Hello All!
In this post, we will explain how to setup Frida with Android through USB on MacOS. Let’s first prepare your environment.
Environment
You need:
- Rooted Android device or emulator, we like the Pixel 4a.
- brew
- Android SDK Platform-Tools
- Python (latest 3.x recommended)
- Frida
This guide targets Android 9.0 and later.
Developer mode
Enable developer mode by locating the Build Number
item in our system settings and tapping it 7 times.
This is found at: Settings > About Phone > Build Number. Once completed, you will see a You are now a developer!
message.
USB debugging
Enable USB debugging at: Settings > System > Advanced > Developer Options > USB debugging
Setup Tools
Install Android SDK Platform-Tools This is easy, thank you to brew:
$ brew install android-platform-tools
After installation, we will test the adb utility along with USB debugging on our Android device. If using a physical device, be sure that it’s connected to your computer over USB. Run the following command (we will use this output to select the right Frida server binary below):
$ adb shell uname -m
aarch64
Success, we have adb and USB debugging functioning. Also, we confirmed this device is running AArch64/ARM64.
Using adb shell <cmd>
, enables us to run a single command on our Android device and get output back. If we wanted to drop into a shell on our device, we would run adb shell
.
Common issues with adb can be resolved by stopping and starting the server:
$ adb kill-server
$ adb start-server
Setup Frida Server
Download the latest Frida server binary matching your devices architecture. In this example for the Pixel 4a, we use Arm64.
$ wget https://github.com/frida/frida/releases/download/14.2.3/frida-server-14.2.3-android-arm64.xz
Extract and rename the binary to frida-server
:
$ unxz frida-server-14.2.3-android-arm64.xz
$ mv frida-server-14.2.3-android-arm64 frida-server
Upload frida-server
to your Android device and mark it as executable:
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
Get a shell, elevate to root
, execute and background frida-server
:
$ adb shell
sunfish:/ $ su
sunfish:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
sunfish:/ # /data/local/tmp/frida-server &
[1] 9555
Verify frida-server
is running as root
:
$ adb shell
sunfish:/ $ ps -e | grep frida-server
root 9555 1 10851964 3636 do_sys_poll 0 S frida-server
Confirmed to be running as the root
user, let’s move on.
Setup Frida Tools
This can be accomplished with pip
, the Python package installer. Frida prefers Python3 and I have pip3
configured as the package installer for my Python3 environment.
$ pip3 install frida-tools
Frida Basics
Get list of running applications:
$ frida-ps -Ua
Should return something like:
PID Name Identifier
----- -------------------------- -----------------------------------------
1601 Android System android
2151 Bluetooth com.android.bluetooth
1601 Call Management com.android.server.telecom
5900 Carrier Services com.google.android.ims
2529 CneApp com.qualcomm.qti.cne
...
Attach to a process:
$ frida -U org.mozilla.firefox
Attach to a process and load Frida script:
$ frida -U org.mozilla.firefox -l script.js
That is all for now.
Thank you for reading and hope you enjoyed as an initial walkthrough or reference next time you need Frida up in a hurry. Have an issue or want to comment, tweet me.
All the best,
–Cale