Author: admin

Reverse Engineering Android NDK Apps: Advanced Frida Native Function Overriding Techniques
Introduction to Android NDK Reverse Engineering with Frida

Android applications often leverage the Native Development Kit (NDK) to implement performance-critical code, integrate third-party libraries written in C/C++, or secure sensitive operations. This native layer, compiled into shared objects (.so files), is a treasure trove for reverse engineers, offering deeper insights into an app’s core logic, especially in areas like cryptography, anti-tampering, and obfuscation. However, analyzing and interacting with native code dynamically requires powerful tools.

Frida, a dynamic instrumentation toolkit, stands out as an indispensable asset for Android NDK reverse engineering. It allows you to inject custom scripts into running processes, hook into functions, inspect memory, and modify execution flow, making it perfect for both static analysis verification and dynamic behavioral analysis of native components.

The Necessity of Native Function Overriding

Why Override Native Functions?

Overriding native functions is a critical technique for various reverse engineering and security analysis tasks:
- Bypassing Security Checks: Many apps implement root detection, debugger detection, or license verification routines in native code. Overriding these functions can allow you to bypass these checks to proceed with analysis.
- Modifying Cryptographic Operations: Intercepting encryption/decryption routines to log keys, plaintext, or ciphertext can be invaluable for understanding proprietary protocols or recovering data.
- Observing Hidden Logic: Some functions might perform complex computations or interact with hardware in ways that are not obvious from static analysis. Overriding allows you to log inputs, outputs, and intermediate states.
- Patching and Vulnerability Research: Temporarily patching a vulnerable function or injecting custom payloads to test exploit scenarios is made simpler with dynamic overriding.
Challenges in NDK Reverse Engineering

Working with NDK apps presents unique challenges. Unlike Java/Kotlin code which can be decompiled to readable source, native code compiles to machine instructions (ARM or ARM64 assembly). Symbols might be stripped, making function identification difficult, and advanced obfuscation techniques can further complicate analysis. This is where Frida’s ability to operate at a low level, interacting directly with memory and CPU registers, becomes crucial.

Identifying Target Native Functions

Before you can override a native function, you must first locate its address. Several methods can be employed:
- Static Analysis with Disassemblers: Tools like IDA Pro or Ghidra are essential. Load the target .so file and look for exported functions, interesting string references, or cross-references to common Android APIs (e.g., JNI functions). Once identified, note the function’s offset within the module.
- Dynamic Symbol Enumeration with Frida: If the function is exported, Frida can easily list it.
```
Java.perform(function() {    var targetLibrary = "libnative-lib.so"; // Replace with your target .so name    var module = Module.findByName(targetLibrary);    if (module) {        console.log("Found module: " + module.name + " at base: " + module.base);        Module.enumerateExports(targetLibrary).forEach(function(exp) {            console.log("Exported function: " + exp.name + " at address: " + exp.address);        });    } else {        console.log("Module " + targetLibrary + " not found.");    }});
```
- Runtime Observation with dlopen/dlsym: Some libraries are loaded dynamically, and their functions resolved via dlsym. Hooking android_dlopen_ext or dlsym can reveal loaded libraries and their function pointers.
Frida’s Interceptor API: The Foundation

Basic Hooking with Interceptor.attach

The core of Frida’s native hooking capabilities lies in the Interceptor.attach API. It allows you to attach callbacks to a specific memory address, executing code before (onEnter) and after (onLeave) the original function.
```
Interceptor.attach(Module.findExportByName("libmymath.so", "add_numbers"), {    onEnter: function(args) {        console.log("add_numbers called!");        console.log("Argument 1: " + args[0].toInt32());        console.log("Argument 2: " + args[1].toInt32());    },    onLeave: function(retval) {        console.log("add_numbers returned: " + retval.toInt32());    }});
```
Advanced Overriding Techniques

Modifying Arguments and Return Values

One of the most powerful aspects of native overriding is the ability to change the inputs and outputs of a function. In onEnter, the args array (for ARM/ARM64, these correspond to general-purpose registers x0-xN or r0-rN) can be modified. Similarly, in onLeave, the retval can be changed.
```
Interceptor.attach(Module.findExportByName("libmymath.so", "add_numbers"), {    onEnter: function(args) {        this.original_arg1 = args[0].toInt32();        this.original_arg2 = args[1].toInt32();        console.log(`Original call: add_numbers(${this.original_arg1}, ${this.original_arg2})`);        // Modify arguments to always add 10 and 20        args[0] = ptr(10);        args[1] = ptr(20);        console.log(`Modified call: add_numbers(${args[0].toInt32()}, ${args[1].toInt32()})`);    },    onLeave: function(retval) {        console.log(`Original return was: ${retval.toInt32()}`);        // Override the return value to always be 999        retval.replace(ptr(999));        console.log(`Modified return is now: ${retval.toInt32()}`);    }});
```
Replacing Native Functions Entirely with Interceptor.replace

For more drastic changes, such as completely changing a function’s behavior or patching it out, Interceptor.replace is invaluable. This API replaces the target function’s entry point with your custom JavaScript function. Your replacement function will receive the original arguments directly.
```
var targetFunctionAddress = Module.findExportByName("libmymath.so", "add_numbers");Interceptor.replace(targetFunctionAddress, new NativeCallback(function(a, b) {    console.log(`Original add_numbers(${a}, ${b}) replaced!`);    // Perform custom logic instead of the original function    // For example, always return 42    return a + b + 100; // You can still use original args or custom logic}, 'int', ['int', 'int']));
```
In this example, `add_numbers` will no longer execute its original C/C++ code. Instead, it will execute the JavaScript logic provided in the `NativeCallback` function, which now adds 100 to the sum of its arguments.

