mirror of https://github.com/Lekensteyn/lglaf.git synced 2024-11-14 19:35:41 -05:00

LG Download Mode utility and documentation

Find a file

Peter Wu 39c9872ca0 dump-file.py: allow custom size Files like /proc/kmsg are reported as zero size. It can be useful to assume a larger size to avoid empty output. Some devices are locked down and do not support all shell commands. If you know the size (or just want to try to read 1 byte), then you can avoid executing shell commands.		2017-12-01 03:46:44 +00:00
info	add USB dump for LG G3 D852	2017-11-28 21:47:55 -05:00
rules.d	add support for g3 d852	2017-11-28 21:47:54 -05:00
scripts	parse-props.py: fix assert failure	2015-12-29 13:24:07 +01:00
.gitignore	Initial commit of docs	2015-12-24 20:03:03 +01:00
dump-file.py	dump-file.py: allow custom size	2017-12-01 03:46:44 +00:00
extract-partitions.py	partitions: Read and parse info from GPT rather than executing shell commands, which is restricted on recent devices	2017-11-25 23:49:17 +01:00
gpt.py	partitions: Read and parse info from GPT rather than executing shell commands, which is restricted on recent devices	2017-11-25 23:49:17 +01:00
laf_crypto.py	Add KILO challenge/response	2017-11-26 00:00:28 +01:00
lglaf.lua	Compatibility with Wireshark 2.3.x	2017-03-17 12:15:06 +01:00
lglaf.py	Add KILO challenge/response	2017-11-26 00:00:28 +01:00
LICENSE	dump-file.py: added	2016-01-03 22:22:38 +01:00
partitions.py	partitions: Read and parse info from GPT rather than executing shell commands, which is restricted on recent devices	2017-11-25 23:49:17 +01:00
protocol.md	Added rudimentary description to some new commands	2017-11-25 23:05:34 +01:00
README.md	Fix download mode instructions in README.md	2016-05-19 11:40:19 -07:00

README.md

LGLAF.py

LGLAF.py is a utility for communication with LG devices in Download Mode. This allows you to execute arbitrary shell commands on a LG phone as root.

Contents of this repository:

lglaf.py - main script for communication (see below).
partitions.py - manage (list / read / write) partitions.
extract-partitions.py - Dump all partitions (convenience script that uses partitions.py under the hood). By default the largest partitions (system, cache, cust, userdata) are not dumped though. This can be changed with the --max-size option.
dump-file.py - dumps a regular file from device.
protocol.md - Protocol documentation.
lglaf.lua - Wireshark dissector for LG LAF protocol.
scripts/ - Miscellaneous scripts.

Requirements

LGLAF.py depends on:

Python 2.7 or 3: https://www.python.org/
(Windows) LG driver, LGMobileDriver_WHQL_Ver_4.0.3.exe (12986920 bytes, sha256sum: 86e893b7f5da7f7d2656d9ce2563f082271983bb63903d0ed5cb279c560db459)
(Linux) PyUSB: https://walac.github.io/pyusb/

On Linux, you must also install rules.d/42-usb-lglaf.rules to /etc/udev/rules.d/ in order to give the regular user access to the USB device.

Tested with:

LG G3 (D855) on 64-bit Arch Linux (Python 3.5.1, pyusb 1.0.0b2, libusb 1.0.20)
LG G3 (D855) on 32-bit Windows XP (Python 3.4.4, LG drivers).
LG G2 (VS985).
LG G4 (VS986) on Linux (Python 3.5) and Windows.

Usage

This tool provides an interactive shell where you can execute commands in Download Mode. To enter this mode:

Power off the phone.
Connect the phone to a computer using a USB cable.
Press and hold Volume up.
Briefly press the power button.
Wait for the Download mode screen to appear.
Release keys. You should now see a Firmware Update screen.

Now you can issue commands using the interactive shell:

(venv)[peter@al lglaf]$ python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# pwd
/
# uname -a
-: uname: not found
# cat /proc/version
Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
# exit

When commands are piped to stdin (or given via -c), the prompt is hidden:

(venv)[peter@al lglaf]$ echo mount | python lglaf.py
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
(venv)[peter@al lglaf]$ python lglaf.py -c date
Thu Jan  1 01:30:06 GMT 1970
(venv)[peter@al lglaf]$

Advanced usage

If you know the protocol, you can send commands directly. Each request has a command, zero to four arguments and possibly a body. The lglaf.py tool accepts this command:

![command] [arguments] [body]

All of these words accept escape sequences such as \0 (octal escape), \x00 (hex), \n, \r and \t. The command must be exactly four bytes, the arguments and body are optional.

Arguments are comma-separated and must either be four-byte sequences (such as \0\1\2\3) or numbers (such as 0x03020100). If no arguments are given, but a body is needed, keep two spaces between the command and argument.

Reboot device (command CTRL, arg1 RSET, no body):

$ ./lglaf.py  --debug -c '!CTRL RSET'
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Header: b'CTRL' b'RSET' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\xc7\xeb\0\0' b'\xbc\xab\xad\xb3'

Execute a shell command (command EXEC, no args, with body):

$ ./lglaf.py --debug --skip-hello -c '!EXEC  id\0'
LGLAF.py: DEBUG: Header: b'EXEC' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'/\0\0\0' b'\x8dK\0\0' b'\xba\xa7\xba\xbc'
uid=0(root) gid=0(root) context=u:r:toolbox:s0

License

See the LICENSE file for the license (MIT).