How to read random data sent from android to Mac OSx? - android

I developed an android app that sends data (text, binary, hex..etc) using bluetooth communication. I want to test my app, what methods are there?
Is there a method on mac to receive what is sent ?

There is an app called LightBlue on the Mac (and iOS) App Stores which is very useful when developing with BLE. It allows you to scan, see advertisement data (iOS version only), connect, list services and characteristics, subscribe to a notify / indicate characteristic and read or write a characteristic's value.
For classic Bluetooth, if using SPP you will need a serial terminal. First you need to connect to your device from the Bluetooth System Preferences. This will create a device file in /dev, its name follows the pattern /dev/cu.<DEVICE_NAME>-SPPDev where DEVICE_NAME is the advertised Local Name. This is a character device that you can use with any program that can read(2) and write(2) to a file. For instance the simplest way with default tools, if your device file is /dev/cu.XXXX, is to run cat /dev/cu.XXXX in one terminal window (or cat /dev/cu.XXXX | hexdump -C for hex output), then in another terminal window run echo -n "my command" > /dev/cu.XXXX. Then in the first terminal window you will see the response from your device. For hex input you can use the -e switch and backslash escapes, for instance to send 0x01 0x02, you would run echo -ne "\x01\x02" > /dev/cu.XXXX.
There are programs that are specialized in this sort of communication, called serial terminals. These also let you change the serial port configuration, although the one selected by osx is generally good. I personally use cutecom for this. In cutecom, you need to input the device file name (/dev/cu.XXXX) in the "Device" text field, then configure the desired serial port parameters. To use those that osx selected, just uncheck the "Apply settings when opening" checkbox. Then click on "Open device". You can then input text or hex and see output as text or hex also. If you get gibberish on the output that means that the serial port parameters are not good. If you don't know the right parameters for your device you can experiment, but a typical configuration would be Baud rate : 115200; Data bits : 8; Stop bits : 1; Parity : None, and no handshake.

Related

data from android studio to matlab via bluetooth

I am new to android studios and I have the task to develop an app which transfers data from an app (Acceleration sensor data - i have created this app already which shows the data) to matlab (on the pc).
I don't really know how I should do this. I've experimented a bit with bluetooth apps, but I don't have a clue how to connect to Matlab.
I would be grateful for your help.
Thanks in advance,
Annika
Unfortunately I can not speak to the android side of things, but MatLab can connect to generic devices with the UART interface, which is fairly low level.
The process with some microprocessors that I am using is to connect the device to the PC, and then note the Outgoing com port.
(In windows 10, these can be found in Bluetooth settings -> More Bluetooth options)
Then you can use
s = serial('COM<what you found in settings>');
s.Baudrate=115200;
s.InputBufferSize = 100;
fopen(s);
serials = instrfindall;
to open a connection. The critical command is serial, the other parameters depend on your device/configuration. Sometimes there can be issues, in which case one option is to build a loop that tries again until it works.
You then collect the data sent via UART via
flushinput(serials);
temp = fscanf(serials,'%s');
and then split the string. If data is sent continuously, you wrap this into a while loop.
After you are done, you can clean up via
fclose(s);
delete(instrfind)
instrreset
It should be noted, that establishing a connection takes longer, the more enabled COM ports there are. So it might be worth disabling all those you don't need.
For more specific things matlab can do, check out What Is the MATLAB Serial Port Interface

Is there a way to download an MMS from command line using curl or wget?

I'm doing some Android malware research for MMS based attacks. And I'm looking for a manual way to retrieve or download a received MMS message. I was hoping to find some curl or wget lines to be able to do so, but have not found anything useful.
So far I have got some MMS info from the internal databases, found by:
# find / -iname "*.db" |grep -iE "mms|sms"
...
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.google.android.gms/databases/icing_mmssms.db
/data/data/com.android.mms/databases/message.db
/data/data/com.android.mms/databases/message_glance.db
# cd /data/data/com.android.providers.telephony/databases/
# echo "select * from pdu;" | sqlite3 -header mmssms.db
...
# echo "select date,sub,ct_l,tr_id from pdu;" | sqlite3 -header mmssms.db
date|sub|ct_l|tr_id
1495xxxxxx|Download this message|http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx|Ae_xxxx_xxxxx-xxx
How to interpret the mmsc32:10021 part?
Then looking in the message settings for the MMSC, Proxy and port, I want to build a working CLI one-liner or browser request, to download the file for inspection.
In the phone settings we can find the MMSC via:
Settings > More > Mobile network > Access Point Names > MMS: <your operator>
MMSC: http://mms.company.net:8002/
MMS Proxy: 194.xx.xx.xx
MMS Port: 8080
How can I download the MMS file from shell command line (or an external browser)?
PS. Obviously the phone is rooted and has both busybox and sqlite3, and perhaps also curl or wget installed. The AOS is 5.0+.
Addendum: 2017-11-09
From here:
MMS (Multimedia Messaging Service) messages are sent using a
combination of SMS and WAP technologies. When an MMS message is sent,
a mobile device receives an MMS notification message via SMS. When
this MMS notification message is received by the mobile device, the
mobile device automatically initiates a WAP gateway connection to
download the content of the MMS message.
To send an MMS message, you must first create an MMS message file. The
format of an MMS message file is documented in the MMS Encapsulation
Protocol specification published by the Open Mobile Alliance
(http://www.openmobilealliance.org) and/or the WAP Forum
(http://www.wapforum.org). The MMS message file format consists of an
MMS message binary header, followed by a multipart MIME message where
the multipart message is encoded in a binary multipart format as
defined by the WAP Wireless Session Protocol (WSP) specification. This
binary MMS message file is stored on a web server using a MIME type of
application/vnd.wap.mms-message and an MMS message type of
m-retrieve-conf. A subset of the binary MMS header is sent as an MMS
notification message (MMS message type m-notification-ind) via SMS to
the mobile device together with a URL pointer to the location of the
complete message.
Also, smartphones do not download the MMS or SMS content to SIM any more. That is how "feature" phones used to do it.
Addendum: 2017-11-13
Looking at the API-23 (M) sources for the SQLite3 tables shown in Telephony.java, we find that
CONTENT_LOCATION = "ct_l";, so we can search for its other uses here. To briefly summarize our findings:
date # The message delivery time.
sub # The subject of the message, if present.
ct_l # The Content-Location of the message. A field in interface:Telephony.BaseMmsColumns
tr_id # The transaction-id of the message.
Thus we might expect that the URI in ct_l can be interpreted as follows:
http://mmsc32:10021 is the server (IP:PORT) masked by the MMS proxy (shown) above
/mmsc/3_2 is the WAP URL to the message processor
?Ae_xxxx_xxxxx-xxx is telling the message processor to retrieve the message given by the "transaction id": Ae_xxxx_xxxxx-xxx
Therefore, using the proxy (APN) settings, and using the URL extracted from the message DB (mmssms.db), one should be able to retrieve and download the content of the MMS, using a carefully crafted curl statement.
Perhaps something like:
# curl -x http://proxy_server:proxy_port --proxy-user username:password -L http://url
curl -v -x http://194.xx.xx.xx:8080 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
# Or from outside local net:
curl -v -x http://mms.company.net:8002 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
The first one obviously wouldn't work from outside the phone environment as it refers to an IP class C, only visible within the mobile assigned IP.
I hope you get an answer to this. I'm not the one, but will throw in my 2 cents worth of advice...
Short version
You can't have texts skipping the "send to" SIM card and auto-diverting to some computer.
Make an Android app to install on your phone, make sure its job is to detect and divert copies of new inbox messages to your computer.
Use a USB dongle for the SIM. When plugged into computer, then you're receiving messages directly to your computer without the phone being involved.
Long version
Rather than command line tools, you're better off making an actual app (via Android SDK) that checks for received messages and forwards some data to you (eg: via email, or sockets, or however you like). Also "some data" meaning either a full copy of the message itself, or just sends feedback of [in-app]
message analysis (eg: number of images detected, the hex printout of image bytes and so on).
Looking at Android's SmsManager API it even tells you:
For information about how to behave as the default SMS app on Android
4.4 (API level 19) and higher, see Telephony.
Also look at that API's downloadMultimediaMessage command. It's doing what you need. Telephony page has the information and links to start, but independent blog articles and tutorials (one such example) about this topic are out there too.
Anyways, onto your post...
(1)
"I just want to download the message to a file, without the phone processing it, as it could contain malware"
How do you imagine "without the phone processing it" to work? The phone holds the sim that your operator (via a service centre) will forward messages to, after receiving from sender's own provider's service centre. You and curl are out of this loop. You'll only know of a text when your SIM receives it and the phone OS alerts you.
Technically the phone has processed this message, you just haven't opened it yet.
(2)
"How can I download the MMS file from shell command line or an external browser?"
You have to download that entire mmssms.db file and extract the specific message from it. You treat the .db like any other online database (eg: using SQL/PHP type queries, etc).
See this tutorial for useful advice : http://cheeky4n6monkey.blogspot.co.uk/2013/02/
An alternative for future incoming messages is to just get a (USB) SIM dongle that takes your card. Once plugged into the computer it can receive/send messages since the SIM is live/active inside the dongle (as proxy of phone).
The dongles come with own software (example image of such) for managing web connections and read/write SMS/MMS messages. It's like just having SIM working not in phone but on desktop.
I just used your addendum to get it working, but had to change it slightly.
Note that I'm running this from linux with a PPP interface defined via a connected USB modem. Obviously the connection this executes from has to be "on net" for the carrier that delivered the MMS push.
curl --interface ppp0 -v -x 10.202.2.60:8080 --output mms.pdu http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
where:
ppp0 is the interface defined by the modem connection, and:
http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
was the URL passed in the original MMS push notification, and:
10.202.2.60 is the MMS proxy given by my carrier, and:
8080 is the MMS port given by my carrier.
This saves the MMS to the file mms.pdu.
The config files:
/etc/ppp/options:
debug
4000000
modem
crtscts
lock
connect /etc/ppp/net-connect
asyncmap 0
defaultroute
:
mtu 1400
/etc/ppp/net-chat:
#!/bin/sh
/usr/sbin/chat -v -t 60 -f /etc/ppp/net-chat
/etc/ppp/net-connect:
ABORT 'ERROR'
ABORT 'BUSY'
ABORT 'NO CARRIER'
'' AT
OK ATE0
OK AT+IPR=4000000
OK AT+CGDCONT=1,"IP","live.vodafone.com"
OK AT&S1
OK AT&F
OK AT&W
OK AT+CNMP=14
OK AT&W
OK ATE0
OK ATD*99***1#
CONNECT
Finally connect, by doing: /usr/sbin/pppd /dev/ttyUSB3
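Before a file saved this way is handed to a parser, it is worth confirming that the proxy returned an MMS PDU and not an HTML error page. The following is an added example, not code from any of the posts: it reads the leading fields of the binary MMS header described in the quoted passage, using field codes from the OMA MMS Encapsulation specification; the function names, sample bytes and transaction id are constructed.

```python
# Header field codes and message-type values (OMA MMS Encapsulation Protocol).
MESSAGE_TYPE, TRANSACTION_ID, MMS_VERSION = 0x8C, 0x98, 0x8D
MESSAGE_TYPES = {
    0x80: "m-send-req", 0x81: "m-send-conf", 0x82: "m-notification-ind",
    0x83: "m-notifyresp-ind", 0x84: "m-retrieve-conf",
    0x85: "m-acknowledge-ind", 0x86: "m-delivery-ind",
}

# Constructed sample: type, transaction id, version, then the start of a Date header.
SAMPLE_PDU = (bytes([MESSAGE_TYPE, 0x84, TRANSACTION_ID])
              + b"T-constructed-0001\x00"
              + bytes([MMS_VERSION, 0x92, 0x85, 0x04, 0x5A, 0x04, 0x0B, 0x00]))
# Constructed sample of what a refusing proxy might return instead.
SAMPLE_HTML = b"<html><body>403 Forbidden</body></html>"


def read_text_string(buf, pos):
    """Read a null-terminated WSP text-string; return (text, next offset)."""
    end = buf.index(0, pos)            # ValueError if the terminator is missing
    start = pos + 1 if buf[pos] == 0x7F else pos   # skip the WSP quote octet
    return buf[start:end].decode("utf-8", "replace"), end + 1


def triage_mms_pdu(buf):
    """Parse the leading MMS headers without touching the MIME parts."""
    result = {"is_mms": False, "type": None, "transaction_id": None,
              "version": None, "truncated": False, "next_offset": 0}
    if len(buf) < 2 or buf[0] != MESSAGE_TYPE:
        return result                  # not an MMS PDU (e.g. an HTML error body)
    result["is_mms"] = buf[1] in MESSAGE_TYPES
    result["type"] = MESSAGE_TYPES.get(buf[1], "unknown(0x%02x)" % buf[1])
    pos = 2
    try:
        if pos < len(buf) and buf[pos] == TRANSACTION_ID:
            result["transaction_id"], pos = read_text_string(buf, pos + 1)
        if pos + 1 < len(buf) and buf[pos] == MMS_VERSION:
            v = buf[pos + 1] & 0x7F    # short-integer: high bit set, value in low 7 bits
            result["version"] = "%d.%d" % (v >> 4, v & 0x0F)
            pos += 2
    except ValueError:
        result["truncated"] = True     # header cut off before its terminator
    result["next_offset"] = pos        # where the remaining headers begin
    return result


if __name__ == "__main__":
    print(triage_mms_pdu(SAMPLE_PDU))
    print(triage_mms_pdu(SAMPLE_HTML))
```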

Is bash redirection of file descriptor 3 the most efficient way to read a tcp port and write to a text file?

I am logging GPS data on a Raspberry Pi (Raspbian OS) by forwarding text from an Android phone connected by USB. The app ShareGPS correctly dumps several lines of text every second to port 50000. On the Pi I run adb to forward the port to the Pi.
From there I redirect the socket using a pseudo path to a file descriptor and then redirect the descriptor to a text file.
adb forward tcp:50000 tcp:50000
exec 3<>/dev/tcp/localhost/50000
cat <&3 >> dump-file.txt
To me this seems a very convoluted route. Is there a more efficient way to record from a port on the phone to a text file on the Pi?
Phone setup and adb reference http://ubuntuforums.org/showthread.php?t=2145434
Socket redirection http://hacktux.com/bash/socket
If you don't need back-and-forth communications, you don't have to open a separate FD:
cat < /dev/tcp/localhost/50000 > dump-file.txt
One way or another, there will need to be a process that listens to the port and writes to the file as there is no built-in O/S function to do so.
So, really, there isn't going to be a more efficient way to run that. You might be able to save some startup cost by turning the script into a program, but I wouldn't bother - the savings will be tiny.

tcpdump - Bizarre output over 3G/mobile data on Android

I am capturing packets over 3G on Android and I get an output that is bizarre. I see mac addresses instead of IP addresses and have no clue how to decode it. I see the IP addresses when I run the same capture over WIFI. It appears as if the link type needs to be changed for 3G interface.
Currently, I only see "EN10MB (Ethernet)" option under the list of Data link types (tcpdump -L). I see different link types on tcpdump website (http://www.tcpdump.org/linktypes.html) and I think probably I somehow need to recompile the source, so that I get "LINKTYPE_GPRS_LLC" under Data link types to get the right capture.
Does anyone know how to do this? I have the source for libpcap (v0.9.8) and tcpdump (v3.9.8) (one that comes along with AOSP 4.2.1 source).
Thanks and I really look forward to hear from you guys.
Here is a sample output that I get for a capture over 3G interface:
ping google.com
tcpdump -vvvs 0
22:11:51.450906 40:00:40:11:12:18 (oui Unknown) > 45:00:00:38:66:22 (oui Unknown), ethertype Unknown (0x1528), length 56:
0x0000: 4a4b 4201 2107 bad2 0035 0024 5a5e 140c JKB.!....5.$Z^..
0x0010: 0100 0001 0000 0000 0000 0667 6f6f 676c ...........googl
0x0020: 6503 636f 6d00 0001 0001 e.com.....
22:11:52.363748 00:00:fd:11:0c:9c (oui Unknown) > 45:00:00:e8:ed:ed (oui Unknown), ethertype Unknown (0x4201), length 232:
So, here's what solved the problem.
Looks like when we explicitly specify the interface name (cdma_rmnet4 in my case) or do not specify any interface (in this case it automatically assumes the interface to be cdma_rmnet4), it gives the same garbled output.
But when we capture it with “-i any” flag, it does capture on some “LINUX_SLL” interface, which gives the correct output. I googled it and found out that LINUX_SLL is Linux cooked mode capture by libpcap to capture from the "any" device and to capture on some devices where the native link layer header isn't available or can't be used, which is the case with 3G/mobile packets.
If by "Currently, I only see "EN10MB (Ethernet)" option under the list of Data link types (tcpdump -L)." you mean that, when you run tcpdump -L, that means that, on the interface on which you're capturing, the only link-layer header type it claims that it can supply are Ethernet headers.
If that's what it's supplying, tcpdump should be reporting the right packet data.
If that's not what it's supplying, then the driver or networking stack on the version of the Linux kernel your mobile phone/tablet is running is broken - it's supplying the wrong ARPHRD_ value to libpcap, which is then passing that lie on to tcpdump or whatever other program is using libpcap.
The best way to fix this would be to fix the driver or whatever is supplying ARPHRD_ETHER. Unfortunately, a quick look at the 3.11 kernel's include/uapi/linux/if_arp.h doesn't show an ARPHRD_ value that appears to be intended for this.
Note, however, that this is NOT necessarily LINKTYPE_GPRS_LLC! That LINKTYPE_ value is for GPRS LLC frames, as described in 3GPP TS 04.64; those can encapsulate Subnetwork Dependent Convergence Protocol frames, which can encapsulate IP frames (at least according to the Wireshark dissector for GPRS LLC frames), but Android might be using some completely different link-layer headers. GPRS is NOT a 3G service; I think 3G data uses a different link layer.
Tcpdump does not know how to dissect GPRS LLC frames, so, IF that's what the driver is supplying, that wouldn't help without changes to tcpdump to understand GPRS LLC and the Subnetwork Dependent Convergence Protocol.
A quick look at tcpdump's output, and at this similar Wireshark question, suggests that the link-layer type might be LINKTYPE_RAW - the first octet of an Ethernet frame is the first octet of the destination address, so it appears that the first octet of those frames is 0x45, which is also the value that the first octet of an IPv4 frame without options would have (IP version 4, header length 5 32-bit words or 20 bytes).
Try, as an experiment, a version of tcpdump that treats DLT_EN10MB as if it were DLT_RAW; if that works with the 3G interface, then either the drivers or networking stack need to be changed to supply ARPHRD_NONE to libpcap or libpcap needs to look at the device name and, for the Android device or devices in question, map ARPHRD_ETHER to DLT_RAW rather than DLT_EN10MB. What's the name of the device on which you're capturing, i.e., the argument to the -i flag? If you didn't pass an argument to -i, what is the output of ifconfig -a on Android?
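The raw-IP reading suggested in the last answer can be checked directly against the packet quoted in the question. The following is an added example, not code from the thread: the function names are illustrative, and FRAME is rebuilt from the tcpdump line and hex dump shown above.

```python
import ipaddress
import struct

# First packet of the quoted capture. tcpdump assumed Ethernet, so it printed
# the first 6 bytes as the destination MAC, the next 6 as the source MAC, the
# next 2 as the ethertype, and dumped the rest as payload.
FRAME = bytes.fromhex(
    "45 00 00 38 66 22"   # printed as destination MAC 45:00:00:38:66:22
    "40 00 40 11 12 18"   # printed as source MAC 40:00:40:11:12:18
    "15 28"               # printed as ethertype 0x1528
    "4a4b 4201 2107 bad2 0035 0024 5a5e 140c"
    "0100 0001 0000 0000 0000 0667 6f6f 676c"
    "6503 636f 6d00 0001 0001"
)


def ipv4_checksum_ok(header):
    """One's-complement sum over the header, checksum included, must be 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def looks_like_raw_ipv4(frame):
    """True if a frame labelled as Ethernet is really a bare IPv4 packet."""
    if len(frame) < 20:
        return False
    version, ihl = frame[0] >> 4, frame[0] & 0x0F
    if version != 4 or ihl < 5 or ihl * 4 > len(frame):
        return False
    total_len = struct.unpack("!H", frame[2:4])[0]
    return total_len == len(frame) and ipv4_checksum_ok(frame[:ihl * 4])


def dns_qname(dns):
    """Decode the first question name of a DNS message (no compression)."""
    labels, pos = [], 12
    while pos < len(dns) and 0 < dns[pos] < 0xC0:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def parse_raw_ipv4(frame):
    """Re-read the frame as DLT_RAW: IPv4 header first, no link-layer header."""
    hlen = (frame[0] & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(frame[12:16])),
            "dst": str(ipaddress.IPv4Address(frame[16:20])),
            "proto": frame[9]}
    if info["proto"] == 17 and len(frame) >= hlen + 8:      # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[hlen:hlen + 8])
        info.update(sport=sport, dport=dport, udp_len=ulen)
        if dport == 53:
            info["dns_qname"] = dns_qname(frame[hlen + 8:])
    return info


if __name__ == "__main__":
    print(looks_like_raw_ipv4(FRAME), parse_raw_ipv4(FRAME))
```

The header checksum verifying and the IP total length matching the captured length of 56 are what separate a real raw-IP packet from an Ethernet frame whose destination MAC merely starts with 0x45.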

Add IMEI and MAC to wlan0 to Genymotion/AndroVM

Is there any way to add IMEI to AndroVM (now Genymotion) or any other Android Emulator. And also I want MAC address for wlan0 port. We already have emulators which contain MAC at lan0 port but not for wlan.
How can we do so?
If someone in your acquaintances has done so please ask them to contribute.
Details:
I am trying to build a cloud based Android App testing center as my pre final year college project for partial fulfillment towards my Bachelor of Technology (Computer Science) degree.
I am wondering how we can get more configurations for Genymotion.
Or if you can provide me with more device configurations and if it is possible to build configurations for genymotion for different devices very quickly.
Secondly, How to add MAC addresses and IMEI number to the builds?
We are trying to emulate a mobile device (non Google nexus) to make a cloud based testing centre.
For this we are trying to use androVM (Genymotion) and we are facing a few problems
What have we done so far
Building the androVm source code in "VBOX86tp-userdebug" mode from the scratch after following the steps given on official Android website.
After building the source code on a virtual ec2 server, typing the emulator command runs but its blank.
And if possible can AndroVm be run in "Fastboot" mode so that we can install it on the device.
We have been working on "building the androVm" from source code and trying to accomplish few tasks like
Running it with the img's available after the building process is complete.
Making it portable ie creating an iso/ova out of all the stuff found in the out directory.
What we have tried till now
Downloading of the AndroVm source code
initializing the repo using repo init
Downloading the source code using repo sync
choosing the lunch menu using lunch
choosing vbox86tp-userdebug
Other menus full-eng didn't work so discontinued
Few errors that came our way
Make errors: they were pretty straightforward so resolved
system.img was not being generated: resolved by making it again
bin/bash jar command error: happened to be the path error resolved by the exporting the path to jar command.
Few Questions
What an OVA file consists of and how can it be created? From what I have seen it contains few VMDK's and few configurations files attached to it.
How to convert the platform specific image files(system.img ramdisk.img userdata.img) into an OVA or ISO file.
If at all we are missing few files to give to the emulator, can you just name them.
Also how to add IMEI number
We already have MAC for eth0/1 port but we want it on wlan port
Now to make things interesting
This is the reply I got from Genymotion Team:
I want my project to cover various configurations but for starters if i can get something like Samsung Galaxy phones and tab or as a
start if I can get Samsung galaxy tab 2.
You can change the screen size and DPI for each virtual device. You
can toggle navigation bar and virtual keyboard. However, we cannot
provide virtual devices that contains proprietary applications like
Samsung.
Now here what we get is the MAC address of eth0/1 port. What if I need wlan MAC.
Unless one of the two network interfaces has been disabled, there
should be 2 interfaces, 2 IP, and 2 MAC addresses: adb shell ip a.
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:d4:fe:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
inet6 fe80::a00:27ff:fed4:fee0/64 scope link
valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:c8:37:e7 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.15/24 brd 10.0.3.255 scope global eth1
inet6 fe80::a00:27ff:fec8:37e7/64 scope link
Sorry, but we do not provide support for specific ROM. However, I
strongly recommend you to visit the community at:
https://groups.google.com/forum/#!forum/genymotion-users
1. What an OVA file consists of and how can it be created? From what I have seen it contains few VMDK's and few configurations files
attached to it,
"The entire directory can be distributed as an OVA package, which is a
tar archive file with the OVF directory inside."
(http://en.wikipedia.org/wiki/Open_Virtualization_Format)
2. How to convert the platform specific image files(system.img ramdisk.img userdata.img) into an OVA or ISO file.
If at all we are missing few files to give to the emulator, can you just name them.
Please read the community tutorials
3. Also how to add IMEI number
There is currently no way to add IMEI number. This feature will come
in the near future
4. We already have MAC for eth0 port but we want it on wlan port
There are 2 interfaces: eth0 and eth1. Eth0 is used for Genymotion
application widgets. If this network connection is broken, Genymotion
would not be able to start anymore. Eth1 is used for network current
access (fake WiFi connection). You can change this network
configuration as you want.
It is a common practice for mobile applications to identify the user by IMSI number (associated with the SIM card) or IMEI number (unique ID of the device). Of course, it is also possible on Android:
TelephonyManager manager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE);
String imei = manager.getDeviceId();
String imsi = manager.getSubscriberId();
This code works perfectly fine on a real device, however under emulator IMEI is always all-zero and it’s not configurable. It quickly becomes awkward when debugging a network-enabled application which uses IMEI as a user ID.
Trying to resolve the problem I first looked at the TelephonyManager service, just to find the following snippet:
private IPhoneSubInfo getSubscriberInfo() {
// get it each time because that process crashes a lot
return IPhoneSubInfo.Stub.asInterface(ServiceManager.getService("iphonesubinfo"));
}
Fair comment, isn’t it? It really made my day :)
Anyway, code analysis shows that an IMEI/IMSI request goes down through all the telephony layers (see the diagram), eventually getting to the baseband device. On an emulated system, the rild daemon is used together with libreference-ril.so, the reference Vendor RIL library, which talks to the baseband modem device using plain, old AT commands.
The modem device itself is emulated outside the Android system, as part of qemu (which is the heart of the emulator). Details of the communication between the emulator and the Android system running inside the emulator are interesting on their own (all the communication goes through a virtual serial port, and the Android system’s qemud daemon is used to (de)multiplex the data). I’ll try to post a brief introduction to the topic soon.
Virtual modem implementation can be found in external/qemu/telephony/android_modem.c. The most important part of the file is this function:
const char* amodem_send( AModem modem, const char* cmd );
This function is called for each received AT command. For each command sDefaultResponses array is searched for a given command and either predefined response is sent, or a command handler is executed. The array itself looks like:
static const struct {
const char* cmd; /* command coming from libreference-ril.so, if first
character is '!', then the rest is a prefix only */
const char* answer; /* default answer, NULL if needs specific handling or
if OK is good enough */
ResponseHandler handler; /* specific handler, ignored if 'answer' is not NULL,
NULL if OK is good enough */
} sDefaultResponses[] =
{
/* ... */
{ "+CIMI", OPERATOR_HOME_MCCMNC "000000000", NULL }, /* request internation subscriber identification number */
{ "+CGSN", "000000000000000", NULL }, /* request model version */
/* ... */
};
Two array rows cited above are responsible for IMSI and IMEI retrieval. As you can see, both values are hardcoded and there is no chance to modify them without recompiling the emulator.
However, an old-school hack comes in handy. The emulator binary is neither encrypted nor compressed, so the string literals should be visible inside the emulator binary. In fact they are, and the IMEI number can be modified in a few simple steps:
** backup the emulator binary
** open the binary with your favourite hex editor
** search for +CGSN string followed by a null byte, it should be followed by 15 digits of the IMEI number
** edit the number, be careful not to change the number of digits
** save the file, that’s all!
Sure, it’s not a perfectly comfortable solution, yet better than nothing. In the next part I’ll explain how to make IMEI number a configurable option. Enjoy!
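The hex-editor steps above as a script, added here as an example and not part of the original post: it assumes the layout the post describes (+CGSN, a null byte, then 15 digits) and runs on a constructed byte buffer, not a real emulator binary. The Luhn check on the new IMEI goes beyond the post, and the function names are illustrative.

```python
import re

# Layout described in the post: the literal "+CGSN", a null byte, then the
# 15-digit IMEI literal, which is itself null-terminated.
CGSN_ENTRY = re.compile(rb"\+CGSN\x00(\d{15})(?=\x00)")

# Constructed stand-in for the relevant region of the emulator binary.
SAMPLE_IMAGE = (b"\x00pad\x00"
                b"+CIMI\x00" b"310260000000000" b"\x00"
                b"+CGSN\x00" b"000000000000000" b"\x00"
                b"+CUSD=2\x00")


def luhn_ok(digits):
    """IMEI check: the 15th digit is a Luhn check digit over the first 14."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def patch_imei(image, new_imei):
    """Return a copy of image with the +CGSN answer replaced, same length."""
    if not (len(new_imei) == 15 and new_imei.isascii() and new_imei.isdigit()):
        raise ValueError("IMEI must be exactly 15 ASCII digits")
    if not luhn_ok(new_imei):
        raise ValueError("IMEI fails the Luhn check")
    matches = list(CGSN_ENTRY.finditer(image))
    if len(matches) != 1:
        # Zero or several hits means the layout assumption does not hold;
        # refuse to guess which bytes to overwrite.
        raise ValueError("expected exactly one +CGSN entry, found %d" % len(matches))
    start, end = matches[0].span(1)
    patched = image[:start] + new_imei.encode("ascii") + image[end:]
    if len(patched) != len(image):
        raise AssertionError("patched image changed size")
    return patched


def patch_file(path, new_imei):
    """Step 1 of the post: keep a backup, then write the patched binary."""
    with open(path, "rb") as fh:
        original = fh.read()
    patched = patch_imei(original, new_imei)   # validate before writing anything
    with open(path + ".bak", "wb") as fh:
        fh.write(original)
    with open(path, "wb") as fh:
        fh.write(patched)


if __name__ == "__main__":
    print(patch_imei(SAMPLE_IMAGE, "490154203237518"))
```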
