Creating physical dumps and unlocking Android LG phones

A question that comes up from time to time at forensic conferences and on Internet sites is: “Is it possible to create a complete copy of the memory of a mobile device without superuser privileges (i.e. a full copy of the memory of a “non-rooted” mobile device)?” Yes, it is possible. Hardware methods can be used to create a complete copy of the memory of such a device: connecting to the device through its testing and debugging interface (JTAG), or reading the data directly from the memory chip (the “chip-off” method). Software methods also exist. They typically exploit various vulnerabilities in the system software and allow data to be extracted from a mobile device without root privileges. This is possible for modern LG devices and a number of other devices, for example devices built on MediaTek (“MTK”) processors. In this article we discuss how to make a complete copy of the memory of an LG mobile device without superuser rights, and a number of other features of an examiner’s work with LG mobile devices.

LG has developed a technology that greatly simplifies replacement of the system firmware on a device. This technology is called “LAF” (LG Advanced Flash). LAF was initially developed for LG service centers. In particular, it made it possible to restore LG mobile devices that do not turn on and do not react to attempts to turn them on (mobile devices often end up in this state after attempts to elevate user privileges in the operating system, or after errors during a system software update performed by unqualified users). However, a large number of utilities that use this technology to flash modified system software onto LG mobile devices quickly appeared outside the specialized service centers.

LAF protocol

The LAF documentation is the property of LG and has not been published openly. However, enthusiasts have reverse-engineered the proprietary files “Send_Command.exe” and “LGD855_20140526_LGFLASHv160.dll” and documented the following [1]:

LAF is a simple request/response protocol that works over the USB interface. Each message consists of a header followed by a body. The header consists of 32-bit words; integers are encoded in little-endian byte order.

Structure of the message

Offset (hex)  Offset (dec)  Type      Description
0x00          0             variable  Command
0x04          4             variable  Argument 1
0x08          8             variable  Argument 2
0x0c          12            variable  Argument 3
0x10          16            variable  Argument 4
0x14          20            integer   Message length
0x18          24            integer   Checksum (CRC-16)
0x1c          28            variable  Bitwise inversion of the command at offset 0

LAF instructions

List of identified instructions:

Command  Description
OPEN     Open a file.
CLSE     Close a file.
HELO     Hello. Sends the version of the communication protocol.
CTRL     Control. Depending on the argument, reboots or powers off the device.
WRTE     Write. Depending on the argument, writes to a file descriptor, writes a data block (a multiple of 512 bytes), or writes a block of a given length at the specified offset.
READ     Read. Depending on the argument, reads from a file descriptor, reads a data block (a multiple of 512 bytes), reads a block of a given length, or reads a block of a given length from the specified offset.
ERSE     Erase. Depending on the argument, erases a file descriptor, erases a data block (a multiple of 512 bytes), or erases a block of a given length from the specified offset.
EXEC     Execute a command.
INFO     Request or set properties (depending on the argument).
UNLK     Delete a file.
RSVD     Reserved.
IOCT     Purpose not determined.
MISC     Purpose not determined.
KILO     Purpose not determined.
DIFF     Purpose not determined.

USB layer

The LG USB driver installs two virtual serial ports: LGANDNETMDM0 and LGANDNETDIAG1. The LGANDNETDIAG1 port is used for LAF.
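As an added illustration of the header layout and command table above (example code written for this article, not code from the lglaf project or from LG’s tools), here is a small Python builder and parser for a LAF message. The page does not state which CRC-16 variant is used or which bytes the checksum covers; the example assumes CRC-16/X-25 (reflected polynomial 0x8408, initial value 0xFFFF, final XOR 0xFFFF) computed over the header with the CRC word zeroed, followed by the body. The sample messages are constructed. For an examiner’s tooling the useful point is the validation order: check the inverted command word, the declared length and the checksum before trusting anything a device sends back.

```python
import struct

# Header layout from the "Structure of the message" table: eight 32-bit
# little-endian words, 0x20 bytes in total.
HEADER_LEN = 0x20
OFF_CRC, OFF_INV_COMMAND = 0x18, 0x1C
HEADER_FMT = "<4s4III4s"  # command, arg1..arg4, message length, crc, inverted command

# Command mnemonics from the "LAF instructions" table.
KNOWN_COMMANDS = {b"OPEN", b"CLSE", b"HELO", b"CTRL", b"WRTE", b"READ", b"ERSE",
                  b"EXEC", b"INFO", b"UNLK", b"RSVD", b"IOCT", b"MISC", b"KILO", b"DIFF"}


def crc16(data: bytes) -> int:
    """CRC-16 of data. Assumption for this example: CRC-16/X-25 (reflected
    CCITT polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF); the page only
    says "CRC-16"."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def invert(command: bytes) -> bytes:
    """Bitwise inversion of the 4-byte command, stored at offset 0x1C."""
    return bytes(b ^ 0xFF for b in command)


def build_message(command: bytes, args=(), body: bytes = b"") -> bytes:
    """Serialize a LAF message. Assumption: the CRC covers the header with the
    CRC word set to zero, followed by the body."""
    if len(command) != 4:
        raise ValueError("command must be exactly 4 bytes")
    if len(args) > 4:
        raise ValueError("at most four arguments")
    args = tuple(args) + (0,) * (4 - len(args))
    header = struct.pack(HEADER_FMT, command, *args, len(body), 0, invert(command))
    crc = crc16(header + body)
    header = header[:OFF_CRC] + struct.pack("<I", crc) + header[OFF_INV_COMMAND:]
    return header + body


def parse_message(data: bytes) -> dict:
    """Parse and validate one LAF message; raises ValueError on any inconsistency."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    command, a1, a2, a3, a4, length, crc, inv = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if inv != invert(command):
        raise ValueError("inverted command at 0x1C does not match command at 0x00")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError(f"body truncated: expected {length} bytes, got {len(body)}")
    zeroed = data[:OFF_CRC] + b"\x00\x00\x00\x00" + data[OFF_INV_COMMAND:HEADER_LEN]
    if crc16(zeroed + body) != crc:
        raise ValueError("CRC mismatch")
    return {"command": command.decode("ascii", "replace"),
            "known": command in KNOWN_COMMANDS,
            "args": (a1, a2, a3, a4), "body": body}


def is_valid(data: bytes) -> bool:
    """True if the message passes all header and checksum checks."""
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a HELO request carrying a protocol version of 1 in argument 1.
    msg = build_message(b"HELO", (1,))
    print(msg[:HEADER_LEN].hex())
    print(parse_message(msg))
```

Running the block prints the 32-byte header of the constructed HELO message; note that the last four bytes are the bitwise inverse of the ASCII command, which is the cheapest sanity check a parser can apply before it touches the length or checksum fields.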

Download Mode

The main conditions for successfully creating a complete copy of the memory of an LG mobile device and switching the device into Download Mode are:

1) Installing the latest LG mobile device driver.

2) Following the instructions for switching the device into Download Mode.

Fig. 1. Instructions for switching an LG mobile device into Download Mode, as shown in “Oxygen Forensic Suite”

An alternative instruction for switching an LG mobile device into Download Mode is published on the site “LG Download Mode utility and documentation” [1]:

  1. Turn off the mobile device.
  2. Connect the mobile device to the computer using the USB cable.
  3. Press and hold the volume up key.
  4. Click on the “Start” (“Power”) button.
  5. Wait for the mobile device to display the message “Download mode”.
  6. Release the volume up key. The message “Firmware Update” should appear on the screen of the mobile device.

Fig. 2. The LG phone screen after switching into “Firmware Update” mode.

Creating a physical dump

To create a full copy of the memory of an LG mobile device, run the Data Extraction Wizard and select the option “LG Android dump”:

Fig. 3. The main window of the Data Extraction Wizard

Then follow the instructions in the “Download Mode” section of this article.

After that, click the “Next” button. After a short time you will see that the device is connected to the Data Extraction Wizard, and you can proceed directly to creating a full copy of the mobile device’s memory.

Fig. 4. The Data Extraction Wizard window with a connected LG mobile device

Fig. 5. The process of creating a full copy of the mobile device’s memory

Disabling screen lock

You can disable the screen lock for LG mobile devices. It does not matter which type of lock is set by the device owner: PIN, pattern, or fingerprint access.

To perform this operation, select the option “Unlock the screen lock” in the main window of the Data Extraction Wizard.

Fig. 6. The item “Unlocking the screen”

Then follow the instructions of the Data Extraction Wizard.

Fig. 7. Instructions for the Data Extraction Wizard that are required to unlock the phone screen

When the program runs, it sends the ‘unlock device’ command to the LG phone, after which the phone is unlocked. No other data in the system partition of the mobile device is changed.

Peculiarities of working with devices running Android 6

When examining mobile devices running the Android operating system version 6, the expert may encounter the following problems:

  1. Encryption of the user data partition (“userdata”). Although this option is disabled by default, devices with an encrypted “userdata” partition are increasingly common in mobile device examinations. Approaches to decrypting such partitions will be considered in a separate article.
  2. Data storage in the cloud. Mobile devices running Android 6 can save application data not in the phone’s memory but in the cloud [2]. The extraction of user data from such a device may therefore fail simply because the data was never stored on the device. In this situation you can use the functionality of the “Mobile forensics” program, which allows you to recover user names and passwords for cloud storage (or to find cloud storage tokens on the device) and to access the device data stored in the cloud.

Conclusion

Obtaining a full copy of the mobile device’s memory and gaining access to the data on a locked mobile device are important steps in obtaining meaningful information when investigating cases. This article explored how to get a full copy of an LG mobile device’s memory without superuser privileges and how to access the data on a locked LG mobile device regardless of the type of lock set by the device owner. Features of working with mobile devices running Android 6 have also been considered.

Sources:

  1. LG Download Mode utility and documentation https://github.com/Lekensteyn/lglaf
  2. Auto Backup for Apps https://developer.android.com/guide/topics/data/autobackup.html

Authors:

Igor Mikhaylov & Oleg Skulkin