chipmunkmc/lglaf
1
0
Fork 0
mirror of https://github.com/Lekensteyn/lglaf.git synced 2024-11-27 01:25:38 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Initial commit of docs

Browse source
This commit is contained in:
Peter Wu 2015-12-24 19:59:23 +01:00
commit c88a4289e7
5 changed files with 396 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored Normal file
View file

@ -0,0 +1,4 @@
*.py[cod]
__pycache__/
venv/
.*.sw?

19
LICENSE Normal file
View file

@ -0,0 +1,19 @@
Copyright (c) 2015 Peter Wu <peter@lekensteyn.nl>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.

59
README.md Normal file
View file

@ -0,0 +1,59 @@
# LGLAF.py
LGLAF.py is a utility for communication with LG devices in Download Mode. This
allows you to execute arbitrary shell commands on a LG phone as root.
## Requirements
LGLAF.py depends on:
- Python 2.7 or 3: https://www.python.org/
- (Recommended) PyUSB: https://walac.github.io/pyusb/
Tested with:
- LG G3 (D855) on Arch Linux.
## Usage
This tool provides an interactive shell where you can enter commands and see a
response. Example use:
(venv)[peter@al lglaf]$ ./lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# pwd
/
# uname -a
-: uname: not found
# cat /proc/version
Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
# exit
When commands are piped to stdin, the promps is hidden:
(venv)[peter@al lglaf]$ echo mount | ./lglaf.py
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
(venv)[peter@al lglaf]$
Or if you are on Windows and have LG drivers installed:
> reg query HKLM\hardware\devicemap\SERIALCOMM
HKEY_LOCAL_MACHINE\hardware\devicemap\SERIALCOMM
\Device\Serial0 REG_SZ COM1
\Device\LGANDNETMDM0 REG_SZ COM3
\Device\LGANDNETDIAG1 REG_SZ COM4
> lglaf.py --serial COM4
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
#
## License
See the [LICENSE](LICENSE) file for the license (MIT).

193
info/lsusb.txt Normal file
View file

@ -0,0 +1,193 @@
Bus 002 Device 013: ID 1004:633e LG Electronics, Inc. G2 Android Phone [MTP mode]
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.10
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x1004 LG Electronics, Inc.
idProduct 0x633e G2 Android Phone [MTP mode]
bcdDevice 2.32
iManufacturer 1 LG Electronics Inc.
iProduct 2 LGE Android Phone
iSerial 3 LGD855xxxxxxxx
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 128
bNumInterfaces 4
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 6 Imaging
bInterfaceSubClass 1 Still Image Capture
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
iInterface 5 MTP
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x001c 1x 28 bytes
bInterval 6
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 1
bInterfaceCount 2
bFunctionClass 2 Communications
bFunctionSubClass 2 Abstract (modem)
bFunctionProtocol 1 AT-commands (v.25ter)
iFunction 8 CDC Serial
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 6 CDC Abstract Control Model (ACM)
CDC Header:
bcdCDC 1.10
CDC Call Management:
bmCapabilities 0x00
bDataInterface 2
CDC ACM:
bmCapabilities 0x02
line coding and serial state
CDC Union:
bMasterInterface 1
bSlaveInterface 2
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 9
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 7 CDC ACM Data
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Binary Object Store Descriptor:
bLength 5
bDescriptorType 15
wTotalLength 22
bNumDeviceCaps 2
USB 2.0 Extension Device Capability:
bLength 7
bDescriptorType 16
bDevCapabilityType 2
bmAttributes 0x00000002
HIRD Link Power Management (LPM) Supported
SuperSpeed USB Device Capability:
bLength 10
bDescriptorType 16
bDevCapabilityType 3
bmAttributes 0x00
wSpeedsSupported 0x000f
Device can operate at Low Speed (1Mbps)
Device can operate at Full Speed (12Mbps)
Device can operate at High Speed (480Mbps)
Device can operate at SuperSpeed (5Gbps)
bFunctionalitySupport 1
Lowest fully-functional device speed is Full Speed (12Mbps)
bU1DevExitLat 1 micro seconds
bU2DevExitLat 500 micro seconds
Device Status: 0x0000
(Bus Powered)

