lekensteyn / lglaf Goto Github PK

LG Download Mode utility and documentation

License: MIT License

Python 94.18% Lua 5.82%

lglaf's Introduction

LGLAF.py

LGLAF.py is a utility for communication with LG devices in Download Mode. This allows you to execute arbitrary shell commands on a LG phone as root.

Contents of this repository:

lglaf.py - main script for communication (see below).
partitions.py - manage (list / read / write) partitions.
extract-partitions.py - Dump all partitions (convenience script that uses partitions.py under the hood). By default the largest partitions (system, cache, cust, userdata) are not dumped though. This can be changed with the --max-size option.
dump-file.py - dumps a regular file from device.
protocol.md - Protocol documentation.
lglaf.lua - Wireshark dissector for LG LAF protocol.
scripts/ - Miscellaneous scripts.

Requirements

LGLAF.py depends on:

Python 2.7 or 3: https://www.python.org/
(Windows) LG driver, LGMobileDriver_WHQL_Ver_4.2.0.exe (16691672 bytes, sha256sum: d78ae6dfe7d34b9cabb8c4de5c6e734b6fed20b513d0da0183871bd77abba56c), WARNING: This file was found via google search, it's not downloaded directly from LG servers
(Linux) PyUSB: https://walac.github.io/pyusb/
Cryptography library: https://cryptography.io/en/latest/

On Linux, you must also install rules.d/42-usb-lglaf.rules to /etc/udev/rules.d/ in order to give the regular user access to the USB device.

Tested with:

LG G3 (D855) on 64-bit Arch Linux (Python 3.5.1, pyusb 1.0.0b2, libusb 1.0.20)
LG G3 (D855) on 32-bit Windows XP (Python 3.4.4, LG drivers).
LG G2 (VS985).
LG G4 (VS986) on Linux (Python 3.5) and Windows.
LG K10 2017 (M250N) on Linux (Both Python 2.7.13 and Python 3.5.3).

Usage

This tool provides an interactive shell where you can execute commands in Download Mode. To enter this mode:

Power off the phone.
Connect the phone to a computer using a USB cable.
Press and hold Volume up.
Briefly press the power button.
Wait for the Download mode screen to appear.
Release keys. You should now see a Firmware Update screen.

Now you can issue commands using the interactive shell:

(venv)[peter@al lglaf]$ python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# pwd
/
# uname -a
-: uname: not found
# cat /proc/version
Linux version 3.4.0-perf-gf95c7ee (lgmobile@LGEARND12B2) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Aug 18 19:25:04 KST 2015
# exit

When commands are piped to stdin (or given via -c), the prompt is hidden:

(venv)[peter@al lglaf]$ echo mount | python lglaf.py
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=927232k,nr_inodes=87041,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=1000,errors=continue,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 ro,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
(venv)[peter@al lglaf]$ python lglaf.py -c date
Thu Jan  1 01:30:06 GMT 1970
(venv)[peter@al lglaf]$

Advanced usage

If you know the protocol, you can send commands directly. Each request has a command, zero to four arguments and possibly a body. The lglaf.py tool accepts this command:

![command] [arguments] [body]

All of these words accept escape sequences such as \0 (octal escape), \x00 (hex), \n, \r and \t. The command must be exactly four bytes, the arguments and body are optional.

Arguments are comma-separated and must either be four-byte sequences (such as \0\1\2\3) or numbers (such as 0x03020100). If no arguments are given, but a body is needed, keep two spaces between the command and argument.

Reboot device (command CTRL, arg1 RSET, no body):

$ ./lglaf.py  --debug -c '!CTRL RSET'
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Header: b'CTRL' b'RSET' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\xc7\xeb\0\0' b'\xbc\xab\xad\xb3'

Execute a shell command (command EXEC, no args, with body):

$ ./lglaf.py --debug --skip-hello -c '!EXEC  id\0'
LGLAF.py: DEBUG: Header: b'EXEC' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'/\0\0\0' b'\x8dK\0\0' b'\xba\xa7\xba\xbc'
uid=0(root) gid=0(root) context=u:r:toolbox:s0

License

See the LICENSE file for the license (MIT).

lglaf's People

Contributors

Stargazers

Watchers

Forkers

iwonasado langbeck hoangnova mathnerd314 evilpotato wenjinchoi qqlizhn mustaphaasbbar cherojeong sktjdgns1189 uflorin kirill9617 erik-smit kasual reydecopas steadfasterx snoremaster3000 nikotron teamregular blastagator nonamegsm krsse ariesgeek janddda renakunisaki mrnerd techmender gmt bmmhub anarcat manouchehri thawsystems gijstimmers tgusagi mgarkr canhcoco inarcissuss visdom2000 henrynnn celem lehmancurtis147 never4ever87 smurfix hobbit19 ivanjx juniojsv aiqs4 awest1981ks ekoputrapratama vgerris cfeedback haire41 s00dster gtr13920 haise0 aldhamdy smu1zel tassiovirginio jagarza2012 kebianizao poolesinc

lglaf's Issues

lglaf doesn't work anymore on LG K10 2017 (M250N) since the last Oreo update.

