• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Root Privilidge Escailation exploit in LG's backlight driver

giantpune

Android Enthusiast
Jun 13, 2012
452
476
So yesterday I was messing around with trying to get cm7 working when I ran an innocent shell command and my phone crashed. I tracked the cause back to the driver for the backlight in our LCD screen. While I was looking at it, I saw that the bug I found could actually be used to gain root access on our phone from any app that runs.

It took a couple hours to work up a working example for this that did something besides crash the phone, and named it 'Lit'. I already have quite a few root exploits for our phone saved up in case LG decides to fix the ones we have publicly. So theres nothing really to lose by not keeping this one to myself.

I suspect this one also affect other LG phones using the same buggy backlight driver. I have hardcoded an address in this code. To get it working on other models, somebody would need to get the correct address. Lit is a commandline program, so run it from the terminal emulator or adb or something and hopefully it'll give you a root shell. You might also want to contact LG and demand they fix it. I'm not really going to bother with that since I called and emailed them back in July about another one and got ignored.

Code:
j@media-pc:~$ adb shell
$ uname -a
Linux localhost 2.6.35.11 #1 PREEMPT Tue Jun 19 23:02:28 KST 2012 armv7l GNU/Linux
$ getprop | grep device
[ro.product.device]: [m3s]
$ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
$ /data/local/tmp/lit
Lit - root exploit for the LG LM3530 backlight driver
2012 giantpune
[+] Using 29287461 as adapter address
[+] Opened led reg file
[+] Mapped 29287000
[+] algoAddr is at 29287000
[+] got root
# id
uid=0(root) gid=0(root)
#
Download lit.tar.gz from Sendspace.com - send big files the easy way
 
With multiple hole like this one, I wouldn't put my email address, credit card info, or any other personal information into this phone. If it wasn't a prepaid phone, I'd say to check your account every now and then and make sure there aren't any strange 1900 calls or texts sent to those premium numbers that charge you $2 a message.

With any app being able to get root access whenever it wants, they can most certainly do all this stuff. Definitely make sure you only install apps from trusted places. It would be trivial to stick this or a similar exploit into anglybirds and toss it up on thepiratebay and before you know it, your phone becomes somebody else's phone.
 
  • Like
Reactions: Dark One
Upvote 0
I used the gcc arm compiler from ndk r8(ish) to make the binary. As far as modifications go, I've found that if you tweak the mmap arguments a bit to get rid of the unnecessary executable permission, the mmap will succeed on some other devices and this exploit works. There are actually about 8 different backlight drivers from LG affected by this one, being used in several models. My root/cwm installer for the L38c family of phones uses this it ( http://androidforums.com/l3-all-things-root/682486-root-apk-l38c.html ).

The optimus V 's backlight driver is also vulnerable, but as the cpu+kernel config is setup in a way that doesn't let us run unaligned addresses, the kernel panics rather than executing the specified address.
 
Upvote 0

BEST TECH IN 2023

We've been tracking upcoming products and ranking the best tech since 2007. Thanks for trusting our opinion: we get rewarded through affiliate links that earn us a commission and we invite you to learn more about us.

Smartphones