Execute Command
+Arguments: none
+Request body: NUL-terminated command.
+Response body: standard output of the command.
+
+The command is probably split on space and then passes to `execve`. In order to
+see standard error, use variables and globbing, use a command such as:
+
+ sh -c "$@" -- eval 2>&1 echo $PATH
+
+### INFO - Get Info
+Arguments:
+ - arg1: action (`GPRO` - Get Properties, `SPRO` - Set Properties)
+Request body: fixed size 2824 (0xb08)
+Response body: present for `GPRO`
+
+### UNLK - Unlock
+Arguments: none
+
+### RSVD - Reserved
+Arguments: none
+
+### IOCT
+Unknown.
+
+### MISC
+Unknown.
+
+### KILO
+Unknown.
+
+### DIFF
+Unknown.
+
+## USB layer
+The LG Windows driver (via `LGMobileDriver_WHQL_Ver_4.0.3.exe`) exposes two
+serial ports, `LGANDNETMDM0` and `LGANDNETDIAG1`. The `LGANDNETDIAG1` port is
+used for LAF.
+
+The LG G3 (D855) has Vendor ID 0x1004 and Product ID 0x633e.
+
+There is only one configuration descriptor and LAF uses bulk transfers over
+endpoints 5 (for input from the device) and endpoint 3 (for output to the
+device).
+
+For other descriptors, see [info/lsusb.txt](info/lsusb.txt).