
Android 15, unable to perform state transition

Open matbrik opened this issue 1 year ago • 3 comments

Device: Pixel 6, Android 15 beta AP31.240617.015, rooted with Magisk

```
./frida-inject-16.5.1-android-arm64 -p 1437 -i -s test.js
{"type":"error","description":"Error: Unable to perform state transition; please file a bug","stack":"Error: Unable to perform state transition; please file a bug
    at bt (frida/node_modules/frida-java-bridge/lib/android.js:578)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-model.js:115)
    at build (frida/node_modules/frida-java-bridge/lib/class-model.js:7)
    at _make (frida/node_modules/frida-java-bridge/lib/class-factory.js:168)
    at use (frida/node_modules/frida-java-bridge/lib/class-factory.js:62)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:224)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
    at perform (frida/node_modules/frida-java-bridge/index.js:204)
    at <eval> (/test.js:17)","fileName":"frida/node_modules/frida-java-bridge/lib/android.js","lineNumber":578,"columnNumber":1}
```

I get the same error using frida-server.

How can I debug this? I cannot match the line numbers in the stack trace with the relevant code in the source files.

matbrik · Sep 16 '24 08:09

It's a Frida bug.

If the ROM has a Google Play System Update from before August 2024, the workaround in the link below can be applied. However, if the ROM has one from after August 2024, the workaround may not be applicable, and this is something the Frida developers need to fix.

https://github.com/frida/frida/issues/2958

pig837 · Sep 16 '24 18:09

I found the issue and I've tested a "hardcoded" version of Frida. Basically, at https://github.com/frida/frida-java-bridge/blob/main/lib/android.js#L3929 Frida looks for the address of ExceptionClear, but the address found is wrong. Setting the correct address of ExceptionClear (found by diffing two libart builds) makes Frida work again. Next week I'll try to find the new offset in the vtable for ExceptionClear and commit the fix.

matbrik · Sep 20 '24 16:09
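As an added example, not code from this thread or from frida-java-bridge: a Frida script that reads the JNIEnv function-table slot for ExceptionClear and reports where it points, which is the kind of check that helps tell a wrong-address problem (as described in the comment above) from some other failure. The table order is the JNINativeInterface layout from jni.h (only the first 34 entries are listed); the symbol-name matching assumes ART's usual Itanium-mangled names (`art::JNI<...>::ExceptionClear` and `art::CheckJNI::ExceptionClear`), and the Frida API calls (`Java.vm.getEnv()`, `Process.findModuleByAddress`, `DebugSymbol.fromAddress`, `Module.enumerateExports`) assume Frida 16. The pure helpers also run under plain Node.js; the device-side part only runs when the `Java` global exists.

```javascript
'use strict';
// Added example (not frida-java-bridge code): inspect the JNIEnv table slot for
// a JNI function such as ExceptionClear and report which native symbol it holds.

// Leading members of struct JNINativeInterface, in jni.h declaration order.
// The JNI spec fixes this order, so the slot index is stable across Android
// versions. Only the first 34 entries are listed here.
const JNI_TABLE_PREFIX = [
  'reserved0', 'reserved1', 'reserved2', 'reserved3',
  'GetVersion', 'DefineClass', 'FindClass',
  'FromReflectedMethod', 'FromReflectedField', 'ToReflectedMethod',
  'GetSuperclass', 'IsAssignableFrom', 'ToReflectedField',
  'Throw', 'ThrowNew', 'ExceptionOccurred', 'ExceptionDescribe', 'ExceptionClear',
  'FatalError', 'PushLocalFrame', 'PopLocalFrame',
  'NewGlobalRef', 'DeleteGlobalRef', 'DeleteLocalRef', 'IsSameObject', 'NewLocalRef',
  'EnsureLocalCapacity', 'AllocObject', 'NewObject', 'NewObjectV', 'NewObjectA',
  'GetObjectClass', 'IsInstanceOf', 'GetMethodID',
];

// Index of a JNI function pointer inside JNINativeInterface.
function jniSlotIndex(name) {
  const i = JNI_TABLE_PREFIX.indexOf(name);
  if (i < 0) throw new Error(`${name} is not in the listed table prefix`);
  return i;
}

// Byte offset of that function pointer from the start of the table.
function jniSlotOffset(name, pointerSize) {
  return jniSlotIndex(name) * pointerSize;
}

// Itanium C++ mangling writes each name component as <length><name>, so the
// mangled form of art::JNI<true>::ExceptionClear(_JNIEnv*) contains
// "14ExceptionClear". (Assumption: ART keeps these conventional names.)
function mangledNeedle(name) {
  return `${name.length}${name}`;
}

// Classify a mangled libart symbol relative to a JNI function name:
// 'jni' for art::JNI<...>::<name>, 'checkjni' for the CheckJNI wrapper that the
// table points at when -Xcheck:jni is active, otherwise 'other'.
function classifyArtSymbol(symbolName, jniName) {
  if (typeof symbolName !== 'string' || !symbolName.includes(mangledNeedle(jniName))) return 'other';
  if (symbolName.startsWith('_ZN3art3JNI')) return 'jni';
  if (symbolName.startsWith('_ZN3art8CheckJNI')) return 'checkjni';
  return 'other';
}

// Device-side part: must run inside Java.perform() in a Frida session.
function inspectJniSlot(jniName) {
  const env = Java.vm.getEnv();               // JNIEnv* of the current thread
  const table = env.handle.readPointer();     // JNIEnv -> const JNINativeInterface*
  const slot = table.add(jniSlotOffset(jniName, Process.pointerSize));
  const target = slot.readPointer();          // the function the slot points at
  const mod = Process.findModuleByAddress(target);
  const sym = DebugSymbol.fromAddress(target);
  // Does any libart export with the expected mangled name sit at that address?
  const artExport = Process.getModuleByName('libart.so')
    .enumerateExports()
    .find(e => classifyArtSymbol(e.name, jniName) === 'jni');
  return {
    slotIndex: jniSlotIndex(jniName),
    target: target.toString(),
    module: mod ? mod.name : null,
    symbol: sym.name,
    kind: classifyArtSymbol(sym.name, jniName),
    matchesLibartExport: artExport !== undefined && artExport.address.equals(target),
  };
}

if (typeof Java !== 'undefined' && typeof Java.perform === 'function') {
  Java.perform(() => {
    console.log(JSON.stringify(inspectJniSlot('ExceptionClear'), null, 2));
  });
}
```

Run it with the same `frida-inject ... -s` invocation as above. A slot whose `module` is not `libart.so`, or whose `kind` is `checkjni` (a debuggable app with CheckJNI enabled gets the checking wrappers, not the plain implementations), tells you that whatever is disassembled at that address is not the function the bridge expects.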

@matbrik same issue, have you solved it?

QingShiLuoGu · Oct 22 '24 09:10

This temporary solution, https://github.com/frida/frida/issues/2958#issuecomment-2488844579, worked for me on Android 15.

Hamza-Megahed · Nov 22 '24 11:11