class Log { static TAG = '[Phone]' static Debug = true static format(...msg) { let m = [] for (let i = 0; i < msg.length; i++) { if (typeof msg[i] === 'object') { m.push(JSON.stringify(msg[i])) } else { m.push(msg[i]) } } m = m.join(' ') return m } static i(...msg) { if (!this.Debug) return console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`) } static w(...msg) { console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`) } static e(...msg) { console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`) } static s(...msg) { console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`) } } function trace(tag) { Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new())) } const config = { mcc: '310', mnc: '240', iccid: '15003704960405101503', number: '4432486416', imei: '359028036674149', imsi: '310240158368215', country: 'us' } setImmediate(() => { Java.perform(function () { function checkPackage(name) { // return ( // name.startsWith('com.google.android.gsf') || // name.startsWith('com.google.android.gms') || // name.startsWith('com.google.android.apps') || // name.startsWith('com.example') // ) return true } const PhoneInterfaceManager = Java.use('com.android.phone.PhoneInterfaceManager') PhoneInterfaceManager.getLine1NumberForDisplay.overload( 'int', 'java.lang.String', 'java.lang.String' ).implementation = function (subId, callingPackage, callingFeatureId) { const res = this.getLine1NumberForDisplay(subId, callingPackage, callingFeatureId) if (!checkPackage(callingPackage)) { return res } Log.i( `spoof PhoneInterfaceManager.getLine1NumberForDisplay(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.number}` ) return config.number } PhoneInterfaceManager.getNetworkCountryIsoForPhone.overload('int').implementation = function (phoneId) { const res = this.getNetworkCountryIsoForPhone(phoneId) Log.i(`spoof PhoneInterfaceManager.getNetworkCountryIsoForPhone(${phoneId}): ${res} -> ${config.country}`) return config.country } PhoneInterfaceManager.getImeiForSlot.overload('int', 'java.lang.String', 'java.lang.String').implementation = function (slotId, callingPackage, callingFeatureId) { const res = this.getImeiForSlot(slotId, callingPackage, callingFeatureId) if (!checkPackage(callingPackage)) { return res } Log.i( `spoof PhoneInterfaceManager.getImeiForSlot(${slotId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.imei}` ) return config.imei } const SystemProperties = Java.use('android.os.SystemProperties') SystemProperties.get.overload('java.lang.String').implementation = function (key) { if ('gsm.sim.operator.iso-country' === key) { Log.i(`spoof SystemProperties.get(${key}): ${config.countryIso}`) return config.country } if ('gsm.sim.operator.numeric' === key) { Log.i(`spoof SystemProperties.get(${key}): ${config.mcc + config.mnc}`) return config.mcc + config.mnc } if ('gsm.operator.numeric' === key) { Log.i(`spoof SystemProperties.get(${key}): ${config.mcc + config.mnc}`) return config.mcc + config.mnc } return this.get(key) } const SubscriptionController = Java.use('com.android.internal.telephony.SubscriptionController') SubscriptionController.getSimStateForSlotIndex.overload('int').implementation = function (slotIndex) { const res = this.getSimStateForSlotIndex(slotIndex) Log.i(`spoof SubscriptionController.getSimStateForSlotIndex(${slotIndex}): ${res} -> 5`) return 5 } SubscriptionController.getPhoneNumberFromFirstAvailableSource.overload( 'int', 'java.lang.String', 'java.lang.String' ).implementation = function (subId, callingPackage, callingFeatureId) { const res = this.getPhoneNumberFromFirstAvailableSource(subId, callingPackage, callingFeatureId) if (!checkPackage(callingPackage)) { return res } Log.i( `spoof SubscriptionController.getPhoneNumberFromFirstAvailableSource(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.number}` ) return config.number } const CharSequence = Java.use('java.lang.CharSequence') const stringClzz = Java.use('java.lang.String') const SubscriptionInfo = Java.use('android.telephony.SubscriptionInfo') const name = Java.cast(stringClzz.$new('T-Mobile'), CharSequence) const uicc = Java.array('android.telephony.UiccAccessRule', []) const BitmapConfig = Java.use('android.graphics.Bitmap$Config') const Bitmap = Java.use('android.graphics.Bitmap') console.log( Java.use('java.lang.Integer').valueOf(1), config.iccid, 0, name, name, 0, 0, config.number, 0, Bitmap.createBitmap(1, 1, BitmapConfig.ARGB_8888.value), config.mcc, config.mnc, config.country, false, Java.cast(uicc.$w, Java.use('[Landroid.telephony.UiccAccessRule;')), config.iccid ) SubscriptionInfo.$init( 1, config.iccid, 0, name, name, 0, 0, config.number, 0, Bitmap.createBitmap(1, 1, BitmapConfig.ARGB_8888.value), config.mcc, config.mnc, config.country, false, Java.cast(uicc.$w, Java.use('[Landroid.telephony.UiccAccessRule;')), config.iccid ) SubscriptionController.getActiveSubscriptionInfoList.overload('java.lang.String').implementation = function ( callingPackage ) { const res = this.getActiveSubscriptionInfoList(callingPackage) if (!checkPackage(callingPackage)) { return res } Log.i(`spoof SubscriptionController.getActiveSubscriptionInfoList(${callingPackage})`) for (let i = 0; i < res.size(); i++) { const info = Java.cast(res.get(i), SubscriptionInfo) info.mMcc.value = config.mcc info.mMnc.value = config.mnc info.mCountryIso.value = config.country info.mIccId.value = config.iccid } SystemProperties.set('gsm.sim.operator.iso-country', config.country) SystemProperties.set('gsm.sim.operator.numeric', config.mcc + config.mnc) SystemProperties.set('gsm.operator.numeric', config.mcc + config.mnc) return res } SubscriptionController.getActiveSubscriptionInfoList.overload( 'java.lang.String', 'java.lang.String' ).implementation = function (callingPackage, callingFeatureId) { const res = this.getActiveSubscriptionInfoList(callingPackage, callingFeatureId) if (!checkPackage(callingPackage)) { return res } Log.i(`spoof SubscriptionController.getActiveSubscriptionInfoList(${callingPackage}, ${callingFeatureId})`) for (let i = 0; i < res.size(); i++) { const info = Java.cast(res.get(i), SubscriptionInfo) info.mMcc.value = config.mcc info.mMnc.value = config.mnc info.mCountryIso.value = config.country info.mIccId.value = config.iccid } SystemProperties.set('gsm.sim.operator.iso-country', config.country) SystemProperties.set('gsm.sim.operator.numeric', config.mcc + config.mnc) SystemProperties.set('gsm.operator.numeric', config.mcc + config.mnc) return res } SubscriptionController.getActiveSubscriptionInfoList.overload('java.lang.String').implementation = function ( callingPackage ) { const res = this.getActiveSubscriptionInfoList(callingPackage) if (!checkPackage(callingPackage)) { return res } Log.i(`spoof SubscriptionController.getActiveSubscriptionInfoList(${callingPackage})`) for (let i = 0; i < res.size(); i++) { const info = Java.cast(res.get(i), SubscriptionInfo) info.mMcc.value = config.mcc info.mMnc.value = config.mnc info.mCountryIso.value = config.country info.mIccId.value = config.iccid } SystemProperties.set('gsm.sim.operator.iso-country', config.country) SystemProperties.set('gsm.sim.operator.numeric', config.mcc + config.mnc) SystemProperties.set('gsm.operator.numeric', config.mcc + config.mnc) return res } const PhoneSubInfoController = Java.use('com.android.internal.telephony.PhoneSubInfoController') PhoneSubInfoController.getIccSerialNumberForSubscriber.overload( 'int', 'java.lang.String', 'java.lang.String' ).implementation = function (subId, callingPackage, callingFeatureId) { const res = this.getIccSerialNumberForSubscriber(subId, callingPackage, callingFeatureId) if (!checkPackage(callingPackage)) { return res } Log.i( `spoof PhoneInterfaceManager.getIccSerialNumberForSubscriber(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.iccid}` ) return config.iccid } PhoneSubInfoController.getSubscriberIdForSubscriber.overload( 'int', 'java.lang.String', 'java.lang.String' ).implementation = function (subId, callingPackage, callingFeatureId) { const res = this.getSubscriberIdForSubscriber(subId, callingPackage, callingFeatureId) if (!checkPackage(callingPackage)) { return res } Log.i( `spoof PhoneInterfaceManager.getSubscriberIdForSubscriber(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.imsi}` ) return config.imsi } }) })