mirror of
https://github.com/Lekensteyn/lglaf.git
synced 2024-11-27 01:25:38 -05:00
Initial commit of docs
commit
c88a4289e7
5 changed files with 396 additions and 0 deletions
4
.gitignore
vendored
Normal file
|
@ -0,0 +1,4 @@
|
|||
*.py[cod]
|
||||
__pycache__/
|
||||
venv/
|
||||
.*.sw?
|
19
LICENSE
Normal file
|
@ -0,0 +1,19 @@
|
|||
Copyright (c) 2015 Peter Wu <peter@lekensteyn.nl>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
||||
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
|
||||
OR OTHER DEALINGS IN THE SOFTWARE.
|
59
README.md
Normal file
|
@ -0,0 +1,59 @@
|
|||
# LGLAF.py
|
||||
LGLAF.py is a utility for communication with LG devices in Download Mode. This
|
||||
allows you to execute arbitrary shell commands on a LG phone as root.
|
||||
|
||||
## Requirements
|
||||
LGLAF.py depends on:
|
||||
|
||||
- Python 2.7 or 3: https://www.python.org/
|
||||
- (Recommended) PyUSB: https://walac.github.io/pyusb/
|
||||
|
||||
Tested with:
|
||||
|
||||
- LG G3 (D855) on Arch Linux.
|
||||
|
||||
## Usage
|
||||
This tool provides an interactive shell where you can enter commands and see a
|
||||
response. Example use:
|
||||
|
||||
(venv)[peter@al lglaf]$ ./lglaf.py
|
||||
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
|
||||
Type a shell command to execute or "exit" to leave.
|
||||
# pwd
|
||||
/
|
||||
# uname -a
|
||||
-: uname: not found
|
||||
# cat /proc/version
|
||||
Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
|
||||
# exit
|
||||
|
||||
When commands are piped to stdin, the promps is hidden:
|
||||
|
||||
(venv)[peter@al lglaf]$ echo mount | ./lglaf.py
|
||||
rootfs / rootfs rw 0 0
|
||||
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
|
||||
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
|
||||
proc /proc proc rw,relatime 0 0
|
||||
sysfs /sys sysfs rw,seclabel,relatime 0 0
|
||||
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
|
||||
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
|
||||
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
|
||||
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
|
||||
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
|
||||
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
|
||||
(venv)[peter@al lglaf]$
|
||||
|
||||
Or if you are on Windows and have LG drivers installed:
|
||||
|
||||
> reg query HKLM\hardware\devicemap\SERIALCOMM
|
||||
HKEY_LOCAL_MACHINE\hardware\devicemap\SERIALCOMM
|
||||
\Device\Serial0 REG_SZ COM1
|
||||
\Device\LGANDNETMDM0 REG_SZ COM3
|
||||
\Device\LGANDNETDIAG1 REG_SZ COM4
|
||||
> lglaf.py --serial COM4
|
||||
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
|
||||
Type a shell command to execute or "exit" to leave.
|
||||
#
|
||||
|
||||
## License
|
||||
See the [LICENSE](LICENSE) file for the license (MIT).
|
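Review bot: The Windows example at the end of the Usage section passes `--serial COM4` without saying why COM4 is the right port. The `reg query` output lists both `LGANDNETMDM0` (COM3) and `LGANDNETDIAG1` (COM4), and only protocol.md states that `LGANDNETDIAG1` is the port used for LAF; add one sentence here naming the entry to look for. Smaller points in the same hunk: "promps" should read "prompt", "a LG phone" should read "an LG phone", and the PyUSB requirement is marked "(Recommended)" without saying what the tool does when PyUSB is not installed.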
193
info/lsusb.txt
Normal file
|
@ -0,0 +1,193 @@
|
|||
Bus 002 Device 013: ID 1004:633e LG Electronics, Inc. G2 Android Phone [MTP mode]
|
||||
Device Descriptor:
|
||||
bLength 18
|
||||
bDescriptorType 1
|
||||
bcdUSB 2.10
|
||||
bDeviceClass 0
|
||||
bDeviceSubClass 0
|
||||
bDeviceProtocol 0
|
||||
bMaxPacketSize0 64
|
||||
idVendor 0x1004 LG Electronics, Inc.
|
||||
idProduct 0x633e G2 Android Phone [MTP mode]
|
||||
bcdDevice 2.32
|
||||
iManufacturer 1 LG Electronics Inc.
|
||||
iProduct 2 LGE Android Phone
|
||||
iSerial 3 LGD855xxxxxxxx
|
||||
bNumConfigurations 1
|
||||
Configuration Descriptor:
|
||||
bLength 9
|
||||
bDescriptorType 2
|
||||
wTotalLength 128
|
||||
bNumInterfaces 4
|
||||
bConfigurationValue 1
|
||||
iConfiguration 0
|
||||
bmAttributes 0x80
|
||||
(Bus Powered)
|
||||
MaxPower 500mA
|
||||
Interface Descriptor:
|
||||
bLength 9
|
||||
bDescriptorType 4
|
||||
bInterfaceNumber 0
|
||||
bAlternateSetting 0
|
||||
bNumEndpoints 3
|
||||
bInterfaceClass 6 Imaging
|
||||
bInterfaceSubClass 1 Still Image Capture
|
||||
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
|
||||
iInterface 5 MTP
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x81 EP 1 IN
|
||||
bmAttributes 2
|
||||
Transfer Type Bulk
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0200 1x 512 bytes
|
||||
bInterval 0
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x01 EP 1 OUT
|
||||
bmAttributes 2
|
||||
Transfer Type Bulk
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0200 1x 512 bytes
|
||||
bInterval 0
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x82 EP 2 IN
|
||||
bmAttributes 3
|
||||
Transfer Type Interrupt
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x001c 1x 28 bytes
|
||||
bInterval 6
|
||||
Interface Association:
|
||||
bLength 8
|
||||
bDescriptorType 11
|
||||
bFirstInterface 1
|
||||
bInterfaceCount 2
|
||||
bFunctionClass 2 Communications
|
||||
bFunctionSubClass 2 Abstract (modem)
|
||||
bFunctionProtocol 1 AT-commands (v.25ter)
|
||||
iFunction 8 CDC Serial
|
||||
Interface Descriptor:
|
||||
bLength 9
|
||||
bDescriptorType 4
|
||||
bInterfaceNumber 1
|
||||
bAlternateSetting 0
|
||||
bNumEndpoints 1
|
||||
bInterfaceClass 2 Communications
|
||||
bInterfaceSubClass 2 Abstract (modem)
|
||||
bInterfaceProtocol 1 AT-commands (v.25ter)
|
||||
iInterface 6 CDC Abstract Control Model (ACM)
|
||||
CDC Header:
|
||||
bcdCDC 1.10
|
||||
CDC Call Management:
|
||||
bmCapabilities 0x00
|
||||
bDataInterface 2
|
||||
CDC ACM:
|
||||
bmCapabilities 0x02
|
||||
line coding and serial state
|
||||
CDC Union:
|
||||
bMasterInterface 1
|
||||
bSlaveInterface 2
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x84 EP 4 IN
|
||||
bmAttributes 3
|
||||
Transfer Type Interrupt
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0040 1x 64 bytes
|
||||
bInterval 9
|
||||
Interface Descriptor:
|
||||
bLength 9
|
||||
bDescriptorType 4
|
||||
bInterfaceNumber 2
|
||||
bAlternateSetting 0
|
||||
bNumEndpoints 2
|
||||
bInterfaceClass 10 CDC Data
|
||||
bInterfaceSubClass 0
|
||||
bInterfaceProtocol 0
|
||||
iInterface 7 CDC ACM Data
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x83 EP 3 IN
|
||||
bmAttributes 2
|
||||
Transfer Type Bulk
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0200 1x 512 bytes
|
||||
bInterval 0
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x02 EP 2 OUT
|
||||
bmAttributes 2
|
||||
Transfer Type Bulk
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0200 1x 512 bytes
|
||||
bInterval 0
|
||||
Interface Descriptor:
|
||||
bLength 9
|
||||
bDescriptorType 4
|
||||
bInterfaceNumber 3
|
||||
bAlternateSetting 0
|
||||
bNumEndpoints 2
|
||||
bInterfaceClass 255 Vendor Specific Class
|
||||
bInterfaceSubClass 255 Vendor Specific Subclass
|
||||
bInterfaceProtocol 255 Vendor Specific Protocol
|
||||
iInterface 0
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x85 EP 5 IN
|
||||
bmAttributes 2
|
||||
Transfer Type Bulk
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0200 1x 512 bytes
|
||||
bInterval 0
|
||||
Endpoint Descriptor:
|
||||
bLength 7
|
||||
bDescriptorType 5
|
||||
bEndpointAddress 0x03 EP 3 OUT
|
||||
bmAttributes 2
|
||||
Transfer Type Bulk
|
||||
Synch Type None
|
||||
Usage Type Data
|
||||
wMaxPacketSize 0x0200 1x 512 bytes
|
||||
bInterval 0
|
||||
Binary Object Store Descriptor:
|
||||
bLength 5
|
||||
bDescriptorType 15
|
||||
wTotalLength 22
|
||||
bNumDeviceCaps 2
|
||||
USB 2.0 Extension Device Capability:
|
||||
bLength 7
|
||||
bDescriptorType 16
|
||||
bDevCapabilityType 2
|
||||
bmAttributes 0x00000002
|
||||
HIRD Link Power Management (LPM) Supported
|
||||
SuperSpeed USB Device Capability:
|
||||
bLength 10
|
||||
bDescriptorType 16
|
||||
bDevCapabilityType 3
|
||||
bmAttributes 0x00
|
||||
wSpeedsSupported 0x000f
|
||||
Device can operate at Low Speed (1Mbps)
|
||||
Device can operate at Full Speed (12Mbps)
|
||||
Device can operate at High Speed (480Mbps)
|
||||
Device can operate at SuperSpeed (5Gbps)
|
||||
bFunctionalitySupport 1
|
||||
Lowest fully-functional device speed is Full Speed (12Mbps)
|
||||
bU1DevExitLat 1 micro seconds
|
||||
bU2DevExitLat 500 micro seconds
|
||||
Device Status: 0x0000
|
||||
(Bus Powered)
|
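Review bot: The first line of the dump labels the device "G2 Android Phone [MTP mode]", while `iSerial` (`LGD855xxxxxxxx`) and protocol.md point to an LG G3 (D855), and nothing in the file says what state the phone was in when the dump was taken. Add a short header line, or a sentence in protocol.md next to the link, stating the device model, the mode it was in and the `lsusb` invocation used. It would also help to point out that interface 3 (vendor specific class 255, endpoints 0x85 IN and 0x03 OUT) is the one protocol.md means by "endpoints 5 ... and endpoint 3", so readers do not have to infer it from the descriptor list.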
121
protocol.md
Normal file
|
@ -0,0 +1,121 @@
|
|||
# LG LAF Protocol
|
||||
This document is a reverse-engineered protocol description for "LG LAG", the
|
||||
download mode offered by various LG models. It is based on analysis on the
|
||||
`Send_Command.exe` utility and `LGD855_20140526_LGFLASHv160.dll` file and a USB
|
||||
trace using Wireshark and usbmon on Linux. Some commands were found in the
|
||||
`/sbin/lafd` binary.
|
||||
|
||||
## Overview
|
||||
LAF is a simple request/response protocol operating over USB. The USB details
|
||||
are described at the end of the document, the messages are described below.
|
||||
|
||||
Each message consists of a header, followed by an optional body. The header
|
||||
contains 32-bit DWORDs, integers are encoded in little-endian form:
|
||||
|
||||
| Offset (hex) | Offset (dec) | Type | Description
|
||||
| ----:| --:| ---
|
||||
| 0x00 | 0 | char[4] | Command
|
||||
| 0x04 | 4 | var | Argument 1
|
||||
| 0x08 | 8 | var | Argument 2
|
||||
| 0x0c | 12 | var | Argument 3
|
||||
| 0x10 | 16 | var | Argument 4 (not encountered)
|
||||
| 0x14 | 20 | int | Body length
|
||||
| 0x18 | 24 | int | CRC-16
|
||||
| 0x1c | 28 | char[4] | Bit-wise invertion of command at offset 0
|
||||
|
||||
Arguments can be integers or character sequences depending on the command.
|
||||
|
||||
The CRC field is the CRC-16-CCITT calculation (LSB-first) over the header and
|
||||
the body with zeroes in place of CRC.
|
||||
|
||||
Each request is followed by a response with a matching command field. If an
|
||||
error occurs, the response contains command is `FAIL` with argument 1 being the
|
||||
error code and the original request header as body.
|
||||
|
||||
## Commands
|
||||
|
||||
### OPEN - Open
|
||||
Arguments: none
|
||||
Request body: at most 276 (0x114) bytes (?)
|
||||
|
||||
### CLSE - Close
|
||||
Arguments: none
|
||||
|
||||
### HELO - Hello
|
||||
Arguments:
|
||||
- arg1: DWORD Protocol Version (`\1\0\0\1`) (resp must match req.)
|
||||
- arg2 (response): Minimum Protocol Version (`\0\0\x80\0` was observed)
|
||||
|
||||
### CTRL - Control
|
||||
Arguments:
|
||||
- arg1: "RSET" or "ONRS"
|
||||
|
||||
Note: `CTRL(RSET)` with no body is sent by the `Send_Command.exe` utility for
|
||||
the `LEAVE` command.
|
||||
|
||||
### WRTE - Write
|
||||
Arguments:
|
||||
- arg1: ?
|
||||
- arg2: ?
|
||||
|
||||
### READ - Read
|
||||
Arguments:
|
||||
- arg1: ?
|
||||
- arg2: ?
|
||||
- arg3: ?
|
||||
Response body: present.
|
||||
|
||||
(Arguments probably encode read offset, length)
|
||||
|
||||
### ERSE - Erase
|
||||
Arguments:
|
||||
- arg1: ?
|
||||
- arg2: ?
|
||||
- arg3: ?
|
||||
|
||||
### EXEC - Execute Command
|
||||
Arguments: none
|
||||
Request body: NUL-terminated command.
|
||||
Response body: standard output of the command.
|
||||
|
||||
The command is probably split on space and then passes to `execve`. In order to
|
||||
see standard error, use variables and globbing, use a command such as:
|
||||
|
||||
sh -c "$@" -- eval 2>&1 echo $PATH
|
||||
|
||||
### INFO - Get Info
|
||||
Arguments:
|
||||
- arg1: action (`GPRO` - Get Properties, `SPRO` - Set Properties)
|
||||
Request body: fixed size 2824 (0xb08)
|
||||
Response body: present for `GPRO`
|
||||
|
||||
### UNLK - Unlock
|
||||
Arguments: none
|
||||
|
||||
### RSVD - Reserved
|
||||
Arguments: none
|
||||
|
||||
### IOCT
|
||||
Unknown.
|
||||
|
||||
### MISC
|
||||
Unknown.
|
||||
|
||||
### KILO
|
||||
Unknown.
|
||||
|
||||
### DIFF
|
||||
Unknown.
|
||||
|
||||
## USB layer
|
||||
The LG Windows driver (via `LGMobileDriver_WHQL_Ver_4.0.3.exe`) exposes two
|
||||
serial ports, `LGANDNETMDM0` and `LGANDNETDIAG1`. The `LGANDNETDIAG1` port is
|
||||
used for LAF.
|
||||
|
||||
The LG G3 (D855) has Vendor ID 0x1004 and Product ID 0x633e.
|
||||
|
||||
There is only one configuration descriptor and LAF uses bulk transfers over
|
||||
endpoints 5 (for input from the device) and endpoint 3 (for output to the
|
||||
device).
|
||||
|
||||
For other descriptors, see [info/lsusb.txt](info/lsusb.txt).
|
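Review bot: The CRC paragraph under the header table is too thin to implement from. The field at offset 0x18 is typed `int` while the text calls it CRC-16, so say what the upper 16 bits hold, and give the initial value plus one worked header with its expected checksum so an implementation can be checked against it. In the same hunk: the header table's separator row (`| ----:| --:| ---`) has three columns against four in the heading row, so the table will not render; the intro calls the protocol "LG LAG" while the title says "LG LAF"; "invertion" should read "inversion"; "the response contains command is `FAIL`" needs rewording; and in EXEC the sentence "In order to see standard error, use variables and globbing, use a command such as" does not parse. The USB layer section should name interface 3 explicitly, since info/lsusb.txt shows endpoint numbers 1 to 5 spread over four interfaces.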