Unlocking a pattern-locked, network-less LG G-Slate v909
Posted by: Borszczuk in Android, Computers
Among many other devices, I happen to own an LG G-Slate v909 Android tablet, which I was given at one of the Google dev meetups. It was quite a neat device in its time, with a built-in 3D camera mode and stuff. Unfortunately, LG abandoned the model some time ago, the last available Android version is the ancient Honeycomb, and there is no custom firmware that is really usable, so it was mostly collecting dust, as I had not really used the device for a long time. A few days ago I wanted to give it away but found it pattern-locked.
Since I had not used it for ages, I tried all the patterns I suspected might work. No luck. Theoretically you can try to get rid of the pattern lock by tampering with system files using the ADB (Android Debug Bridge) tool but… you guessed right: to use ADB you need USB debugging mode enabled on the device, and this one had it turned off, so “adb devices” listed nothing and I was not able to go that way at this point. I tried some more patterns until I reached the hard limit, where any further unlock attempt required signing in to a valid Google account. An easy task – if you have the network enabled. But as you have guessed correctly again, this device had WiFi off (most likely to reduce battery drain). No big deal, you may think: just go to settings, turn WiFi on and proceed. Not so easy. This screen locks you in completely: nothing can be done except entering a valid email and password and tapping the “Sign in” button. Despite the misleading presence of a “back” button, you cannot leave this screen, as the button does not work (and if you try to reset the device, you will be back here once your tablet finishes booting). Of course, you also cannot tap the bottom-right corner to unveil the menu and jump to the system settings from there.
So basically you are asked to unlock your device with a Google account, but this requires an active network connection. If you have no network enabled or connected, you cannot change that, as the settings are unavailable because your device is locked. To get access to the settings you need to unlock the device first, but you cannot do that because you do not have a network connection… Good job Google!
So at this moment I seemed to be doomed, and a factory reset (incl. complete data wipe) looked like the only option remaining. But while I did not expect this device to hold anything valuable and I could have done the reset, my rusted hacker soul was bleeding at giving up so early… But hey, I am on holidays now, everyone around is sleeping…. so factory reset – no, thanks bitch, I will try to kick your ass some other way first…
Most devices nowadays are quite complex: firmware, boot loader, kernel, framework firmware, software here, software there. Someone must have screwed something up, something we could exploit for our needs. First, when I build more complex software, I always include something I’d call a “developer mode”. In this mode my software exposes all the vital information, so I can quickly check the internal state of the running system and find out why it behaved one way or another. I always try to remove this “developer mode” from release builds, but I assumed that for certain types of applications it may be beneficial to keep it available even in release builds. When a customer comes complaining that a certain system feature is not working, the service guys need to be able to check that, which is especially important when the complaint is about hardware features not working correctly. So I assumed there should be a “developer mode” on the device that only service staff could activate when needed. But while, for example, accessing a car’s “service mode” requires additional hardware, I assumed this should not be the case with these tablets: the devices are cheap and quickly become obsolete, so there’s a high chance such a service mode can be accessed w/o any additional hardware. I also hoped that, to simplify the whole development, this “service mode” would be just another application utilising the underlying Android framework. But as this is a “service mode” app, there’s a high chance it can drive the framework into not respecting some (or even all) of the security restrictions the framework enforces while running in “consumer” mode.
I searched a bit to see if I could find any article or post about LG’s service modes and managed to find a few posts on a Korean forum about service modes in other devices. As laziness is part of human nature, I assumed the LG devs might have used the same approach here too, so I tried them on my tablet to see. One of these, “press and hold volume up and down for 10 seconds”, seemed to work on my LG G-Slate too and resulted in a promising “Input Service Code” prompt screen.
So the next step was to find out what the Service Code is. The LG G-Slate 909 does not seem to be that popular a device, so I failed to find anything directly related to this model, but I found that for the LG v900 model the working service code would be “3845#*900#”. This did not work on my device, but I suspected that the “900” in the code might simply be the model number, so I replaced it with mine and… voila – “3845#*909#” and I was in service mode.
While there was no option to reset just the settings (and by default the pattern lock is off), I noticed that the bottom-right corner of the screen looked different compared to the “unlock with your Google account” screen with its “No internet connection” message. So my expectation that the “service mode” thinks it lives in a parallel world seems to be true (to be honest, this behaviour actually makes sense from a business perspective. From a security point of view it’s a complete disaster, and you can safely assume any present-day device features a “service mode” of one sort or another. Because of its presence, you should pay attention to your sensitive data and, if you have any, take care of its encryption). One tap there and I had the normal Honeycomb notification view unveiled, with the option to enter settings. Once I was there I quickly enabled USB debugging mode, turned on WiFi and connected to my hotel network. I was mostly at home now.
Having ADB access, I tried to manipulate the system databases to disable the system lock, but this device has no “su” command and I had not rooted it either, so I mostly saw “permission denied” in response to my attempts. But this was not really a problem: I still had my network enabled, so my next step was to fall back from “h4x0r” mode to ordinary user and simply sign in to my Google account to unlock the tablet, as this step was now expected to work. Once I did that, I was asked to set a new pattern lock, and finally I had my tablet back without any data wiped.