// You need Android Emulator for Android 15, "Google APIs ARM 64 v8a System Image", version 9.
// The hard-coded function addresses in addHooks() below were taken from that exact image; they are not valid for any other build.
// Attach to the already-running Bluetooth app by name:
// frida -D emulator-5554 -n com.google.android.bluetooth -l dumpbt.js
// ...or wait for the app to be (re)spawned so the hooks are in place from the start:
// frida -D emulator-5554 -W com.google.android.bluetooth -l dumpbt.js
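// Install the hooks as soon as libbluetooth_jni.so is visible in the target.
// The observer presumably reports modules that are already loaded as well as
// later loads, which is what lets the `-n` (attach to running) and `-W`
// (await spawn) invocations from the header share this script — confirm
// against the Frida version in use. Strict comparison: module.name is a plain
// string, there is nothing to coerce.
Process.attachModuleObserver({
  onAdded(module) {
    if (module.name === "libbluetooth_jni.so") {
      addHooks(module);
    }
  },
});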
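/**
 * Install the tracing hooks on libbluetooth_jni.so.
 *
 * Called from the module observer at the top of the script once the library
 * is present in com.google.android.bluetooth. Everything that is enabled here
 * is read-only tracing: each hook prints when a function is entered and, for
 * the two lookup helpers, what they returned.
 *
 * @param {Module} module - Frida Module object for libbluetooth_jni.so.
 *
 * The bta_hf_client_* / sdp* functions are not resolved by name. Their
 * addresses are hard-coded from a disassembler listing of the library
 * (presumably loaded at image base 0x100000 — see rebase() below) and are
 * only valid for the exact system image named in the header comment. On any
 * other build they land on unrelated code; re-derive them before trusting
 * the output.
 *
 * The disabled Memory.patchCode(...) probes overwrite the first instruction
 * of a function with the marker word 0xdededede. They are kept as a way of
 * checking that a given address is really executed, and must stay commented
 * out while tracing.
 */
function addHooks(module) {
  // Image base the static addresses below were taken against — assumed to be
  // the disassembler's default; TODO confirm against the listing.
  const imageBase = 0x100000;

  // Translate a static address from the listing into the live process.
  const rebase = (staticAddr) => module.base.add(staticAddr - imageBase);

  // Hook that only announces entry into a function.
  const traceEntry = (addr, message) => {
    Interceptor.attach(addr, {
      onEnter() {
        console.log(message);
      },
    });
  };

  // Only referenced by the disabled probes below; kept so they can be
  // re-enabled without re-deriving the address.
  const symBtaHfClientCbArrInit = rebase(0x7ad4c4);
  /*
  traceEntry(symBtaHfClientCbArrInit, "bta_hf_client_cb_arr_init called");
  */
  /*
  Memory.patchCode(symBtaHfClientCbArrInit, 0x4, (code) => {
    code.writeUInt(0xdededede);
  });
  */

  const symBtaHfClientAllocateHandle = rebase(0x7ae370);
  /*
  Memory.patchCode(symBtaHfClientAllocateHandle, 0x4, (code) => {
    code.writeUInt(0xdededede);
  });
  */
  traceEntry(
    symBtaHfClientAllocateHandle,
    "sym_bta_hf_client_allocate_handle called",
  );

  const symBtaHfClientDoDisc = rebase(0x7b2a08);
  traceEntry(symBtaHfClientDoDisc, "bta_hf_client_do_disc called");

  const symBtaHfClientFreeDb = rebase(0x7b2cb4);
  /*
  Memory.patchCode(symBtaHfClientFreeDb, 0x4, (code) => {
    code.writeUInt(0xdededede);
  });
  */
  // Loud on purpose: the free of the discovery DB is the event the other
  // log lines are ordered around when reading the trace.
  traceEntry(symBtaHfClientFreeDb, "!!! === bta_hf_client_free_db called === !!!");

  // Control-block lookup by handle. The pointer 8 bytes into the returned
  // block is printed as p_disc_db (offset carried over from the original
  // script — TODO confirm against the struct layout). A failed lookup can
  // presumably return NULL, as the sdpu_find_ccb_by_cid hook below already
  // assumes; reading through NULL would fault inside the agent and kill the
  // whole trace, so it is reported instead of dereferenced.
  const symBtaHfClientFindCbByHandle = rebase(0x7adea8);
  Interceptor.attach(symBtaHfClientFindCbByHandle, {
    onEnter(args) {
      console.log("bta_hf_client_find_cb_by_handle called", args[0]);
    },
    onLeave(result) {
      console.log(
        "bta_hf_client_find_cb_by_handle result",
        result,
        "p_disc_db",
        result.isNull() ? "" : result.add(0x8).readPointer(),
      );
    },
  });

  // SDP connection-control-block lookup by CID; p_db is read from offset
  // 0x20 of the CCB (offset from the original script — TODO confirm).
  const symSdpuFindCcbByCid = rebase(0xa6a394);
  Interceptor.attach(symSdpuFindCcbByCid, {
    onEnter(args) {
      console.log("sdpu_find_ccb_by_cid called", args[0]);
    },
    onLeave(result) {
      console.log(
        "sdpu_find_ccb_by_cid result",
        result,
        "p_db",
        result.isNull() ? "" : result.add(0x20).readPointer(),
      );
    },
  });

  // Earlier variant of the allocation trace on the stack's own osi_malloc /
  // osi_calloc wrappers; superseded by the libc malloc hook below but kept
  // for reference (same size filter, same backtrace).
  /*
  const symOsiMalloc = rebase(0xc27428);
  Interceptor.attach(symOsiMalloc, {
    onEnter(args) {
      this.size = args[0];
      if (this.size.toInt32() === 0x1010) {
        console.log('osi_malloc called from:\n' +
          Thread.backtrace(this.context, Backtracer.FUZZY)
            .map(DebugSymbol.fromAddress).join('\n') + '\n');
      }
    },
    onLeave(result) {
      console.log("osi_malloc(" + this.size + ") =", result);
    }
  });
  const symOsiCalloc = rebase(0xc27514);
  Interceptor.attach(symOsiCalloc, {
    onEnter(args) {
      this.size = args[0];
      if (this.size.toInt32() === 0x1010) {
        console.log('osi_calloc called from:\n' +
          Thread.backtrace(this.context, Backtracer.FUZZY)
            .map(DebugSymbol.fromAddress).join('\n') + '\n');
      }
    },
    onLeave(result) {
      console.log("osi_calloc(" + this.size + ") =", result);
    }
  });
  */

  // libc malloc, filtered to a single allocation size. 0x1010 is presumably
  // the size of the object whose lifetime is being traced (the discovery DB
  // freed by bta_hf_client_free_db, judging by the hooks above) — TODO
  // confirm the sizeof. Only matching calls are logged, with a backtrace;
  // an unfiltered malloc hook in this process is far too noisy to read.
  // Fail loudly if libc or the symbol cannot be found rather than hitting a
  // TypeError on a null module / null pointer further down.
  const libc = Process.findModuleByName("libc.so");
  if (libc === null) {
    throw new Error("libc.so is not loaded; cannot hook malloc");
  }
  const symMalloc = libc.findSymbolByName("malloc");
  if (symMalloc === null) {
    throw new Error("malloc not found in libc.so");
  }
  const tracedAllocSize = 0x1010;
  Interceptor.attach(symMalloc, {
    onEnter(args) {
      this.size = args[0];
      // Decide once per call so onLeave does not repeat the comparison.
      this.traced = this.size.toInt32() === tracedAllocSize;
      if (this.traced) {
        console.log(
          "malloc called from:\n" +
            Thread.backtrace(this.context, Backtracer.FUZZY)
              .map(DebugSymbol.fromAddress)
              .join("\n") +
            "\n",
        );
      }
    },
    onLeave(result) {
      if (this.traced) {
        console.log(`[${this.threadId}] malloc(${this.size}) =`, result);
      }
    },
  });

  // Unfiltered free() trace; disabled because it floods the log.
  /*
  const symFree = libc.findSymbolByName("free");
  Interceptor.attach(symFree, {
    onEnter(args) {
      console.log("[" + this.threadId + "] free(" + args[0]+ ")");
    }
  });
  */

  // sdp_copy_raw_data(p_ccb, ...): dump the first 0x100 bytes of the
  // discovery DB hanging off the CCB (offset 0x20, the same field the
  // sdpu_find_ccb_by_cid hook prints) so its contents can be compared with
  // the free_db log line. The hexdump is skipped for a NULL pointer; a stale
  // but non-NULL pointer can still fault here, which is part of what this
  // probe is meant to surface.
  const symSdpCopyRawData = rebase(0xa66c00);
  Interceptor.attach(symSdpCopyRawData, {
    onEnter(args) {
      const discoveryDb = args[0].add(0x20).readPointer();
      const detail = discoveryDb.isNull()
        ? String(discoveryDb)
        : `${discoveryDb}\n${hexdump(discoveryDb, { length: 0x100 })}`;
      console.log("sdp_copy_raw_data", args[0], args[1], detail);
    },
  });

  console.log("hooked");
}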