forked from Justin42/XVoicePlus
-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathXVoicePlus.java
More file actions
302 lines (252 loc) · 15.7 KB
/
XVoicePlus.java
File metadata and controls
302 lines (252 loc) · 15.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
package io.behindthemath.xvoiceplus;
import android.app.AndroidAppHelper;
import android.app.AppOpsManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.res.XResources;
import android.os.Build;
import android.os.Bundle;
import android.os.Process;
import android.os.UserHandle;
import android.telephony.SmsManager;
import android.util.Log;
import com.crossbowffs.remotepreferences.RemotePreferenceAccessException;
import com.crossbowffs.remotepreferences.RemotePreferences;
import java.util.ArrayList;
import java.util.Set;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.IXposedHookZygoteInit;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import io.behindthemath.xvoiceplus.hooks.GCMListenerServiceHook;
import io.behindthemath.xvoiceplus.hooks.XSendSmsMethodHook;
import io.behindthemath.xvoiceplus.messages.SmsUtils;
import io.behindthemath.xvoiceplus.receivers.MessageEventReceiver;
import static de.robv.android.xposed.XposedHelpers.ClassNotFoundError;
import static de.robv.android.xposed.XposedHelpers.callMethod;
import static de.robv.android.xposed.XposedHelpers.callStaticMethod;
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import static de.robv.android.xposed.XposedHelpers.findClass;
import static de.robv.android.xposed.XposedHelpers.getObjectField;
import static de.robv.android.xposed.XposedHelpers.setIntField;
public class XVoicePlus implements IXposedHookZygoteInit, IXposedHookLoadPackage {
public static final String TAG = XVoicePlus.class.getSimpleName();
public static final String XVOICE_PLUS_PACKAGE = BuildConfig.APPLICATION_ID;
public static final String APP_NAME = TAG;
public static final String XVOICE_PLUS_PREFERENCES_FILE_NAME = XVOICE_PLUS_PACKAGE + "_preferences";
public static final String LEGACY_GOOGLE_VOICE_PACKAGE = "com.google.android.apps.googlevoice";
public static final String NEW_GOOGLE_VOICE_PACKAGE = "com.google.android.apps.voice";
private static final String NEW_GOOGLE_VOICE_GCM_PACKAGE = NEW_GOOGLE_VOICE_PACKAGE + ".backends.gcm";
private static final String BROADCAST_SMS_PERMISSION = "android.permission.BROADCAST_SMS";
public static boolean isEnabled() {
//return new XSharedPreferences(XVOICE_PLUS_PLUS_PACKAGE).getBoolean("settings_enabled", false);
Context appContext = AndroidAppHelper.currentApplication().getApplicationContext();
boolean settingsEnabled;
try {
settingsEnabled = new RemotePreferences(appContext, XVOICE_PLUS_PACKAGE, XVOICE_PLUS_PREFERENCES_FILE_NAME, true)
.getBoolean("settings_enabled", false);
} catch (RemotePreferenceAccessException e) {
Log.e(TAG, "Error accessing settings_enabled from RemotePreferences: ", e);
return false;
}
return settingsEnabled;
}
@Override
public void initZygote(StartupParam startupParam) {
// Hooks android.* packages
// Enable SMS on tablets
XResources.setSystemWideReplacement("android", "bool", "config_sms_capable", true);
hookSmsManager();
}
/**
* Hooks {@link SmsManager} to intercept outgoing messages.
*/
private void hookSmsManager() {
Log.d(TAG, "Attempting to hook SmsManager");
try {
findAndHookMethod(SmsManager.class, "sendTextMessage", String.class, String.class,
String.class, PendingIntent.class, PendingIntent.class, new XSendSmsMethodHook());
findAndHookMethod(SmsManager.class, "sendMultipartTextMessage", String.class, String.class,
ArrayList.class, ArrayList.class, ArrayList.class, new XSendSmsMethodHook());
Log.d(TAG, "Hooked SmsManager methods successfully");
} catch (ClassNotFoundError e) {
Log.e(TAG, "Class android.telephony.SmsManager not found", e);
} catch (NoSuchMethodError e) {
Log.e(TAG, "SmsManager methods not found", e);
}
}
@Override
public void handleLoadPackage(LoadPackageParam lpparam) throws ClassNotFoundException {
// Hooks com.android.* packages
if (lpparam.packageName.equals("android") && lpparam.processName.equals("android")) {
hookXVoicePlusPermissions(lpparam);
hookAppOps(lpparam);
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
hookBroadcastPermissionCheck(lpparam);
}
}
if (LEGACY_GOOGLE_VOICE_PACKAGE.equals(lpparam.packageName)) {
hookGoogleVoice(lpparam);
}
}
/**
* In order to send the android.provider.Telephony.SMS_DELIVER and android.provider.Telephony.SMS_RECEIVED
* broadcast intents, the app requires the BROADCAST_SMS permission. However, since this permission
* is reserved for system packages, it cannot be declared in the manifest. This method hooks the
* PackageManagerService to grant the permission.
* @param lpparam
*/
private void hookXVoicePlusPermissions(LoadPackageParam lpparam) {
Log.d(TAG, "Hooking " + APP_NAME + " permissions");
final Class<?> packageManagerServiceClass = findClass("com.android.server.pm.PackageManagerService", lpparam.classLoader);
findAndHookMethod(packageManagerServiceClass, "grantPermissionsLPw", "android.content.pm.PackageParser.Package",
boolean.class, String.class, new XC_MethodHook() {
@SuppressWarnings("unchecked")
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
final String pkgName = (String) getObjectField(param.args[0], "packageName");
if (XVOICE_PLUS_PACKAGE.equals(pkgName)) {
Log.d(TAG, "Fixing permissions for " + XVOICE_PLUS_PACKAGE);
// Returns: (PackageSetting) Object PackageParser$Package.mExtras
final Object extras = getObjectField(param.args[0], "mExtras");
// Returns: com.android.server.pm.Settings PackageManagerService.mSettings
final Object settings = getObjectField(param.thisObject, "mSettings");
// Returns: ArrayMap<String, BasePermission> Settings.mPermissions
final Object permissions = getObjectField(settings, "mPermissions");
// Returns: BasePermission
final Object broadcastSmsPermission = callMethod(permissions, "get",
BROADCAST_SMS_PERMISSION);
if ((Build.VERSION.SDK_INT == Build.VERSION_CODES.LOLLIPOP) || (Build.VERSION.SDK_INT == Build.VERSION_CODES.LOLLIPOP_MR1)) {
final Set<String> grantedPermissions = (Set<String>) getObjectField(extras, "grantedPermissions");
if (!grantedPermissions.contains(BROADCAST_SMS_PERMISSION)) {
grantedPermissions.add(BROADCAST_SMS_PERMISSION);
// Returns: ((PackageSetting) GrantedPermissions).gids
int[] grantedPermissionsGids = (int[]) getObjectField(extras, "gids");
// Returns: BasePermission.gids
int[] broadcastSmsPermissionGids = (int[]) getObjectField(broadcastSmsPermission, "gids");
callStaticMethod(param.thisObject.getClass(), "appendInts", grantedPermissionsGids, broadcastSmsPermissionGids);
Log.d(TAG, "Permission added: " + broadcastSmsPermission);
}
} else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
// Based on https://github.com/wasdennnoch/AndroidN-ify/blob/ebb3a60a155b30dc177cf4968cb28d1254171851/app/src/main/java/tk/wasdennnoch/androidn_ify/utils/PermissionGranter.java#L74-#L89
// and https://github.com/GravityBox/GravityBox/blob/marshmallow/src/com/ceco/marshmallow/gravitybox/PermissionGranter.java
final Object permissionsState = callMethod(extras, "getPermissionsState");
if (!(boolean) callMethod(permissionsState, "hasInstallPermission", BROADCAST_SMS_PERMISSION)) {
// Try granting the permission
int ret = (int) callMethod(permissionsState, "grantInstallPermission", broadcastSmsPermission);
// com.android.server.pm.PermissionsState.PERMISSION_OPERATION_FAILURE
final int PERMISSION_OPERATION_FAILURE = -1;
if (ret != PERMISSION_OPERATION_FAILURE) {
Log.d(TAG, "Permission added: " + broadcastSmsPermission);
} else {
Log.w(TAG, "Error adding permission: " + broadcastSmsPermission);
}
}
}
}
}
});
}
private void hookAppOps(LoadPackageParam lpparam) {
Log.d(TAG, "Hooking App Ops");
XposedBridge.hookAllConstructors(findClass("com.android.server.AppOpsService.Op", lpparam.classLoader),
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
if(XVOICE_PLUS_PACKAGE.equals(param.args[1]) &&
(Integer) param.args[2] == SmsUtils.OP_WRITE_SMS) {
Log.d(TAG, "App Ops hook: Setting OP_WRITE_SMS to MODE_ALLOWED");
setIntField(param.thisObject, "mode", AppOpsManager.MODE_ALLOWED);
}
}
});
}
/**
* Hooks com.android.server.am.ActivityManagerService.broadcastIntentLocked()
*
* Once we hooked the incoming message from Google Voice, we use the android.provider.Telephony.SMS_DELIVER
* intent to spoof an incoming SMS. However, in Marshmallow this is a protected broadcast, so
* it's only available to be sent by system packages. As a workaround, we hook the method that
* checks if the broadcast is protected, and spoof the broadcast as if it's coming from PHONE_UID.
