Cannot run Shizuku generated rish

MakiseKurisu commented 7 months ago

Shizuku can generate a shell script called rish that can do something in terminal (not sure what since I haven't been able to run it yet). In this file there is a line calling the payload:

/system/bin/app_process -Djava.class.path="$DEX" /system/bin --nice-name=rish rikka.shizuku.shell.ShizukuShellLoader "$@"

I substitute /system/bin/app_process with /android/system/bin/linker64 /android/system/bin/app_process since that's how I got ping working. However, when I just tried to run it to see what happens, it fails:

-bash-5.2$ /android/system/bin/linker64 /android/system/bin/app_process           
CANNOT LINK EXECUTABLE "/android/system/bin/app_process": library "libnativeloader.so" not found

When running in adb shell it gets bit further, so the required library is in the system:

1|HWDVC-M:/ $ /system/bin/app_process                                                                                                                                                        
Error changing dalvik-cache ownership : Permission denied
Aborted
134|HWDVC-M:/ $

I tried to search the error message, which leads me to https://github.com/termux/termux-app/issues/1915. Since we also use proot, it might be relevent?

The updated script for that issue: https://github.com/nathaneltitane/dextop/blob/4cfafae5fe3c474c3685f39f5f974e2e99d8f9cc/proot-launch#L277

BTW I does not have this /linkerconfig/ld.config.txt in my phone when I checked in adb shell.

MakiseKurisu commented 7 months ago

This gives me some hint: https://github.com/nix-community/nix-on-droid/issues/221#issuecomment-1659956726

First off, I created a wrapper package to have /android/system/bin/ in my $PATH. Most important use case is actually ping (an alternative to #185) for me but this makes investigation easier.

I ran linker instead of linker64 for fun and got the following output:

nix-on-droid in 🌐 localhost in ~ 
❯ linker
error: "/apex/com.android.runtime/bin/linker" is 32-bit instead of 64-bit

After checking around, I found /apex/com.android.runtime/lib64/libnativeloader.so. However, LD_PRELOAD doesn't work, so I tried LD_LIBRARY_PATH and now it goes further:

nix-on-droid in 🌐 localhost in ~ 
❯ LD_LIBRARY_PATH=/apex/com.android.runtime/lib64/ app_process
ANDROID_DATA environment variable unset
/nix/store/wgn04nfyhl0fxil0z8i27dnmx3vdr26z-android-system-bin-wrapper/bin/app_process: line 24: 28338 Aborted                 /android/system/bin/linker64 "/android/system/bin/$CMD_NAME" "$@"

Gonna check if I can get rish working later today.

MakiseKurisu commented 7 months ago

So ANDROID_DATA environment variable unset was caused by running command within SSH session. Once I tried to run app_process in Android app I got the same error as in the adb shell.

Updated my wrapper to handle a few more edge cases as well as including LD_LIBRARY_PATH for linker64. I then modified Shizuku generated rish script to match our running environment:

#!/usr/bin/env bash
set -e
DEX="$HOME/downloads/rish_shizuku.dex"

if [ ! -f "$DEX" ]; then
  echo "Cannot find $DEX, please check the tutorial in Shizuku app"
  exit 1
fi

if [ $(getprop ro.build.version.sdk) -ge 34 ]; then
  if [ -w $DEX ]; then
    echo "On Android 14+, app_process cannot load writable dex."
    echo "Attempting to remove the write permission..."
    chmod 400 $DEX
  fi
  if [ -w $DEX ]; then
    echo "Cannot remove the write permission of $DEX."
    echo "You can copy to file to terminal app's private directory (/data/data/<package>, so that remove write permission is possible"
    exit 1
  fi
fi

# Replace "PKG" with the application id of your terminal app
[ -z "$RISH_APPLICATION_ID" ] && export RISH_APPLICATION_ID="com.termux.nix"
app_process -Djava.class.path="$DEX" /android/system/bin --nice-name=rish rikka.shizuku.shell.ShizukuShellLoader "$@"

Unfortunately, this script always returns 0 no matter what I passed in, nor is there any output.

azuwis commented 6 months ago

FYI, after https://github.com/nix-community/nix-on-droid/pull/353, commands like /system/bin/ping /system/bin/dumpsys /system/bin/app_process can be run directly.

expenses commented 3 weeks ago

I've managed to get this rish script working:

#!/system/bin/sh
BASEDIR=$(dirname "$0")                                           DEX="$BASEDIR"/rish_shizuku.dex

if [ ! -f "$DEX" ]; then
  echo "Cannot find $DEX, please check the tutorial in Shizuku app"
  exit 1
fi

if [ $(/system/bin/getprop ro.build.version.sdk) -ge 34 ]; then
  if [ -w $DEX ]; then
    echo "On Android 14+, app_process cannot load writable dex."
    echo "Attempting to remove the write permission..."
    chmod 400 $DEX
  fi
  if [ -w $DEX ]; then
    echo "Cannot remove the write permission of $DEX."
    echo "You can copy to file to terminal app's private directory (/data/data/<package>, so that remove write permission is possible"
    exit 1                                                          fi
fi

# Replace "PKG" with the application id of your terminal app
export RISH_APPLICATION_ID="com.termux.nix"
/system/bin/app_process -Djava.class.path="$DEX" /system/bin --nice-name=rish rikka.shizuku.shell.ShizukuShellLoader "$@"

nix-community / nix-on-droid

Cannot run Shizuku generated rish #348