err4o4 / spotify-car-thing-reverse-engineering


Able to open dev menu (but it's useless) #8

Open null-dev opened 1 year ago

null-dev commented 1 year ago

By patching the Spotify APK I was able to open the developer menu on the device.

It's not very useful though, basically just contains a couple extra settings:


evnb commented 1 year ago

Cool find! Can you explain how to do this?

null-dev commented 1 year ago

@evnb There's a developer_menu_enabled setting inside the RemoteConfig bluetooth packet sent to the device.

So you just use frida/Xposed/smali patching to edit the bluetooth packet before the app serializes it and sends it.

I'm on a rooted device, so I used Xposed. Here's my hook:

```kotlin
import de.robv.android.xposed.IXposedHookLoadPackage
import de.robv.android.xposed.XC_MethodHook
import de.robv.android.xposed.XposedBridge
import de.robv.android.xposed.callbacks.XC_LoadPackage

// Imports and the module wrapper class are added so the snippet compiles as an
// Xposed module; the hook body itself is as originally posted.
class DevMenuHook : IXposedHookLoadPackage {
    override fun handleLoadPackage(lpparam: XC_LoadPackage.LoadPackageParam) {
        val clazz = lpparam.classLoader.loadClass(
            // Java class that represents the RemoteConfig packet
            "com.spotify.superbird.interappprotocol.remoteconfig.model.RemoteConfigAppProtocol\$RemoteConfigs"
        )
        XposedBridge.hookMethod(
            clazz.constructors.first(), // Hook the constructor
            object : XC_MethodHook() {
                @Suppress("UNCHECKED_CAST")
                override fun beforeHookedMethod(param: MethodHookParam) {
                    // The constructor accepts a single argument: a Map of the remote config parameters
                    // Here we set developer_menu_enabled = true inside this Map
                    val result = param.args[0]
                    val map = result as MutableMap<String, Any>
                    map["developer_menu_enabled"] = true
                }
            }
        )
    }
}
```

everettperiman commented 1 year ago

I was also able to force the developer menu using MITM Web with this addon script. https://github.com/err4o4/spotify-car-thing-reverse-engineering/issues/12#issuecomment-1280036510

All you need is a computer to route through, and any phone, even iOS, will work with it. I did note that the developer menu is not persistent between loads.