Reflection to access advanced telephony features

I am trying to use reflection to access some unpublished features of the telephony API. Currently I am having trouble instantiating a serviceManager object that is needed to get the "phone" service as a binder, which I can then use to instantiate a telephony object that is needed to make a call, end a call, etc.

Currently, when I make the call

serviceManagerObject = tempInterfaceMethod.invoke(null, new Object[] { new Binder() });

it throws a NullPointerException. I believe this has to do with creating a new Binder instead of sending the appropriate binder (though I am unsure which one is appropriate).

import android.os.Binder;
import android.os.IBinder;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public void placeReflectedCall() throws ClassNotFoundException,
        SecurityException, NoSuchMethodException, IllegalArgumentException,
        IllegalAccessException, InvocationTargetException {
    String serviceManagerName = "android.os.IServiceManager";
    String serviceManagerNativeName = "android.os.ServiceManagerNative";
    String telephonyName = "com.android.internal.telephony.ITelephony";
    String number = "1111111111";

    // ITelephony and its nested Stub class (getClasses()[0] is ITelephony$Stub)
    Class<?> telephonyClass = Class.forName(telephonyName);
    Class<?> telephonyStubClass = telephonyClass.getClasses()[0];
    Class<?> serviceManagerClass = Class.forName(serviceManagerName);
    Class<?> serviceManagerNativeClass = Class.forName(serviceManagerNativeName);

    // IServiceManager.getService(String) is an instance method, so a
    // service manager object is needed to invoke it
    Method getService = serviceManagerClass.getMethod("getService", String.class);

    Method tempInterfaceMethod = serviceManagerNativeClass.getMethod(
            "asInterface", IBinder.class);
    // this does not work
    Object serviceManagerObject = tempInterfaceMethod.invoke(null,
            new Object[] { new Binder() });

    IBinder retbinder = (IBinder) getService.invoke(serviceManagerObject,
            "phone");
    Method serviceMethod = telephonyStubClass.getMethod("asInterface",
            IBinder.class);
    Object telephonyObject = serviceMethod
            .invoke(null, new Object[] { retbinder });

    Method telephonyCall = telephonyClass.getMethod("call", String.class);
    Method telephonyEndCall = telephonyClass.getMethod("endCall");
    Method telephonyAnswerCall = telephonyClass.getMethod("answerRingingCall");

    telephonyCall.invoke(telephonyObject, number);
}

Solution 1:

By doing the following

Binder tmpBinder = new Binder();
tmpBinder.attachInterface(null, "fake");
serviceManagerObject = tempInterfaceMethod.invoke(null,  new Object[] { tmpBinder });

you will get a ServiceManagerProxy instance; then the next issue happens on the line

telephonyCall.invoke(telephonyObject, number);

Solution 2:

I have a solution. Change:

String serviceManagerName = "android.os.IServiceManager"; 

to:

String serviceManagerName = "android.os.ServiceManager";
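Putting Solution 2 together with the question's ITelephony lookup, as an added example that is not code from the question or either answer: it uses only the hidden class and method names already on the page, and the class name TelephonyLookup and its null-on-failure behaviour are my own choices.

```java
import android.os.IBinder;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public final class TelephonyLookup {
    // Hidden framework classes named on the page (Solution 2 and the question).
    private static final String SERVICE_MANAGER = "android.os.ServiceManager";
    private static final String ITELEPHONY = "com.android.internal.telephony.ITelephony";

    /** Resolves the "phone" service to an ITelephony proxy, or null if unavailable. */
    public static Object getTelephony() {
        try {
            // android.os.ServiceManager.getService(String) is static, so no
            // service manager instance is needed; this sidesteps the
            // ServiceManagerNative.asInterface(new Binder()) NullPointerException.
            Class<?> sm = Class.forName(SERVICE_MANAGER);
            Method getService = sm.getMethod("getService", String.class);
            IBinder phoneBinder = (IBinder) getService.invoke(null, "phone");
            if (phoneBinder == null) {
                return null; // "phone" not registered (e.g. no telephony on this device)
            }
            // ITelephony$Stub is the nested Stub class the question reaches via
            // getClasses()[0]; asInterface(IBinder) wraps the remote binder in a proxy.
            Class<?> stub = Class.forName(ITELEPHONY + "$Stub");
            Method asInterface = stub.getMethod("asInterface", IBinder.class);
            return asInterface.invoke(null, phoneBinder);
        } catch (ClassNotFoundException e) {
            return null; // hidden class absent on this platform build
        } catch (NoSuchMethodException e) {
            return null; // signature differs, or hidden-API access is restricted
        } catch (IllegalAccessException e) {
            return null;
        } catch (InvocationTargetException e) {
            // The framework threw (typically a SecurityException): call() requires
            // CALL_PHONE, and endCall()/answerRingingCall() enforce MODIFY_PHONE_STATE.
            return null;
        }
    }
}
```

Methods such as `call`, `endCall` and `answerRingingCall` are then looked up on the returned object's interface exactly as in the question, and their permission checks are enforced by the phone process, not by the reflective caller.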