Persistent Frida Scripts
FIRERPA lets you persist Frida scripts. You inject scripts through the interfaces described here, and FIRERPA’s script manager then manages the injected scripts automatically. Even if your script exits abnormally or the app process exits, FIRERPA reinjects the script the next time the app opens. This feature was introduced in version 7.80.
Installing Scripts
Use this interface to install a script for an application. The script is injected into that application immediately after installation and is registered with the script manager, which continuously monitors it and reinjects it when needed.
Attention
The script manager only allows one script to be injected for each APP at a time. You cannot inject multiple scripts into the same application at once.
app = d.application("com.android.settings")
app.attach_script(script, runtime=ScriptRuntime.RUNTIME_QJS, standup=5)
The script parameter is the content of the Frida script to inject (bytecode is supported), and runtime is the runtime to use (default is qjs). The standup parameter means the script is only injected after the app process has been running for that many seconds, 5 in this example, counted from when the process is created. This parameter is a minimum of 1 second and a maximum of 300 seconds, and exists to avoid race conditions such as crashes caused by injecting into the application process too early. In spawn mode, this parameter should always be 0.
This interface also supports spawn-mode injection. Note that spawn mode may interrupt your UI operation flow if you are operating the UI at the same time: whenever script injection fails or the application exits, spawn mode automatically relaunches the application, which interferes with your interface operations. If you need spawn mode, use the following parameters.
app = d.application("com.android.settings")
app.attach_script(script, runtime=ScriptRuntime.RUNTIME_QJS, spawn=True, standup=0)
Note the difference between spawn mode and normal mode. In normal mode, if the application exits for some reason, the script manager waits until the application starts again before injecting and does not start the application on its own. You may therefore need to start the application yourself, through code or manually, for injection to continue. In spawn mode, even if the application exits, the application is started automatically and the script is injected.
Uninstalling
This interface removes the Frida script that has been installed for the application. The script is also detached from the application process, and FIRERPA’s script manager no longer monitors the script’s health or reinjects it after a script failure.
app = d.application("com.android.settings")
app.detach_script()
Checking if Installed
This interface is used to check if a script has been installed in the application. You can check if you need to reinstall based on this status.
app = d.application("com.android.settings")
app.is_attached_script()
Checking if Injected
This interface checks whether your installed script is currently injected into the application process. Even after a script has been installed, it may not be injected, because the application may not have been started or the script may contain errors. Based on the return value, you can decide whether you need to start the application or check the injection script for syntax errors.
app = d.application("com.android.settings")
app.is_script_alive()
Viewing Script Logs
You can view console output such as console.log, as well as script error information, from your script, but logging must be set up in advance at startup. See the Viewing Logs chapter to learn how to set up log files. Below, we assume you have correctly set the log file to /data/local/tmp/server.log. To view script logs, run the following command, which extracts all injection script log lines. You can also use commands like tail -f to follow the logs continuously.
grep SCRIPT /data/local/tmp/server.log
Offline Persistence
Offline persistence means you can place your Frida scripts on the phone as configuration files, and FIRERPA automatically loads them after it starts. You do not need the API interfaces above for injection, cancellation, and so on; you only need to write the script file in a specific format and place it in a fixed directory. This feature supports directory monitoring with real-time loading, unloading, and updating of scripts, so edits made directly in the script directory are also applied in real time. Here is a simple YAML script persistence configuration. The script content in the configuration below is console.log("Hello From Yaml Script").
enable: true
application: "com.android.settings"
version: "2.10"
user: 0
runtime: "qjs"
script: !!binary "Y29uc29sZS5sb2coIkhlbGxvIEZyb20gWWFtbCBTY3JpcHQiKQ=="
emit: "http://myserver/reportData"
encode: "none"
standup: 10
spawn: false
Detailed explanation of each configuration item in the above example script configuration:
Field | Description |
---|---|
enable | Whether to enable this script |
application | Application ID to inject the script (e.g., com.android.settings) |
version | Version of the application that the injection script supports ("N/A" means no version limit) |
user | If it's a multi-instance application, please specify the user ID of the multi-instance application (usually 999) |
script | Script content base64, supports text or binary (please write according to the template) |
runtime | Script runtime (qjs, v8) |
standup | Delayed injection time (calculated from process start time) |
spawn | Use spawn mode (will ignore standup) |
encode | If the script has data reporting, specify the encoding here (zlib/none) |
emit | If the script has data reporting, specify the destination here |
For more about the emit data reporting function, see the Using Frida to Report Data chapter.
The above is a complete offline script example. After writing it, save the content as a file named {file_name}.yaml and place it in the device’s /data/usr/modules/script folder. The system loads your configuration automatically and detects changes to the /data/usr/modules/script directory. If you update or delete a YAML configuration, the system also automatically updates or cancels the injection of your script.
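
A helper that renders this file format from script source and checks the fields against the table above, as an added example that is not FIRERPA's own code. The function name render_script_config and its defaults are hypothetical. It assumes the 1 to 300 second standup range stated for the API also applies to the YAML field, and that emit and encode may be omitted when the script reports no data.

```python
import base64

RUNTIMES = {"qjs", "v8"}       # runtimes listed in the field table
ENCODINGS = {"none", "zlib"}   # report encodings listed in the field table


def render_script_config(application, script_source, *, version="N/A", user=0,
                         runtime="qjs", standup=5, spawn=False,
                         emit=None, encode="none", enable=True):
    """Return the text of an offline persistence YAML file (hypothetical helper)."""
    if runtime not in RUNTIMES:
        raise ValueError(f"runtime must be one of {sorted(RUNTIMES)}")
    if encode not in ENCODINGS:
        raise ValueError(f"encode must be one of {sorted(ENCODINGS)}")
    if spawn:
        standup = 0  # spawn mode ignores standup; the API text says to use 0
    elif not 1 <= standup <= 300:
        # Assumption: the API's 1..300 second bound also applies to the YAML field.
        raise ValueError("standup must be between 1 and 300 seconds")
    if isinstance(script_source, str):
        script_source = script_source.encode("utf-8")
    blob = base64.b64encode(script_source).decode("ascii")

    def quote(value):  # emit a double-quoted YAML scalar
        return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

    lines = [
        f"enable: {'true' if enable else 'false'}",
        f"application: {quote(application)}",
        f"version: {quote(version)}",
        f"user: {int(user)}",
        f"runtime: {quote(runtime)}",
        f"script: !!binary {quote(blob)}",
    ]
    if emit is not None:
        # Assumption: these two keys are only needed when the script reports data.
        lines += [f"emit: {quote(emit)}", f"encode: {quote(encode)}"]
    lines += [f"standup: {int(standup)}", f"spawn: {'true' if spawn else 'false'}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_script_config("com.android.settings",
                               'console.log("Hello From Yaml Script")',
                               version="2.10", standup=10,
                               emit="http://myserver/reportData"))
```

Write the returned text to {file_name}.yaml and copy it into /data/usr/modules/script as described above.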