问题
I would like to rec each time I have a conversation with the MobilePhone App. My device is jailbroken, so no problem about the appStore restrictions.
Of course I guess the public framework will provide nothing. Also, I've been looking at the private frameworks, but haven't seen anything useful.
Currently I am able to rec from the microphone, but when a conversation starts, it takes the microphone in exclusive mode, and the data is no longer received.
Any guidance?
回答1:
"Audio Recorder" is indeed a very simple tweak. The author tried to obfuscate important parts of his tweak (which function is being hooked), but here is what I found.
Tweak basically hooks just one function - AudioConverterConvertComplexBuffer from AudioToolbox.framework. Tweak is loaded in mediaserverd daemon at startup.
First, we need to find out when we should start recording because AudioConverterConvertComplexBuffer is called even when you just playing regular audio files. To achieve that tweak is listening to kCTCallStatusChangeNotification notification from CTTelephonyCenter.
Second, AudioConverterConvertComplexBuffer implementation. I didn't finished it yet so I will post what I have so far. Here is somewhat working example that will get you started.
Helper class to keep track of AudioConverterRef - ExtAudioFileRef pairs
@interface ConverterFile : NSObject
@property (nonatomic, assign) AudioConverterRef converter;
@property (nonatomic, assign) ExtAudioFileRef file;
@property (nonatomic, assign) BOOL failedToOpenFile;
@end
@implementation ConverterFile
@end
ConverterFile objects container
NSMutableArray* callConvertersFiles = [[NSMutableArray alloc] init];
AudioConverterConvertComplexBuffer original implementation
OSStatus(*AudioConverterConvertComplexBuffer_orig)(AudioConverterRef, UInt32, const AudioBufferList*, AudioBufferList*);
AudioConverterConvertComplexBuffer hook declaration
OSStatus AudioConverterConvertComplexBuffer_hook(AudioConverterRef inAudioConverter, UInt32 inNumberPCMFrames, const AudioBufferList *inInputData, AudioBufferList *outOutputData);
Hooking
MSHookFunction(AudioConverterConvertComplexBuffer, AudioConverterConvertComplexBuffer_hook, &AudioConverterConvertComplexBuffer_orig);
AudioConverterConvertComplexBuffer hook definition
OSStatus AudioConverterConvertComplexBuffer_hook(AudioConverterRef inAudioConverter, UInt32 inNumberPCMFrames, const AudioBufferList *inInputData, AudioBufferList *outOutputData)
{
//Searching for existing AudioConverterRef-ExtAudioFileRef pair
__block ConverterFile* cf = nil;
[callConvertersFiles enumerateObjectsUsingBlock:^(ConverterFile* obj, NSUInteger idx, BOOL *stop){
if (obj.converter == inAudioConverter)
{
cf = obj;
*stop = YES;
}
}];
//Inserting new AudioConverterRef
if (!cf)
{
cf = [[[ConverterFile alloc] init] autorelease];
cf.converter = inAudioConverter;
[callConvertersFiles addObject:cf];
}
//Opening new audio file
if (!cf.file && !cf.failedToOpenFile)
{
//Obtaining input audio format
AudioStreamBasicDescription desc;
UInt32 descSize = sizeof(desc);
AudioConverterGetProperty(cf.converter, kAudioConverterCurrentInputStreamDescription, &descSize, &desc);
//Opening audio file
CFURLRef url = CFURLCreateWithFileSystemPath(NULL, (CFStringRef)[NSString stringWithFormat:@"/var/mobile/Media/DCIM/Call%u.caf", [callConvertersFiles indexOfObject:cf]], kCFURLPOSIXPathStyle, false);
ExtAudioFileRef audioFile = NULL;
OSStatus result = ExtAudioFileCreateWithURL(url, kAudioFileCAFType, &desc, NULL, kAudioFileFlags_EraseFile, &audioFile);
if (result != 0)
{
cf.failedToOpenFile = YES;
cf.file = NULL;
}
else
{
cf.failedToOpenFile = NO;
cf.file = audioFile;
//Writing audio format
ExtAudioFileSetProperty(cf.file, kExtAudioFileProperty_ClientDataFormat, sizeof(desc), &desc);
}
CFRelease(url);
}
//Writing audio buffer
if (cf.file)
{
ExtAudioFileWrite(cf.file, inNumberPCMFrames, inInputData);
}
return AudioConverterConvertComplexBuffer_orig(inAudioConverter, inNumberPCMFrames, inInputData, outOutputData);
}
This is roughly how it's done in the tweak. But why it's done like that? When phone call is in progress AudioConverterConvertComplexBuffer_hook will be called continuously. But inAudioConverter argument will be different. I've found that there can be more than nine different inAudioConverter objects passed to our hook during one phone call. They will have different audio formats so we can't write everything in one file. This is why we building array of AudioConverterRef-ExtAudioFileRef pairs - to keep track of what is being saved to where. This code will create as many file as there is AudioConverterRef objects. All files will containt different audio - one or two will be the speaker sound. Others - microphone. I've tested this code on iPhone 4S with iOS 6.1 and it works. Unfortunately, call recording on 4S can be done only when speaker is turned on. There is no such limitation on iPhone 5. This is mentioned in tweak's description.
Only thing left is to find out how we can find just two specific inAudioConverter objects - one for speaker audio and one for microphone. Everything else is not a problem.
And one last thing - mediaserverd process is sandboxed so as our tweak. We can't save files anywhere we want. This is why I chose that file path - it can be written even from the inside of the sandbox.
PS Even though I've posted this code credit has to go to Elias Limneos. He's done it.
回答2:
You want to count calls or you want to record audio from these calls? Former is very simple and requires just one notification. For the latter I didn't find anything. I did research and didn't found any API that could help me record audio while phone call is in progress. I don't know anyone who's done it.
Only thing I can think of is CommCenter. This daemon communicates with baseband and probably sends him audio stream from the microphone. This is just a guess but looking at the CommCenter disassembly I have found clues that it's responsible for redirecting audio streams. Newer Qualcomm basebands and iOS talk to each other only through USB pipes using proprietary QMI protocol. One of the things that this protocol does is handling audio streams during phone calls - it's called Core sound driver service. So only thing I can think of is disassembling CommCenter and finding a way to redirect audio streams through your handler where you will be recording them. This is obviously requires extensive knowledge of reverse engineering, QMI protocol, IOKit for talking to USB devices etc etc etc. I don't think there is an API that will do this for you or that you can do this with a simple hooking techniques. We are talking about C++ code which is much more difficult to reverse engineer than obj-c and much more difficult to hook into.
来源:https://stackoverflow.com/questions/19356453/rec-ios-conversations-where-to-start