I'm afraid that LG did something with the last Oreo update to prevent us from using lglaf:

$ python extract-partitions.py --debug
2018-09-14 10:46:24,417 LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
Traceback (most recent call last):
  File "extract-partitions.py", line 70, in <module>
    main()
  File "extract-partitions.py", line 65, in main
    with partitions.laf_open_disk(comm) as disk_fd:
  File "/usr/lib/python3.7/contextlib.py", line 112, in __enter__
    return next(self.gen)
  File "/home/user/Downloads/lglaf/partitions.py", line 59, in laf_open_disk
    open_header = comm.call(open_cmd)[0]
  File "/home/user/Downloads/lglaf/lglaf.py", line 254, in call
    raise RuntimeError('Command failed with error code %#x (%s)' % (errCode, msg))
RuntimeError: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)

I made sure to enable OEM unlocking in Developer Options. Dialing *#*#759#*#* does not give me a OEM unlock menu anymore (as it did before).

Can not read usb dump on G4 in wireshark

I have added these new items to the lglaf.lua:

usb_product:add(0x1004633e, lglaf) -- LG G4 (H815 on LP)
usb_product:add(0x1004633a, lglaf) -- LG G4 (H815 on MM)

(yes they are different on between firmwares...)

Here is a dump taken while flashing with LGup:

excerpt: https://www.androidfilehost.com/?fid=889964283620771461
full: https://www.androidfilehost.com/?fid=889964283620771457

for reference here is the lafd from the device: http://www.filedropper.com/lafdg420p

LG LAF lua gets loaded it seems as I can see it in the protocols but it does not translate the dump..

Any help highly appreciated!!

The reason is I need to debug the issues for #7 and #24

Did someone managed to write TWRP to LG G4 with this tools?

The only stuff that works for me, is:

python lglaf.py -c '!INFO GPRO \x08\x0b\0\0' > props.bin

And then it's possible to view data with

python scripts/parse-props.py props.bin

Every other command fails. Thinking of is it possible to flash system firmware or at least TWRP so phone can be flashed from linux, without any windows touches.

Thanks guys...

"LAF Crypto failed to import!" error is unhelpful

try:
    import laf_crypto
except ImportError:
    _logger.warning("LAF Crypto failed to import!")
   pass

Printing a warning but not explaining why it happened isn't helpful, there's no way to know why it didn't load (missing a library, etc)

Overflow error

I get this error when running python3 ./extract-partitions.py --max-size 0 --debug -d dump:

2016-04-05 19:15:06,314 LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
2016-04-05 19:15:06,376 extract-partitions: DEBUG: Opened fd 28 for disk
2016-04-05 19:15:06,409 extract-partitions: INFO: Skipping partition modem (mmcblk0p1), already found at dump/mmcblk0p1.bin
2016-04-05 19:15:06,417 extract-partitions: INFO: Skipping partition sbl1 (mmcblk0p2), already found at dump/mmcblk0p2.bin
<...>
2016-04-05 19:15:06,683 extract-partitions: INFO: Dumping partition system (mmcblk0p34) to dump/mmcblk0p34.bin (3489660928 bytes)
2016-04-05 19:15:06,684 partitions: DEBUG: Will read 3489660928 bytes at disk offset 469762048
Traceback (most recent call last):
  File "~/lglaf/partitions.py", line 75, in laf_open_disk
    yield fd_num
  File "./extract-partitions.py", line 61, in main
    dump_partitions(comm, disk_fd, args.outdir, args.max_size * 1024)
  File "./extract-partitions.py", line 46, in dump_partitions
    partitions.dump_partition(comm, disk_fd, out_path, part_offset, part_size, current_size)
  File "~/lglaf/partitions.py", line 167, in dump_partition
    data = laf_read(comm, disk_fd, read_offset // BLOCK_SIZE, chunksize)
  File "~/lglaf/partitions.py", line 83, in laf_read
    header, response = comm.call(read_cmd)
  File "~/lglaf/lglaf.py", line 168, in call
    header = self.read(0x20)
  File "~/lglaf/lglaf.py", line 148, in read
    buff = self._read(need, timeout=timeout)
  File "~/lglaf/lglaf.py", line 256, in _read
    array = self.usbdev.read(self.ep_in, 4*1024*1024, timeout=timeout)
  File "/nix/store/7s6iyjnm8r8c21ij9wiscrrcmda33dym-python3-3.4.4-env/lib/python3.4/site-packages/usb/core.py", line 988, in read
    self.__get_timeout(timeout))
  File "/nix/store/7s6iyjnm8r8c21ij9wiscrrcmda33dym-python3-3.4.4-env/lib/python3.4/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
    timeout)
  File "/nix/store/7s6iyjnm8r8c21ij9wiscrrcmda33dym-python3-3.4.4-env/lib/python3.4/site-packages/usb/backend/libusb1.py", line 936, in __read
    _check(retval)
  File "/nix/store/7s6iyjnm8r8c21ij9wiscrrcmda33dym-python3-3.4.4-env/lib/python3.4/site-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 75] Overflow

