x1ongzhu пре 1 година
родитељ
комит
419b050c99
6 измењених фајлова са 69 додато и 15 уклоњено
  1. 3 0
      Verification fail.txt
  2. 3 3
      gen.js
  3. BIN
      gson.dex
  4. 15 8
      injects/all.js
  5. 8 0
      injects/cpdex.js
  6. 40 4
      scripts/spoof_gms.js

+ 3 - 0
Verification fail.txt

@@ -0,0 +1,3 @@
+[verification_manager] Verification failed with error: syncVerif failed: PhoneVerifier.Verify failed: generic::invalid_argument: com.google.apps.framework.request.BadRequestException: VerifyRequest from UNIFIED_PHONE_IDENTITY rejected.
+                                                                                                    Invalid endpoint imsi: 3100102992729814
+2024-04-11 16:17:27.579 27118-27481 constellation           com.google.android.gms               I  [verification_manager] No challenge issued due to state: 1

+ 3 - 3
gen.js

@@ -12,16 +12,16 @@ function randomeNumber(length) {
 }
 
 const mcc = "310"
-const mnc = "010"
+const mnc = "10"
 const simOperator = mcc + mnc
 const networkOperator = mcc + mnc
 const simSerialNumber = randomeNumber(20)
 const iccId = simSerialNumber
-const number = "8149255536" || randomeNumber(9)
+const number = "8149255276" || randomeNumber(9)
 const imei = nodeImei.random()
 const imsi = mcc + mnc + randomeNumber(10)
 const countryIso = "us"
-const subId = "18"
+const subId = "19"
 
 console.log(`
 const mcc = "${mcc}"
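Review bot: The `|| randomeNumber(9)` fallback on the changed `number` line can never run, because a non-empty string literal is always truthy, so the generator always emits the hard-coded value. Either drop the dead branch, `const number = "8149255276"`, or remove the literal so the generated value is actually used. The same `number` and `subId` values are also edited by hand in injects/all.js in this commit, which suggests they are copied between files rather than read from one shared config.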


+ 15 - 8
injects/all.js

@@ -2,6 +2,7 @@ import frida from "frida"
 import fs from "fs"
 import url from "url"
 import path from "path"
+import util from "util"
 
 const filePath = url.fileURLToPath(import.meta.url)
 const __dirname = path.dirname(filePath)
@@ -10,13 +11,13 @@ const mcc = "310"
 const mnc = "010"
 const simOperator = "310010"
 const networkOperator = "310010"
-const simSerialNumber = "14264327264370191966"
-const iccId = "14264327264370191966"
-const number = "8149255536"
-const imei = "359514067295219"
-const imsi = "3100103323746192"
+const simSerialNumber = "18118167723095689225"
+const iccId = "18118167723095689225"
+const number = "8149255276"
+const imei = "359028032842286"
+const imsi = "3100108091069016"
 const countryIso = "us"
-const subId = "18"
+const subId = "19"
 
 class Log {
     static TAG = ""
@@ -24,7 +25,9 @@ class Log {
         let m = []
         for (let i = 0; i < msg.length; i++) {
             if (typeof msg[i] === "object") {
-                m.push(JSON.stringify(msg[i]))
+                if ("[object Object]" === msg[i].toString()) {
+                    m.push(util.inspect(msg[i]))
+                }
             } else {
                 m.push(msg[i])
             }
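Review bot: The new object branch in the Log formatter drops arguments instead of formatting them. Only values whose `toString()` is exactly `"[object Object]"` are pushed, so arrays, Error objects and Dates now vanish from the log line, and `null` (which is also `typeof "object"`) throws on `msg[i].toString()`. Since `util.inspect` handles all of these, the inner check can go and the branch becomes `m.push(util.inspect(msg[i]))`. The enclosing method starts above the hunk and continues below it.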
@@ -201,7 +204,11 @@ class Tracer {
     }
 
     _onScriptMessage(message, data) {
-        Log.i(`[PID ${this.pid}] onScriptMessage()`, message)
+        if (message.type === "error") {
+            Log.e(`[PID ${this.pid}] onScriptMessage()`, message)
+        } else {
+            Log.i(`[PID ${this.pid}] onScriptMessage()`, message)
+        }
     }
 }
 

+ 8 - 0
injects/cpdex.js

@@ -41,6 +41,10 @@ let exists = false
     execSync("adb push ../RcsHackTool.dex /sdcard/")
     console.log("Pushed RcsHackTool.dex")
 
+    console.log("Pushing gson.dex")
+    execSync("adb push ../gson.dex /sdcard/")
+    console.log("Pushed gson.dex")
+
     console.log("mounting /system as rw")
     await exec("mount -o rw,remount /")
     console.log("mounted /system as rw")
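Review bot: `gson.dex` enters the repository as an opaque binary and is pushed to the device with no record of its origin, so nothing in this commit lets a reader confirm it is an unmodified Gson build. Record the upstream version and a checksum next to the file, or build it from source in a script, and verify the checksum before the `adb push`. The push also uses `../gson.dex`, which resolves against the process working directory rather than this script's location; as far as the hunk shows, a run from another directory makes `execSync` throw with nothing to catch it. The copy into the app data directory is in the next hunk of this file.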
@@ -48,6 +52,10 @@ let exists = false
     console.log("Copying RcsHackTool.dex to system")
     await exec("cp /sdcard/RcsHackTool.dex /system/framework/")
     console.log("Copied RcsHackTool.dex to system")
+
+    console.log("Copying gson.dex to data")
+    await exec("cp /sdcard/gson.dex /data/data/com.google.android.apps.messaging/")
+    console.log("Copied gson.dex to data")
 // }
 
 p.kill()

+ 40 - 4
scripts/spoof_gms.js

@@ -47,6 +47,12 @@ class Log {
 }
 
 Java.perform(function () {
+    const GsonClass = Java.openClassFile(
+        "/data/data/com.google.android.gms/gson.dex"
+    )
+    GsonClass.load()
+    Log.s("gson class loaded")
+
     const SmsManager = Java.use("android.telephony.SmsManager")
     SmsManager.getSmsManagerForSubscriptionId.overload("int").implementation =
         function (i) {
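Review bot: `Java.openClassFile(...).load()` runs unguarded as the first statement of the `Java.perform` callback, so if the file is absent or unreadable the exception aborts the callback before any of the hooks below are installed. The path points at `/data/data/com.google.android.gms/`, while injects/cpdex.js in this commit copies `gson.dex` into `/data/data/com.google.android.apps.messaging/`; unless a step outside this diff places the file there, the two do not agree. Wrap the load in `try { … } catch (e) { Log.e(e) }` and take the path from one constant shared with the copy step.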
@@ -697,6 +703,9 @@ Java.perform(function () {
         list
     ) {
         Log.e("alyx.m", amlu, list)
+        for (let i = 0; i < list.size(); i++) {
+            Log.e(`list[${i}]=${list.get(i)}`)
+        }
         const a = amlu._a.value // string
         Log.e(`\ta=${a}`)
         const f = amlu.f.value // string
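Review bot: The added loop calls `list.size()` with no null check, and it runs before `this.m(amlu, list)` is reached, so a null `list` makes the hook throw instead of passing the call through. The next hunk has the same shape: `d.get(key).__proto__` and `gson.toJson(d.get(key))` dereference map values that may be null, and `Java.cast(amlu.d.value, HashMap)` assumes the field is non-null and really a HashMap. Keep the diagnostics inside `try { … } catch (err) { Log.e(err) }` so the original method is always called, and guard this loop the way the `h` loop is guarded, `if (list) { … }`. The hooked function starts above this hunk and ends in the next one.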
@@ -705,14 +714,41 @@ Java.perform(function () {
         for (let i = 0; i < g.size(); i++) {
             Log.e(`\tg[${i}]=${g.get(i)}`)
         }
-        const d = amlu.d.value // map
-        for (const key in d.keySet()) {
+
+        const h = amlu.h.value // list
+        if (h) {
+            for (let i = 0; i < h.size(); i++) {
+                Log.e(`\th[${i}]=${h.get(i)}`)
+            }
+        }
+
+        const HashMap = Java.use("java.util.HashMap")
+        const d = Java.cast(amlu.d.value, HashMap) // map
+        const keySet = d.keySet().toArray()
+        for (let key of keySet) {
             Log.e(`\td[${key}]=${d.get(key)}`)
+            Log.e(Object.getOwnPropertyNames(d.get(key).__proto__).join("\n"))
+            const gson = Java.use("com.google.gson.Gson").$new()
+            const json = gson.toJson(d.get(key))
+            Log.e(json)
         }
-        const e = amlu.e.value // map
-        for (const key in e.keySet()) {
+
+        const e = Java.cast(amlu.e.value, HashMap) // map
+        const keySet2 = e.keySet().toArray()
+        for (let key of keySet2) {
             Log.e(`\te[${key}]=${e.get(key)}`)
         }
         return this.m(amlu, list)
     }
+
+    const Bundle = Java.use("android.os.Bundle")
+    Bundle.getInt.overload("java.lang.String").implementation = function (str) {
+        Log.e(`Bundle.getInt: ${str}`)
+        if (str === "sim_slot_index") {
+          
+            trace()
+            return 0
+        }
+        return this.getInt(str)
+    }
 })
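Review bot: The `Bundle.getInt` replacement calls `trace()`, which is not defined in any visible hunk; if it is not declared elsewhere in the file, every `sim_slot_index` lookup throws a ReferenceError inside the hook. The hook also logs every `Bundle.getInt(String)` call in the process at error level, which buries the entries that `Log.e` is meant to highlight; log only the matching key or use a lower level. A comment such as `// force slot 0 for every caller in this process` would document why the override returns a constant, and the whitespace-only line before `trace()` can go.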