@shinyquagsire23
Created February 11, 2020 20:20
LG Update Pulling
```python
# Written for Python 2 (str is a byte string) with PyCrypto.
from Crypto.Cipher import AES
from Crypto import Random
import base64
import requests
import xml.etree.ElementTree as ET

block_size = AES.block_size

# Strip the padding: the last byte gives the number of pad bytes.
unpad = lambda s : s[0:-ord(s[-1])]

# Static 16-byte AES keys: lg_deckey decrypts the response fields,
# lg_enckey encrypts the value sent in the request.
lg_deckey = "wleldpadptmdkdnt"
lg_enckey = "qlxnTldlsvntzl!#"

def pad(plain_text):
    """
    Pad cleartext to a multiple of the AES block size (16 bytes).
    A message whose length is not a multiple of the block size must be
    padded with additional bytes before it can be encrypted.
    """
    number_of_bytes_to_pad = block_size - len(plain_text) % block_size
    ascii_string = chr(number_of_bytes_to_pad)
    padding_str = number_of_bytes_to_pad * ascii_string
    padded_plain_text = plain_text + padding_str
    return padded_plain_text

def lg_encrypt(string):
    key = lg_enckey
    plain = pad(string)
    # AES-CBC with an all-zero IV
    iv = str("\x00"*AES.block_size)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    encrypted_text = cipher.encrypt(plain)
    # Base64 with "+" and "/" replaced
    return base64.b64encode(encrypted_text).replace("+", "m").replace("/", "f")

def lg_decrypt(string):
    # Elements without text (None), empty strings and bare newlines decode to ""
    if not string or string == "\n":
        return ""
    key = lg_deckey
    crypted = base64.b64decode(string)
    iv = str("\x00"*AES.block_size)  # unused: ECB mode takes no IV
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted_text = cipher.decrypt(crypted)
    return unpad(decrypted_text)

# Device identifier sent to the server (placeholder value)
imei = "lol"
esn = lg_encrypt(imei)
data = {'esn': esn}
r = requests.post(url = "https://csmg.lgmobile.com:49002/csmg/nb2c/gn_auth_model_check2.jsp", data = data)

def xml_recurse(node):
    # Every element's text is encrypted; decrypt it and print it with the tag
    dec = lg_decrypt(node.text)
    if (node.tag == "sw_url"):
        # Keep only the query string and prepend the download host
        dec = "http://tool.lime.gdms.lge.com/dn/downloader.dev?" + dec.split("?")[1]
    print (node.tag, node.attrib, dec)
    for child in node:
        xml_recurse(child)

root = ET.fromstring(r.text)
xml_recurse(root)
```
```
('response', {'status': 'OK', 'req_cmd': 'gn_auth_model_check'}, '')
('gn_auth_model_check', {}, '')
('result', {}, 'OK')
('esn', {}, 'lol')
('model', {}, 'LMQ710ULM')
('suffix', {}, 'AAMZOP')
('msn', {}, 'lol')
('esn_date', {}, '')
('sw_version', {}, 'Q710ULM20C_00')
('sw_url', {}, 'http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=FWDFOLF8C2O8AWU12A00FIQ/Q710ULM20c_00_AMZ_US_OP_1121.kdz&e=1581495520&h=9212c289d557d358ac925ba91358d014')
('sw_locale_url', {}, '')
('sw_recommand_uri', {}, '')
('app_version', {}, '')
('app_url', {}, '')
('cs_em_flag', {}, 'N')
('cs_em_uri', {}, 'N')
('chip_type', {}, 'EG')
('prod_type', {}, '2')
('buyer', {}, 'AMZ')
('file_name', {}, 'Q710ULM20c_00_AMZ_US_OP_1121.kdz')
('phone_os_version', {}, 'P')
('file_size', {}, '3062002529')
```
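
The decrypted fields in the output above can be cross-checked against each other before the KDZ is fetched. The following is an added Python 3 example, not part of the gist: `check_descriptor`, `ALLOWED_HOSTS` and `SAMPLE` are names made up here, and reading `e` as a Unix expiry time (with `h` as an opaque server-side hash) is an assumption.

```python
from posixpath import basename
from urllib.parse import urlsplit, parse_qs

# Host taken from the script's sw_url rewrite; treating it as the only
# acceptable download host is an assumption of this example.
ALLOWED_HOSTS = {"tool.lime.gdms.lge.com"}


def check_descriptor(fields, now, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of problems found in the decrypted response fields.

    `fields` maps tag name -> decrypted text, as printed by xml_recurse();
    `now` is a timezone-aware datetime. Assumption: `e` is a Unix expiry time.
    """
    problems = []
    url = urlsplit(fields.get("sw_url", ""))
    query = parse_qs(url.query)

    if url.hostname not in allowed_hosts:
        problems.append("unexpected host: %r" % url.hostname)

    # fileKey ends in the KDZ name; it must agree with the file_name field.
    file_key = query.get("fileKey", [""])[0]
    if basename(file_key) != fields.get("file_name"):
        problems.append("file_name does not match fileKey")
    if not file_key.lower().endswith(".kdz"):
        problems.append("fileKey is not a .kdz file")

    # file_size lets a truncated download be noticed later.
    size = fields.get("file_size", "")
    if not (size.isdecimal() and int(size) > 0):
        problems.append("file_size is not a positive integer")

    expiry = query.get("e", [""])[0]
    if not expiry.isdecimal():
        problems.append("missing or non-numeric e parameter")
    elif int(expiry) <= now.timestamp():
        problems.append("link expired")
    return problems


# Constructed input: values copied from the sample output on this page.
SAMPLE = {
    "sw_url": "http://tool.lime.gdms.lge.com/dn/downloader.dev"
              "?fileKey=FWDFOLF8C2O8AWU12A00FIQ/Q710ULM20c_00_AMZ_US_OP_1121.kdz"
              "&e=1581495520&h=9212c289d557d358ac925ba91358d014",
    "file_name": "Q710ULM20c_00_AMZ_US_OP_1121.kdz",
    "file_size": "3062002529",
}
```

With the sample values, `e` decodes to 2020-02-12 08:18:40 UTC, so the descriptor checks clean before that time and is reported as expired after it.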
@allaf2

allaf2 commented Mar 28, 2020

Hello dear shinyquagsire23.
You are amazing.

I have been looking for this code for more than 2 years.
Thanks man.
You are so pro.

I'm curious where you found:

lg_deckey = "wleldpadptmdkdnt"
lg_enckey = "qlxnTldlsvntzl!#"

Are these two keys always the same, with no change?

Thanks again.
With love.

@shinyquagsire23
Author

shinyquagsire23 commented Mar 28, 2020

@allaf2, it's been a hot minute since I did the RE for this but iirc I looked at LG's PC client for updating, specifically the MacOS version since it's a bit easier to parse the code in IDA Pro.

@kid1232

kid1232 commented Nov 1, 2020

Nice to find your code bro, I have been looking for this API for a month. Thank you so much. I will try it now.

@kelisonbessa

Sorry, but I'm not a Python programmer, I program in PHP, but I would like to test and understand this script. Could you tell me why I am getting these errors?
[image: error_python]

@haise0

haise0 commented Jun 10, 2021

You've helped with a great project that's in the works. :)
Thank you.

@DerVerruckteFuchs

> Sorry, but I'm not a Python programmer, I program in PHP, but I would like to test and understand this script. Could you tell me why I am getting these errors?
> [image: error_python]

The script needs to be run with Python 2. With Python 3 I get similar errors.

@Theprime02

How can I use this? Sorry, I'm new to Python. Can I use this to debrick my hard-bricked LG V60?

@haise0

haise0 commented Sep 21, 2021

> How can I use this? Sorry, I'm new to Python. Can I use this to debrick my hard-bricked LG V60?

No - sorry. This would let you download the firmware file for your V60.
The extract utility is the only one working right now. I haven't ported my KDZ downloader to the python script quite yet.
If you want your firmware update file, you can let me know, but otherwise right now LGUP is your only way to flash a KDZ, and EDL mode would be the only way to flash the contents within it.

@Theprime02

@haise0 ohh man, I've tried everything already, but the problem is the firehose programmer for the V60 isn't available yet. I don't think LGUP would recognize my phone in EDL mode, and unfortunately for me the phone is hard bricked, so that's the only way the PC recognizes it.

@kelisonbessa

What this Python script does is access the LG API and return the firmware download URL based on the device's IMEI, but currently this script can't fetch the firmware of the latest models released by LG. I created a page in PHP based on this Python script.
https://kfhost.net/firmware-lg-tabela

Theprime02: which model exactly?
LG V60 ThinQ 5G LMV600TM https://kfhost.net/firmware/lg/model/LMV600TM
LG V60 ThinQ 5G LMV600EA https://kfhost.net/firmware/lg/model/LMV600EA
LG V60 ThinQ 5G LMV600VMLN https://kfhost.net/firmware/lg/model/LMV600VMLN
V60 ThinQ 5G LMV600VM https://kfhost.net/firmware/lg/model/LMV600VM

@Theprime02

@kelisonbessa the thing with my phone is that it is hard bricked. Download mode doesn't work, and neither does fastboot or ADB. The only thing working is EDL mode, and as far as I have understood, the only way you can restore the software is using the firehose of the phone with Qfil, but I might be wrong, maybe the software can be restored using other methods.