Handling Calling Conventions (ARM32/ARM64)

Frida generally handles the underlying ARM32 or ARM64 calling conventions for you when using the args array in Interceptor.attach or passing arguments to NativeCallback. The args array will contain NativePointer objects representing the values passed in the argument registers (e.g., x0-x7 for ARM64, r0-r3 for ARM32). For arguments beyond the register limit, they are typically pushed onto the stack. For more advanced scenarios, such as inspecting floating-point registers or specific stack frames, you might need to directly interact with the this.context object within onEnter/onLeave, which exposes CPU registers (e.g., this.context.x0, this.context.r0, this.context.sp).
```
Interceptor.attach(targetFunctionAddress, {    onEnter: function(args) {        // Check architecture and access registers directly if needed        if (Process.pointerSize === 8) { // ARM64            console.log("x0: " + this.context.x0);            console.log("x1: " + this.context.x1);        } else { // ARM32            console.log("r0: " + this.context.r0);            console.log("r1: " + this.context.r1);        }    }});
```
Practical Example: Overriding a Simple NDK Function

Scenario: A native library libcalc.so with multiply_numbers(int a, int b).

Let’s assume we have a simple Android NDK application that exports a function called multiply_numbers. We want to override it to always return a fixed value or modify its input arguments before execution.

C/C++ Source for multiply_numbers (native-lib.cpp):
```
#include <jni.h>#include <string>extern "C" JNIEXPORT jint JNICALLJava_com_example_ndkcalculator_MainActivity_multiplyNumbers(        JNIEnv* env,        jobject /* this */,        jint a,        jint b) {    // For simplicity, we'll expose a direct C function from a JNI wrapper    // In a real scenario, you'd find this function via static analysis in the .so    // This example assumes 'multiply_numbers' is directly exported or findable.    return a * b;}extern "C" JNIEXPORT jint JNICALLmultiply_numbers(jint a, jint b) {    return a * b;}
```
Assume the multiply_numbers function is exported in libnative-lib.so (default for Android Studio NDK projects).

Frida Script to Modify Arguments and Return Value (hook.js):
```
Java.perform(function() {    var libName = "libnative-lib.so";    var funcName = "multiply_numbers";    var targetModule = Module.findByName(libName);    if (!targetModule) {        console.error("Library " + libName + " not found!");        return;    }    var targetFunctionPtr = targetModule.findExportByName(funcName);    if (!targetFunctionPtr) {        console.error("Function " + funcName + " not found in " + libName + "!");        return;    }    console.log("Hooking " + funcName + " at " + targetFunctionPtr);    Interceptor.attach(targetFunctionPtr, {        onEnter: function(args) {            this.original_a = args[0].toInt32();            this.original_b = args[1].toInt32();            console.log(`[onEnter] Original call: multiply_numbers(${this.original_a}, ${this.original_b})`);            // Modify arguments: change 'a' to 5 and 'b' to 10            args[0] = ptr(5);            args[1] = ptr(10);            console.log(`[onEnter] Modified call: multiply_numbers(${args[0].toInt32()}, ${args[1].toInt32()})`);        },        onLeave: function(retval) {            console.log(`[onLeave] Original return value before modification: ${retval.toInt32()}`);            // Modify the return value to always be 99            retval.replace(ptr(99));            console.log(`[onLeave] Modified return value: ${retval.toInt32()}`);        }    });    console.log("Hook deployed successfully for " + funcName + "!");});
```
Running the Hook:

First, set up Frida server on your Android device (root required or inject using Gadget):
```
adb push frida-server /data/local/tmp/adb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"
```
Then, attach Frida to your running application (e.g., com.example.ndkcalculator) and load the script:
```
frida -U -l hook.js com.example.ndkcalculator
```
Now, whenever multiply_numbers is called in the app, Frida will intercept it, modify its arguments to 5 and 10, let the original function run with these new values, and then override the return value to 99, regardless of what the original function computed.

Conclusion

Frida provides unparalleled capabilities for reverse engineering Android NDK applications by enabling dynamic instrumentation and native function overriding. From basic interception to complete function replacement and intricate argument/return value manipulation, these advanced techniques empower reverse engineers to deeply analyze, debug, and modify the behavior of native code. Mastering these skills is essential for anyone serious about understanding the inner workings of complex Android applications and uncovering their secrets. Always remember to use these powerful tools ethically and responsibly for security research and legitimate analysis.
May 29, 2026
Troubleshooting Native Crashes: Using Frida Hooks for Android Debugging & Root Cause Analysis
Introduction to Native Crashes in Android

Native crashes on Android devices present a significant challenge for developers and reverse engineers alike. Unlike Java-level exceptions, which provide relatively clear stack traces, native crashes often manifest as cryptic signals like SIGSEGV (segmentation fault) or SIGABRT (abort), leaving behind a bewildering array of hexadecimal addresses and registers. These crashes typically occur in C/C++ code, often exposed through the Java Native Interface (JNI), and can be notoriously difficult to diagnose without proper tools and techniques. Traditional debugging methods involving GDB or LLDB can be cumbersome, especially on non-rooted devices or when dealing with obfuscated or stripped binaries. This article delves into how Frida, a dynamic instrumentation toolkit, can be leveraged to effectively debug and analyze the root cause of native crashes by setting advanced hooks.

Understanding the Nature of Native Crashes

Native crashes are primarily caused by memory access violations or other critical errors within the C/C++ codebase. Common scenarios include:
- Null Pointer Dereference: Attempting to access memory through a null pointer.
- Out-of-Bounds Access: Reading from or writing to memory outside the allocated buffer.
- Use-After-Free: Accessing memory that has already been deallocated.
- Double-Free: Attempting to deallocate memory that has already been freed.
- Stack Overflow: Recursive function calls or large local variables exhausting the stack memory.
When such an event occurs, the operating system’s kernel sends a signal to the crashing process. For example, SIGSEGV indicates an illegal memory access. The process’s default handler usually terminates the application, sometimes dumping a core file or generating a tombstone log. While tombstone logs provide some information, they often lack the granular detail needed for pinpoint root cause analysis, especially without symbols.

