For some work I'm doing, I want to have an emulated GSM modem which will communicate with an Android-x86 virtual machine over a Unix socket. The VM should see the emulator as a real modem and use it to send SMS (as the first pass of functionality).
So far, I've put something together which handles some AT commands and just replies "OK" to all the rest. For some commands, like "AT+CRSM", I just have a table of responses gathered from running the official Android emulator and looking at the radio log. For others, I maintain some state and construct answers; those commands include:
CFUN?
CPIN?
CGREG?
CGREG?
COPS?
CGREG=
CREG=
CPIN=
COPS=
CRSM=
CSMS=
CGSN
CIMI
CSQ
Android will boot, and send commands to my emulated modem, which answers, however it doesn't seem to be fully functional. Android doesn't detect any radio signal strength, for instance, just showing an "x" in the signal bar.
Does anyone know of a similar project, or just what AT commands are absolutely necessary to get some basic functionality?
Well, I'll answer another of my own questions, it's easier that way.
I ended up implementing an emulator which maintains a little bit of state, such as whether or not unsolicited CREG and CGREG messages are enabled, the network registration status & network name format (for the COPS command), and a message reference counter for SMS.
It supports the following commands:
CFUN?
CPIN?
CGREG?
CREG?
COPS?
CGREG=
CREG=
CPIN=
COPS=
CRSM=
CSMS=
CMGS=
CGSN
CIMI
CSQ
All other messages just get an "OK" response.
With the stock AOSP Android source running in an emulator with the "-radio unix:/tmp/phone" switch, I can send SMS messages and decode the binary PDUs into real messages. I will continue to add functionality so SMS messages can be injected back to Android, and hopefully open-source the code at some point.
Related
I'm developing an adaptation for an android app, to communicate with a remote control, which has some pre defined commands.
I've followed this implementation to do the Bluetooth communication and it's working fine for sometime.
This app should communicate with the remote control every 5 minutes or less, and I've been using the app for almost 6 months now. The last week I've some command clashes problem and looking at the logs I couldn't identify why did that happened. The last time that this had happened the app was running for more than 24h, communicating with the remote control, without any communication issue.
Two of it's commands have some similar characters, the first one that have to be done, to establish the connection.
OK_CONN
And an sniffer command which keeps the pilot awake listening for some sensor data:
N
Looking at the logs I can see the answer for command N, after applying the command OK_CONN.
Is it possible for a Bluetooth command to lost part of it's data, during an established communication or am I doing something wrong when writing to a characteristic? Should I change the command names to avoid this kind of clash?
I'm using android 9, at a Sony XPeria XZ phone.
Edit to clarify #Emil comment
07:02:12.880 [BleThread] writing <OK+CONN> to characteristic
07:02:12.368 [Binder:19249_F] [onCharacteristicChanged():274]:
n command confirme
Looking at the logs I see that the last written command as an ok_conn but it has written only the N, this is been show as the last line, it has confirmed to receive the n command alone, instead of receiving the full data of ok_conn.
By name clashes I mean that maybe the last N of the ok_conn command is been accepted as the command.
I just realized what's going on, you can post that as an answer #Emil, my problem was at the logic that sends the first command, sometimes I send this command and the micro controller is not started yet, that's probably the reason of it getting only part of the command.
Not sure what you mean by name clashes, but Android will always write what you told it to write, without packet loss, as long as you follow the rules to never have more than one outstanding operation (always wait for callback before you send the next operation) and that your data must fit within the maximum length for the corresponding operation.
How can we listen for special BT device commands like redial from our app? For now, I'm only able to listen to the only one - play/pause/start/end call button (KeyEvent.KEYCODE_MEDIA_PLAY_PAUSE).
Using common BroadcastReceiver for "android.intent.action.MEDIA_BUTTON" doesn't help.
Solution with BluetoothSocket, BluetoothServerSocket won't help too since it requires our code to be invoked on BT device side.
During my redial button tests I see the next line in the logs:
01-20 05:52:30.486 942-1060/com.android.bluetooth E/bt-rfcomm: PORT_DataInd, p_port:0x5526c200, p_data_co_callback is null
It looks like there is something sending an event from BT device to the android device. But how can we catch it on app side, what should we use? I work on some system app by the way and theoretically can do very specific, low-level and system things, so maybe there could be some solution.
afaik, this isn't possible, sadly...
