Disassembling to find the radio

Using apktool to decode the Radio.apk, we can see that all the magic is done in libRadio.so, with native calls from Java through to it.

Running ‘strings’ on libRadio.so shows it is relatively simple: it uses a combination of /dev/sbd, /sys/class/sbd/misc/source, and /data/sbd/radio_freqlist.

The libRadio.so has a single externally callable method, Java_com_sbd_hw_Radio_nativeSendCommand().

So it should be relatively easy to hook this, find out what is being called, and use strace to see what is written to the driver files.
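As an added example (not code from the original post), the script below does offline what the post does with ‘strings’ and a symbol listing: it scans a binary blob for printable runs, filters out the /dev, /sys, /proc and /data paths that hint at driver interaction, and decodes JNI-mangled export names such as Java_com_sbd_hw_Radio_nativeSendCommand back into the Java class and method they bind to (including the `__` overload suffix, per the JNI naming rules). The byte blob is constructed for the demonstration and is not the real libRadio.so; the function names are my own.

```python
import re

# Constructed sample standing in for the bytes `strings` would see in a
# stripped JNI library. This is NOT the real libRadio.so.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/dev/sbd\x00"
    + b"\x01\x02"
    + b"/sys/class/sbd/misc/source\x00"
    + b"/data/sbd/radio_freqlist\x00"
    + b"Java_com_sbd_hw_Radio_nativeSendCommand\x00"
    + b"JNI_OnLoad\x00"
    + b"ab\x00"            # too short: dropped like `strings` would
    + b"write\x00open\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings`: every run of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_kernel_interfaces(strs: list[str]) -> list[str]:
    """Keep paths under /dev, /sys, /proc and /data: where a library talks to a driver."""
    return [s for s in strs if re.match(r"^/(dev|sys|proc|data)/", s)]


def _split_mangled(s: str) -> list[str]:
    """Split a JNI-mangled name on separator underscores, decoding escapes.

    JNI escapes: _1 -> '_', _2 -> ';', _3 -> '[', _0XXXX -> unicode char.
    Any other '_' is a package/class/method (or '/') separator.
    """
    tokens, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "_":
            nxt = s[i + 1] if i + 1 < len(s) else ""
            if nxt == "1":
                cur.append("_"); i += 2; continue
            if nxt == "2":
                cur.append(";"); i += 2; continue
            if nxt == "3":
                cur.append("["); i += 2; continue
            if nxt == "0" and i + 6 <= len(s):
                cur.append(chr(int(s[i + 2:i + 6], 16))); i += 6; continue
            tokens.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    tokens.append("".join(cur))
    return tokens


def demangle_jni(sym: str):
    """Return (java_class, method, arg_signature_or_None) for a Java_* export.

    Overloaded natives carry a '__' suffix followed by the mangled argument
    signature; a literal '_' in the name is always escaped as '_1', so '__'
    can only be that separator.
    """
    if not sym.startswith("Java_"):
        return None
    body = sym[len("Java_"):]
    name_part, sep, sig_part = body.partition("__")
    tokens = _split_mangled(name_part)
    if len(tokens) < 2:
        return None
    java_class = ".".join(tokens[:-1])
    method = tokens[-1]
    signature = "/".join(_split_mangled(sig_part)) if sep else None
    return java_class, method, signature


def analyze(blob: bytes) -> dict:
    """Triage a native library blob: driver paths plus decoded JNI entry points."""
    strs = extract_strings(blob)
    jni = [d for d in (demangle_jni(s) for s in strs) if d is not None]
    return {"paths": find_kernel_interfaces(strs), "jni": jni}


if __name__ == "__main__":
    result = analyze(SAMPLE_BLOB)
    for p in result["paths"]:
        print("driver path:", p)
    for cls, meth, sig in result["jni"]:
        print(f"JNI entry: {cls}.{meth}" + (f"({sig})" if sig else ""))
```

On a real target you would replace SAMPLE_BLOB with the bytes of the extracted .so (after `apktool d` on the APK); the decoded class and method name tell you exactly which Java call site to hook before reaching for strace on the /dev and /sys paths.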