Frida Fundamentals for Native Debugging

Frida operates by injecting a JavaScript engine into target processes, allowing for runtime manipulation and introspection. Before diving into crash analysis, ensure you have Frida set up:
1. Install Frida on your host machine:pip install frida-tools
2. Run Frida server on your Android device:
```
# Download frida-server for your device's architecture (e.g., arm64) from GitHub releases.
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
```
For native debugging, Frida’s Interceptor API is invaluable. It allows you to attach callbacks before and after a target function executes, providing access to arguments, return values, and CPU registers.

Hooking Exported Functions

If the crashing function is exported by a shared library (e.g., from JNI RegisterNatives or declared with JNIEXPORT), hooking is straightforward:
```
Java.perform(function () {
    var lib_base = Module.findBaseAddress('libmyjni.so');
    if (lib_base) {
        console.log("libmyjni.so loaded at: " + lib_base);
        var target_function = Module.findExportByName('libmyjni.so', 'Java_com_example_myjni_MyClass_nativeCrashyFunction');
        if (target_function) {
            console.log("Hooking nativeCrashyFunction at: " + target_function);
            Interceptor.attach(target_function, {
                onEnter: function (args) {
                    console.log('[+] nativeCrashyFunction called!');
                    console.log('Arg 1 (JNIEnv*): ' + args[0]);
                    console.log('Arg 2 (jobject): ' + args[1]);
                    // Log other arguments as needed
                },
                onLeave: function (retval) {
                    console.log('[-] nativeCrashyFunction returned: ' + retval);
                }
            });
        } else {
            console.log("nativeCrashyFunction not found.");
        }
    } else {
        console.log("libmyjni.so not loaded.");
    }
});
```
Advanced Frida Hooks for Crash Root Cause Analysis

The real power of Frida for native crash analysis comes from its ability to hook unexported functions, inspect registers, and reconstruct call stacks.

Hooking Unexported Functions by Address

Many critical internal functions are not exported. To hook them, you’ll need their offset from the library’s base address. This can be found via static analysis (IDA Pro, Ghidra) or by observing execution flow:
```
Java.perform(function () {
    var lib_base = Module.findBaseAddress('libmyjni.so');
    if (lib_base) {
        console.log("libmyjni.so loaded at: " + lib_base);
        // Example: Assume 0x1234 is the offset of an internal function from lib_base
        var unexported_func_offset = new NativePointer(0x1234);
        var target_address = lib_base.add(unexported_func_offset);

        console.log("Hooking unexported_internal_function at: " + target_address);
        Interceptor.attach(target_address, {
            onEnter: function (args) {
                console.log('[+] unexported_internal_function entered!');
                console.log('Arg 1: ' + args[0]);
                this.original_args = args; // Store args for onLeave if needed
                this.backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE)
                                  .map(DebugSymbol.fromAddress).join('n');
                console.log('Call Stack:n' + this.backtrace);
            },
            onLeave: function (retval) {
                console.log('[-] unexported_internal_function returned: ' + retval);
            }
        });
    } else {
        console.log("libmyjni.so not loaded.");
    }
});
```
In this example, Thread.backtrace(this.context, Backtracer.ACCURATE) is crucial. It generates a symbolic backtrace from the current CPU context (this.context), which is available in onEnter and onLeave. DebugSymbol.fromAddress attempts to resolve addresses to function names and offsets, dramatically improving readability.

Inspecting Registers at Crash Point

When a crash occurs, the state of the CPU registers (e.g., general-purpose registers, program counter `PC`, stack pointer `SP`) is vital. Frida allows you to capture this context. While you can’t *directly* hook the crash signal handler with userland Frida (as the kernel handles it), you can hook functions *leading up to* a potential crash and dump the context. Or, more effectively, use a crash handler library like Google’s `crashpad` or custom signal handlers in conjunction with Frida to get a more precise capture.

For preemptive analysis, within an onEnter or onLeave callback, this.context provides an object representing the CPU state:
```
onEnter: function (args) {
    console.log('[+] Function entered. Current context:');
    console.log('  PC: ' + this.context.pc);
    console.log('  SP: ' + this.context.sp);
    console.log('  LR: ' + this.context.lr); // Link Register for ARM/ARM64
    console.log('  X0: ' + this.context.x0); // ARM64 register
    // ... and so on for other registers relevant to your architecture
}
```
Memory Dumping Around the Crash

If a crash involves corrupt memory or an invalid pointer, dumping the surrounding memory region can provide crucial clues. You can use Memory.readByteArray(address, size):
```
onEnter: function (args) {
    // Let's say args[2] is a pointer that might be involved in a crash
    var suspect_ptr = args[2];
    if (suspect_ptr.isNull()) {
        console.log("WARNING: Suspect pointer is NULL!");
        // You might want to dump memory around a specific address, e.g., stack pointer
        var stack_dump_size = 0x100;
        try {
            var stack_dump = Memory.readByteArray(this.context.sp, stack_dump_size);
            console.log("Stack dump around SP: ");
            console.log(hexdump(stack_dump, { offset: 0, length: stack_dump_size, header: true, ansi: false }));
        } catch (e) {
            console.log("Error dumping stack: " + e);
        }
    }
}
```
The hexdump function (built into Frida) helps visualize the raw memory content.

Step-by-Step Scenario: Diagnosing a Null Pointer Dereference

Let’s imagine an Android NDK application has a native function that, under certain conditions, receives a null pointer and attempts to dereference it, leading to a SIGSEGV. We’ll simulate this and use Frida to find the culprit.

1. Identify the Target Library and Potential Crash Area

From crash logs (tombstones) or basic app analysis, we might infer that libnative_crash_app.so is involved. We suspect a function called process_data_internal, which isn’t exported, is the problem.

