
Control Which Frida-Server Version the Device Uses

At any point, you can downgrade or upgrade the version of Frida being used by rooted or jailbroken devices. This is useful if you require a specific Frida version for your testing.

Run a Custom frida-server on Android

  1. Download the latest frida-server binary for the arm64 architecture. This can be built from source or you can download a precompiled package from the release tags on Frida's GitHub. Specifically, you're looking for frida-server-{RELEASE-NUMBER}-android-arm64.xz.

    wget https://github.com/frida/frida/releases/download/x.y.z/frida-server-x.y.z-android-arm64.xz
  2. Decompress the file.

    xz -d frida-server-x.y.z-android-arm64.xz
  3. Connect to the device using the adb connect command provided in the UI.

    adb connect {Services IP}:5001
  4. Become super user.

    adb root
  5. Push the frida-server file to the virtual device.

    Note: You can also drop frida-server into this path directly from the Files tab if adb uploads are slow.

    adb push frida-server-x.y.z-android-arm64 /data/local/tmp
  6. Make the file executable.

    adb shell chmod +x /data/local/tmp/frida-server-x.y.z-android-arm64
  7. Before starting the frida-server you've pushed to the device, stop or remove the built-in frida-server to avoid conflicts.

    To stop:

    adb shell stop fridaserver

    To remove, you can find the path with:

    adb shell which frida-server

    Then remount the root filesystem as read-write:

    adb shell mount -o remount,rw /

    Then remove:

    adb shell rm /vendor/bin/frida-server
  8. Start your uploaded frida-server.

    adb shell /data/local/tmp/frida-server-x.y.z-android-arm64 

    Optionally, specify the interface frida-server listens on with -l, and append & to run frida-server in the background. By default, frida-server listens on 127.0.0.1:27042.

    For simplicity, we'll make frida-server listen on all interfaces:

    adb shell /data/local/tmp/frida-server-x.y.z-android-arm64 -l 0.0.0.0 &

    Confirm frida-server is running:

    netstat -tuln | grep 27042
  9. With frida-server listening on all interfaces (0.0.0.0) and an Android device connected via adb, you can start spawning and attaching to apps.

    Webview spawn and attach example:

    % frida -U -f org.chromium.webview_shell
    ____
    / _ | Frida 16.6.6 - A world-class dynamic instrumentation toolkit
    | (_| |
    > _ | Commands:
    /_/ |_| help -> Displays the help system
    . . . . object? -> Display information about 'object'
    . . . . exit/quit -> Exit
    . . . .
    . . . . More info at https://frida.re/docs/home/
    . . . .
    . . . . Connected to Corellium Generic (id=10.11.1.81:5001)
    Spawned `org.chromium.webview_shell`. Resuming main thread!
    [Corellium Generic::org.chromium.webview_shell ]->
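
Step 1 above fetches the arm64 build. The following added example (not from the original page or the Frida project) goes beyond that case: it picks the release asset for other Android ABIs, rejects malformed version strings, and checks a download against a SHA-256 digest. The function names are hypothetical, and the digest is assumed to be one you recorded yourself from a trusted copy.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of Frida or adb.

# Map an Android ABI (from `adb shell getprop ro.product.cpu.abi`)
# to the architecture suffix used in frida-server release asset names.
frida_arch_for_abi() {
  case "$1" in
    arm64-v8a)            echo arm64 ;;
    armeabi-v7a|armeabi)  echo arm ;;
    x86_64)               echo x86_64 ;;
    x86)                  echo x86 ;;
    *) echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# Build the release URL. Only a plain x.y.z version is accepted, so a
# mistyped argument cannot change the path that gets fetched.
frida_server_url() {
  _ver="$1"
  case "$_ver" in
    ''|*[!0-9.]*) echo "bad version: $_ver" >&2; return 1 ;;
  esac
  printf '%s\n' "$_ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || {
    echo "bad version: $_ver" >&2; return 1; }
  _arch="$(frida_arch_for_abi "$2")" || return 1
  echo "https://github.com/frida/frida/releases/download/${_ver}/frida-server-${_ver}-android-${_arch}.xz"
}

# Compare a file's SHA-256 with a digest recorded from a trusted copy
# (assumption: you keep such a digest for the builds you approve).
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    _actual="$(sha256sum "$1" | awk '{print $1}')"
  else
    _actual="$(shasum -a 256 "$1" | awk '{print $1}')"
  fi
  [ "$_actual" = "$2" ]
}

# Constructed sample: the version shown in the banner above, arm64 device.
frida_server_url 16.6.6 arm64-v8a
```

Run verify_sha256 on the .xz file before decompressing and pushing it to the device.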

If you have more than one device connected to the host machine over adb, then the scripts and different commands may have issues identifying which device to talk to. When connecting to a device over TCP/IP, the "serial number" becomes the IP address and port. This means you can identify the devices using the Services IP for both adb and frida commands like below:

adb -s 10.30.71.1:5001 shell /data/local/tmp/frida-server -l {Host IP}
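
A listener bound to 0.0.0.0 is reachable by every host that can route to the device, while the command above binds to one address only. The following added example (not from the original page) classifies what port 27042 is bound to from `netstat -tuln` output. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Constructed sample of `adb shell netstat -tuln` output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:27042           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Read netstat output on stdin and print "<scope> <local address>" for each
# TCP listener on the given port (default 27042, frida-server's default).
frida_listener_scope() {
  _port="${1:-27042}"
  awk -v port="$_port" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      if (parts[n] != port) next
      # Everything before the last ":" is the host (handles IPv6 such as ::1)
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (host == "127.0.0.1" || host == "::1") scope = "loopback"
      else if (host == "0.0.0.0" || host == "::" || host == "*") scope = "all-interfaces"
      else scope = "single-address"
      print scope, addr
    }'
}

# Succeed when at least one listener on the port is not loopback-only.
frida_is_exposed() {
  frida_listener_scope "$@" | grep -v '^loopback ' >/dev/null
}

# On a live device: adb -s <serial> shell netstat -tuln | frida_listener_scope
printf '%s\n' "$SAMPLE_NETSTAT" | frida_listener_scope
```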

Example Script for Android

To target a specific device from a Frida script, use the Device Manager and specify which device you want to connect to.

Below is an example Python script that loads a script against a specific package name.

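#!/usr/bin/python3
# unpacker.py
import sys

import frida

# adb serial of the target device: the Services IP and port
device_ip = '10.x.x.x:5001'
script_name = 'emulator_cloak.js'
package_name = 'diff.strazzere.anti'


def on_message(message, data):
    # Print payloads the script passes to send(); dump anything else as-is
    if message['type'] == 'send':
        print('[*] {0}'.format(message['payload']))
    else:
        print(message)


# Read the instrumentation script to inject
with open(script_name, 'r') as fd:
    source = fd.read()

# Select the device by its id so the right one is used when several are connected
dm = frida.get_device_manager()
device = dm.get_device(device_ip)

# Spawn the app suspended, attach, load the script, then let the app run
pid = device.spawn([package_name])
session = device.attach(pid)
script = session.create_script(source)
script.on('message', on_message)
script.load()
device.resume(pid)

# Keep the process alive so messages keep arriving
sys.stdin.read()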

Replace the Built-In Frida Server on iOS

Complete the following steps to replace the frida-server binary for iOS.

  1. Create the file and paste in the script below (we recommend connecting to the device over ssh before editing the file).

    vim frida_update.sh
  2. Make the script executable for your user.

    chmod u+x frida_update.sh
  3. Run the script from the root directory of your iOS device and pass in the version of frida-server you would like to run.

    cd ~
    ./frida_update.sh 16.0.5
  4. You can verify the frida-server was updated.

    frida-server --version

You can now begin interacting with the device's frida-server.

Script to Replace the Version of frida-server on your iOS Device

#!/bin/bash
FRIDA_VER=$1
# require the version argument so the download URL is well-formed
if [ -z "$FRIDA_VER" ]; then
  echo "usage: $0 <frida-version>" >&2
  exit 1
fi
# contains plist
cd /Library/LaunchDaemons/ || exit 1
# move plist to root
mv re.frida.server.plist ~
cd ~ || exit 1
# unload service
launchctl unload re.frida.server.plist
# stash plist
mv re.frida.server.plist /Library/LaunchDaemons
mv /Library/LaunchDaemons/re.frida.server.plist /Library/LaunchDaemons/re.frida.server.backup
# fetch FRIDA
wget -O "/tmp/frida_${FRIDA_VER}_iphoneos-arm.deb" "https://github.com/frida/frida/releases/download/${FRIDA_VER}/frida_${FRIDA_VER}_iphoneos-arm.deb"
# update server, agent and plist
dpkg -i "/tmp/frida_${FRIDA_VER}_iphoneos-arm.deb"
# restore plist
mv /Library/LaunchDaemons/re.frida.server.backup /Library/LaunchDaemons/re.frida.server.plist
# launch service using new plist
launchctl load /Library/LaunchDaemons/re.frida.server.plist
# delete package
rm "/tmp/frida_${FRIDA_VER}_iphoneos-arm.deb"