Closed enovella closed 2 years ago
Good point, but I believe that this build property belongs to the AOSP codebase, especially the core part (https://source.android.com/devices/tech/perf/boot-times & https://android.googlesource.com/platform/system/core/+/master/rootdir/init.rc).
@ViRb3 This ticket was related to the same bug https://github.com/frida/frida/issues/1225. Not sure if you included this fix after this or not.
Running into this issue as well.
Sorry guys, this PR slipped through me somehow. What is the situation now? Any fixes from Frida itself? Is this still happening on Android 12? I'm still worried about devices which don't have this build prop, because then Frida will never be loaded. @enovella could you please check if the build prop is set to 0 before it's set to 1? If that's the case, we can only activate the waiting logic if the property exists, not impacting any devices without it.
Hi guys,
Tested on Samsung, OnePlus, Xiaomi and Google Pixel devices and having this flag on all the ROMs.
@Manouchehri Which devices were you working on? Did my MR work out on your end? Regards mate.
@ViRb3 This is the order. You can play with Frida as well to see we're right
$ adb reboot && while true; do adb shell getprop sys.boot_completed; sleep 0.5;done
...
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
adb: no devices/emulators found
1
1
1
1
1
1
1
1
@ViRb3 Check this out https://github.com/frida/frida/issues/1225
@Manouchehri Which devices were you working on? Did my MR work out on your end? Regards mate.
@enovella Sorry, I don't think I've tried your patch yet. 😅 I just remember running into the issue, and my "workaround" was to launch Frida manually myself after boot with adb.
okay, no rush. Let us know when you've tested it.
Any changes here? At this point, I am willing to risk and merge this and see if people complain of broken Frida or not. Hopefully not :)
ETA?
Done. Please let me know if everything still works.
@ViRb3 Something went wrong with the double loop. On the other hand, I am developing another Magisk module and have no issues with Frida and Android 9/10/11/12.
[16:30 edu@xps ~] > frida-ps -aUi
Failed to enumerate applications: unable to find process with name 'system_server'
[16:34 edu@xps ~] > frida-ps -aUi
Failed to enumerate applications: unable to find process with name 'system_server'
[16:34 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[17:54 edu@xps ~] > adb shell getprop ro.build.version.release
12
[17:54 edu@xps ~] > adb shell su -c which frida-server
/system/bin/frida-server
[17:54 edu@xps ~] > adb shell su -c ps -A | grep frida
root 3273 1 10918340 50340 do_sys_poll 0 S frida-server
root 3839 1723 10916976 3868 do_sys_poll 0 S frida-server
root 3844 3839 0 0 0 0 Z [frida-server]
[17:54 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: timeout was reached
[18:27 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:27 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:27 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:27 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:27 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:28 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:28 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[18:28 edu@xps ~] > adb shell su -c which frida-server
/system/bin/frida-server
[18:28 edu@xps ~] > adb shell su -c ps -A | grep frida
root 3569 1 10900908 51204 do_sys_poll 0 S frida-server
root 4681 1814 10873968 4340 do_sys_poll 0 S frida-server
root 4682 4681 0 0 0 0 Z [frida-server]
root 4761 1 23408 3568 do_sys_poll 0 S frida-helper-32
[18:28 edu@xps ~] > frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
Removing the infinite loop and with a delay of 2 (to be sure)
[18:28 edu@xps ~] > adb shell
sunfish:/data/adb/modules/magisk-frida # /data/adb/magisk/busybox vi service.sh
sunfish:/data/adb/modules/magisk-frida # reboot
[18:30 edu@xps ~] > adb shell su -c ps -A | grep frida
root 3309 1 10940776 10396 0 0 R frida-server
root 4455 1 23408 2040 do_sys_poll 0 S frida-helper-32
[18:32 edu@xps ~] > frida-ps -Uai
PID Name Identifier
----- ---------------------------- ---------------------------------------
10234 Any.do com.anydo
11346 Calendar com.google.android.calendar
8400 Contacts com.google.android.contacts
11427 Gmail com.google.android.gm
3788 Google com.google.android.googlequicksearchbox
4896 Google Play Store com.android.vending
10391 Guidelines com.esccardio.escpocketguidelines
10649 Magisk com.topjohnwu.magisk
10561 Maps com.google.android.apps.maps
3434 Messages com.google.android.apps.messaging
10467 NowSecure Workstation Agent com.viaforensics.androidagent
11167 Phone com.google.android.dialer
10829 Photos com.google.android.apps.photos
11572 Settings com.android.settings
10506 WireGuard com.wireguard.android
9701 YouTube com.google.android.youtube
10928 YouTube Music com.google.android.apps.youtube.music
- 1Password com.agilebits.onepassword
- Amazon Shopping com.amazon.mShop.android.shopping
@ViRb3 Conclusion: the 2nd loop is breaking the launching
```shell
sunfish:/data/adb/modules/magisk-frida # cat service.sh
#!/system/bin/sh
# Do NOT assume where your module will be located.
# ALWAYS use $MODDIR if you need to know where this script
# and module is placed.
# This will make sure your module will still work
# if Magisk change its mount point in the future
MODDIR=${0%/*}
# This script will be executed in late_start service mode
while [ "$(getprop sys.boot_completed)" != 1 ]; do
    sleep 1
done
sleep 5 && frida-server -D
```
If you don't delay Frida for some time, there are some crashes on the Google camera app. Took me some time to find out.
@enovella Hmm, I find it impossible to believe that it's the loop at fault. I am pretty sure it's the extra delay that fixed it. I added `sleep 5` in this commit and made a release, please test it.
It doesn't work. As you can see, it works for 1-2 secs and later reboots the graphical UI after crashing system_server
[11:37 edu@xps ] (master)> frida-ps -Uai
PID Name Identifier
---- ---------------------------- ---------------------------------------
3959 Android Auto com.google.android.projection.gearhead
4572 Chrome com.android.chrome
4672 Clock com.google.android.deskclock
3720 Google com.google.android.googlequicksearchbox
3410 Messages com.google.android.apps.messaging
2728 Settings com.android.settings
3829 YouTube com.google.android.youtube
3823 YouTube Music com.google.android.apps.youtube.music
...
[11:37 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:37 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:37 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:37 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:37 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
[11:38 edu@xps ] (master)> frida-ps -Uai
Failed to enumerate applications: unable to find process with name 'system_server'
This is what your fix does:
[11:43 edu@xps] (master)> adb shell su -c ps -A | grep frida
root 4178 1 10919340 50432 do_sys_poll 0 S frida-server
root 4541 1828 10863728 4060 do_sys_poll 0 S frida-server
root 4543 4541 0 0 0 0 Z [frida-server]
root 4718 1 23408 3068 do_sys_poll 0 S frida-helper-32
Yikes.... I just spotted a very significant issue:
frida-server -D
From docs:
-D, --daemonize Detach and become a daemon
We are basically restarting the daemon over and over, since it never blocks. Could you please test if the same Magisk module without the `-D` flag works? That was the intended way anyway. I would rather keep the loop to provide that crash restart feature.
EDIT: You beat me to it with 30 seconds :P
@ViRb3 Choose one. Both work well. I'd prefer the daemon, but as you wish. The delay of 5 secs is unclear if required. A bug with Magisk/Frida is that in Google devices the camera crashes with Magisk-Frida. I've seen that on Android 11/12 so far.
```shell
# restart on crash
while true; do
    frida-server
    sleep 1
done
```

```shell
# daemonize once; no restart on crash
frida-server -D
```
I pulled out my old Android phone and ran a thorough test as well. Removing the `-D` flag and keeping the second loop works well. Killing the server (simulating a crash) then properly restarts it:
dumpling:/ # pidof frida-server
7544
dumpling:/ # pkill frida-server
dumpling:/ # pidof frida-server
1|dumpling:/ # pidof frida-server
7594
dumpling:/ #
If I remove the loop and keep the `-D` flag, then killing the server does not restart it:
dumpling:/ # pidof frida-server
3699
dumpling:/ # pkill frida-server
dumpling:/ # pidof frida-server
1|dumpling:/ # pidof frida-server
1|dumpling:/ # pidof frida-server
1|dumpling:/ # pidof frida-server
I think I definitely prefer the auto-restart approach, since otherwise you have to reboot your phone if something happens to Frida.
I will leave the 5 seconds delay just in case, it doesn't hurt since it only happens once during early boot. Does Camera crash even with the 5 second delay? I thought that fixed it.
Thanks a lot for the help with tracking this down, I do not currently use Android and this was a nasty bug that sneaked in.
@enovella I just released 15.1.14-4, but in Magisk Manager the latest one is 15.1.14-1 (December 2021). Seems like none of the patch releases are being shown. This is weird, because I definitely updated both the `version` and `versionCode`: https://github.com/Magisk-Modules-Repo/magisk-frida/commit/2c338de7dbef9503c33b2729e638ba3b4c2c244d. I remember some changes coming to Magisk repo, has it been deprecated?
EDIT: Yup... https://github.com/topjohnwu/Magisk/releases/tag/v24.0, big changes to this project will be required. I will try to rework everything soon.
EDIT2: Tracked in #20.
Are you certain that this build prop exists on all ROMs? I totally get the idea, but if some manufacturer or custom ROM doesn't set this build prop, then frida will never run at all.
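
One way to combine the two points debated in this thread, the wait on `sys.boot_completed` and the foreground restart loop without `-D`, written as an added example that is not the module's own `service.sh`. The timeout fallback for ROMs that never set the property goes beyond what the thread settled on, and `GETPROP`, `SERVER`, `BOOT_TIMEOUT`, `POLL` and `RUN_MAIN` are hypothetical names introduced here so the logic can be run off-device.

```shell
#!/system/bin/sh
# Added example, not the module's shipped service.sh.
# GETPROP, SERVER, BOOT_TIMEOUT, POLL and RUN_MAIN are hypothetical knobs.
GETPROP=${GETPROP:-getprop}
SERVER=${SERVER:-frida-server}
BOOT_TIMEOUT=${BOOT_TIMEOUT:-120}  # max seconds to wait for the property
POLL=${POLL:-1}                    # seconds between polls and restarts

# Succeeds once sys.boot_completed reads 1. Returns 1 when the timeout
# expires, so a ROM that never sets the property cannot block startup forever.
wait_for_boot() {
    waited=0
    while [ "$($GETPROP sys.boot_completed)" != "1" ]; do
        [ "$waited" -ge "$BOOT_TIMEOUT" ] && return 1
        sleep "$POLL"
        waited=$((waited + POLL))
    done
    return 0
}

# Keep one foreground server alive. -D must not be used here: a daemonizing
# server returns at once, so the loop would start a new instance every pass.
# $1 bounds the number of starts (0 = unlimited); the bound exists for testing.
supervise() {
    max=${1:-0}
    starts=0
    while :; do
        $SERVER || echo "server exited with status $?" >&2
        starts=$((starts + 1))
        [ "$max" -gt 0 ] && [ "$starts" -ge "$max" ] && break
        sleep "$POLL"
    done
}

main() {
    wait_for_boot || echo "sys.boot_completed not seen, starting anyway" >&2
    sleep 5   # extra settle delay, as kept in the thread
    supervise
}

# Guarded so the functions can be exercised off-device; a real service.sh
# would call main unconditionally.
if [ "${RUN_MAIN:-0}" = "1" ]; then
    main
fi
```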