LG LS740 Android forensics and kernel compiling

I recently has someone use my phone to do bad things so I have been working the phone a bit.
Please note that I used a known public method to root my phone, and this article assumes you too have already rooted you phone. The OneClick method works great for Virgin Mobile LG LS740. Please also note that the OneClick method *WILL NOT WORK* if your phone is encrypted. Decrypt the phone first, root, then re-encrypt phone.

The custom for android modified LiME is available here:
android-lime-forensics.tar
This article is about the Linux Memory Extractor, Volatility, and Android kernel compiling.

kernel compiling for LG LS740

sudo apt-get install build-essential android-tools-adb openjdk-7-jdk bison g++-multilib git gperf libxml2-utils make python-networkx zlib1g-dev:i386 zip

download the android NDK: http://dl.google.com/android/ndk/android-ndk-r10e-linux-x86_64.bin
extract into ~/android/android-ndk/

i am sure you can compile with just the NDK alone as the toolchains seems to be quite similar, but
i have to say this method works fine, and other methods have had many build errors.
so just to get things working, I did things this way. fyi.

now I have added all the utilities you need to build both the kernel and the whole sourcetree.
they are good to have, so don’t worry about the amount of packages you are installing because it
is quite likely you will want to compile the world later after compiling the kernel.
I am guessing you are also going to want to compile lime (or use the lime.ko provided here) too.

download the kernel from the LG website: http://opensource.lge.com/osSch/list?types=ALL&search=LS740
to know which kernel to download go into the settings on your android device
then scroll down to the about phone
the click software information
under software version it should say which version your device is using.

mine is using the ls740v5 version, and that is the kernel I have compiled here, and the lime module
I compiled is for this kernel.

after downloading the kernel file unzip it, and inside you will find the kernel in a tar.gz archive
and there is a readme with instructions. most of the instructions are good but there are a few needed modifications. they will be shown below.

this toolchain is required as there are many and I have found if you do not use this exact one builds can fail
download the toolchain required for the build:
mkdir ~/android
cd ~/android
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6
this should create the directory ~/android/arm-eabi-4.6
also untar/gzip your kernel in this directory
tar -zxvf KERNEL_ARCHIVE.tgz
this should create a folder called kernel here so it should be ~/android/kernel
you might as well untar/gzip the lime-forensics.tar.gz file in this directory while your here as
we will be using the directory later for LiME.
tar -zxvf lime-forensics.tar.gz
this should create the following directory: ~/android/lime-forensics

i have uploaded the modified version of the lime kernel module (compiled for LG LS740V5 software,
and the modified source)

cd ~/android/kernel
export ARCH=arm
export TARGET_PRODUCT=x5_spr_us
export DTS_TARGET=msm8226-x5_spr_us
export CROSS_COMPILE=~/android/arm-eabi-4.6/bin/arm-eabi-
make O=./out ARCH=arm x5_spr_us_defconfig
make O=./out

you have the option of using multiple threads using the -j4 (4 is the amount of threads)
but I chose not to use that here as this process is kinda touchy.
just trying to save you from possible compile errors here

now this will compile the source in the kernel directory ~/android/kernel/out/arch/arm/boot/zImage for use with lime.

once you have done these steps you are ready to compile the LiME kernel module for your kernel.

move into source of lime (modified src) and run:
make

the module will be called something like goldfish_lime.ko
that is the one you want to push to the phone.

to push to the phone:
adb devices (verify device online)
adb push lime.ko /data/local/tmp
adb shell
su
cd /data/local/tmp
insmod lime.ko ‘path=/storage/external_SD/ram.lime format=lime’

this will dump it to the sdcard for download via cardreader or a usb connection to the phone as a storage device.

