It is stuck on Injecting Frida

[rootcstar]

Hello,
I am running the command android-unpinner all httptoolkit-pinning-demo.apk but it is stuck on Inject frida gadget message. Could you tell me why ?

[omidshm]

I have the same issue on the Galaxy A54 running Android 14 (and my virtual machine is Ubuntu 23.10). What's your Android version? I think this happened because of my Android version.

On my phone app was started and raised Crash error and I guess my phone killed the process immediately

[brianfife]

I think it is related to this frida/frida-core#383 (comment) based on looking at logcat

[noghartt]

Is there any update on this?

Seeing the code, it seems that already exist an interaction listen on the gadget config.

android-unpinner/android_unpinner/vendor/frida/gadget-config-listen.json

Line 3 in f0822d0

"type": "listen"

[CrossAcid]

I just modify this to "type": "script", then it work out, but the certificate is still not be ignired...

[Himan10]

Hi there,
I am facing the exact same issue. After injecting the Frida gadget, the application gets stuck and does not perform any further processing.

Any solutions or recommendations on how to resolve this issue ?

[k7000i]

Hello im stuck with the same problem. I tried more verbose logs and updated frida gadget so. It seems the jdwp INVOKE_METHOD not get the correct response.

[11:54:44] Target: com.own.testapp.android.release
[11:54:44] Reusing existing file: android-unpinner/Home_Connect_9.5.0_APKPure.unpinned.apk
About to install patched APK. This removes the existing app with all its data. Continue? [y/N]: y
[11:54:56] Uninstall existing app...
[11:54:57] Installing com.own.testapp.android.release...
[11:55:04] Detect architecture...
[11:55:04] Copying matching gadget: frida-gadget-16.2.5-android-arm64.so...
[11:55:04] Copying builtin Frida scripts to /data/local/tmp/android-unpinner...
[11:55:04] Active frida scripts: ['hide-debugger.js', 'httptoolkit-unpinner.js']
[11:55:04] Start app (suspended)...
[11:55:04] Obtain process id...
[11:55:06] A Local_port=62980
[11:55:06] Establish Java Debug Wire Protocol Connection over ADB...
[11:55:06] Packet repr: <bound method Packet.__bytes__ of Commd(0x0000, GET_ID_SIZES, b'')>
[11:55:06] Packet repr: <bound method Packet.__bytes__ of Commd(0x0001, VERSION, b'')>
[11:55:06] Advance until android.app.Activity.onCreate...
[11:55:06] Packet repr: <bound method Packet.__bytes__ of Commd(0x0002, CLASSES_BY_SIGNATURE, b'\x00\x00\x00\x16Landroid/app/Activity;')>
[11:55:06] Packet repr: <bound method Packet.__bytes__ of Commd(0x0003, METHODS, b'\x00\x00\x00\x00\x00\x00\x00\x01')>
[11:55:06] Packet repr: <bound method Packet.__bytes__ of Commd(0x0004, SET_BREAKPOINT,
           b'\x02\x02\x00\x00\x00\x01\x07\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00r\r\xa7\x90\x00\x00\x00\x00\x00\x00\x00\x00')>
[11:55:06] Packet repr: <bound method Packet.__bytes__ of Commd(0x0005, RESUME_VM, b'')>
[11:55:21] Copy Frida gadget into app...
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0006, CLASSES_BY_SIGNATURE, b'\x00\x00\x00\x13Ljava/lang/Runtime;')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0007, METHODS, b'\x00\x00\x00\x00\x00\x00\x00\x03')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0008, INVOKE_STATIC_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0c\xc1\x00\x00\x00\x00\x00\x00\x00\x00')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0009, CREATE_STRING, b'\x00\x00\x00\\cp /data/local/tmp/libgadget.so /data/data/com.own.testapp.android.release/libgadget.so')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x000a, INVOKE_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\xca\x8d\x00\x00\x00\x01L\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x000b, CLASSES_BY_SIGNATURE, b'\x00\x00\x00\x13Ljava/lang/Process;')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x000c, METHODS, b'\x00\x00\x00\x00\x00\x00\x00\x07')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x000d, INVOKE_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\xca\xf7\x00\x00\x00\x00\x00\x00\x00\x00')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x000e, INVOKE_STATIC_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0c\xc1\x00\x00\x00\x00\x00\x00\x00\x00')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x000f, CREATE_STRING, b'\x00\x00\x00jcp /data/local/tmp/libgadget.config.so /data/data/com.own.testapp.android.release/libgadget.config.so')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0010, INVOKE_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\xca\x8d\x00\x00\x00\x01L\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0011, INVOKE_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\t\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\xca\xf7\x00\x00\x00\x00\x00\x00\x00\x00')>
[11:55:21] Inject Frida gadget...
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0012, INVOKE_STATIC_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0c\xc1\x00\x00\x00\x00\x00\x00\x00\x00')>
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0013, CREATE_STRING, b'\x00\x00\x00</data/data/com.own.testapp.android.release/libgadget.so')>
[11:55:21] runtime_id: b'\x00\x00\x00\x00\x00\x00\x00\x04', threadid: b'\x00\x00\x00\x00\x00\x00\x00\x02', path: /data/data/com.own.testapp.android.release/libgadget.so args:
           b'\x00\x00\x00\x01L\x00\x00\x00\x00\x00\x00\x00\n', cmd_str: b'\x00\x00\x00\x00\x00\x00\x00\n'
[11:55:21] Packet repr: <bound method Packet.__bytes__ of Commd(0x0014, INVOKE_METHOD,
           b'\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\xca\xa5\x00\x00\x00\x01L\x00\x00\x00\x00\x00\x00\x00\n\x00\x00\x00\x00')>

[lostdusty]

Same here too, even created an issue on the main repo thinking it was the right place...
mitmproxy/mitmproxy#7009

[weeebdev]

Any workarounds?

[tim-tx]

I ended up using objection to unpin. apk-mitm was also failing.

[sorasful]

Could you detail a bit more about your workaround ? I tried Android Unpinner, but it's still stuck on injecting Frida Gadget.

[tim-tx]

Stopped using android-unpinner entirely. objection is mentioned in the readme of this repo. Did something like this:
https://3os.org/android/ssl-pinning-bypass/#installation

[DentFuse]

Repo looks abandoned, doesn't look like we'll be getting any help.

[SilverBeamx]

READ HERE FOR THE FIX

For anyone wondering, the issue is that, whenever listen mode got added, it was mistakenly enabled for the "all" command. This meant that Frida was stuck waiting for the scripts remotely. To fix the issue, remove the "@listen_option" decorator found in line 250 of the __main__.py file.

I have tested it with the example and traffic is now intercepted correctly (for most of the options)

[mhils]

@SilverBeamx: PRs are welcome!

[SilverBeamx]

@mhils Sure, i can open one rn on the fly! I wrote here because i tought the project was not currently being mantained

[mhils]

I don't have the capacity and interest to provide support, but I'm happy to merge PRs that fix things.

[SilverBeamx]

@mhils PR is up with the relevant explanation. I have not extensively tested the results of the Frida scripts, but as i wrote previously, requests are now correctly intercepted for the most part, while others fail. I think this is more up to some domains used in the demo going offline, but i am not 100% sure