xiongzhu hai 10 meses
pai
achega
505d82213d
Modificáronse 5 ficheiros con 284 adicións e 0 borrados
  1. 53 0
      c.js
  2. 47 0
      scripts/find_class.js
  3. 62 0
      scripts/system_server.js
  4. 48 0
      scripts/system_server_child.js
  5. 74 0
      scripts/wifi.js

+ 53 - 0
c.js

@@ -0,0 +1,53 @@
+// 043001RC00
+class Log {
+    static TAG = '[SMS]'
+    static Debug = true
+    static format(...msg) {
+        let m = []
+        for (let i = 0; i < msg.length; i++) {
+            if (typeof msg[i] === 'object') {
+                m.push(JSON.stringify(msg[i]))
+            } else {
+                m.push(msg[i])
+            }
+        }
+        m = m.join(' ')
+        return m
+    }
+    static i(...msg) {
+        if (!this.Debug) return
+        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static w(...msg) {
+        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static e(...msg) {
+        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static s(...msg) {
+        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+}
+
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+setImmediate(() => {
+    Java.perform(function () {
+        const contentResolver = Java.use('android.content.ContentResolver')
+        contentResolver.update.overload(
+            'android.net.Uri',
+            'android.content.ContentValues',
+            'java.lang.String',
+            '[Ljava.lang.String;'
+        ).implementation = function (uri, values, selection, selectionArgs) {
+            Log.s(
+                `contentResolver.update(uri=${uri}, values=${values}, selection=${selection}, selectionArgs=${selectionArgs})`
+            )
+            const res = this.update(uri, values, selection, selectionArgs)
+            Log.s(res)
+            return res
+        }
+    })
+}, 0)
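Review bot: The trailing `0` in `}, 0)` that closes the `setImmediate` call is not a delay. `setImmediate` takes no timeout and forwards extra arguments to the callback, so this should read `})` like the other scripts in this commit. Separately, the `ContentResolver.update` replacement prints `values` and `selectionArgs` in full through `Log.s`, which ignores `Log.Debug`, so every update in the instrumented process is written to the console with its row contents. Given the `[SMS]` tag, that presumably includes message bodies; consider gating the dump on `Log.Debug` or printing only the column names. The header comment `// 043001RC00` should also say what it refers to.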

+ 47 - 0
scripts/find_class.js

@@ -0,0 +1,47 @@
+class Log {
+    static TAG = '[Phone]'
+    static Debug = true
+    static format(...msg) {
+        let m = []
+        for (let i = 0; i < msg.length; i++) {
+            if (typeof msg[i] === 'object') {
+                m.push(JSON.stringify(msg[i]))
+            } else {
+                m.push(msg[i])
+            }
+        }
+        m = m.join(' ')
+        return m
+    }
+    static i(...msg) {
+        if (!this.Debug) return
+        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static w(...msg) {
+        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static e(...msg) {
+        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+    static s(...msg) {
+        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
+    }
+}
+
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+setImmediate(() => {
+    Java.perform(function () {
+        const SystemProperties = Java.use('android.os.SystemProperties')
+
+        const PhoneInterfaceManager = Java.use('com.android.phone.PhoneInterfaceManager')
+        Log.i(`PhoneInterfaceManager: ${PhoneInterfaceManager}`)
+
+        PhoneInterfaceManager.getImeiForSlot.overload('int', 'java.lang.String', 'java.lang.String').implementation = function (slotId, callingPackage, callingFeatureId) {
+            Log.i('PhoneInterfaceManager.getImeiForSlot', slotId, callingPackage, callingFeatureId)
+            return "999"
+        }
+    })
+})
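Review bot: `SystemProperties` is bound at the top of `Java.perform` and never used, and `trace` is defined but never called in this file; both can be removed. The `Log` class is a copy of the one in c.js with only `TAG` changed, so if these scripts are bundled it belongs in one shared file. The `getImeiForSlot` replacement returns the bare literal `"999"` and never calls the original; name it, e.g. `const PLACEHOLDER_IMEI = '999' // fixed test value`, so a reader can tell the value is deliberate. `Log.i` prints with `\x1b[30m` (black), which is unreadable on a dark terminal.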

+ 62 - 0
scripts/system_server.js

@@ -0,0 +1,62 @@
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+function readFile(path) {
+    var FileOutputStream = Java.use('java.io.FileOutputStream')
+    var FileInputStream = Java.use('java.io.FileInputStream')
+    var File = Java.use('java.io.File')
+    var InputStreamReader = Java.use('java.io.InputStreamReader')
+    var BufferedReader = Java.use('java.io.BufferedReader')
+    var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream')
+
+    var file = File.$new(path)
+    var fileInputStream = FileInputStream.$new(file)
+
+    var inputStreamReader = InputStreamReader.$new(Java.cast(fileInputStream, Java.use('java.io.InputStream')))
+    var bufferedReader = BufferedReader.$new(inputStreamReader)
+    var line
+    var content = ''
+    while ((line = bufferedReader.readLine()) !== null) {
+        content += line + '\n'
+    }
+
+    bufferedReader.close()
+    inputStreamReader.close()
+    fileInputStream.close()
+
+    return content
+}
+
+setImmediate(() => {
+    Java.perform(function () {
+        const Log = Java.use('android.util.Log')
+
+        function log(msg) {
+            console.log(`\x1b[30m[system_server] ${msg}\x1b[0m`)
+            Log.d('frida-system_server', msg)
+        }
+
+        const DeviceIdentifiersPolicy = Java.use(
+            'com.android.server.os.DeviceIdentifiersPolicyService$DeviceIdentifiersPolicy'
+        )
+
+        DeviceIdentifiersPolicy.getSerial.overload().implementation = function () {
+            const original = this.getSerial()
+            const spoof = '1234567890'
+            log(`DeviceIdentifiersPolicy.getSerial() called, returning: ${spoof}, original: ${original}`)
+            return spoof
+        }
+
+        DeviceIdentifiersPolicy.getSerialForPackage.overload('java.lang.String', 'java.lang.String').implementation =
+            function (callingPackage, callingFeatureId) {
+                const original = this.getSerialForPackage(callingPackage, callingFeatureId)
+                const spoof = '1234567890'
+                log(
+                    `DeviceIdentifiersPolicy.getSerialForPackage(${callingPackage}, ${callingFeatureId}) called, returning: ${spoof}, original: ${original}`
+                )
+                return spoof
+            }
+
+    })
+})
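Review bot: `trace()` calls `Log.e`, but this file has no `Log` at file scope; the only `Log` is the `const Log = Java.use('android.util.Log')` local to the `Java.perform` callback, so calling `trace()` would throw a ReferenceError. `readFile()` binds `FileOutputStream` and `ByteArrayOutputStream` without using them, and its three `close()` calls are skipped if `readLine()` throws because they are not in a `finally`. Neither helper is called here, and the same two definitions are repeated in system_server_child.js and wifi.js, so deleting them from all three files is the simplest fix. The local `log()` also passes the real serial (`original`) to `Log.d`, which writes it to logcat where it outlives the session; system_server_child.js does the same with the factory MAC. Keep the original value on the console only, e.g. build a second message without `original` for the `Log.d` call.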

+ 48 - 0
scripts/system_server_child.js

@@ -0,0 +1,48 @@
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+function readFile(path) {
+    var FileOutputStream = Java.use('java.io.FileOutputStream')
+    var FileInputStream = Java.use('java.io.FileInputStream')
+    var File = Java.use('java.io.File')
+    var InputStreamReader = Java.use('java.io.InputStreamReader')
+    var BufferedReader = Java.use('java.io.BufferedReader')
+    var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream')
+
+    var file = File.$new(path)
+    var fileInputStream = FileInputStream.$new(file)
+
+    var inputStreamReader = InputStreamReader.$new(Java.cast(fileInputStream, Java.use('java.io.InputStream')))
+    var bufferedReader = BufferedReader.$new(inputStreamReader)
+    var line
+    var content = ''
+    while ((line = bufferedReader.readLine()) !== null) {
+        content += line + '\n'
+    }
+
+    bufferedReader.close()
+    inputStreamReader.close()
+    fileInputStream.close()
+
+    return content
+}
+
+setImmediate(() => {
+    Java.perform(function () {
+        const Log = Java.use('android.util.Log')
+
+        function log(msg) {
+            console.log(`\x1b[30m[system_server] ${msg}\x1b[0m`)
+            Log.d('frida-system_server', msg)
+        }
+
+        const WifiServiceImpl = Java.use('com.android.server.wifi.WifiServiceImpl')
+        WifiServiceImpl.getFactoryMacAddresses.overload().implementation = function () {
+            const original = this.getFactoryMacAddresses()
+            const spoof = ['00:00:00:00:00:00']
+            log(`WifiServiceImpl.getFactoryMacAddresses() called, returning: ${spoof}, original: ${original}`)
+            return spoof
+        }
+    })
+})
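Review bot: `log()` in this file still prints the `[system_server]` prefix and uses the logcat tag `frida-system_server`, both copied from system_server.js, so output from the two scripts cannot be told apart. Give it its own prefix and tag, e.g. `[system_server_child]` and `'frida-system_server_child'`. The spoofed value `['00:00:00:00:00:00']` would also read better as a named constant at the top of the callback with a comment saying it is a placeholder.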

+ 74 - 0
scripts/wifi.js

@@ -0,0 +1,74 @@
+function trace(tag) {
+    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
+}
+
+function readFile(path) {
+    var FileOutputStream = Java.use('java.io.FileOutputStream')
+    var FileInputStream = Java.use('java.io.FileInputStream')
+    var File = Java.use('java.io.File')
+    var InputStreamReader = Java.use('java.io.InputStreamReader')
+    var BufferedReader = Java.use('java.io.BufferedReader')
+    var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream')
+
+    var file = File.$new(path)
+    var fileInputStream = FileInputStream.$new(file)
+
+    var inputStreamReader = InputStreamReader.$new(Java.cast(fileInputStream, Java.use('java.io.InputStream')))
+    var bufferedReader = BufferedReader.$new(inputStreamReader)
+    var line
+    var content = ''
+    while ((line = bufferedReader.readLine()) !== null) {
+        content += line + '\n'
+    }
+
+    bufferedReader.close()
+    inputStreamReader.close()
+    fileInputStream.close()
+
+    return content
+}
+
+setImmediate(() => {
+    Java.perform(function () {
+        const Log = Java.use('android.util.Log')
+
+        function log(msg) {
+            console.log(`\x1b[30m[system_server] ${msg}\x1b[0m`)
+            Log.d('frida-system_server', msg + '')
+        }
+        log(Java.classFactory.loader)
+
+        Java.enumerateClassLoadersSync().forEach((loader) => {
+            log(loader)
+        })
+
+        // const SystemServiceManager = Java.use('com.android.server.SystemServiceManager')
+        // log(SystemServiceManager.class.getClassLoader())
+        // const SystemServerClassLoaderFactory = Java.use('com.android.internal.os.SystemServerClassLoaderFactory')
+        // const classLoader = SystemServerClassLoaderFactory.getOrCreateClassLoader(
+        //     '/apex/com.android.wifi/javalib/service-wifi.jar',
+        //     SystemServiceManager.class.getClassLoader(),
+        //     false
+        // )
+        // log(classLoader)
+        // Java.classFactory.loader = classLoader
+        // // Java.enumerateLoadedClasses({
+        // //     onMatch: function (className) {
+        // //         if (className == 'com.android.server.wifi.WifiServiceImpl') {
+        // //             const WifiService = Java.use('com.android.server.wifi.WifiService')
+        // //         }
+        // //     },
+        // //     onComplete: function () {
+        // //         console.log('枚举结束')
+        // //     }
+        // // })
+        // const WifiServiceImpl = Java.use('com.android.server.wifi.WifiServiceImpl')
+        // log(WifiServiceImpl)
+        // WifiServiceImpl.getFactoryMacAddresses.overload().implementation = function () {
+        //     const original = this.getFactoryMacAddresses()
+        //     const spoof = ['00:00:00:00:00:00']
+        //     log(`WifiServiceImpl.getFactoryMacAddresses() called, returning: ${spoof}, original: ${original}`)
+        //     return spoof
+        // }
+    })
+})
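Review bot: Twenty-eight of the added lines, from `// const SystemServiceManager` to the end of the `Java.perform` callback, are commented-out code, including a `getFactoryMacAddresses` hook that already exists live in system_server_child.js. Delete them and leave a one-line comment saying what the class-loader experiment was meant to establish. `log()` here coerces with `msg + ''` before calling `Log.d`, while the copies in system_server.js and system_server_child.js pass `msg` unconverted; the three should agree, and the coercing form is the safer one since `Log.d` takes a string. The `[system_server]` prefix is again copied even though this file is wifi.js.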