frida / frida-java-bridge

Java runtime interop from Frida

Frida server throwing error in Pixel 5 device #200

Closed shruti-94 closed 3 years ago

shruti-94 commented 3 years ago

I am getting an error while running the frida server on my Pixel 5 device. As soon as I run it, it throws a "Runtime.jni_ids_indirection" error and does not work. I am not sure what this error is about. I tested the same on a Pixel 4 XL device and it works properly without any issues.

Device Info: Pixel 5, Android 10

ebaygan commented 3 years ago

I am also getting the same error on my pixel 5. I have not found a solution yet, but will let you know if I do.

nscottsol commented 3 years ago

I'm getting the same error "Error: Unable to determine Runtime.jni_ids_indirection offset" on Pixel 5, Android 11. Anyone know of any solutions yet?

ArsenyLL commented 3 years ago

Same error for me on Pixel 5, Android 11. Tried frida-server 12.11.18 and 14.2.6 (both arm64), build redfin-rd1a.201105.003.c1.

oleavr commented 3 years ago

/cc @muhzii

oleavr commented 3 years ago

This fails here. Assuming Process.arch === 'arm64', it's this logic that's failing to find the ldr instruction that reveals the offset we're after. Could one of you please provide a disassembly of your libart.so's _ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE function?

ArsenyLL commented 3 years ago

I hope I got it right (used objdump):

000000000055d8e4 _ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE:
  55d8e4: ff 03 01 d1                   sub sp, sp, #64
  55d8e8: fd 7b 01 a9                   stp x29, x30, [sp, #16]
  55d8ec: f5 13 00 f9                   str x21, [sp, #32]
  55d8f0: f4 4f 03 a9                   stp x20, x19, [sp, #48]
  55d8f4: fd 43 00 91                   add x29, sp, #16
  55d8f8: 55 d0 3b d5                   mrs x21, TPIDR_EL0
  55d8fc: a8 16 40 f9                   ldr x8, [x21, #40]
  55d900: f3 03 00 aa                   mov x19, x0
  55d904: e8 07 00 f9                   str x8, [sp, #8]
  55d908: 08 44 45 b9                   ldr w8, [x0, #1348]
  55d90c: f4 03 01 2a                   mov w20, w1
  55d910: 1f 09 00 71                   cmp w8, #2
  55d914: 41 02 00 54                   b.ne    #72 <_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE+0x78>
  55d918: 1f 01 14 6b                   cmp w8, w20
  55d91c: e0 00 00 54                   b.eq    #28 <_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE+0x54>
  55d920: 74 46 05 b9                   str w20, [x19, #1348]
  55d924: fb b4 f8 97                   bl  #-1911828 <_ZN3art9JNIEnvExt18ResetFunctionTableEv>
  55d928: 48 d0 3b d5                   mrs x8, TPIDR_EL0
  55d92c: 08 1d 40 f9                   ldr x8, [x8, #56]
  55d930: 00 6d 40 f9                   ldr x0, [x8, #216]
  55d934: 17 ef 02 94                   bl  #769116 <_ZN3art16WellKnownClasses21HandleJniIdTypeChangeEP7_JNIEnv>
  55d938: a8 16 40 f9                   ldr x8, [x21, #40]
  55d93c: e9 07 40 f9                   ldr x9, [sp, #8]
  55d940: 1f 01 09 eb                   cmp x8, x9
  55d944: 41 04 00 54                   b.ne    #136 <_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE+0xe8>
  55d948: f4 4f 43 a9                   ldp x20, x19, [sp, #48]
  55d94c: f5 13 40 f9                   ldr x21, [sp, #32]
  55d950: fd 7b 41 a9                   ldp x29, x30, [sp, #16]
  55d954: ff 03 01 91                   add sp, sp, #64
  55d958: c0 03 5f d6                   ret
  55d95c: 81 da ff b0                   adrp    x1, #-4911104
  55d960: 21 f0 21 91                   add x1, x1, #2172
  55d964: e0 03 00 91                   mov x0, sp
  55d968: c2 7a 81 52                   mov w2, #3030
  55d96c: c3 00 80 52                   mov w3, #6
  55d970: e4 03 1f aa                   mov x4, xzr
  55d974: 05 00 80 12                   mov w5, #-1
  55d978: 7a 9d 04 94                   bl  #1209832 <_ZN7android4base10LogMessageC1EPKcjNS0_11LogSeverityES3_i@plt>
  55d97c: e0 03 00 91                   mov x0, sp
  55d980: 7c 9d 04 94                   bl  #1209840 <_ZN7android4base10LogMessage6streamEv@plt>
  55d984: a1 da ff 90                   adrp    x1, #-4898816
  55d988: 21 bc 31 91                   add x1, x1, #3183
  55d98c: e2 03 80 52                   mov w2, #31
  55d990: df 19 f1 97                   bl  #-3905668 <_ZNSt3__124__put_character_sequenceIcNS_11char_traitsIcEEEERNS_13basic_ostreamIT_T0_EES7_PKS4_m>
  55d994: c1 d9 ff d0                   adrp    x1, #-5005312
  55d998: 21 2c 2d 91                   add x1, x1, #2891
  55d99c: 22 00 80 52                   mov w2, #1
  55d9a0: db 19 f1 97                   bl  #-3905684 <_ZNSt3__124__put_character_sequenceIcNS_11char_traitsIcEEEERNS_13basic_ostreamIT_T0_EES7_PKS4_m>
  55d9a4: c1 da ff 90                   adrp    x1, #-4882432
  55d9a8: 21 64 08 91                   add x1, x1, #537
  55d9ac: c2 03 80 52                   mov w2, #30
  55d9b0: d7 19 f1 97                   bl  #-3905700 <_ZNSt3__124__put_character_sequenceIcNS_11char_traitsIcEEEERNS_13basic_ostreamIT_T0_EES7_PKS4_m>
  55d9b4: e0 03 00 91                   mov x0, sp
  55d9b8: 72 9d 04 94                   bl  #1209800 <_ZN7android4base10LogMessageD1Ev@plt>
  55d9bc: 68 46 45 b9                   ldr w8, [x19, #1348]
  55d9c0: 1f 01 14 6b                   cmp w8, w20
  55d9c4: e1 fa ff 54                   b.ne    #-164 <_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE+0x3c>
  55d9c8: dc ff ff 17                   b   #-144 <_ZN3art7Runtime12SetJniIdTypeENS_9JniIdTypeE+0x54>
  55d9cc: 71 9d 04 94                   bl  #1209796 <__stack_chk_fail@plt>