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./extract-partitions.py", line 64, in <module>
    main()
  File "./extract-partitions.py", line 61, in main
    dump_partitions(comm, disk_fd, args.outdir, args.max_size * 1024)
  File "/nix/store/7s6iyjnm8r8c21ij9wiscrrcmda33dym-python3-3.4.4-env/lib/python3.4/contextlib.py", line 77, in __exit__
    self.gen.throw(type, value, traceback)
  File "~/lglaf/partitions.py", line 78, in laf_open_disk
    comm.call(close_cmd)
  File "~/lglaf/lglaf.py", line 169, in call
    validate_message(header, ignore_crc=True)
  File "~/lglaf/lglaf.py", line 126, in validate_message
    raise RuntimeError("Expected trailer %r, found %r" % (tail_exp, tail))
RuntimeError: Expected trailer b'\xff\xff\xff\xff', found b'\x00\x00\x00\x00'

I have an LG G2 LS980, here is the various lsusb output (-t, -v):

/:  Bus 07.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/5p, 480M
    |__ Port 2: Dev 12, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 2: Dev 18, If 0, Class=Communications, Driver=, 480M
        |__ Port 2: Dev 18, If 1, Class=CDC Data, Driver=, 480M
        |__ Port 2: Dev 18, If 2, Class=Vendor Specific Class, Driver=, 480M

Bus 007 Device 018: ID 1004:633a LG Electronics, Inc. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0        64
  idVendor           0x1004 LG Electronics, Inc.
  idProduct          0x633a 
  bcdDevice            2.32
  iManufacturer           1 LG Electronics Inc.
  iProduct                2 LGE Android Phone
  iSerial                 3 LGLS9804ad507f4
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           98
    bNumInterfaces          3
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         0
      bInterfaceCount         2
      bFunctionClass          2 Communications
      bFunctionSubClass       2 Abstract (modem)
      bFunctionProtocol       1 AT-commands (v.25ter)
      iFunction               7 CDC Serial
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              5 CDC Abstract Control Model (ACM)
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x00
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x02
          line coding and serial state
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               9
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              6 CDC ACM Data
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength           22
  bNumDeviceCaps          2
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000002
      HIRD Link Power Management (LPM) Supported
  SuperSpeed USB Device Capability:
    bLength                10
    bDescriptorType        16
    bDevCapabilityType      3
    bmAttributes         0x00
    wSpeedsSupported   0x000f
      Device can operate at Low Speed (1Mbps)
      Device can operate at Full Speed (12Mbps)
      Device can operate at High Speed (480Mbps)
      Device can operate at SuperSpeed (5Gbps)
    bFunctionalitySupport   1
      Lowest fully-functional device speed is Full Speed (12Mbps)
    bU1DevExitLat           1 micro seconds
    bU2DevExitLat         500 micro seconds
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0000
  (Bus Powered)

After detaching kernel driver, the next read operation may fail

When lglaf.py is used for the first time on Linux, it may detach kernel drivers such as cdc_acm. After this, there is somehow a race condition which could result in a timeout during the first read. Subsequent attempts seem to work fine though.

Maybe adding time.sleep(.1) could help (haven't tried it though), but the source of the issue is unknown.

USB

I've installed the rules and I still can't manage to get a USB signal in Download/Firmware mode. Just, "RuntimeError: USB device not found." Any ideas?

Windows 10 file read failed

Running on Windows 10, I had trouble with file operations. Made a few changes and it worked:

import os
class FileCommunication(Communication):
    def __init__(self, file_path):
        super(FileCommunication, self).__init__()
        if sys.version_info[0] >= 3:
            self.f = os.open(file_path, os.O_RDWR | os.O_BINARY)
        else:
            self.f = os.open(file_path, os.O_RDWR | os.O_BINARY)
    def _read(self, n, timeout=None):
        try:
            return os.read(self.f,n)
        except IOError as e:
            _logger.warning("failed to read")
            raise e
    def write(self, data):
        os.write(self.f,data)
    def close(self):
        os.close(self.f)

