Disassembling to find the radio
Using apktool to decode the Radio.apk, we can see that all the magic is done in libRadio.so, w/ native calls from Java through to it.
Running ‘strings’ on the libRadio.so, its relatively simple, and uses a combination of /dev/sbd, /sys/class/sbd/misc/source, and /data/sbd/radio_freqlist.
The libRadio.so has a single externally callable method, Java_com_sbd_hw_Radio_nativeSendCommand().
So it should be relatively easy to hook this and find that is being called, and use strace to see what is written to the driver files.