by Oleg Davydov, CTO, Oxygen Forensics
Modern smartphones are much more than just a device for voice calls. Now they contain a lot of personal data – contact list, communication history, photos, videos, Geo tags etc. Most smartphones can also work as a modem.
Almost every modem is Hayes-compatible which means it supports commands of the AT language developed in 1977 by Hayes. Every model supports some basic set of commands which is defined by the manufacturer. Sometimes this set can be extended and can contain very interesting commands.
Let us study behavior of an LG smartphone. When you connect it to the computer by USB you get access to the modem automatically (pic. 1). What is peculiar for LG is that the modem is available even if the phone’s screen is locked.
Thanks to that, we can learn some useful information about the phone using AT commands even if the phone is protected by a password. (pic. 2).
To learn what commands are supported by this model we have to examine its firmware. For example, for Android smartphones we only need to research the file /system/bin/atd. The pictures 3-5 demonstrate some AT commands for LG G3 D855 found in this file.
It is clear that the phone supports most of the basic AT+ command set which can be used to extract common information about it (pic. 5). But of the most interest are LG proprietary commands (commands of AT% type). These commands (like AT%IMEIx, AT%SIMID, AT%SIMIMSI, AT%MEID, AT%HWVER, AT%OSCER, AT%GWLANSSID) return basic information about the phone. Among them is hiding a real pearl – the command AT%KEYLOCK (pic. 4). As you might guess this command allows you to manage screen lock state. In order to study this command behavior we can run a debugger and use the cross-link to find its handling function code. You can see this in pic. 6.
When the command AT%KEYLOCK is called, the corresponding function, depending on the argument count, calls either lge_set_keylock() or lge_get_keylock() function from the /system/lib/libatd_common.so library. Pic. 7 shows the code of function lge_set_keylock().
As you can see from pic. 8, if you pass to the function lge_set_keylock() the value “0” = 0x30, it will eventually call the function which would remove the screen lock whatever method had been used to lock it (you can use PIN, password, pattern or fingerprint to do that). Then it will return the string “KEYLOCK OFF” (pic. 8).
It becomes obvious that the command AT%KEYLOCK=0 allows you to remove the screen lock without any additional manipulations.
It’s worth mentioning that this command only removes the screen lock without affecting user settings. The command works as described: it writes zero value (which means unlock) to the special RAM area which stores the value responsible for screen lock. This means the command does not modify ROM in any way. This behavior is forensically sound because no user data is touched and after reboot the smartphone will return to the locked state. The command does not allow the investigator to find the screen lock PIN / pattern / password; it just removes it for some time.
To perform this analysis we used an LG G3 D855 model (with V20g-SEA-XX firmware). However, the aforementioned AT commands have been proven to work on other LG smartphones as well (LG G4 H812, LG G5 H860, LG V10 H960 etc). All these models support this approach.
Therefore it’s more than easy to unlock the phone. All you need to have is an LG Android smartphone turned on and connected to a PC by USB. This backdoor is obviously left by LG for its service software but can be used for forensic purposes as well. But bear in mind that criminals can also use this approach.