Open MikBely opened 1 month ago
First of all, are you running this on an affected Android version? In theory this exploit should work on Android 13 with a patch level earlier than November 2022. If you're running on a patched version, `LazyValue` won't be created when reading `Bundle` while `Parcel.hasReadWriteHelper()` is true.
Second, try checking logcat and inspecting the reply from `setQueueBinder`; there might be an Exception message there.
Third, it might be possible that `RemoteView`-s or other object layout differs on the tested device; for that you'd need to grab a debugger and manually inspect the created object(s). The "Manual testing" button allows launching testing of the `ValueLeaker` primitive against a simulated system process to which you can attach a debugger even on a non-rooted device (the simulated system will appear in the process list as `com.example.leakvalue:testservice` and will load the same `MediaSessionService` as the real `system_server` does, although it will not include `Binder` objects inside test transactions).
So, I tried to run this app. I have an issue in which I can't receive any leaked binders from `doAllStuff()`. I got an empty array list `leakedBinders`. I think this happens because `Parcel parcel = leaker.doLeak();` creates a null parcel. How can I fix this error?