In a rare bit of reassurance for Pixel owners who want to use unofficial means to activate Voice over LTE and Wi-Fi calling on Verizon, you now have permission. When Google silently patched the exploit that apps from r/Android tried to attack in order to force-enable VoLTE and VoWiFi on carriers (even those who don’t support it), one developer responsible for the well-known “Pixel 1 IMS” utility launched a fresh fix ensuring affected users can once again benefit from said toggles.
What Google Shuttered Behind the Scenes in Android
The change is due to Android’s carrier configuration system. The platform checks a set of carrier-provided keys to determine if features such as VoLTE and Wi-Fi calling ought to be enabled. The stock internal telephony API can override those keys for testing, but this one requires the very powerful MODIFY_PHONE_STATE permission which is only available to system apps.
Pixel IMS used to get to that non-public API by using the “shell” user (through Shizuku, an open-source app which gives apps ADB-like access). Since the shell profile is utilized by platform engineers for debugging, it comes with MODIFY_PHONE_STATE — which until recently meant a very convenient back door.
Google’s patch did not kill the permission completely, but added a caller check inside the internal override path and rejected if these requests were coming from shell context.
The pragmatic effect for users was straightforward: trying to send a command that toggled VoLTE or VoWiFi in Pixel IMS suddenly started failing, with logs indicating a “Permission denied” error on a call from the shell user.
How the New Workaround Revives VoLTE and VoWiFi
The new version of the app avoids triggering the guardrail, because it proxies the “dangerous” call through an Instrumentation component. Instead of calling the cutoff API directly as the shell, the app runs an instrumentation that makes the call for it. Since the system doesn’t consider the shell as the actual caller anymore, the previous block is never executed.
It’s the same in practice for users: devices that lost their VoLTE and VoWiFi toggles regain them, even on carriers that do not officially certify Pixel models. But it’s hardly a bulletproof solution. The approach is still relying on the shell profile having something about MODIFY_PHONE_STATE in the call chain. Should Google remove that permission from the shell, add signature checks to the particular override API, or further restrict how instrumentation inherits permissions, that door could suddenly slam shut.
On the security side, Google has labeled this route a privilege escalation danger. Through its Risk-Based Update System, mitigations can land without notice outside of a public bulletin if they don’t reach some threshold of broad exposure. For developers, that means anything relying on shell-level entitlements might not stick around for long.
Why This Matters If You’re a Pixel Owner
In many cases around the world, VoLTE isn’t a nice-to-have — it’s an absolute necessity to make consistent voice calls in places where 3G is no more and 2G is patchy. According to GSMA Intelligence, over 100 operators are now actively investing in VoLTE upgrades with the recent wave of network decommissioning and sunsetting also underway across North America, Europe, and some parts of Asia. When a carrier hasn’t certified a specific Pixel SKU, the phone could drop back to network bands that don’t exist in certain regions or voice might not work until the user takes manual action.
Even those who bring Pixels in from overseas as gray-market units — as well as tourists using local eSIMs to avoid roaming fees — frequently encounter this issue. Carrier whitelists and OEM certification pipelines can fall behind device launches, and regional SKUs do not always correspond to radio profiles or policy databases. Tools like Pixel IMS fill that gap, making HD voice and Wi-Fi calling available when carrier configs say it should be disabled — a kind of saving grace for expats, world travelers, and the conversationally misconnected.
There are trade-offs. Changing carrier settings without the official process may be a breach of terms of service, and incorrect setup could result in emergency services or roaming not working as expected. The Android Open Source Project documentation even warns us that “carrier settings touch core network attach and calling logic,” so be careful when modifying these settings, and return them to a stable state if they ever get unwieldy.
What Could Happen Next for Pixel VoLTE Workarounds
Google has a number of easy options to stop this cat-and-mouse game: remove MODIFY_PHONE_STATE from the shell profile, bake signature-level checking into those overridden APIs, restrict instrumentation access so it cannot pick up telephony calls. Any of those would blow up the current approach.
On the user side, the long-term solution is official support. The more they certify Pixel models for carriers, the faster they can push carrier-config updates through Carrier Services and fix up roaming profiles, which would mean fewer people need workarounds. Until that happens, as an industry we can bet the more savvy users out there will keep coming up with new ingenious ways to run around flipping their regular old phone and carrier’s VoLTE or VoWiFi switches.
