-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[linux][H815] LGLAF.py: WARNING: Command failed with error code 0x8000010a #7
Comments
So your USB stack is working fine, but the device is somehow reporting an error in response to the command (on the LAF protocol level). Do other operations work? For example:
|
It seems working.... |
Also reboot works
|
What about direct command invocation:
Aside, you can mark a whole block as code with this markup:
|
Aside: thank you very much, I was trying to figure out the right way! |
Ooh, actually, try two spaces between
|
A more question: why "lsusb" give me different results when devices is in "download mode" or "mtp" Download Mode
"MTP" mode
|
Same error code exit |
Devices can advertise different interfaces as they like (after a reset that is). Hmm, perhaps LG noticed about this loophole and patched it. Your firmware is from this January of this year while I tested it with firmware from last August. What you could try is to open Commands (replace
|
No way About different "lsusb" output, it's strange the the device has two different "idProduct", isn't it? |
Devices can pretty much advertise anything, even different idProducts. Some modems (and the OnePlusX for example) appear as mass-storage device, offering drivers to the host. After installing those drivers, the "normal" functionality becomes available. Maybe the device now needs a special greeting. What if you try an invalid command (such as If you feel like getting your hands dirty, consider finding the support tools for your phone (I forgot their names), set up a QEMU VM with USB-passthrough and record the USB communication. Then use the lglaf.lua Wireshark dissector in this repo for analysis of that communication. Hopefully it reveals the missing message. |
I'll try to set up a QEMU VM during the week |
I had set up quemu wm with USB-passthrough, and downloaded LG mobile support tool, the tool sees the device,and how can I record the USB communication? EDIT: ok, I've "sniffed" it using USBPcap |
I've a .pcap file, but I'm not able to dissect it, Would you be so kind to give it a look? |
Just wanted to note, I am following this as well. I have an LGVS425PP (LG Optimus Zone 3) and I am also receiving:
|
Any news on this feature? This tool has distinctly lower value until this gets fixed/worked around. |
mocolini, I disclaim particular knowledge of USB, but I suspect I may be able to make some sense of that capture. There any chance you could post it somewhere accessible so various eyes could examine the capture? (I hope @Lekensteyn will be able to attack this, but I can make an attempt) |
@mocolini I cannot find your pcap from April on my system and cannot recall whether I received it or not, can you share it again (possibly with @ehem too)? Btw, I also received a user report about the "KILO" command on a LG V10 6.0 which apparently appears before the "OPEN" command, perhaps there is some magic sequence needed to get allowance? |
That's it...hope it helps. |
I would simply like to report that I am having the exact same problem as mocolini and dmaiolo. If it helps, here is my lsusb output and props.bin |
@mocolini I took a brief look at it, but it does not look like LAF traffic at all. The protocol data is six bytes, starting with a NUL byte and ending with a NUL byte. There seems to be a pattern in that traffic though, the 5th byte in frame 3 is 53 and it increases over time. @ehem Can you have a further look at it? If you use Wireshark, right-click on "Leftover Capture Data" and use "Apply as Column", that helps with pattern spotting when scrolling over the list. @ledzepman71 Thanks, it might become useful for comparing versions. |
Looks like USB device 1 is either a keyboard or mouse, while USB device 2 is @mocolini's H815, notice frame 720. There is some traffic from the H815 in frames 592-722, but not enough to analyze and get things done. 😦 @mocolini any chance you could do a capture which starts before you plug in the USB cable to your device and then get the LG support tool to do something interesting? (what we really need is to observe it successfully doing some restricted operation) Just in case it wasn't obvious, I'm running into this as well and I'd like to get this fixed so I can do interesting things to my device. 😄 Problem is if they did it right this will be difficult or even impossible to break. I should also add, I'm dealing with a H962, so I'm guessing this will be an issue for all recent LG devices. |
Hallo, I've tried to capture something , but "LG Bridge" does non connect to the device. |
@mocolini have you tried the LGUP tool? The LG Mobile Support Tool ("LG Bridge") Ver 1.8.5.0 (windows 10 Ver 1511 build 10586.138) does identify my device and firmware version; however, there aren't any 'updates' or a stock kdz Also @Lekensteyn and @ehem, using Wireshark to analyze the pcap yields absolute gibberish to me. Is there anything specific you are looking for? I would like to help, but fear I lack the skill to contribute. |
Ok, I managed to make LG Bridge (and LGUP) working, give a look at this new attachment. |
Bellow you will find log files from LGFlash tool which includes the whole LAF protocol communication. |
@Lekensteyn have you had a chance to look at the lofs from lafd1? |