2. Write a Frida Script for Analysis

Our script will attach to the process, find the base address of libnative_crash_app.so, locate process_data_internal (by an assumed offset 0x5678), and hook it. We’ll log arguments, backtrace, and inspect registers.
```
var targetPackageName = 'com.example.nativecrashapp';
var libName = 'libnative_crash_app.so';
var internalFuncOffset = 0x5678; // Assumed offset, would be found via static analysis (IDA/Ghidra)

Java.perform(function () {
    var module = Process.findModuleByName(libName);
    if (!module) {
        console.error("Module '" + libName + "' not found. Exiting.");
        return;
    }
    
    console.log("['" + libName + "' loaded at base address: " + module.base + "]");
    
    var targetAddress = module.base.add(internalFuncOffset);
    console.log("Hooking 'process_data_internal' at: " + targetAddress);

    Interceptor.attach(targetAddress, {
        onEnter: function (args) {
            console.log("[--- Entering process_data_internal ---]");
            console.log("Function Address: " + targetAddress);
            console.log("Context PC: " + this.context.pc);
            console.log("Context SP: " + this.context.sp);
            console.log("Context X0 (arg0): " + this.context.x0); // Assuming ARM64 for demonstration
            console.log("Context X1 (arg1): " + this.context.x1);
            console.log("Argument 0: " + args[0]);
            console.log("Argument 1: " + args[1]);
            
            if (args[0].isNull()) {
                console.warn("!!! WARNING: Argument 0 (data_ptr) is NULL. Potential crash imminent!n");
                console.log("--- DUMPING CONTEXT BEFORE POTENTIAL CRASH ---");
                console.log("Current Thread ID: " + Process.getCurrentThreadId());
                
                var backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE)
                                  .map(DebugSymbol.fromAddress)
                                  .filter(sym => sym.name || sym.address.compare(0) !== 0);
                console.log("Backtrace:n" + backtrace.join('n') + "n");

                // Optional: Dump memory around the null pointer's caller context
                // This part would depend on finding where the null ptr was passed from

                // If we know a specific problematic variable on the stack, we could dump it:
                // var problematicStackAddr = this.context.sp.add(some_offset);
                // var stackVarDump = Memory.readByteArray(problematicStackAddr, 16);
                // console.log("Problematic Stack Variable Dump: " + hexdump(stackVarDump));
            }
        },
        onLeave: function (retval) {
            console.log("[--- Leaving process_data_internal ---]");
            console.log("Return value: " + retval);
        }
    });
});
```
3. Execute the Script and Trigger the Crash

Run the Frida script against the target application:
```
frida -U -f com.example.nativecrashapp -l frida_crash_hook.js --no-pause
```
Now, interact with the application to trigger the native crash. When process_data_internal is called with a null argument, the Frida script’s onEnter hook will detect it, log the warning, and most importantly, print a detailed backtrace and register state *before* the crash actually occurs.

The output will show something like:
```
[--- Entering process_data_internal ---]
Function Address: 0x...5678
Context PC: 0x...5678
Context SP: 0x...STACK_PTR
Context X0 (arg0): 0x0
Context X1 (arg1): 0x...SOME_VAL
Argument 0: 0x0
Argument 1: 0x...SOME_VAL
!!! WARNING: Argument 0 (data_ptr) is NULL. Potential crash imminent!

--- DUMPING CONTEXT BEFORE POTENTIAL CRASH ---
Current Thread ID: 12345
Backtrace:
  libnative_crash_app.so!process_data_internal + 0x0 (0x...5678)
  libnative_crash_app.so!call_process_data + 0x30 (0x...5648)
  libnative_crash_app.so!Java_com_example_nativecrashapp_MainActivity_triggerCrash + 0x64 (0x...1234)
  ... (Java frames)
```
This output immediately tells us that process_data_internal received a null pointer as its first argument (args[0] and this.context.x0 are 0x0). The backtrace then reveals that call_process_data in libnative_crash_app.so was responsible for calling process_data_internal, and that in turn was called by the JNI function Java_com_example_nativecrashapp_MainActivity_triggerCrash. This chain of custody helps narrow down the problematic area to the code within call_process_data that prepares the arguments for process_data_internal, ultimately leading back to the Java side if the null originated there.

Conclusion

Frida offers an unparalleled level of introspection for debugging native Android applications. By combining basic hooking with advanced techniques like address-based hooking, register inspection, backtracing, and memory dumping, reverse engineers and developers can meticulously reconstruct the events leading up to a native crash. This allows for precise identification of the faulty code path, the state of variables, and the exact instruction that caused the termination, significantly reducing the time and effort required for root cause analysis. Mastering these advanced Frida techniques is essential for anyone dealing with complex native code issues on Android.
May 29, 2026
Demystifying JNI: Advanced Frida Hooks for Android Native Method Tracing & Manipulation
Introduction

The Android ecosystem, while largely Java/Kotlin-driven, frequently relies on native code for performance-critical operations, cryptographic functions, and low-level system interactions. This native layer, primarily exposed through the Java Native Interface (JNI), presents a unique challenge and opportunity for reverse engineers and security researchers. Understanding and manipulating these native calls is paramount for deep analysis, vulnerability research, and bypass techniques. While basic native hooking with Frida is common, truly demystifying JNI involves advanced techniques for tracing dynamically registered methods and manipulating complex data structures. This article delves into these expert-level Frida methodologies, empowering you to gain unprecedented control over Android’s native execution flow.

The Nuances of JNI & Native Libraries

JNI acts as a bridge, enabling Java code to call native functions (written in C/C++, assembly) and vice versa. When an Android application loads a native library (e.g., via System.loadLibrary("mylib")), the system maps the shared object (.so file) into the process memory space. Native methods exposed to Java can be registered in two primary ways:
- Static Registration: The native function’s name directly follows a specific JNI naming convention (e.g., Java_com_example_MyClass_myNativeMethod). The JVM resolves these names automatically when the Java method is first called.
- Dynamic Registration: Native functions are registered programmatically at runtime, typically within the JNI_OnLoad function, using the RegisterNatives JNI function. This allows developers to use arbitrary names for their native functions, making them harder to identify via static analysis.
Frida excels at interacting with both Java and native layers, making it the ideal tool for dissecting these interactions.

