xiongzhu
/
frida-rcs-hack


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267
							class Log {
    static TAG = '[Phone]'
    static Debug = true
    static format(...msg) {
        let m = []
        for (let i = 0; i < msg.length; i++) {
            if (typeof msg[i] === 'object') {
                m.push(JSON.stringify(msg[i]))
            } else {
                m.push(msg[i])
            }
        }
        m = m.join(' ')
        return m
    }
    static i(...msg) {
        if (!this.Debug) return
        console.log(`\x1b[30m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static w(...msg) {
        console.log(`\x1b[33m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static e(...msg) {
        console.log(`\x1b[31m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
    static s(...msg) {
        console.log(`\x1b[32m${this.TAG} ${this.format(...msg)}\x1b[0m`)
    }
}

function trace(tag) {
    Log.e((tag || '') + Java.use('android.util.Log').getStackTraceString(Java.use('java.lang.Throwable').$new()))
}

const config = {
    mcc: '310',
    mnc: '240',
    iccid: '15003704960405101503',
    number: '4432486416',
    imei: '359028036674149',
    imsi: '310240158368215',
    country: 'us'
}
setImmediate(() => {
    Java.perform(function () {
        function checkPackage(name) {
            // return (
            //     name.startsWith('com.google.android.gsf') ||
            //     name.startsWith('com.google.android.gms') ||
            //     name.startsWith('com.google.android.apps') ||
            //     name.startsWith('com.example')
            // )
            return true
        }
        const PhoneInterfaceManager = Java.use('com.android.phone.PhoneInterfaceManager')

        PhoneInterfaceManager.getLine1NumberForDisplay.overload(
            'int',
            'java.lang.String',
            'java.lang.String'
        ).implementation = function (subId, callingPackage, callingFeatureId) {
            const res = this.getLine1NumberForDisplay(subId, callingPackage, callingFeatureId)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(
                `spoof PhoneInterfaceManager.getLine1NumberForDisplay(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.number}`
            )
            return config.number
        }

        PhoneInterfaceManager.getNetworkCountryIsoForPhone.overload('int').implementation = function (phoneId) {
            const res = this.getNetworkCountryIsoForPhone(phoneId)
            Log.i(`spoof PhoneInterfaceManager.getNetworkCountryIsoForPhone(${phoneId}): ${res} -> ${config.country}`)
            return config.country
        }

        PhoneInterfaceManager.getImeiForSlot.overload('int', 'java.lang.String', 'java.lang.String').implementation =
            function (slotId, callingPackage, callingFeatureId) {
                const res = this.getImeiForSlot(slotId, callingPackage, callingFeatureId)
                if (!checkPackage(callingPackage)) {
                    return res
                }
                Log.i(
                    `spoof PhoneInterfaceManager.getImeiForSlot(${slotId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.imei}`
                )
                return config.imei
            }

        const SystemProperties = Java.use('android.os.SystemProperties')
        SystemProperties.get.overload('java.lang.String').implementation = function (key) {
            if ('gsm.sim.operator.iso-country' === key) {
                Log.i(`spoof SystemProperties.get(${key}): ${config.countryIso}`)
                return config.country
            }
            if ('gsm.sim.operator.numeric' === key) {
                Log.i(`spoof SystemProperties.get(${key}): ${config.mcc + config.mnc}`)
                return config.mcc + config.mnc
            }
            if ('gsm.operator.numeric' === key) {
                Log.i(`spoof SystemProperties.get(${key}): ${config.mcc + config.mnc}`)
                return config.mcc + config.mnc
            }
            return this.get(key)
        }

        const SubscriptionController = Java.use('com.android.internal.telephony.SubscriptionController')
        SubscriptionController.getSimStateForSlotIndex.overload('int').implementation = function (slotIndex) {
            const res = this.getSimStateForSlotIndex(slotIndex)
            Log.i(`spoof SubscriptionController.getSimStateForSlotIndex(${slotIndex}): ${res} -> 5`)
            return 5
        }
        SubscriptionController.getPhoneNumberFromFirstAvailableSource.overload(
            'int',
            'java.lang.String',
            'java.lang.String'
        ).implementation = function (subId, callingPackage, callingFeatureId) {
            const res = this.getPhoneNumberFromFirstAvailableSource(subId, callingPackage, callingFeatureId)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(
                `spoof SubscriptionController.getPhoneNumberFromFirstAvailableSource(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.number}`
            )
            return config.number
        }
        const CharSequence = Java.use('java.lang.CharSequence')
        const stringClzz = Java.use('java.lang.String')
        const SubscriptionInfo = Java.use('android.telephony.SubscriptionInfo')
        const name = Java.cast(stringClzz.$new('T-Mobile'), CharSequence)
        const uicc = Java.array('android.telephony.UiccAccessRule', [])

