Frida is a dynamic code instrumentation toolkit for developing, researching, and reversing applications.

Corellium Frida

For ease of use, we’ve included a Frida daemon in all iOS and Android VMs. To activate the included frida-server, simply navigate to the FRIDA tab, as shown below, and select a process to get started.

You can either use the Corellium user interface, or you can connect directly to the frida-server. In the Corellium user interface, you can upload, edit, download, and execute scripts, as well as attach to processes and receive a frida console.

To interface directly with the frida-server from your local machine, you must first connect to the VPN provided on the CONNECT tab (for cloud users). Then, you must connect to the device.

For example, on Android, you must connect to adb. Once the device is connected and the local machine can see it, Frida will forward the necessary ports and connect using adb, which you can test using the frida-ps -U command:

$ frida-ps -U
 PID  Name
----  -------------------------------------------------------------
 396  adbd
1433  android.ext.services
 240  [email protected]
 315  android.hardware.audio.service
 316  [email protected]
 419  [email protected]
 420  [email protected]
 317  [email protected]
...

For iOS, to use the -U argument, make sure you have USBFlux running. If you want to connect without USBFlux using -H/--host, you should add a new entry 27042->27042 to the PORT FORWARDING tab of your VM and then use:

frida-ps -H [VM IP ADDRESS]:27042

To use the FRIDA tab in the Corellium user interface, you must first select a process. When you click Select a Process, you will be provided with all valid attachable processes on the device that are currently running. The list is explicitly filtered to exclude any processes that would render an error, such as processes that are statically linked or do not include libc. Below is an example of what you will see on the Select a Process prompt. You can quickly filter the list by searching in the magnifying glass field in the top-right-hand corner.

Select a Process prompt

One command that explicitly differs from the stock Frida CLI is %load. If you push a file to the VM, for example to /data/local/tmp, and want to load it into the console, use this command.

     ____
    / _  |   Frida 12.11.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/

[Remote::PID::320]-> %load /data/local/tmp/hook_java.js
[+] Hook android.webkit.WebView.loadUrl()...
[Remote::PID::320]->

Replacing the Built-in Frida Server on Android

To replace the built-in Frida server, for example to run a different version or a customized Frida server:

  • Make sure you're not looking at the Frida tab in the UI. (Under the hood, it's trying to make sure that the Frida server is running.)

  • In a root shell: run setprop ctl.stop fridaserver to stop the Frida server.

  • On Android 7, run mount -o rw,remount /system to remount that partition read-write.
    On later Android versions, run mount -o rw,remount /vendor instead.

  • Replace /vendor/bin/frida-server with your Frida server.

  • Run setprop ctl.start fridaserver to start the Frida server (or navigate back to the Frida tab in the UI).
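
The Android steps above as one script, added here as an example (not Corellium's own code). It assumes adb is already connected to the VM and that adb shell and adb push run as root; remount_target, run and replace_frida_server are names made up for this example, DRY_RUN=1 prints the commands instead of running them, and the chmod step is an addition the steps above do not list.

```shell
#!/bin/sh
# Added example: the Android replacement steps as one script.
# Assumptions: adb is connected to the VM, `adb shell` and `adb push` run as
# root, and the FRIDA tab is not open in the UI (it keeps the server running).

# Print the mount point to remount for an Android release string ("7.1.1", "11").
remount_target() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;            # empty or non-numeric release string
        7) echo /system ;;                  # Android 7
        *) [ "$major" -gt 7 ] || return 1   # older releases: not covered above
           echo /vendor ;;                  # later Android versions
    esac
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Usage: replace_frida_server LOCAL_BINARY [ANDROID_RELEASE]
# ANDROID_RELEASE is read from the device when omitted.
# The chmod step is an addition so the new binary stays executable.
replace_frida_server() {
    bin=$1
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 1; }
    release=${2:-$(adb shell getprop ro.build.version.release | tr -d '\r')}
    target=$(remount_target "$release") || {
        echo "unsupported Android release: $release" >&2; return 1; }
    run adb shell setprop ctl.stop fridaserver &&
    run adb shell mount -o rw,remount "$target" &&
    run adb push "$bin" /vendor/bin/frida-server &&
    run adb shell chmod 755 /vendor/bin/frida-server &&
    run adb shell setprop ctl.start fridaserver
}

# Run only when called with arguments, e.g.: sh replace.sh ./frida-server
if [ "$#" -gt 0 ]; then replace_frida_server "$@"; fi
```

Run it once with DRY_RUN=1 to review the exact commands before letting it touch the VM.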

Replacing the Built-in Frida Server on iOS

  • Make sure you're not looking at the Frida tab in the UI. (Under the hood, it's trying to make sure that the Frida server is running.)

  • On the Files tab, go to the /usr/local/bin/ folder.

  • Remove the frida-server binary.

  • Upload your custom binary (make sure the name is "frida-server").

  • Reboot the VM.
