I am currently working with a couple of different GSM Androids and the Android OS property gsm.sim.state caught my attention. I am interested in knowing just where this property is being defined by the system.
Does anyone know what part of the source code I can refer to in order to see where the OS checks for the SIM in order to assign a value for this property?
Does anyone know if there is a file within a running version of Android that contains this property so that I can modify it?
Thanks for your help.
XDA_BUST said:
I am currently working with a couple of different GSM Androids and the Android OS property gsm.sim.state caught my attention. I am interested in knowing just where this property is being defined by the system.
Does anyone know what part of the source code I can refer to in order to see where the OS checks for the SIM in order to assign a value for this property?
Does anyone know if there is a file within a running version of Android that contains this property so that I can modify it?
Thanks for your help.
Did you ever get a reply to this question or figure out the answer? I'm also interested in how and where to set gsm.sim.state.
I hope this isn't a stupid question. But I couldn't find any real info regarding this. And after reading the Mysteries of Science thread it seemed to me, there really isn't much information regarding such things. So:
I noticed that for almost all Linux-based OSes you can find in-depth descriptions of how the OS works on a basic level. For example, where specific settings are stored.
The guides at android.com deal with app development, but don't specify how you use the OS as a root user. For example, if I want to change WLAN settings, there must be a way to do that without using the GUI or by using special classes but by editing a config file. Or where does Android store the startup settings, i.e. which apps to start at boot time or at specific system events. Or where do apps register as the default app for viewing certain filetypes. There is a description of how to code it, but not of how Android stores that information and how it can be edited/viewed manually.
Since it's Linux-based I guess there are plain text config files for all those things. But where...? Was such information ever released by Google?
bur2000 said:
For example, if I want to change WLAN settings, there must be a way to do that without using the GUI or by using special classes but by editing a config file.
You can change the network interface with the 'ifconfig' command.
You can get the ifconfig command by installing busybox.
There are commands that can be used, but this is still a bit like trial and error. So it seems there is no full documentation on how Android works?
Has Google ever addressed this, do they plan to release such documentation?
Is it me or does the DeviceID of a Viewsonic G always come back as the same thing on every device?
I'm running TNT Lite. Running certain market apps immediately lets me take over an existing account owned by someone else, and other apps tell me my deviceID is already registered and give me the username / email address of the person who registered it.
First, it's a bad idea for an app to identify the user solely on the DeviceID. Second, it's a bad idea (and probably against the Android specifications) for all devices to report the same DeviceID, I would assume.
I've also written an app that tracks mileage for tax purposes. I developed a web based license solution that allows a user to either purchase the "pro" version through the Google Market, or I can also "gift" it to people, identified by their gmail account.
When I gift it to someone, it allows them to register up to three devices associated with their gmail account and it sends me an encrypted one-way hash of the DeviceID. I've seen a couple of the same DeviceIDs associated with users that my own gTab reports.
This also means if anyone tries to set up an app that does any sort of encryption key based on the deviceID that it would be easy to break.
So, long story short, is this a problem with the core Viewsonic build, or is this an effect of TNT Lite? Or are all DeviceIDs the same unless you have a cell radio?
VEGAn 5.1.1 has the same problem... found that out the other night while trying to get Line2 going.
If memory serves correctly there's a hack involving the Android Emulator that I'm adding to my list of todos.
Well I found a post here by Chief Beefalo describing how to do it, but his post is wrong when it comes to the viewsonic.
It's stored in the database at:
/data/data/com.android.providers.settings/databases/settings.db
In the "secure" table is a row with device_id. Just updating that from sqlite should do the trick. It's a 16-digit hexadecimal number.
Of course then you still need to generate a random number that doesn't still conflict with anyone else...
Now the security expert in me starts to think about how bad it would be to write an app that would roll through a ton of deviceid's and log into Pocket Empires (which only locks it down by the deviceid, no password) and trash people's accounts.
I believe you found the android_id ... check out this write up:
http://augendev.wikispaces.com/Market+Fix
Start at step 18.
And I can confirm this works. You can use a tool such as Android ID Changer (on the market) to update your ID. Once that is done you're now free of all the other custom ROM holders.
Line2 is now working great for me!
Here's another link to the same (basic) instructions with a better download link if you have problems with the one above:
http://www.smartqmid.com/wiki/index.php?title=Getting_Android_Market_to_work_with_2.1_v1
Can't I just modify the Android ID with a random 16-hex-digit number? It might be a duplicate with 1 device out there, but that would be better than being a duplicate with every ROM of the same kind?
The emulator solution takes all of maybe 15 minutes. You could also look into stealing 15 of the 32 bytes consumed by a GUID. I'd like to find the code that supposedly regenerates the android id and host it on a web page. Curious to learn what its variability is.
Sent from my Tegra 2 gTab using Tapatalk
This is also what we used to do over on the Pandigital Novel Slatedroid forum. It was called the "ugly" Market hack. Maybe it should have been called the "secure" Market hack.
When I originally got my GTablet, I couldn't figure out how to port the ugly hack over, and eventually we found the other Market hack that we currently use. Also, interestingly enough, I added the xbin folder into TNT Lite originally to get sqlite because of early attempts to get that hack working.
OK. So I tried the emulator path and the problem I have is that I ended up with an 18-digit Android ID instead of the 16. The Android ID application will not let me change the ID to an 18-digit number, only a 16-digit one. Any ideas?
I dropped the first two digits ... go figure
Btw I'm finding the same ID on every ROM ... it is not limited to any one distribution. The only app this has visibly affected for me is Line2. Seems fewer and fewer apps rely on this value... at least on its own. Problem for us is some bring in the IMEI code and all the gTab is going to do is return zeroes there.
Sent from my Tegra 2 gTab using Tapatalk
Synman said:
I dropped the first two digits ... go figure
Btw I'm finding the same ID on every ROM ... it is not limited to any one distribution. The only app this has visibly affected for me is Line2. Seems fewer and fewer apps rely on this value... at least on its own. Problem for us is some bring in the IMEI code and all the gTab is going to do is return zeroes there.
Sent from my Tegra 2 gTab using Tapatalk
So you just dropped the first two digits and it worked? Let me try that!
Thank you!
BTW, I am running Vegan 5.1.1, so this is not a TNT Lite-only problem. I am guessing that any ROM will have this problem.
Agreed. I've seen the same id on vegan 5.1 and chalkilin.
Sent from my Tegra 2 gTab using Tapatalk
A suggestion:
Any coder, or anyone who can modify "SettingsProvider.apk", can change the creation to something else.
On FolioMod and Elocity I changed it to be based on the "ro.firstboot" value, so any new installs will always be different, and yes, it might conflict if any firstboot values match by the second or a minute in other parts of the world, but the chances are small.
It's normally generated from the ro.serialno value.
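As an added example that is not from any post in this thread, a Python sketch of the points raised in the settings.db post above and in the SettingsProvider suggestion just made: the 16-hex-digit shape of the stored value (so an 18-digit candidate is rejected), why an ID derived from a shared serial or a first-boot second collides while 64 random bits need no coordination between devices (birthday bound), and the duplicate-ID check a licence server like the one described earlier would run. All function names, the derivation and the sample reports are constructed here.

```python
import hashlib
import math
import re
import secrets
from collections import defaultdict

# Shape of the value the thread says lives in the "secure" table of
# settings.db: exactly 16 hex digits, i.e. 64 bits.
ANDROID_ID_RE = re.compile(r"^[0-9a-fA-F]{16}$")

# Constructed placeholder for an ID that several devices happen to share.
SHARED_ID = "0123456789abcdef"


def is_valid_android_id(value: str) -> bool:
    """True only for the 16-hex-digit form; an 18-digit value is rejected."""
    return ANDROID_ID_RE.match(value) is not None


def random_android_id() -> str:
    """64 bits from the OS CSPRNG rendered as 16 lowercase hex digits."""
    return secrets.token_hex(8)


def id_from_firstboot(serial: str, firstboot_seconds: int) -> str:
    """Constructed stand-in for a derivation seeded by a serial number and a
    first-boot timestamp: the output is fully determined by its inputs, so two
    units with the same serial that first boot in the same second collide."""
    seed = f"{serial}:{firstboot_seconds}".encode()
    return hashlib.sha256(seed).digest()[:8].hex()


def collision_probability(n_devices: int, bits: int = 64) -> float:
    """Birthday bound: probability that at least two of n independent,
    uniformly random bits-wide IDs coincide, 1 - exp(-n(n-1) / 2^(bits+1))."""
    if n_devices < 2:
        return 0.0
    return -math.expm1(-n_devices * (n_devices - 1) / 2.0 ** (bits + 1))


def id_hash(android_id: str) -> str:
    """One-way hash of an ID, as the licence server in the thread receives."""
    return hashlib.sha256(android_id.encode()).hexdigest()


def duplicated_ids(reports):
    """reports: iterable of (account, id_hash). Returns the hashes that more
    than one distinct account has reported, the symptom described above."""
    owners = defaultdict(set)
    for account, reported_hash in reports:
        owners[reported_hash].add(account)
    return {h for h, accounts in owners.items() if len(accounts) > 1}


# Constructed sample: two accounts report the shared ID, a third a random one.
SAMPLE_REPORTS = [
    ("alice@example.com", id_hash(SHARED_ID)),
    ("bob@example.com", id_hash(SHARED_ID)),
    ("carol@example.com", id_hash(random_android_id())),
]
```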
Hi kernel hackers,
It is getting very silent recently about possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this has been discussed already.... anyway.
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions are accessing registers, that are also involved in low level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
Would be nice to use a modified module and activate some of the blocked features (e.g. DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
scholbert said:
Hi kernel hackers,
It is getting very silent recently about possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this has been discussed already.... anyway.
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions are accessing registers, that are also involved in low level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
Would be nice to use a modified module and activate some of the blocked features (e.g. DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
Well, I'm not a kernel hacker, but I have an educated guess...
I believe that the radio system uses those functions to check whether the kernel is valid or not, so, we have the radio not working with a replacement kernel that is loaded using kexec...
Perhaps, if it is possible to "change" this function using a module, we could get a function always telling the kernel is valid and have kexec working on Milestone. Again, I'm not a kernel hacker, but that is my guess.
Hi, I'm sorry that I won't be much help, but these guys might:
https://www.droid-developers.org/
irc://irc.freenode.net/#milestone-modding
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome.
Cheers,
scholbert
scholbert said:
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome.
Cheers,
scholbert
you don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
SophT said:
you don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
Yeah sure, I knew this.
Anyway, thanks for the hyperlink!
In the meantime I grepped all binaries from the latest distribution.
I found out that two applications are using /dev/sec.
1. dbvc_atvc_property_set
2. tcmd
If someone knows which package of source code they belong to... would save some time searching.
EDIT:
O.K. Google did it for me...
Seems that both binaries are proprietary code. Some early conclusions:
1. dbvc_atvc_property_set
This one is started as a service in init.mapphone_umts.rc and seems to use /dev/sec for granting rights to access OMAP secure world (e.g. read eFuse values for unique device id, IMEI etc.).
This binary contains a certificate which is not Milestone specific (XT720 uses the same).
So right now I don't know if this certificate is needed to access /dev/sec or the application itself identifies itself as a trusted application (signed app).
Would make sense, if the BP uses signed applications to access certain low level functions, e.g. read/write the eFuse bank.
2. tcmd
This one is also started as a service in init.mapphone_umts.rc to access a variety of devices. Seems to be related to data streaming or stuff.
As stated it has an entry for /dev/sec and it got no certificate.
Would be interesting to get some more info about that.
Further comments....
P.S.: This bloody security stuff is making me sick
Regards,
scholbert
Hi again,
I just compared some of the defines in the kernel driver headers (/drivers/misc/sec/sec_core.h) with the ones xvilka reversed inside mbmloader.
Code:
...
#define API_HAL_KM_SOFTWAREREVISION_READ 33 // 0x21
...
#define API_HAL_NB_MAX_SVC 39 // 0x27
#define API_HAL_MOT_EFUSE (API_HAL_NB_MAX_SVC + 10) // 0x31
#define API_HAL_MOT_EFUSE_READ (API_HAL_NB_MAX_SVC + 15) // 0x36
...
For comparison see the table here:
https://www.droid-developers.org/wiki/Secure_Services
It is obvious that /dev/sec allows access to the OMAP secure world and uses the above mentioned API calls to push information to userspace apps.
The question would be whether the ioctl must be certified through the API using some key ...
O.K., I see this is deep-down code creeping, but maybe someone understands what I'm trying to work out.
See ya,
scholbert
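As an added example (not scholbert's code and not from the Milestone sources), a small Python helper for the comparison described in the post above: it parses the `#define` lines quoted from sec_core.h, resolves expressions such as `(API_HAL_NB_MAX_SVC + 10)` against earlier defines without using `eval()`, and diffs the result against a reference table, here the hex values the post annotated in comments, which is where a table transcribed from the Secure_Services wiki would go. The input text is the post's own snippet; the function names are assumptions.

```python
import ast
import operator
import re

# Input: the #define lines quoted from sec_core.h in the post above
# (the "..." lines of the post are omitted).
SEC_CORE_DEFINES = """\
#define API_HAL_KM_SOFTWAREREVISION_READ 33 // 0x21
#define API_HAL_NB_MAX_SVC 39 // 0x27
#define API_HAL_MOT_EFUSE (API_HAL_NB_MAX_SVC + 10) // 0x31
#define API_HAL_MOT_EFUSE_READ (API_HAL_NB_MAX_SVC + 15) // 0x36
"""

DEFINE_RE = re.compile(r"^\s*#define\s+(\w+)\s+(.+?)\s*(?://.*)?$")
ANNOTATION_RE = re.compile(r"^\s*#define\s+(\w+)\s+.*?//\s*(0x[0-9a-fA-F]+|\d+)\s*$")

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.LShift: operator.lshift, ast.BitOr: operator.or_}


def eval_const(expr: str, table: dict) -> int:
    """Evaluate a C integer constant expression made of literals, names from
    table, parentheses, unary minus and + - * << |, by walking the AST."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):
            return table[node.id]          # KeyError: forward/unknown reference
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"unsupported construct in {expr!r}")
    return walk(ast.parse(expr, mode="eval").body)


def parse_defines(text: str) -> dict:
    """Map each integer #define to its value, resolving references to earlier
    defines; function-like macros, strings and unknown names are skipped."""
    table = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if not m:
            continue
        try:
            table[m.group(1)] = eval_const(m.group(2), table)
        except (ValueError, KeyError, SyntaxError):
            continue
    return table


def annotations(text: str) -> dict:
    """The values written in the trailing // comments, as a reference table."""
    return {m.group(1): int(m.group(2), 0)
            for m in map(ANNOTATION_RE.match, text.splitlines()) if m}


def compare_with_table(defines: dict, reference: dict) -> dict:
    """Names whose values differ or are missing on one side: {name: (got, ref)}."""
    return {name: (defines.get(name), reference.get(name))
            for name in set(defines) | set(reference)
            if defines.get(name) != reference.get(name)}
```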
scholbert said:
O.K., I see this is deep-down code creeping, but maybe someone understands what I'm trying to work out.
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
I would like so much to fully understand what you are doing, but I can understand just a little..
btw I hope that you'll be glad to know that you have all my psychological support!
mystichobo said:
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps there's some bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
puffo81 said:
I would like so much to fully understand what you are doing, but I can understand just a little..
btw I hope that you'll be glad to know that you have all my psychological support!
Thanks a lot for pointing out
Best regards,
scholbert
scholbert said:
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps there's some bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
That's what I thought
Surprised no one has looked into it earlier really.
Anyway good luck with it, adding my moral support too.
Cheers,
hobo
mystichobo said:
Surprised no one has looked into it earlier really.
Anyway good luck with it, adding my moral support too.
I got into contact with xvilka.
Obviously there'd been some investigations concerning this issue.
To be honest, I don't know if it's worth digging a little deeper or if it will ever lead to something useful in the end. Could be fun though.
Perhaps it would be a nice idea to tweak the driver and put some debug messages in the code.
Another interesting thing to do would be a logging function.
This way it would be possible to get some insights of the API to secure monitor.
Anyway, I think it's never useless to discuss some hacking here. At least we're at xda-developers.
If you like to tweak some kernel code, join in!!!
Have fun!
scholbert
Hi,
Currently in the process of trying to edit the NFC source files of Java to change some of the functionality of the HCE feature of Android versions 4.4 and above.
I've downloaded the source and installed a custom version of AOSP to my Nexus 7, and am now looking to start adding my own code. However, when looking at how these source files are used/called I'm running into some trouble.
Are there any Kernel Trace programs available, to see what files/functions are being called and in which order, so I can start looking to add my own modifications to the source?
Any help is appreciated,
Thanks - Jay
XPosed
If the Java part of HCE is all you are interested in you may want to give a try to the Xposed framework [1].
The framework will allow your app to hook into any JAVA system call on a rooted device. You can e.g. hook into HostEmulationManager.notifyHostEmulationData and log or even manipulate any APDU received. You will find a short tutorial at [2]. At [3] you will find a small Xposed module targeting HCE. It is a new framework but no big deal after all.
I'm interested in HCE too and gained some experience over the last weeks so what exactly are you trying?
[1] http://repo.xposed.info/
[2] http://forum.xda-developers.com/showthread.php?t=2709324
[3] http://forum.xda-developers.com/showthread.php?t=2573430
Hi Thomas
Essentially at my university, we have student cards that are MiFare Classic 1/4k RFID cards, that when placed up against a scanner outside of buildings/labs, scans the UID of the card and checks if the student is allowed access.
When Emulating a tag on an Android device, the UID (Not the AID) is randomly set. This is (I believe) set in the libnfc-nci code at the lower levels of Android, and so will require modifications at that level, and the levels above to allow me to pass a specific UID down the Android stack that will then be set.
I asked a similar question on Stackoverflow and got the following response:
http://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-android
Essentially I'm looking for a way to find out what code is called when HCE is turned on, to find where the UID is set - after that I can look at passing my own ID down from an app to set it myself.
Hi, I want to know if it's possible to convert an app to not use Parse as an admin panel but host it on my own server... I want to buy an Android source code that seems perfect for the app I want to do (as a base), but it uses Parse as an admin panel... and I don't want that... I want to host and manage 100% of the app on my own server so if Parse shuts down my app will still be up and running....
Thanks
It's possible. The effort needed depends on the factors below:
1. If the code that gets/puts/modifies data from/to parse is written in a way that it can be changed easily (ex: if the logic is present at one place example: GetAdminData(), AddAdministrator())
2. If the code that gets/puts/modifies data from/to parse is used everywhere with no proper structure.
For (1) changes will be minimum
For (2) Changes are huge -> need to analyze the current design, upgrade, regress and test
Need to do a complete code inspection & analysis for (2).
Cost & time will bump up for (2) relative to (1)
Thanks! The script I want to buy is
www.chupamobile.com/android-full-ap...r-create-your-location-based-android-app-7775
So what simple question should I ask the developer on his sale page to know if the answer is 1 or 2?