Lekensteyn / lglaf

LG Download Mode utility and documentation
https://lekensteyn.nl/lglaf/
MIT License

Dump file compatibility, read GPT from block device, py3 compatible KILO challenge/response #27

Closed tuxuser closed 6 years ago

tuxuser commented 6 years ago

Both changes target compatibility with more recent devices and are more reliable than parsing shell cmd output.

UPDATE: Adding py3 compatible KILO challenge/response via --cr switch:

Added mode argument to specify on function call, mode 2 is currently used afaik.

Made the key switchable via field _USE_MFGKEY - Normally we use the production key so there is no need to expose this switch on cmdline.

PS: I did not go for the mentioned struct pack/unpack changes on purpose, it decreases readability imho.

Credits to:

@joeblowma => Initial reverse engineering - most difficult part, easy for joeblowma tho ;)

@snoremaster3000 => Porting the C code to python

@steadfasterX => Pushing the code along to this repo

dump_file: Rather than using "stat -t" for enumerating the size of a file, use "ls -l". After removing the multiple whitespaces aka. tabs it gives the filesize in its 3rd column.

partitions / extract_partitions: Instead of reading partition info by parsing shell output, GPT is read directly from mmcblk0 block device (LBA length: 34). For parsing the GPT a library from @jrd is used (jrd's Github Repo, also MIT licensed). I removed the call to ioctl for local disk as we are working with a remote device. The library is also utilized for pretty-printing. Further, the parameter "partition" in partitions.py is set to type "int" to use it more safely, without additional conversion.

Fixes issues:

#9 partitions.py --list gives "AssertionError: Expected arrow in ls output"

#24 LG Q6: additional limitations from LG? (Point 1 and 3)

#26 offset partition download

Obsolete Pull Requests:

#12 added challenge response algo

#19 add challenge/response

#22 fix: Expected arrow in ls output
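
The GPT read described under "partitions / extract_partitions" above, as an added example that is not code from this PR or from the GPT library it uses: it parses the first 34 LBAs of a disk, verifies both GPT CRC32 values before trusting any entry, and converts a partition's LBAs into a byte offset and length. The names parse_gpt, byte_extent and build_sample are hypothetical, 512-byte sectors are assumed, and the sample image is constructed from the recovery entry shown in the debug log further down.

```python
import struct, uuid, zlib

SECTOR = 512    # assumption: 512-byte logical sectors, as the logged offsets imply

def parse_gpt(blob):
    """Return {name: (first_lba, last_lba)} from the first 34 LBAs of a disk."""
    if len(blob) < 34 * SECTOR:  # protective MBR + GPT header + 32 entry sectors
        raise ValueError("need the first 34 LBAs")
    hdr = blob[SECTOR:2 * SECTOR]
    sig, _rev, hdr_size, hdr_crc = struct.unpack_from("<8sIII", hdr, 0)
    if sig != b"EFI PART" or not 92 <= hdr_size <= SECTOR:
        raise ValueError("no GPT header at LBA 1")
    # The header CRC32 is computed with its own CRC field set to zero.
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, count, entry_size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    end = start + count * entry_size
    if entry_size < 128 or end > len(blob):
        raise ValueError("entry array does not fit in the buffer")
    if zlib.crc32(blob[start:end]) != entries_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = {}
    for off in range(start, end, entry_size):
        entry = blob[off:off + 128]
        if entry[:16] == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        parts[entry[56:128].decode("utf-16-le").split("\0")[0]] = (first, last)
    return parts

def byte_extent(first_lba, last_lba):
    """Byte offset and length of a partition; the GPT last LBA is inclusive."""
    return first_lba * SECTOR, (last_lba - first_lba + 1) * SECTOR

def build_sample():
    """Constructed 34-LBA image with one 'recovery' entry (values from the log)."""
    entry = (uuid.UUID("9D72D4E4-9958-42DA-AC26-BEA7A90B0434").bytes_le
             + uuid.UUID("FF67A2D4-A7F1-2089-0C1F-96D838622AD1").bytes_le
             + struct.pack("<QQQ", 606208, 671743, 0)
             + "recovery".encode("utf-16-le").ljust(72, b"\0"))
    entries = entry.ljust(128 * 128, b"\0")
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0,
                      1, 0, 34, 0, bytes(16), 2, 128, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return bytes(SECTOR) + hdr.ljust(SECTOR, b"\0") + entries

if __name__ == "__main__":
    print(byte_extent(*parse_gpt(build_sample())["recovery"]))
```

The offset this yields matches the 310378496 in the debug log below; the logged length, 33553920, equals (To - From) x 512, which is 512 bytes less than the inclusive range computed here.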

aenglebert commented 6 years ago

Thank you for this PR. For PR #24 LG Q6: additional limitations from LG?, it fixes point 1 but only partially point 3. With this PR I can now list the partitions and dump without the dirty hack of using preregistered information about partitions. There is still an error when listing partitions and dumping a partition but that's working. However, writing to a partition is still broken. For dumping (file test.img is correctly written):

python partitions.py --debug --dump recovery.img recovery 
2017-11-25 17:35:37,661 LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
2017-11-25 17:35:38,212 partitions: DEBUG: #   Flags From(#s)   To(#s)     GUID/UID                             Type/Name
49    0   606208     671743     9D72D4E4-9958-42DA-AC26-BEA7A90B0434 Unknown
                                FF67A2D4-A7F1-2089-0C1F-96D838622AD1 recovery
2017-11-25 17:35:38,212 partitions: DEBUG: Opened fd 46 for disk
2017-11-25 17:35:38,213 partitions: DEBUG: Will read 33553920 bytes at disk offset 310378496
2017-11-25 17:35:40,867 partitions: INFO: Wrote 33553920 bytes to recovery.img
Traceback (most recent call last):
  File "partitions.py", line 279, in <module>
    main()
  File "partitions.py", line 275, in main
    wipe_partition(comm, disk_fd, part_offset, part_size)
  File "/usr/lib/python3.6/contextlib.py", line 88, in __exit__
    next(self.gen)
  File "partitions.py", line 67, in laf_open_disk
    comm.call(close_cmd)
  File "/home/alex/lglaf2/lglaf.py", line 249, in call
    raise RuntimeError('Command failed with error code %#x (%s)' % (errCode, msg))
RuntimeError: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)

For writing (nothing is changed on the disk):

python partitions.py --debug --restore custom.img recovery        
2017-11-25 17:37:15,241 LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
2017-11-25 17:37:15,793 partitions: DEBUG: #   Flags From(#s)   To(#s)     GUID/UID                             Type/Name
49    0   606208     671743     9D72D4E4-9958-42DA-AC26-BEA7A90B0434 Unknown
                                FF67A2D4-A7F1-2089-0C1F-96D838622AD1 recovery
2017-11-25 17:37:15,793 partitions: DEBUG: Opened fd 47 for disk
2017-11-25 17:37:15,794 partitions: DEBUG: Will write 22439936 bytes
2017-11-25 17:37:59,063 partitions: INFO: Done after writing 22439936 bytes from custom.img
Traceback (most recent call last):
  File "partitions.py", line 279, in <module>
    main()
  File "partitions.py", line 275, in main
    wipe_partition(comm, disk_fd, part_offset, part_size)
  File "/usr/lib/python3.6/contextlib.py", line 88, in __exit__
    next(self.gen)
  File "partitions.py", line 67, in laf_open_disk
    comm.call(close_cmd)
  File "/home/alex/lglaf2/lglaf.py", line 249, in call
    raise RuntimeError('Command failed with error code %#x (%s)' % (errCode, msg))
RuntimeError: Command failed with error code 0x8000010a (LAF_ERROR_ACCESS_DENIED)

In each case I did a lglaf.py --cr before to initiate a KILO challenge/response but that seems to only allow commands but nothing changed for partitions. But it's still a really good step, thank you!

tuxuser commented 6 years ago

Requested changes pushed

tuxuser commented 6 years ago

Done

Lekensteyn commented 6 years ago

Looks good, can you rebase and squash some fixup commits and acknowledge the authors (e.g. those from #19) in the commit message?

tuxuser commented 6 years ago

Done ;)

anarcat commented 6 years ago

this still doesn't succeed in giving a working shell on the LG G3 D852 - I reported this in #31.