chipmunkmc/lglaf
1
0
Fork 0
mirror of https://github.com/Lekensteyn/lglaf.git synced 2025-04-10 03:55:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
LG Download Mode utility and documentation
40 commits 3 branches 0 tags 197 KiB
Find a file
Peter Wu 2d79e1565e Attempt to LG G4 compatibility 
lsusb from @invisiblek, unfortunately it seems to hang when used in
VirtualBox (USB passthrough from Windows to Linux).

The second CD of exposes the endpoints over bInterfaceNumber 2, so this
patch simply activates the second CD.

LG G4 (1004:6298) has this device descriptor:

    ...
    idVendor           0x1004 LG Electronics, Inc.
    idProduct          0x6298
    bcdDevice            3.10
    iManufacturer           1 LG Electronics Inc.
    iProduct                2 LGE Android Phone
    iSerial                 3 VS986xxxxxxxx
    bNumConfigurations      2
    Configuration Descriptor:
      ...
      bNumInterfaces          1
      bConfigurationValue     1
      ...
      Interface Descriptor:
        ...
        bNumEndpoints           3
        bInterfaceClass         6 Imaging
        bInterfaceSubClass      1 Still Image Capture
        bInterfaceProtocol      1 Picture Transfer Protocol (PIMA 15470)
        iInterface              5 MTP
        ...
        (EP 1 IN  Bulk)
        (EP 1 OUT Bulk)
        (EP 2 IN  Intr)
        ...
    Configuration Descriptor:
      ...
      bNumInterfaces          4
      bConfigurationValue     2
      ...
      Interface Descriptor:
        ...
        bNumEndpoints           3
        bInterfaceClass         6 Imaging
        bInterfaceSubClass      1 Still Image Capture
        bInterfaceProtocol      1 Picture Transfer Protocol (PIMA 15470)
        iInterface              6 MTP
        ...
        (EP 1 IN  Bulk)
        (EP 1 OUT Bulk)
        (EP 2 IN  Intr)
        ...
      Interface Association:
        bLength                 8
        bDescriptorType        11
        bFirstInterface         1
        bInterfaceCount         2
        bFunctionClass          2 Communications
        bFunctionSubClass       2 Abstract (modem)
        bFunctionProtocol       1 AT-commands (v.25ter)
        iFunction               9 CDC Serial
      Interface Descriptor:
        ...
        bNumEndpoints           1
        bInterfaceClass         2 Communications
        bInterfaceSubClass      2 Abstract (modem)
        bInterfaceProtocol      1 AT-commands (v.25ter)
        iInterface              7 CDC Abstract Control Model (ACM)
        ...
        (EP 4 IN  Intr)
      Interface Descriptor:
        ...
        bNumEndpoints           2
        bInterfaceClass        10 CDC Data
        bInterfaceSubClass      0
        bInterfaceProtocol      0
        iInterface              8 CDC ACM Data
        (EP 3 IN  Bulk)
        (EP 2 Out Bulk)
      Interface Descriptor:
        ...
        bInterfaceNumber        2
        bAlternateSetting       0
        bNumEndpoints           2
        bInterfaceClass       255 Vendor Specific Class
        bInterfaceSubClass    255 Vendor Specific Subclass
        bInterfaceProtocol    255 Vendor Specific Protocol
        iInterface              0
        (EP 5 IN  Bulk)
        (EP 3 OUT Bulk)
        ...
2015-12-29 18:43:22 +01:00
info Initial commit of docs 2015-12-24 20:03:03 +01:00
rules.d Add support for VS985 and others 2015-12-29 11:40:21 +01:00
scripts parse-props.py: fix assert failure 2015-12-29 13:24:07 +01:00
.gitignore Initial commit of docs 2015-12-24 20:03:03 +01:00
extract-partitions.py Move extract-partitions.py, add to README 2015-12-27 16:51:08 +01:00
lglaf.lua Add support for VS985 and others 2015-12-29 11:40:21 +01:00
lglaf.py Attempt to LG G4 compatibility 2015-12-29 18:43:22 +01:00
LICENSE Initial commit of docs 2015-12-24 20:03:03 +01:00
partitions.py Compatibility with LG G4 2015-12-29 18:26:07 +01:00
protocol.md Improve INFO GPRO field 2015-12-29 13:17:44 +01:00
README.md Move extract-partitions.py, add to README 2015-12-27 16:51:08 +01:00

README.md

LGLAF.py

LGLAF.py is a utility for communication with LG devices in Download Mode. This allows you to execute arbitrary shell commands on a LG phone as root.

Contents of this repository:

  • lglaf.py - main script for communication (see below).
  • partitions.py - manage (list / read / write) partitions.
  • extract-partitions.py - Dump all partitions (convenience script that uses partitions.py under the hood). By default the largest partitions (system, cache, cust, userdata) are not dumped though. This can be changed with the --max-size option.
  • protocol.md - Protocol documentation.
  • lglaf.lua - Wireshark dissector for LG LAF protocol.
  • scripts/ - Miscellaneous scripts.

Requirements

LGLAF.py depends on:

On Linux, you must also install rules.d/42-usb-lglaf.rules to /etc/udev/rules.d/ in order to give the regular user access to the USB device.

Tested with:

  • LG G3 (D855) on 64-bit Arch Linux (Python 3.5.1, pyusb 1.0.0b2, libusb 1.0.20)
  • LG G3 (D855) on 32-bit Windows XP (Python 3.4.4, LG drivers).

Usage

This tool provides an interactive shell where you can execute commands in Download Mode. To enter this mode:

  1. Power off the phone.
  2. Press and hold Volume up.
  3. Connect the phone to a computer using a USB cable.
  4. Wait for the Download mode screen to appear.
  5. Release keys. You should now see a Firmware Update screen.

Now you can issue commands using the interactive shell:

(venv)[peter@al lglaf]$ python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# pwd
/
# uname -a
-: uname: not found
# cat /proc/version
Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
# exit

When commands are piped to stdin (or given via -c), the prompt is hidden:

(venv)[peter@al lglaf]$ echo mount | python lglaf.py
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
(venv)[peter@al lglaf]$ python lglaf.py -c date
Thu Jan  1 01:30:06 GMT 1970
(venv)[peter@al lglaf]$

Advanced usage

If you know the protocol, you can send commands directly. Each request has a command, zero to four arguments and possibly a body. The lglaf.py tool accepts this command:

![command] [arguments] [body]

All of these words accept escape sequences such as \0 (octal escape), \x00 (hex), \n, \r and \t. The command must be exactly four bytes, the arguments and body are optional.

Arguments are comma-separated and must either be four-byte sequences (such as \0\1\2\3) or numbers (such as 0x03020100). If no arguments are given, but a body is needed, keep two spaces between the command and argument.

Reboot device (command CTRL, arg1 RSET, no body):

$ ./lglaf.py  --debug -c '!CTRL RSET'
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Header: b'CTRL' b'RSET' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\xc7\xeb\0\0' b'\xbc\xab\xad\xb3'

Execute a shell command (command EXEC, no args, with body):

$ ./lglaf.py --debug --skip-hello -c '!EXEC  id\0'
LGLAF.py: DEBUG: Header: b'EXEC' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'/\0\0\0' b'\x8dK\0\0' b'\xba\xa7\xba\xbc'
uid=0(root) gid=0(root) context=u:r:toolbox:s0

License

See the LICENSE file for the license (MIT).