Basic Frida Native Hooking Revisited

Before diving into advanced JNI hooks, let’s quickly review the fundamental approach to hooking known native exports. This typically involves finding the base address of the module and then resolving the export by name.
```
Java.perform(function() {  // Ensure we are in a Java context for certain operations, though not strictly required for basic native hooks.    var targetLibrary = 'libmyjni.so';    var targetFunction = 'Java_com_example_MyClass_sayHello'; // Example of a statically registered JNI function    var libBase = Module.findBaseAddress(targetLibrary);    if (libBase) {        console.log("[+] Found libmyjni.so at: " + libBase);        var functionPtr = Module.findExportByName(targetLibrary, targetFunction);        if (functionPtr) {            console.log("[+] Hooking " + targetFunction + " at " + functionPtr);            Interceptor.attach(functionPtr, {                onEnter: function(args) {                    // args[0] is JNIEnv*, args[1] is jclass (for static) or jobject (for instance)                    // Subsequent args are the actual method parameters.                    var jniEnv = Java.vm.getEnv();                    var message = jniEnv.getStringUtfChars(args[2], null).readUtf8String();                    console.log("  [onEnter] Original Message: " + message);                },                onLeave: function(retval) {                    console.log("  [onLeave] Return Value: " + retval);                }            });        } else {            console.log("[-] Could not find export: " + targetFunction);        }    } else {        console.log("[-] Could not find library: " + targetLibrary);    }});
```
This example demonstrates hooking a statically registered JNI method, reading a jstring argument, and logging the return value. The key is Module.findExportByName.

Advanced JNI Function Hooking with Frida

Hooking Dynamically Registered JNI Functions

Dynamically registered native methods pose a challenge because their native function names are not exported in a predictable JNI format. The solution is to hook the RegisterNatives function itself. This function is part of the JNIEnv interface and is responsible for linking Java methods to their native implementations.

