Frida 10.5.15 Android x86 Emulator crashes App while spawning #343

Closed
jhscheer opened this issue Sep 18, 2017 · 3 comments

Comments

@jhscheer

jhscheer commented Sep 18, 2017

Hi,
while investigating another issue (frida/frida-java-bridge#29) I tested a lot of Android Emulators with the latest Frida version 10.5.15.
I was unable to find an x86 Emulator where Frida 10.5.15 was able to spawn -f an App without immediately crashing it.
However, I was able to pinpoint a few Frida versions that worked :)
Basically, every Frida version after 10.2.3 running on an x86 emulator crashed the App with -f.
On ARM Emulators and on a real device, Frida version 10.5.15 worked without crashing the App!

Host: Linux x86_64, python3.6
APK: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android/Level_01/
More details here: frida/frida-java-bridge#29 (comment)

Tested:
Device:

  • Nexus 5X - 6.0.1 - ARM64 - 10.5.15

AndroidStudio Emulator:

  • Nexus 5 - 5.1.0 - API 22 ARM - 10.5.15
  • Nexus 5 - 6.0.0 - API 23 ARM - 10.5.15
  • Nexus 5X - 6.0.0 - API 23 ARM 10.2.3 -> emulator soft reset

Genymotion Emulator:

  • Nexus 5X - 7.1.0 - API 25 x86 - 10.5.15 -> app crash
  • Custom Phone - 7.1.0 - API 25 x86 - 10.5.15 -> emulator soft reset
  • Nexus 7 2013 - 6.0.0 - API 23 x86 - 10.5.15 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.5.15 -> app crash
  • Galaxy S6 - 6.0.0 - API 23 x86 - 10.5.15 -> app crash
  • Pixel C - 6.0.0 - API 23 x86 - 10.5.15 -> app crash
  • Custom Phone - 6.0.0 - API 23 x86 - 10.5.15 -> app crash
  • Custom Phone - 5.1.0 - API 22 x86 - 10.5.15 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.5.2 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.4.0 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.3.14 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.3.2 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.3.1 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.3.0 -> app crash
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.2.3
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.2.2
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.2.1
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.2.0 -> app runs, but emulator froze after interacting with the app
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.1.6
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.1.5
  • Nexus 7 2013 - 6.0.0 - API 23 x86 - 10.1.2
  • Nexus 5X - 6.0.0 - API 23 x86 - 10.1.2
  • Custom Phone - 5.1.0 - API 22 x86 - 10.1.2 -> app crash
  • Custom Phone - 7.1.0 - API 25 x86 - 10.1.2 -> emulator soft reset
  • Galaxy S6 - 6.0.0 - API 23 x86 - 10.1.2
  • Pixel C - 6.0.0 - API 23 x86 - 10.1.2
  • Custom Phone - 6.0.0 - API 23 x86 - 10.1.2
  • Custom Phone - 5.1.0 - API 22 x86 - 10.1.0 -> app crash
  • Custom Phone - 7.1.0 - API 25 x86 - 10.1.0 -> emulator soft reset
  • Custom Phone - 6.0.0 - API 23 x86 - 9.1.16

adb logcat from Custom Phone - 6.0.0 - API 23 x86 - 10.5.15:

09-18 09:18:24.754  2945  3001 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 3001 (ndroid.systemui)
09-18 09:18:24.855   237   237 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-18 09:18:24.856   237   237 F DEBUG   : Build fingerprint: 'Android/vbox86p/vbox86p:6.0/MRA58K/genymotion03201937:userdebug/test-keys'
09-18 09:18:24.856   237   237 F DEBUG   : Revision: '0'
09-18 09:18:24.856   237   237 F DEBUG   : ABI: 'x86'
09-18 09:18:24.856   237   237 E DEBUG   : AM write failed: Broken pipe
09-18 09:18:24.856   237   237 F DEBUG   : pid: 2945, tid: 3001, name: ndroid.systemui  >>> com.android.systemui <<<
09-18 09:18:24.856   237   237 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
09-18 09:18:24.866   237   237 F DEBUG   :     eax 00000000  ebx f740971c  ecx de17f8cc  edx 00000000
09-18 09:18:24.866   237   237 F DEBUG   :     esi de17f930  edi de17f970
09-18 09:18:24.866   237   237 F DEBUG   :     xcs 00000023  xds 0000002b  xes 0000002b  xfs 00000007  xss 0000002b
09-18 09:18:24.866   237   237 F DEBUG   :     eip 00000000  ebp de17f8d8  esp de17f8ac  flags 00210282
09-18 09:18:24.866   237   237 F DEBUG   : 
09-18 09:18:24.866   237   237 F DEBUG   : backtrace:
09-18 09:18:24.866   237   237 F DEBUG   :     #00 pc 00000000  <unknown>
09-18 09:18:24.866   237   237 F DEBUG   :     #01 pc 00060bc3  /system/lib/libc.so (offset 0x20000)
09-18 09:18:24.866   237   237 F DEBUG   :     #02 pc 00000b80  <unknown>
09-18 09:18:24.940   237   237 F DEBUG   : 
09-18 09:18:24.940   237   237 F DEBUG   : Tombstone written to: /data/tombstones/tombstone_05
09-18 09:18:24.941   639   656 I BootReceiver: Copying /data/tombstones/tombstone_05 to DropBox (SYSTEM_TOMBSTONE)
09-18 09:18:24.958   639   680 W InputDispatcher: channel '664c179 com.android.systemui.ImageWallpaper (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
09-18 09:18:24.958   639   680 E InputDispatcher: channel '664c179 com.android.systemui.ImageWallpaper (server)' ~ Channel is unrecoverably broken and will be disposed!
09-18 09:18:24.958   639   680 W InputDispatcher: channel 'ef55e3c NavigationBar (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
09-18 09:18:24.958   639   680 E InputDispatcher: channel 'ef55e3c NavigationBar (server)' ~ Channel is unrecoverably broken and will be disposed!
09-18 09:18:24.958   639   680 W InputDispatcher: channel 'b57660e AssistPreviewPanel (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
09-18 09:18:24.958   639   680 E InputDispatcher: channel 'b57660e AssistPreviewPanel (server)' ~ Channel is unrecoverably broken and will be disposed!
09-18 09:18:24.958   639   680 W InputDispatcher: channel 'cb9c636 StatusBar (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
09-18 09:18:24.958   639   680 E InputDispatcher: channel 'cb9c636 StatusBar (server)' ~ Channel is unrecoverably broken and will be disposed!
09-18 09:18:24.959   639  2833 D GraphicsStats: Buffer count: 1
09-18 09:18:24.959   639  1074 I WindowState: WIN DEATH: Window{cb9c636 u0 StatusBar}
09-18 09:18:24.959   639  1074 W InputDispatcher: Attempted to unregister already unregistered input channel 'cb9c636 StatusBar (server)'
09-18 09:18:24.960   639   701 D WifiService: Client connection lost with reason: 4
09-18 09:18:24.961   639  1082 W AudioService: Current remote volume controller died, unregistering
09-18 09:18:24.961   639   639 W WallpaperManagerService: Wallpaper service gone: ComponentInfo{com.android.systemui/com.android.systemui.ImageWallpaper}
09-18 09:18:24.961   639   639 V KeyguardServiceDelegate: *** Keyguard disconnected (boo!)
09-18 09:18:24.961   639   986 W libprocessgroup: failed to open /acct/uid_10016/pid_2945/cgroup.procs: No such file or directory
09-18 09:18:24.961   639   986 I ActivityManager: Process com.android.systemui (pid 2945) has died
09-18 09:18:24.961   639  1082 W VolumeController: Error calling dismiss
09-18 09:18:24.961   639  1082 W VolumeController: android.os.DeadObjectException
09-18 09:18:24.961   639  1082 W VolumeController: 	at android.os.BinderProxy.transactNative(Native Method)
[...]

tombstone:
tombstone_05.txt

This issue #308 looks to be related.

@oleavr
Member

oleavr commented Oct 16, 2017

Fixed in 10.6.12. Cheers!

@oleavr oleavr closed this as completed Oct 16, 2017
@jhscheer
Author

jhscheer commented Oct 20, 2017

Hi @oleavr,
thanks a lot for fixing this!

Spawning with -f works now.
However, in my tests on Emulators, the App always crashes when I trigger a hooked function while interacting with the App on the device.
On a real Device everything works fine (except early instrumentation) :(
I tested frida-server and frida-gadget version 10.6.13 on Emulators and on a real device.
For me, frida version 10.2.3 is still the most stable version to use for Android Emulators.

Frida-Server

Real Device:

Google Nexus 5X - 6.0.1
everything works, except early instrumentation

Emulators:

Google Nexus 5 - 8.0.0 - API 26
works:
frida-ps -U
soft reset:
frida-ps -U -a
frida -U -f name.apk -l name.js --no-pause
app crash:
frida -U name.apk -l name.js --no-pause

Google Nexus 5 - 7.1.1 - API 25
works:
frida-ps -U
frida-ps -U -a
soft reset:
frida -U -f name.apk -l name.js --no-pause
works until hooked methods are triggered while interacting with the app:
frida -U name.apk -l name.js --no-pause

Google Nexus 5 - 6.0.0 - API 23
works:
frida-ps -U
frida-ps -U -a
works until hooked methods are triggered while interacting with the app:
frida -U -f name.apk -l name.js --no-pause
frida -U name.apk -l name.js --no-pause

Frida-Gadget

Real Device:

Google Nexus 5X - 6.0.1
everything works, except early instrumentation

Emulators:

Google Nexus 5 - 6.0.0 - API 23 & Google Nexus 5 - 7.1.1 - API 25 & Google Nexus 5 - 8.0.0 - API 26
works:
frida-ps -U
frida-ps -U -a
works until hooked methods are triggered while interacting with the app:
frida -U Gadget -l name.js --no-pause

adb logcat from Emulator 6.0.0:

10-20 12:33:07.533  1597  1608 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=sg.vantagepoint.uncrackable1/.MainActivity bnds=[12,870][276,1167] (has extras)} from uid 10009 on display 0
10-20 12:33:07.557  1597  2149 I ActivityManager: Start proc 4513:sg.vantagepoint.uncrackable1/u0a66 for activity sg.vantagepoint.uncrackable1/.MainActivity
10-20 12:33:07.578  4513  4519 E art     : Failed writing handshake bytes (-1 of 14): Broken pipe
10-20 12:33:07.578  4513  4519 I art     : Debugger is no longer active
10-20 12:33:07.609  4513  4527 I Frida   : Listening on 127.0.0.1 TCP port 27042
10-20 12:34:53.227  4513  4544 D OpenGLRenderer: Use EGL_SWAP_BEHAVIOR_PRESERVED: true
10-20 12:34:53.232  4513  4513 D         : HostConnection::get() New Host Connection established 0xaa3fc580, tid 4513
10-20 12:34:53.234  4513  4513 W         : Unrecognized GLES max version string in extensions: ANDROID_EMU_CHECKSUM_HELPER_v1 ANDROID_EMU_dma_v1 
10-20 12:34:53.317  4513  4544 D         : HostConnection::get() New Host Connection established 0xaa3fcf00, tid 4544
10-20 12:34:53.320  4513  4544 W         : Unrecognized GLES max version string in extensions: ANDROID_EMU_CHECKSUM_HELPER_v1 ANDROID_EMU_dma_v1 
10-20 12:34:53.335  4513  4544 I OpenGLRenderer: Initialized EGL, version 1.4
10-20 12:34:53.337  4513  4544 W OpenGLRenderer: Failed to choose config with EGL_SWAP_BEHAVIOR_PRESERVED, retrying without...
10-20 12:34:53.350  4513  4544 D EGL_emulation: eglCreateContext: 0xafec90c0: maj 2 min 0 rcv 2
10-20 12:34:53.361  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:53.398  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:53.500  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:53.552  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:53.633  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:53.708  1597  1616 I ActivityManager: Displayed sg.vantagepoint.uncrackable1/.MainActivity: +1m46s164ms
10-20 12:34:53.710  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:53.726  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:54.892  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:55.081  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:55.095  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:55.567  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:59.054  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:59.070  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:59.090  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:59.169  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:34:59.170  4513  4544 E Surface : getSlotFromBufferLocked: unknown buffer: 0xb403c8a0
10-20 12:34:59.177  4513  4544 D OpenGLRenderer: endAllStagingAnimators on 0xa11c3500 (RippleDrawable) with handle 0xa0f7f180
10-20 12:34:59.207  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:35:02.823  4513  4544 D EGL_emulation: eglMakeCurrent: 0xafec90c0: ver 2 0 (tinfo 0xaa3c2940)
10-20 12:35:02.830  4513  4544 E Surface : getSlotFromBufferLocked: unknown buffer: 0xb403da20
10-20 12:35:04.674  1597  2759 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=sg.vantagepoint.uncrackable1/.MainActivity bnds=[12,870][276,1167] (has extras)} from uid 10009 on display 0
10-20 12:35:04.696  4513  4513 D AndroidRuntime: Shutting down VM
10-20 12:35:04.700  4513  4513 E AndroidRuntime: FATAL EXCEPTION: main
10-20 12:35:04.700  4513  4513 E AndroidRuntime: Process: sg.vantagepoint.uncrackable1, PID: 4513
10-20 12:35:04.700  4513  4513 E AndroidRuntime: java.lang.RuntimeException: Unable to resume activity {sg.vantagepoint.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity}: android.util.SuperNotCalledException: Activity {sg.vantagepoint.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity} did not call through to super.onStart()
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3103)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.ActivityThread.handleResumeActivity(ActivityThread.java:3134)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1388)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:102)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:148)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:5417)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: Caused by: android.util.SuperNotCalledException: Activity {sg.vantagepoint.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity} did not call through to super.onStart()
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.Activity.performStart(Activity.java:6255)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.Activity.performRestart(Activity.java:6299)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.Activity.performResume(Activity.java:6304)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3092)
10-20 12:35:04.700  4513  4513 E AndroidRuntime: 	... 8 more
10-20 12:35:04.710  1597  2165 W ActivityManager:   Force finishing activity sg.vantagepoint.uncrackable1/.MainActivity
10-20 12:35:05.222  1597  1611 W ActivityManager: Activity pause timeout for ActivityRecord{7d7a288 u0 sg.vantagepoint.uncrackable1/.MainActivity t50 f}
10-20 12:35:15.344  1597  1611 W ActivityManager: Activity destroy timeout for ActivityRecord{7d7a288 u0 sg.vantagepoint.uncrackable1/.MainActivity t50 f}
10-20 12:35:52.479  4513  4513 I Process : Sending signal. PID: 4513 SIG: 9
10-20 12:35:52.534  1597  2149 I ActivityManager: Process sg.vantagepoint.uncrackable1 (pid 4513) has died
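
The two logcat excerpts in this thread show two different kinds of failure, and telling them apart is the first triage step when an instrumented app dies. The first excerpt (in the opening report) is a native crash: `debuggerd` prints `eip 00000000` and `#00 pc 00000000 <unknown>` together with `fault addr 0x0`, which means the CPU tried to execute address 0, i.e. control was transferred through a null or clobbered code pointer, not that some code read a null pointer. The excerpt above is a Java crash: the `AndroidRuntime` block ends in `android.util.SuperNotCalledException`, a lifecycle error raised on the main thread when `onStart()` returns without having called `super.onStart()`. The script below is an added example (not code from Frida or from this issue) that parses `adb logcat -v threadtime` output and classifies both signatures; the sample lines are copied from the two excerpts on this page, with the tab characters escaped. Everything else in the script (function names, the report wording) is my own choice.

```python
import re
from typing import List, Optional

# threadtime logcat format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message" (TAG may be empty)
LOGCAT_RE = re.compile(r"^(\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]*?)\s*:\s?(.*)$")
FATAL_SIGNAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\), code (\d+), fault addr (0x[0-9a-f]+) in tid (\d+)")
TOMBSTONE_PID_RE = re.compile(r"pid: (\d+), tid: (\d+), name: \S+\s+>>> (\S+) <<<")
PC_REG_RE = re.compile(r"\b(eip|rip|pc)\s+([0-9a-f]{8,16})\b")  # instruction pointer on x86 / x86_64 / ARM
FRAME0_RE = re.compile(r"#00 pc ([0-9a-f]+)\s+(\S.*)")


def parse_line(line: str) -> Optional[dict]:
    """Split one logcat line into its fields; None for anything that is not logcat output."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    date, time, pid, tid, level, tag, msg = m.groups()
    return {"date": date, "time": time, "pid": int(pid), "tid": int(tid), "level": level, "tag": tag, "msg": msg}


def find_native_crashes(lines: List[str]) -> List[dict]:
    """Pair each libc 'Fatal signal' line with the debuggerd tombstone header that follows it."""
    crashes, cur = [], None
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"]
        if rec["tag"] == "libc" and rec["level"] == "F" and (m := FATAL_SIGNAL_RE.search(msg)):
            cur = {"pid": rec["pid"], "tid": int(m[5]), "signame": m[2], "code": int(m[3]),
                   "fault_addr": int(m[4], 16), "process": None, "pc": None, "frame0": None, "tombstone": None}
            crashes.append(cur)
        elif cur is None or rec["tag"] != "DEBUG":
            continue
        elif m := TOMBSTONE_PID_RE.search(msg):
            cur["process"] = m[3]
        elif m := FRAME0_RE.search(msg):
            cur["frame0"] = (int(m[1], 16), m[2].strip())
        elif cur["pc"] is None and (m := PC_REG_RE.search(msg)):
            cur["pc"] = int(m[2], 16)  # the register dump precedes the backtrace, so this is the faulting pc
        elif "Tombstone written to:" in msg:
            cur["tombstone"] = msg.split("Tombstone written to:", 1)[1].strip()
            cur = None  # header complete; the next 'Fatal signal' starts a new record
    return crashes


def find_java_crashes(lines: List[str]) -> List[dict]:
    """Collect AndroidRuntime 'FATAL EXCEPTION' blocks: process, top-level exception, innermost cause."""
    crashes, cur = [], None
    for rec in filter(None, map(parse_line, lines)):
        if rec["tag"] != "AndroidRuntime":
            continue
        msg = rec["msg"].strip()
        if msg.startswith("FATAL EXCEPTION:"):
            cur = {"pid": rec["pid"], "thread": msg.split(":", 1)[1].strip(),
                   "process": None, "exception": None, "root_cause": None}
            crashes.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Process:"):
            cur["process"] = msg[len("Process:"):].split(",", 1)[0].strip()
        elif msg.startswith("Caused by:"):
            cur["root_cause"] = msg[len("Caused by:"):].strip()  # the last 'Caused by' is the innermost cause
        elif cur["exception"] is None and not msg.startswith(("at ", "...")):
            cur["exception"] = msg  # first non-frame line after the header is the top-level exception
    return crashes


def root_cause_class(crash: dict) -> str:
    """Exception class of the innermost cause (falls back to the top-level exception)."""
    return str(crash["root_cause"] or crash["exception"] or "").split(":", 1)[0].strip()


def describe_native(crash: dict) -> str:
    """One-line diagnosis from signal, fault address and instruction pointer."""
    if crash["signame"] == "SIGSEGV" and crash["fault_addr"] == 0 and crash["pc"] == 0:
        # pc == fault addr == 0: the CPU tried to *execute* address 0, so control went through a
        # null or clobbered code pointer; frame #00 at 0 in the backtrace says the same thing.
        return "control transfer to address 0 (null or clobbered code pointer)"
    if crash["signame"] == "SIGSEGV" and crash["fault_addr"] < 0x1000:
        return "null-pointer data access"
    return f"{crash['signame']} (si_code {crash['code']}), fault addr {crash['fault_addr']:#x}"


# Constructed sample: lines copied from the two logcat excerpts in this issue (tabs escaped).
SAMPLE_LOGCAT = [
    "09-18 09:18:24.754  2945  3001 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 3001 (ndroid.systemui)",
    "09-18 09:18:24.856   237   237 F DEBUG   : pid: 2945, tid: 3001, name: ndroid.systemui  >>> com.android.systemui <<<",
    "09-18 09:18:24.866   237   237 F DEBUG   :     eax 00000000  ebx f740971c  ecx de17f8cc  edx 00000000",
    "09-18 09:18:24.866   237   237 F DEBUG   :     eip 00000000  ebp de17f8d8  esp de17f8ac  flags 00210282",
    "09-18 09:18:24.866   237   237 F DEBUG   :     #00 pc 00000000  <unknown>",
    "09-18 09:18:24.866   237   237 F DEBUG   :     #01 pc 00060bc3  /system/lib/libc.so (offset 0x20000)",
    "09-18 09:18:24.940   237   237 F DEBUG   : Tombstone written to: /data/tombstones/tombstone_05",
    "10-20 12:35:04.700  4513  4513 E AndroidRuntime: FATAL EXCEPTION: main",
    "10-20 12:35:04.700  4513  4513 E AndroidRuntime: Process: sg.vantagepoint.uncrackable1, PID: 4513",
    "10-20 12:35:04.700  4513  4513 E AndroidRuntime: java.lang.RuntimeException: Unable to resume activity {sg.vantagepoint.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity}: android.util.SuperNotCalledException: Activity {sg.vantagepoint.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity} did not call through to super.onStart()",
    "10-20 12:35:04.700  4513  4513 E AndroidRuntime: \tat android.app.ActivityThread.performResumeActivity(ActivityThread.java:3103)",
    "10-20 12:35:04.700  4513  4513 E AndroidRuntime: Caused by: android.util.SuperNotCalledException: Activity {sg.vantagepoint.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity} did not call through to super.onStart()",
    "10-20 12:35:04.700  4513  4513 E AndroidRuntime: \t... 8 more",
]


def triage(lines: List[str]) -> List[str]:
    """Human-readable summary, one entry per crash, native crashes first."""
    out = [f"native crash: {c['process']} (pid {c['pid']}, tid {c['tid']}): {describe_native(c)}; "
           f"tombstone {c['tombstone']}" for c in find_native_crashes(lines)]
    out += [f"java crash: {c['process']} (pid {c['pid']}, thread {c['thread']}): {root_cause_class(c)}"
            for c in find_java_crashes(lines)]
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGCAT):
        print(entry)
```

Run against a saved capture with `triage(open("logcat.txt").read().splitlines())`. On the page's own lines it reports the first crash as `com.android.systemui` (pid 2945), not the spawned app, dying on a jump to address 0, and the second as `sg.vantagepoint.uncrackable1` dying on `android.util.SuperNotCalledException` in its main thread; which process died and whether the fault is native or Java is exactly what a maintainer needs before opening the tombstone or the hook script.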

@ghost

ghost commented Oct 31, 2020

Can we reopen this please?
I'm getting Unable to resume activity
