lglaf
I'm a new user, sorry if this is a newbie question.
So I am trying to list partitions for an LG phone using the partitions list command, but I'm getting back this error.
C:\Users\XXXXX>C:\Python27\python.exe C:\Users\XXXXX\Desktop\lglaf-master\partitions.py --list
No handlers could be found for logger "LGLAF.py"
Traceback (most recent call last):
File "C:\Users\XXXXX\Desktop\lglaf-master\partitions.py", line 274, in
What is the problem here? I have tried a couple of phones, different models. Is this something from the phone or an error on my end? Thanks a lot.
I believe the issue is your USB port number. The request will error out if using a port id higher than 10. Don't take my word for it as I'm commenting from memory...
sorry same problem again
C:\Users\HASHASH\Desktop\lglaf-master>partitions.py --list
No handlers could be found for logger "LGLAF.py"
Traceback (most recent call last):
File "C:\Users\HASHASH\Desktop\lglaf-master\partitions.py", line 274, in
You are connecting in Download Mode, correct? If so, it could be a driver issue. Since you're running Windows, uninstall ALL LG drivers. Reboot PC. Reinstall drivers and reboot. Now connect your device to PC, preferably in Download mode. Let drivers install. Reboot once more. Now try using lglaf.py.
I'm only guessing here as I have very little info to go on. Please let us know what device you're using and its Android version. The more info you can provide us, the greater the chances we'll have of being able to assist you.
Sent from my LG Stylo3 using FastHub
Yeah, I'm connected in download mode, and I am 100% sure of my drivers because I use them for programming using different boxes and everything works normally. The device that I am trying to connect is an LG LS777; I also tried to connect other devices, but all of them were the same: LS450, LS675, LS676. But the main concentration is the LS777. What I want to accomplish is ZV9 and over SIM unlock. Currently the only way to unlock this phone is using an eMMC connection and writing the modem and carrier partitions directly to eMMC so I can bypass the LG signature that no one has. I was reading a previous issue, link: https://github.com/Lekensteyn/lglaf/issues/48, and what runningnak3d was saying, and I am trying to implement it so I can unlock these phones. I have practice boards and I am willing to try it out; I don't really care if I hard brick them, I can just do eMMC repair. As he was saying, the only way to bypass the LG signature is by writing the file to the misc, then from the misc you move it to the sector you want in pieces of 512 bytes, since this is an eMMC. So as he said, you have to use 1-MISCWRTE 2-IOCT 3-COPY 4-IOCT again.
This is what I want to accomplish. I also have another model which I want to do the same process to, but I want to at least be able to figure out the first one LOL.
thanks a lot for your help
I have a LS777 also, but haven't even tried using lglaf with it. I normally do my modding etc. on a Linux box but I can do some experimenting in Windows 7 to see if I experience the same issues.
Sorry for the late reply, different time zone. Anyway, don't bother yourself switching to Windows. I'm formatting my old laptop right now and downloading Kali Linux on it, and I'll follow your process and report back to you. But do you think what I want to do is possible?
I'm honestly not sure if you can accomplish your goal with this or not. No harm in trying I guess. Especially since you say you can repair a device if you brick it. As for Windows, my PC is dual boot so it's no problem for me to test. My only issue is time. That's something I don't have much of nowadays...
I now have a Linux distro on my laptop. I will get on the job as soon as I wake up tomorrow morning lol, it's already late over here. I will be updating you if I have any problems and if the problem persists. Thanks a lot, shinobisoft.
So now I'm in Linux, but I have a couple of problems with the LS777 and a couple of newer models.
This is from the LG LS450: when I run the partitions list command I get all the partitions and sizes and everything like that, so I can basically run commands. But when I try on newer models, for example the LS777 or M210, I get this problem.
root@localhost:~/Desktop/lglaf-master# python partitions.py --list
Traceback (most recent call last):
File "partitions.py", line 274, in
On devices running Marshmallow and newer it seems LG has taken further steps to prevent us from modding their devices. These devices require the KILO challenge/response scenario ( -cr switch ).
Is it possible to talk to you in PM using WhatsApp or anything you're comfortable with? I have some stuff that I want to ask you in private. I can't really post it online; it is stuff I am trying to do, but I can't let the competition in my country get any hints. If it's not too much to ask of you.
@pomgrapes it looks like you may need to run your partitions.py as python3 if using in linux. Also, this is assuming you've already patched the files to 4096 instead of 512 like before. So, I have a LG G7 T-Mobile (LG710TM), you can parse the properties, restart, power off using CTRL command, but haven't been able to parse for partitions using partitions.py and lglaf.py --cr gives me a shell, but gives me the infamous LAFBot saying Hello. Has anyone dealt with the new LG G7's and tried to pull firmwares, wipe cache, etc? Any help would be appreciated!
@P3nguin-M On UFS devices you have to send a valid OPEN payload for the LUN you are trying to open. If you look at @steadfasterX's fork, he has included the OPEN payloads for the most common LUNs.
-- Brian
Erm.. I found this in Lekensteyn's: https://github.com/Lekensteyn/lglaf/blob/master/protocol.md Git'd steadfasterX's fork, but could not find any documentation published on his fork. From what I took from the protocol page, if frp was sdg1 I would first need to open the partition and then wipe? Here's what I get when I try to open:
python3 lglaf.py --cr --rawshell -c '!OPEN /dev/block/sdg1'
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'/dev/block/sdg1'
You need two spaces after OPEN, but that is only part of your problem.
/dev/block/sdg1 isn't a valid block device -- that is a partition, and isn't even enumerated by lafd -- you only have access to block devices (/dev/block/sda sdb sdc etc).
Second, that isn't a valid OPEN payload. This is the OPEN payload for /dev/block/sde:
open_cmd = lglaf.make_request(b'OPEN', body=b'\x2f\x64\x65\x76\x2f\x62\x6c\x6f\x63\x6b\x2f\x73\x64\x65\x00\x06\xfb\x0f\x00\x00\x30\xb0\x9d\x06\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x30\xb0\x9d\x06\x00\x00\x00\x00\xdd\x60\x1a\x10\x48\x52\x9f\x06\xd8\x4f\x9d\x06\x06\x00\x00\x00\x00\x00\x00\x00\x58\x52\x9f\x06\x00\x00\x00\x00\x0c\x00\x06\x00\x04\x00\x00\x00\x60\xea\xff\x03\xeb\x27\x00\x10\xdc\xea\xff\x03\x30\xb0\x9d\x06\x64\xea\xff\x03\x41\x76\x1a\x10\x00\x00\x61\x06\x00\x00\x00\x00\x30\xb0\x9d\x06\xc0\xea\xff\x03\xbe\xe4\x09\x10\x30\xb0\x9d\x06\xb6\xd9\xee\xd8\x48\x00\x00\x00\xbc\x52\xa7\x06\xdb\xe4\x09\x10\x30\xb0\x9d\x06\x30\xc0\x9d\x06\x30\xc0\x9d\x06\x00\x00\x00\x00\xdc\xea\xff\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xb6\xd9\xee\xd8\xfc\xea\xff\x03\xf0\x9a\x1d\x10\x48\x00\x00\x00\x10\x00\x00\x00\x08\xeb\xff\x03\x7b\x8c\x03\x10\x10\x00\x00\x00\x8a\x8c\x03\x10\x7e\xd8\xee\xd8\xba\x8c\x03\x10\x00\x6f\x6f\x74\x00\xd9\xee\xd8\xa0\xe8\xff\x03\x9c\xec\xff\x03\x02\x00\x02\x00\xb6\x81\x00\x00\x00\x00\xb6\x01\x00\x00\x00\x00\x00\x00\x00\x00\0')
The first 14 bytes DO decode to /dev/block/sde, but I haven't spent the time to decode the rest of the payload because it works fine as is when sniffed from LG UP on any UFS device.
This only allows you to READ. If you want to write -- good luck. All new versions of lafd have been patched to prevent writing without a SIGN payload. However, it is still possible to get a root shell with toybox IF you can find a version of lafd that has the bug AND will run on your device.
EDIT: actually if you are just looking to wipe the partition, the ERSE opcode works once you properly open the block device. I am looking for my sniffs, because I have the OPEN payloads for all the block devices, so I can give you the one for sdg.
EDIT2: updated the post to indicate that this payload is for /dev/block/sde and NOT /dev/block/sda
-- Brian
The OPEN payload for sdg.
open_cmd = lglaf.make_request(b'OPEN', body=b'\x2f\x64\x65\x76\x2f\x62\x6c\x6f\x63\x6b\x2f\x73\x64\x67\x00\x06\xf5\x0f\x00\x00\x20\x90\x9d\x06\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x20\x90\x9d\x06\x00\x00\x00\x00\xdd\x60\x1a\x10\x48\x52\x9f\x06\xd8\x4f\x9d\x06\x04\x00\x00\x00\x00\x00\x00\x00\x58\x52\x9f\x06\x00\x00\x00\x00\x0c\x00\x04\x00\x0a\x00\x00\x00\x60\xea\xff\x03\xeb\x27\x00\x10\xdc\xea\xff\x03\x20\x90\x9d\x06\x64\xea\xff\x03\x41\x76\x1a\x10\x00\x00\x61\x06\x00\x00\x00\x00\x20\x90\x9d\x06\xc0\xea\xff\x03\xbe\xe4\x09\x10\x20\x90\x9d\x06\xb6\xd9\xee\xd8\x66\x00\x00\x00\xbc\x52\xa7\x06\xdb\xe4\x09\x10\x20\x90\x9d\x06\x20\xa0\x9d\x06\x20\xa0\x9d\x06\x00\x00\x00\x00\xdc\xea\xff\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xb6\xd9\xee\xd8\xfc\xea\xff\x03\xf0\x9a\x1d\x10\x66\x00\x00\x00\x10\x00\x00\x00\x08\xeb\xff\x03\x7b\x8c\x03\x10\xdc\xea\xff\x03\xbc\x21\x1f\x10\x7e\xd8\xee\xd8\xba\x8c\x03\x10\x50\x72\x69\x6d\x61\x72\x79\x47\x50\x54\x00\x03\x9c\xec\xff\x03\x02\x00\x02\x00\xb6\x81\x00\x00\x00\x00\xb6\x01\x00\x00\x00\x00\x00\x00\x00\x00\0')
-- Brian
After modifying partitions.py to the above code, I ran:
python3 lglaf.py --debug --cr -c '!OPEN '
LGLAF.py: DEBUG: product id in CR list: >G4<
LGLAF.py: DEBUG: Device is: 633a, G4. Enabling Challenge/Response!
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Using Protocol version: 0x1
LGLAF.py: DEBUG: CR detection: 1
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Challenge: b'2b657b15'
LGLAF.py: DEBUG: Response: b'2b66cad5a8f8f3ffdce7854dc1d36f2f'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
LGLAF.py: DEBUG: Header: b'OPEN' b'J\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\xa7\xf6\0\0' b'\xb0\xaf\xba\xb1'
I'm not sure what happened. Or if I did it properly? python3 partitions.py --list still doesn't work even though I believe I opened it. Let me check dmesg.
DMESG:
------------------A_N-END.
<6>[ 3659.660307 / 08-07 17:06:42.419][5] AWAKE: effective vote is now 0 voted by POLLING_LOGGER_VOTER,1
<12>[ 3660.098794 / 08-07 17:06:42.849][1] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000013
<12>[ 3660.098957 / 08-07 17:06:42.849][1] [LAF] not allow to use old dll for security.
<12>[ 3660.111920 / 08-07 17:06:42.869][1] [LAF] default access list.
<12>[ 3660.112065 / 08-07 17:06:42.869][1] [LAF] use write protection for /dev/block/sda
<12>[ 3660.112199 / 08-07 17:06:42.869][1] [LAF] Not protected partition!!! /dev/block/sda
<12>[ 3660.112355 / 08-07 17:06:42.869][1] [LAF] success to open the flash driver, dev = /dev/block/sda, fd = 75
<12>[ 3663.726656 / 08-07 17:06:46.489][0] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000013
<12>[ 3663.726824 / 08-07 17:06:46.489][0] [LAF] not allow to use old dll for security.
<12>[ 3665.554221 / 08-07 17:06:48.309][1] [LAF] dmesg!!
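The KILO METR response header printed in the debug output above can be split into its fields, which also shows why the last four bytes of every header look like noise: they are the bitwise inverse of the command. This is an added example, not part of the thread or of lglaf; `parse_laf_header` is a hypothetical helper, and the field layout is assumed from the protocol.md linked earlier in the thread.

```python
import struct

# The 32-byte "KILO METR" response header from the debug output quoted above,
# split into DWORDs for readability (bytes.fromhex ignores the spaces).
KILO_METR = bytes.fromhex(
    "4b494c4f 4d455452 00000000 02000000 00000000 00000000 2f5d0000 b4b6b3b0")

# Assumed layout (from protocol.md): eight little-endian DWORDs, namely
# command, arg1..arg4, body length, CRC-16, bitwise inverse of the command.
HEADER = struct.Struct("<4s4s3III4s")


def parse_laf_header(raw):
    """Decode one LAF header and check its command/inverse pair (hypothetical helper)."""
    if len(raw) != HEADER.size:
        raise ValueError("expected %d header bytes, got %d" % (HEADER.size, len(raw)))
    cmd, arg1, arg2, arg3, arg4, body_len, crc, inv = HEADER.unpack(raw)
    return {
        "command": cmd.decode("ascii", "replace"),
        "arg1": int.from_bytes(arg1, "little"),
        # arg1 may carry a four-character sub-command such as METR
        "arg1_text": arg1.decode("ascii") if arg1.isalpha() else None,
        "args": (arg2, arg3, arg4),
        "body_len": body_len,
        "crc16": crc,  # extracted only; the checksum is not recomputed here
        "inverse_ok": inv == bytes(b ^ 0xFF for b in cmd),
    }


if __name__ == "__main__":
    for name, value in parse_laf_header(KILO_METR).items():
        print(name, value)
```
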
Are you sure that you're on the UFS branch of my fork?
pretty sure, partitions.py was already at 4096 and gpt.py needed to be changed to 4096
@P3nguin-M
yea I saw the same for the V40 right now! They changed something in the proto / firmware again
<12>[ 67.387844 / 01-22 15:59:39.309][0] [LAF] default access list.
<12>[ 67.387862 / 01-22 15:59:39.309][0] [LAF] use write protection for /dev/block/sda
<12>[ 67.387876 / 01-22 15:59:39.309][0] [LAF] Not protected partition!!! /dev/block/sda
<12>[ 67.387908 / 01-22 15:59:39.309][0] [LAF] success to open the flash driver, dev = /dev/block/sda, fd = 68
<12>[ 67.388985 / 01-22 15:59:39.309][0] [LAF] not certificated. (0x3000) is not allow to read(count : 12288).
<12>[ 67.389000 / 01-22 15:59:39.309][0] [LAF] laf_message.command = 0x44414552(READ)
<12>[ 67.389013 / 01-22 15:59:39.309][0] [LAF] laf_message.arg0 = 0x44
<12>[ 100.924024 / 01-22 16:00:12.849][0] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000017
<12>[ 100.924042 / 01-22 16:00:12.849][0] [LAF] not allow to use old dll for security.
<12>[ 101.010232 / 01-22 16:00:12.929][1] [LAF] Not protected partition!!! /dev/block/sda
<12>[ 101.010271 / 01-22 16:00:12.929][1] [LAF] success to open the flash driver, dev = /dev/block/sda, fd = 68
<12>[ 101.011405 / 01-22 16:00:12.929][1] [LAF] not certificated. (0x3000) is not allow to read(count : 12288).
<12>[ 101.011422 / 01-22 16:00:12.929][1] [LAF] laf_message.command = 0x44414552(READ)
<12>[ 101.011435 / 01-22 16:00:12.929][1] [LAF] laf_message.arg0 = 0x44
<12>[ 101.011446 / 01-22 16:00:12.929][1] [LAF] laf_message.arg1 = 0x3
<12>[ 101.011458 / 01-22 16:00:12.929][1] [LAF] laf_message.arg_opt0 = 0x3000
<12>[ 101.011471 / 01-22 16:00:12.929][1] [LAF] laf_message.arg_opt1 = 0x0
<12>[ 129.644520 / 01-22 16:00:41.569][1] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000017
<12>[ 129.644536 / 01-22 16:00:41.569][1] [LAF] not allow to use old dll for security.
That happens when the READ (!!) command has been sent without (guessing here) a proper ioctl or similar before. Maybe the "not certificated" message is also a / the reason. I'm trying to get a USB dump from flashing, but atm I am lost for those devices. If you have such a USB dump, lemme know.
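The [LAF] kernel messages quoted in this thread follow a small number of fixed patterns, so they can be triaged mechanically when comparing devices or firmware versions. This is an added example, not part of the thread or of lglaf; `triage` and `fourcc` are hypothetical helpers, and the patterns are taken only from the log lines shown on this page.

```python
import re
import struct

# Four lines copied from the dmesg excerpt quoted above.
SAMPLE = """\
<12>[ 100.924024 / 01-22 16:00:12.849][0] [LAF] protocol version mismatch. rcv = 1000001, dev = 1000017
<12>[ 101.010271 / 01-22 16:00:12.929][1] [LAF] success to open the flash driver, dev = /dev/block/sda, fd = 68
<12>[ 101.011405 / 01-22 16:00:12.929][1] [LAF] not certificated. (0x3000) is not allow to read(count : 12288).
<12>[ 101.011422 / 01-22 16:00:12.929][1] [LAF] laf_message.command = 0x44414552(READ)
"""

LINE = re.compile(r"\[\s*(?P<ts>\d+\.\d+) /[^\]]*\]\[\d+\] \[LAF\] (?P<msg>.*)")
RULES = [
    ("version_mismatch", re.compile(r"protocol version mismatch\. rcv = (\w+), dev = (\w+)")),
    ("device_opened", re.compile(r"success to open the flash driver, dev = ([^,\s]+), fd = (\d+)")),
    ("read_denied", re.compile(r"not certificated\. \((0x[0-9a-fA-F]+)\) is not allow to read\(count : (\d+)\)")),
    ("command", re.compile(r"laf_message\.command = (0x[0-9a-fA-F]+)\((\w+)\)")),
]


def fourcc(value):
    """Render a 32-bit command value as the four ASCII bytes it holds in little-endian order."""
    return struct.pack("<I", value).decode("ascii", "replace")


def triage(text):
    """Return (timestamp, kind, fields) for each recognised [LAF] line."""
    events = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        for kind, rx in RULES:
            hit = rx.search(m.group("msg"))
            if not hit:
                continue
            fields = list(hit.groups())
            if kind == "command":        # does the hex value spell the printed name?
                fields.append(fourcc(int(fields[0], 16)) == fields[1])
            elif kind == "read_denied":  # hex size and decimal count should agree
                fields.append(int(fields[0], 16) == int(fields[1]))
            events.append((float(m.group("ts")), kind, fields))
            break
    return events


if __name__ == "__main__":
    for ts, kind, fields in triage(SAMPLE):
        print("%10.3f  %-16s %s" % (ts, kind, fields))
```
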