[Security Fix - Update] USSD Codes can remotely wipe your data - HTC One X

In the www the info is spread that it's possible to remote wipe devices with USSD codes. More info here:
Remote wipe attack not limited to Samsung phones, Android dialer may be to blame
and here:
http://dylanreeve.posterous.com/remote-ussd-attack
I immediately took a look at our Sense code on smali level and "fixed" that issue. I put that "fixed" into quotes because of the following things:
Just because your IMEI shows when executing this "security test" doesn't automatically mean your phone is vulnerable:
Code:
.method static handleChars(Landroid/content/Context;Ljava/lang/String;ZLandroid/widget/EditText;Landroid/content/res/Resources;)Z
.locals 2
invoke-static {p1}, Landroid/telephony/PhoneNumberUtils;->stripSeparators(Ljava/lang/String;)Ljava/lang/String;
move-result-object v0
invoke-static {p0, v0, p2, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleIMEIDisplay(Landroid/content/Context;Ljava/lang/String;ZLandroid/content/res/Resources;)Z
move-result v1
if-nez v1, :cond_0
invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handlePinEntry(Landroid/content/Context;Ljava/lang/String;)Z
move-result v1
if-nez v1, :cond_0
invoke-static {p0, v0, p3, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleAdnEntry(Landroid/content/Context;Ljava/lang/String;Landroid/widget/EditText;Landroid/content/res/Resources;)Z
move-result v1
if-nez v1, :cond_0
invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleSecretCode(Landroid/content/Context;Ljava/lang/String;)Z
move-result v1
if-eqz v1, :cond_1
:cond_0
const/4 v1, 0x1
:goto_0
return v1
:cond_1
const/4 v1, 0x0
goto :goto_0
.end method
The handleChars method is called when text/numbers are entered via the dialpad. In this method you can see four submethods:
handleIMEIDisplay
handlePinEntry
handleAdnEntry
handleSecretCode
This means that the display of the IMEI and the execution of the USSD codes (handleSecretCode method) are handled in different methods.
In handleSecretCode there are a few hardcoded commands that are executed, like:
com.android.phone.NetworkModeSelectionActivity or com.android.phone.CallFeaturesSetting
which aren't dangerous. There are two sendBroadcast commands though, which send the command with an android.provider.Telephony.SECRET_CODE intent.
One of those is limited to commands that start with *#*# or end with *#*#. So if USSD commands always start with *, which is also said in the article, that one isn't dangerous.
Please read the update at the bottom.
The other one is just executed when the phonetype is 2:
Code:
const/4 v10, 0x2
const/4 v5, 0x1
.....
invoke-virtual {v3}, Landroid/telephony/TelephonyManager;->getPhoneType()I
move-result v7
The phonetype 2 is:
Phonetype 2
and the broadcast is also sent with the beginning string android_secret_code://cdma ...so this broadcast shouldn't affect us and isn't dangerous either.
No guarantees that I'm right with my guess. But for those who are still frightened, do the following:
Code:
.method static handleChars(Landroid/content/Context;Ljava/lang/String;ZLandroid/widget/EditText;Landroid/content/res/Resources;)Z
.locals 2
invoke-static {p1}, Landroid/telephony/PhoneNumberUtils;->stripSeparators(Ljava/lang/String;)Ljava/lang/String;
move-result-object v0
invoke-static {p0, v0, p2, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleIMEIDisplay(Landroid/content/Context;Ljava/lang/String;ZLandroid/content/res/Resources;)Z
move-result v1
if-nez v1, :cond_0
invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handlePinEntry(Landroid/content/Context;Ljava/lang/String;)Z
move-result v1
if-nez v1, :cond_0
invoke-static {p0, v0, p3, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleAdnEntry(Landroid/content/Context;Ljava/lang/String;Landroid/widget/EditText;Landroid/content/res/Resources;)Z
# keep the result of handleAdnEntry in v1; only the handleSecretCode call below is disabled
move-result v1
#if-nez v1, :cond_0
#invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleSecretCode(Landroid/content/Context;Ljava/lang/String;)Z
#move-result v1
if-eqz v1, :cond_1
:cond_0
const/4 v1, 0x1
:goto_0
return v1
:cond_1
const/4 v1, 0x0
goto :goto_0
.end method
It's in the HtcDialier.apk,
android/htcdialer/widget/SpecialCharSequenceMgr.smali
This will deactivate the call to the handleSecretCode method where the possibly dangerous commands could be executed.
This should work, from my interpretation of the code. I'm not responsible if it doesn't work and your phone data is still vulnerable.
If you comment out the call for the IMEI window and start the security test again, you will notice though that your IMEI shouldn't show anymore like before.
I will attach my already modified version, should work on all 2.17 based ROMs...and also earlier.
Cheers, Jan
Update:
HTC secret codes for HTC One X
*#*#7780#*#* = factory reset !! BE CAREFUL!
##4772579# = reset GPS - working?
*2767*3855# = factory format !! BE CAREFUL!
*#*#197328640#*#* = service mode? - after two tests seems to be NOT WORKING
...would mean that if *#*#7780#*#* works, there's a risk that this command is sent via the 1st broadcast I explained, which means that there could be a danger.
But if you test it you will see that none of those codes affect us in any way.

Great job, you're really fast!
EDIT: installation fails on my HOX.. it asks me if I want to replace this system app and when I say OK it fails installation.

Slaytanic said:
Great job, you're really fast!
EDIT: installation fails on my HOX.. it asks me if I want to replace this system app and when I say OK it fails installation.
You need to push it to system/app with adb. You can't install it.
I will create a flashable zip in a few...
EDIT: flashable zip attached.

When I try to install this apk it declines, should I substitute it in the system directly?
---------- Post added at 08:07 AM ---------- Previous post was at 08:05 AM ----------
j4n87 said:
You need to push it to system/app with adb. You can't install it.
I will create a flashable zip in a few...
EDIT: flashable zip attached.
Already answered

j4n87 said:
You need to push it to system/app with adb. You can't install it.
I will create a flashable zip in a few...
EDIT: flashable zip attached.
You're too fast :good: Thanks! I'll donate for your marriage

Great, I did the testing myself yesterday..
My HOX prompted out my IMEI, OMG..
Thanks for the FIX..
You're even faster than Samsung..
HTC should speak out and fix it ASAP too..

Thanks
This is a little over my head but did the test and my IMEI showed up so I guess im vulnerable, thanks for the fix.

I did the test...Nothing happened, no dialer run, no showing #06, no IMEI appeared, loaded like plain link....Do i need install this fix??
ROM - ViperX 2.7.1, Browser - Opera :cyclops:

TAGTRAUM said:
I did the test...Nothing happened, no dialer run, no showing #06, no IMEI appeared, loaded like plain link....Do i need install this fix??
ROM - ViperX 2.7.1, Browser - Opera :cyclops:
read somewhere that only stock browsers are vulnerable. Opera, Chrome, Firefox etc. should be fine...

TAGTRAUM said:
I did the test...Nothing happened, no dialer run, no showing #06, no IMEI appeared, loaded like plain link....Do i need install this fix??
ROM - ViperX 2.7.1, Browser - Opera :cyclops:
All HTC Sense devices are affected...this browser thing seems to work just on stock browser though. But keep in mind that those codes can be sent via sms as well.
Please read my article carefully again, then you can decide on your own if you want to flash this patch or not.

robocik said:
read somewhere that only stock browsers are vulnerable. Opera, Chrome, Firefox etc. should be fine...
correct, but as mentioned above those codes could be sent via sms as well.
btw...you are alive! =P
Imo there's really no danger concerning these codes.
the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />
I didn't test it myself, but through my code analysis this code should never execute on our Sense One X devices.
Please check the updated OP at the bottom.
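A defender-side check for the trigger discussed in this thread, as an added example (not code from the thread or from any dialer): it scans HTML for tel: URIs, decodes them the way a dialer would see them, and flags MMI/USSD strings and *#*#...#*#* secret codes, in particular when a tag loads them without a tap. The function names, the tag list and the sample page are constructed for illustration, and the separator stripping is a simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags whose URL attribute is fetched without a tap (assumed list for this example).
AUTOLOAD_TAGS = {"frame", "iframe", "img", "embed", "object", "script"}
URL_ATTRS = {"src", "href", "data"}

SECRET_CODE = re.compile(r"^\*#\*#\d+#\*#\*$")  # *#*#<digits>#*#*
MMI_CODE = re.compile(r"^[*#][0-9*#]*#$")       # starts with * or #, ends with #

# Constructed sample page; the frame line is the one quoted in the thread.
SAMPLE_HTML = """
<html><body>
<a href="tel:+1-555-0100">Call support</a>
<frame src="tel:*2767*3855%23" />
<iframe src="tel:*%2306%23"></iframe>
<a href="tel:*%23*%237780%23*%23*">tap me</a>
</body></html>
"""


def normalize(tel_body):
    """Percent-decode and keep only dialable characters, roughly what a
    dialer's separator stripping leaves behind (simplified)."""
    return re.sub(r"[^0-9*#+]", "", unquote(tel_body))


def classify(dialed):
    """Return 'secret-code', 'mmi' or 'number' for a normalized dial string."""
    if SECRET_CODE.match(dialed):
        return "secret-code"
    if MMI_CODE.match(dialed):
        return "mmi"
    return "number"


class TelUriFinder(HTMLParser):
    """Collects every tel: URI found in a URL-carrying attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            value = value.strip()
            if value[:4].lower() != "tel:":
                continue
            dialed = normalize(value[4:])
            self.findings.append({
                "tag": tag,
                "attr": name,
                "dialed": dialed,
                "kind": classify(dialed),
                "autoload": tag in AUTOLOAD_TAGS,
            })


def scan_html(html):
    """Return one finding per tel: URI, in document order."""
    finder = TelUriFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def needs_block(finding):
    """True for a code (not a plain number) that loads without user action."""
    return finding["autoload"] and finding["kind"] != "number"


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        verdict = "BLOCK" if needs_block(f) else "ok/confirm"
        print(f"{verdict:10} <{f['tag']} {f['attr']}> {f['dialed']} ({f['kind']})")
```

A code reached through a tapped link is not flagged by needs_block, but its kind is still reported so a filter can ask for confirmation before passing it to the dialer.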

Just made a quick fix app for those that don't want to alter their dialers - http://forum.xda-developers.com/showthread.php?t=1908170

j4n87 said:
All HTC Sense devices are affected...this browser thing seems to work just on stock browser though. But keep in mind that those codes can be sent via sms as well.
Please read my article carefully again, then you can decide on your own if you want to flash this patch or not.
Nope, it works on chrome too.
I am using an AOSP contacts/dialer hybrid and I see the IMEI when visiting the page linked in OP (through chrome).
Now, I tried to fix the code part in the dialer I use but I get FCs after installing, no matter if I sign the apk or not.
But I trust you fully if you say that there should be no effect on our One X as there is no Factory Reset code to be run through the dialer.
Also, I have a nandroid around which is never really older than 2 weeks and my apps backup and sync to Drive every other day.
Btw, I attached the apk if you want to have a look.

pandata000 said:
Just made a quick fix app for those that don't want to alter their dialers - http://forum.xda-developers.com/showthread.php?t=1908170
Planned that as well, but don't have Eclipse at work =D.
Good work m8, linked it in the first post above the attachments.

I update the dial but lose the red venon dial, if i run the redvenon zip this invulnerability comes again, right?

samarain said:
I update the dial but lose the red venon dial, if i run the redvenon zip this invulnerability comes again, right?
Yepp
Sent from my HTC One X using xda premium

Great work Jan! I knew someone in XDA will fix the problem

Flashed .zip file via CWM, after rebooting my phone I went to this http://dylanreeve.com/phone.php page to check if this is working, the IMEI thing popped up anyway. Does this thing work? How can I check that?

ViTAMiNCHEG said:
Flashed .zip file via CWM, after rebooting my phone I went to this http://dylanreeve.com/phone.php page to check if this is working, the IMEI thing popped up anyway. Does this thing work? How can I check that?
please reread the OP.

Samsung have the same problem
Anyway thx for the fix
Sent from my HTC One X using XDA Premium App


[MOD] Services.jar mod to allow BLN on stock Mms.apk

Hi,
The credits of this mod goes the author montymintypie who made the modification to the services.jar for the GT-I9000.
I only ported the modification's to the GT-I9100 and made a version for both odex and deodex rom's.
Files:
ONE.PT.XXKG6.Services.Patch.BLN.zip
ONE.PT.XXKG6.Services.Patch.BLN.DEODEX.zip
KH3:
ONE.PT.XXKH3.Services.Patch.BLN.zip
XWKI4
ONE.PT.XWKI4.Services.Patch.BLN.zip
ONE.PT.XWKI4.Services.Patch.BLN.DEODEX.zip
liblights are included, be sure to use a kernel that suports BLN and Neldar's BLN app.
Thanks for sicopat for tracking the original author, montymintypie.
Big thanks ,Work finally
Nice to see someone has managed to get this working for the I9100. Very useful
Just got my first Sammy. Come from moto and HTC... Pray tell, what is BLN?
Sent from my GT-I9100 using Tapatalk
alias_neo said:
Just got my first Sammy. Come from moto and HTC... Pray tell, what is BLN?
Sent from my GT-I9100 using Tapatalk
The two soft keys at the side of the home button light up when the screen is off, just to show you have a notification
dh2311 said:
The two soft keys at the side of the home button light up when the screen is off, just to show you have a notification
Ah ok, mine doesn't do that stock, iv been baffled since I got the phone yesterday that it doesn't have a notification led.
It took me about 5 minutes just staring aimlessly at my phone wondering where my buttons where, when then suddenly I turned the screen on and they lit up.
Soon as I ascertain how easily I can mod the phone and get it to rooted stock uk, and easily back to the stock voda uk it has on it now, I will. It is only a day old after all.
Sent from my GT-I9100 using Tapatalk
Works as advertised. Time to uninstall NoLED on my Galaxy S2...
alias_neo said:
Ah ok, mine doesn't do that stock, iv been baffled since I got the phone yesterday that it doesn't have a notification led.
It took me about 5 minutes just staring aimlessly at my phone wondering where my buttons where, when then suddenly I turned the screen on and they lit up.
Soon as I ascertain how easily I can mod the phone and get it to rooted stock uk, and easily back to the stock voda uk it has on it now, I will. It is only a day old after all.
Sent from my GT-I9100 using Tapatalk
Nice story bro.
gusoldier said:
Nice story bro.
Rofl xD
Sent from my GT-I9100 using Tapatalk
Can you post a link to the original thread or the changes made to services.jar? Just out of curiosity..I want to know where and what changes are made...
Thanks for finding it, needless to say is very useful. Again thank you!
Works perfectly on Criskelo V10
ONLY thing I miss now, is full compatabillity with scrolling widgets with TW
Not work for me on Litening 5.0 . Now no notification for new SMS. How can I back to original? Tks!
Check the files inside the ZIP you've downloaded and take the same files out of the ZIP of the ROM you're running. Now push those files to your device using the 'adb push' command
Sent from my sgs2
Should this work without any other changes except BLN Pro and correct liblights?
I've done it manually, so exchanged both files on my Litening 5 but seems not to work!? Ideas why?
Use Odex Version for Litening 5, this one is working fine!
Modifications to Services.jar from montymintypie
Modification of the file : services/com/android/server/NotificationManagerService.smali b/smali/com/android/server/NotificationManagerService.smali
Code:
diff -urN a/smali/com/android/server/NotificationManagerService.smali b/smali/com/android/server/NotificationManagerService.smali
--- a/smali/com/android/server/NotificationManagerService.smali
+++ b/smali/com/android/server/NotificationManagerService.smali
@@ -2064,7 +2064,7 @@
:goto_0
iget-boolean v4, p0, Lcom/android/server/NotificationManagerService;->mScreenOn:Z
- if-nez v4, :cond_0
+ [B]#if-nez v4, :cond_0[/B]
iget-object v4, p0, Lcom/android/server/NotificationManagerService;->mLedNotification:Lcom/android/server/NotificationManagerService$NotificationRecord;
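Review bot: The added line in this hunk, "+ [B]#if-nez v4, :cond_0[/B]", still carries the forum's [B]...[/B] bold markup, so the file will not assemble if the patch is applied as posted; the line should read "#if-nez v4, :cond_0". With the branch commented out, the iget-boolean of mScreenOn into v4 directly above it becomes a dead read, so either comment it out as well or leave a smali comment saying why the screen-on check is skipped.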
@@ -2114,7 +2114,7 @@
iget-boolean v4, p0, Lcom/android/server/NotificationManagerService;->mScreenOn:Z
- if-nez v4, :cond_3
+ [B]#if-nez v4, :cond_3[/B]
.line 1147
iput-boolean v7, p0, Lcom/android/server/NotificationManagerService;->mPendingPulseNotification:Z
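Review bot: In the second hunk, commenting out "if-nez v4, :cond_3" makes the iput-boolean to mPendingPulseNotification run whether or not mScreenOn is set, and the posted context does not show what the :cond_3 path did, so the behaviour with the screen on is undocumented. A comment next to the disabled branch stating the intended effect would help. The hunk header also says 7 lines on each side while fewer are shown, so the stripped context has to be restored before the diff can be applied with patch.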
please, add credits to montymintypie in first post
sicopat said:
Modifications to Services.jar from Nedlar himself (author of BLN Control)
Modification of the file : services/com/android/server/NotificationManagerService.smali b/smali/com/android/server/NotificationManagerService.smali
Code:
diff -urN a/smali/com/android/server/NotificationManagerService.smali b/smali/com/android/server/NotificationManagerService.smali
--- a/smali/com/android/server/NotificationManagerService.smali
+++ b/smali/com/android/server/NotificationManagerService.smali
@@ -2064,7 +2064,7 @@
:goto_0
iget-boolean v4, p0, Lcom/android/server/NotificationManagerService;->mScreenOn:Z
- if-nez v4, :cond_0
+ [B]#if-nez v4, :cond_0[/B]
iget-object v4, p0, Lcom/android/server/NotificationManagerService;->mLedNotification:Lcom/android/server/NotificationManagerService$NotificationRecord;
@@ -2114,7 +2114,7 @@
iget-boolean v4, p0, Lcom/android/server/NotificationManagerService;->mScreenOn:Z
- if-nez v4, :cond_3
+ [B]#if-nez v4, :cond_3[/B]
.line 1147
iput-boolean v7, p0, Lcom/android/server/NotificationManagerService;->mPendingPulseNotification:Z
please, add credits to nedlar in first post
Hi there sicopat,
I never took any credits from anyone. As said in first post, the credits DO NOT belong to me but to the original author.
The implementation that I used had more changes to the code. I am glad that Neldar himself came up with a better solution.
Please see attached file.
Please correct your statement.
Thank you,
Best regards.
no.one.writeme said:
Hi there sicopat,
I never took any credits from anyone. As said in first post, the credits DO NOT belong to me but to the original author.
The implementation that I used had more changes to the code. I am glad that Neldar himself came up with a better solution.
Please see attached file.
Please correct your statement.
Thank you,
Best regards.
I know you didn't take the credit for yourself. And my mistake, it wasn't Nedlar who made the above modification to Services.jar
I tried the modification above and it worked well
YOU ARE THE ONE WHO TRIED WITH SUCCESS THIS I9000 MOD,
thanks for that
sicopat said:
I know you didn't take the credit for yourself. And my mistake, it wasn't Nedlar who made the above modification to Services.jar
I tried the modification above and it worked well
YOU ARE THE ONE WHO TRIED WITH SUCCESS THIS I9000 MOD,
thanks for that
Thanks for tracking the original author. Credits updated on first post.
Best regards.
@no.one.writeme
Can you also tell in the first post that the attached files are updated?
Otherwise people will ask if the files contain the updated services.jar.
Great work. Creating Nandroid as we type...
mccune said:
@no.one.writeme
Can you also tell in the first post that the attached files are updated?
Otherwise people will ask if the files contain the updated services.jar.
Great work. Creating Nandroid as we type...
Hi,
The attached services.7z file is the original file of which I based the port I made. I believe it from a XXJVQ firmware from the SGS Galaxy S.
The MOD files for the SGS II are only in the first post.
Best regards,

[REQ][ICS]How to add Screenshot and Recovery and Reboot on power menu ???

hi baX
i want to have Reboot and Recovery and Screenshot on Power menu of ICS .13 Rom...
how i can add them to Power menu?
is here any body that can help me?
Use this guide
http://forum.xda-developers.com/showthread.php?t=2125196
If u dont get it, remind me tomorrow and i will do it fr u
Sent from my LT18i
Any body???
any body is not here that can help me????
Sahaab said:
Use this guide
http://forum.xda-developers.com/showthread.php?t=2125196
If u dont get it, remind me tomorrow and i will do it fr u
Sent from my LT18i
its for JB
i want this in ICS .13 my good friend
Realy no one ??????????????????????
s.bluedreams said:
Realy no one ??????????????????????
eaglebooy's MOD for UHD has those, if you're using that rom, check it out
http://d-h.st/oM3
schlager P. said:
eaglebooy's MOD for UHD has those, if you're using that rom, check it out
http://d-h.st/oM3
yeah his mod include this and its is very very good and nice but i need my phone for game and mod uses much more ram...
s.bluedreams said:
hi baX
i want to have Reboot and Recovery and Screenshot on Power menu of ICS .13 Rom...
how i can add them to Power menu?
is here any body that can help me?
I want it too(for stock ics) can anyone help us?
poria1999 said:
I want it too(for stock ics) can anyone help us?
i searched very much
it seems its very hard work
i found one Tut and do it but not Works...
s.bluedreams said:
i searched very much
it seems its very hard work
i found one Tut and do it but not Works...
http://lmgtfy.com/?q=how+to+add+reboot+to+power+menu+ics
1st result.
Someguyfromhell said:
http://lmgtfy.com/?q=how+to+add+reboot+to+power+menu+ics
1st result.
Doesnt works
Tested !
Originally Posted by s.bluedreams
i searched very much
it seems its very hard work
i found one Tut and do it but not Works...
http://lmgtfy.com/?q=how+to+add+reboot+to+power+menu+ics
1st result.
Nice link
But the first result does not work on Arc
Arc needs a framework.jar edit as well
I some how got it added on my Rom, followed many guides and was very very hard
And even harder to explain
Sent from my LT18i
Sahaab said:
Nice link
But the first result does not work on Arc
Arc needs a framework.jar edit as well
I some how got it added on my Rom, followed many guides and was very very hard
And even harder to explain
Sent from my LT18i
Plz explain for the sake of god,we need this ...
poria1999 said:
Plz explain for the sake of god,we need this ...
I. Might add the framework.jar file
Rest u can edit urself
Sent from my LT18i
Sahaab said:
I. Might add the framework.jar file
Rest u can edit urself
Sent from my LT18i
Tnx,but it's not all of my problem...
The lines that are pointed to (in android.policy.jar) in the same guide don't match the lines in my android.policy.jar (stock 587)...
Sent from my LT18i using Tapatalk 2
poria1999 said:
Tnx,but it's not all of my problem...
The lines that are pointed to (in android.policy.jar) in the same guide don't match the lines in my android.policy.jar (stock 587)...
Sent from my LT18i using Tapatalk 2
That u jst have to find out by looking at other stuff near em and matching
Sent from my LT18i
Its so friggin easy damn guys use beyond compare not a single line of code needs to be redone move your lazy ass and spend some effort into it, if you want to do it, you can do it.
jader13254 said:
Its so friggin easy damn guys use beyond compare not a single line of code needs to be redone move your lazy ass and spend some effort into it, if you want to do it, you can do it.
+1
use 'power button' with 'volume down button', together, dont be fast
jader13254 said:
Its so friggin easy damn guys use beyond compare not a single line of code needs to be redone move your lazy ass and spend some effort into it, if you want to do it, you can do it.
@jader13254
Hi buddy...
I used ur advice and I tried reverse engineering :laugh: from Aeon world smallapp but I get bootloop all time or when i press power button my phone shutdown auto automatically...
this is all of change that i did :
i modified framework_res.apk(add strings & add pngs to drawable-hdpi(ic_lock_reboot.png) and i copy the ids(from public.xml) to GlobalActions.smali....
i changed this part of this file
android.policy.jar\classout\com\android\internal\policy\impl\GlobalActions.smali
from this:
Code:
.line 163
iget-object v0, p0, Lcom/android/internal/policy/impl/GlobalActions;->mItems:Ljava/util/ArrayList;
new-instance v1, Lcom/android/internal/policy/impl/GlobalActions$2;
const v2, 0x1080030
const v3, 0x1040155
invoke-direct {v1, p0, v2, v3}, Lcom/android/internal/policy/impl/GlobalActions$2;-><init>(Lcom/android/internal/policy/impl/GlobalActions;II)V
invoke-virtual {v0, v1}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
.line 183
iget-object v0, p0, Lcom/android/internal/policy/impl/GlobalActions;->mItems:Ljava/util/ArrayList;
iget-object v1, p0, Lcom/android/internal/policy/impl/GlobalActions;->mAirplaneModeOn:Lcom/android/internal/policy/impl/GlobalActions$ToggleAction;
invoke-virtual {v0, v1}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
to this:
Code:
.line 163
iget-object v0, p0, Lcom/android/internal/policy/impl/GlobalActions;->mItems:Ljava/util/ArrayList;
new-instance v1, Lcom/android/internal/policy/impl/GlobalActions$2;
const v2, 0x1080030
const v3, 0x1040155
invoke-direct {v1, p0, v2, v3}, Lcom/android/internal/policy/impl/GlobalActions$2;-><init>(Lcom/android/internal/policy/impl/GlobalActions;II)V
invoke-virtual {v0, v1}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
.line 181
iget-object v0, p0, Lcom/android/internal/policy/impl/GlobalActions;->mItems:Ljava/util/ArrayList;
new-instance v1, Lcom/android/internal/policy/impl/GlobalActions$8;
const v2, 0x1040548
invoke-direct {v1, p0, p2, v2}, Lcom/android/internal/policy/impl/GlobalActions$8;-><init>(Lcom/android/internal/policy/impl/GlobalActions;II)V
invoke-virtual {v0, v1}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
.line 182
iget-object v0, p0, Lcom/android/internal/policy/impl/GlobalActions;->mItems:Ljava/util/ArrayList;
new-instance v1, Lcom/android/internal/policy/impl/GlobalActions$9;
after that i copy GlobalActions$8.smali &GlobalActions$9.smali to the same folder...
and i replaced this file from aeon mod...
framework.jar\classout\com\android\internal\app\ShutdownThread.smali
to stuck...
now can u or anyone else tell me where is the problem???
tnx

[MOD]Native Hotspot Hack[ALL OTAs + LP][Odex][DeOdex]

HUGE Thanks to Metalboy94 for his vigorous attempts to get this working for us Sprint users. He doesn't even own a Sprint device, so please show him some love!
How to Install
- Download File based on ROM type.
- Flash File via TWRP or Philz recovery.
- Wipe Cache/Dalvik.
- Reboot System
- Upon boot, update Profile/PRL and reboot again to ensure functionality.
- Profit!
Mirrors
Mediafire
Contributors
Justinswidebody, Bullghost, Metalboy94, Ascertion, SaintZ93, Lefty1409,
Tabp0le
Version Information
Status: Stable
Created 2013-12-25
Last Updated 2015-4-28
Mine.
Yay time to paypal
Sent from my LG-LS980 using XDA Premium 4 mobile app
Errr
Sent from my LG-LS980 using XDA Premium 4 mobile app
fatboypup said:
Errr
Sent from my LG-LS980 using XDA Premium 4 mobile app
Are you on v8 based ROM?
I just tried the same zip and it's working for me.
Sent from my LG-LS980
Ascertion said:
HUGE Thanks to Metalboy94 for his vigorous attempts to get this working for us Sprint users. He doesn't even own a Sprint device, so please show him some love!
And thanks to you for all your testing! Any chance we can get an odexed version for those of us still running the stock ROM? (I'll look into converting deodexed to odexed, but no experience w/ it yet).
Great job guys! Merry Christmas!
Errr **** im on the odex rom time to flash to ice
Sent from my LG-LS980 using XDA Premium 4 mobile app
fatboypup said:
Errr **** im on the odex rom time to flash to ice
Sent from my LG-LS980 using XDA Premium 4 mobile app
Lol. I'd recommend flashing the v1.1 test. Page 5 of IceROM. Then the Email fix. 100% awesome combo.
Sent from my LG-LS980
Ascertion said:
Lol. I'd recommend flashing the v1.1 test. Page 5 of IceROM. Then the Email fix. 100% awesome combo.
Sent from my LG-LS980
will do
Guide - Make your own native hotspot mod
I will try to keep it as simple as possible.
1. Decompile /system/framework/services.jar (or services.odex) with your favorite smali tool.
2. Inside the folder where you decompiled it, go to com/android/server/connectivity and open TetherNetwork.smali with a text editor (preferably Notepad++).
3. Replace the following:
Code:
.line 118
const/4 v0, -0x1
with
Code:
.line 118
const/4 v0, 0x1
and
Code:
.line 718
const/4 v0, -0x1
with
Code:
.line 718
const/4 v0, 0x1
and
Code:
.method public isTetherNetworkAvail()Z
.locals 1
.prologue
.line 331
iget-object v0, p0, Lcom/android/server/connectivity/TetherNetwork;->mTetherNetworkDataTrans:Lcom/android/server/connectivity/TetherNetworkDataTransition;
if-eqz v0, :cond_0
.line 332
iget-object v0, p0, Lcom/android/server/connectivity/TetherNetwork;->mTetherNetworkDataTrans:Lcom/android/server/connectivity/TetherNetworkDataTransition;
invoke-virtual {v0}, Lcom/android/server/connectivity/TetherNetworkDataTransition;->isPamPdnDataProfileEnabled()Z
move-result v0
.line 334
:goto_0
return v0
:cond_0
const/4 v0, 0x1
goto :goto_0
.end method
with
Code:
.method public isTetherNetworkAvail()Z
.locals 1
.prologue
.line 331
const/4 v0, 0x1
return v0
.end method
BONUS: If you want to be sure you removed (at least aesthetically) the tethering plan dialog, replace:
Code:
invoke-direct {p0, v0, v1}, Lcom/android/server/connectivity/TetherNetwork;->showDialog(Landroid/content/Context;I)V
with
Code:
#invoke-direct {p0, v0, v1}, Lcom/android/server/connectivity/TetherNetwork;->showDialog(Landroid/content/Context;I)V
4. Recompile services.jar/odex(odexed ROM users, there are a few guides on XDA on how to use dexopt-wrapper to recompile framework stuff with odexes)
5. Push it back to the phone (make sure you set the right permissions)
6. Reboot and enjoy.
Will this work with a stock rooted rom? I just flash it?
Will definitely donate.. Ive been wanting this since day 1.
Sent from my LG-LS980 using xda app-developers app
Omg thank you!!
o0adam0o said:
Will this work with a stock rooted rom? I just flash it?
Will definitely donate.. Ive been wanting this since day 1.
Sent from my LG-LS980 using xda app-developers app
Nope
Sent from my LG-LS980 using xda premium
mchlbenner said:
Nope
Sent from my LG-LS980 using xda premium
I'm working on a version that will work w/ the stock rom, but being somewhat of a n00b to all this, I'm currently stuck trying to re-odex the classes.dex file I obtained from smali. I don't have a fully rooted device (only root adb shell via g2_security), so I don't have busybox on my phone in order to run dexopt-wrapper .... I also don't have a nandroid since I haven't rooted, so I'm a bit weary of [semi]bricking my phone if I don't get this just right ... trying to follow some tutorials online. Anyone else here have experience editing services.odex files?
I'm working on it. Give me a few
Sent from my LG-LS980 using XDA Premium 4 mobile app
James7Bond007 said:
I'm working on a version that will work w/ the stock rom, but being somewhat of a n00b to all this, I'm currently stuck trying to re-odex the classes.dex file I obtained from smali. I don't have a fully rooted device (only root adb shell via g2_security), so I don't have busybox on my phone in order to run dexopt-wrapper .... I also don't have a nandroid since I haven't rooted, so I'm a bit weary of [semi]bricking my phone if I don't get this just right ... trying to follow some tutorials online. Anyone else here have experience editing services.odex files?
I think you can sideload busybox and then use dexopt-wrapper.. Would be a lot easier then trying to do it from PC. That said, I'm sure someone is working on it already, but if not, I'll try doing it after work tomorrow.
souleman said:
I think you can sideload busybox and then use dexopt-wrapper.. Would be a lot easier then trying to do it from PC. That said, I'm sure someone is working on it already, but if not, I'll try doing it after work tomorrow.
That worked fine ... I now have a hacked services.odex, so theoretically I could just replace it with my existing one and I'd be good to go. Only problem is that when I decompiled the hacked services.odex and compared what I got with what I had in the decompiled original services.odex file, there are over 400 files that are now different (I was hoping for just the TetherNetwork.smali to have changed). Ah well, I think I'll be a bit patient and try to figure out the reason for all the differences while waiting for justinswidebody.
Update: reason for the files being different was there are now extra comments in the smali files for the deodexed version ... so maybe it's time to give this thing a shot!
What did you use to odex? I keep getting errors
Sent from my LG-LS980 using XDA Premium 4 mobile app
Great work. Looking forward to seeing native hotspot mod on the stock rom.
Sent from my LG G2 LS980 using Tapatalk
justinswidebody said:
What did you use to odex? I keep getting errors
I used the tools from here:
http://dl.xda-developers.com/attach...3/6/8/1/4/0/8/all_for_deodexing_reodexing.zip
I used this line to decompile services.odex:
java -jar ..\baksmali-2.0.2.jar -d . -x services.odex
and then edited the smali file per MetalBoy's instructions.
After running
java -jar ..\smali-2.0.2.jar out
...to create the .dex file, I used 7zip to put the classes.dex file into services.jar. I then copied the new services.jar to the phone and ran:
dexopt-wrapper ./services.jar ./services.odex
...and received the lines you're supposed to (according to http://forum.xda-developers.com/showthread.php?t=1208320):
--- BEGIN '/system/framework/android.policy.jar' (bootstrap=0) ---
--- waiting for verify+opt, pid=7194
--- would reduce privs here
--- END '/system/framework/android.policy.jar' (success) ---
...I then did the line:
dd if=/system/framework/services.odex of=./services.odex bs=1 count=20 skip=52 seek=52 conv=notrunc
and verified the response was:
20+0 records in
20+0 records out
20 bytes (20B) copied, 0.002042 seconds, 9.6KB/s
...I then used baksmali-2.0.2 to decompile the odex'ed services.odex and KDiff3 to compare the hacked services.odex to the original to verify everything was kosher.
The wife said I can use her phone to try this out on, so ... here goes nothing!
Update: well, it didn't work ....phone didn't boot up (just a black screen with pulsating LED). But at least I didn't brick her phone. At first when I ran adb shell I didn't get a root shell, which got the heart racing a bit since I was thinking WTF am I going to do to restore the services.odex backup I had made. I then tried an adb reboot recovery and that gave me the root shell again. Phew! I think I'm a bit [way] in over my head, but at least I can go to bed without worrying about a bricked phone / staying up all night to learn how to use LG's flash tools (coming from the Samsung GS2, it seemed a lot easier to just boot into download mode and flash ROMs with Odin)
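Added example, not part of the original post: in the Dalvik odex layout the 40-byte odex header is followed by the DEX header, so offset 52 is the DEX header's 20-byte SHA-1 signature field, which is what the dd line above copies from the stock file. The Python sketch below compares a stock and a candidate services.odex and reports when that field matches although the DEX body differs; the sample files are constructed, and the SHA-256 body digest is this example's own comparison value, not something Dalvik computes.

```python
import hashlib
import struct

ODEX_MAGIC = b"dey\n"        # start of the odex container magic
DEX_SIG_OFFSET = 12          # SHA-1 field in the DEX header: after magic(8) + checksum(4)
DEX_BODY_OFFSET = 32         # first byte after magic + checksum + signature

def dex_signature_info(odex: bytes):
    """Return (file offset of SHA-1 field, its 20 bytes, SHA-256 of the DEX body)."""
    if odex[:4] != ODEX_MAGIC:
        raise ValueError("not an odex file")
    # dexOffset and dexLength are the two little-endian u4 fields after the magic.
    dex_off, dex_len = struct.unpack_from("<II", odex, 8)
    if dex_len < DEX_BODY_OFFSET or dex_off + dex_len > len(odex):
        raise ValueError("truncated or malformed odex")
    sig_off = dex_off + DEX_SIG_OFFSET
    body = odex[dex_off + DEX_BODY_OFFSET:dex_off + dex_len]
    return sig_off, odex[sig_off:sig_off + 20], hashlib.sha256(body).hexdigest()

def compare(stock: bytes, candidate: bytes) -> str:
    """Classify a candidate odex against the stock one."""
    _, stock_sig, stock_body = dex_signature_info(stock)
    _, cand_sig, cand_body = dex_signature_info(candidate)
    if stock_body == cand_body:
        return "identical"
    # Same signature field over a different body means the field was copied across.
    return "signature-transplanted" if stock_sig == cand_sig else "modified"

def make_odex(body: bytes, signature: bytes) -> bytes:
    """Constructed sample: 40-byte odex header followed by a minimal DEX."""
    dex = b"dex\n035\x00" + b"\x00" * 4 + signature + body
    header = b"dey\n036\x00" + struct.pack("<II", 40, len(dex)) + b"\x00" * 24
    return header + dex

# Constructed sample data, not taken from any real device image.
STOCK_SIG = hashlib.sha1(b"stock").digest()
STOCK = make_odex(b"stock-bytecode", STOCK_SIG)
PATCHED_KEEPING_SIG = make_odex(b"edited-bytecode", STOCK_SIG)
PATCHED_NEW_SIG = make_odex(b"edited-bytecode", hashlib.sha1(b"edited").digest())

if __name__ == "__main__":
    print(dex_signature_info(STOCK)[0])
    print(compare(STOCK, PATCHED_KEEPING_SIG))
```
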

[Q] Hide Lockscreen Statusbar

I tried to follow this guide: http://forum.xda-developers.com/showthread.php?t=2384892
But it resulted in a bootloop, so I restored back to the og android.policy.jar
Could anyone find what code to mod or make a mod to hide it? And nope, I'm not using WidgetLocker because I want the Ripple/Watercolor effects on my Note. Any help or ideas would be welcome, thanks!
Dwyan3Wad3 said:
I tried to follow this guide: http://forum.xda-developers.com/showthread.php?t=2384892
But it resulted in a bootloop, so I restored back to the og android.policy.jar
Could anyone find what code to mod or make a mod to hide it? And nope, I'm not using WidgetLocker because I want the Ripple/Watercolor effects on my Note. Any help or ideas would be welcome, thanks!
Looks like a bit has changed since that source post.
I haven't tested this, but you could try this:
In android.policy -
go to com/android/internal/policy/impl/keyguard/KeyguardViewManager.smali
and look for
Code:
.method public declared-synchronized show(Landroid/os/Bundle;)V
within that method you should find a line that looks like this:
Code:
invoke-virtual {v4, v3}, Landroid/widget/FrameLayout;->setSystemUiVisibility(I)V
I think if you add const/4 v3, 0x4 right above it you should have a fullscreen lockscreen... not sure, but I think so
so it should look like:
Code:
const/4 v3, 0x4
invoke-virtual {v4, v3}, Landroid/widget/FrameLayout;->setSystemUiVisibility(I)V
Let me know if that works, and apologies if it doesn't (keep that backup android.policy handy!)
Great info here, thanks for tip....I will give it a try...been wondering the same thing, how to remove the status bar on the lockscreen.
TheAxman said:
Great info here, thanks for tip....I will give it a try...been wondering the same thing, how to remove the status bar on the lockscreen.
No prob - let me know if it works!
dwitherell said:
No prob - let me know if it works!
Will try later, Imma see what happens.
TheAxman said:
Great info here, thanks for tip....I will give it a try...been wondering the same thing, how to remove the status bar on the lockscreen.
If it works, lmk too
Hi guys, sorry if I hop in but I was curious did above method work?
dwitherell said:
Looks like a bit has changed since that source post.
I haven't tested this, but you could try this:
In android.policy -
go to com/android/internal/policy/impl/keyguard/KeyguardViewManager.smali
and look for
Code:
.method public declared-synchronized show(Landroid/os/Bundle;)V
within that method you should find a line that looks like this:
Code:
invoke-virtual {v4, v3}, Landroid/widget/FrameLayout;->setSystemUiVisibility(I)V
I think if you add const/4 v3, 0x4 right above it you should have a fullscreen lockscreen... not sure, but I think so
so it should look like:
Code:
const/4 v3, 0x4
invoke-virtual {v4, v3}, Landroid/widget/FrameLayout;->setSystemUiVisibility(I)V
Let me know if that works, and apologies if it doesn't (keep that backup android.policy handy!)
@dwitherell
This method looked promising however it did not work for our build.
It didn't seem to make any difference.
Anyone get this working properly to remove lockscreen statusbar?
tdunham said:
@dwitherell
This method looked promising however it did not work for our build.
It didn't seem to make any difference.
Anyone get this working properly to remove lockscreen statusbar?
Out of curiosity - did the edit do anything, or was there no change? I assume this was a 4.3 build yes? If it didn't break anything but elicited no change, perhaps the rabbit hole runs a bit deeper then... or we gotta poke that method with a different forced entry (even though given this it sure seems like 0x4 was the right value).
dwitherell said:
Out of curiosity - did the edit do anything, or was there no change? I assume this was a 4.3 build yes? If it didn't break anything but elicited no change, perhaps the rabbit hole runs a bit deeper then... or we gotta poke that method with a different forced entry (even though given this it sure seems like 0x4 was the right value).
Yes, this is for 4.3. I'm not as proficient at smali as others but I don't see anything obvious either.
It didn't seem to have any effect at all. I even tried 0x0 thru 0x4 just for the sake of it to go through some other registers as well.

[DEVS][Safestrap][How-To] Reboot To Safestrap Recovery Via Power Menu

So first, we must thank @Hashcode for his wonderful Safestrap Recovery that allows us to flash custom ROMs even though we have a locked bootloader.
In this guide I will show you how to edit your power menu to change the reboot recovery from going to the recovery partition to going to Safestrap.
This is independent of the Safestrap app, IF AND ONLY IF the Safestrap image is on the phone already.
This is only for devs who want to incorporate this into their ROM, and I will not be answering questions on how to do this, as even a beginner dev can manage this.
I only ask that credit be given to @Hashcode, @Goldie, @RErick and AllianceROM and that the supplied script not be changed or modified in any way.
This is being shared freely and a little thanks goes a long way.
First things first:
You will need to decompile android.policy.jar
Look for globalactions$99$1.smali
Inside this smali file you will need to find
.method public onClick(Landroid/content/DialogInterface;I)V
and then look for this set of lines; it's at the very top
Code:
const/4 v2, 0x1
const/4 v3, 0x0
sget v0, Lcom/android/internal/policy/impl/GlobalActions$SinglePressAction;->rebootMode:I
const/4 v1, -0x1
if-le v0, v1, :cond_0
sget v0, Lcom/android/internal/policy/impl/GlobalActions$SinglePressAction;->rebootMode:I
Directly underneath that last line above add these lines
Code:
const/4 v1, 0x3
if-eq v0, v1, :cond_4
Now, at the very bottom of the same method, directly above the line that says
Code:
goto :goto_1
You will add these lines
Code:
goto :goto_1
:cond_4
const-string v1, "su -c /system/bin/recrbt.sh"
invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
move-result-object v2
invoke-virtual {v2, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
That's it for the jar file. Save and recompile. I have attached a zip with the needed script inside, which needs to be placed in
/system/bin with permissions set to 0755
Or if on a clean flash, don't worry about permissions.
:good:
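Added example, not part of the original post or of AllianceROM's code: a ROM reviewer can find this kind of edit by scanning decompiled smali for Runtime.exec calls and resolving the command string from the preceding const-string. The register tracking is a simple heuristic, and the sample input is the snippet from the post, reassembled.

```python
import re

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"(.*)"\s*$')
EXEC_CALL = re.compile(
    r'^\s*invoke-virtual(?:/range)?\s*\{([^}]*)\},\s*Ljava/lang/Runtime;->exec\(')
# Opcodes whose first operand is a destination register (heuristic subset).
WRITE = re.compile(r'^\s*(?:move|const|sget|iget|aget|new-instance)\S*\s+([vp]\d+)')

def find_exec_calls(smali: str):
    """Return one finding per Runtime.exec call, with the command if resolvable."""
    regs, findings = {}, []
    for lineno, line in enumerate(smali.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith((".method", ":")):
            regs.clear()  # new method or branch target: tracked values are unreliable
            continue
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = EXEC_CALL.match(line)
        if m:
            args = [a.strip() for a in m.group(1).split(",")]
            cmd = regs.get(args[1]) if len(args) > 1 else None
            findings.append({"line": lineno, "command": cmd,
                             "root": bool(cmd and re.match(r"su(\s|$)", cmd))})
            continue
        m = WRITE.match(line)
        if m:
            regs.pop(m.group(1), None)  # register overwritten by something else
    return findings

# Sample input: the lines from the post above, reassembled for the scan.
SAMPLE = '''\
    goto :goto_1
    :cond_4
    const-string v1, "su -c /system/bin/recrbt.sh"
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v2
    invoke-virtual {v2, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    goto :goto_1
'''

if __name__ == "__main__":
    for finding in find_exec_calls(SAMPLE):
        print(finding)
```

A finding with "command": None means the argument register was not a tracked string literal and needs manual review.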
Great job :thumbup:
Sent from my SCH-I545 using XDA Premium 4 mobile app
Surge1223 said:
Great job :thumbup:
Sent from my SCH-I545 using XDA Premium 4 mobile app
Thanks Bro!
This is one of those things that will benefit the entire community and shouldn't be kept to ourselves. This shouldn't be an Alliance exclusive as much as I want it to be. :good:
Surge1223 said:
Great job :thumbup:
Sent from my SCH-I545 using XDA Premium 4 mobile app
Oh, and you need to get an AllianceROM dev signature like the rest of us :highfive: :good:
Nice write up, appreciate this...I never implemented the 4-way reboot method just because of Safestrap. Appreciate you sharing
Edit: Just put this together and tested, works as advertised...thanks again. Interesting that the OS asks for root privileges for this action.
Excellent write up!
If this was implemented into Roms what effect would it have on DE users who are not strapped to SS?
awesome ryan and u shared!!
ps it wont work for dev editions u gotta get creative and have both in there
BeansTown106 said:
awesome ryan and u shared!!
ps it wont work for dev editions u gotta get creative and have both in there
Did you never get that figured out?
oh, a crafty dev could also make TWO ROMs. The only difference being the ap jar
RErick said:
Did you never get that figured out?
oh, a crafty dev could also make TWO ROMs. The only difference being the ap jar
OR....:sly:
Sent from my SCH-I545 using XDA Premium 4 mobile app
Surge1223 said:
OR....:sly:
Sent from my SCH-I545 using XDA Premium 4 mobile app
Hey! I need that! Optimize ftw!
Nice on RErick!!
This is sweet. Thank you.
Wanted to add, I did this on a S4 and worked perfectly.
Just wondering if this would work on an AOSP rom made for S4 Safestrap. I got it to work on TW for Safestrap. Just wondering if anyone has tried.
Surge1223 said:
OR....:sly:
Sent from my SCH-I545 using XDA Premium 4 mobile app
If you don't mind me asking, what Optimize System script are you using and also could you possibly share that script?
Nice
Good deal. Thanks for this. Gonna get this working today on DB
