Hardware hacking the LG L15G Sunrise

sunrise_complete_2

The Tracfone LG L15G recently dropped to $10 at Walmart, so I picked one up. As expected, the hardware is incredibly simple and accessible.

During my (very easy) work on this, I kept thinking: Why would anyone spend $700 on a “secure phone” (Silent Circle) when I can spend $10 on this one and take the microphone and camera out? It really depends on which security feature we’re looking at, and in this case, with the LG, it’s hardware security. At the very least, Silent Circle should make it very easy to physically remove specific, high-risk sensors. This LG still has Rotation Vector and Accelerometer senors, and I don’t know where those are located. Even still, compared to my Nexus 6, this is an extremely simple device to “secure”.

Ars Technica reviewed the LG Sunrise. While they are quite right about how “cheap” it is, I got the feeling like they have no appreciation for easy to hack devices, especially ones as powerful as Android.

A review of the $10 Walmart phone—better than nothing, but not by much

Reasons to keep a $10 Android around:

The end result, achievable within 5 minutes of work, resulted in the removal of the microphone, the front-facing sensors, the rear camera, and the rear speaker. I could have taken out the primary earphone too.

Processor and Sensors

via “CPU-Z”

CPU: Qualcomm Snapdragon 400
Model: MSM8926
Cores: 2
Architecture: 2x ARM Cortex-A7 @ 1.19 GHz
Revision: r0p3
Process: 28 nm
Clock Speed: 300 MHz – 1.19 GHz
CPU Load: (CPU 1 idles at 300 MHz with the second turned off. Idle load was 10-20%)
GPU Vendor: Qualcomm
GPU Rendered: Adreno 305 @ 400 MHz
GPU Clock Speed: 300 MHz
GPU Load: (Idles at 0%)
Scaling Governor: on demand

Model: LGL15G (y25_trf_us)
Manufacturer: LGE
Brand: lge
Board: y25
Screen Size: 3.46 inches
Screen Resolution: 320 x 480 pixels
Screen Density: 166 dpi
Total RAM: 420 MB
Available RAM: (Idle, 150 MG (35%)
Internal Storage: 1.80 GB
Available Storage: 1.49 GB (82%)

Android Verson: 4.4.2
API Level: 19
Bootloader: unknown
Build ID: KOT49I.LGL15G10f
Java VM: Dalvik 1.6.0
OpenGL ES: 3.0
Kernel Architecture: armv7I
Kernel Version: 3.4.0+(LGL15G10f.1419269528)
Root Access: (I rooted this test device just to see if I could, but I don’t recommend it)

LGE Accelerometer Sensor
LGE Rotation Vector Sensor

The hack

The only tool that I needed to open up the phone and do most of the work was a simple crosshead screwdriver.

sunrise_screwdriver_2

sunrise_screws_2

The disassembly was trivial as I didn’t need any tools (after the screws were removed).

sunrise_fourpart_2

To disconnect the system board from the back of the LCD screen, just disconnect the top right (earphone) and bottom left (home buttons) cables.

sunrise_homebuttons1_2

sunrise_earphone1_2

The rear camera simply disconnects. The front-facing sensors needed a moderate “push” (with the screwdriver) to disconnect.

sunrise_camoff_2

The microphone needed a moderate “pull” (with the pliers) to disconnect.

sunrise_micon_2

sunrise_micoff_2

As the Ars Technica review mentions, the hardware is very simple. The system board demonstrates that.

sunrise_boardfront_2

The rear speaker was easy to disconnect simply by removing the connecting wires. I didn’t have a good reason to remove this speaker. In my defense, I didn’t actually know (or test) if there was another microphone here. Plus, the vibrator is still attached.

sunrise_backspeaker_2

After all this, the phone booted up without issue. Buy a headset and make end-to-end encrypted calls with Signal, with or without using cell service.

sunrise_reinserted_2

sunrise_backwithout_2

StageFright

Android 4.4.2 is pretty bad. Using Signal would help defend against Stagefright.

CVE-2015-1538
CVE-2015-3829
CVE-2015-3828 (not vulnerable)
CVE-2015-3864
CVE-2015-3827
CVE-2015-3876 (not vulnerable)
CVE-2015-6602
CVE-2015-3824
CVE-2015-6575

Apps I was able to disable

Browser
Calendar
Chrome
Cloud Print
com.android.providers.partner
com.lge.sui.widget
ConfigUpdater
Drive
Favorite contacts Widget
Google Backup Transport
Google Calendar Sync
Google Contacts Sync
Google One Time Init
Google Partner Setup
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Search
Google Text-to-speech Engine
Google+
Hangouts
LG VoiceCommand Speech Pack
Maps
Market Feedback Agent
Mobile Device Management
Multitasking Framework
Music
My Account Downloader
Polaris Office
Setup Wizard
Stret View
TalkBack
Tasks
Voice Command
WAP Service
YouTube