The file was fetched from /apex/com.android.art/lib64/libart.so. Sharing the binary: https://gofile.io/d/KPt2ff

My 5 cents: according to what I understood from the code, we're looking for a "ldr" followed by "cmp", and we have 2 such examples, both at an offset longer than 20 instructions (which is the upper bound for the loop that searches for this). I wanted to build frida with this patch, but had some trouble with the env set up :(

muhzii commented 3 years ago

Hi, I have submitted a fix for this.

Could someone test the PR out using https://gist.github.com/oleavr/cae76c895eb7d227216ed3ffe9dbbeb3?

ArsenyLL commented 3 years ago

@muhzii thank you for the quick response and fix!!!!

I tried to follow the instructions via the link you provided, but got stuck with the following error:

frida-java-playground myusername$ npm run watch

> frida-java-playground@1.0.0 watch
> frida-compile agent -o _agent.js -w

node:internal/modules/cjs/loader:928
  throw err;
  ^

Error: Cannot find module '/Users/myusername/Documents/dev/frida-java-playground/agent'
Require stack:
- /Users/myusername/Documents/dev/frida-java-playground/node_modules/frida-compile/bin/compile.js
    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:925:15)
    at Function.resolve (node:internal/modules/cjs/helpers:98:19)
    at Object.<anonymous> (/Users/myusername/Documents/dev/frida-java-playground/node_modules/frida-compile/bin/compile.js:28:27)
    at Module._compile (node:internal/modules/cjs/loader:1108:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1137:10)
    at Module.load (node:internal/modules/cjs/loader:973:32)
    at Function.Module._load (node:internal/modules/cjs/loader:813:14)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:76:12)
    at node:internal/main/run_main_module:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/Users/myusername/Documents/dev/frida-java-playground/node_modules/frida-compile/bin/compile.js'
  ]
}
npm ERR! code 1
npm ERR! path /Users/myusername/Documents/dev/frida-java-playground
npm ERR! command failed
npm ERR! command sh -c frida-compile agent -o _agent.js -w

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/myusername/.npm/_logs/2021-01-19T12_02_28_321Z-debug.log

I should note I have no experience with node at all :/

is it possible to build from the main frida git module by using the targets gum-android-arm64 or core-android-arm64? I'm confused :(

ArsenyLL commented 3 years ago

@oleavr quick question: I have also tried directly patching the binary with return 1348; in the function tryDetectJniIdsIndirectionOffset just to check if it works, but it didn't. Did I misunderstand the patch from @muhzii, or is the JS layer pre-compiled inside the frida-server binary (in addition to the clear text I see inside the file, twice for some reason)?

ArsenyLL commented 3 years ago

@muhzii I managed to build frida-bridge-java with your patch. How do I proceed to build a frida-server-X.X.X-android-arm64 binary with the patch integrated? Otherwise I'm not sure the test you linked actually tests the patch on the device...

oleavr commented 3 years ago

@ArsenyLL Thanks!

Did I misunderstand the patch from @muhzii or is the JS layer is pre-compiled inside frida-server binary

It depends. For the QuickJS runtime (the default) it's compiled to byte-code, and for V8 it's used in text form.

How do I proceed to build a frida-server-X.X.X-android-arm64 binary with the patch integrated?

In Makefile.{linux,macos}.mk look for $(NPM) install and append && $(NPM) link /path/to/your/frida-java-bridge-repo. Then proceed to build with make core-android-arm64. This will build build/frida-android-arm64/bin/frida-server. (Wipe the build/ directory in case you've already built it and want to make sure nothing is stale.)

oleavr commented 3 years ago

@ArsenyLL Looking at the objdump output and carefully examining the proposed fix by @muhzii, I'm fairly confident that it is the correct fix. Just tagged Frida 14.2.7 with the fix included. Please let me know if it solves the issue for you. (Not able to test this on Pixel 5 as the closest device I've got is a Pixel 3.)

nscottsol commented 3 years ago

Yes, just loaded frida-server 14.2.7 on my pixel 5 and so far it's working great. Thanks so much for the quick fix!!