*
* @param lpparam
*/
private void hookBroadcastPermissionCheck(final LoadPackageParam lpparam) {
Log.d(TAG, "Hooking broadcast permissions");
findAndHookMethod("com.android.server.am.ActivityManagerService", lpparam.classLoader, "broadcastIntentLocked",
"com.android.server.am.ProcessRecord", String.class, Intent.class, String.class,
"android.content.IIntentReceiver", int.class, String.class, Bundle.class, (new String[0]).getClass(),
int.class, Bundle.class, boolean.class, boolean.class, int.class, int.class, int.class,
new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// Index of the callingUid argument
final int ARGUMENT_INDEX_CALLING_UID = 14;
final int ARGUMENT_INDEX_INTENT = 2;
int callingUid = (int) param.args[ARGUMENT_INDEX_CALLING_UID];
Intent intent = (Intent) param.args[ARGUMENT_INDEX_INTENT];
// Get our UID
int appUid = AndroidAppHelper.currentApplication().getPackageManager()
.getApplicationInfo(XVOICE_PLUS_PACKAGE, PackageManager.GET_META_DATA).uid;
// If the broadcast is from us
if (intent.getAction().startsWith("android.provider.Telephony") &&
(boolean) callStaticMethod(UserHandle.class, "isSameApp", callingUid, appUid)) {
Log.d(TAG, "Hooking broadcast permissions: Overriding callingUid "
+ callingUid + " with Process.PHONE_UID (UID 1001)");
// Spoof the broadcast as if it's coming from PHONE_UID, so the system will let it through
param.args[ARGUMENT_INDEX_CALLING_UID] = Process.PHONE_UID;
}
}
});
}
/**
* Hooks incoming Google Voice messages.
* @param lpparam
*/
private void hookGoogleVoice(LoadPackageParam lpparam) {
Log.d(TAG, "Hooking Google Voice incoming push notifications");
// Try to hook GV 5.0+ first
try {
findAndHookMethod(NEW_GOOGLE_VOICE_GCM_PACKAGE + ".GcmListenerService", lpparam.classLoader,
"a", String.class, Bundle.class, new GCMListenerServiceHook());
} catch (NoSuchMethodError e) {
Log.e(TAG, "Error hooking GV 5.0+: ", e);
} catch (ClassNotFoundError e) {
Log.d(TAG, "GV 5.0+ was not found. Trying to hook legacy GV (version 0.4.7.10 or lower)");
// If we can't find GV 5.0+, try to hook the legacy version (0.4.7.10 or lower)
try {
findAndHookMethod(LEGACY_GOOGLE_VOICE_PACKAGE + ".PushNotificationReceiver", lpparam.classLoader,
"onReceive", Context.class, Intent.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Log.d(TAG, "Received incoming Google Voice notification");
if (isEnabled()) {
Context context = (Context) param.args[0];
Intent gvIntent = (Intent) param.args[1];
if (gvIntent == null || gvIntent.getExtras() == null) {
Log.w(TAG, "Null intent when hooking incoming GV message");
} else if (gvIntent.getExtras().getString("sender_address") == null) {
Log.d(TAG, "sender_address == null, so this must be a dummy intent, so we'll ignore it");
} else {
// Send the incoming message to be processed
Intent intent = new Intent()
.setAction(MessageEventReceiver.INCOMING_VOICE)
.putExtras(gvIntent.getExtras());
context.sendOrderedBroadcast(intent, null);
}
} else {
Log.d(TAG, "Module is disabled, so ignoring the incoming message");
}
}
});
} catch (NoSuchMethodError error) {
Log.e(TAG, "Error hooking legacy GV (version 0.4.7.10 or lower): ", error);
} catch (ClassNotFoundError error) {
Log.e(TAG, "Google Voice could not be found. Incoming messages will not be intercepted", error);
}
}
}
}