        const BitmapConfig = Java.use('android.graphics.Bitmap$Config')
        const Bitmap = Java.use('android.graphics.Bitmap')

        console.log(
            Java.use('java.lang.Integer').valueOf(1), 
            config.iccid,
            0,
            name,
            name,
            0,
            0,
            config.number,
            0,
            Bitmap.createBitmap(1, 1, BitmapConfig.ARGB_8888.value),
            config.mcc,
            config.mnc,
            config.country,
            false,
            Java.cast(uicc.$w, Java.use('[Landroid.telephony.UiccAccessRule;')),
            config.iccid
        )
        SubscriptionInfo.$init(
            1,
            config.iccid,
            0,
            name,
            name,
            0,
            0,
            config.number,
            0,
            Bitmap.createBitmap(1, 1, BitmapConfig.ARGB_8888.value),
            config.mcc,
            config.mnc,
            config.country,
            false,
            Java.cast(uicc.$w, Java.use('[Landroid.telephony.UiccAccessRule;')),
            config.iccid
        )
        SubscriptionController.getActiveSubscriptionInfoList.overload('java.lang.String').implementation = function (
            callingPackage
        ) {
            const res = this.getActiveSubscriptionInfoList(callingPackage)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(`spoof SubscriptionController.getActiveSubscriptionInfoList(${callingPackage})`)
            for (let i = 0; i < res.size(); i++) {
                const info = Java.cast(res.get(i), SubscriptionInfo)
                info.mMcc.value = config.mcc
                info.mMnc.value = config.mnc
                info.mCountryIso.value = config.country
                info.mIccId.value = config.iccid
            }
            SystemProperties.set('gsm.sim.operator.iso-country', config.country)
            SystemProperties.set('gsm.sim.operator.numeric', config.mcc + config.mnc)
            SystemProperties.set('gsm.operator.numeric', config.mcc + config.mnc)
            return res
        }

        SubscriptionController.getActiveSubscriptionInfoList.overload(
            'java.lang.String',
            'java.lang.String'
        ).implementation = function (callingPackage, callingFeatureId) {
            const res = this.getActiveSubscriptionInfoList(callingPackage, callingFeatureId)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(`spoof SubscriptionController.getActiveSubscriptionInfoList(${callingPackage}, ${callingFeatureId})`)
            for (let i = 0; i < res.size(); i++) {
                const info = Java.cast(res.get(i), SubscriptionInfo)
                info.mMcc.value = config.mcc
                info.mMnc.value = config.mnc
                info.mCountryIso.value = config.country
                info.mIccId.value = config.iccid
            }
            SystemProperties.set('gsm.sim.operator.iso-country', config.country)
            SystemProperties.set('gsm.sim.operator.numeric', config.mcc + config.mnc)
            SystemProperties.set('gsm.operator.numeric', config.mcc + config.mnc)

            return res
        }

        SubscriptionController.getActiveSubscriptionInfoList.overload('java.lang.String').implementation = function (
            callingPackage
        ) {
            const res = this.getActiveSubscriptionInfoList(callingPackage)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(`spoof SubscriptionController.getActiveSubscriptionInfoList(${callingPackage})`)
            for (let i = 0; i < res.size(); i++) {
                const info = Java.cast(res.get(i), SubscriptionInfo)
                info.mMcc.value = config.mcc
                info.mMnc.value = config.mnc
                info.mCountryIso.value = config.country
                info.mIccId.value = config.iccid
            }
            SystemProperties.set('gsm.sim.operator.iso-country', config.country)
            SystemProperties.set('gsm.sim.operator.numeric', config.mcc + config.mnc)
            SystemProperties.set('gsm.operator.numeric', config.mcc + config.mnc)
            return res
        }

        const PhoneSubInfoController = Java.use('com.android.internal.telephony.PhoneSubInfoController')
        PhoneSubInfoController.getIccSerialNumberForSubscriber.overload(
            'int',
            'java.lang.String',
            'java.lang.String'
        ).implementation = function (subId, callingPackage, callingFeatureId) {
            const res = this.getIccSerialNumberForSubscriber(subId, callingPackage, callingFeatureId)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(
                `spoof PhoneInterfaceManager.getIccSerialNumberForSubscriber(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.iccid}`
            )
            return config.iccid
        }
        PhoneSubInfoController.getSubscriberIdForSubscriber.overload(
            'int',
            'java.lang.String',
            'java.lang.String'
        ).implementation = function (subId, callingPackage, callingFeatureId) {
            const res = this.getSubscriberIdForSubscriber(subId, callingPackage, callingFeatureId)
            if (!checkPackage(callingPackage)) {
                return res
            }
            Log.i(
                `spoof PhoneInterfaceManager.getSubscriberIdForSubscriber(${subId}, ${callingPackage}, ${callingFeatureId}): ${res} -> ${config.imsi}`
            )
            return config.imsi
        }
    })
})