LgSvcCmdExploit_LS970

This is a PoC demonstrating vulnerabilities in LG's LS970 RIL implementation which allow any app that bundles a few specially crafted JAR libraries to view and modify CDMA programming values (Phone Number, MIN, MIP Username, MEID, etc.).

This vulnerability was discovered in my attempts to make programming the device for use on other carriers an easier goal to achieve. I studied LgSvcCmd.class and noticed that the methods were both public and static...

No permissions at all are required to accomplish any of this.

What was done:

  1. Used APKTool to extract classes.dex from /system/framework/lgsvcitems.jar
  2. Used dex2jar on extracted classes.dex to create lgsvcitems_d2j.jar
  3. Used APKTool to extract classes.dex from /system/framework/qcrilhook.jar
  4. Used dex2jar on extracted classes.dex to create qcrilhook.jar
  5. Added both _d2j libraries to a new Android Project
  6. Imported and called LgSvcCmd methods directly; no reflection is necessary

This is for educational use only, as it can definitely change the Phone Number and other valuable programming information. I have NOT tested trying to write a new MEID value to the device. Please, if you choose to do so, do it AT YOUR OWN RISK, as I have no idea what the end result would be. I can confirm 100% that you can view/change:

Phone Number, MIN, MIP Username, MSL