
Cannot run Shizuku generated rish #348

Open
MakiseKurisu opened this issue Apr 23, 2024 · 4 comments

Comments

@MakiseKurisu

MakiseKurisu commented Apr 23, 2024

Shizuku can generate a shell script called rish that can do something in the terminal (not sure what since I haven't been able to run it yet). In this file there is a line calling the payload:

/system/bin/app_process -Djava.class.path="$DEX" /system/bin --nice-name=rish rikka.shizuku.shell.ShizukuShellLoader "$@"

I substituted /system/bin/app_process with /android/system/bin/linker64 /android/system/bin/app_process since that's how I got ping working. However, when I just tried to run it to see what happens, it fails:

-bash-5.2$ /android/system/bin/linker64 /android/system/bin/app_process
CANNOT LINK EXECUTABLE "/android/system/bin/app_process": library "libnativeloader.so" not found

When running in adb shell it gets a bit further, so the required library is in the system:

1|HWDVC-M:/ $ /system/bin/app_process
Error changing dalvik-cache ownership : Permission denied
Aborted
134|HWDVC-M:/ $

I tried to search for the error message, which led me to termux/termux-app#1915. Since we also use proot, it might be relevant?

The updated script for that issue: https://github.com/nathaneltitane/dextop/blob/4cfafae5fe3c474c3685f39f5f974e2e99d8f9cc/proot-launch#L277

BTW I do not have this /linkerconfig/ld.config.txt on my phone when I checked in adb shell.

@MakiseKurisu
Author

This gives me some hint: #221 (comment)

First off, I created a wrapper package to have /android/system/bin/ in my $PATH. The most important use case for me is actually ping (an alternative to #185), but this makes investigation easier.

I ran linker instead of linker64 for fun and got the following output:

nix-on-droid in 🌐 localhost in ~
❯ linker
error: "/apex/com.android.runtime/bin/linker" is 32-bit instead of 64-bit

After checking around, I found /apex/com.android.runtime/lib64/libnativeloader.so. However, LD_PRELOAD doesn't work, so I tried LD_LIBRARY_PATH and now it goes further:

nix-on-droid in 🌐 localhost in ~
❯ LD_LIBRARY_PATH=/apex/com.android.runtime/lib64/ app_process
ANDROID_DATA environment variable unset
/nix/store/wgn04nfyhl0fxil0z8i27dnmx3vdr26z-android-system-bin-wrapper/bin/app_process: line 24: 28338 Aborted                 /android/system/bin/linker64 "/android/system/bin/$CMD_NAME" "$@"

Gonna check if I can get rish working later today.

@MakiseKurisu
Author

So the ANDROID_DATA environment variable unset error was caused by running the command within an SSH session. Once I tried to run app_process in the Android app I got the same error as in the adb shell.

Updated my wrapper to handle a few more edge cases as well as including LD_LIBRARY_PATH for linker64. I then modified the Shizuku-generated rish script to match our running environment:

#!/usr/bin/env bash
set -e
DEX="$HOME/downloads/rish_shizuku.dex"

if [ ! -f "$DEX" ]; then
  echo "Cannot find $DEX, please check the tutorial in Shizuku app"
  exit 1
fi

# Android 14+ (SDK 34) refuses to load a dex file that is writable by the process
if [ "$(getprop ro.build.version.sdk)" -ge 34 ]; then
  if [ -w "$DEX" ]; then
    echo "On Android 14+, app_process cannot load writable dex."
    echo "Attempting to remove the write permission..."
    chmod 400 "$DEX"
  fi
  if [ -w "$DEX" ]; then
    echo "Cannot remove the write permission of $DEX."
    echo "You can copy the file to the terminal app's private directory (/data/data/<package>), so that removing the write permission is possible"
    exit 1
  fi
fi

# Replace "PKG" with the application id of your terminal app
[ -z "$RISH_APPLICATION_ID" ] && export RISH_APPLICATION_ID="com.termux.nix"
app_process -Djava.class.path="$DEX" /android/system/bin --nice-name=rish rikka.shizuku.shell.ShizukuShellLoader "$@"

Unfortunately, this script always returns 0 no matter what I pass in, and there is no output either.
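A wrapper of the kind the comments above describe, written here as an added example (it is not nix-on-droid's wrapper package nor any script from this thread). It assumes the paths the thread found, /android/system/bin/linker64 and /apex/com.android.runtime/lib64, and that the wrapper is installed under the name of the Android binary it fronts:

```shell
#!/usr/bin/env bash
# Added example, not the wrapper package from the thread. Assumed paths are
# the ones the thread found: linker64 under /android/system/bin and
# libnativeloader.so under /apex/com.android.runtime/lib64.
ANDROID_BIN_DIR="${ANDROID_BIN_DIR:-/android/system/bin}"
ANDROID_RUNTIME_LIB="${ANDROID_RUNTIME_LIB:-/apex/com.android.runtime/lib64}"

# Build the argv that runs an Android binary through the linker: linker64,
# then the absolute path of the target, then the caller's arguments.
# One element per output line, so the result can be inspected or tested.
android_wrapper_argv() {
  cmd_name=$1; shift
  case "$cmd_name" in
    ""|*/*) echo "wrapper: command name must be a bare file name, got '$cmd_name'" >&2; return 1 ;;
  esac
  printf '%s\n' "$ANDROID_BIN_DIR/linker64" "$ANDROID_BIN_DIR/$cmd_name" "$@"
}

# app_process aborts when ANDROID_DATA is unset (the thread saw this over
# SSH); check it up front so the failure is explained rather than a bare Abort.
android_env_ok() {
  [ -n "${ANDROID_DATA:-}" ]
}

# Prepend the runtime apex lib dir so linker64 can resolve libnativeloader.so,
# then replace this shell with the Android binary.
run_android_cmd() {
  cmd_name=$1; shift
  if ! android_env_ok; then
    echo "wrapper: ANDROID_DATA is unset; run from the terminal app, not over SSH" >&2
    return 1
  fi
  LD_LIBRARY_PATH="$ANDROID_RUNTIME_LIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
    exec "$ANDROID_BIN_DIR/linker64" "$ANDROID_BIN_DIR/$cmd_name" "$@"
}

# When installed under the name of a real Android binary (e.g. a symlink
# called "ping"), act as that binary's wrapper; otherwise only define the
# functions above.
wrapper_name=$(basename "$0")
if [ -x "$ANDROID_BIN_DIR/$wrapper_name" ]; then
  run_android_cmd "$wrapper_name" "$@"
fi
```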

@azuwis
Contributor

azuwis commented May 11, 2024

FYI, after #353, commands like /system/bin/ping, /system/bin/dumpsys and /system/bin/app_process can be run directly.

@expenses

expenses commented Nov 1, 2024

I've managed to get this rish script working:

#!/system/bin/sh
BASEDIR=$(dirname "$0")
DEX="$BASEDIR"/rish_shizuku.dex

if [ ! -f "$DEX" ]; then
  echo "Cannot find $DEX, please check the tutorial in Shizuku app"
  exit 1
fi

# Android 14+ (SDK 34) refuses to load a dex file that is writable by the process
if [ "$(/system/bin/getprop ro.build.version.sdk)" -ge 34 ]; then
  if [ -w "$DEX" ]; then
    echo "On Android 14+, app_process cannot load writable dex."
    echo "Attempting to remove the write permission..."
    chmod 400 "$DEX"
  fi
  if [ -w "$DEX" ]; then
    echo "Cannot remove the write permission of $DEX."
    echo "You can copy the file to the terminal app's private directory (/data/data/<package>), so that removing the write permission is possible"
    exit 1
  fi
fi

# Replace "PKG" with the application id of your terminal app
export RISH_APPLICATION_ID="com.termux.nix"
/system/bin/app_process -Djava.class.path="$DEX" /system/bin --nice-name=rish rikka.shizuku.shell.ShizukuShellLoader "$@"
