Command \dl does not work on Android #139

Closed
enovella opened this issue Apr 18, 2019 · 5 comments

Comments

@enovella
Contributor

enovella commented Apr 18, 2019

iOS/macOS

dlopen

GNU/Linux

[0x00000000]> \dl /home/edu/radare2/shlr/sdb/src/libsdb.so
0x7f4e3400f7a0
[0x00000000]> \il~libsdb
0x00007f4e48576000 libsdb.so.1.3.0
[0x00000000]> \iE libsdb.so.1.3.0~ae
0x7f4e485861ae f ht_uu_update
0x7f4e4858eae4 f sdb_lock_wait
0x7f4e48584ae1 f ls_merge_sort
0x7f4e48583dae f buffer_putflush
0x7f4e48597ae9 f ht_pp_find

Android

[0x7f81462c18]> \dl /path/bins/frida-gadget.so
Failed to load: /path/bins/frida-gadget.so

@enovella
Contributor Author

enovella commented Apr 23, 2019

The issue might be related to this new path policy:

static constexpr const char* kPublicNativeLibrariesSystemConfigPathFromRoot =
    "/etc/public.libraries.txt";
static constexpr const char* kPublicNativeLibrariesVendorConfig =
    "/vendor/etc/public.libraries.txt";

https://source.android.com/devices/architecture/vndk/linker-namespace

Different paths

OnePlus3:/system/vendor/lib64 # md5sum  libsecureui.so 
30ed0fd669dcac6847144755fddb8f95  libsecureui.so
OnePlus3:/system/vendor/lib64 # md5sum  /data/local/tmp/libsecureui.so                            
30ed0fd669dcac6847144755fddb8f95  /data/local/tmp/libsecureui.so

Working

[0x00000000]> \dl /system/vendor/lib64/libsecureui.so
RTLD_GLOBAL:8
RTLD_LAZY  :1
0x6f77659619bd7165

[0x00000000]> \dl /data/local/tmp/libsecureui.so
RTLD_GLOBAL:8
RTLD_LAZY  :1
Failed to load: /data/local/tmp/libsecureui.so
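
The two results above differ only in the path, not in the file (the md5sums match), which is exactly what the linker namespace path check decides on. The following is an added example written for this page, not code from r2frida, Frida or the Android linker: a small Python model of that check. It parses a constructed, simplified ld.config.txt (the sample is invented for illustration and is not copied from any device) and applies the rule the linker uses per namespace: a non-isolated namespace accepts any path; an isolated namespace accepts a file only when its directory is exactly one of the search paths or the file lies under one of the permitted paths. Symlink resolution (realpath, e.g. /system/vendor pointing at /vendor) and the app classloader namespaces that libnativeloader creates at runtime are assumptions left out of the model.

```python
"""Model of the Android (7.0+) linker namespace path check.

Added example for this thread, not code from r2frida, Frida or the
Android linker.  Non-isolated namespace: any path loads.  Isolated
namespace: the file's directory must equal a search path, or the file
must lie under a permitted path.  realpath() and runtime-created app
classloader namespaces are not modelled (assumption).
"""
import posixpath
import re

# Constructed sample in ld.config.txt syntax; not copied from any device.
SAMPLE_LD_CONFIG = """\
# executables under these directories use the named section
dir.system = /system/bin/
dir.vendor = /vendor/bin/

[system]
additional.namespaces = sphal
namespace.default.isolated = true
namespace.default.search.paths = /system/${LIB}
namespace.default.permitted.paths = /system/${LIB}/hw:/system/vendor/${LIB}
namespace.sphal.isolated = true
namespace.sphal.search.paths = /odm/${LIB}:/vendor/${LIB}
namespace.sphal.permitted.paths = /odm/${LIB}:/vendor/${LIB}

[vendor]
namespace.default.isolated = false
namespace.default.search.paths = /odm/${LIB}:/vendor/${LIB}
"""


class Namespace:
    def __init__(self, name):
        self.name = name
        self.isolated = False
        self.search_paths = []
        self.permitted_paths = []

    def is_accessible(self, path):
        """True if a file at `path` may be loaded into this namespace."""
        if not self.isolated:          # non-isolated: no path restriction
            return True
        path = posixpath.normpath(path)
        dirname = posixpath.dirname(path)
        # search paths: the file's directory must match exactly
        if any(dirname == posixpath.normpath(d) for d in self.search_paths):
            return True
        # permitted paths: any directory prefix of the file's path
        for d in self.permitted_paths:
            prefix = posixpath.normpath(d)
            if not prefix.endswith("/"):
                prefix += "/"
            if path.startswith(prefix):
                return True
        return False


def parse_ld_config(text, lib="lib64"):
    """Return (sections, dirs): sections maps section -> {ns -> Namespace};
    dirs is the ordered (directory prefix, section) list from dir.* lines.
    ${LIB} expands to `lib`; keys this model does not need are skipped."""
    sections, dirs, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().replace("${LIB}", lib)
        if key.startswith("dir."):
            dirs.append((value, key[len("dir."):]))
            continue
        m = re.match(r"^namespace\.(\w+)\.(isolated|search\.paths|permitted\.paths)$", key)
        if current is None or not m:
            continue
        ns = sections[current].setdefault(m.group(1), Namespace(m.group(1)))
        if m.group(2) == "isolated":
            ns.isolated = value.lower() == "true"
        elif m.group(2) == "search.paths":
            ns.search_paths = [p for p in value.split(":") if p]
        else:
            ns.permitted_paths = [p for p in value.split(":") if p]
    return sections, dirs


def section_for_executable(dirs, exe_path):
    """Map an executable path to its config section via the dir.* rules."""
    for prefix, section in dirs:
        if exe_path.startswith(prefix):
            return section
    return None


def can_dlopen(config_text, exe_path, ns_name, lib_path, lib="lib64"):
    """Would the path check let `exe_path`, in namespace `ns_name`,
    dlopen() `lib_path`?  Unknown section or namespace -> False."""
    sections, dirs = parse_ld_config(config_text, lib)
    ns = sections.get(section_for_executable(dirs, exe_path), {}).get(ns_name)
    return ns is not None and ns.is_accessible(lib_path)


if __name__ == "__main__":
    # Same library name, two paths: only the one under a permitted
    # directory passes, mirroring the observation in this thread.
    for p in ("/system/vendor/lib64/libsecureui.so", "/data/local/tmp/libsecureui.so"):
        print(p, can_dlopen(SAMPLE_LD_CONFIG, "/system/bin/app_process64", "default", p))
```

Run it as a script to see the two verdicts for the sample; on a real device the same rule is applied to the realpath of the file, and the namespace an injected agent ends up in depends on where the linker locates the caller, which this file-based model does not decide.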

@enovella
Contributor Author

enovella commented Apr 23, 2019

Related: frida/frida#448 (comment)

> AFAIK, in Android 7 Google introduced "namespaces" for dlopen: you can't load any dynamic library outside the app namespace or it will fault. Frida itself gets around this using a neat trick; take a look at the Android injection code for a reference, maybe you can adopt that to your hooking logic.
> Sorry I can't link to the code, I'm on my phone.

@maqsoodahmadjan

\dl doesn't work on Android at all. I tried with both 12.5.x and 12.6.1.

With \dl, I get:
Failed to load: libX.so

With \dl2, it shows "done", but then the process crashes with an error:
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/angler/angler:8.0.0/OPR5.170623.007/4302479:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 14684, tid: 16372, name: .example >>> com.example <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
r0 f2dd4360 r1 d5f7f928 r2 d5f7f92c r3 d5f7fdf4
r4 00000000 r5 1c285171 r6 f2dd4000 r7 00000032
r8 0000395c r9 f2dd4000 sl f2dd3081 fp 0000000b
ip 00000000 sp d5f7f928 lr f2dd30d1 pc 00000000 cpsr 400f0010

backtrace:
#00 pc 00000000
#1 pc 000000cf anonymous:f2dd3000

@enovella
Contributor Author

> \dl doesn't work on Android at all. I tried with both 12.5.x and 12.6.1.

Have you tried Android 4.4 or Android 6.x? The issue comes after Android 7.0 with the namespaces.

> With \dl2, it shows "done", but then the process crashes with an error:
> CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
> Build fingerprint: 'google/angler/angler:8.0.0/OPR5.170623.007/4302479:user/release-keys'
> Revision: '0'
> ABI: 'arm'
> pid: 14684, tid: 16372, name: .example >>> com.example <<<
> signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
> Cause: null pointer dereference
> r0 f2dd4360 r1 d5f7f928 r2 d5f7f92c r3 d5f7fdf4
> r4 00000000 r5 1c285171 r6 f2dd4000 r7 00000032
> r8 0000395c r9 f2dd4000 sl f2dd3081 fp 0000000b
> ip 00000000 sp d5f7f928 lr f2dd30d1 pc 00000000 cpsr 400f0010
>
> backtrace:
> #00 pc 00000000
> #1 pc 000000cf anonymous:f2dd3000

Try to recompile Frida without stripping to get a symbolicated backtrace. If you want, I can share the latest Frida server compiled with symbols.

@enovella
Contributor Author

enovella commented Jun 7, 2019

Closed due to #149

@enovella enovella closed this as completed Jun 7, 2019