For almost a week now I have been looking for ways to break into com.android.internal.telephony.IccCard and master the supplyDepersonalization() method. For those who also dig in this direction: it will not work. Even with the help of reflection, this is impossible. The only way (I don’t know if I am the first):

  1. Find the modem framework system/framework/telephony-common.jar on the device (as root)

  2. Use any archiver to extract the compiled classes.dex from it

  3. "Turn" it into a jar with the dex2jar utility

  4. And add the resulting archive to your development environment.

Personally, I have AIDE and I just unzipped android.jar and added the previously received archive to its contents.

Eventually

Now we can write in the import section, for example:

    import com.android.internal.telephony.RIL;

And do whatever you want. The point is that all the code associated with the added classes will be successfully compiled and will be executed. I checked this by calling methods in different classes and getting return values.

Now to the point

Now the question itself: I'm trying to get an IccCard interface like this:

    PhoneFactory.makeDefaultPhone(this);
    Phone p = PhoneFactory.getDefaultPhone();
    IccCard i = p.getIccCard();
    boolean x = i.getIccLockEnabled();

As a result, the application hangs (and does not even show a simple layout) when executing the method makeDefaultPhone(). I wondered why and went to look at it:

    public static void makeDefaultPhone(Context context) {
        synchronized(Phone.class) {
            if (!sMadeDefaults) {
                sLooper = Looper.myLooper();
                sContext = context;
                if (sLooper == null) {
                    throw new RuntimeException(
                        "PhoneFactory.makeDefaultPhone must be called from Looper thread");
                }
                int retryCount = 0;
                for(;;) {
                    boolean hasException = false;
                    retryCount ++;
                    try {
                        // use UNIX domain socket to
                        // prevent subsequent initialization
                        new LocalServerSocket("com.android.internal.telephony");
                    } catch (java.io.IOException ex) {
                        hasException = true;
                    }
                    if ( !hasException ) {
                        break;
                    } else if (retryCount > SOCKET_OPEN_MAX_RETRY) {
                        throw new RuntimeException("PhoneFactory probably already running");
                    } else {
                        try {
                            Thread.sleep(SOCKET_OPEN_RETRY_MILLIS);
                        } catch (InterruptedException er) {
                        }
                    }
                }
                sPhoneNotifier = new DefaultPhoneNotifier();
                // Get preferred network mode
                int preferredNetworkMode = RILConstants.PREFERRED_NETWORK_MODE;
                if (TelephonyManager.getLteOnCdmaModeStatic() == PhoneConstants.LTE_ON_CDMA_TRUE) {
                    preferredNetworkMode = Phone.NT_MODE_GLOBAL;
                }
                int networkMode = Settings.Global.getInt(context.getContentResolver(),
                        Settings.Global.PREFERRED_NETWORK_MODE, preferredNetworkMode);
                Rlog.i(LOG_TAG, "Network Mode set to " + Integer.toString(networkMode));
                int cdmaSubscription = CdmaSubscriptionSourceManager.getDefault(context);
                Rlog.i(LOG_TAG, "Cdma Subscription set to " + cdmaSubscription);
                //reads the system properties and makes commandsinterface
                sCommandsInterface = new RIL(context, networkMode, cdmaSubscription);
                // Instantiate UiccController so that all other classes can just call getInstance()
                UiccController.make(context, sCommandsInterface);
                int phoneType = TelephonyManager.getPhoneType(networkMode);
                if (phoneType == PhoneConstants.PHONE_TYPE_GSM) {
                    Rlog.i(LOG_TAG, "Creating GSMPhone");
                    sProxyPhone = new PhoneProxy(new GSMPhone(context,
                            sCommandsInterface, sPhoneNotifier));
                } else if (phoneType == PhoneConstants.PHONE_TYPE_CDMA) {
                    switch (TelephonyManager.getLteOnCdmaModeStatic()) {
                        case PhoneConstants.LTE_ON_CDMA_TRUE:
                            Rlog.i(LOG_TAG, "Creating CDMALTEPhone");
                            sProxyPhone = new PhoneProxy(new CDMALTEPhone(context,
                                    sCommandsInterface, sPhoneNotifier));
                            break;
                        case PhoneConstants.LTE_ON_CDMA_FALSE:
                        default:
                            Rlog.i(LOG_TAG, "Creating CDMAPhone");
                            sProxyPhone = new PhoneProxy(new CDMAPhone(context,
                                    sCommandsInterface, sPhoneNotifier));
                            break;
                    }
                }
                // Ensure that we have a default SMS app. Requesting the app with
                // updateIfNeeded set to true is enough to configure a default SMS app.
                ComponentName componentName =
                        SmsApplication.getDefaultSmsApplication(context, true /* updateIfNeeded */);
                String packageName = "NONE";
                if (componentName != null) {
                    packageName = componentName.getPackageName();
                }
                Rlog.i(LOG_TAG, "defaultSmsApplication: " + packageName);
                // Set up monitor to watch for changes to SMS packages
                SmsApplication.initSmsPackageMonitor(context);
                sMadeDefaults = true;
            }
        }
    }

Well, after carefully reading the code and taking each line apart, I realized that I did not need to go through PhoneFactory. It is enough to create a Phone myself. I'm trying this:

    int cdmaSubscription = CdmaSubscriptionSourceManager.getDefault(this);
    PhoneNotifier sPhoneNotifier = new DefaultPhoneNotifier();
    RIL sRIL = new RIL(this, 9, cdmaSubscription);
    CommandsInterface sCommandsInterface = sRIL;
    GSMPhone gsmPhone = new GSMPhone(this, sCommandsInterface, sPhoneNotifier);
    Phone sProxyPhone = new PhoneProxy(gsmPhone);

DefaultPhoneNotifier has a constructor with a protected access modifier. Moreover, in the official documentation it is not protected at all (it is public). My framework has been modified by the manufacturer. What can be done in this case? Is it possible to create PhoneNotifier somehow differently? How can the unlock code be sent differently?

UPDATE

The framework on the device under test is not modified at all. I noticed that in some versions of Android the constructor is protected, and in others it is not.

  • 1
    In fact, working with these classes through reflection is possible, but inconvenient. You may not have succeeded, for example, because of the incorrect number of arguments passed to the method, but this is not the problem. Try stepping through this method in a debugger and find out why it hangs (I'm assuming an infinite loop) - Vladyslav Matviienko
  • Thank you for responding :) Is it possible to step through this method with a debugger? And if so, where is the debugger in AIDE? Is it breakpoint, by any chance? - Flippy
  • About reflection - it seemed to be like that... but still it was inconvenient :( - Flippy
  • 7
    Are you seriously trying to do such tasks in AIDE? Drop it. This is a complete perversion. - Vladyslav Matviienko
  • You should see the apps and toys that I created in this great app. Thanks to its bugs, I learned a bit more about developing. So, it turns out that there is no debugger in it? - Flippy

1 answer

would you need to marry, sir ...

All that supplyDepersonalization() does is send the AT+CLCK="PS",0,<password> command to the modem. The problem is that the PS (i.e. SIM Lock) service has long been unsupported by manufacturers of modems (baseband).

Try sending the modem the command AT+CLCK=?, which returns a list of supported choices. And if there is no PS, then no perversion on the Android side (application processor) will help you.
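The capability check suggested in this answer, as an added example that is not part of the original answer: a Python parser for a reply to AT+CLCK=? that reports whether a facility such as "PS" is listed. The sample replies are constructed, and how the command reaches the modem (serial port, vendor tool) is left out because it is device-specific.

```python
import re


class ModemError(Exception):
    """The modem answered with ERROR or +CME ERROR instead of a list."""


def parse_clck_facilities(raw):
    """Return the facility codes listed in a reply to AT+CLCK=?."""
    facilities = None
    got_ok = False
    for line in raw.replace("\r", "\n").split("\n"):
        line = line.strip()
        if not line or line.upper().startswith("AT"):
            continue  # blank line or echo of the command itself
        if line == "OK":
            got_ok = True
        elif line == "ERROR" or line.startswith("+CME ERROR"):
            raise ModemError(line)
        elif line.startswith("+CLCK:"):
            # Facilities arrive as a parenthesised list of quoted codes.
            facilities = re.findall(r'"([^"]+)"', line)
    if facilities is None or not got_ok:
        raise ValueError("incomplete reply: missing +CLCK line or final OK")
    return facilities


def supports_facility(raw, fac="PS"):
    """True if the modem lists `fac` among its AT+CLCK facilities."""
    return fac in parse_clck_facilities(raw)


# Constructed sample replies (not captured from a real device).
WITH_PS = ('AT+CLCK=?\r\r\n+CLCK: ("AO","OI","OX","AI","IR","AB","AG","AC",'
           '"FD","SC","PN","PU","PP","PC","PS")\r\n\r\nOK\r\n')
WITHOUT_PS = '\r\n+CLCK: ("AO","OI","OX","AI","IR","AB","AG","AC","FD","SC")\r\n\r\nOK\r\n'
REJECTED = '\r\n+CME ERROR: 3\r\n'

if __name__ == "__main__":
    for name, reply in (("WITH_PS", WITH_PS), ("WITHOUT_PS", WITHOUT_PS)):
        print(name, "PS supported:", supports_facility(reply))
    try:
        supports_facility(REJECTED)
    except ModemError as err:
        print("REJECTED modem error:", err)
```
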

  • Not at all, on one model it worked. - Flippy
  • By "unsupported for a long time" I mean the lack of code implementing this functionality in new versions of the platform support packages that modem chipset manufacturers provide to their customers, the phone manufacturers. In already produced phones, where this functionality was initially included, it of course has not gone anywhere. yours on one model didn’t pull at all, not at all - Pioneer
  • Is it possible to create your own class, inherit it from PhoneNotifier and redefine all its methods? And then just PhoneNotifier sPhoneNotifie = new MyDefaultNotifier()? - Flippy
  • and make the constructor of this class public - Flippy
  • does not work, in the three methods that need to be redefined there are parameters with the type of classes that are not present - Flippy