
LG FORTUNE LG-M153 Screen Lock Bypass?  

UnallocatedClusters
(@unallocatedclusters)
Senior Member

Colleagues,

I have a numeric screen locked LG Fortune model LG-M513 (Qualcomm Snapdragon 210 MSM8909) running Android 6.0.1 Marshmallow.

I can place the phone in "download mode" which brings up a "Firmware Update" screen, but that is as far as I have gotten to attempt to bypass the screen lock.

In "download mode", the phone is displaying the following

"633A S0.0 AS0.0 B74 SS V LG-M153 06.0.1 Hrev_10 M15310a"

I searched FF for references to this phone model but did not find any.

Any suggestions to bypass the screenlock?

Posted : 18/04/2018 7:16 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Maybe the article can help you:

Unlocking The Screen of an LG Android Smartphone with AT Modem Commands

https://articles.forensicfocus.com/2017/02/03/unlocking-the-screen-of-an-lg-android-smartphone-with-at-modem-commands/

Posted : 19/04/2018 7:09 am
RonS
(@rons)
Active Member

The LG-M153 is supported using the Cellebrite UFED EDL method.

Ron

Posted : 19/04/2018 8:37 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Hello Igor -

Thank you very much for pointing me to your article!

I read your article but would like to confirm the applications I need to download, install and use to replicate the steps your article shows.

If possible, please confirm my applications, versions and sources are correct below

1) FROM PIC 2 HUAWEI MODEM TERMINAL V0.32

Download Source??? https://www.unlock4modems.com/downloads/huawei-modem-terminal-v0-32/

2) FROM PICS 3 & 4 I cannot determine the software being shown nor a source to download the software from. I do see "IDA" but cannot tell what application this is.

Is it possible that I only need the Huawei Modem Terminal V0.32 software, which I will use to send the "AT%KEYLOCK=0" command to the phone (as shown in PIC 8)???

Also, is it "safe" to download and install the Huawei Modem Terminal software to my main forensic laptop? By safe, I mean there is no spyware/malware/backdoor included; I am not a malware expert at all, but do read the news https://www.theverge.com/2018/1/14/16890110/new-bill-ban-huawei-zte-phones-tech-congress-mike-conaway-cybersecurity

I have a laptop I could install the Huawei Modem Terminal to and then later wipe if need be, but I would rather not "infect" my main forensic laptop with additional backdoors beyond whatever backdoors my government's NSA may or may not have in place.

Posted : 19/04/2018 9:41 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

> The LG-M153 is supported using the Cellebrite UFED EDL method.
>
> Ron

Hello Ron,

I attempted the EDL method with the newest cable but had no success at all. I will give it a go again.

[EDIT1] I tried every variation of the Generic Qualcomm EDL download mode acquisition but no success. I am able to put the phone in "download mode" by holding the up volume key and then connecting the phone to the USB cable but no success on extracting data. I am able to use Cellebrite Cable 523 per the instructions (option 5) to put the phone in download mode, but a window comes up asking to verify if debugging mode is enabled. Obviously debugging mode is not enabled but I have tried both "yes" and "abort" options with no success. When I search in Phone Detective for this particular model, nothing comes up. [EDIT1]

** This particular phone was found on the hood of my client's car. My client believes her ex-boyfriend left the LG phone after ripping out all of the electrical wiring under her car's hood.

My Pro Bono cases seem to have interesting circumstances like this.

I will have to consult with the legal assistance lawyer who engaged me on this case, but I assume that the phone owner does not have any reasonable expectations of privacy having left the phone at the scene of an apparent crime.

I was able to use Cellebrite to extract the MSISDN number from the SIM card, which I then reported to the attorney and suggested she issue a subpoena to Cricket mobile for information regarding the phone owner (call logs and cell tower data).

It is only a theory at this point that the phone belongs to my client's ex-boyfriend and that the ex-boyfriend was the person who vandalized her car.

I am hoping to extract evidence which LE can then leverage to arrest the ex-boyfriend (I am a civilian forensic specialist and not LE).

Posted : 19/04/2018 9:48 pm
mcman
(@mcman)
Active Member

A little late but if you have AXIOM I would give our LG bypass a try, works really well for a lot of LG devices. I haven't tried your specific model as I don't have many Cricket devices on hand but can't hurt to try.

