20

I am trying to use reflection to access some unpublished features of the telephony API. Currently I am having trouble instantiating a serviceManager object that is needed to get the "phone" service as a binder which I can then use to instantiate a telephony object which is needed to make a call, end call, etc...

currently when I make the call 

serviceManagerObject = tempInterfaceMethod.invoke(null, new Object[] { new Binder() });

it returns a nullPointerException. I believe this has to do with creating a new Binder instead of sending the appropriate binder (which I am unsure of which one is appropriate)

public void placeReflectedCall() throws ClassNotFoundException,
        SecurityException, NoSuchMethodException, IllegalArgumentException,
        IllegalAccessException, InvocationTargetException,
        InstantiationException {
    String serviceManagerName = "android.os.IServiceManager";
    String serviceManagerNativeName = "android.os.ServiceManagerNative";
    String telephonyName = "com.android.internal.telephony.ITelephony";

    Class telephonyClass;
    Class telephonyStubClass;
    Class serviceManagerClass;
    Class serviceManagerStubClass;
    Class serviceManagerNativeClass;
    Class serviceManagerNativeStubClass;

    Method telephonyCall;
    Method telephonyEndCall;
    Method telephonyAnswerCall;
    Method getDefault;

    Method[] temps;
    Constructor[] serviceManagerConstructor;

    // Method getService;
    Object telephonyObject;
    Object serviceManagerObject;
    String number = "1111111111";

    telephonyClass = Class.forName(telephonyName);
    telephonyStubClass = telephonyClass.getClasses()[0];
    serviceManagerClass = Class.forName(serviceManagerName);
    serviceManagerNativeClass = Class.forName(serviceManagerNativeName);

    Method getService = // getDefaults[29];
    serviceManagerClass.getMethod("getService", String.class);

    Method tempInterfaceMethod = serviceManagerNativeClass.getMethod(
            "asInterface", IBinder.class);
    // this does not work
    serviceManagerObject = tempInterfaceMethod.invoke(null,
            new Object[] { new Binder() });

    IBinder retbinder = (IBinder) getService.invoke(serviceManagerObject,
            "phone");
    Method serviceMethod = telephonyStubClass.getMethod("asInterface",
            IBinder.class);
    telephonyObject = serviceMethod
            .invoke(null, new Object[] { retbinder });

    telephonyCall = telephonyClass.getMethod("call", String.class);
    telephonyEndCall = telephonyClass.getMethod("endCall");
    telephonyAnswerCall = telephonyClass.getMethod("answerRingingCall");

    telephonyCall.invoke(telephonyObject, number);

}
nneonneo
  • 171,345
  • 36
  • 312
  • 383
Ty Smith
  • 2,594
  • 2
  • 23
  • 29
  • "Currently I am having trouble instantiating a serviceManager object" is the only information you are giving about the error or problem. You've given us the code. Now tell us what it is doing or not doing that is unexpected, and how you know that it's not working correctly. – Adam Davis Jan 04 '10 at 18:14

3 Answers3

5

By doing the following

Binder tmpBinder = new Binder();
tmpBinder.attachInterface(null, "fake");
serviceManagerObject = tempInterfaceMethod.invoke(null,  new Object[] { tmpBinder });

you will get a ServiceManagerProxy instance, then the next issue happens on the line

telephonyCall.invoke(telephonyObject, number);
nneonneo
  • 171,345
  • 36
  • 312
  • 383
david
  • 1,311
  • 12
  • 32
3

I have a solution. Change:

String serviceManagerName = "android.os.IServiceManager";

to:

String serviceManagerName = "android.os.ServiceManager";
Paul Lammertsma
  • 37,593
  • 16
  • 136
  • 187
brad
  • 31
  • 1
2

Yes, it's possible! I spent 24 hours of investigating and discovering, and I've found "fresh" solution!

// "cheat" with Java reflection to gain access to
// TelephonyManager's ITelephony getter
Class c = Class.forName(tm.getClass().getName());
Method m = c.getDeclaredMethod("getITelephony");
m.setAccessible(true);
telephonyService = (ITelephony) m.invoke(tm);

Anyone who wants to develop their call-control software visit this start point:
http://www.google.com/codesearch/p?hl=en#zvQ8rp58BUs/trunk/phone/src/i4nc4mp/myLock/phone/CallPrompt.java&q=itelephony%20package:http://mylockforandroid%5C.googlecode%5C.com&d=0

There is a project. and there are important comments (and credits).

In short: copy aidl file, add permissions to manifest, copy-paste source for telephony management.

Some more info for you: You can only send AT commands if you are rooted. Then you can kill system process and send commands but you will need a reboot to allow your phone to receive and send calls.

I'm very happy! Now my Shake2MuteCall will get an update!

Paul Lammertsma
  • 37,593
  • 16
  • 136
  • 187
foryou
  • 1,799
  • 2
  • 11
  • 4
  • 2
    hi. i'm the developer of mylock. i just wanted to inform you that this no longer works on 2.3 and we're researching how we can accomplish the same result assuming super user root permission. i didn't come up with this method, a friend of mine Tedd came across it and worked out the way to apply the reflection to the itelephony. – mylock Feb 12 '11 at 06:25
  • Hey @AlBeebe Above link is not working now, Can you please share aidl files & source for telephony management? It will help me a lot. – Mr. Sajid Shaikh Jun 25 '15 at 04:58