Unlocking The Screen of an LG Android Smartphone with AT Modem Commands

by Oleg Davydov, CTO, Oxygen Forensics

Modern smartphones are much more than devices for voice calls. They hold a great deal of personal data: contact lists, communication history, photos, videos, geotags and so on. Most smartphones can also work as a modem.

Almost every modem is Hayes-compatible, which means it supports commands of the AT language developed in 1977 by Hayes. Every model supports a basic set of commands defined by the manufacturer. Sometimes this set is extended and contains very interesting commands.

Let us study the behavior of an LG smartphone. When you connect it to a computer by USB, you get access to the modem automatically (pic. 1). What is peculiar to LG is that the modem is available even if the phone’s screen is locked.



Pic. 1

Thanks to that, we can learn some useful information about the phone using AT commands even if the phone is protected by a password (pic. 2).

Pic. 2

To learn which commands this model supports, we have to examine its firmware. For Android smartphones, for example, we only need to examine the file /system/bin/atd. Pictures 3-5 show some of the AT commands for the LG G3 D855 found in this file.

Pic. 3

Pic. 4

Pic. 5

It is clear that the phone supports most of the basic AT+ command set, which can be used to extract common information about it (pic. 5). Of most interest, however, are the LG proprietary commands (commands of the AT% type). These commands (like AT%IMEIx, AT%SIMID, AT%SIMIMSI, AT%MEID, AT%HWVER, AT%OSCER, AT%GWLANSSID) return basic information about the phone. Hidden among them is a real pearl: the command AT%KEYLOCK (pic. 4). As you might guess, this command allows you to manage the screen lock state. To study this command's behavior we can run a debugger and follow the cross-reference to the code of its handling function. You can see this in pic. 6.

Pic. 6
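The string search behind pics. 3-5, as an added example that is not part of the original article: it pulls AT command names out of a firmware blob, separates the standard AT+ set from the vendor AT% set, and flags names that suggest a state change. The names `extract_at_commands`, `SENSITIVE_HINTS` and `SAMPLE_BLOB` are hypothetical, and the sample bytes are constructed rather than taken from a real atd file.

```python
import re

# "AT" + '+' (standard set) or '%' (LG proprietary) + an upper-case name.
# The lookbehind skips hits inside longer words such as "FORMAT%S".
AT_NAME = re.compile(rb"(?<![A-Za-z0-9])AT([+%])([A-Z][A-Z0-9_]*)")

# Assumption: substrings that suggest a command changes device state rather
# than reads it. KEYLOCK is the only one taken from the article.
SENSITIVE_HINTS = ("KEYLOCK",)

# Constructed sample, NOT bytes from a real atd binary: NUL-separated strings
# surrounded by non-text bytes, the way a string table looks in an ELF file.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x00\x00"
    b"AT+CGMI\x00AT+CGSN\x00\x10\xff"
    b"AT%SIMID\x00AT%HWVER\x00AT%KEYLOCK\x00"
    b"[0]KEYLOCK OFF\x00FORMAT%S\x00AT%KEYLOCK\x00"
)


def extract_at_commands(blob: bytes) -> dict:
    """Group AT command names found in a firmware blob by command family."""
    standard, proprietary = set(), set()
    for prefix, name in AT_NAME.findall(blob):
        command = "AT" + prefix.decode("ascii") + name.decode("ascii")
        (standard if prefix == b"+" else proprietary).add(command)
    # Proprietary commands whose name hints at a state change get a second look.
    flagged = [c for c in sorted(proprietary)
               if any(hint in c for hint in SENSITIVE_HINTS)]
    return {
        "standard": sorted(standard),
        "proprietary": sorted(proprietary),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = extract_at_commands(SAMPLE_BLOB)
    for family in ("standard", "proprietary", "flagged"):
        print(f"{family:12} {', '.join(report[family])}")
```

On a real image the blob would be the bytes of the file under review, and every flagged name still needs the handler analysis the article goes on to describe before anything can be said about what it does.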

When the command AT%KEYLOCK is called, the corresponding function, depending on the argument count, calls either the lge_set_keylock() or the lge_get_keylock() function from the /system/lib/libatd_common.so library. Pic. 7 shows the code of the function lge_set_keylock().

Pic. 7

As you can see from pic. 8, if you pass the value “0” (0x30) to the function lge_set_keylock(), it will eventually call the function that removes the screen lock, whatever method was used to lock it (PIN, password, pattern or fingerprint). It then returns the string “[0]KEYLOCK OFF” (pic. 8).

Pic. 8

It becomes obvious that the command AT%KEYLOCK=0 removes the screen lock without any additional manipulation.

It’s worth mentioning that this command only removes the screen lock without affecting user settings. The command works as described: it writes a zero value (which means unlock) to the special RAM area that stores the value responsible for the screen lock. This means the command does not modify ROM in any way. This behavior is forensically sound because no user data is touched, and after a reboot the smartphone returns to the locked state. The command does not allow the investigator to find the screen lock PIN / pattern / password; it just removes the lock for some time.

To perform this analysis we used an LG G3 D855 (with V20g-SEA-XX firmware). However, the aforementioned AT commands have been proven to work on other LG smartphones as well (LG G4 H812, LG G5 H860, LG V10 H960 etc.). All these models support this approach.

Therefore it’s more than easy to unlock the phone. All you need is an LG Android smartphone that is turned on and connected to a PC by USB. This backdoor was obviously left by LG for its service software but can be used for forensic purposes as well. But bear in mind that criminals can also use this approach.

Oxygen Forensics was founded in 2000 as a PC-to-Mobile Communication software company. This experience has allowed our team of mobile device experts to become unmatched in understanding mobile device communication protocols. With this knowledge, we have built innovative techniques into our Oxygen Forensic® Detective allowing our users to access much more critical information than competing forensic analysis tools. We offer the most advanced forensic data examination tools for mobile devices and cloud services. Our company delivers the universal forensic solution covering the widest range of mobile devices running iOS, Android, Windows Phone, BlackBerry and many others. Oxygen Forensic® products have been successfully used in more than 100 countries across the globe. More info at www.oxygen-forensic.com

14 thoughts on “Unlocking The Screen of an LG Android Smartphone with AT Modem Commands”

  1. Ron, this article is not about how excellent this or that software is. This is just shared knowledge about how experts can research a piece of firmware and use a publicly available backdoor for free. Well, hope you know that some articles can be just a contribution but not a product promotion.

    • I have an LG G4 stuck on a boot loop with only upload mode available.
      I’m able to send it AT commands. Are there commands that will 1. allow me to back up the data, or 2. allow me to reboot the device to recovery mode?

    • Hi, very helpful article!

      I’m trying to enter an NCK code using the AT commands AT%ULCV and AT%ULCW but I keep getting an error. I have the correct code, just the wrong formatting. Do you have any ideas on this? Thanks!

      Send:AT%ULCV

      Recieve: AT%ULCV
      Recieve: SIM Unlock code Check[8 or 16] Digits
      Recieve: OK

      Send:AT%ULCV 9323345992920608

      Recieve: AT%ULCV 9323345992920608
      Recieve: ERROR

      Send:AT%ULCV=9323345992920608

      Recieve: AT%ULCV=9323345992920608
      Recieve: ULCV ERROR
      Recieve: OK

      Send:AT%ULCV=”9323345992920608″

      Recieve: AT%ULCV=”9323345992920608″
      Recieve: ULCV ERROR
      Recieve: OK

      Send:AT%ULCV”9323345992920608″

      Recieve: AT%ULCV”9323345992920608″
      Recieve: ERROR

      Send:AT%ULCV “9323345992920608”

      Recieve: AT%ULCV “9323345992920608”
      Recieve: ERROR

  2. While we have been burdened with expectations of a successful successor to the LG G6, we have been saying for some time that this new phone will be the one phone which will rule them all.
    LG has already been on a roll and we expect that the G7 will also be up to the mark.
