Open E3V3A opened 9 years ago
I'm planning on getting a used Samsung S5 soon for development purposes. So, I hope to be able to test/contribute for that part soon.
@danialgoodwin Thanks for joining, let me know if there's anything I can help you with to get started.
Hi! Could you port it for Qualcomm based phones?
hi, what is the status of this issue? is there an update way/solution to call "invokeOemRilRequestRaw" even if your app is not part of the Phone main looper?
@daniel-bluesea It's been awhile since I've looked at this, but I believe around Android 5 this got a little easier. The public TelephonyManager exposed this API somewhat recently. The `@hide` tag makes it undocumented IIRC, but since it's public it should be accessible (maybe just reflection required to access it?). You get this object by `getSystemService()` as described here.

After that, I think there is "just" the obstacle that the `MODIFY_PHONE_STATE` permission is required, which is only allowed to system apps, but last I knew you could get around this with something like Xposed. Another way, if you grant superuser to the app, would be running the `service` command-line utility as a privileged user like I did here, but it probably won't work for this API because the `service` utility doesn't seem to support byte arrays.
@scintill thanks for your reply! The reason I asked my question regarding the `invokeOemRilRequestRaw` function is to be able to get the SIM network lock (carrier lock) status of the device, as I saw in the depersonalisation / service mode apps. Of course I can just switch SIM cards and see what happens, but I'm trying to do it using an app or adb.
I got the itch to see how seamless I could make this. My idea was it would make things pretty simple to be able to just invoke a Java method as root. In this case, if root calls `invokeOemRilRequestRaw` then it will have the `MODIFY_PHONE_STATE` permission, and it's probably easier for us to get root than get that system-level permission. I made a small proof-of-concept app here. (Note: it can be a little slow on first run, but once the code is cached it's quick.)
So, I have the core functionality of calling `invokeOemRilRequestRaw` here. The method is not documented, so the compiler can't find it when building. But, for now it should be there at runtime and be public, so we can find it with a little reflection hack and invoke it. Of course, this means they could remove it at any time, but it's still on AOSP master for now...
Example usage is here. This is just sending the bytes `0102` as dummy values right now, as I don't know useful values. My phone logs an error because it doesn't recognize the command.
FunctionRunner is my class that runs the method as root. Using `su`, it runs `app_process`, the Java VM wrapper that sets up some Android framework stuff and then invokes the `main` function in FunctionRunner, which reads in the function to execute, executes it, then writes out the result back to the Android app.
The FunctionRunner code should probably be polished a bit more (like make sure error handling/reporting is good), but this technique should make it pretty easy to bypass the system-level permissions required and use any API in an app.
I have a GT-I9195 running CM 12.1, so maybe @E3V3A and I can collaborate on finding interesting commands to send it. I don't know what commands you need, @daniel-bluesea, but if you haven't, you might check the output of `adb logcat -b radio` to see if the service mode app logs what it's doing.
@scintill again, its a pleasure to read your posts :)
Regarding the issue itself, my goal is not to modify the "phone state" but "just" get a certain status value of the device network/carrier lock status. Currently I'm not allowed to root a device in order to get this information (and even if I was allowed, it's not a one-click procedure as in the good old days of towelroot :). I did some effort similar to this: http://roberto.greyhats.it/2016/05/samsung-access-rild.html, but Samsung already closed this door. I added the above link to help you get inspiration for future attempts :)
thanks again
Hi Guys! Nice to see you're still interested in this.
@scintill Yes, AFAIK, these commands are indeed the DIAG commands when used on Qualcomm based phones, such as the GT-I9195 and the like. It could be interesting to see if other baseband makers (MTK, Huawei Balong, Samsung Shannon etc.) also use `invokeOemRilRequestRaw` methods.
@daniel-bluesea If you have a more specific idea what parameters you want to read, then it would be a better starting point for us to look into this.
Hi @E3V3A, I think in the past you were part of a discussion on XDA regarding the data I'm looking for.
The required message is RIL_REQUEST_OEM_HOOK_RAW and data is 0x04 02 00 04.
Here are some relevant radio logs:

```
D/RILJ ( 285): [0073]> OEM_HOOK_RAW[04020004]
D/RILC ( 3309): [0073]> OEM_HOOK_RAW (raw_size=4)
W/RILSWITCH( 3309): RIL REQUEST: OEM_HOOK_RAW received. Switch state is Vendor
D/RILSWITCH( 3309): Routing to vendor RIL: RIL_REQUEST_OEM_HOOK_RAW - VVM Fix
W/RILSWITCH( 3309): RIL REQUEST: OEM_HOOK_RAW --> FORCED TO VENDOR RIL
E/RIL ( 3309): onRequest: OEM_HOOK_RAW
E/RIL ( 3309): CreateRequest(): req(0x1b548), id(59), tok(0x1b530) - FUNC(0x 8011e8e9)
E/RIL ( 3309): [EVT]:Req(1), RX(0)
E/RIL ( 3309): requestOEMHookRaw
E/RIL ( 3309): requestPersonalization
E/RIL ( 3309): sub_func_id is <2>
E/RIL ( 3309): <requestPersoStatus>
```
I "need" this perso status :)
@E3V3A not specific enough? :)
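For readers who want to tie the two preceding posts together, the following is an added example (written for this thread; it is not scintill's FunctionRunner code, nor part of this project) of calling the hidden `TelephonyManager.invokeOemRilRequestRaw` by reflection, as described above, with the `04 02 00 04` perso-status request from the radio log as the payload. It assumes the method has the AOSP signature of that era, `int invokeOemRilRequestRaw(byte[] oemReq, byte[] oemResp)`, returning the number of response bytes on success or a negative RIL error code; the 256-byte response buffer size is an assumption, and the response is left undecoded because its layout is not shown in this thread. Without `MODIFY_PHONE_STATE` the framework rejects the call with a `SecurityException`, which is exactly what the root/`app_process` trick above is meant to get around, so the example unwraps and reports that case explicitly.

```java
import android.content.Context;
import android.telephony.TelephonyManager;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;

/**
 * Sends RIL_REQUEST_OEM_HOOK_RAW through the hidden
 * TelephonyManager.invokeOemRilRequestRaw(byte[] oemReq, byte[] oemResp),
 * looked up at runtime because the SDK stubs carry @hide for it.
 */
public final class OemHookRawProbe {

    /** Request bytes posted in this thread for the Samsung vendor RIL "perso status" query. */
    public static final byte[] PERSO_STATUS_REQUEST = {0x04, 0x02, 0x00, 0x04};

    /** Assumption: a generous buffer; the vendor RIL defines the real response layout. */
    private static final int RESPONSE_BUFFER_SIZE = 256;

    private OemHookRawProbe() {}

    /** Result of one OEM hook round trip. */
    public static final class Result {
        public final int status;      // >= 0: bytes written to response; < 0: RIL error code
        public final byte[] response; // trimmed to 'status' bytes when status >= 0, else empty
        Result(int status, byte[] response) { this.status = status; this.response = response; }
    }

    /** Resolve the hidden method; throws NoSuchMethodException if this build no longer ships it. */
    static Method lookupInvokeOemRilRequestRaw() throws NoSuchMethodException {
        return TelephonyManager.class.getMethod("invokeOemRilRequestRaw", byte[].class, byte[].class);
    }

    /**
     * Sends {@code request} and returns the RIL status plus any response bytes.
     * A caller lacking MODIFY_PHONE_STATE gets a SecurityException from the framework;
     * reflection wraps it in InvocationTargetException, so it is unwrapped here.
     */
    public static Result send(Context ctx, byte[] request) throws Exception {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        Method m = lookupInvokeOemRilRequestRaw();
        byte[] resp = new byte[RESPONSE_BUFFER_SIZE];
        try {
            int status = (Integer) m.invoke(tm, request, resp);
            byte[] out = status >= 0 ? Arrays.copyOf(resp, Math.min(status, resp.length)) : new byte[0];
            return new Result(status, out);
        } catch (InvocationTargetException e) {
            Throwable cause = e.getCause();
            if (cause instanceof SecurityException) {
                throw new SecurityException(
                        "invokeOemRilRequestRaw requires MODIFY_PHONE_STATE: " + cause.getMessage(), cause);
            }
            throw e;
        }
    }

    /** Render bytes the way RILJ logs them, e.g. OEM_HOOK_RAW[04020004]. */
    public static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    /** Usage from an Activity/Service (or from code run as root via app_process, as above). */
    public static String probePersoStatus(Context ctx) {
        try {
            Result r = send(ctx, PERSO_STATUS_REQUEST);
            return "OEM_HOOK_RAW[" + hex(PERSO_STATUS_REQUEST) + "] status=" + r.status
                    + " response=" + hex(r.response);
        } catch (NoSuchMethodException e) {
            return "invokeOemRilRequestRaw is not present on this Android build";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }
}
```

Run from a normal app this reports the permission denial; run through the root/`app_process` path it reaches the vendor RIL, and the `adb logcat -b radio` lines should then show the same `OEM_HOOK_RAW[04020004]` request and `requestPersoStatus` trace as in the log posted above.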
We need to port this from using XMM based phones to using Qualcomm based phones. This should be possible as the ServiceMode structure is essentially the same. Later Qualcomm BPs are using a wrapper that has a blocked menu navigation. This can be unblocked by "Q0"... I've opened a new branch called `I9195` for porting to the Samsung Galaxy S4-mini (GT-I9195).