Lekensteyn / lglaf

LG Download Mode utility and documentation
https://lekensteyn.nl/lglaf/
MIT License

"nice to meet you" on LG G3 D852 #31

Closed anarcat closed 6 years ago

anarcat commented 6 years ago

With latest master, I still can't run any commands in recovery mode on this LG G3 D852 phone (after adding USB rules as per #30). I was hoping that #27 would help - and it does get further than before, but it still fails with a friendly error message.

Here's a debug trace:

$ sudo python3 lglaf.py --cr --debug
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Doing KILO challenge response
LGLAF.py: DEBUG: Challenge: b'f29ae130'
LGLAF.py: DEBUG: Response: b'2f47ca81ebeee6f414263c0542c8d132'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py by Peter Wu (https://lekensteyn.nl/lglaf)
Type a shell command to execute or "exit" to leave.
# uname -a
Hello, I am LAF. Nice to meet you.# 

Not sure what that message means... anything I can do to help diagnostics here?

joeblowma commented 6 years ago

"Hello, I am LAF. Nice to meet you." is the standard response when the command isn't in the list of supported commands. The EXEC shell is severely limited on these newer laf binaries, likely due to it being a path to root previously.

The obvious supported commands in the binary I'm looking at are: dmesg, umount, fota, gota, ls, mkdir, getenforce, ps, grep. There may be others, but these are the ones that are checked directly by stricmp (or similar)... it almost looks like some commands can be preceded by an 'S' and it goes off on a syscall, but I didn't go any deeper than that.

I did come across a vague mention of being able to get out of this little EXEC jail but as I can't unlock my bootloader (fastboot is literally stripped from my bootloader) I hit the end of my patience for LG entirely. They lost a customer in me at this point.

anarcat commented 6 years ago

Yeah, so that's exactly what I figured here: they locked down the commands so you can't actually run anything. I'm not sure what I can actually do with this here - I was also hoping to root this device to make it useful again. As it is now it's full of spyware and thoroughly contaminated by a number of apps that can't be uninstalled because they were provided by the previous carrier.

The neighborhood shady cell phone repair shop told me they could root it for $20, so maybe I'll just go and do this instead. ;)

Thanks for the support, and yes, clearly, LG is not going to get any love from me in the future, considering the amount of time I wasted on this crap. The gory details are here.

So probably not this program's fault, closing... :(

Lekensteyn commented 6 years ago

@anarcat do commands like ls work for you? If you have grep, you could read text files with grep ^ /proc/cpuinfo for example (assuming that SELinux is not locking down things too much).

anarcat commented 6 years ago

On 2017-11-28 23:43:48, Peter Wu wrote:

@anarcat do commands like ls work for you? If you have grep, you could read text files with grep ^ /proc/cpuinfo for example (assuming that SELinux is not locking down things too much).

grep, ls, nothing works at all.

joeblowma commented 6 years ago

Sounds like pull #28 is relevant?

anarcat commented 6 years ago

Definitely - I confirm that --rawshell fixes the issue and I can run commands again - woot!

anarcat commented 6 years ago

Well, I can run some commands - but most commands are denied by the LAF. Not sure I can go much further, unfortunately - as long as I can't run shell commands... I'm still stuck and they win. :/

More precisely, I can't seem to install anything that would give me root out there. I can't write files, I can't use the mount command, ... the sh command is out there (e.g. in /system/bin) and I can see it with ls, but I can't run it.

Of the commands you mentioned, the following work: ps, ls, mkdir (but does nothing), gota (same), fota (same), getenforce (says "Enforcing"). Any other commands I can think of give the "Hello" message. I have tried using absolute paths to commands as well, and the S prefix (e.g. Ssh also fails).

Btw, I can trigger a traceback when I mess around with the -c arguments:

$ python3 lglaf.py --debug --rawshell --cr -c '!S sh'
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Doing KILO challenge response
LGLAF.py: DEBUG: Challenge: b'447d547a'
LGLAF.py: DEBUG: Response: b'9520395ef5261583d7a27fcb1f620fa8'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'S'
Traceback (most recent call last):
  File "lglaf.py", line 491, in main
    payload = command_to_payload(command, args.rawshell)
  File "lglaf.py", line 451, in command_to_payload
    return make_request(command, args, body)
  File "lglaf.py", line 166, in make_request
    set_header(0, cmd)
  File "lglaf.py", line 163, in set_header
    (type(val).__name__, val)
AssertionError: Header field requires a DWORD, got bytes b'S'

Maybe a better example, trying something that's in the README:

  File "lglaf.py", line 163, in set_header
    (type(val).__name__, val)
AssertionError: Header field requires a DWORD, got bytes b'id\x00'
[1083]anarcat@curie:lglaf$ python3 lglaf.py --debug --skip-hello --cr -c '!EXEC id\0'
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Doing KILO challenge response
LGLAF.py: DEBUG: Challenge: b'955e5f61'
LGLAF.py: DEBUG: Response: b'c7b6fce0d987582aa04090029cf73bd2'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'id\x00'
Traceback (most recent call last):
  File "lglaf.py", line 491, in main
    payload = command_to_payload(command, args.rawshell)
  File "lglaf.py", line 451, in command_to_payload
    return make_request(command, args, body)
  File "lglaf.py", line 169, in make_request
    set_header(4 * (i + 1), arg)
  File "lglaf.py", line 163, in set_header
    (type(val).__name__, val)
AssertionError: Header field requires a DWORD, got bytes b'id\x00'
[1084]anarcat@curie:lglaf$ python3 lglaf.py --debug --skip-hello  -c '!EXEC id\0'
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: WARNING: Header field requires a DWORD, got bytes b'id\x00'
Traceback (most recent call last):
  File "lglaf.py", line 491, in main
    payload = command_to_payload(command, args.rawshell)
  File "lglaf.py", line 451, in command_to_payload
    return make_request(command, args, body)
  File "lglaf.py", line 169, in make_request
    set_header(4 * (i + 1), arg)
  File "lglaf.py", line 163, in set_header
    (type(val).__name__, val)
AssertionError: Header field requires a DWORD, got bytes b'id\x00'

Is that normal?

anarcat commented 6 years ago

I can run -c '!CTRL RSET' though. :)

Lekensteyn commented 6 years ago

https://github.com/Lekensteyn/lglaf#advanced-usage

Arguments are comma-separated and must either be four-byte sequences (such as \0\1\2\3) or numbers (such as 0x03020100). If no arguments are given, but a body is needed, keep two spaces between the command and argument.

Are you able to use grep to read any file? (What about '!EXEC grep --help\0'?) Note that the command must exit properly, otherwise the output is never returned (e.g. waiting for stdin does not work; that is another caveat of --rawshell).

anarcat commented 6 years ago

grep fails:

$ python3 lglaf.py --debug  --cr -c '!EXEC grep --help\0'
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Doing KILO challenge response
LGLAF.py: DEBUG: Challenge: b'7eb4580a'
LGLAF.py: DEBUG: Response: b'7d3a3cd9a0e2f840a35c73a30fe5bdee'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Header: b'EXEC' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'\0\0\0\0' b'#\0\0\0' b',\xf5\0\0' b'\xba\xa7\xba\xbc'
Hello, I am LAF. Nice to meet you.

id also fails similarly, even with two spaces (completely missed that part ;).
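The two traces above show the shape of a LAF packet: the "Header field requires a DWORD" assertion fires because every header argument must be exactly four bytes (the README's \0\1\2\3 or 0x03020100 forms), and the debug line "Header: b'EXEC' ..." prints the eight four-byte fields of the 32-byte header, ending in the bitwise inverse of the command name. The following is an added example, not code from the lglaf project: it decodes the two headers quoted in this thread (the KILO METR response and the EXEC request, re-typed here as constructed byte strings), checks the inverted-command mirror, and shows which argument values pass or fail the DWORD rule. The field offsets are taken from the debug output; the CRC-16 field is read out but not recomputed, since that would require the project's own CRC routine.

```python
import struct

HEADER_LEN = 0x20  # every LAF packet starts with a 32-byte header

# Constructed from the debug output quoted in this thread: the hex dump of the
# "KILO METR" hello response header and the EXEC request header.
KILO_METR_HEADER = bytes.fromhex(
    "4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0")
EXEC_HEADER = (b"EXEC" + b"\0" * 16 + b"#\0\0\0" + b",\xf5\0\0"
               + b"\xba\xa7\xba\xbc")


def is_dword(val):
    """True if val can fill a header field: a 32-bit unsigned int or 4 bytes."""
    if isinstance(val, int):
        return 0 <= val <= 0xFFFFFFFF
    return isinstance(val, (bytes, bytearray)) and len(val) == 4


def to_dword(val):
    """Pack an argument into the 4-byte little-endian form a header field needs.

    0x03020100 and b'\\0\\1\\2\\3' map to the same four bytes; anything else
    (b'S', b'id\\0') is rejected, which is the condition behind the
    "Header field requires a DWORD" assertion in the tracebacks above.
    """
    if not is_dword(val):
        raise ValueError("header field requires a DWORD, got %s %r"
                         % (type(val).__name__, val))
    if isinstance(val, int):
        return struct.pack("<I", val)
    return bytes(val)


def invert_dword(dword):
    """Bitwise NOT of a 4-byte field; LAF mirrors ~command at offset 0x1c."""
    return bytes(b ^ 0xFF for b in dword)


def parse_laf_header(header):
    """Split a 32-byte LAF header into fields and verify the ~command mirror.

    Layout (little-endian, as seen in the debug dump): command at 0x00, four
    argument DWORDs at 0x04..0x13, body length at 0x14, CRC-16 at 0x18 and
    the inverted command at 0x1c. The CRC is returned, not recomputed.
    """
    if len(header) != HEADER_LEN:
        raise ValueError("LAF header must be %d bytes, got %d"
                         % (HEADER_LEN, len(header)))
    cmd = bytes(header[0:4])
    args = [struct.unpack_from("<I", header, 4 * (i + 1))[0]
            for i in range(4)]
    body_len, crc16_field = struct.unpack_from("<II", header, 0x14)
    mirror = bytes(header[0x1C:0x20])
    if mirror != invert_dword(cmd):
        raise ValueError("inverted-command check failed for %r" % cmd)
    return {"cmd": cmd.decode("ascii"), "args": args,
            "body_len": body_len, "crc16": crc16_field}


if __name__ == "__main__":
    for name, raw in (("KILO METR", KILO_METR_HEADER), ("EXEC", EXEC_HEADER)):
        f = parse_laf_header(raw)
        print(name, f["cmd"], [hex(a) for a in f["args"]],
              "body_len=%d crc16=0x%04x" % (f["body_len"], f["crc16"]))
    for arg in (0x03020100, b"\0\1\2\3", b"S", b"id\0"):
        try:
            print(repr(arg), "->", to_dword(arg))
        except ValueError as err:
            print(repr(arg), "->", err)
```

Run stand-alone, the script reports the EXEC header as a 35-byte body with CRC 0xf52c and the KILO response as carrying "METR" in its first argument, and it shows that only the two README-style argument forms are accepted; the mirror check is a cheap sanity test for any header captured from the device before trusting its length field.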