I was looking for a method to check and download KDZ updates from LG.
I tried with this
Code:
GET csmg.lgmobile.com:9002/csmg/b2c/client/auth_model_check2.jsp?esn=IMEI HTTP/1.1
but it shows
Code:
<response req_cmd="auth_model_check" status="OK">
<auth_model_check>
<result>2</result>
<esn>IMEI</esn>
<model>LGABCD</model>
<suffix>XABCXX</suffix>
<msn/>
<esn_date/>
<sw_version/>
<sw_url/>
<sw_locale_url/>
<sw_recommand_uri/>
<app_version/>
<app_url/>
<cs_em_flag>N</cs_em_flag>
<cs_em_uri>N</cs_em_uri>
<chip_type/>
<prod_type/>
<buyer>ABC</buyer>
<file_name/>
</auth_model_check>
</response>
So I dumped traffic from LGBridge for macOS and I found that now it is using this:
Code:
POST https://csmg.lgmobile.com:49002/csmg/nb2c/gn_mac_auth_check.jsp HTTP/1.1
[...]
esn=ENC_IMEI
where ENC_IMEI is: base64_encode(AES256_encrypt(key, IMEI))
And now it works!
Code:
<?xml version='1.0' encoding='utf-8'?>
<response req_cmd='gn_mac_auth_check' status='OK'>
<gn_mac_auth_check>
<result>+RLYdeul0Wq2LR9W80Dr7Q==</result>
<esn>[...]</esn>
<model>pkkxdJkDkqa9bLB5JhcINw==</model>
<suffix>BBr8V1JzR89dVaz5N074Ug==</suffix>
<msn>[...]</msn>
<esn_date>uz/t1Dh+UF74zmp+aFDJfg==</esn_date>
<sw_version>8sof3K0NIywkmKpYJNZ9pA==</sw_version>
<sw_url>nNDKjeaqClYJ63yWmSaIO+nlE3gjXluSN/64E/278RSt8dh+ivIkURKbS+MdZ3WqId+yqE3uBRGXtcdTv6z77Y3KIpxGLyK3Fj8i3XHdoWI0FOwg+BX/bBiRscYomZUZFrsAI+W6ai5pfMe32Y6QPQV5JNdnvU4P9YkAKlbEN6jORxdG3LIW+my3Ak5yeWtEbzeLWOhW65T8cdhPgPxsQj10yGOSQPjKE+lkUuENztE=</sw_url>
<sw_locale_url>uz/t1Dh+UF74zmp+aFDJfg==</sw_locale_url>
<sw_recommand_uri>uz/t1Dh+UF74zmp+aFDJfg==</sw_recommand_uri>
<app_version>uz/t1Dh+UF74zmp+aFDJfg==</app_version>
<app_url>uz/t1Dh+UF74zmp+aFDJfg==</app_url>
<cs_em_flag>IMBPpXxY/lQR/aH+hmE14w==</cs_em_flag>
<cs_em_uri>IMBPpXxY/lQR/aH+hmE14w==</cs_em_uri>
<chip_type>P9Tqe7bVC60By1eqGYwQrw==</chip_type>
<prod_type>x/kvneoEEi8TJsxajY84nA==</prod_type>
<mac_yn>SO++YTm9X4BexRU72YEcVQ==</mac_yn>
<file_name>B3sREU5ROkObBgVufGAakmSJiiFeq83HX/qnXHg3R8s=</file_name>
<buyer>Y6aP69S7Udccuog+H7JMxQ==</buyer>
<phone_os_version>IMBPpXxY/lQR/aH+hmE14w==</phone_os_version>
<file_size>v/NYq+/ekA2T/q5WDoOikQ==</file_size>
</gn_mac_auth_check>
</response>
The bad news is that the AES256 key to decrypt all the values is still unknown.
I tried looking for the key in the "David" framework (where this link appears) but nothing...
Anyway, looking in the LGBridge logs I found the decrypted version:
Code:
dicResult = {
"app_url" = "";
"app_version" = "";
buyer = ITA;
"chip_type" = EG;
"cs_em_flag" = N;
"cs_em_uri" = N;
esn = [...];
"esn_date" = "";
"file_name" = "H85020q_00_OPEN_EU_OP_1025.kdz";
"file_size" = 2607484377;
"mac_yn" = y;
model = LGH850;
msn = [...];
"phone_os_version" = N;
"prod_type" = 2;
result = OK;
suffix = AITASV;
"sw_locale_url" = "";
"sw_recommand_uri" = "";
"sw_url" = "http: [REMOVE_THIS] //pkg03.lime.gdms.lge.com/dn/downloader.dev?fileKey=FW21XUTD728BASS12A42BSD/H85020q_00_OPEN_EU_OP_1025.kdz&e=1512010196&h=c683d07e4acf60ef2829d6bdf0834ac6";
"sw_version" = "H85020Q_00";
}
I think that key and IV are always the same, because after making more "check for update" requests, the encrypted strings were always the same.
So, is someone interested in helping me find the key?
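The repetition the post points to can be checked on the values it shows. As an added example (not part of the original post, and not LG's code), this script pairs ciphertexts from the encrypted response with the plaintexts from the LGBridge log and reports what an observer learns without the key; PKCS#7-style padding to 16-byte blocks is an assumption.

```python
import base64
from collections import defaultdict

BLOCK = 16  # AES block size in bytes

# (field, ciphertext from the encrypted response, plaintext from the LGBridge log),
# both copied from the post; esn, msn and sw_url are left out.
FIELDS = [
    ("result", "+RLYdeul0Wq2LR9W80Dr7Q==", "OK"),
    ("model", "pkkxdJkDkqa9bLB5JhcINw==", "LGH850"),
    ("suffix", "BBr8V1JzR89dVaz5N074Ug==", "AITASV"),
    ("esn_date", "uz/t1Dh+UF74zmp+aFDJfg==", ""),
    ("sw_version", "8sof3K0NIywkmKpYJNZ9pA==", "H85020Q_00"),
    ("app_url", "uz/t1Dh+UF74zmp+aFDJfg==", ""),
    ("cs_em_flag", "IMBPpXxY/lQR/aH+hmE14w==", "N"),
    ("phone_os_version", "IMBPpXxY/lQR/aH+hmE14w==", "N"),
    ("file_name", "B3sREU5ROkObBgVufGAakmSJiiFeq83HX/qnXHg3R8s=", "H85020q_00_OPEN_EU_OP_1025.kdz"),
    ("file_size", "v/NYq+/ekA2T/q5WDoOikQ==", "2607484377"),
]

def repeated_ciphertexts(fields):
    """Group field names by ciphertext; any group >1 leaks plaintext equality."""
    groups = defaultdict(list)
    for name, ct, _ in fields:
        groups[ct].append(name)
    return {ct: names for ct, names in groups.items() if len(names) > 1}

def equality_leak_is_exact(fields):
    """True if same ciphertext <=> same plaintext for every pair of fields."""
    return all((c1 == c2) == (p1 == p2)
               for _, c1, p1 in fields for _, c2, p2 in fields)

def length_mismatches(fields):
    """Fields whose ciphertext length is not what PKCS#7-style padding predicts."""
    bad = []
    for name, ct, pt in fields:
        expected = (len(pt.encode()) // BLOCK + 1) * BLOCK  # assumption: PKCS#7
        if len(base64.b64decode(ct)) != expected:
            bad.append(name)
    return bad

if __name__ == "__main__":
    for ct, names in repeated_ciphertexts(FIELDS).items():
        print(ct, "->", names)
    print("equality leak exact:", equality_leak_is_exact(FIELDS))
    print("length mismatches:", length_mismatches(FIELDS))
```

Identical ciphertexts for the empty and "N" fields within one response are what a fixed key and IV (or ECB mode) produce; a per-message random IV would make them differ.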