Need help and support new devices

I'm using WIN10 32bit And I have LG X Power (Ls755 MTK based Devices with CPU MT6755)
when i put the device in download mod and make the command

python lglaf.py --skip-hello --debug

it's show that the device isn't found or need to download LGusb driver.
but i was able to flash stock firmware with CM2 dongle and thats means the driver installed correctly

python lglaf.py --skip-hello --debug
LAF Crypto failed to import!
LGLAF.py: DEBUG: Using serial port: None
Traceback (most recent call last):
  File "lglaf.py", line 505, in <module>
    main()
  File "lglaf.py", line 478, in main
    comm = autodetect_device()
  File "lglaf.py", line 404, in autodetect_device
    raise RuntimeError("Device not found, try installing LG drivers")
RuntimeError: Device not found, try installing LG drivers

Output as one BIN

Just want to thank you for this project. It works perfectly for me. I was wondering if there was a way to get the script to extract as one BIN file? Essentially just output the physical mmcblk0. Thanks for your time and assistance.

Problem with communication port

Problem with communication port in windows7

Traceback (most recent call last):
File "C:\lglaf\lglaf.py", line 504, in
main()
File "C:\lglaf\lglaf.py", line 477, in main
comm = autodetect_device()
File "C:\lglaf\lglaf.py", line 404, in autodetect_device
return FileCommunication(serial_path)
File "C:\lglaf\lglaf.py", line 259, in init
self.f = open(file_path, 'r+b')
IOError: [Errno 2] No such file or directory: u'COM11'

Request Help Rooting LG-LS770 (Sprint)

So, I've been messing around with lglaf for a while, but I have never been able to get the job done.

I can get the device to respond to listing partitions, dumping the device, but I have yet to figure out how to push something to the /system/bin directory. I'm afraid to do much more than this due to LAF... The only reason I want to root this piece of crap is that it's the only thing I have, I'm disabled and broke, and I keep hitting the internal filespace wall. It sets the sd card as an internal partition and the external card as another, weird name.

Does anyone want to hand-hold me a touch? I know it's probably a lost cause, but I'd like to try... Hell if it goes well, I'd consider putting TWRP on it.

Gabriel

Can't write/wipe persistent partition.

Hi!

I have been trying to wipe the persistent partition in a LG MP450, but every time I do a WRTE or a TRIM command, I get the following:

lglaf$ python3 ./partitions.py --ufs --wipe persistent
Traceback (most recent call last):
  File "./partitions.py", line 370, in <module>
    main()
  File "./partitions.py", line 366, in main
    wipe_partition(comm, disk_fd, part_offset, part_size, block_size)
  File "./partitions.py", line 297, in wipe_partition
    laf_erase(comm, disk_fd, sector_start, sector_count)
  File "./partitions.py", line 102, in laf_erase
    header, response = comm.call(erase_cmd)
  File "/home/mvanotti/frp/lglaf/lglaf.py", line 264, in call
    raise RuntimeError('Command failed with error code %#x (%s)' % (errCode, msg))
RuntimeError: Command failed with error code 0x80000118 (LAF_ERROR_<unknown>)

I have tried issuing manual commands and nothing. Most of the other stuff works without issues (opening FDs, running some basic commands, etc).

Any ideas on what I can do?

MISC READ/WRTE ISSUES

Following instructions, cannot get any useful commands to go through. For my example, I followed the instructions on issue #48 written by runningNak3d where the MISC partition is being written and read from. I was able to find the sizes I needed collecting the data from ./partitions script. Here's the output of the MISC partition:

$ ./partitions.py --list | grep -B 2 -A 2 "misc"
2AB301DC-B302-BC20-6D2E-846FD0FE17AE abootbak
12 1152921504606846976 20480 53247 20117F86-E985-4357-B9EE-374BC1D8487D Unknown
46C2E671-08B2-C2FB-FFF6-94396C3F5797 misc
13 1152921504606846976 53248 86015 EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 Basic data partition
64943174-93E7-D470-B376-3152366DEEDD persist

The offset starts at 20480, the size with a multiplicity of 512 comes out to 32768. Here's what I get. I have no idea what I'm doing wrong, a little help would be appreciated!!

OUTPUT:
$ python3 lglaf.py --debug --cr --rawshell -c 'MISC WRTE,20480,32768'

LGLAF.py: DEBUG: product id in CR list: >G4<
LGLAF.py: DEBUG: Device is: 633a, G4. Enabling Challenge/Response!
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Using Protocol version: 0x1000003
LGLAF.py: DEBUG: CR detection: 1
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Challenge: b'0e3a527c'
LGLAF.py: DEBUG: Response: b'65effcc74ac3e005eb48a20d4a6e5521'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
Hello, I am LAF. Nice to meet you.

LG Q6: additionnal limitations from Lg ?