Jamie
Magnet Forensics

Posted : 27/04/2018 8:43 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Jamie,

I do have Axiom and will give it a try. I will report my results

Posted : 27/04/2018 9:16 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Axiom (and many other software) might be using the same AT commands which Igor posted at the very beginning of the thread :)

Posted : 28/04/2018 9:11 am
RonS
(@rons)
Active Member

> > The LG-M153 is supported using the Cellebrite UFED EDL method.
> >
> > Ron
>
> Hello Ron,
>
> I attempted the EDL method with the newest cable but had no success at all. I will give it a go again.
>
> [EDIT1] I tried every variation of the Generic Qualcomm EDL download mode acquisition but no success. I am able to put the phone in "download mode" by holding the up volume key and then connecting the phone to the USB cable but no success on extracting data. I am able to use Cellebrite Cable 523 per the instructions (option 5) to put the phone in download mode, but a window comes up asking to verify if debugging mode is enabled. Obviously debugging mode is not enabled but I have tried both "yes" and "abort" options with no success. When I search in Phone Detective for this particular model, nothing comes up. [EDIT1]
>
> ** This particular phone was found on the hood of my client's car. My client believes her ex-boyfriend left the LG phone after ripping out all of the electrical wiring under her car's hood.
>
> My Pro Bono cases seem to have interesting circumstances like this.
>
> I will have to consult with the legal assistance lawyer who engaged me on this case, but I assume that the phone owner does not have any reasonable expectations of privacy having left the phone at the scene of an apparent crime.
>
> I was able to use Cellebrite to extract the MSISDN number from the SIM card, which I then reported to the attorney and suggested she issue a subpoena to Cricket mobile for information regarding the phone owner (call logs and cell tower data).
>
> It is only a theory at this point that the phone belongs to my client's ex-boyfriend and that the ex-boyfriend was the person who vandalized her car.
>
> I am hoping to extract evidence which LE can then leverage to arrest the ex-boyfriend (I am a civilian forensic specialist and not LE).

You need to put the phone into EDL mode.
If this is not accomplished using our special cable, you might need to short the internal phone eMMC CLK and CMD lines to GND.

I suggest you approach support and ask for the EDL method document that has this in more details.

Multiple customers used this method to get a physical extraction from this specific model.

Best regards,
Ron

Posted : 28/04/2018 2:49 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Many thanks for your reply Ron- I will contact support

Posted : 28/04/2018 3:19 pm
passcodeunlock
(@passcodeunlock)
Senior Member

@RonS the problem with this device is that triggering EDL mode with the UFED cable won't work for some reason, so the only option remains shorting the emmc

@UnallocatedClusters I can confirm that shorting the emmc triggered a fault signal and at the next connect the device went to EDL mode. It is very confusing, because the device screen remains black, like nothing is happening.

Posted : 29/04/2018 4:07 pm
arcaine2
(@arcaine2)
Active Member

> @RonS the problem with this device is that triggering EDL mode with the UFED cable won't work for some reason, so the only option remains shorting the emmc

This was actually considered a security hole and patched by lots of vendors in recent firmware a couple of months back, so it's even impossible to reboot to EDL mode from fastboot (this was a thing for Xiaomi devices) or from a working system via adb, and the testpoint is the only option. From my experience, booting LG (and Huawei) into EDL using only a cable rarely worked anyway.

Posted : 29/04/2018 8:04 pm
RonS
(@rons)
Active Member

It is patched in newer devices and newer chipsets.
It does work for 100's of other models including the M153.

Shorting eMMC is simpler than a chipoff or ISP/JTAG, so worth trying.

RonS

Posted : 29/04/2018 9:39 pm
passcodeunlock
(@passcodeunlock)
Senior Member

For some models there are two EDL testing points, just usually without marks. Shorting those also makes the phone boot into EDL mode next time.

@RonS true, entering the EDL is way easier than any chip-off/JTAG/ISP, but the real "power" of the factory mode is being able to "read" the encryption keys from the Trusted Zone for almost any Qualcomm based device and make a decrypted acquisition on the fly directly from the device. Some say it's a security hole, but I look at it as a backdoor left there on purpose :)

Posted : 30/04/2018 9:06 am