I've been working on custom handling BT headset keys, like VOL UP, DOWN, eventually ANSWER/DISCONNECT/REDIAL. Even made rich question, but without single answer or comment...
After some research (days, weeks...) and digging into Android source I've found that these buttons are sending some AT commands. I've also found methods which are checking these AT commands and if system is able to respond/handle them then it TRY to do it and further won't pass any event to any app/socket/rfcomm/anything... E.g. under VOL UP button we have some well-known AT command, system can handle it, so try to do so, even when we already have volume set to max. Any app won't be noticed that this happened...
btw. I don't think this logcat line posted in question is strictly relevant to button press (but may be indirectly), but you have bt-rfcomm keyword in there, so you may try to establish some RFCOMM connection with Bluetooth device, maybe you will get some luck on this topic... (personally I gave up...)
All,
I am attempting to communicate, over an SPP profile, with an RN4678 Bluetooth chip connected to a microcontroller.
I never have a problem with the Android app. I can always pair (if not paired), connect, send messages to the chip, and disconnect. An example session is below:
%CONNECT,AB9876543210%
%RFCOMM_OPEN%
%TEST% <-- Message sent using the keyboard ("Byte Stream Mode" option)
%RFCOMM_CLOSE%
%DISCONN%
With the iOS app, I can always pair (if not paired), connect, and disconnect. However, if I cannot send a message to the chip. An example session is below:
%LCONNECT,499B107AB1B5,1%
%LSECURED%
<-- Here I try to send a message, but it is never received
%DISCONN%
The funny thing is that if I first connect/disconnect using the Android, and then I connect using the iPhone/iPad, reception is successful !!!!
%LCONNECT,499B107AB1B5,1%
%LSECURED%
%TEST% <-- Yeah !!! Microcontroller receives the message
%DISCONN%
As far as I know, that path for the processing is the same ... In other words:
if(msg equals "RFCOMM_OPEN" or msg equals "LSECURED")
go to state that monitors incoming messages
I, therefore, kindly ask the following:
1 - Have you encountered anything similar? Do you have any hints? What could the Android App possibly do that the iPhone app is not doing? What am I overlooking or not understanding?
2 - Are you aware of an app that works for both iOS and Android? What I mean, designed by the SAME guy/company?
If you need more info, please ask. I simply did not want to be too 'verbose'.
Thank you for your assistance.
Sincerely,
Vincenzo
All,
At my job we have been playing with two RN modules: the RN4677 (we started with this module) and the RN4678.
The module allows the user to enter (and exit) a command mode. The RN4677 allows bidirectional communication with a manager while still in command mode. The RN4678 does NOT allow bidirectional communication with a manager while still in command mode.
All I needed to do was exit command mode (by issuing the command '---\r'). Now both modules work with Windows/Android/iOS ...
To summarize:
command "$$$\r" to enter command mode
various commands, requests for settings, ...
command "---\r" to exit command mode (a must for RN4678)
Everything will now work fine for both modules
I must say ... that was painful to troubleshoot ...
Sincerely,
Vincenzo
I am currently developing an android app and i want to send data message with audio file attached to it. One of the arguments of the sendDataMessage() methods is "destination port".
I know its the port i want to send the message via, but I am not sure what to put there, is there a default port for sending data messages? I have looked for it but every example I have seen uses different port. However, whichever port I use, I get Null PDU exception.
I am using HTC for running and testing the app btw.
Default is 8091. Most devices don't support port filtering very well, though:
SmsManager.sendDataMessage(..., onSpecificPort , ...,.. ) Is not Filtering SMS On Port Basis
Your null PDU is probably not because of a port selection problem, though.
I would like to know high level idea of how Android Modem code will call/pass message to Android application layer. Say we take SMS for example. If network sends SMS and Modem (say Qualcomm C code parses it) how is it transmitted to Android Application layer?
Is there always a JNI call happening? as interface between modem and Android? Can you please share the information with us. Thanks
In almost all android source base as found in the AOSP/CAF/CM source (Android Open Source Project, CodeAurora Forum, Cyanogenmod respectively), will have C code called the rild, (Radio Interface Layer Daemon). This is commonly found within the /hardware/ril of the source tree.
This daemon runs from the moment Android boots up, and creates a socket called /dev/socket/rild and /dev/socket/rild-debug. There will be a proprietary library coming from Qualcomm, HTC, that gets dynamically loaded at run time upon boot. It is that proprietary library that in turn, communicates to the radio firmware. And the rild's hooks for the call-backs into the proprietary library is established there and then.
At the rild layer, via the aforementioned socket, is how the Android layer (found in the source tree, frameworks/base/telephony/com/android/internal/telephony/RIL.java) communicates.
On the Java side, it opens the socket for reading/writing, along with establishing intents and setting up delegates for broadcasting/receiving events via this socket.
For example, an incoming call, the proprietary library, invokes a callback hook as set up by rild. The rild writes standard generic AT Hayes modem commands to the socket, on the Java side, it reads and interprets the modem commands, and from there, the PhoneManager broadcasts CALL_STATE_RINGING, in which Phone application (found in the source packages/apps/Phone) has registered a receiver and kickstarts the User interface, and that is how you get to answer the call.
Another example, making an outgoing call, you dial a number on Android, the intent gets created and which in turn the PhoneManager (This is the root of it all, here, cannot remember top of my head, think its in frameworks/base/core/java somewhere in the source tree) receives the intent, convert it into either a sequence of AT Hayes modem commands, write it out to the socket, the rild then invokes a callback to the proprietary library, the proprietary library in turn delegates to the radio firmware.
Final example, sending text messages, from the Messaging (found in packages/apps/Mms source tree) application, the text you type, gets shoved into an intent, the PhoneManager receives the intent, converts the text into GSM-encoded using 7-bit GSM letters (IIRC), gets written out to the socket, the rild in turn invokes a callback to the proprietary library, the proprietary library in turn delegates to the radio firmware and the text has now left the domain of the handset and is in the airwaves somewhere... :) Along with sending a broadcast message within Android itself, provided that READ_PHONE_STATE permission is used and specified in the AndroidManifest.xml.
Likewise conversely, when receiving a text message, it is in the reverse, radio firmware receives some bytes, the proprietary library invokes the callback to the rild, and thus writes out the bytes to the socket. On the Java side, it reads from it, and decodes the sequence of bytes, converts it to text as we know of, fires a broadcast with a message received notification. The Messaging application in turn, has registered receivers for the said broadcast, and sends an intent to the notification bar to say something like "New message received from +xxxxxx"
The intents are found in frameworks/base/telephony/java/com/android/internal/telephony/TelephonyIntents.java
That is the gist of how the telephony system works, the real beauty is, that it uses generic AT Hayes modem commands thusly simplifying and hiding the real proprietary mechanisms.
As for the likes of Qualcomm, HTC, forget about it in thinking they'd ever open source the library in question because the radio telephony layer is embedded within the S-o-C (System on a Chip) circuitry!
Which is also, as a side note, why its risky to flash radio firmware, some handsets provide the capability to do it, flash the wrong firmware (such as an incompatible or not suitable for handset), kiss the handset good-bye and use that as a door stopper or paper-weight! :)
It should be noted, that there is zero JNI mechanisms involved.
This is from my understanding of how it works, from what I can tell is this, the radio firmware is loaded into a memory address somewhere where the linux kernel has reserved the address space and does not touch it, something like back in the old PC days when DOS booted up, there was reserved addresses used by the BIOS, I think, its similar here, the addresses marked as reserved are occupied by the firmware, in which the proprietary radio library talks to it - and since the library is running in the address space owned by the kernel, a lá owned by root with root privileges, it can "talk" to it, if you think of using the old BASIC dialect of peek and poke, I'd guess you would not be far off the mark there, by writing a certain sequence of bytes to that address, the radio firmware acts on it, almost like having a interrupt vector table... this am guessing here how it works exactly. :)
Continuing from the explanation by t0mm13b, When we talk about a smartphone, think of 3 layer operations wrt to SMS/Calls.
RIL (User level) <-> AP <-> CP
AP : Application Processor(Where your Android OS runs. Think of games, songs, videos, camera etc running on this processor)
CP : Cellular Processor (Which actually deals with Air-interface for incoming/outgoing calls/sms, interacts with Network Tower etc ..)
Now let say some data is received at CP side (It could be internet data/sms/call). Now there are certain logical channels between AP and CP. So CP will push the data received to a corresponding channel based on type of data. This data will be received by AP. AP will send this data back to RIL/App. RIL will decode this data (specially call/sms data). Based on that gives notification to User about SMS/Call.