Hello everybody,
It try to use lglaf on my lg q6 but I face a few problems:

Needs to unlock, solved by PR #19
Cannot use commands with lglaf, because sh in not available on the q6. Only a few commands can be used directly: dmesg, unmount, fota, gota, ps, ls, mkdir, getenforce, grep (I found the list by extracting and opening the lafd binary with an hex editor, that seems to correlate with what I see in practice). I made this to be at least able to use the few available commands https://github.com/LG-Q6/lglaf/commit/ee36e156e3322e9173882c2817e587cef3f3d90f .
Related to the previous problem, we cannot obtain the informations about the partitions needed by partition.py (starting block, size) because the cat command is not available. As a workaround I extracted theses informations with adb and changed partition.py to get the informations from files https://github.com/LG-Q6/lglaf/commit/31c1afd0da36633deea09d2681d52eefeaa384c8.
I now be able to dump the partitions with "partition.py --dump file.img partition_name", the file image is correctly writen to the disk and is the same that the file from the kdz, even if I get this message:

./partitions.py --debug --dump test.img recovery
2017-11-01 10:02:58,350 LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
mmcblk0p49
/sys/class/block/mmcblk0/mmcblk0p49
2017-11-01 10:02:58,351 partitions: DEBUG: Partition recovery (mmcblk0p49) at offset 310378496 (0x12800000) size 33554432 (0x2000000)
2017-11-01 10:02:58,755 partitions: DEBUG: Opened fd 42 for disk
2017-11-01 10:02:58,755 partitions: DEBUG: Will read 33554432 bytes at disk offset 310378496
2017-11-01 10:03:01,381 partitions: INFO: Wrote 33554432 bytes to test.img
Traceback (most recent call last):
  File "./partitions.py", line 288, in <module>
    main()
  File "./partitions.py", line 284, in main
    wipe_partition(comm, disk_fd, part_offset, part_size)
  File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
    self.gen.next()
  File "./partitions.py", line 86, in laf_open_disk
    comm.call(close_cmd)
  File "/home/alex/lglaf/lglaf.py", line 236, in call
    raise RuntimeError('Command failed with error code %#x (%s)' % (errCode, msg))
RuntimeError: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)

But I cannot write to the partitions, for exemple:

./partitions.py --debug --restore recovery.img recovery 
2017-11-01 10:06:03,126 LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
mmcblk0p49
/sys/class/block/mmcblk0/mmcblk0p49
2017-11-01 10:06:03,127 partitions: DEBUG: Partition recovery (mmcblk0p49) at offset 310378496 (0x12800000) size 33554432 (0x2000000)
2017-11-01 10:06:03,540 partitions: DEBUG: Opened fd 43 for disk
2017-11-01 10:06:36,562 partitions: INFO: Done after writing 22439936 bytes from recovery.img
Traceback (most recent call last):
  File "./partitions.py", line 288, in <module>
    main()
  File "./partitions.py", line 284, in main
    wipe_partition(comm, disk_fd, part_offset, part_size)
  File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
    self.gen.next()
  File "./partitions.py", line 86, in laf_open_disk
    comm.call(close_cmd)
  File "/home/alex/lglaf/lglaf.py", line 236, in call
    raise RuntimeError('Command failed with error code %#x (%s)' % (errCode, msg))
RuntimeError: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)

And if I dump the partition again it's unchanged and nothing changed at reboot.
The error message is similare to the message I receive when I try to use a command before using auth.py, but it doesn't change anything for this, only for sending commands.

Does someone have similar problem on an other device ?
Do you have any solution or any clue to find how to solve that?

Thank you!

I tried to use --cr

and got
TypeError: unsupported operand type(s) for -: 'str' and 'int'

PyUSB is not detected

I installed all dependencies, but launching lglaf.py puts out:

user@laptop:~/Downloads/software/flashing/lglaf-master$ python lglaf.py
No handlers could be found for logger "LGLAF.py"
Traceback (most recent call last):
  File "lglaf.py", line 510, in <module>
    main()
  File "lglaf.py", line 483, in main
    comm = autodetect_device()
  File "lglaf.py", line 413, in autodetect_device
    raise RuntimeError("Please install PyUSB for USB support")
RuntimeError: Please install PyUSB for USB support

user@laptop:~/Downloads/software/flashing/lglaf-master$ pip3 install PyUSB
Requirement already satisfied: PyUSB in /home/user/.local/lib/python3.8/site-packages (1.0.2)

I'm trying to revive a borked LG G3 (d855) that worked for about 15 minutes until I decided to toggle encryption before restoring TWRP.

offset partition download

Hello,
i'd like to download one partition in separate parts because phone gets hot after some time and reboots. so i figured out i could do it in parts (eg. 512MB). so is it possible to set offset/size of downloaded data? and how? could you give me some example usage please

"Nice to meet you" on LG G6

I am attemping to use Shell to hopefully enable USB debugging on an LG G6 (LG-H873). I don't know if it's possible, and all of this is very new to me. The only command that works so far is dmesg. Not ls or cd grep or anything so far. I also don't understand how to "enable" --rawshell like I keep reading about. I have tried ./lglaf.py --rawshell and ./lglaf.py --rawshell (with two spaces) and lglaf.py --rawshell and lglaf.py --rawshell (with two spaces) and python lglaf.py --rawshell and python lglaf.py --rawshell (with two spaces) and python ./lglaf.py --rawshell and python ./lglaf.py --rawshell (with two spaces) and every time I get Hello, I am LAF. Nice to meet you.

