Forensics 101, Mobile Devices

Unlocking The Screen of an LG Android Smartphone with AT Modem Commands

by Oleg Davydov, CTO, Oxygen Forensics

Modern smartphones are much more than devices for voice calls. They now hold a great deal of personal data: contact lists, communication history, photos, videos, geotags and so on. Most smartphones can also work as a modem.

Almost every modem is Hayes-compatible, which means it supports commands of the AT language developed in 1977 by Hayes. Every model supports a basic set of commands defined by the manufacturer. Sometimes this set is extended and contains very interesting commands.

Let us study the behavior of an LG smartphone. When you connect it to a computer over USB, you get access to the modem automatically (pic. 1). What is peculiar to LG is that the modem is available even when the phone’s screen is locked.

Pic. 1

Thanks to that, we can learn some useful information about the phone using AT commands even if the phone is protected by a password (pic. 2).

Pic. 2

To learn which commands this model supports, we have to examine its firmware. For Android smartphones, for example, we only need to examine the file /system/bin/atd. Pictures 3-5 show some of the AT commands for the LG G3 D855 found in this file.

Pic. 3

Pic. 4

Pic. 5

It is clear that the phone supports most of the basic AT+ command set, which can be used to extract common information about it (pic. 5). Of most interest, however, are the LG proprietary commands (commands of the AT% type). These commands (like AT%IMEIx, AT%SIMID, AT%SIMIMSI, AT%MEID, AT%HWVER, AT%OSCER, AT%GWLANSSID) return basic information about the phone. Hidden among them is a real pearl: the command AT%KEYLOCK (pic. 4). As you might guess, this command lets you manage the screen lock state. To study its behavior, we can run a debugger and follow the cross-reference to find the code of its handling function. You can see this in pic. 6.

Pic. 6
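The command enumeration described above can be scripted as part of a firmware review. This is an added example, not code from the original article or from Oxygen Forensics: it pulls printable strings out of a binary image, splits AT command names into the AT+ and AT% families, and flags vendor commands whose names suggest lock state for manual review. The sample image and the hint list are constructed assumptions.

```python
import re

# Printable-ASCII runs of 4+ bytes, the same idea as the Unix `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# "AT", a family prefix (+ is standard, % is LG proprietary), then the name.
AT_NAME = re.compile(rb"AT([+%])([A-Z][A-Z0-9]*)")
# Assumption: name fragments that hint a command touches lock state.
REVIEW_HINTS = ("LOCK", "ULC", "PIN")


def extract_at_commands(blob: bytes) -> dict:
    """Return sorted AT command names found in a binary image, by family."""
    found = {"standard": set(), "vendor": set()}
    for run in PRINTABLE_RUN.finditer(blob):
        for m in AT_NAME.finditer(run.group()):
            family = "standard" if m.group(1) == b"+" else "vendor"
            found[family].add(m.group(0).decode("ascii"))
    return {family: sorted(names) for family, names in found.items()}


def needs_review(commands: dict) -> list:
    """Vendor commands whose name (after 'AT%') contains a review hint."""
    return [c for c in commands["vendor"]
            if any(hint in c[3:] for hint in REVIEW_HINTS)]


# Constructed sample standing in for a daemon binary such as atd:
# command strings separated by NULs and other non-printable bytes.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"AT+CGMI\x00AT+CGSN\x00\x00\x13\x37"
    + b"AT%SIMID\x00AT%SIMIMSI\x00AT%MEID\x00AT%HWVER\x00"
    + b"\xff\xfeAT%KEYLOCK\x00[0]KEYLOCK OFF\x00AT%GWLANSSID\x00"
    + b"AT%ULCV\x00AT%ULCW\x00AT%SIMID\x00"
)

if __name__ == "__main__":
    cmds = extract_at_commands(SAMPLE_IMAGE)
    print("standard:", ", ".join(cmds["standard"]))
    print("vendor:  ", ", ".join(cmds["vendor"]))
    print("review:  ", ", ".join(needs_review(cmds)))
```

On a real image, every flagged name still has to be traced to its handler, as the article does next for AT%KEYLOCK, because a command name alone says nothing about what the handler changes.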

When the command AT%KEYLOCK is called, the corresponding function calls either lge_set_keylock() or lge_get_keylock() from the /system/lib/libatd_common.so library, depending on the argument count. Pic. 7 shows the code of lge_set_keylock().

Pic. 7

As you can see from pic. 8, if you pass the value “0” (0x30) to lge_set_keylock(), it eventually calls the function that removes the screen lock, whatever method was used to lock it (PIN, password, pattern or fingerprint). It then returns the string “[0]KEYLOCK OFF” (pic. 8).

Pic. 8

It becomes obvious that the command AT%KEYLOCK=0 allows you to remove the screen lock without any additional manipulations.

It’s worth mentioning that this command only removes the screen lock without affecting user settings. The command works as described: it writes a zero value (which means unlock) to the special RAM area that stores the value responsible for the screen lock. This means the command does not modify ROM in any way. This behavior is forensically sound because no user data is touched, and after a reboot the smartphone returns to the locked state. The command does not allow the investigator to find the screen lock PIN, pattern or password; it just removes the lock for some time.

To perform this analysis we used an LG G3 D855 (with V20g-SEA-XX firmware). However, the aforementioned AT commands have been proven to work on other LG smartphones as well (LG G4 H812, LG G5 H860, LG V10 H960 etc.). All these models support this approach.

Unlocking the phone is therefore very easy. All you need is an LG Android smartphone that is turned on and connected to a PC by USB. This backdoor was obviously left by LG for its service software, but it can be used for forensic purposes as well. Bear in mind that criminals can also use this approach.

Oxygen Forensics was founded in 2000 as a PC-to-Mobile Communication software company. This experience has allowed our team of mobile device experts to become unmatched in understanding mobile device communication protocols. With this knowledge, we have built innovative techniques into our Oxygen Forensic® Detective allowing our users to access much more critical information than competing forensic analysis tools. We offer the most advanced forensic data examination tools for mobile devices and cloud services. Our company delivers the universal forensic solution covering the widest range of mobile devices running iOS, Android, Windows Phone, BlackBerry and many others. Oxygen Forensic® products have been successfully used in more than 100 countries across the globe. More info at www.oxygen-forensic.com

Discussion

12 thoughts on “Unlocking The Screen of an LG Android Smartphone with AT Modem Commands”

  1. This solution is already available in a UFED near you for about 8 months already for a long list of LG models.

    Posted by Ron Serber | February 6, 2017, 7:28 pm
    • Nice try, Ron

      Posted by oxygenforensics | February 6, 2017, 8:27 pm
      • Nice Try???
        The capability to unlock LG devices using this exact command was added to UFED v5.1 in June 2016.
        You can locate it in the v5.1 release notes.
        I did not say that this specific capability was copied from Cellebrite, just that it’s already in UFED for a long time.

        Posted by Ron Serber | February 7, 2017, 10:31 am
  2. Ron, this article is not about how excellent this or that software is. This is just shared knowledge about how experts can research a piece of firmware and use a publicly available backdoor for free. Well, hope you know that some articles can be just a contribution but not a product promotion.

    Posted by oxygenforensics | February 7, 2017, 11:03 am
    • Hi, very helpful article!

      I’m trying to enter an NCK code using the AT commands AT%ULCV and AT%ULCW but I keep getting an error. I have the correct code, just the wrong formatting. Do you have any ideas on this? Thanks!

      Send:AT%ULCV

      Recieve: AT%ULCV
      Recieve: SIM Unlock code Check[8 or 16] Digits
      Recieve: OK

      Send:AT%ULCV 9323345992920608

      Recieve: AT%ULCV 9323345992920608
      Recieve: ERROR

      Send:AT%ULCV=9323345992920608

      Recieve: AT%ULCV=9323345992920608
      Recieve: ULCV ERROR
      Recieve: OK

      Send:AT%ULCV=”9323345992920608″

      Recieve: AT%ULCV=”9323345992920608″
      Recieve: ULCV ERROR
      Recieve: OK

      Send:AT%ULCV”9323345992920608″

      Recieve: AT%ULCV”9323345992920608″
      Recieve: ERROR

      Send:AT%ULCV “9323345992920608”

      Recieve: AT%ULCV “9323345992920608”
      Recieve: ERROR

      Posted by jd | May 25, 2017, 12:22 am
  3. While we have been burdened with expectations of a successful successor to the LG G6, we have been saying for some time that this new phone will be the one phone which will rule them all.
    LG has already been on a roll and we expect that the G7 will also be up to the mark.

    Posted by Gray White | June 12, 2017, 12:39 pm
