androidシミュレータのIMEI、IMSI、SIM card serial numberの変更方法
2013-03-08 10:56:09|分類:android逆テクニック|通報|番号購読
携帯電話がIMEIとIMSIを使用してGSMネットワークに登録した場合、GSMネットワーク側がIMSIと携帯電話番号(MSISDN)にマッピングし、反対方向のマッピングを行う.
(一)、SIMカード番号の修正:
SIM card号はSIMに印刷された一連の数字です.
SIMカード番号を読むATコマンドは次のとおりです.
AT+CRSM=176,12258,0,0,10
したがって、andoridシミュレーションのソースコードでATコマンドが見つかりました.sim_card.c中:
const char* asimcard_io( ASimCard sim, const char* cmd ) { int nn; #if ENABLE_DYNAMIC_RECORDS int command, id, p1, p2, p3; #endif static const struct { const char* cmd; const char* answer; } answers[] = { { "+CRSM=192,28436,0,0,15", "+CRSM: 144,0,000000146f1404001aa0aa01020000" }, { "+CRSM=176,28436,0,0,20", "+CRSM: 144,0,416e64726f6964ffffffffffffffffffffffffff" }, { "+CRSM=192,28433,0,0,15", "+CRSM: 144,0,000000016f11040011a0aa01020000" }, { "+CRSM=176,28433,0,0,1", "+CRSM: 144,0,55" }, { "+CRSM=192,12258,0,0,15", "+CRSM: 144,0,0000000a2fe204000fa0aa01020000" }, { "+CRSM=176,12258,0,0,10", "+CRSM: 144,0,98101430121181157002" },
...
...
因此用UE二进制方式打开emulator-arm.exe 或 emulator-x86.exe,并搜索字符串“
98101430121181157002”,然后将其修改成需要的SIM card号。
00209a00h: 31 30 00 00 2B 43 52 53 4D 3A 20 31 34 34 2C 30 ; 10..+CRSM: 144,0 00209a10h: 2C 39 38 31 30 31 34 33 30 31 32 31 31 38 31 31 ; ,981014301211811 00209a20h: 35 37 30 30 32 00 2B 43 52 53 4D 3D 31 39 32 2C ; 57002.+CRSM=192,
(二)、IMEI、IMSI号的修改:
TelephonyManager manager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE);
String imei = manager.getDeviceId();
String imsi = manager.getSubscriberId();
在android的源码树中找到类
TelephonyManager的实现:
/** * Returns the unique device ID, for example, the IMEI for GSM and the MEID * or ESN for CDMA phones. Return null if device ID is not available. * *
Requires Permission:
* {@link android.Manifest.permission#READ_PHONE_STATE READ_PHONE_STATE} */ public String getDeviceId() { try { return getSubscriberInfo().getDeviceId(); } catch (RemoteException ex) { return null; } catch (NullPointerException ex) { return null; } } 成员函数
getSubscriberId:
/** * Returns the unique subscriber ID, for example, the IMSI for a GSM phone. * Return null if it is unavailable. * * Requires Permission: * {@link android.Manifest.permission#READ_PHONE_STATE READ_PHONE_STATE} */ public String getSubscriberId() { try { return getSubscriberInfo().getSubscriberId(); } catch (RemoteException ex) { return null; } catch (NullPointerException ex) { // This could happen before phone restarts due to crashing return null; } }
上面两个成员函数最终调用共同的一个私有成员函数getSubscriberInfo():
private IPhoneSubInfo getSubscriberInfo() { // get it each time because that process crashes a lot return IPhoneSubInfo.Stub.asInterface(ServiceManager.getService("iphonesubinfo")); }
而上面私有函数
getSubscriberInfo获取的手机IMSI和IMEI号被硬编码在文件
android_modem.c中:
/* the Android GSM stack checks that the operator's name has changed
* when roaming is on. If not, it will not update the Roaming status icon
*
* this means that we need to emulate two distinct operators:
* - the first one for the 'home' registration state, must also correspond
* to the emulated user's IMEI
*
* - the second one for the 'roaming' registration state, must have a
* different name and MCC/MNC
*/
#define OPERATOR_HOME_INDEX 0
#define OPERATOR_HOME_MCC 310
#define OPERATOR_HOME_MNC 260
#define OPERATOR_HOME_NAME "Android"
#define OPERATOR_HOME_MCCMNC STRINGIFY(OPERATOR_HOME_MCC) \
STRINGIFY(OPERATOR_HOME_MNC)
#define OPERATOR_ROAMING_INDEX 1
#define OPERATOR_ROAMING_MCC 310
#define OPERATOR_ROAMING_MNC 295
#define OPERATOR_ROAMING_NAME "TelKila"
#define OPERATOR_ROAMING_MCCMNC STRINGIFY(OPERATOR_ROAMING_MCC) \
STRINGIFY(OPERATOR_ROAMING_MNC)/* a function used to deal with a non-trivial request */typedef const char* (*ResponseHandler)(const char* cmd, AModem modem); static const struct { const char* cmd;/* command coming from libreference-ril.so, if first character is '!', then the rest is a prefix only */ const char* answer;/* default answer, NULL if needs specific handling or if OK is good enough */ ResponseHandler handler;/* specific handler, ignored if 'answer' is not NULL, NULL if OK is good enough */} sDefaultResponses[] = { /* see onRadioPowerOn() */ { "%CPHS=1", NULL, NULL }, { "%CTZV=1", NULL, NULL }, ... { "!+VTS=", NULL, handleSetDialTone }, { "+CIMI", OPERATOR_HOME_MCCMNC "000000000", NULL },/* request internation subscriber identification number */ { "+CGSN", "000000000000000", NULL },/* request model version */ { "+CUSD=2",NULL, NULL },/* Cancel USSD */
...
/* end of list */ {NULL, NULL, NULL}
};
従って、UEのバイナリ方式でemulator-armを開く.exeまたはemulator-x 86.exe、文字列の検索
「+CGSN」を必要なIMEI番号に変更します.「+CIMI」が必要なIMSI番号に変更されたことを検索します.注意しなければならないのは
IMSI
番号の最初の6つの数字「310660」は変更できません.そうしないと、シミュレータはネットワークに接続できません.
例:
001fc700h: 33 00 41 00 48 00 21 2B 56 54 53 3D 00 2B 43 49 ; 3.A.H.!+VTS=.+CI 001fc710h: 4D 49 00 33 31 30 32 36 30 30 30 30 30 30 30 30 ; MI.3102600000000 001fc720h: 30 30 00 2B 43 47 53 4E 00 30 30 30 30 30 30 30 ; 00.+CGSN.0000000 001fc730h: 30 30 30 30 30 30 30 30 00 2B 43 55 53 44 3D 32 ; 00000000.+CUSD=2
付録:
http://blog.codepainters.com/2010/09/06/android-emulator-and-the-sim-card-serial-number/
http://blog.codepainters.com/2009/12/11/android-imei-number-and-the-emulator/
https://www.anywi.com/3g/wiki/AtCommandIccid
AT+CGSN GSMモジュールのIMEI番号を取得(国際移動機器識別)
AT+CIMI取得ISMI(国際移動署名者ID)