What do I do to get commands to work? Is there any way to enable USB debugging? The issue is that my friend's daughter kept changing the lock screen password on her phone and then forgot it, and I am attempting to remove the lock screen without having to wipe the entire phone. I read that I can do that via ADB, but USB debugging must be enabled (it's not).

FR: add support to push data like lgup etc does

it would be nice if we could send data (in my case image files like twrp , system image etc) when in download mode.
would that be possible? This could make the kdz flasher tools obsolete for me due to the fact that i can extract them with the kdztools, then i want to push them to the device and flash them with dd..

Any chance that this may come one day?

Device not found

Traceback (most recent call last): File "C:\Users\junio\Desktop\lglaf-master\lglaf.py", line 510, in <module> main() File "C:\Users\junio\Desktop\lglaf-master\lglaf.py", line 483, in main comm = autodetect_device() File "C:\Users\junio\Desktop\lglaf-master\lglaf.py", line 409, in autodetect_device raise RuntimeError("Device not found, try installing LG drivers") RuntimeError: Device not found, try installing LG drivers

My device is lg k10 2017 and i is using windows.

Need to support LG tracfone devices

I have LG Tracfone (L33L)
I hope you make changes on this tool to support it.

Change link of Windows LG Driver to official website

At the time of writing, the Windows LG Driver is available on the official website. Under "LG Universal Mobile Drivers Download", choose "Windows" to download LGMobileDriver_WHQL_Ver_4.2.0.exe.

Direct link:
http://tool.cdn.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425

Dump and restore file

Hi Peter

I want added access points (apn)
Do I can for example, the work of back up. data/data/com.android.settings/ and restore without EXEC
Through the dump for example of the beginning of the user data by sector.
from you, I weak in English

Off-by-one error in partition sizing

The following code in partitions.py:

part_offset = part.first_lba * BLOCK_SIZE
part_size = (part.last_lba - part.first_lba) * BLOCK_SIZE

should be:

part_offset = part.first_lba * BLOCK_SIZE
part_size = (part.last_lba - part.first_lba + 1) * BLOCK_SIZE

Consider having a disk of 20 blocks, and you have a partition that starts at 5 and ends at 10. part_size would end up being 10 - 5, which is 5 blocks. Unfortunately, the partition is actually blocks 5,6,7,8,9,10 , which is 6 blocks!

Without this fix, downloading a partition will drop the last block.

Works on LG K10 2017 (m250n) on Ubuntu 17.04, Python 2.7.13.

Expected trailer on every command (win10)

I am using:

LG G4
windows 10 x64
python 2.7.11
LG mobile driver 4.2.0.0

Running any command generates an error such as:

$ python lglaf.py --skip-hello -c '!CTRL RSET'
LGLAF.py: WARNING: Expected trailer '\xfe\xff\xff\xff', found '\xf0$\x00\x10'

Even if the command works

LG D605 (L9II) 'hello' timeout.

I've got a problem with executing any command on my LG D605.

I've tried debugging USB with usbmon and Wireshark and noticed that last packet from device to host cames after script throws timeout error. ~~Is this normal, or have I stumble upon a bug?~~ Ok, it looks like a packet from urb_cancell with -ENOENT status.
The phone is boot looped, and I'm looking for a way to get my data back 😞

Sys info:

arch linux
kernel 5.2.6-arch1-1-ARCH

Wireshark dump:

usbmon-wireshark-fail-hell-lglaf.zip

Command output:

lglfs --debug

LGLAF.py: DEBUG: Detaching kernel driver for intf 0
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
Traceback (most recent call last):
  File "./lglaf.py", line 510, in <module>
    main()
  File "./lglaf.py", line 492, in main
    try_hello(comm)
  File "./lglaf.py", line 375, in try_hello
    data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
  File "./lglaf.py", line 225, in read
    buff = self._read(need, timeout=timeout)
  File "./lglaf.py", line 334, in _read
    array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
  File "/home/bartus/.local/lib/python3.7/site-packages/usb/core.py", line 988, in read
    self.__get_timeout(timeout))
  File "/home/bartus/.local/lib/python3.7/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
    timeout)
  File "/home/bartus/.local/lib/python3.7/site-packages/usb/backend/libusb1.py", line 936, in __read
    _check(retval)
  File "/home/bartus/.local/lib/python3.7/site-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out

