
Interaction with the modem in the Android OS

In the previous article, I talked about how the radio interface layer (RIL) is organized in the Android OS. Today I will talk about how you can interact directly with the modem.
It often happens that a tablet with a 3G modem provides no way to make a call, send an SMS message or even check the account balance. In this article we will deal with this, and also see how to use all the functionality the modem provides.
As you already know, the manufacturer's RIL translates Android OS requests into a form the modem understands. As a rule, the standardized Hayes AT commands are used to interact with the modem; however, some modem manufacturers supplement the standard set of AT commands with their own extensions. Today we will work at the level between the manufacturer's RIL and the modem.


Note that for these experiments your device must be rooted, and you should have at least minimal experience programming with the NDK.

Let's get started


First we need to determine the name of the modem's device file in the system. Typically this is /dev/ttyACM0 or /dev/smd0 (/dev/ttyUSB0 is also encountered). To find out, run the command that shows the radio log in a terminal: logcat -b radio. The very first line of the radio log should look like "Opening tty device /dev/ttyACM0". If there is no such line, we are less fortunate and will have to go through all the devices located in the /dev/ directory. To do this, send the test command "AT" to each file in that directory; if it is the modem's device file, the response "OK" will appear in the radio log. Commands can be sent, for example, from the terminal: echo "AT" > /dev/file_name.

Now let's establish which commands are sent to the modem. To do this, we carry out a man-in-the-middle (MITM) style "attack" between rild and the modem.

For this:

Program code is available here.

After examining our log, you can see which AT commands and parameters correspond to which actions. After the rild daemon starts, the modem is initialized, the necessary information is received from the base station, and so on.
If you sent an SMS message, the following sequence of AT commands corresponded to it:
AT+CMGS=18
>
0001000b815686070855f4345005c8329bfd06^Z
The message looks like this because it is encoded in PDU format (the trailing ^Z is the Ctrl-Z that terminates the PDU). By replaying the recorded sequence of AT commands, you can verify that the message is sent successfully. In this case, of course, it is not displayed in the list of sent messages in the Android OS messaging application.
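To see what the intercepted PDU actually carries, here is a small decoder, added here and not part of the original article, that walks the SMS-SUBMIT PDU from the log above field by field (3GPP TS 23.040 layout, GSM 7-bit default alphabet). The PDU string is the one shown on the page; the field names are the standard TP-* ones.

```python
# Added example, not part of the original article: decode the SMS-SUBMIT PDU
# that appeared in the radio log (3GPP TS 23.040 layout, GSM 7-bit alphabet).
PAGE_PDU = "0001000b815686070855f4345005c8329bfd06"

# GSM 03.38 default 7-bit alphabet, index = septet value (128 entries).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def swap_digits(hexstr: str) -> str:
    """Address digits are BCD with nibbles swapped; 'f' pads an odd digit count."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2)).rstrip("f")

def unpack_7bit(octets: bytes, septets: int) -> str:
    """GSM 7-bit packing is a little-endian bit concatenation of septets."""
    bits = int.from_bytes(octets, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def decode_sms_submit(pdu: str) -> dict:
    """Parse the hex PDU handed to AT+CMGS and return its TPDU fields."""
    b = bytes.fromhex(pdu)
    smsc_len = b[0]                      # 0 means "use the SIM's default SMSC"
    pos = 1 + smsc_len
    first, mr, da_len, toa = b[pos], b[pos + 1], b[pos + 2], b[pos + 3]
    pos += 4
    da_octets = (da_len + 1) // 2        # TP-DA length counts digits, not octets
    da = swap_digits(b[pos:pos + da_octets].hex())
    pos += da_octets
    pid, dcs = b[pos], b[pos + 1]
    pos += 2
    vpf = (first >> 3) & 0x3             # TP-VPF: is a validity period present?
    if vpf == 0b10:
        pos += 1                         # relative format, one octet
    elif vpf in (0b01, 0b11):
        pos += 7                         # enhanced/absolute format, seven octets
    udl, ud = b[pos], b[pos + 1:]
    if (dcs & 0x0C) == 0x00:
        text = unpack_7bit(ud, udl)      # 7-bit: TP-UDL is a septet count
    elif (dcs & 0x0C) == 0x08:
        text = ud[:udl].decode("utf-16-be")  # UCS-2: TP-UDL is an octet count
    else:
        text = ud[:udl].hex()            # 8-bit data: leave as hex
    return {
        "cmgs_length": len(b) - 1 - smsc_len,   # the <length> given to AT+CMGS
        "mti": "SMS-SUBMIT" if (first & 0x3) == 1 else "other",
        "mr": mr, "toa": toa, "da": da, "pid": pid, "dcs": dcs, "text": text,
    }
```

Running decode_sms_submit(PAGE_PDU) shows why the command was AT+CMGS=18: the TPDU after the empty SMSC field is 18 octets long, addressed to 65687080554 and carrying the 7-bit text "Hello".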
Using the AT command AT+CUSD=1,"*100#",15 you can make a USSD request,
and using the command ATD+79161234567; you can make an outgoing phone call.
Using this approach, it is possible to filter, for example, SMS messages, calls, and so on.

Materials used:
1. fabiensanglard.net/cellphoneModem/index2.php
2. Source codes of manufacturer’s RIL

Source: https://habr.com/ru/post/185012/