WRTE when used in official methods uses compression to send the data (given the correct args, typically it just feeds the raw/compressed dz/tot data which I'd assume is just lz or similarly compressed), which probably speeds it up quite a lot over sending just plain raw data. Keep in mind too, there is an additional CENT METR "mode" issued before closing the flash handles, though hopefully rebooting via the laf commands would clean up any outstanding handles and related flushes. I did solve and implement (in C, my python-ability sucks) the challenge response method before posting here previously, with even a basic shell for interactive exec then left it at that as its useless to me with a locked bootloader. The only real challenge I found was that my implementation of the crypto method was broken for that bit size and it took me a while to realize it. I prefer not to hoard, but to me this seems to be a beehive I'd rather not kick... making a standalone exe that just does the unlock would be trivial for one off private uses, or if the project maintainers want more info... snoremaster3000: the 8994 dll is using the same method/magic bytes as the others I looked at, making me think this method is currently even more universal than I thought it would be on MM LG devices. |
@joeblowma Are you able to get execution of binaries or file writes in your shell? My stock version of lafd is only allowing ls, ps, grep, mkdir, fota, gota, unmount, and dmesg. Can you characterize the crypto? Is it roll-your-own or a well-known algorithm? When I looked over the dissassembly I didn't see api calls in the area responsible for the challenge-response just a ton of math opcodes which quickly made my eyes hurt even when using a debugger to follow along. |
@joeblowma Can you please share CENT METR Auth Challenge? I have been digging into it, and interestingly they have around more than 10 xor functions inside. Not sure though they used only 4 byte received by CENT to generate Auth Data sent with METR. I am using delphi, and porting all these C output to it is hectic. It will be really appreciated if you can share it. Br, |
@snoremaster3000 as I said, they have severely limited the shell in these newer ones, my guess its mostly to mitigate the previous send_command tool though I'd bet there are ways around it as the parser is fairly primitive. I never explored it very far as having root in recovery mode does not get me root on a locked bootloader device, not even enough to see if it filters things like backspace escape key codes. Its nothing complicated, basically just enough they might get away with calling it DRM and feeding lawyers' boat collections while persecuting customers. As I've said elsewhere, I'll not "own" (if you can even call it that) another LG device in my lifetime - they not only suck at security but simply won't let us take it into our own hands if the "carrier" says so. @shadabmozaffar see all my previous statements for a clue as to why I didn't just dump it here the second I figured it out. I certainly wanted to... |
@joeblowma, i can see you mentioned that you solved, not in python but in C, but whatever is the language, it will be far better than those decompiled codes in iDA (which is also very nested, and i am unable to give much time to it as i am working on FireHose implementation also). I am just hoping to get any code which solves that challenge so i can convert later to delphi or python. Btw, i have not yet checked shell limitation on LAF ver. 0x10000003, yet i have own shell console written in delphi. Br, |
If download mode is implemented via "laf" then that is interesting news to me. The "laf" diskslice is an Android boot image, which means it can readily be unpacked and some analysis is possible. I'd be very careful about trying to overwrite it with an earlier version since it is almost certainly verified by hash or signature... (one interesting piece of news, they use MD5 in their KDZ files which is short enough to almost break on modern hardware with modern cryptographic techniques) |
I am experiencing the same error with D855: 0x8000010a. I would like to retrieve the userdata partition from a device in bootloop, therefore I would be very interested in a solution of this issue. |
@ehem Yes download mode is on the laf partition, the service that we are communicating with here is lafd. Yes, you can unpack the laf partition and find the binary for analysis at ramdisk/sbin/lafd. You can replace this binary with an older version however it will of course fail the boot hash check which unlike the KDZ file is not md5 (it's done by dm-verity which uses RSA). However, for every device I've seen with Marshmallow or earlier, this hasn't mattered even with a locked bootloader because verified boot was not set to enforcing. One should definatley backup their laf partition prior to overwriting so if nessessary they can simply reflash the original image. |
Through what mechanism do you want to reflash if LAF mode is broken (e.g. by broken signature)? |
I think LAF Signature Verification and shutdown things restrict only normal use of device. |
@Lekensteyn Good point, I'm so used to fastboot being available but I forget that many vendors remove or break it on purpose. However if it has a Qualcomm snapdragon you should still be able to reflash using QDLoader/QPST Config but this is definatley getting a little too close to the edge... |
Hi there.
