-
Notifications
You must be signed in to change notification settings - Fork 71
Open
Description
I have a empty binder-trace GUI, A13, adb over usb
What I may missing on android configuration to see events?
Host frida
version
$ pip list | grep frida
frida 17.2.4
the frida
server
/data/local/tmp # ./frida-server --version
17.2.4
/data/local/tmp # ./frida-server -v
# nothing is printed
the PC:
$ binder-trace -d <id> -a 13 -n <java_process>
$ cat binder_trace-log.txt
2025-06-25 15:23:33,449: INFO Starting injector
2025-06-25 15:23:33,450: INFO Injector started
2025-06-25 15:23:33,523: INFO Injector waiting for stop event
2025-06-25 15:23:47,788: INFO Q pressed. App exiting.
2025-06-25 15:23:47,932: INFO Stopping injector
2025-06-25 15:23:47,933: INFO Stop event received
2025-06-25 15:23:47,952: INFO Script unloaded
2025-06-25 15:23:47,952: INFO Injector stopped
2025-06-25 15:23:47,952: INFO Injector stopped.
Device logcat
06-25 09:18:03.613 4334 10060 D linker : dlopen(name="/proc/self/fd/106", flags=0x1, extinfo=(null), caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0, targetSdkVersion=29) ...
06-25 09:18:03.614 4334 10060 D linker : find_libraries(ns=(default)): task=/proc/self/fd/106, is_dt_needed=0
06-25 09:18:03.614 4334 10060 D linker : load_library(ns=(default), task=/proc/self/fd/106, flags=0x1, search_linked_namespaces=1): calling open_library
06-25 09:18:03.615 4334 10060 D linker : load_library(ns=(default), task=/proc/self/fd/106, flags=0x1, realpath=/memfd:frida-agent-64.so (deleted), search_linked_namespaces=1)
06-25 09:18:03.615 4334 10060 D linker : load_library(ns=(default), task=/proc/self/fd/106): Adding DT_NEEDED task: libm.so
06-25 09:18:03.615 4334 10060 D linker : load_library(ns=(default), task=/proc/self/fd/106): Adding DT_NEEDED task: liblog.so
06-25 09:18:03.615 4334 10060 D linker : load_library(ns=(default), task=/proc/self/fd/106): Adding DT_NEEDED task: libdl.so
06-25 09:18:03.615 4334 10060 D linker : load_library(ns=(default), task=/proc/self/fd/106): Adding DT_NEEDED task: libc.so
06-25 09:18:03.615 4334 10060 D linker : find_libraries(ns=(default)): task=libm.so, is_dt_needed=1
06-25 09:18:03.615 4334 10060 D linker : find_library_internal(ns=(default), task=libm.so): Already loaded (by soname): /apex/com.android.runtime/lib64/bionic/libm.so
06-25 09:18:03.615 4334 10060 D linker : find_libraries(ns=(default)): task=liblog.so, is_dt_needed=1
06-25 09:18:03.616 4334 10060 D linker : find_library_internal(ns=(default), task=liblog.so): Already loaded (by soname): /system/lib64/liblog.so
06-25 09:18:03.616 4334 10060 D linker : find_libraries(ns=(default)): task=libdl.so, is_dt_needed=1
06-25 09:18:03.616 4334 10060 D linker : find_library_internal(ns=(default), task=libdl.so): Already loaded (by soname): /apex/com.android.runtime/lib64/bionic/libdl.so
06-25 09:18:03.616 4334 10060 D linker : find_libraries(ns=(default)): task=libc.so, is_dt_needed=1
06-25 09:18:03.616 4334 10060 D linker : find_library_internal(ns=(default), task=libc.so): Already loaded (by soname): /apex/com.android.runtime/lib64/bionic/libc.so
06-25 09:18:03.620 4334 10060 D linker : ... dlopen calling constructors: realpath="/memfd:frida-agent-64.so (deleted)", soname="libfrida-agent-raw.so", handle=0x353998bc341754f9
06-25 09:18:03.621 4334 10060 D linker : ... dlopen successful: realpath="/memfd:frida-agent-64.so (deleted)", soname="libfrida-agent-raw.so", handle=0x353998bc341754f9
06-25 09:18:03.622 4334 10060 D linker : dlsym(handle=0x353998bc341754f9("/memfd:frida-agent-64.so (deleted)"), sym_name="frida_agent_main", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.622 4334 10060 D linker : ... dlsym successful: sym_name="frida_agent_main", sym_ver="(null)", found in="libfrida-agent-raw.so", address=0x772d754050
06-25 09:18:03.654 4334 10060 D linker : dlsym(handle=0x0("n/a"), sym_name="open", sym_ver="(null)", caller="/memfd:frida-agent-64.so (deleted)", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.654 4334 10060 D linker : ... dlsym successful: sym_name="open", sym_ver="(null)", found in="libc.so", address=0x7afc3eb74c
06-25 09:18:03.656 4334 10060 D linker : dlsym(handle=0xffffffffffffffff("n/a"), sym_name="exit", sym_ver="(null)", caller="/memfd:frida-agent-64.so (deleted)", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.656 4334 10060 D linker : ... dlsym successful: sym_name="exit", sym_ver="(null)", found in="libc.so", address=0x7afc43d5fc
06-25 09:18:03.656 4334 10060 D linker : dlopen(name="/apex/com.android.runtime/lib64/bionic/libc.so", flags=0x104, extinfo=(null), caller="/system/bin/app_process64", caller_ns=(default)@0x7afed2f5e0, targetSdkVersion=29) ...