kmesg:

sie 08 16:11:48 grafZero kernel: usb 2-9: new high-speed USB device number 44 using xhci_hcd
sie 08 16:11:48 grafZero kernel: usb 2-9: New USB device found, idVendor=1004, idProduct=61f1, bcdDevice= 2.28
sie 08 16:11:48 grafZero kernel: usb 2-9: New USB device strings: Mfr=1, Product=2, SerialNumber=3
sie 08 16:11:48 grafZero kernel: usb 2-9: Product: LG Android USB Device
sie 08 16:11:48 grafZero kernel: usb 2-9: Manufacturer: LG Electronics Inc.
sie 08 16:11:48 grafZero kernel: usb 2-9: SerialNumber: LG-D605-710ec29
sie 08 16:11:48 grafZero kernel: cdc_acm 2-9:1.0: ttyACM0: USB ACM device
sie 08 16:11:48 grafZero kernel: usbcore: registered new interface driver cdc_acm
sie 08 16:11:48 grafZero kernel: cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters

lsusb -d 1004: -v


Bus 002 Device 045: ID 1004:61f1 LG Electronics, Inc. Optimus Android Phone [LG Software mode]
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0        64
  idVendor           0x1004 LG Electronics, Inc.
  idProduct          0x61f1 Optimus Android Phone [LG Software mode]
  bcdDevice            2.28
  iManufacturer           1 LG Electronics Inc.
  iProduct                2 LG Android USB Device
  iSerial                 3 LG-D605-710ec29
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0062
    bNumInterfaces          3
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         0
      bInterfaceCount         2
      bFunctionClass          2 Communications
      bFunctionSubClass       2 Abstract (modem)
      bFunctionProtocol       1 AT-commands (v.25ter)
      iFunction               0 
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0 
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x00
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x02
          line coding and serial state
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0010  1x 16 bytes
        bInterval               9
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Status:     0x0000
  (Bus Powered)

wireshark usbmon

Wipe LAF

Wondering if it's possible to build a script to auto-wipe LAF to unlock bootloader on certain devices? Sorry if it's a dumb question.

Lg Laf Protocol (INFOSPRO) Help Me

Hello.. Please help me INFOSPRO protocol. İm make all protocol read wrte erse all make.
not understand INFOSPRO some programs are installing it and progress bar progresses in the device..

Can you help me with this? I don't really understand your logic...

See..

Offsett is continuously changing between 20 and 40. How is his logic ?

"nice to meet you" on LG G3 D852

With latest master, I still can't run any commands in recovery mode on this LG G3 D852 phone (after adding usb rules as per #30). i was hoping that #27 would help - and it does get further than before, but it still fails with a friendly error message.

here's a debug trace:

$ sudo python3 lglaf.py --cr --debug
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Doing KILO challenge response
LGLAF.py: DEBUG: Challenge: b'f29ae130'
LGLAF.py: DEBUG: Response: b'2f47ca81ebeee6f414263c0542c8d132'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# uname -a
Hello, I am LAF. Nice to meet you.#

not sure what that message means... anything i can do to help diagnostics here?

partitions.py --list gives "AssertionError: Expected arrow in ls output"

I'm getting this error when trying to run partitions.py --list AssertionError: Expected arrow in ls output
What does this mean? Am i doing something wrong?

Laf 1000005 little heads up needed

restore partitions slowly

What's the solution

dump normal But restore partitions slowly

How to edit it in order to transfer data quickly

New Commands

So I attached a debugger to LGUP and the following commands were found

SIGN

OPCMCHEK

MISCWRTE

CHCKCLER - this seems to unlock LAF for more commands. More on this to come as it is explored more

Add support for UFS devices

LG devices with UFS NAND use a sector size of 4096 not 512. Also, they have 7 block devices (/dev/block/sda to /dev/block/sdg) instead of the single block device (mmcblk0) that an eMMC device has.

I propose adding two switches:

--ufs to set the blocksize to 4096
--block to pass the block device that you want to work with

Alternatively could parse the GPT of all 7 block devices, and then issue the OPEN based on the partition that gets passed.

I am happy to open a PR, but some feedback on the best method of dealing with UFS would be good first :)

-- Brian

LG G2, model VS980 - partitions.py uses wrong path

This phone makes partitions.py (and therefore extract-partitions.py) look in the wrong folder in function "get_partitions". These scripts should be invoking "ls -l" at "/dev/block/platform/msm_sdcc.1/by-name" instead of the usual location. Other than that, everything works.