Also, maybe it helps. H790 and H791 have diff info in
P.S.: anyway it's a great tool and work done here 👍 |
Hi! Even I get the same error as mocolini in Windows 10. Using Python 3.6.0. Any solution for this? Even |
Most likely, you need to authorize before using the commands. Take a look at #12 |
@snoremaster3000 Thanks for the PR! Could you make the required changes as requested by lekensteyn so that it will be merged ? Also, can anyone help with this command?
It should overwrite the recovery partition, but it seems that it's not persisted |
You sure its not just restoring recovery from recovery.img? Back when I had a rootable device I remember that being a thing. Provided your "abuse" of ls actually does anything on the newer laf, that is. |
maybe this will get you in the right direction :D |
@wchriseg that forum thread is basically discussing converting the python from pull request #12 (also mentioned a few posts above) of this project to delphi... not sure how that would help? |
Is this script working for anyone? My devices don't accept the response. Testing the challenge/response data linked earlier with both I looked at a newer |
@RenaKunisaki did you check the pull request? Specifically, I recall it saying something about not working correctly out of the box with newer python versions and thus wasn't merged; I did my own poc in C (I don't do python well) and that worked fine. As far as I could tell the second key was for devices that would be in the manufacturing pipeline, rather than consumer. |
@RenaKunisaki |
Ah, I thought that just meant it didn't work in Python 3. @joeblowma are you willing to share your C port? I'd really like to figure out how to get it working in Python, but first I need to get it working at all. |
Wow, nevermind, I goofed. It works. Even got it working in Python 3, will submit a pull request soon. |
Having this same issue on my Lg G6 https://forum.xda-developers.com/showpost.php?p=73197564&postcount=4 IF someone could kindly look for me and tell me what im doing wrong... im on Linux Debian if you dont wanna see the link heres a small example of what i mean
|
Hey @Lekensteyn - I managed to use a patched LGUP tool to do partition dumping with my phone. I dumped the smallest selectable "partition" (the first "PrimaryGPT", I believe My device is the T-Mobile G5 (H830) running the 20i update. |
Hey @segin, thanks for the pcap. Unfortunately I don't have time to look into it now, but maybe others with interest can look at it? |
@segin , You have correctly dumped partition table and what i can see there is your device has UFS file system which has 4KB sector and only a few partitions are there: As it is UFS Filesystem, your device may have multiple LUN and userdata should be at LUN 0 and system etc should be on LUN 4. |
By attaching a debugger to LGUP I found a couple of new commands INFOSPRO is called 4 times which by reading is setting some sort of properties SIGN SIGN is called twice before anything begins to work such as the OPEN or WRTE command and the response should be something like success cmd SIGN I think this is the missing link as after this all commands are given with 2 kilocent commands then 2 kilometr commands in that order so possibly the SIGN command is important but also the fact that the kilocent command is given twice then the 2 kilometr responses are sent but that's just speculation. Let me know what you guys think also two other commands that were found are OPCMCHEK MISCWRTE EDIT: disregard the SIGN part seems this is more important CHCKCLER is given twice before the exec command works it seems so new command there as well I think CHCKCLER is our missing link. Disclaimer I am on the LG G5 but it has the same issue. Debugged application message: [00:23:187] usb speed is high speed. . . |
Hallo,
I'm trying to use your tool, but once I gained the root shell in download mode, each commant ends up with "LGLAF.py: WARNING: Command failed with error code 0x8000010a"
and the same if I pipe the command
System specs:
S.O.: Slackware linux "-current"
Python: 2.7.11
PyUsb: 1.0.0rc1
/etc/udev/rules.d/42-usb-lglaf.rules: 42-usb-lgaf.rules.txt
LG G4 (H815)
Any hint?
The text was updated successfully, but these errors were encountered: