[GUIDE] Automatic dual sim switching on latest official OTA - OnePlus 6 Guides, News, & Discussion

TL;DR:
You need root.
Shell command with root privileges to toggle sim programatically:
Code:
service call phone 162 i32 x i32 y
Where x is 0 for SIM1 and 1 for SIM2, and y is 0 to disable and 1 to enable.
For example:
Code:
service call phone 162 i32 1 i32 0
will disable SIM2 and
Code:
service call phone 162 i32 1 i32 1
will enable it.
Longer version, and how to find the magic "162" number:
You need:
1. vdexExtractor
2. jadx
Step by step:
1. Pull /system/framework/arm64/boot-framework.vdex
2. extract it with vdexExtractor, you should get some dex classfiles.
3. Open them with jadx and find the one that contains com.android.internal.telephony.ITelephony
4. Navigate to the class with jadx and locate the value of TRANSACTION_setSimPowerStateForSlot, this is your magic number.
After you have the command you can use for example Tasker to enable and disable the SIM card.
The only downside of using this method is that major Android version bumps will most likely break this, as the numbers vary from android build to android build.

Spent a few hours trying to figure this out for Oreo only to find your post about 5s before I found the solution myself! Many thanks. I've linked your post here to go with my N-only guide.

Sweet, I've been looking for a solution for this on my Oneplus 5 and this works perfectly with Tasker.

I tried this op OP6T but it doesn't seem to work. Can someone confirm? Maybe the 'magicnumber' differs.
I pulled the vdex file, but I don't know how to extract it with that command line tool vdexExtractor. Can someone help me with this? Here's the file

Maybe a dumb question, but what is enabled by this feature?

ChemoNL said:
Maybe a dumb question, but what is enabled by this feature?
Click to expand...
Click to collapse
Well it gives you the opportunity to run a Tasker command to toggle SIM state. For example disable a SIM during a certain time-frame. Automation FTW!
BTW can someone tell if this function will still work in the light of https://www.androidpolice.com/2018/11/12/tasker-lose-sms-call-functionality-google-security-changes/

help
projection said:
TL;DR:
You need root.
Shell command with root privileges to toggle sim programatically:
Code:
service call phone 162 i32 x i32 y
Where x is 0 for SIM1 and 1 for SIM2, and y is 0 to disable and 1 to enable.
For example:
Code:
service call phone 162 i32 1 i32 0
will disable SIM2 and
Code:
service call phone 162 i32 1 i32 1
will enable it.
Longer version, and how to find the magic "162" number:
You need:
1. vdexExtractor
2. jadx
Step by step:
1. Pull /system/framework/arm64/boot-framework.vdex
2. extract it with vdexExtractor, you should get some dex classfiles.
3. Open them with jadx and find the one that contains com.android.internal.telephony.ITelephony
4. Navigate to the class with jadx and locate the value of TRANSACTION_setSimPowerStateForSlot, this is your magic number.
After you have the command you can use for example Tasker to enable and disable the SIM card.
The only downside of using this method is that major Android version bumps will most likely break this, as the numbers vary from android build to android build.
Click to expand...
Click to collapse
what if i cant find TRANSACTION_setSimPowerStateForSlot even in nougat?

for what reason someone need to do such thing?

more_than_hater said:
for what reason someone need to do such thing?
Click to expand...
Click to collapse
My reason is that I only want to be reached on my work number during work hours. So in my case I disable sim2 at 1600 when I go home from work, and then I enable it right before I start working again.
The apps available for this don't work on my phone (opo5) so this was the only way I could find.

Vledderos said:
I tried this op OP6T but it doesn't seem to work. Can someone confirm? Maybe the 'magicnumber' differs.
I pulled the vdex file, but I don't know how to extract it with that command line tool vdexExtractor. Can someone help me with this? Here's the file
Click to expand...
Click to collapse
same here. i have no idea how to extract the vdex file ........

projection said:
TL;DR:
You need root.
Shell command with root privileges to toggle sim programatically:
Code:
service call phone 162 i32 x i32 y
Where x is 0 for SIM1 and 1 for SIM2, and y is 0 to disable and 1 to enable.
For example:
Code:
service call phone 162 i32 1 i32 0
will disable SIM2 and
Code:
service call phone 162 i32 1 i32 1
will enable it.
Longer version, and how to find the magic "162" number:
You need:
1. vdexExtractor
2. jadx
Step by step:
1. Pull /system/framework/arm64/boot-framework.vdex
2. extract it with vdexExtractor, you should get some dex classfiles.
3. Open them with jadx and find the one that contains com.android.internal.telephony.ITelephony
4. Navigate to the class with jadx and locate the value of TRANSACTION_setSimPowerStateForSlot, this is your magic number.
After you have the command you can use for example Tasker to enable and disable the SIM card.
The only downside of using this method is that major Android version bumps will most likely break this, as the numbers vary from android build to android build.
Click to expand...
Click to collapse
i've succesfully extracted boot-framework.vdex and obtained 3 new files:
boot-framework_classes.cdex
boot-framework_classes2.cdex
boot-framework_classes3.cdex
but using jadx i don't get any result... just an empty window
btw: i'm on op5t running pie

alessandro_xda said:
TL;DR:
You need root.
Shell command with root privileges to toggle sim programatically:
Where x is 0 for SIM1 and 1 for SIM2, and y is 0 to disable and 1 to enable.
For example:
will disable SIM2 and
i've succesfully extracted boot-framework.vdex and obtained 3 new files:
boot-framework_classes.cdex
boot-framework_classes2.cdex
boot-framework_classes3.cdex
but using jadx i don't get any result... just an empty window
btw: i'm on op5t running pie
Click to expand...
Click to collapse
Any luck with this? I am on pie op5t also and want to be able to switch on and off

BigBrosMo said:
Any luck with this? I am on pie op5t also and want to be able to switch on and off
Click to expand...
Click to collapse
I gave up

I had success. Oneplus 5 with Pie
I discovered that with Pie it is necessary another step between 2 and 3, because the step 2 now gives .cdex files (compact dex) instead of the .dex files, and jadx (at least the versions I tried) can read only .dex files.
In the github page of vdexExtractor I found a section about the vdexExtractor#compact-dex-converter, that is necessary to convert .cdex to .dex.
I used the Linux x86-64 - Statically compiled binaries, the shared libraries version didn't work on my Virtual Machine with linux Mint (I have only windows 10 on my pc)
Using that converter I obtained the .dex files that jadx can read and follow step 3 and 4 of the guide.
I hope to be of some help

dragone17 said:
I had success. Oneplus 5 with Pie
...
In the github page of vdexExtractor I found a section about the vdexExtractor#compact-dex-converter, that is necessary to convert .cdex to .dex.
I used the Linux x86-64 - Statically compiled binaries, the shared libraries version didn't work on my Virtual Machine with linux Mint (I have only windows 10 on my pc)
Click to expand...
Click to collapse
That's great! I am on an island right now in Thailand and with only a win7 machine. I would live to get this working as I don't want both Sims on all the time to conserve battery, and would like to automatically check my home SIM once and awhile in the background. While I am quite comp savvy I dont have the time/bandwidth to compile a Linux distro or virtual machine just to run this converter... Or... Do I even need to? What's the quickest and dirtiest method for me to find my "magic number"?
And is that number unique to the install or my IMEI? Like if I reinstall/upgrade the os do I need to redo the process or would it remain the same?

I'm sorry but I don't know if you can run vdexExtractor on windows. If it is possible, I couldn't find how. But jadx have a version with gui compiled to run on windows.
I suppose that the "magic number" depends on the os version, and maybe the phone model.
It didn't change for me on the various minor upgrades on oreo (5.1.5, 5.1.6, 5.1.7), and now it didn't change on the minor pie upgrades (9.0.2, 9.0.3).
Not sure if the number is the same on the various oneplus devices.

alessandro_xda said:
I gave up
Click to expand...
Click to collapse
Had the same problem. Extracted .cdex files I couldn't read from jadx and anything else I tried. Was about to give up, then just guesstimated. Most of the numbers I found were between 150-180, so I just experimented within that range and hit the magic number.

vkrin said:
Had the same problem. Extracted .cdex files I couldn't read from jadx and anything else I tried. Was about to give up, then just guesstimated. Most of the numbers I found were between 150-180, so I just experimented within that range and hit the magic number.
Click to expand...
Click to collapse
is there a way to read the current value before changing it?

The ID on OnePlus 7 on Pie is 175.
No idea if it's the same on the OP6 though.

My phones magic number was "177"
Op6 beta 16
Havoc 2.6

Related

Diagnose port (QXDM)

There is a command radiooptions we can run to enable QXDM, which should be the radio diagnose port. But don't know what's enabled, and where to read the diagnose messages. Please help...
It's interesting when run radiooptions with parameter 3, from /dev/smd0, we can read this line: [WCDMA] SDLOG Fail (no.-2)
And here is the radiooptions command help:
Usage: radiooptions [option] [extra_socket_args]
0 - RADIO_RESET,
1 - RADIO_OFF,
2 - UNSOL_NETWORK_STATE_CHANGE,
3 - QXDM_ENABLE,
4 - QXDM_DISABLE,
5 - RADIO_ON,
6 apn- SETUP_PDP apn,
7 - DEACTIVE_PDP,
8 number - DIAL_CALL number,
9 - ANSWER_CALL,
10 - END_CALL
blues said:
There is a command radiooptions we can run to enable QXDM, which should be the radio diagnose port. But don't know what's enabled, and where to read the diagnose messages. Please help...
It's interesting when run radiooptions with parameter 3, from /dev/smd0, we can read this line: [WCDMA] SDLOG Fail (no.-2)
And here is the radiooptions command help:
Usage: radiooptions [option] [extra_socket_args]
0 - RADIO_RESET,
1 - RADIO_OFF,
2 - UNSOL_NETWORK_STATE_CHANGE,
3 - QXDM_ENABLE,
4 - QXDM_DISABLE,
5 - RADIO_ON,
6 apn- SETUP_PDP apn,
7 - DEACTIVE_PDP,
8 number - DIAL_CALL number,
9 - ANSWER_CALL,
10 - END_CALL
Click to expand...
Click to collapse
Do you have an SD card in the phone?
Yes, I do have the 1G SD card come with the phone
Does it work for you?
Update:
Update: I noticed the sdcard is readonly when it is connected to my XP PC.
I have disconnected the usb storage. Now I can see sdcard is writable.
But still the QXDM is not working for me.
In Normal HTC CDMA Device Such Programmed are called automatically by just Pressing the Codes in Dialer of Phone
in CDMA
##3424# goes to PST ( Diagnostic Port ) but this command dont work in G1
When i dial this it says USSD Code Running but Flashes error " Connection problem or invalid MMI Code"
when i run
##778# ( ##pst# ) and dial it show " UNKNOWN APPLICATION "
Some of the G1 Source Pointing ## as Starting Code for Diagnostic Method
Code:
/* Example of how to route a call to another Application. */
58 if (POUND_POUND_SEARCH && number.startsWith("##")) {
59 Intent newIntent = new Intent(Intent.ACTION_SEARCH);
60 newIntent.putExtra(SearchManager.QUERY, number.substring(2));
61 newIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
62 context.startActivity(newIntent);
63 setResultData(null);
64 }
The Radio Option is defined in Following File of Android
http://git.source.android.com/?p=pl...2;hb=dbbb392e15b5ace6f19e76c49c80ea14292e8a4d
Which is
[platform/hardware/ril.git]/rild/radiooptions.c
are there any news on the diagnose port?
I'd love to be able to access some of the information using an app on the phone
I have looked at this app before. You can initiate calls, terminate calls and turn the radio on/off but the QXDM functions don't do anything. I have noticed that the Dalvik Debug Manager has an option to "dump radio state" when a device is connected, but it gives an error about a logfile that is missing. Perhaps this logfile is where QXDM messages are sent to.
You can type "logcat -b radio" to see the error msg too.
The app calls ril lib to send the AT commonds to the SMD0 port (shared memory channel between the application processor and radio processor). And the radio processor receives this AT commond, and if the software (AMSS?) runs on the radio chip (ARM9?) is configurated correctly, then it should produce the log.
Any one has the experince to reverse the firmware on the radio chip? I guess it is a simple switch we can turn it on if we knows the AMSS thing.
Any updates??
Check this out!
You may want to take a look at my post. This will virtually work with any device who's kernel source is released . http://forum.xda-developers.com/showthread.php?t=948360
Sorry to revive such an old post, but do your link doesn't work anymore. I need this info, thanks!

[GUIDE][CWM] WLAN Calibration and MAC address fix [CM]

This is for CyanogenMod and its derivates. Stock ROMs should be fine.
If you are inrested in editing your MAC address, there's a guide linked below. I don't know if stock ROMs will automcatically correct the MAC. In this case I think you have to edit /efs/imei/.nvmac.info (read more something about /efs before playing with it!)
Click to expand...
Click to collapse
The easiest way to do the calibration is:
Turn wifi ON and run
Code:
tiwlan_plts -n
This is the script called from a oneshot init service in my init.latona.rc if someone is interested. It will calibrate and correct the MAC automatically, even after a data wipe:
Code:
#!/system/bin/sh
if [ ! -f /data/misc/wifi/nvs_map.bin ]; then
insmod /system/lib/modules/tiwlan_drv.ko
/system/bin/tiwlan_loader -i /system/etc/wifi/tiwlan.ini -f /system/etc/wifi/firmware.bin
/system/bin/tiwlan_plts -n
rmmod tiwlan_drv
fi
____________________________________
Older method
Click to expand...
Click to collapse
UPDATE: I found an easy way to get the real MAC.
Download the apk attached or run the following commands:
Code:
su
mount -o remount,rw /system
ln -s /system/lib/modules/tiwlan_drv.ko /system/etc/wifi/tiwlan_drv.ko
#Make sure wifi is off
./mfgloader -l #Take the binary from a stock ROM
./mfgloader -u
rm /system/etc/wifi/tiwlan_drv.ko
mount -o remount,ro /system
After that your MAC address shoud begin with D0:C1:B1 and not 08:00:28.
To see your current MAC: System Settings > About phone > Status (turn wifi on)
Click to expand...
Click to collapse
____________________________________
This is the first post with some more informations about the calibration
Click to expand...
Click to collapse
While I was reading some logs, I noticed these lines
Code:
TIWLAN: 1089.979242: Starting to process NVS...
TIWLAN: 1089.983698: No Nvs, Setting default MAC address
TIWLAN: 1089.989007: pHwInit->uEEPROMCurLen: 1c
TIWLAN: 1089.993462: ERROR: If you are not calibating the device, you will soon get errors !!!
...
TIWLAN: 1094.726827: Station ID : 08-00-28-12-03-58
...
You can see that the device is not calibrated and that the default MAC address is assigned.
Each device should have a unique MAC address, two devices with the same MAC address in the same network will give problems.
________
UPDATE
I made two flashable files:
wlan_calibration.zip will only do the calibration
wlan_calibration_rand.zip will do the calibration and will randomize the last three octets of the address
Click to expand...
Click to collapse
If you still want to do it on your own, here the guide:
_______________
WLAN Calibration
Here the steps you need to follow (taken from: WLAN Calibration):
1) Turn wifi off
2) From ADB/terminal emulator run the following commands [1]:
Code:
$ su
# cd /data/misc/wifi
# insmod /system/lib/modules/tiwlan_drv.ko
# start wlan_loader
# ifconfig tiwlan0 up
# tiwlan_cu -b
/ w p 1 l 2 f 2
/ t b v 21
/ t b t 1 0 0 0 0 0 0 0
/ q
# rmmod tiwlan_drv
This will create this file: /data/misc/wifi/nvs_map.bin. If it's not there, you did something wrong.
After that you should not get the error while turning wifi ON.
________
MAC address fix
Even after the calibration, you'll still have the default MAC address (Station ID : 08-00-28-12-03-58). But no problem, you can 'easly' change it: Editing the MAC Address.
You need to get the newly created /data/misc/wifi/nvs_map.bin and edit it with an hex editor as described in the guide linked above.
I still don't know if the calibration will improve anything, but it surely won't hurt:
For optimal Wi-Fi performance it is mandatory to calibrate the Wi-Fi hardware
Click to expand...
Click to collapse
NOTE: nvs_map.bin is in /data, so if you do a factory reset you have to do this again.
___
[1]
ADB: System settings > Developers options (ON) > Root access > Apps and ADB
Wow...good solution buddy. I think u shouldpost this in development thread. People dont look much in general thread.
this should be added to the cm9/10 instalation .zip file
I did flash the zip file, ran the other commands thru terminal and see the file /data/misc/wifi/nvs_map.bin.
I don't understand the next step to be done.
I cannot open the bin file using hexeditor, I gave it root access.
And, in case i open it what mac address should i use? Is some address hard coded to each phone?
Hetalk said:
I did flash the zip file, ran the other commands thru terminal and see the file /data/misc/wifi/nvs_map.bin.
I don't understand the next step to be done.
I cannot open the bin file using hexeditor, I gave it root access.
And, in case i open it what mac address should i use? Is some address hard coded to each phone?
Click to expand...
Click to collapse
I don't know how MAC are assigned, I simply randomized the last part of the address (I kept the first part: 80:00:28).
Anyway I just uploaded a new zip file to make things even simpler. It will automatically randomize the last four three groups. If you want to use it, you need to delete /data/misc/wifi/nvs_map.bin first. EDIT: I changed the script, now you can do the calibration without removing the file.
Anyway I don't know what's wrong with your editor, I did it from my computer.
I tried using hex editor from play store.
I'll try the new zip tomorrow..
As I wrote in the OP, today I found the way to get the original MAC.
I don't know what is needed to make the commands work while in recovery (services needed etc...), so I made a dummy app (I simply adapted the code of an app I made few days ago to do a similar thing).
No fancy icon (it's the default one), no checks, ugly etc... It simply does the job (my Java knowledge is almost zero)
EDIT:
I almost forgot to say that the real MAC is in /efs/imei/.nvmac.info. It was the first place where I looked, but it's an hidden file an I didn't see at first.
bam....
Dear @loSconosciuto
I following this guide to solve the problem that actually I have in my phone with CM 11. In the Status menu, "non available" appears in my device WIFI mac. I following the guide step by step and I couldn't change it.
Could you help me?
carniman78 said:
Dear @loSconosciuto
I following this guide to solve the problem that actually I have in my phone with CM 11. In the Status menu, "non available" appears in my device WIFI mac. I following the guide step by step and I couldn't change it.
Could you help me?
Click to expand...
Click to collapse
This guide is for the kernel 2.6.35 which uses a completely different driver, it's quite an old thread. The calibration is done in a different way and I don't think that's the problem.
I'm not using CM11, so it's quite hard for me to know exactly what's wrong.
loSconosciuto said:
This guide is for the kernel 2.6.35 which uses a completely different driver, it's quite an old thread. The calibration is done in a different way and I don't think that's the problem.
I'm not using CM11, so it's quite hard for me to know exactly what's wrong.
Click to expand...
Click to collapse
Ok, sir. Thank you for your help.
Hi there
trying to fix Samsung s4 active i9295 wifi problem. at least got the MAC address showing (was 02:lots of zeroes) still unable to start wifi. is there anything else I should search for? tiwlan_drv.ko was not there so I downloaded it sepparately. do I need some more modules to be added? using stock 4 file engineering FW Android 5.0.1

[ROOT] Universal (temporal) root tool for dirtycow-capable Android M devices

Hi,
I've developed an universal & stable temporal root tool for "dirtycow-capable" Android M (and N?), i.e., without the 2016-11-06 patch.
It bypasses selinux via a vdso backdoor inside the init process which is injected by a memory-only dirtycow exploit.
This approach has the following advantages:
Memory-only: does not modify the filesystem
Scalable: easy to add new kernel and/or new devices
Stable: does not affect stability of your device
Reversible: the backdoor is cleared immediately after the root shell ends, which means no reboot is required after usage
Please use version v0.1.1 instead of v0.1 which has a severe bug!
Attention:
By "SELinux bypass" I mean the payload will run in init domian even if SELinux is in enforcing mode, however, a patch to sepolicy is still needed for making init domain unconfined. Usually this means a modified boot image is required.
Details, releases, usage and the source code is available at Github.
Maybe I'll turn it into a SuperSU installer in the future. Donations are welcome.
XDA:DevDB Information
VIKIROOT, Tool/Utility for all devices (see above for details)
Contributors
hyln9
Source Code: https://github.com/hyln9/VIKIROOT
Version Information
Status: Testing
Created 2017-01-20
Last Updated 2017-01-21
Hi, I am working on the LG Tribute HD model LGLS676 and we are looking for an exploit for MM 6.0.1 build MXB48T. is it possible to create a 32-bit version of this exploit? It's exactly what we need right now for a method to gain root as not even temp is not even close to possible, lg has this one airtight. I'm running Ubuntu 16.04.01 64 bit and can help test if needed on my device. Thanks in advance for any help you can or cannot provide ?
Sands207 said:
Hi, I am working on the LG Tribute HD model LGLS676 and we are looking for an exploit for MM 6.0.1 build MXB48T. is it possible to create a 32-bit version of this exploit? It's exactly what we need right now for a method to gain root as not even temp is not even close to possible, lg has this one airtight. I'm running Ubuntu 16.04.01 64 bit and can help test if needed on my device. Thanks in advance for any help you can or cannot provide
Click to expand...
Click to collapse
Thanks for your reply.
Unfortunately, 32-bit vDSO support is not available for Android currently.
hyln9 said:
Thanks for your reply.
Unfortunately, 32-bit vDSO support is not available for Android currently.
Click to expand...
Click to collapse
Could we use a different backdoor/exploit for x86 devices?
AptLogic said:
Could we use a different backdoor/exploit for x86 devices?
Click to expand...
Click to collapse
Great idea, I'll have a try in the emulator.
Hello and thank you for this!
I am stuck and need your help here please... I'm on an LG V10 (H960A) mm, and I think I followed the instructions on GitHub correctly:
1. Extracted the "exploit" binary
2. adb push /data/local/tmp
3. adb shell (cd to /data/local/tmp and made "exploit" executable)
4. Executed the "exploit"
and now I am stuck in "waiting for reverse connect shell". Turning device on/off, toggling Bluetooth etc does nothing... How should I proceed? Thanks in advance!
ftaios said:
Hello and thank you for this!
I am stuck and need your help here please... I'm on an LG V10 (H960A) mm, and I think I followed the instructions on GitHub correctly:
1. Extracted the "exploit" binary
2. adb push /data/local/tmp
3. adb shell (cd to /data/local/tmp and made "exploit" executable)
4. Executed the "exploit"
and now I am stuck in "waiting for reverse connect shell". Turning device on/off, toggling Bluetooth etc does nothing... How should I proceed? Thanks in advance!
Click to expand...
Click to collapse
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
@hyln9 how goes the looking for a 32bit exploit? I'm available to test any developments that have been made, using an AT&T Galaxy S5 running Android 5.0 ((I can upgrade to 5.1.1 or 6.0 if needed)
(Try exploiting wpa_supplicant )
hyln9 said:
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
Click to expand...
Click to collapse
Just sent them to you...
hyln9 said:
A debug version was added to the download page.
Would you please run it as before and send me the two generated debug info file "vdso_orig.so" and "vdso_patched.so" to me? They are just dump of some part of kernel and don't contain any personal information.
My e-mail address is: hyln9$live.cn (replace $ with @)
Thanks!
Click to expand...
Click to collapse
I also sent!!
Is there any way this can with for the at&t lg g5 h820 I believe. I hope so that is the only thing I hate with this phone. No root. So boring.
What port should we be using? When I use the non-debug version it hangs waiting for the reverse connection... using the debug version it dies before even creating a log file it says: "Internal error: unknown kernel." I'm running an AT&T G5 (H820) without the latest patches...
rvyhmeister said:
What port should we be using? When I use the non-debug version it hangs waiting for the reverse connection... using the debug version it dies before even creating a log file it says: "Internal error: unknown kernel." I'm running an AT&T G5 (H820) without the latest patches...
Click to expand...
Click to collapse
did you reboot phone?
and maybe you don't get error.
Not executable 64 bit elf file?
jcpowell said:
Not executable 64 bit elf file?
Click to expand...
Click to collapse
That means you're trying to run this 64 bit exploit on a 32 bit android system. The exploit doesn't work on 32 bit because 32bit systems don't have vdso. I'm working on a different exploit and I think this dev is too but I don't expect much out of my tests since it's mostly device specific.
iptr9 said:
did you reboot phone?
and maybe you don't get error.
Click to expand...
Click to collapse
Rebooted... running the debug
Now I get this
Syscall error: bind at line 392 with code 13.
No files are created... what port should I tell it? Thanks!
rvyhmeister said:
Rebooted... running the debug
Now I get this
Syscall error: bind at line 392 with code 13.
No files are created... what port should I tell it? Thanks!
Click to expand...
Click to collapse
maybe you have to cd into /data/local/tmp
and then ./exploit
iptr9 said:
maybe you have to cd into /data/local/tmp
and then ./exploit
Click to expand...
Click to collapse
I've done that... the interesting thing is that if I run simply
./exploit
it replies
CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
Usage:
./exploit port: use local terminal.
./exploit ip port: use remote terminal.
If I enter any number, it then fails...
rvyhmeister said:
I've done that... the interesting thing is that if I run simply
./exploit
it replies
CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
Usage:
./exploit port: use local terminal.
./exploit ip port: use remote terminal.
If I enter any number, it then fails...
Click to expand...
Click to collapse
try a port above 1024
saspipi said:
try a port above 1024
Click to expand...
Click to collapse
thanks.... it starts fine.... but then hangs waiting for the reverse shell to connect.... I've got the zip with the two debug files that I'm attaching

[Guide] [Android 6.0+] Change Device Model Name (Additional Steps Required)

Starting from Android Marshmallow and above, simply changing the ro.product.model entry in /system/build.prop will not change the device's name everywhere. The build.prop change can only be seen in Settings > About phone.
Introduced in 6.0, Android stores your device name in an additional location, in addition to the build.prop entry. It is stored in a database in your phone's memory. The value in the database is populated the first time you boot up your device (after installing ROM for example), so even if you alter the device name in build.prop, apps can still detect your "old" device name through the database entry.
In the past, the database was stored in a file, but since Marshmallow Settings Storage (com.android.providers.settings) stores a bunch of your phone's settings in memory. Here is how you can change your device's model name.
1. You should modify the ro.product.model entry your /system/build.prop if you haven't already:
Example:
Code:
ro.product.model=My Phone Model Name
2. Next, connect your device to the computer, make sure you have ADB installed.
Alternatively, you can use Terminal Emulator on your device. Run the commands below as root user, but do not include the adb shell part.
3. Execute the following to see the device name stored in the device's Settings database:
Code:
adb shell settings get global device_name
It should return your current device name, <DEVICE_NAME>.
4. Replace the existing model name with a new one:
Code:
adb shell settings put global device_name "<NEW_DEVICE_NAME>"
For example, if I want to change my device name to My Phone Model Name, I would issue the following command:
Code:
adb shell settings put global device_name "My Phone Model Name"
6. Now check to see the device name is updated (same as first command)
Code:
adb shell settings get global device_name
It should now return the updated device name. E.g, My Phone Model Name
Next, reboot your device and apps should correctly detect your new device name.
I hope this helps! Feel free to leave any questions or comments in this thread.
Additional Resources:
@piit79 has a similar tutorial for changing your device's ID, also for Marshmallow and above:
https://forum.xda-developers.com/ne...android-id-t3219345/post63168322#post63168322
Good tutorial, but I would recommend using simpler ADB commands.
For example, change this:
adb shell content insert --uri content://settings/global --bind name:s:device_name --bind value:s:<DEVICE_NAME>
to this:
adb shell settings put global device_name <DEVICE_NAME>
MishaalRahman said:
Good tutorial, but I would recommend using simpler ADB commands.
For example, change this:
adb shell content insert --uri content://settings/global --bind name:s:device_name --bind value:s:<DEVICE_NAME>
to this:
adb shell settings put global device_name <DEVICE_NAME>
Click to expand...
Click to collapse
Thanks, that makes it much simpler. Seems like the put command overwrites the existing value for you.
wow, good job, this looks really good (though i don't need it right now, it is good to know it's possible). my question is, would something similar be possible for the name of the rom and kernel? i'd like my bank's app to think i'm on stock, it does check safetynet but even with magisk and passed safetynet it doesn't work on any other rom than stock.. thanks in advance for your answer!
Google Photos
Will this enable Google Photos full size backup if I rename my 6P to Pixel XL?
This looks like it only changes the device name, that we can change through settings anyways. Editing the build.prop changed the model, but nothing else has changed that I can tell. For example, my Note 3 is running an S7 Edge port, the device and model name have been changed back to SM-900V (for the Note 3) but the product is still showing hero2ltexx. I realize that's just another build.prop line.
There is a huge possibility that this is doing just what it was intended to do and I daydreamed some imaginary far off results, but I figured I'd list it in case it was any help...thank you
bombaglad said:
wow, good job, this looks really good (though i don't need it right now, it is good to know it's possible). my question is, would something similar be possible for the name of the rom and kernel? i'd like my bank's app to think i'm on stock, it does check safetynet but even with magisk and passed safetynet it doesn't work on any other rom than stock.. thanks in advance for your answer!
Click to expand...
Click to collapse
Hi, the ROM and kernel information are not stored in the global settings database. However, you can try modifying your ROM name in the /system/build.prop file.
prwnd said:
Will this enable Google Photos full size backup if I rename my 6P to Pixel XL?
Click to expand...
Click to collapse
I'm not sure, but I think the device name must be set to Pixel XL when you set up your device for the first time. This is why full-size Photo backups work on custom "Pixel" ROMs (for non-Pixel devices).
I'm sure you can do it with terminal emulator on rooted device, so no ADB and PC is needed.
minimale_ldz said:
I'm sure you can do it with terminal emulator on rooted device, so no ADB and PC is needed.
Click to expand...
Click to collapse
You are right, if using Terminal on your device, you must be root user and use the same commands but remove the adb shell part.
I got this:
Too many arguments
usage: settings [--user NUM] get namespace key
settings [--user NUM] put namespace key value
settings [--user NUM] delete namespace key
settings [--user NUM] list namespace
namespace' is one of {system, secure, global}, case-insensitive
If '--user NUM' is not given, the operations are performed on the owner user.
Xperia M4 Aqua E2303
EDIT: OK; old method worked for me. Successfuly changed it. New method didn't work.
srdjanLeo said:
I got this:
Too many arguments
usage: settings [--user NUM] get namespace key
settings [--user NUM] put namespace key value
settings [--user NUM] delete namespace key
settings [--user NUM] list namespace
namespace' is one of {system, secure, global}, case-insensitive
If '--user NUM' is not given, the operations are performed on the owner user.
Xperia M4 Aqua E2303
EDIT: OK; old method worked for me. Successfuly changed it. New method didn't work.
Click to expand...
Click to collapse
Which command did you use? Make sure your device name is surrounded by double quotes.
JBNex said:
Which command did you use? Make sure your device name is surrounded by double quotes.
Click to expand...
Click to collapse
Forgot qoutes
I tried with Terminal Emulator and it works So, my mistake.
it needs root ??
I want a way to get google assistant without root or custom recovery on htc 10 ?
elawady.2014 said:
it needs root ??
I want a way to get google assistant without root or custom recovery on htc 10 ?
Click to expand...
Click to collapse
You can't use this to get Google Assistant, but yes it does work without root.
JBNex said:
I'm not sure, but I think the device name must be set to Pixel XL when you set up your device for the first time. This is why full-size Photo backups work on custom "Pixel" ROMs (for non-Pixel devices).
Click to expand...
Click to collapse
.
i had the same question. in fact this is the main reason I wanna change my device model number now my question is... If i wanna change my device model from "oneplus 3" to "Google pixel" i just need to use the command "Pixel XL 9000"? right?
.
and another question... what's with the" Pixel XL 9000"??? can't i just simply use "pixel/ Google pixel" cause, as far as i know, Google also offer full size photo backup for both pixel and pixel xl.
sahed01 said:
.
i had the same question. in fact this is the main reason I wanna change my device model number now my question is... If i wanna change my device model from "oneplus 3" to "Google pixel" i just need to use the command "Pixel XL 9000"? right?
.
and another question... what's with the" Pixel XL 9000"??? can't i just simply use "pixel/ Google pixel" cause, as far as i know, Google also offer full size photo backup for both pixel and pixel xl.
Click to expand...
Click to collapse
Oh that was just an example to show that you could change it to any name you want. Simply Pixel XL would work!
JBNex said:
Oh that was just an example to show that you could change it to any name you want. Simply Pixel XL would work!
Click to expand...
Click to collapse
.
okay. wish me luck! I'm gonna change my device name "oneplus 3" to "Pixel" let's see if full size unlimited photo backup works!
there is no such code as "ro.product.model" in my oneplus 3 device. only "ro.product.brand=oneplus" and "ro.product. manufacturer" what should I do?
Error
Yeah bro
I have changed it using build.prox but now my device is Automatically switching off and on how to solve it.....

GUIDE: How to avoid the Captive Portal Checkin to Google

Dear XDA community,
this my first own thread and guide so please be forbear with me
And i hope i choose the right section
As the topic in the thread says it handles about the Captive Portal Checkin done by Android.
So first some general info about this.
1. What is the Captive Portal Checkin?
Every time your android phone connects to the internet via mobile connection or wlan it sends a request to the following url:
http://connectivitycheck.gstatic.com (Google URL).
After that your gets device gets http 204 answer from the mentioned url and at that point the x-symbol at your network icon in the status bar disappears.
The reason for that behavior is that Android wants to be sure that your connection has internet access.
If you block that request via AfWall for example the dns fails in some cases and you can't go into the Internet.
Silly.
2. Why is this problematic?
That's a good question because this answer from Google doesn't much hold data. But every time when this connection is done Google get the following information:
- IP-adress
- Time of the internet access
- the Browser which you use
In my case i use custom roms and no Gapps to avoid Google as much as i can. So i don't want that "ping" to Google.
That's the reason why i searched for possibilitys to get rid of this ping. And thanks to a german security and privacy specalist i found a possibilty to avoid the ping to Google and have working Internet, too.
3. What did that guy do?
Very simple. He just started his own Captive Portal Checkin Service. So no need for Google anymore
WHAT YOU NEED:
- Computer with installed ADB
- Active USB Debugging at your phone
- At least Android 7
TESTED ON:
I tested his instructions on my old Xperia Z3 phone (CarbonROM 7.0 based on Android 9, Custom Rom).
IMPORTANT:
You need to execute the commands with a booted system (valid for both posts where i write the instructions). It DOESN'T work in the terminal of recoveries (e.g. twrp).
Thanks @jaysir for the information.
INSTRUCTIONS:
Android 7:
1. Connect the phone with your computer
2. Activate ADB and test the connection with the "adb devices" command. If your phone shows up go to step 3.
3. Execute these commands in your terminal:
=> adb shell 'settings put global captive_portal_http_url "http://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_https_url "https://captiveportal.kuketz.de" '
Android 8 and 9:
1. Connect the phone with your computer
2. Activate ADB and test the connection with the "adb devices" command. If your phone shows up go to step 3.
3. Execute these commands in your terminal:
=> adb shell 'settings put global captive_portal_http_url "http://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_https_url "https://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_fallback_url "http://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_other_fallback_urls "http://captiveportal.kuketz.de" '
Well that's it. When you want to revert back just execute the commands again with this url:
http command: http://connectivitycheck.gstatic.com/generate_204
https command:
https://connectivitycheck.gstatic.com/generate_204
Link to the source:
https://www.kuketz-blog.de/android-...204-http-antwort-von-captiveportal-kuketz-de/
If i make any typos tell me
Thanks again to the german security researcher and his community there is a way to deactivate the captive portal checkin completly.
It works on Android 7 and Android 8.1/9. But in comparision to the method in my first post this needs root access on your phone.
For all new users:
I recommend Magisk to gain root.
So now the instructions:
For Android 8/9:
1. Open a terminal on your phone (via terminal apps).
2. Type the following command:
- su
- su
- pm disable com.android.captiveportallogin
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global captive_portal_mode 0
3. Then reboot your phone (via hardware buttons, system or terminal app).
For Android 7:
1. Open a terminal on your phone (via terminal apps).
2. Type the following commands:
- su
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global captive_portal_mode 0
3. Then reboot your phone (via hardware buttons, system or terminal app).
Link to Source
https://www.kuketz-blog.de/empfehlungsecke/#captive-portal
Very nice and very important tutorial!
Just for completeness; and I don't claim and definitely don't have a copyright. I reported these procedures already here end of April in the thread "Enhanced Privacy, Security and Battery Duration! My Measures...". I mentioned it also once here in the AFWall+ thread.
I'm very glad that these procedures get repeated and repeated again. From my personal point of view it's so important to develop the stance to not allow Google to collect our data. I've subscribed to Mike Kuketz and am very grateful for his job and dedication.
Oswald Boelcke said:
Very nice and very important tutorial!
Just for completeness; and I don't claim and definitely don't have a copyright. I reported these procedures already here end of April in the thread "Enhanced Privacy, Security and Battery Duration! My Measures...". I mentioned it also once here in the AFWall+ thread.
I'm very glad that these procedures get repeated and repeated again. From my personal point of view it's so important to develop the stance to not allow Google to collect our data. I've subscribed to Mike Kuketz and am very grateful for his job and dedication.
Click to expand...
Click to collapse
I agree to you. It's a pity that so much people don't care about it.
I must admit i forgot to search in forum whether the instructions was already posted but as you said every mention helps.
Thanks, however, not working on pixel experience rom.
Update:
Seems no settings command under ADB shell, worked when turning on Usb debugging.
jaysir said:
Thanks, however, not working on pixel experience rom.
seems no settings command under ADB shell
Click to expand...
Click to collapse
Thx for your info. And i will try it on my old z3 with the custom rom which you mentioned.
I know there is a Android 9 based Pixel Experience for the z3.
Will report then.
dhacke said:
Thx for your info. And i will try it on my old z3 with the custom rom which you mentioned.
I know there is a Android 9 based Pixel Experience for the z3.
Will report then.
Click to expand...
Click to collapse
Sorry, I did not make myself clear.
It just not working under recovery mode.
After booting to the system and opening the USB debugging, it is working.
jaysir said:
Sorry, I did not make myself clear.
It just not working under recovery mode.
After booting to the system and opening the USB debugging, it is working.
Click to expand...
Click to collapse
Good to know (and i'm happy that now everything works)
I will edit the guide and add your information to it.
Thanks.
Thanks dhacke for all this information.
I got here from a link on an XDA forum for the Huawei Watch 2 LTE smartwatch. Do you know if this can be done to the watch as well?
