Allow for Runtime._instrumentation being pointer

[hsorbo]

The instrumentation field in the Runtime class in some android 15 and all android 16 is now a pointer.
https://android.googlesource.com/platform/art/+/17c7ed2de734cf892b005b1d15b3db9855506f14

This should fix #368

arm64

sub     sp, sp, #0x40
stp     fp, lr, [sp, #0x20]
stp     x20, x19, [sp, #0x30]
add     fp, sp, #0x20
mrs     x20, tpidr_el0
mov     x19, x0
adrp    x9, 0xe19000
add     x9, x9, #0xd98
ldr     x8, [x20, #0x28]
add     x1, sp, #0x8
stur    x8, [fp, #-0x8
ldr     x8, [x0, #0x328] <- picking this
ldr     x0, [x0, #0x258]
stp     x9, x8, [sp, #0x8]

[comed-ian]

Great patch! Fixes my problem. However, I had this problem arise on a Samsung Galaxy S20+ running Android 13. It appears from the parsed instructions that this is a candidate for tryDetectInstrumentationPointer and artInstrumentation.readPointer() despite not fulfilling the apiLevel > 35 check.

sub sp, sp, #0x40
stp x29, x30, [sp, #0x20]
stp x20, x19, [sp, #0x30]
add x29, sp, #0x20
mrs x20, tpidr_el0
mov x19, x0
adrp x9, #0x7adf019000
add x9, x9, #0xd98
ldr x8, [x20, #0x28]
add x1, sp, #8
stur x8, [x29, #-8]
ldr x8, [x0, #0x328]     # < -- same instruction
ldr x0, [x0, #0x258]
stp x9, x8, [sp, #8]

I applied the following diff, for your consideration. It is a bit crude in that it checks DetectInstrumentationPointer(api)'s return value as a fallback if the API level does not match. In effect, any library that passes the parseArm64InstrumentationPointer check then leverages the pointer operations. This was sufficient for my device.

diff --git a/lib/android.js b/lib/android.js
index b03152a..4ea9190 100644
--- a/lib/android.js
+++ b/lib/android.js
@@ -462,7 +462,7 @@ function _getApi () {
     const instrumentationOffset = runtimeOffset.instrumentation;
     let artInstrumentation = (instrumentationOffset !== null) ? artRuntime.add(instrumentationOffset) : null;
     // TODO: Figure out better detection of https://android.googlesource.com/platform/art/+/17c7ed2de734cf892b005b1d15b3db9855506f14
-    const instrumentationIsPointer = apiLevel > 35;
+    const instrumentationIsPointer = runtimeSpec.instrumentationIsPointer;
     if (instrumentationIsPointer && artInstrumentation !== null) {
       artInstrumentation = artInstrumentation.readPointer();
     }
@@ -699,8 +699,8 @@ function _getArtRuntimeSpec (api) {
   }
 
   // todo: figure out better detection of https://android.googlesource.com/platform/art/+/17c7ed2de734cf892b005b1d15b3db9855506f14
-  const instrumentationIsPointer = apiLevel > 35;
-  spec.offset.instrumentation = instrumentationIsPointer
+  spec.instrumentationIsPointer = apiLevel > 35 || tryDetectInstrumentationPointer(api);
+  spec.offset.instrumentation = spec.instrumentationIsPointer
     ? tryDetectInstrumentationPointer(api)
     : tryDetectInstrumentationOffset(api);

[hsorbo]

@comed-ian Thanks. Im working on detecting ART APEX version here: #373 Would you mind sharing which version of ART you have? adb shell dumpsys package com.google.android.art | grep Version

[comed-ian]

@comed-ian Thanks. Im working on detecting ART APEX version here: #373 Would you mind sharing which version of ART you have? adb shell dumpsys package com.google.android.art | grep Version

Sure! Pasting the results below from only the active APEX version.

$ adb shell dumpsys package com.google.android.art | grep Version
    Version: 360729160
      enabled=true minSdkVersion=31 targetSdkVersion=36 versionCode=360729160 targetSandboxVersion=1

[Redict]

Tried latest push

Error: Unable to find Instrumentation class in ART; please file a bug
    at <anonymous> (node_modules/frida-java-bridge/lib/android.js:3923)
    at onThreadStateTransitionComplete (node_modules/frida-java-bridge/lib/android.js:1500)

>  .\adb shell dumpsys package com.google.android.art | Select-String -Pattern "Version"
    Version: 360729140
    Version: 331813100
    Version: 331813100

>  .\adb shell getprop ro.product.cpu.abi
    arm64-v8a

[hsorbo]

Tried latest push

Error: Unable to find Instrumentation class in ART; please file a bug
    at <anonymous> (node_modules/frida-java-bridge/lib/android.js:3923)
    at onThreadStateTransitionComplete (node_modules/frida-java-bridge/lib/android.js:1500)

>  .\adb shell dumpsys package com.google.android.art | Select-String -Pattern "Version"
   Version: 360729140
   Version: 331813100
   Version: 331813100

>  .\adb shell getprop ro.product.cpu.abi
   arm64-v8a

Thanks for feedback. This MR will probably still see a few changes throughout the day. Is it still broken for you on 4659a6d? If so, which android version are you running?

[Redict]

Thanks for feedback. This MR will probably still see a few changes throughout the day. Is it still broken for you on 4659a6d? If so, which android version are you running?

Thank you, it's working fine now, except Java.scheduleOnMainThread, which is terminating application, but I don't know if that's related to coming changes. Switching to Java.perform resolved an issue.

P.S. My main testing device is Android 12. I am using frida-portal to connect to device.