Android Spawn() Causes Device to Reboot

[su-vikas]

Frida Version: 9.0.5 Android: 5.1.1 (32 bit) and 6.0.1 (64 bit)

I am trying to perform early hooking for an Android application using spawn() method of Frida. But this crashes and eventually leads to device being rebooted. The details are below.

Frida python script I am using is:

device = frida.get_device_manager().enumerate_devices()[-1]
pid = device.spawn[("com.sample.app")]
session = device.attach(pid)
.....
device.resume(pid)

Following error message is given on executing script:

Traceback (most recent call last):
  File "frida_setup.py", line 23, in <module>
    pid = device.spawn(["com.sample.app"])
  File "/usr/lib64/python3.5/site-packages/frida/core.py", line 85, in spawn
    return self._impl.spawn(argv)
frida.ProcessNotFoundError: unable to find process with name 'com.android.systemui'

Following is the crash log on the device:

ABI: 'arm'
pid: 3822, tid: 10352, name: main  >>> zygote <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'frida-gum/gum/arch-arm/gumthumbwriter.c:370:gum_thumb_writer_put_argument_list_setup: code should not be reached'
    r0 00000000  r1 00002870  r2 00000006  r3 f4180978
    r4 f4180980  r5 f4180930  r6 00000000  r7 0000010c
    r8 f4012161  r9 00000172  sl f3faeb98  fp 00000000
    ip 00000006  sp f41805ec  lr f6db8f85  pc f6dbb374  cpsr 400b0010
    d0  ffffffffffffffff  d1  656220746f6e2064
    d2  2020202020202063  d3  2020202020202068
    d4  2020202020202020  d5  6d65747379732f20
    d6  62696c2f62696c2f  d7  0a6f732e69757768
    d8  0000000000000000  d9  0000000000000000
    d10 0000000000000000  d11 0000000000000000
    d12 0000000000000000  d13 0000000000000000
    d14 0000000000000000  d15 0000000000000000
    d16 0000000000000000  d17 0000000000000000
    d18 0000000000000000  d19 408f400000000000
    d20 402a000000000000  d21 3f8a9fbe76c8b439
    d22 3f6293aba995d593  d23 bf66c11c34a12eec
    d24 3f11562ac78a4541  d25 3ebbbd41c5d26bf1
    d26 400a934f00000000  d27 bf5224a5191957e0
    d28 bf5224a5191957d2  d29 c00061e92c09fa6e
    d30 3c4baf4e740749c8  d31 3f626e5eeee26ac0
    scr 80000010

Not pasted full tombstone dump for brevity.

As per my understanding, Frida 9.x support spawn() on ART.

If the fix does not involve detailed understanding of Frida, I would be more than happy to do so.

[max01203]

Hi, In my opinion the problem is that the process that you want to find is not find. I think that spawn a system process makes it crash. But it is just my opinion.

Thanks,

[max01203]

Can you check if the issue is still here with the latest version ?

[max01203]

And ensure that the process name 'com.android.systemui' is correct

Thanks

[bengardiner-at-irdeto]

I'm trying spawn() and I think I'm hitting this issue.

Here I have Android 4.4.4 (CM), frida-server-9.1.22-android-arm and frida.version == '9.1.11' on the host.

using this script:

#!/usr/bin/env python

import sys
import frida

if __name__ == '__main__':
    device = frida.get_usb_device()
    pid = device.spawn(["the.unamed.app"])
    session = device.attach(pid)
    ss = '''
           console.log("hello")
    '''    
    script = session.create_script(ss)
    script.load()
    device.resume(pid)
    session.detach()

[bengardiner-at-irdeto]

Same with Android 6.0 (nexus 5X, arm64).

[bkerler]

I can confirm the same behaviour with Android 5.1 and 6.0 with Nexus 5, arm32, frida-server-9.1.22-android-arm. On spawn, it crashes.

[nioncode]

For me (Galaxy Nexus, LineageOS 13, Android 6.0.1, frida-server 9.1.28) it works most of the time. Sometimes, I have the same behavior though and my device reboots.

[poxyran]

Same with Android 6.0.0 (Galaxy J5 2016), Frida 11.0.0, frida-server 11.0.0.

[Hurshid88]

Same issue with Samsung Galaxy-J2 Android version 5.1.1. Frida version 15.2.2 Any solutions in 2022?