hkcode


How to request a ref from context manager in Android Binder using ioctl?

Referring to this link:

https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/#binder-context-manager

There is a paragraph that says:

"For instance, a process Client 1 sends a Node (e.g. 0xbeef) to the Context Manager, which in turn receives a Ref (0xbeef). Then, another third process Client 2 initiates a transaction to the Context Manager asking for that Ref (0xbeef). Context Manager responds to the request by returning the Ref (0xbeef). Consequently, this establishes a connection between two processes as Client 2 can now send transactions to Client 1 using the Ref (0xbeef)."

Question:

I understand that Client 1 is able to send a node to the Context Manager by using the BINDER_WRITE_READ ioctl. From my understanding, this is probably done by sending a flat_binder_object with header type BINDER_TYPE_BINDER.

From the paragraph, there are two things that happen after sending a Node:

  1. Client 1 in turn receives a Ref (0xbeef) from Context Manager after sending a Node.
  2. Client 2 initiates a transaction to the Context Manager asking for that Ref (0xbeef).

What I hope to understand is how both of the above are carried out in code?

For (1), I think that the Ref is in the flat_binder_object that is included in the BR_REPLY after executing the BINDER_WRITE_READ ioctl call. However, I did not receive any non-zero values in the flat_binder_object I received.

For (2), I am just not sure how the client can "ask" for that Ref. Do we simply specify 0xbeef somewhere, or do we need the name of Client 1 or something?

Any help is appreciated.

Upvotes: 2

Views: 45
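Added example, written for this page and not taken from the question or from the linked Android Offensive Security post: the three steps in the quoted paragraph expressed as BINDER_WRITE_READ traffic in C. It rests on two pieces of driver behaviour: handle 0 in a transaction always names the context manager, and when a BINDER_TYPE_BINDER object crosses the driver it is rewritten into a BINDER_TYPE_HANDLE object in the receiver's copy of the payload, so the Ref is read out of the receiver's BR_TRANSACTION (context manager, after step 1) or BR_REPLY (Client 2, after step 2) at the positions listed in the offsets array, never out of the sender's own flat_binder_object. The transaction `code` values and the idea of naming a service with a plain string are constructed stand-ins; the real request codes and Parcel layout for "asking for a Ref" are defined by the servicemanager process, not by the kernel, and are outside this example. The struct and constant definitions mirror the 64-bit Linux UAPI header and are repeated locally (the object union is named `u` here, it is anonymous in the header) so the file builds without it; `demo_client2_reply` hand-builds the read buffer the driver would fill, so the parsing side runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/ioctl.h>

/* Layouts and command numbers mirror the 64-bit Linux UAPI <linux/android/binder.h>;
 * repeated here so the file also builds on a machine without that header. */
typedef uint64_t binder_size_t;
typedef uint64_t binder_uintptr_t;
struct binder_write_read {
    binder_size_t write_size, write_consumed; binder_uintptr_t write_buffer;
    binder_size_t read_size, read_consumed;   binder_uintptr_t read_buffer;
};
struct binder_transaction_data {
    union { uint32_t handle; binder_uintptr_t ptr; } target;   /* handle 0 == context manager */
    binder_uintptr_t cookie;
    uint32_t code, flags; int32_t sender_pid; uint32_t sender_euid;
    binder_size_t data_size, offsets_size;
    union { struct { binder_uintptr_t buffer, offsets; } ptr; uint8_t buf[8]; } data;
};
struct flat_binder_object {   /* union is anonymous in the UAPI header, named u here */
    uint32_t type, flags; union { binder_uintptr_t binder; uint32_t handle; } u; binder_uintptr_t cookie;
};
#define B_PACK_CHARS(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define BINDER_TYPE_BINDER      B_PACK_CHARS('s', 'b', '*', 0x85)  /* a Node: the sender's own object */
#define BINDER_TYPE_HANDLE      B_PACK_CHARS('s', 'h', '*', 0x85)  /* a Ref: handle to another process's node */
#define BINDER_WRITE_READ       _IOWR('b', 1, struct binder_write_read)
#define BC_TRANSACTION          _IOW('c', 0, struct binder_transaction_data)
#define BR_TRANSACTION          _IOR('r', 2, struct binder_transaction_data)
#define BR_REPLY                _IOR('r', 3, struct binder_transaction_data)
#define BR_TRANSACTION_COMPLETE _IO('r', 6)
#define BR_NOOP                 _IO('r', 12)

/* Write "BC_TRANSACTION to handle 0" into wbuf and return its length. payload and offsets must
 * stay valid until the ioctl returns: the driver copies them out through data.ptr.*. Step 1 passes
 * a flat_binder_object with one offset; step 2 passes whatever the context manager's protocol wants
 * (here a plain name, a constructed stand-in) with no offsets. */
size_t build_txn_to_ctxmgr(uint8_t *wbuf, uint32_t code, const void *payload,
                           size_t payload_len, const binder_size_t *offsets, size_t n_offsets) {
    struct binder_transaction_data tr;
    memset(&tr, 0, sizeof tr);
    tr.target.handle = 0;
    tr.code = code;                                   /* placeholder: real codes come from servicemanager */
    tr.data_size = payload_len;
    tr.offsets_size = n_offsets * sizeof(binder_size_t);
    tr.data.ptr.buffer = (binder_uintptr_t)(uintptr_t)payload;
    tr.data.ptr.offsets = (binder_uintptr_t)(uintptr_t)offsets;
    uint32_t cmd = BC_TRANSACTION;
    memcpy(wbuf, &cmd, sizeof cmd);
    memcpy(wbuf + sizeof cmd, &tr, sizeof tr);
    return sizeof cmd + sizeof tr;
}

/* Step 1, Client 1: a Node is a BINDER_TYPE_BINDER object whose .u.binder is a pointer that only
 * means something inside Client 1 (the post's 0xbeef). The receiver never sees this value as-is. */
void make_node(struct flat_binder_object *fbo, uintptr_t ptr, uintptr_t cookie) {
    memset(fbo, 0, sizeof *fbo);
    fbo->type = BINDER_TYPE_BINDER;
    fbo->u.binder = ptr;
    fbo->cookie = cookie;
}

/* One ioctl round trip: the driver consumes the BC_* commands in wbuf and fills rbuf with BR_*
 * commands. Returns the number of bytes placed in rbuf, or -1 with errno set by ioctl. */
long binder_write_read_once(int fd, void *wbuf, size_t wlen, void *rbuf, size_t rcap) {
    struct binder_write_read bwr = {0};
    bwr.write_size = wlen; bwr.write_buffer = (binder_uintptr_t)(uintptr_t)wbuf;
    bwr.read_size = rcap;  bwr.read_buffer = (binder_uintptr_t)(uintptr_t)rbuf;
    return ioctl(fd, BINDER_WRITE_READ, &bwr) < 0 ? -1 : (long)bwr.read_consumed;
}

/* Find the Ref in a BR_* stream: the first BINDER_TYPE_HANDLE object reachable through the offsets
 * array of a BR_TRANSACTION or BR_REPLY. Objects are located via offsets, never by scanning bytes.
 * Returns 1 and sets *handle_out, or 0 if nothing was found or an unhandled command appears. */
int find_ref(const uint8_t *rbuf, size_t rlen, uint32_t *handle_out) {
    size_t pos = 0;
    while (pos + sizeof(uint32_t) <= rlen) {
        uint32_t cmd;
        memcpy(&cmd, rbuf + pos, sizeof cmd);
        pos += sizeof cmd;
        if (cmd == BR_NOOP || cmd == BR_TRANSACTION_COMPLETE) continue;   /* no payload */
        if (cmd != BR_TRANSACTION && cmd != BR_REPLY) return 0;           /* other BR_*: not handled here */
        if (pos + sizeof(struct binder_transaction_data) > rlen) return 0;
        struct binder_transaction_data tr;
        memcpy(&tr, rbuf + pos, sizeof tr);
        pos += sizeof tr;
        const uint8_t *payload = (const uint8_t *)(uintptr_t)tr.data.ptr.buffer;      /* in the mmap'd region */
        const binder_size_t *offs = (const binder_size_t *)(uintptr_t)tr.data.ptr.offsets;
        for (size_t i = 0; i < tr.offsets_size / sizeof(binder_size_t); i++) {
            if (offs[i] + sizeof(struct flat_binder_object) > tr.data_size) return 0;
            struct flat_binder_object fbo;
            memcpy(&fbo, payload + offs[i], sizeof fbo);
            if (fbo.type == BINDER_TYPE_HANDLE) { *handle_out = fbo.u.handle; return 1; }
        }
        /* a real receiver now hands the payload back with BC_FREE_BUFFER */
    }
    return 0;
}

/* Constructed stand-in for Client 2's read buffer after step 2: BR_NOOP, BR_TRANSACTION_COMPLETE,
 * then BR_REPLY whose payload (obj/off play the mmap'd region) holds one Ref. Returns the handle
 * find_ref extracts, i.e. the Ref Client 2 will address Client 1 with; 0 if none was found. */
uint32_t demo_client2_reply(uint32_t handle) {
    static struct flat_binder_object obj; static binder_size_t off = 0; static uint8_t rbuf[128];
    memset(&obj, 0, sizeof obj); obj.type = BINDER_TYPE_HANDLE; obj.u.handle = handle;
    struct binder_transaction_data tr; memset(&tr, 0, sizeof tr);
    tr.data_size = sizeof obj; tr.offsets_size = sizeof off;
    tr.data.ptr.buffer = (binder_uintptr_t)(uintptr_t)&obj; tr.data.ptr.offsets = (binder_uintptr_t)(uintptr_t)&off;
    uint32_t cmds[3] = { BR_NOOP, BR_TRANSACTION_COMPLETE, BR_REPLY };
    memcpy(rbuf, cmds, sizeof cmds); memcpy(rbuf + sizeof cmds, &tr, sizeof tr);
    uint32_t found = 0;
    return find_ref(rbuf, sizeof cmds + sizeof tr, &found) ? found : 0;
}
```

On a device the flow is: open /dev/binder with O_RDWR | O_CLOEXEC, mmap a receive region on that fd, build the transaction with `build_txn_to_ctxmgr` (for step 1, `make_node` the object first and pass one offset of 0), call `binder_write_read_once`, then run `find_ref` over the bytes it returns. The context manager is whichever process issued BINDER_SET_CONTEXT_MGR (or the _EXT variant) on the device, and it is that process's user-space code, not the kernel, that decides what a request for a Ref looks like and answers it with a BC_REPLY carrying its own handle, which the driver turns into a fresh handle in Client 2.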

Answers (0)
