If you take a look at the code generated by the AIDL compiler, you will see that RPC via Binder calls methods by sequential number. Every method in the interface gets number assigned, like:
SIZE = ::android::IBinder::FIRST_CALL_TRANSACTION + 0,
SETSIZE = ::android::IBinder::FIRST_CALL_TRANSACTION + 1,
READ = ::android::IBinder::FIRST_CALL_TRANSACTION + 2,
WRITE = ::android::IBinder::FIRST_CALL_TRANSACTION + 3,
SYNC = ::android::IBinder::FIRST_CALL_TRANSACTION + 4,
This number is then used by the calling side to map called method to flat Parcel buffer and by receiving side of IPC to select the generated method to unmarshall the serialized parameters data and finally call the real implementation.
Thus if you replace the method number 1
definition on the calling side, but still have old implementation on the receiving side, you will call the old implementation with completely bogus data. There is no type information in the serialized Parcel data of method arguments (besides the method number itself), so it will happily deserialize new method call parameters buffer as old ones and try to call implementation.