Closed matbrik closed 2 months ago
It looks like it is a problem related to the garbage collector; with Frida, disabling GarbageCollector::Run() prevents the crashes.
Adding that two of my devices (Android 12 and Android 14) have the same issue; both of them have /apex/com.android.art@341711000 and did not have issues before.
In my case,
Currently the only working workaround is hooking the onLeave of RunPhases of the ART GC and refreshing all the hooks. I've tried to do some debugging and commit diffing in libart but I couldn't find anything. Edit: this solution crashes the process after a while.
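An added example (mine, not code from the issue or from frida-java-bridge) of the workaround this comment describes: a Frida script that keeps a list of Java hook installers and re-runs them from the onLeave of ART's GarbageCollector::RunPhases(). It assumes the Frida 16 API, that the mangled name `_ZN3art2gc9collector16GarbageCollector9RunPhasesEv` is the symbol for that method in the target's libart.so (verify with enumerateSymbols on your build), and uses a placeholder android.app.Activity.onResume hook; the refresh logic takes its Frida objects as parameters so it can also be exercised outside a Frida session. As the comment above notes, this workaround still crashes the process eventually, so treat it as a diagnostic aid rather than a fix.

```javascript
// Added example, not from the issue: re-apply Java hooks after every ART GC pass
// by attaching to the onLeave of art::gc::collector::GarbageCollector::RunPhases().
// Assumption: this is the Itanium mangling of that symbol; check it against
// Process.getModuleByName('libart.so').enumerateSymbols() on your device.
const GC_RUN_PHASES_SYMBOL = '_ZN3art2gc9collector16GarbageCollector9RunPhasesEv';

// deps = { Interceptor, Java, findSymbol }: pass the real Frida globals inside a
// session, or fakes when exercising the refresh logic outside Frida.
function createHookRefresher(deps) {
  const installers = [];   // functions that (re)install one Java hook each
  let refreshCount = 0;    // how many GC passes triggered a re-install
  let listener = null;

  function installAll() {
    // Java.use() is only legal inside Java.perform(), so run installers there.
    deps.Java.perform(() => {
      for (const install of installers) install(deps.Java);
    });
  }

  return {
    add(install) { installers.push(install); },
    start() {
      installAll();
      const target = deps.findSymbol(GC_RUN_PHASES_SYMBOL);
      if (target === null) {
        throw new Error('GarbageCollector::RunPhases not found in libart.so');
      }
      listener = deps.Interceptor.attach(target, {
        onLeave() {
          // GC pass finished: the hooked ArtMethods may have been touched, refresh.
          refreshCount += 1;
          installAll();
        },
      });
      return target;
    },
    stop() { if (listener !== null) { listener.detach(); listener = null; } },
    refreshCount() { return refreshCount; },
  };
}

// Resolver using the Frida 16 API; only callable inside a Frida session.
function resolveArtSymbol(name) {
  const exported = Module.findExportByName('libart.so', name);
  if (exported !== null) return exported;
  const sym = Process.getModuleByName('libart.so')
    .enumerateSymbols()
    .find((s) => s.name === name);
  return sym ? sym.address : null;
}

// Wire it up when running under Frida (skipped when the Frida globals are absent).
if (typeof Interceptor !== 'undefined' && typeof Java !== 'undefined') {
  const refresher = createHookRefresher({ Interceptor, Java, findSymbol: resolveArtSymbol });
  refresher.add((J) => {
    // Placeholder hook; substitute the method that crashes in your target.
    const Activity = J.use('android.app.Activity');
    Activity.onResume.implementation = function () {
      console.log('[hook] Activity.onResume');
      return this.onResume();
    };
  });
  console.log('RunPhases at ' + refresher.start());
}
```

Load it with `frida -U -n <process> -l refresh.js`; every installer you `add()` is run once at start and again after each GC pass, so keep installers idempotent (assigning `.implementation` again is fine, accumulating state is not).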
I have tried to test frida-java-bridge on a Pixel 6 (14.0.0 (AP2A.240605.024, Jun 2024)) with the latest Google Play system update (open Settings -> search "Play system" -> Google Play system update -> Check for update), with the latest frida-server and frida-tools (both 16.4.2) on my Mac, this repo cloned, and the correct env variables exported:
```
$ make check
[*] Running the test suite with optimizations disabled (interpreter mode).
/Users/foo/Downloads/Xcode.app/Contents/Developer/usr/bin/make -C test deploy
d8 \
--output build/tests.zip \
--classpath /Users/foo/Library/Android/sdk/platforms/android-33/android.jar \
--min-api 33 \
build/tests.jar
cd build && unzip tests.zip classes.dex
Archive: tests.zip
inflating: classes.dex
mv build/classes.dex build/tests.dex
adb shell "rm -rf /data/local/tmp/frida-java-bridge-tests && mkdir -p /data/local/tmp/frida-java-bridge-tests"
adb push build/arm64-v8a/runner build/tests.dex build/frida-java-bridge.js build/arm64-v8a/libartpalette.so /data/local/tmp/frida-java-bridge-tests
build/arm64-v8a/runner: 1 file pushed, 0 skipped. 90.3 MB/s (6644256 bytes in 0.070s)
build/tests.dex: 1 file pushed, 0 skipped. 270.4 MB/s (312744 bytes in 0.001s)
build/frida-java-bridge.js: 1 file pushed, 0 skipped. 318.0 MB/s (352730 bytes in 0.001s)
build/arm64-v8a/libartpalette.so: 1 file pushed, 0 skipped. 66.0 MB/s (4680 bytes in 0.000s)
4 files pushed, 0 skipped. 49.0 MB/s (7314410 bytes in 0.142s)
/Users/foo/Downloads/Xcode.app/Contents/Developer/usr/bin/make -C test run
adb shell "LD_PRELOAD=libart.so LD_LIBRARY_PATH='/apex/com.android.runtime/lib64:/apex/com.android.art/lib64:/data/local/tmp/frida-java-bridge-tests' /data/local/tmp/frida-java-bridge-tests/runner "
CANNOT LINK EXECUTABLE "/data/local/tmp/frida-java-bridge-tests/runner": cannot locate symbol "_ZN3fmt2v76detail7vformatENS0_17basic_string_viewIcEENS0_11format_argsE" referenced by "/apex/com.android.art/lib64/libart.so"...
make[2]: *** [run] Error 1
make[1]: *** [check-run] Error 2
make: *** [check] Error 2
```
Hooking a Java method in system_server on a Samsung Android 13 S23 Plus and A33 with the latest updates causes a SIGSEGV/SEGV_MAPERR crash. On an S21 5G I cannot reproduce it. My hypothesis is a change in libart.so, but looking at the source code and diffing the binaries I couldn't find a reason. P.S. not all methods seem to trigger the crash.
sha1sum: 7c9ef90838717ac4d792139f8b1f7ca9692d018e /apex/com.android.art@341711000/lib64/libart.so
frida-gadget 16.2.5
crashlog
reproducer script:
To trigger the crash you can open the Settings app and navigate in the app list.
The crash happens when the JVM tries to access the hooked method.
artQuickGenericJniTrampoline: