What are developer options?
Android provides some hidden features for developers to investigate certain things. These hidden features allow developers to have better interaction with the Android OS. In other words, you can do a lot with Android from the device itself, but developers need more options. It would be a huge pain to manually move files between devices, run commands, and perform similar tasks all on the phone while developing. Instead, they use tools built into Android Studio and the Android SDK to streamline these processes.
How to enable developer options?
Settings → About Phone → Build Number → Press 8 times
What do I get if I enable USB Debugging?
Enabling USB debugging grants us many options. For example:
Bluetooth HCI Snoop Log
If our application works with Bluetooth, we can log every single bit of data that is transferred. We can analyse this data with Wireshark or similar tools.
Select mock location app
Android Mock Location is a feature that allows developers and other users to simulate location data for testing, geo-tagging, and other purposes. It enables apps to send mock location data to the Android location services, reporting that data to other apps and services as if it were real.
Not supported for all applications. For example, we can't mock location for GApps.
USB Debugging
USB Debugging is a developer mode in Android phones that allows newly programmed apps to be copied via USB to the device for testing. It is a way for an Android device to communicate with the Android SDK (Software Development Kit) over a USB connection. It allows an Android device to receive commands, files, and the like from the PC, and allows the PC to pull crucial information like log files from the Android device.
Showing Pointer Location
Shows us the coordinates of our touches on the screen.
We use these coordinates to write short scripts that interact with applications and automate some tasks.
USB Debugging Features
Screen Share
If you want to share the screen of your device to your computer, you can use scrcpy, which uses ADB to share the screen.
# In macOS
brew install scrcpy
# In Linux
apt update && apt install scrcpy
On some devices, besides enabling USB debugging, you should also allow the file transfer tool.
Creating Macro via ADB
If you run the adb shell command, you will get a shell on your phone. In this state, type input and press the Enter key.
To tap a point, for example a coordinate that opens the call app, you can do this:
input touchscreen tap [x] [y]
But wait! How can we get x and y?
Go to developer options
Enable pointer location
Example: going to the apps list, opening Firefox, searching for a name and pressing Enter:
input touchscreen swipe 768 2105 816 128 100; input touchscreen tap 1258 1190;sleep 5;input touchscreen tap 619 2294;sleep 1; input touchscreen text "Mohammad Hossein Ashofte Yazdi";input touchpad keyevent ENTER;
Capturing BLE Log via ADB
To enable the Bluetooth log, do the following steps:
Settings → Developer Options → Enable Bluetooth HCI snoop log → Enabled
A Bluetooth HCI (Host Controller Interface) snoop log is a log file that contains all the Bluetooth transmissions that you have made on your Android gadget.
It's usually stored in /sdcard/btsnoop_hci.log, but it may be different on various devices. Because this path varies between mobile devices, it's recommended to get a bug report:
adb bugreport name.zip
unzip name.zip
# The file is located at: name/FS/data/misc/bluetooth/logs/btsnoop_hci.log.last
After that, you can open this file with Wireshark.
You don't need to analyse all the packets. Just look at the part which is not related to host/controller.
As further analysis, you can see in the picture below how the phone commands the toy to change the antenna color to white.
14 → Changing color of Antenna
ffffff → RGB → 3 Byte → White
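The same filtering can be scripted instead of done by eye in Wireshark. The Python below is an added example, not part of the original write-up: it reads a btsnoop file, keeps only the ATT writes the phone sent, and reports the connection handle and payload of each. It assumes the H4 (datalink 1002) btsnoop format and unfragmented ATT PDUs; the function names, the sample capture and the ATT handle 0x0010 are constructed for illustration.

```python
import struct

MAGIC = b"btsnoop\x00"
H4_ACL, ATT_CID = 0x02, 0x0004
ATT_WRITES = {0x12: "Write Request", 0x52: "Write Command"}

def att_writes(blob):
    """List (connection handle, ATT handle, opcode name, value) for host-sent ATT writes."""
    if blob[:8] != MAGIC:
        raise ValueError("not a btsnoop file")
    if struct.unpack(">I", blob[12:16])[0] != 1002:  # 1002 = HCI UART (H4)
        raise ValueError("unsupported datalink type")
    found, pos = [], 16
    while pos + 24 <= len(blob):
        # Record header (big-endian): orig len, included len, flags, drops, timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        if len(pkt) < incl:
            break  # truncated capture
        # flags bit 0 set = controller->host, bit 1 set = HCI command/event
        if flags & 0b11 or len(pkt) < 12 or pkt[0] != H4_ACL:
            continue
        # ACL and L2CAP headers are little-endian; unfragmented PDUs are assumed
        hdr, _acl_len, l2cap_len, cid = struct.unpack("<HHHH", pkt[1:9])
        if cid != ATT_CID or pkt[9] not in ATT_WRITES:
            continue
        att_handle = struct.unpack("<H", pkt[10:12])[0]
        found.append((hdr & 0x0FFF, att_handle, ATT_WRITES[pkt[9]], pkt[12:9 + l2cap_len]))
    return found

def antenna_rgb(value):  # decode the page's colour command: 0x14 + three RGB bytes
    return tuple(value[1:4]) if len(value) == 4 and value[0] == 0x14 else None

def _record(flags, data):  # builds one constructed btsnoop record
    return struct.pack(">IIIIq", len(data), len(data), flags, 0, 0) + data
def _att_write(conn, att_handle, value):  # constructed H4 ACL frame with a Write Command
    att = bytes([0x52]) + struct.pack("<H", att_handle) + value
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return bytes([H4_ACL]) + struct.pack("<HH", conn, len(l2cap)) + l2cap

# Constructed capture: one HCI event (skipped) and one write on connection 0x0026.
SAMPLE = (MAGIC + struct.pack(">II", 1, 1002)
          + _record(3, bytes.fromhex("040e0401011000"))
          + _record(0, _att_write(0x0026, 0x0010, bytes.fromhex("14ffffff"))))

if __name__ == "__main__":
    for conn, handle, op, value in att_writes(SAMPLE):
        print("conn=0x%04x att=0x%04x %s %s rgb=%s"
              % (conn, handle, op, value.hex(), antenna_rgb(value)))
```

To run it on a real capture, pass the bytes of btsnoop_hci.log.last to att_writes() in place of SAMPLE.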
If you want to make sure all these logs are for one connection, look at the Handle number. In this example, all the packets have the same Handle ID (0x0026).
How to Send And Receive Bluetooth Packets
To receive and send messages via Bluetooth, you need an application named nRF. You can download it from this link:
To hack our sample device (Furby), we should first connect to it. After that, you can see the list of services that are available to interact with:
The UUID should be the same as the one we found in Wireshark. Click on the service:
Now you can see all the characteristics available to interact with. Click on the send command button:
At the end, set any RGB value you want:
The number 14 is constant and refers to the antenna color. The next 3 bytes are for RGB.