RegisterNatives is typically found within libart.so (for ART runtime) or libdvm.so (for Dalvik). Its signature is jint RegisterNatives(JNIEnv* env, jclass clazz, const JNINativeMethod* methods, jint numMethods).
```
Java.perform(function() {    var registerNativesPtr = Module.findExportByName('libart.so', 'RegisterNatives');    if (registerNativesPtr) {        console.log("[+] Hooking RegisterNatives at " + registerNativesPtr);        Interceptor.attach(registerNativesPtr, {            onEnter: function(args) {                var env = args[0];                var javaClass = args[1];                var methodsPtr = args[2];                var numMethods = args[3].toInt32();                var jniEnv = Java.vm.getEnv();                console.log("  [RegisterNatives] Class: " + jniEnv.get,
```
May 29, 2026
Hands-on Frida: Unveiling Hidden Android Native API Calls via Targeted Interceptors Introduction to Frida and Native Android Reversing Frida, the dynamic instrumentation toolkit, stands as an indispensable tool in the arsenal of any serious Android reverse engineer. While many focus on Java-level hooks, the true power of an Android application, especially those designed for performance, security, or obfuscation, often lies deep within its native libraries (.so files). These libraries, typically written in C/C++ and interacting with Java through the Java Native Interface (JNI), house critical logic, cryptographic operations, and anti-tampering mechanisms that are invisible to Java-only analysis. Targeting native API calls allows us to bypass Java obfuscation, understand low-level operations, and even interact with system libraries that are not directly exposed to the Java layer. This guide will walk you through setting up your environment, identifying target functions, and crafting advanced Frida scripts to precisely intercept these elusive native calls. Setting Up Your Android Reversing Environment Prerequisites Rooted Android Device or Emulator: Necessary for running frida-server with full permissions. ADB (Android Debug Bridge): For communication with your device. Frida-Tools: The Python client for Frida. Install via pip install frida-tools. Frida-Server: The agent running on the Android device. Download the correct architecture (e.g., arm64, x86) from Frida Releases. A Sample Native Application: An Android app that uses a native library. You can build a simple Android Studio NDK project or use a target application. A Decompiler/Disassembler: Tools like Ghidra or IDA Pro are invaluable for analyzing native binaries and identifying function offsets. Installing and Running Frida-Server First, push the downloaded frida-server binary to your device and make it executable. Ensure you pick the correct version (e.g., frida-server-*-android-arm64). adb push /path/to/frida-server-16.x.x-android-arm64 /data/local/tmp/frida-server adb shell "chmod 755 /data/local/tmp/frida-server" adb shell "/data/local/tmp/frida-server &" Verify that Frida is running by listing processes: frida-ps -U If you see a list of processes, your setup is correct. Identifying Native Functions for Targeted Interception Initial Reconnaissance with readelf and nm Before dynamic analysis, static analysis helps identify potential targets. You can pull the target application’s native library from the device and use tools like readelf or nm to list exported symbols. # Find the .so library path (replace with your app's package name and library name) adb shell "find /data/app/ -name 'libnative-lib.so'" # Example pull command adb pull /data/app/~~com.example.appname-XYZ/lib/arm64/libnative-lib.so . # List exported symbols readelf -s libnative-lib.so | grep -E "FUNC|GLOBAL" nm -D libnative-lib.so This will show you functions explicitly exported by the library, often JNI functions like Java_com_example_app_MainActivity_stringFromJNI, or other utility functions that the library author chose to make public. Decompilers: Ghidra and IDA Pro For unexported functions, or to understand the internal logic and calling conventions of any function, a decompiler is essential. Load your .so file into Ghidra or IDA Pro. These tools will help you: Identify unexported (internal) functions. Determine function signatures (number and types of arguments, return type). Understand the control flow and logic. Pinpoint exact offsets of functions relative to the library’s base address. Crafting Your First Frida Native Hook Hooking a Simple, Exported Function Let’s start with a common scenario: hooking a JNI function. Consider a simple Android NDK project with a native method: // native-lib.cpp #include <jni.h> #include <string> extern "C" JNIEXPORT jstring JNICALL Java_com_example_myapp_MainActivity_stringFromJNI(JNIEnv* env, jobject /* this */) { std::string hello = "Hello from C++"; return env->NewStringUTF(hello.c_str()); } A basic Frida script can intercept this using Module.findExportByName: // hook_jni.js Java.perform(function() { var targetLib = "libnative-lib.so"; var targetFunction = "Java_com_example_myapp_MainActivity_stringFromJNI"; var funcPtr = Module.findExportByName(targetLib, targetFunction); if (funcPtr) { console.log("Found " + targetFunction + " at " + funcPtr); Interceptor.attach(funcPtr, { onEnter: function (args) { console.log("[*] " + targetFunction + " called!"); // args[0] is JNIEnv*, args[1] is jobject (this) // For JNI methods, the actual arguments start from args[2] }, onLeave: function (retval) { console.log("[*] " + targetFunction + " returned: " + new NativePointer(retval).readUtf8String()); } }); console.log("Hooked " + targetFunction + " successfully."); } else { console.log("Error: " + targetFunction + " not found in " + targetLib); } }); Run this script using: frida -U -f com.example.myapp --no-pause -l hook_jni.js Advanced Interception: Unveiling Unexported or Obscure Native Calls Understanding Library Base Addresses and Offsets Native libraries on Android are loaded into memory at different base addresses each time an application starts (due to ASLR – Address Space Layout Randomization). To hook an unexported function, we need its address in memory, which is calculated as: Base Address of Library + Function Offset. Frida can find the base address of a loaded module: // find_base_address.js Java.perform(function() { var lib_module = Process.findModuleByName("libmycustomlib.so"); if (lib_module) { console.log("libmycustomlib.so base address: " + lib_module.base); console.log("libmycustomlib.so size: " + lib_module.size); } else { console.log("libmycustomlib.so not found!"); } }); The May 29, 2026