121
protocol.md Normal file
View file

@ -0,0 +1,121 @@
# LG LAF Protocol
This document is a reverse-engineered protocol description for "LG LAG", the
download mode offered by various LG models. It is based on analysis on the
`Send_Command.exe` utility and `LGD855_20140526_LGFLASHv160.dll` file and a USB
trace using Wireshark and usbmon on Linux. Some commands were found in the
`/sbin/lafd` binary.
## Overview
LAF is a simple request/response protocol operating over USB. The USB details
are described at the end of the document, the messages are described below.
Each message consists of a header, followed by an optional body. The header
contains 32-bit DWORDs, integers are encoded in little-endian form:
| Offset (hex) | Offset (dec) | Type | Description
| ----:| --:| ---
| 0x00 | 0 | char[4] | Command
| 0x04 | 4 | var | Argument 1
| 0x08 | 8 | var | Argument 2
| 0x0c | 12 | var | Argument 3
| 0x10 | 16 | var | Argument 4 (not encountered)
| 0x14 | 20 | int | Body length
| 0x18 | 24 | int | CRC-16
| 0x1c | 28 | char[4] | Bit-wise invertion of command at offset 0
Arguments can be integers or character sequences depending on the command.
The CRC field is the CRC-16-CCITT calculation (LSB-first) over the header and
the body with zeroes in place of CRC.
Each request is followed by a response with a matching command field. If an
error occurs, the response contains command is `FAIL` with argument 1 being the
error code and the original request header as body.
## Commands
### OPEN - Open
Arguments: none
Request body: at most 276 (0x114) bytes (?)
### CLSE - Close
Arguments: none
### HELO - Hello
Arguments:
- arg1: DWORD Protocol Version (`\1\0\0\1`) (resp must match req.)
- arg2 (response): Minimum Protocol Version (`\0\0\x80\0` was observed)
### CTRL - Control
Arguments:
- arg1: "RSET" or "ONRS"
Note: `CTRL(RSET)` with no body is sent by the `Send_Command.exe` utility for
the `LEAVE` command.
### WRTE - Write
Arguments:
- arg1: ?
- arg2: ?
### READ - Read
Arguments:
- arg1: ?
- arg2: ?
- arg3: ?
Response body: present.
(Arguments probably encode read offset, length)
### ERSE - Erase
Arguments:
- arg1: ?
- arg2: ?
- arg3: ?
### EXEC - Execute Command
Arguments: none
Request body: NUL-terminated command.
Response body: standard output of the command.
The command is probably split on space and then passes to `execve`. In order to
see standard error, use variables and globbing, use a command such as:
sh -c "$@" -- eval 2>&1 echo $PATH
### INFO - Get Info
Arguments:
- arg1: action (`GPRO` - Get Properties, `SPRO` - Set Properties)
Request body: fixed size 2824 (0xb08)
Response body: present for `GPRO`
### UNLK - Unlock
Arguments: none
### RSVD - Reserved
Arguments: none
### IOCT
Unknown.
### MISC
Unknown.
### KILO
Unknown.
### DIFF
Unknown.
## USB layer
The LG Windows driver (via `LGMobileDriver_WHQL_Ver_4.0.3.exe`) exposes two
serial ports, `LGANDNETMDM0` and `LGANDNETDIAG1`. The `LGANDNETDIAG1` port is
used for LAF.
The LG G3 (D855) has Vendor ID 0x1004 and Product ID 0x633e.
There is only one configuration descriptor and LAF uses bulk transfers over
endpoints 5 (for input from the device) and endpoint 3 (for output to the
device).
For other descriptors, see [info/lsusb.txt](info/lsusb.txt).