LGLAF permission denied - LG K10 (2017)

Hello guys, i have a problem with LG K10 (2017). The screen is broken and no adb enable and i need extract some data. When i try to execute the command python lglaf.py --cr --debug --rawshell give me this result

Traceback (most recent call last):
File "lglaf.py", line 510, in
main()
File "lglaf.py", line 483, in main
comm = autodetect_device()
File "lglaf.py", line 414, in autodetect_device
return USBCommunication()
File "lglaf.py", line 287, in init
current_cfg = self.usbdev.get_active_configuration()
File "/home/danilo/.local/lib/python2.7/site-packages/usb/core.py", line 875, in get_active_configuration
return self._ctx.get_active_configuration(self)
File "/home/danilo/.local/lib/python2.7/site-packages/usb/core.py", line 102, in wrapper
return f(self, *args, **kwargs)
File "/home/danilo/.local/lib/python2.7/site-packages/usb/core.py", line 236, in get_active_configuration
self.managed_open()
File "/home/danilo/.local/lib/python2.7/site-packages/usb/core.py", line 102, in wrapper
return f(self, *args, **kwargs)
File "/home/danilo/.local/lib/python2.7/site-packages/usb/core.py", line 120, in managed_open
self.handle = self.backend.open_device(self.dev)
File "/home/danilo/.local/lib/python2.7/site-packages/usb/backend/libusb1.py", line 786, in open_device
return _DeviceHandle(dev)
File "/home/danilo/.local/lib/python2.7/site-packages/usb/backend/libusb1.py", line 643, in init
_check(_lib.libusb_open(self.devid, byref(self.handle)))
File "/home/danilo/.local/lib/python2.7/site-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 13] Access denied (insufficient permissions)

Any help, the mobile need to be root? Sorry for my english

MISCWTRE AND IOCT AND COPY my researtch need complate

hi I am new
but I sniffed LG LS775 7.0 singed firmware and it use MISCWTRE instead of WRTE command because when you MAKE WTRE command it gives fail any one has explain

[linux][H815] LGLAF.py: WARNING: Command failed with error code 0x8000010a

Hallo,
I'm trying to use your tool, but once I gained the root shell in download mode, each commant ends up with "LGLAF.py: WARNING: Command failed with error code 0x8000010a"

# python lglaf.py
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# ls
LGLAF.py: WARNING: Command failed with error code 0x8000010a
# dir
LGLAF.py: WARNING: Command failed with error code 0x8000010a
# pwd
LGLAF.py: WARNING: Command failed with error code 0x8000010a

and the same if I pipe the command

# echo mount | python lglaf.py
LGLAF.py: WARNING: Command failed with error code 0x8000010a

System specs:
S.O.: Slackware linux "-current"
Python: 2.7.11
PyUsb: 1.0.0rc1
/etc/udev/rules.d/42-usb-lglaf.rules: 42-usb-lgaf.rules.txt
LG G4 (H815)

Any hint?

Patch boot partition

Is it safe to patch the boot with the magisk manager and restore via lglaf on the lg k10 m250?

IOError: [Errno 2] No such file or directory: u'COM11'

When I clone the repo and run python lglaf.py, I get the following error:

Traceback (most recent call last):
  File "lglaf.py", line 404, in <module>
    main()
  File "lglaf.py", line 382, in main
    comm = autodetect_device()
  File "lglaf.py", line 314, in autodetect_device
    return FileCommunication(serial_path)
  File "lglaf.py", line 187, in __init__
    self.f = open(file_path, 'r+b')
IOError: [Errno 2] No such file or directory: u'COM11'

I'm running Python 2.7 on Windows 10 x64, with an LG G5 (H830).

Baud rate change?

not an issue, just a question. is it possible to increase baud rate? some tools, paid ones mostly, seem to make the flash process faster. i was reading in lglaf.py to see if i could find something but im not experienced with python.

im a new user sorry if this is a neweb question

so i am trying to list partitions for an lg phone using the partitions list command but im getting back this error .
C:\Users\XXXXX>C:\Python27\python.exe C:\Users\XXXXX\Desktop\lglaf-master\pa
rtitions.py --list
No handlers could be found for logger "LGLAF.py"
Traceback (most recent call last):
File "C:\Users\XXXXX\Desktop\lglaf-master\partitions.py", line 274, in
main()
File "C:\Users\XXXXX\Desktop\lglaf-master\partitions.py", line 241, in main
comm = lglaf.autodetect_device()
File "C:\Users\XXXXX\Desktop\lglaf-master\lglaf.py", line 410, in autodetect
_device
return FileCommunication(serial_path)
File "C:\Users\XXXXX\Desktop\lglaf-master\lglaf.py", line 265, in init
self.f = open(file_path, 'r+b')
IOError: [Errno 2] No such file or directory: u'COM75'

what is the problem here i have tried a couple of phones diffrent models is this something from the phone or an error on my end thanks a lot

show the bricked phone's content in sdcard

I can list phone's all directory with this command lglaf.py --debug -c '!EXEC ls\0'
..
data
dev
...
sdcard
storage
...

Can I further list one of the above directories, say sdcard, using the above command?