Uncovering Unlisted I2C Devices: Advanced Address Probing on Android Introduction: The Hidden World of Android I2C Devices The Inter-Integrated Circuit (I2C) bus is a cornerstone of modern embedded systems, and Android devices are no exception. From sensors like accelerometers and gyroscopes to power management ICs (PMICs), camera modules, and touch controllers, countless components communicate with the SoC via I2C. While many of these devices are well-documented and appear in system logs or device tree configurations, a subset remains ‘unlisted’ – either dynamically loaded, proprietary, or simply not enumerated in standard system interfaces. This article delves into advanced techniques for uncovering these hidden I2C devices on Android, providing a crucial skill for hardware reverse engineers, security researchers, and custom ROM developers. Understanding I2C on Android On Android, like other Linux-based systems, I2C communication is managed by the kernel. User-space applications and drivers interact with I2C buses through device files typically found in /dev/i2c-*. Each file represents a distinct I2C bus controller on the SoC. The kernel’s I2C subsystem handles the low-level clock stretching, start/stop conditions, and acknowledgment bits, exposing a simpler interface for higher-level drivers. Identifying I2C Bus Controllers The first step in any I2C investigation is to identify the available buses. You can do this by listing the device files: adb shell ls -l /dev/i2c-* This command typically reveals a list like /dev/i2c-0, /dev/i2c-1, and so on. The number of buses varies significantly between devices, depending on the SoC and its peripheral integration. To gain context about what each bus might be connected to, examining kernel boot logs is invaluable: adb shell dmesg | grep -i "i2c" Look for messages indicating I2C adapter registration, driver probes, and device attachments. These logs can often hint at which buses are active and what devices are expected to be on them. The Challenge of Unlisted Devices Why would an I2C device be ‘unlisted’? Common reasons include: Proprietary Drivers: Manufacturers may use custom drivers that don’t fully expose device information through standard sysfs interfaces. Dynamic Enumeration: Devices might be probed and configured only when specific conditions are met (e.g., camera power-up). Kernel Configuration: The I2C client device might not be statically defined in the kernel’s device tree or board files. Security Obscurity: In some cases, vendors might intentionally make it harder to identify certain sensitive components. Advanced Probing Techniques 1. Leveraging i2cdetect (If Available) The standard Linux tool for I2C device probing is i2cdetect. It scans a specified I2C bus for devices at all possible 7-bit addresses and reports any acknowledgments. However, i2cdetect is rarely pre-installed on production Android devices due to its diagnostic nature. If you have a rooted device or can compile custom binaries, it’s a powerful tool. Compiling i2cdetect for Android: You’ll need the Android NDK and a cross-compilation environment. Here’s a simplified approach: # Download i2c-tools source (e.g., from kernel.org)tar -xf i2c-tools-*.tar.gzcd i2c-tools-*# Set up NDK environmentexport NDK_ROOT=/path/to/android-ndk-rXXexport PATH=$PATH:$NDK_ROOT/toolchains/llvm/prebuilt/linux-x86_64/binexport TARGET_HOST=aarch64-linux-androidXX # Adjust based on Android API level and arch# Compile (adjust makefile or use direct GCC/Clang commands)make CC=${TARGET_HOST}-clang BUILD_STATIC=y -C tools/i2cgetmake CC=${TARGET_HOST}-clang BUILD_STATIC=y -C tools/i2csetmake CC=${TARGET_HOST}-clang BUILD_STATIC=y -C tools/i2cdetect# Push to deviceadb push tools/i2cdetect/i2cdetect /data/local/tmp/adb shell chmod +x /data/local/tmp/i2cdetect Once on the device, you can run: adb shell /data/local/tmp/i2cdetect -y [BUS_NUMBER] For example, to scan bus 1: adb shell /data/local/tmp/i2cdetect -y 1 An output showing hex values (not --) indicates a device acknowledged at that address. 2. Manual Probing with i2c-dev (C Code) When i2cdetect is not an option or for more granular control, writing a simple C program to manually probe addresses is the most robust method. This involves opening the I2C device file, setting the slave address, and attempting a dummy read or write. Probing C Code Example: #include <stdio.h>#include <stdlib.h>#include <string.h>#include <fcntl.h>#include <unistd.h>#include <errno.h>#include <sys/ioctl.h>#include <linux/i2c-dev.h> // Required for I2C_SLAVE#define I2C_BUS_PATH_FORMAT "/dev/i2c-%d"int main(int argc, char *argv[]) { int fd; char filename[20]; int i2c_bus_num; if (argc < 2) { fprintf(stderr, "Usage: %s <i2c_bus_number>n", argv[0]); return 1; } i2c_bus_num = atoi(argv[1]); if (i2c_bus_num < 0) { fprintf(stderr, "Invalid I2C bus number.n"); return 1; } snprintf(filename, sizeof(filename), I2C_BUS_PATH_FORMAT, i2c_bus_num); fd = open(filename, O_RDWR); if (fd < 0) { fprintf(stderr, "Failed to open I2C bus %s: %sn", filename, strerror(errno)); return 1; } printf("Scanning I2C bus %d (0x03-0x77):n", i2c_bus_num); printf(" 0 1 2 3 4 5 6 7 8 9 a b c d e fn"); for (int addr = 0x00; addr <= 0x77; addr++) { if (addr % 16 == 0) { printf("%02x:", addr); } // Skip reserved addresses and general call address if (addr <= 0x02 || addr >= 0x78) { printf(" "); continue; } if (ioctl(fd, I2C_SLAVE, addr) < 0) { // This is expected for non-existent devices, // but a successful ioctl doesn't mean device exists either. // We need to attempt a read/write. // fprintf(stderr, "Warning: ioctl failed for address 0x%02x: %sn", addr, strerror(errno)); printf(" --"); // ioctl failure is usually not a device present if (addr % 16 == 15) printf("n"); continue; } // Attempt a dummy read. A successful read indicates presence. // Write can also be used, but read is generally safer. char buffer[1]; if (read(fd, buffer, 0) == 0) { // Read 0 bytes to just check ACK printf(" %02x", addr); } else { // If read fails for any reason (e.g., NACK, I/O error), no device here. printf(" --"); } if (addr % 16 == 15) printf("n"); } close(fd); return 0;} To compile and run this on Android: # Compile (using your NDK setup from above)${TARGET_HOST}-clang -o i2c_scanner i2c_scanner.c -static# Push to deviceadb push i2c_scanner /data/local/tmp/adb shell chmod +x /data/local/tmp/i2c_scanner# Run (e.g., scan bus 1)adb shell /data/local/tmp/i2c_scanner 1 This program iterates through all possible 7-bit I2C addresses (0x03 to 0x77), attempts to set the slave address using I2C_SLAVE ioctl, and then performs a zero-byte read. If the read returns 0 (indicating a successful transaction with no data transfer, just an ACK from the slave), it means a device is present at that address. The output format mimics i2cdetect. 3. Analyzing Kernel Device Tree (DTB) The Device Tree Blob (DTB) is a critical component on modern Linux systems, including Android. It describes the hardware components connected to the SoC, including I2C devices and their addresses. Even if a device doesn’t show up via dynamic probing, it might be statically defined in the DTB. Extracting and Decompiling the DTB: Obtain boot.img: This usually requires unlocking the bootloader or finding stock firmware. Extract DTB: Use tools like Adb-Fastboot-Tool or magiskboot to extract the DTB blob from the boot.img. The DTB is often located in the boot image or a separate dtbo.img partition. Decompile DTB: Use the Device Tree Compiler (dtc) to convert the binary DTB into a human-readable Device Tree Source (DTS) file. dtc -I dtb -O dts -o device_tree.dts [path/to/extracted/dtb_blob] Once you have the .dts file, open it and search for I2C-related nodes. Look for nodes similar to this: i2c@78b5000 { compatible = "qcom,i2c-qcom-geni"; reg = <0x0 0x78b5000 0x0 0x1000>; clocks = <&clock_gcc RPMH_BCR_QUPV3_I2C_APPS_CLK>; #address-cells = <1>; #size-cells = <0>; status = "ok"; my_hidden_sensor@1a { compatible = "vendor,my-hidden-sensor"; reg = <0x1a>; interrupt-parent = <&tlmm>; interrupts = <95 0x2>; status = "okay"; };}; In this example, my_hidden_sensor@1a explicitly defines an I2C device with address 0x1a. The compatible string is crucial as it indicates the kernel driver expected to bind to this device. Even if this device isn’t probed by your manual scanner (perhaps due to being dynamically turned on), its presence in the DTB confirms its existence and expected address. Conclusion Uncovering unlisted I2C devices on Android is a vital skill for anyone delving into low-level hardware analysis. By combining systematic bus identification, intelligent use of tools like i2cdetect, robust manual probing with custom C code, and meticulous analysis of the kernel device tree, you can bring these hidden components to light. This advanced methodology not only aids in reverse engineering proprietary hardware but also strengthens security assessments by revealing undocumented attack surfaces and helps in building truly custom Android experiences. Remember to always proceed with caution and respect for device integrity when performing such deep-level analysis. May 29, 2026