ajlajluk said:
Thanks dhacke for all this information.
I got here from a link on an XDA forum for the Huawei Watch 2 LTE smartwatch. Do you know if this can be done to the watch as well?
Click to expand...
Click to collapse
As far as i see it the adb method (post 1) could working because according to the Internet the device runs Wear OS which is basically a android version for smartwatches.
So in theory you can activate USB debugging and redirect the captive portal to mike kuketz service as long as the commands are accepted.
Regarding method 2 i can't say anything because i don't own a smartwatch and have zero knowledge whether root is possible/how it is done on those smartwatches (which is needed for that method).
dhacke said:
As far as i see it the adb method (post 1) could working because according to the Internet the device runs Wear OS which is basically a android version for smartwatches.
So in theory you can activate USB debugging and redirect the captive portal to mike kuketz service as long as the commands are accepted.
Regarding method 2 i can't say anything because i don't own a smartwatch and have zero knowledge whether root is possible/how it is done on those smartwatches (which is needed for that method).
Click to expand...
Click to collapse
Just as you said, I enabled adb debugging, opened a terminal session from my mac to the watch and sent the commands from version 1 and they were both accepted. I should be able to check if it has worked tomorrow so will keep everyone updated when I've tested it.
OK. My watch appeared to connect to wifi but then said "No Internet".
I've now done the same mod to my phone, deleted the supermarket wifi I'm trying to connect my watch to from both the watch and the phone and will try again. I'm also wondering whether haveing BT on at the same time is causing a problem so I'll try with it on and then off and see if it makes any difference.
Thanks again for giving me hope I'll be able to connect WearOS 2 to a captive portal wifi network.
Further to above, unfortunately still no joy. Watch says "Connected" for the briefest moment then "No Internet" and won't go any further.
Never mind.
Thanks again for your work for the Android community.
Is it safe?
We are sending data to completely unknown server, that's why asking.
Datta258 said:
Is it safe?
We are sending data to completely unknown server, that's why asking.
Click to expand...
Click to collapse
In my opinion yes. The mentioned security expert has a good reputation afaik and he didn't make any things in the past which give me a reason to distrust him.
And in the near future he will work for german commissioner for data protection and freedom of Informationen. So i think he is a trustworthy person.
In the privacy policy on his site for the captive portal check service he writes that no information at all will be logged.
Of course you can ask him directly via e-mail if my words don't soothe you; i can only share my opinion about that guy
Thanks.
dhacke said:
For Android 8/9:
1. Open a terminal on your phone (via terminal apps).
2. Type the following command:
- su
- su
- pm disable com.android.captiveportallogin
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global_portal_mode 0
3. Then reboot your phone (via hardware buttons, system or terminal app).
Click to expand...
Click to collapse
Does this still work on Pie?
On my rooted Galaxy Note 10 (Pie, 1st Sept. Patch) it does not.
Btw. there is a typo, should it be "settings put global captive_portal_mode 0"? This is what I tried. If I then check the values by "settings get..." I get
1: 0
2: localhost
3: 0
So the values were taken, but it still tries to connect to captiveportal.kuketz.de or google (whatever I have set). If I block it, I will get the exclamation next to the wifi symbol.
ZXR said:
Does this still work on Pie?
On my rooted Galaxy Note 10 (Pie, 1st Sept. Patch) it does not.
Btw. there is a typo, should it be "settings put global captive_portal_mode 0"? This is what I tried. If I then check the values by "settings get..." I get
1: 0
2: localhost
3: 0
So the values were taken, but it still tries to connect to captiveportal.kuketz.de or google (whatever I have set). If I block it, I will get the exclamation next to the wifi symbol.
Click to expand...
Click to collapse
Oh yes you are right. There was a typo. It must be 'settings put global captive_portal_mode 0'.
Now it's corrected. Thanks.
Did you make a reboot after execute the commands?
On my side it works on Pie too. I have a z3 with Lineage 16 and my device doesn't make the check.
When it' still not work after the reboot and the commands are typed in right (=> no issue notification in the terminal comes up) the Samsung stock rom could be the problem.
In that case i would recommend to use kuketz server.
dhacke said:
Did you make a reboot after execute the commands?
Click to expand...
Click to collapse
Yes and even after several reboots I get:
adb shell settings get global captive_portal_detection_enabled
0
adb shell settings get global captive_portal_server
localhost
adb shell settings get global captive_portal_mode
0
But, if not opened via script, I can see 185.163.119.132 (kuketz) being blocked by AFWall and the exclamation mark. So I open it with
$IPTABLES -A "afwall" -d 185.163.119.132 -m owner --uid-owner 1000 -p tcp -j ACCEPT
This works but I would prefer no C-P check.
One off-topic question:
Do you have an idea how to open the IP 0.1.0.1:0 in AFWall? It is used for VoLTE, but even I use th script line above (with 0.1.0.1) it still gets blocked. I have to open UID 1000 completely...
ZXR said:
Yes and even after several reboots I get:
adb shell settings get global captive_portal_detection_enabled
0
adb shell settings get global captive_portal_server
localhost
adb shell settings get global captive_portal_mode
0
But, if not opened via script, I can see 185.163.119.132 (kuketz) being blocked by AFWall and the exclamation mark. So I open it with
$IPTABLES -A "afwall" -d 185.163.119.132 -m owner --uid-owner 1000 -p tcp -j ACCEPT
This works but I would prefer no C-P check.
Click to expand...
Click to collapse
You wrote 'adb'. Does it mean that you tried the commands in the adb shell from your Computer with connected phone?
That could explain why it isn't working. The commands must be typed in directly on the phone for deactivation.
I use the App 'Terminal Emulator' from F-Droid for this.
Link: https://f-droid.org/app/jackpal.androidterm
You could try it with that app once more. Apart from that i'm running out of ideas atm.
ZXR said:
One off-topic question:
Do you have an idea how to open the IP 0.1.0.1:0 in AFWall? It is used for VoLTE, but even I use th script line above (with 0.1.0.1) it still gets blocked. I have to open UID 1000 completely...
Click to expand...
Click to collapse
Sorry, but no. I don't use VoLTE or Scripts in AfWall+.

Categories

Resources