06-25 09:18:03.657 4334 10060 D linker : find_libraries(ns=(default)): task=/apex/com.android.runtime/lib64/bionic/libc.so, is_dt_needed=0
06-25 09:18:03.657 4334 10060 D linker : load_library(ns=(default), task=/apex/com.android.runtime/lib64/bionic/libc.so, flags=0x104, search_linked_namespaces=1): calling open_library
06-25 09:18:03.657 4334 10060 D linker : load_library(ns=(default), task=/apex/com.android.runtime/lib64/bionic/libc.so, flags=0x104, realpath=/apex/com.android.runtime/lib64/bionic/libc.so, search_linked_namespaces=1)
06-25 09:18:03.657 4334 10060 D linker : load_library(ns=(default), task=/apex/com.android.runtime/lib64/bionic/libc.so): Already loaded under different name/path "/apex/com.android.runtime/lib64/bionic/libc.so" - will return existing soinfo
06-25 09:18:03.657 4334 10060 D linker : ... dlopen calling constructors: realpath="/apex/com.android.runtime/lib64/bionic/libc.so", soname="libc.so", handle=0x93ccd08c44db9715
06-25 09:18:03.657 4334 10060 D linker : ... dlopen successful: realpath="/apex/com.android.runtime/lib64/bionic/libc.so", soname="libc.so", handle=0x93ccd08c44db9715
06-25 09:18:03.657 4334 10060 D linker : dlsym(handle=0x93ccd08c44db9715("/apex/com.android.runtime/lib64/bionic/libc.so"), sym_name="exit", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.657 4334 10060 D linker : ... dlsym successful: sym_name="exit", sym_ver="(null)", found in="libc.so", address=0x7afc43d5fc
06-25 09:18:03.658 4334 10060 D linker : dlsym(handle=0x93ccd08c44db9715("/apex/com.android.runtime/lib64/bionic/libc.so"), sym_name="_exit", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.658 4334 10060 D linker : ... dlsym successful: sym_name="_exit", sym_ver="(null)", found in="libc.so", address=0x7afc433d30
06-25 09:18:03.658 4334 10060 D linker : dlsym(handle=0x93ccd08c44db9715("/apex/com.android.runtime/lib64/bionic/libc.so"), sym_name="abort", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.658 4334 10060 D linker : ... dlsym successful: sym_name="abort", sym_ver="(null)", found in="libc.so", address=0x7afc3df70c
06-25 09:18:03.658 4334 10060 D linker : dlsym(handle=0x93ccd08c44db9715("/apex/com.android.runtime/lib64/bionic/libc.so"), sym_name="signal", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.658 4334 10060 D linker : ... dlsym successful: sym_name="signal", sym_ver="(null)", found in="libc.so", address=0x7afc3eedbc
06-25 09:18:03.659 4334 10060 D linker : dlsym(handle=0x93ccd08c44db9715("/apex/com.android.runtime/lib64/bionic/libc.so"), sym_name="sigaction", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.659 4334 10060 D linker : ... dlsym successful: sym_name="sigaction", sym_ver="(null)", found in="libc.so", address=0x7afc3ee74c
06-25 09:18:03.706 4334 10064 D linker : dlsym(handle=0x93ccd08c44db9715("/apex/com.android.runtime/lib64/bionic/libc.so"), sym_name="pthread_exit", sym_ver="(null)", caller="/apex/com.android.runtime/lib64/bionic/libc.so", caller_ns=(default)@0x7afed2f5e0) ...
06-25 09:18:03.708 4334 10064 D linker : ... dlsym successful: sym_name="pthread_exit", sym_ver="(null)", found in="libc.so", address=0x7afc447878
the android's trace
# tail /sys/kernel/tracing/trace
HwBinder:4334_1-4519 [003] .... 9928.036307: binder_update_page_range: proc=4334 allocate=0 offset=0 size=4096
HwBinder:4334_1-4519 [003] .... 9928.036309: binder_free_lru_start: proc=4334 page_index=0
HwBinder:4334_1-4519 [003] .... 9928.036313: binder_free_lru_end: proc=4334 page_index=0
HwBinder:4334_1-4519 [003] .... 9928.036316: binder_write_done: ret=0
HwBinder:4334_1-4519 [003] .... 9928.036318: binder_ioctl_done: ret=0
HwBinder:4334_1-4519 [003] .... 9928.036372: binder_ioctl: cmd=0xc0306201 arg=0x77607dba68
HwBinder:4334_1-4519 [003] .... 9928.036378: binder_command: cmd=0x40086303 BC_FREE_BUFFER
HwBinder:4334_1-4519 [003] .... 9928.036386: binder_transaction_buffer_release: transaction=340352 data_size=52 offsets_size=0 extra_buffers_size=0
HwBinder:4334_1-4519 [003] .... 9928.036394: binder_write_done: ret=0
HwBinder:4334_1-4519 [003] .... 9928.036400: binder_wait_for_work: proc_work=1 transaction_stack=0 thread_todo=0
frida trace:
# frida-trace -D 32-00004e7371b8 <process>
Started tracing 0 functions. Web UI available at http://localhost:42087/
Then I tried perfetto, but it does not understand logs :/
perfetto -c /data/local/tmp/binder_config.pbtxt -o /data/misc/perfetto-traces/binder_trace.perfetto-trace
[590.475] perfetto_cmd.cc:580 The trace config is invalid, bailing out.
my kernel is 5.4
Metadata
Metadata
Assignees
Labels
No labels