RSAP with Audi A7 MMI 3G+ firmware K0700

Discussions about running the rSAP app on Sony Xperia phones
GaPhi
Posts:21
Joined:Thu Apr 09, 2015 9:26 pm
Re: RSAP with Audi A7 MMI 3G+ firmware K0700

Post by GaPhi » Tue Dec 15, 2015 5:26 pm

Without your code, it is very difficult to find, but the pcap you analyzed shows an attempt to access a nonexistent file, if I remember well.
During my code maturation I also got the same kind of error, but it was due to badly formatted APDU data content (I put spaces between bytes in the string).
Yours might be in the APDU data content too (very probable), either in the RIL->SAP or SAP->RIL conversions.

Check that you do not share any buffer between calls or different threads.


Another possibility, linked to an observation (network bars appear again while SAP is connected), is that you do not fully lock RILJ access:
- I switch radio off when SAP connects
- I then send RIL_UNSOL_RESPONSE_RADIO_STATE_CHANGED to RILJ
- I then reply RIL_E_RADIO_NOT_AVAILABLE to any RILJ request (in same call/thread)
- I then reply RADIO_STATE_OFF when RILJ calls onStateRequest
Then, if RILJ is not blocked, it can do some SIM access, change the current SIM path and corrupt further SAP SIM accesses.


Let's have a look at those ideas...

admin
Site Admin
Posts:4139
Joined:Wed Mar 23, 2011 4:12 pm

Re: RSAP with Audi A7 MMI 3G+ firmware K0700

Post by admin » Tue Dec 15, 2015 5:33 pm

Is it possible that the Audi phone deviates from the usual request/response scheme, e.g. sends some unrequested state change? Maybe related to the TERMINAL PDUs? Then there may be a race condition in my receive code. I'll check it...

GaPhi
Posts:21
Joined:Thu Apr 09, 2015 9:26 pm

Re: RSAP with Audi A7 MMI 3G+ firmware K0700

Post by GaPhi » Wed Dec 16, 2015 9:47 am

No, it does not.
I strictly implemented the SAP specification v1.1 that can be found on the Internet.
The only addition to the spec is to define the parameter order as the one in the tables of the spec; it is not specified that this is a requirement, but it is necessary for Audi...

admin
Site Admin
Posts:4139
Joined:Wed Mar 23, 2011 4:12 pm

Re: RSAP with Audi A7 MMI 3G+ firmware K0700

Post by admin » Fri Dec 18, 2015 6:26 pm

So I checked your issue again and found out the following:

It's only the Xperia Z3 that freaks out when it gets the invalid application id a0000000871002000000000000000000, I can reproduce this with my phone. The Qualcomm lib returns an "Internal Error" and the phone no longer works properly. When I send the same data to a Nexus 5 it returns an error code and happily continues. I still don't understand why the Audi tries to select this application, this also seems to be a bug. The combination of both is causing real trouble.

I'll mail you a special plugin which simply intercepts the application selection and returns a "normal" error. Let's see what the Audi makes of this...

I couldn't find a buffer overwrite in my code. I guess "your" rSAP works because you use a different interface for the SIM access which does not freak out because of the invalid application id.
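An added example, not code from this thread or from either author's rSAP implementation: a small guard for a hypothetical SAP server sitting between the car's TRANSFER_APDU requests and the phone's SIM interface. It parses the APDU hex string strictly (rejecting the "spaces between bytes" formatting bug GaPhi mentions above) and answers a SELECT-by-AID for the application id quoted in this post with an ordinary ISO 7816 status word, so the modem library never sees it. The `forward` callback and the sample APDU are assumptions constructed for the example.

```python
import re

# AID quoted in this thread; the Xperia Z3 modem library reports "Internal Error" on it.
BAD_AID = bytes.fromhex("a0000000871002000000000000000000")
SW_NOT_FOUND = bytes.fromhex("6a82")      # ISO 7816-4 SW1SW2: file or application not found
INS_SELECT, P1_SELECT_BY_AID = 0xA4, 0x04

def is_strict_hex(text):
    """True only for contiguous hex byte pairs: '00a40400' yes, '00 a4 04 00' no."""
    return re.fullmatch(r"(?:[0-9a-fA-F]{2})+", text) is not None

def parse_apdu_hex(text):
    """Hex string -> bytes; malformed input is rejected rather than silently repaired."""
    if not is_strict_hex(text):
        raise ValueError("APDU must be contiguous hex byte pairs, got %r" % text)
    return bytes.fromhex(text)

def decode_command(apdu):
    """Split a short-form command APDU into CLA/INS/P1/P2 and the Lc data field."""
    if len(apdu) < 4:
        raise ValueError("command APDU shorter than CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body, data = apdu[4:], b""
    if len(body) >= 2:                    # a single trailing byte is Le, not Lc
        lc = body[0]
        if len(body) - 1 < lc:
            raise ValueError("Lc exceeds the bytes actually present")
        data = body[1:1 + lc]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data}

def filter_transfer_apdu(apdu_hex, forward):
    """Answer the problematic SELECT locally; pass everything else to `forward`
    (a hypothetical callable that talks to the phone's SIM interface)."""
    cmd = decode_command(parse_apdu_hex(apdu_hex))
    if cmd["ins"] == INS_SELECT and cmd["p1"] == P1_SELECT_BY_AID and cmd["data"] == BAD_AID:
        return SW_NOT_FOUND                # the modem library never sees the request
    return forward(cmd)

# Constructed sample: SELECT by DF name (00 A4 04 00, Lc=16) carrying the quoted AID.
SAMPLE_SELECT_HEX = "00a4040010" + BAD_AID.hex()

if __name__ == "__main__":
    print(filter_transfer_apdu(SAMPLE_SELECT_HEX, lambda cmd: b"\x90\x00").hex())  # 6a82
```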

admin
Site Admin
Posts:4139
Joined:Wed Mar 23, 2011 4:12 pm

Re: RSAP with Audi A7 MMI 3G+ firmware K0700

Post by admin » Sat Dec 26, 2015 2:47 pm

OMG... It's really embarrassing for me that I did not remember, but 3 years is a long time :oops:
This plugin should also help: viewtopic.php?f=16&t=444