**Volatility image analysis for this phone is INCOMPLETE. These instructions will tell you how to create
the needed profile for the phone, but as of yet mine does not work. Here is the info anyhow.

you now need to create a volatility profile for the android device so you can use the python script to rip data out of the lime image.

sudo apt-get install dwarfdump subversion python-distorm3
svn checkout https://volatility.googlecode.com/svn/trunk/ ~/android-volatility
cd ~/android-volatility/tools/linux

edit the make file to be the following:

——————————————————————————————————-
obj-m += module.o
KDIR ?= ~/android/kernel/out
CCPATH := ~/android/android-ndk/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin
DWARFDUMP := /usr/bin/dwarfdump

-include version.mk

all: dwarf

dwarf: module.c
$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
$(DWARFDUMP) -di module.ko > module.dwarf

clean:
$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=”$(PWD)” clean
rm -f module.dwarf
——————————————————————————————————-
then drop into a shell and cd to that directory:
cd ~/android-volatility/tools/linux
make

then to create the zipped profile:
zip ~/android-volatility/volatility/plugins/overlays/linux/LG-LS740.zip module.dwarf ~/android/kernel/out/System.map

then:
cd ../../
chmod u+x vol.py
./vol.py –info | grep Linux

Should output:
Volatility Foundation Volatility Framework 2.3.1
LinuxLG-LS740ARM – A Profile for Linux LG-LS740 ARM

then you are good to go.

download the ram.lime file from the sdcard (i used a micro sd card to sd card converter and read the sd card in my pc)
but you can connect the phone in the file transfer mode and download it that way if you want.

now you can use volatility to perform the forensics you need on the android device memory dump.

./vol.py –profile=Linuxubntu-15_04-3_19_0-25×64 -f /home/fuion/Desktop/android_lime_dump/ram.lime linux_dmesg

to get a list of all the available commands (modules for linux we want) run the command below (with your ram image path and profile)
and then after it prints scroll up and find things with names prefixed with linux_ for the linux commands you can run.

./vol.py –profile=Linuxubntu-15_04-3_19_0-25×64 -f /home/fuion/Desktop/android_lime_dump/ram.lime –info

——————UPDATE FOR MAKING PROPER KERNEL MOD AND SYSTEM.MAP PROFILE FOR NEW RUNNING KERNEL AND KERNEL FLASH——-
Please note that this is a work in progress and it may not be the final solution I use.
the method below is only partially tested as I can not afford to risk damaging my phone right now as I am in the middle
of a serious financial transaction for which I need my phone. The information should be quite accurate though.

You may need to unlock your bootloader/rom etc using the method here: http://androidforums.com/threads/how-to-enable-fastboot-and-unlock-bootloader-no-flashing-needed-working.861226/

create a dropbox.com account
go to google play store
download flashify for root users
open flashify
click backup/restore
click backup current kernel
choose dropbox
enter your login details and allow it to link to the account

choose backup current recovery
choose dropbox

wait for files to be uploaded then go to dropbox.com
a Apps directory will have been created go inside it, then open Flashify, then open the folder named after your phone
in my case this was LSLS740

inside this folder will be two folder each with a file inside it.
go into each folder and download the file inside and save in a safe place as you will need this to
reflash the phone, and if anything goes wrong

i choose the dropbox method because I tried the backup to sd card method only to find there were no files on the sd card
so this solves that problem.

you can now use flashify to flash your boot.img (kernel 😉
once you flash your kernel you can reboot the phone, connect via adb, insmod the lime kernel mod
and dump the memory to sd card and copy it to your pc
you should them have a working System.map and module.dwarf
System.map is easy to find as you used it to compile the kernel, just rename the file x5_spr_us_defconfig to System.map
this file is located in your kernel source directory tree at : ~/android/kernel/arch/arm/configs/
and the instructions before this informed you on how to build the needed module.dwarf for the kernel you compiled.
thake both files and put then into a folder then cd into the folder and run this command:
zip LS740.zip System.map module.dwarf
remember this file needs to go into the volatility directory located at: ~/volatility/volatility/plugins/overlays/linux

so now once you have the lime img file dump from the new working kernel you compiled you can perform foresnics on the image
and find out if anyone is hooking your kernel syscalls, loading hidden kernel modules, etc

then you can issue the following commands to find out about the possible malware on the system:

./vol.py –profile=LINUXPHONEPROFILE_NAME -f /path/to/your/lime/dump.lime linux_check_inline_kernel
./vol.py –profile=LINUXPHONEPROFILE_NAME -f /path/to/your/lime/dump.lime linux_hidden_modules
./vol.py –profile=LINUXPHONEPROFILE_NAME -f /path/to/your/lime/dump.lime linux_check_syscall_arm

Leave a Reply