Frida version: 17.8.3
Device: Infinix X6870, XOS Android 15, SDK 35, arm64-v8a
Build fingerprint: Infinix/X6870-IN/Infinix-X6870:15/AP3A.240905.015.A2/145004:user/release-keys
Error:
Failed to spawn: unable to locate android.os.Process.setArgV0() slot; please file a bug
Command used:
frida -R -f delivery.samurai.android \
  --aux="aslr=(bool)false" \
  --aux="spawn-timeout=(int)60" \
  --aux="emulated-agent-thread=(bool)true" \
  -l script.js
Root cause:
In framework.jar (classes3.dex) on this device, android.os.Process has:
slot 67: setArgV0 → NOT native (pure Java wrapper)
slot 68: setArgV0Native → NATIVE (registered via RegisterNatives)
setArgV0 is a Java wrapper that calls setArgV0Native internally.
setArgV0Native is the actual JNI method, registered dynamically.
In /system/lib64/libandroid_runtime.so:
2899: 00000000001ac700   428 FUNC    GLOBAL DEFAULT   16 _Z27android_os_Process_setArgV0P7_JNIEnvP8_jobjectP8_jstring
3573: 00000000000efb30   116 FUNC    GLOBAL DEFAULT   16 _ZN7android14AndroidRuntime8setArgv0EPKcb
setArgV0Native → present as string only, NOT an exported symbol.
Registered dynamically via RegisterNatives at runtime.
Failure flow in do_prepare_zymbiote_injection:
- enumerate_exports finds _Z27android_os_Process_setArgV0 at 0x1ac700
  → original_setargv0 is set correctly, no error here
- heap memmem scan through boot.art / boot-framework.art / dalvik-LinearAlloc
  looks for a pointer whose value == original_setargv0
- Because setArgV0 is NOT native in the dex, ART never registers
  _Z27android_os_Process_setArgV0 as a JNI function pointer in the heap.
  ART only stores a pointer to the setArgV0Native trampoline (runtime address,
  not statically knowable).
- memmem returns null → setargv0_slot == 0
  → "Unable to locate android.os.Process.setArgV0() slot" thrown
Summary:
Frida scans the heap for a pointer to _Z27android_os_Process_setArgV0,
but on this OEM build ART never writes that pointer to the heap because
setArgV0 is not declared native in the dex. The actual native
(setArgV0Native) is registered via RegisterNatives and its ART trampoline
address is only known at runtime.
strings output from classes3.dex:
setArgV0
setArgV0Native
readelf output from /system/lib64/libandroid_runtime.so:
2899: 00000000001ac700   428 FUNC    GLOBAL DEFAULT   16 _Z27android_os_Process_setArgV0P7_JNIEnvP8_jobjectP8_jstring
3573: 00000000000efb30   116 FUNC    GLOBAL DEFAULT   16 _ZN7android14AndroidRuntime8setArgv0EPKcb
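Added diagnostic, not Frida's code and not part of the report above: it models the slot scan the report describes (a byte-wise search for the little-endian value of original_setargv0) and parses the readelf rows quoted above, then, when loaded into a Frida agent on a device, checks live whether android.os.Process.setArgV0 is declared native and whether any .art mapping holds a pointer to the exported symbol. The readelf rows are copied from the report; SAMPLE_RUNTIME_BASE, SAMPLE_TRAMPOLINE and the fake heap region are made-up values so the offline part runs anywhere.

```javascript
// Added diagnostic (not Frida's code, not from the report). The pure helpers run
// under node; the block at the bottom runs only inside a Frida agent on a device.

// Little-endian byte pattern for a pointer, in the "aa bb cc" form that
// Memory.scanSync() accepts (8 bytes on arm64).
function pointerPattern(address, pointerSize = 8) {
  let v = BigInt(address);
  const bytes = [];
  for (let i = 0; i < pointerSize; i++) {
    bytes.push((v & 0xffn).toString(16).padStart(2, '0'));
    v >>= 8n;
  }
  return bytes.join(' ');
}

// Model of the slot scan: byte-wise memmem for the pointer value `target` in `buf`
// (Uint8Array); returns the offset or -1, which is what the reported device produces.
function findPointerSlot(buf, target) {
  const needle = pointerPattern(target).split(' ').map(h => parseInt(h, 16));
  outer: for (let i = 0; i + needle.length <= buf.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (buf[i + j] !== needle[j]) continue outer;
    }
    return i;
  }
  return -1;
}

// Parse `readelf -Ws` rows, also in the copy/paste form where the name wrapped to the next line.
function parseReadelfSymbols(text) {
  const row = /^(\d+):\s+([0-9a-fA-F]+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\S+)(?:\s+(\S+))?$/;
  const lines = text.split('\n').map(l => l.trim()).filter(l => l.length > 0);
  const out = [];
  for (let i = 0; i < lines.length; i++) {
    const m = row.exec(lines[i]);
    if (m === null) continue;
    let name = m[8];
    if (name === undefined && i + 1 < lines.length && !row.test(lines[i + 1])) {
      name = lines[++i]; // mangled name wrapped onto the following line
    }
    out.push({ value: BigInt('0x' + m[2]), size: Number(m[3]), type: m[4], name: name ?? '' });
  }
  return out;
}

// Constructed sample data: readelf rows from the report, addresses made up.
const SAMPLE_READELF = `
  2899: 00000000001ac700   428 FUNC    GLOBAL DEFAULT   16
_Z27android_os_Process_setArgV0P7_JNIEnvP8_jobjectP8_jstring
  3573: 00000000000efb30   116 FUNC    GLOBAL DEFAULT   16
_ZN7android14AndroidRuntime8setArgv0EPKcb
`;
const SAMPLE_RUNTIME_BASE = 0x7b2d100000n;            // hypothetical libandroid_runtime.so base
const SAMPLE_EXPORT = SAMPLE_RUNTIME_BASE + 0x1ac700n; // what original_setargv0 would hold
const SAMPLE_TRAMPOLINE = 0x7b3e5c0000n;              // hypothetical setArgV0Native trampoline

// Fake ArtMethod-sized region holding only the trampoline pointer, at offset 16.
function buildSampleHeap() {
  const buf = new Uint8Array(64);
  let v = SAMPLE_TRAMPOLINE;
  for (let i = 0; i < 8; i++) { buf[16 + i] = Number(v & 0xffn); v >>= 8n; }
  return buf;
}
const SAMPLE_HEAP = buildSampleHeap();

// Offline reproduction of the report's reasoning, as plain values.
function diagnoseOffline() {
  const syms = parseReadelfSymbols(SAMPLE_READELF);
  return {
    exportedSetArgV0: syms.filter(s => s.name.includes('setArgV0')).map(s => s.name),
    exportedSetArgV0Native: syms.filter(s => s.name.includes('setArgV0Native')).length,
    slotForExport: findPointerSlot(SAMPLE_HEAP, SAMPLE_EXPORT),         // -1: the reported failure
    slotForTrampoline: findPointerSlot(SAMPLE_HEAP, SAMPLE_TRAMPOLINE), // 16: what ART actually stored
  };
}

// Frida-only part: check the same two facts live on a device.
if (typeof Java !== 'undefined' && typeof Process !== 'undefined') {
  Java.perform(() => {
    const Modifier = Java.use('java.lang.reflect.Modifier');
    const JString = Java.use('java.lang.String');
    const cls = Java.use('android.os.Process').class;
    for (const name of ['setArgV0', 'setArgV0Native']) {
      try {
        const m = cls.getDeclaredMethod(name, [JString.class]);
        console.log(name, Modifier.isNative(m.getModifiers()) ? 'NATIVE' : 'plain Java');
      } catch (e) {
        console.log(name, 'not declared on android.os.Process');
      }
    }
    const rt = Process.findModuleByName('libandroid_runtime.so');
    const exp = rt && rt.enumerateExports().find(e => e.name.includes('setArgV0'));
    console.log('export:', exp ? `${exp.name} @ ${exp.address}` : 'none');
    if (exp) {
      const hits = Process.enumerateRanges('r--')
        .filter(r => r.file && /\.art$/.test(r.file.path))
        .flatMap(r => Memory.scanSync(r.base, r.size, pointerPattern(exp.address.toString())));
      console.log(`pointer to ${exp.name} in .art mappings: ${hits.length} hit(s)`);
    }
  });
}
```

Run the file under node to see the offline model, or load it with `frida -U -n system_server -l` (or against any app process) to print the live checks; zero hits for the exported symbol alongside setArgV0 reported as plain Java is the condition the report describes.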