Android Multisim Pre-5.1

NOTE: If you’re just looking for a library to use, there’s MultiSim. I’ve never used this so I can’t guarantee anything about it. It also only supports SIM information and not SMS.

Phones that can take multiple SIM cards are quite popular in the Philippines. The two major telecoms would have unlimited SMS packages for messages within their networks. It was quite common to have a SIM for each telco and use the appropriate one depending on who you were sending to.

Android’s API only officially supported multiple SIM cards in 5.1 (API level 22) but Android phones with dual-SIM (and even triple-SIM) capabilities were already available at least as far back as 2.3 (API level 10) when I first needed to support it. Since there was no official API for this, the manufacturers just invented their own and of course each one implemented it in a different way.


The first phone we started working on was a Lenovo A60 which used a Mediatek SOC. We somehow got a library from the manufacturer that let us use the dual-SIM functionality, but it was quite a pain to get working as there was limited documentation and we were quite new to Android development at the time.

When we disassembled the library that they gave us, we noticed that the names they used for the additional functions were quite interesting. They were all the TelephonyManager and SmsManager methods with a Gemini suffix and they would take an additional int parameter in addition to the original.

It turned out that these were available on the standard TelephonyManager instance and could be accessed via reflection. The SmsManager was a bit trickier but we ended up figuring out that there was an android.telephony.gemini.GeminiSmsManager class that had the functionality.

In a different phone with a Mediatek SOC, this got renamed to com.mediatek.telephony.gemini.SmsManager for some reason and dropped the Gemini suffix only for the SmsManager.


It was also around this time that Intel started making SOCs for smartphones. We had an ASUS Fonepad 7. Unlike with the Mediatek device, we didn’t have a library to use here and had to use reflection to find the hidden classes / methods.

What we found was that instead of having a single instance with every method taking a sim parameter, they instead had separate instances of TelephonyManager and SmsManager for each SIM. You would call TelephonyManager.get2ndTm() and SmsManager.get2ndSmsManager() to have access to the 2nd SIM.


The last phone I looked at was a dual-SIM Moto G. What’s interesting about this one is that the API completely changed in the upgrade from 4.4 to 5.0.

On Android 4.4, the API was pretty close to the Mediatek one. You had a single instance that could dispatch to other SIMs by having an extra parameter on all the methods. These were in android.telephony.MSimTelephonyManager and android.telephony.MSimSmsManager.

On Android 5.0, the API was a weird mix of all the above and also the introduction of android.telephony.SubscriptionManager which was quite close but not exactly the same as what ended up in the official API. Instead of getActiveSubscriptionInfoList there was getActiveSubIdList which only returned long[].

For the information that would normally exist in SubscriptionInfo, you had to query the main TelephonyManager instance which had methods with an extra long parameter for the subscription id. The SmsManager was simpler with just getSmsManagerForSubscriber.

With Android 5.1, I assume they just switched to using the official API so this phone would have gone through 3 different multi-SIM APIs over the course of its life.


Around the release of Android 5.1, we stopped work on the app so I never actually got to use the official API myself ironically. We also never really got a big deployment so while I saw quite the variety of multi-SIM implementations, that’s probably not all that’s been out in the wild.


ISP Issues

At the first office I worked at, we had 2 different ISPs. This was supposed to be for reliability, as one was fast but spotty, and the other was slow but reliable. Since they weren’t too expensive, we just went and got both.

We had monitoring set up to watch our office IPs from the outside so we could see how often the connection went down. The interesting thing we found was that the fast and spotty connection had perfect uptime. Even when there was clearly no internet from the office, it was still “up” according to our monitoring.

So we tried pinging our office IP using the other connection and to our surprise it was indeed up. There was even a webserver running on it (we only have VPN exposed). Apparently, it was someone else’s CCTV admin page. We could actually see a hallway with people walking by sometimes!

Apparently someone else had our IP address and nothing good comes from an IP conflict. This was completely baffling as our internet line was supposed to be a “business line” and that came with a static IP address. So the only scenarios where this could happen are: the ISP mistakenly gave the same IP to 2 different lines, or the ISP allows some clients to freely set their own IP.

We complained to the ISP and eventually got it resolved. They just gave us an entirely new IP address, but they never explained what went wrong. We already had quite a negative opinion of that particular ISP though, and they somehow managed to outdo themselves.



Sometime around 2013 I wrote a clone of the GBA game bit Generations SoundVoyager called audventure. SoundVoyager is actually a collection of mini-games where sound is the main focus. You can actually play the game blind, and at some point, that’s pretty much what happens.

sound catcher

The signature mini-game in SoundVoyager is sound catcher. In the mini-game, you can only move left and right at the bottom of the stage, while a “sound” falls from the top. Your goal is to catch the sound which is signified by a green dot. When you catch it, the sound or beat becomes part of the BGM and a new dot appears with a different sound.

You can of course use your eyes and move accordingly, but if you put on earphones, you can actually hear where the dot is, either on your left or right, with it getting louder as it gets close to you. As you collect more sounds, the dot gets more and more transparent. Eventually (and this is where it gets fun), you won’t be able to see the sounds anymore and will have to rely mostly on your ears.

You can see what the original game looks like in this video or you can play it under sound safari in audventure.

WebAudio vs Flash

At the time I wrote audventure, only Chrome supported WebAudio. Also, the API looked (and still looks) quite complicated. Flash on the other hand, was starting to die, but still well-supported so I went with that. For the most part, it worked okay though Chrome actually had timing issues when playing sounds. Now, it doesn’t work in any browser. I tried to debug the issues but ultimately ended up just rewriting it to use WebAudio instead.

For the game, I needed to simulate the source of the sound in 2D/3D space. Flash only really gives you stereo panning and volume control. With some maths, we can actually get an acceptable solution. Less importantly, I needed to be able to get frequency data of the currently playing “sound” to pulse the background. For this, I actually had to implement the feature in the Flash library I was using.

With WebAudio, spatial audio is already built-in and you can simply give it the coordinates of the sounds and the listener. There are some other options to tweak, but for the most part, no complex math is needed. Getting frequency data for a sound is also actually built-in and didn’t take too long to integrate.

Overall, I was impressed by how much you can do with WebAudio out-of-the-box. I kind of understand why it’s complicated, but there’s some simple functionality that I wish was included. For example, there is no API to pause and then resume playing an audio buffer. You have to manually save the elapsed time and play from there.
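
The pause/resume bookkeeping described above, as an added example that is not code from audventure: `PausableSound` is a hypothetical wrapper, and `ctx` is assumed to be an `AudioContext` (or any object exposing `currentTime`, `destination` and `createBufferSource()`).

```javascript
// Added example: pause/resume for an AudioBuffer by saving the elapsed time.
// PausableSound is a hypothetical name, not part of Web Audio or audventure.
class PausableSound {
  constructor(ctx, buffer, { loop = false } = {}) {
    this.ctx = ctx;
    this.buffer = buffer;
    this.loop = loop;
    this.offset = 0;     // seconds into the buffer where playback resumes
    this.startedAt = 0;  // ctx.currentTime at the most recent start()
    this.source = null;  // live AudioBufferSourceNode while playing
  }

  get playing() { return this.source !== null; }

  // Current position in the buffer, wrapped for loops, clamped otherwise.
  position() {
    if (!this.playing) return this.offset;
    const t = this.offset + (this.ctx.currentTime - this.startedAt);
    return this.loop ? t % this.buffer.duration : Math.min(t, this.buffer.duration);
  }

  play() {
    if (this.playing) return;
    // A source node can be started only once, so build a new one per resume.
    const source = this.ctx.createBufferSource();
    source.buffer = this.buffer;
    source.loop = this.loop;
    source.connect(this.ctx.destination);
    // Natural end of a non-looping sound: rewind so the next play() restarts.
    source.onended = () => {
      if (this.source === source) { this.source = null; this.offset = 0; }
    };
    source.start(0, this.offset); // start(when, offset): begin mid-buffer
    this.startedAt = this.ctx.currentTime;
    this.source = source;
  }

  pause() {
    if (!this.playing) return;
    this.offset = this.position(); // save elapsed time before stopping
    const source = this.source;
    this.source = null;
    source.onended = null;         // stop() fires "ended"; keep the offset
    source.stop();
  }
}
```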

Other mini-games

So far I’ve only actually implemented the sound catcher mini-game. There are around 4 different categories with slight variations in between.

sound catcher / sound slalom

I’ve explained sound catcher a while ago; sound slalom is a minor variation on that. Instead of waiting for the “sound” to reach you, you now have to guide yourself in between 2 “poles” of sound, as in slalom skiing. But this time, you can also accelerate forward. The goal is to finish the course before the time runs out.

sound drive / sound chase

In sound drive, you’re driving against the flow on a 5 lane road. You have to avoid oncoming cars, trucks and animals until you reach the end. You’re allowed to change lanes and accelerate, and the game tracks your best time. Sound chase is pretty much the same, except you’re trying to catch up to a “sound”.

sound cannon

In sound cannon, you’re immobile but can rotate within a 180 degree angle. Your goal is to shoot down “sounds” which are heading your way. If a sound reaches you, it’s game over. You win when you kill all the sounds.

sound picker / sound cock

In sound picker, you can move in a giant square field where various sounds are scattered around. Your goal is to pick up all the sounds within the time limit. Sound cock is similar, except the sounds are chickens and you have to chase them around.

Source Code

If you want to see the source code, you can check it out here. The sound files aren’t in the repo though, since I’m not quite sure about the licensing. If you want to contribute music or sound effects, I’d gladly appreciate it.



Smart electronics and IoT (Internet of Things) are all the rage these days. You have a lot of companies sprout up trying to make the next big thing, which also leads to a lot of failures big and small. Pebble, the maker of my smartwatch, got bought out by Fitbit recently. This left watch owners without any official support, but thankfully, community members stepped up to continue maintaining it.

Another casualty of the IoT boom was the Orange Chef Prep Pad. It’s a bluetooth connected weighing scale to make it easy to track your calories and carb/fat/protein intake. My dad bought it last year only to find out that the app was incredibly buggy. The search function doesn’t work which makes the whole thing practically useless. I also found out later that you can’t even download the app to use the scale anymore.

Note: I just found out as I was writing this post that it may get supported by another company.

So the app is useless, but at least you can use it as a scale, right?

Prep Pad

Nope. The device has no display whatsoever. The only controls on it are the on/off button and a green LED that isn’t even that useful at telling you whether it’s on or not. At this point, it’s just a giant paperweight.

Reverse Engineering

Since I essentially had nothing to lose, I tried poking at the thing to figure out how it works. I didn’t really have experience with bluetooth besides trying to get my bluetooth mouse connected on Linux. The main thing I used then was bluetoothctl which is essentially a CLI for managing bluetooth devices so I started there.

I started up bluetoothctl and turned on the Prep Pad. And it showed up!

[bluetooth]# power on
[CHG] Controller ... Class: 0x00010c
Changing power on succeeded
[CHG] Controller ... Powered: yes
[bluetooth]# scan on
Discovery started
[CHG] Device 1C:BA:8C:21:7C:BB RSSI: -51
[CHG] Device 1C:BA:8C:21:7C:BB Name: CHSLEEV_00
[CHG] Device 1C:BA:8C:21:7C:BB Alias: CHSLEEV_00

I then connected to it, which was surprisingly easy.

[bluetooth]# connect 1C:BA:8C:21:7C:BB
Attempting to connect to 1C:BA:8C:21:7C:BB
[CHG] Device 1C:BA:8C:21:7C:BB Connected: yes
[CHG] Device 1C:BA:8C:21:7C:BB Name: CH BTScale_00
[CHG] Device 1C:BA:8C:21:7C:BB Alias: CH BTScale_00

Now normally, when you turn the device on, the green light flashes occasionally. Once I connected to it, the green light stayed on permanently. Clearly, I was making progress. A lot of services were also discovered but I had no idea what those things were at that point.

After a lot of poking around, I could check the general device information. You could get the hardware, software and firmware version. There’s also the device serial number which was nowhere on the actual physical device.

[CHSLEEV_00]# select-attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017
[CH BTScale_00:/service0010/char0017]# attribute-info
Characteristic - Firmware Revision String
	UUID: 00002a26-0000-1000-8000-00805f9b34fb
	Service: /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010
	Value: 0x31
	Value: 0x2e
	Value: 0x31
	Value: 0x33
	Value: 0x41
	Value: 0x00
	Flags: read
[CH BTScale_00:/service0010/char0017]# read
Attempting to read /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017 Value: 0x31
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017 Value: 0x2e
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017 Value: 0x31
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017 Value: 0x33
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017 Value: 0x41
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0010/char0017 Value: 0x00
  31 2e 31 33 41 00                                1.13A.
[CH BTScale_00:/service0010/char0017]#

There was also a service which contained Accel Enable, Accel Range, Accel X-Coordinate, Accel Y-Coordinate, and Accel Z-Coordinate. I guess it stands for accelerometer, which is probably what it uses to weigh things.

[CHSLEEV_00]# select-attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026
[CH BTScale_00:/service0023/char0024/desc0026]# read
Attempting to read /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x41
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x63
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x63
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x65
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x6c
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x20
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x45
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x6e
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x61
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x62
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x6c
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024/desc0026 Value: 0x65
  41 63 63 65 6c 20 45 6e 61 62 6c 65              Accel Enable

I couldn’t read from any of the Accel Coordinates. It kept saying permission denied. I could, however, notify on them. But that didn’t yield anything either. What I could read was Accel Enable, which was set to 00. I guess that means it was off. After writing 01 to Accel Enable, I found I could get values out of Accel X-Coordinate! Also, the green LED which was permanently on turned off.

[CHSLEEV_00]# select-attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024
[CH BTScale_00:/service0023/char0024]# write 01
Attempting to write /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024
[CH BTScale_00:/service0023/char0024]# select-attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a
[CH BTScale_00:/service0023/char002a]# notify on
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Notifying: yes
Notify started
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x5b
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0xa3
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x02
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x00
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x55
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0xa3
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x02
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x00
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x59
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0xa3
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x02
[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a Value: 0x00

I tried pressing the scale down a few times, and the values changed accordingly. Now, I just had to figure out how to convert the values into grams. It looked like the values were 32-bit integers sent as 4 bytes. In the above example it would be 0x0002a35b, 0x0002a355, 0x0002a359 or 172891, 172855, 172899. The values also decrease as you exert more effort on the scale. So assuming you take the initial value as tare, you simply subtract any succeeding value from that tare and you get the “weight”.

The values I got didn’t seem to be in grams though. After weighing some things on an actual scale and comparing the values I got, I found I can just divide the values by 14 and get something in grams. That 14 is entirely a magic number though and I have no idea whether other Prep Pads would have the same constant.
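
The decoding steps above, as an added example that is not the code of the CLI mentioned below: the function names are hypothetical, the byte order is inferred from the session (bytes 5b a3 02 00 giving 0x0002a35b), and the divisor 14 is the empirical constant from this post.

```javascript
// Added example (hypothetical function names): turn bluetoothctl notification
// lines for one characteristic into scale readings and approximate grams.
const X_COORD = '/org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char002a';

// Constructed log: the twelve byte values from the session above, plus two
// lines that must be ignored (a status line and another characteristic).
const SAMPLE_LOG = [
  'Notify started',
  '[CHG] Attribute /org/bluez/hci0/dev_1C_BA_8C_21_7C_BB/service0023/char0024 Value: 0x01',
  ...[0x5b, 0xa3, 0x02, 0x00, 0x55, 0xa3, 0x02, 0x00, 0x59, 0xa3, 0x02, 0x00]
    .map((b) => `[CHG] Attribute ${X_COORD} Value: 0x${b.toString(16).padStart(2, '0')}`),
].join('\n');

// bluetoothctl prints one line per byte, so collect the bytes in order.
function extractBytes(log, path) {
  const line = /^\[CHG\] Attribute (\S+) Value: 0x([0-9a-fA-F]{2})$/;
  const bytes = [];
  for (const raw of log.split('\n')) {
    const m = line.exec(raw.trim());
    if (m && m[1] === path) bytes.push(parseInt(m[2], 16));
  }
  return bytes;
}

// Each reading is 4 bytes, least significant byte first (5b a3 02 00 is
// 0x0002a35b). A trailing partial group is dropped; a capture that starts
// mid-reading would be misaligned, so start capturing before "notify on".
function decodeReadings(bytes) {
  const readings = [];
  for (let i = 0; i + 4 <= bytes.length; i += 4) {
    const v = bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24);
    readings.push(v >>> 0); // force unsigned 32-bit
  }
  return readings;
}

// Readings fall as load increases, so weight = (tare - reading) / divisor.
// 14 is the post's empirical constant for one unit; calibrate per device.
function toGrams(readings, tare = readings[0], divisor = 14) {
  return readings.map((r) => (tare - r) / divisor);
}

const readings = decodeReadings(extractBytes(SAMPLE_LOG, X_COORD));
console.log(readings.map((r) => '0x' + r.toString(16).padStart(8, '0')));
console.log(toGrams(readings).map((g) => g.toFixed(2) + ' g'));
```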


With all that figured out, I went ahead and made a simple CLI application to interface with the Prep Pad. Ironically, node was the simplest thing I found that had nice bluetooth library support so that’s what I wrote it in. I also added most of the technical details in the README for that as well.

While this is all well and cool, I doubt the intersection of Linux users and people who got ripped off bought the Prep Pad is anyone besides me. In light of that, I’m in the process of making a React Native version of the app, but that’s still a work in progress. Who knows, if the new owners of Prep Pad are good, I might not even need to finish it.