Rooted Android I2C: Dump EEPROM Data & Register Configurations Introduction The I2C (Inter-Integrated Circuit) bus is a ubiquitous serial communication protocol found in nearly every modern electronic device, including Android smartphones and tablets. It’s the backbone for communication between the system-on-chip (SoC) and a multitude of peripherals like sensors (accelerometers, gyroscopes), power management ICs (PMICs), camera modules, audio codecs, and especially EEPROMs (Electrically Erasable Programmable Read-Only Memory) which store vital configuration data or device firmware. Understanding and interacting with the I2C buses on a rooted Android device opens up a powerful avenue for hardware reverse engineering, diagnostics, and even custom hardware integration. This expert-level tutorial will guide you through the process of enumerating I2C devices, dumping the contents of attached EEPROMs, and inspecting or modifying device register configurations on a rooted Android device. We will leverage standard Linux `i2c-tools` to achieve these objectives, providing practical, step-by-step commands suitable for security researchers, hardware enthusiasts, and embedded developers. Prerequisites A rooted Android device (required for shell access to `/dev/i2c-*` nodes and installing tools). ADB (Android Debug Bridge) installed and configured on your host machine. Basic familiarity with the Linux command line. A terminal emulator (e.g., Termux) on the Android device, or primarily using `adb shell`. Understanding I2C on Android’s Linux Kernel Android’s underlying Linux kernel exposes I2C buses as character devices, typically found under `/dev/i2c-*`. Each number represents a distinct I2C bus master controlled by the SoC. The kernel also provides a sysfs interface at `/sys/bus/i2c/devices/`, where you can find more information about detected I2C adapters and attached devices, though direct interaction with devices usually occurs via the `/dev` nodes. The `i2c-tools` suite is a collection of utilities designed to interact with I2C devices from the Linux command line. Key tools include `i2cdetect` for bus scanning, `i2cdump` for reading memory blocks (like EEPROMs), `i2cget` for reading specific registers, and `i2cset` for writing to registers. Step 1: Establish Rooted ADB Shell Access Ensure your device is rooted and ADB is set up. We’ll start by gaining a root shell on the device. adb rootadb shell If `adb root` fails, your device’s root solution (e.g., Magisk) might require you to use `su` within a non-root `adb shell` session: adb shellsu Confirm you have root privileges by checking the user ID: whoami You should see `root`. Step 2: Identifying Available I2C Buses First, identify which I2C buses are present on your device. These are usually named `i2c-0`, `i2c-1`, etc., corresponding to `/dev/i2c-0`, `/dev/i2c-1`, and so on. ls /dev/i2c* You might see output similar to: /dev/i2c-0/dev/i2c-1/dev/i2c-2/dev/i2c-3/dev/i2c-4/dev/i2c-5 Each of these represents a distinct I2C bus controller on your SoC. The number of buses varies significantly between devices. Step 3: Installing I2C Tools on Android Most Android devices do not come with `i2c-tools` pre-installed. You’ll need to obtain ARM/ARM64 static binaries and push them to your device. Pre-compiled binaries can often be found in custom ROM repositories, Magisk modules, or you can cross-compile them yourself from the `i2c-tools` source code. For simplicity, let’s assume you have a static `i2cdetect`, `i2cdump`, `i2cget`, and `i2cset` binary (e.g., for `arm64`) on your host machine in the current directory. adb push i2cdetect /data/local/tmp/adb push i2cdump /data/local/tmp/adb push i2cget /data/local/tmp/adb push i2cset /data/local/tmp/ Now, on your device’s shell, make them executable: chmod +x /data/local/tmp/i2cdetectchmod +x /data/local/tmp/i2cdumpchmod +x /data/local/tmp/i2cgetchmod +x /data/local/tmp/i2cset You can now execute them directly using their full path, e.g., `/data/local/tmp/i2cdetect`. Step 4: Enumerating I2C Devices with `i2cdetect` Now, we can scan each identified I2C bus for connected devices. `i2cdetect` attempts to probe common 7-bit I2C addresses and reports which ones respond. The `-y` flag disables interactive prompts, and `<bus_number>` is the numerical part from `/dev/i2c-<bus_number>`. Let’s scan bus 0 as an example: /data/local/tmp/i2cdetect -y 0 The output is a grid showing detected device addresses. `UU` indicates a device detected, while `–` means no device responded at that address. `0x` is the standard prefix for hexadecimal numbers. 0 1 2 3 4 5 6 7 8 9 a b c d e f00: -- -- -- -- -- -- -- -- -- -- -- -- --10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --50: UU -- -- -- -- -- -- -- -- -- -- -- -- -- -- --60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --70: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- In this example, a device is detected at address `0x50` on bus 0. This is a common address for I2C EEPROMs. Repeat this process for all identified buses (e.g., `i2cdetect -y 1`, `i2cdetect -y 2`, etc.) to get a full picture of connected I2C peripherals. Step 5: Dumping EEPROM Data with `i2cdump` Once you’ve identified a potential EEPROM (e.g., at `0x50`), you can dump its contents. `i2cdump` allows reading a block of memory from an I2C device. Syntax: `/data/local/tmp/i2cdump -y <bus_number> <device_address> [mode]` Common modes: `b`: Byte mode (default, reads 8-bit registers). `w`: Word mode (reads 16-bit registers). `c`: Combined mode (byte mode with `read_word_data` for 16-bit addressing, common for larger EEPROMs). `i`: I2C mode (uses specific I2C transactions, often required for certain PMICs or sensors). For a typical EEPROM, byte mode (`b`) is usually sufficient, possibly `c` for larger ones. Let’s dump the device at `0x50` on bus 0: /data/local/tmp/i2cdump -y 0 0x50 b The output will be a hexadecimal dump, typically 256 bytes by default, showing memory addresses on the left and data bytes on the right, along with an ASCII representation (if printable). For a 24Cxxx series EEPROM, this would look like: 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef00: 41 6E 64 72 6F 69 64 20 45 45 50 52 4F 4D 20 44 Android EEPROM D10: 75 6D 70 00 01 02 03 04 05 06 07 08 09 0a 0b 0c ump.............20: 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c ................... (continues for 16 lines or more) To save the dump to a file on your device and then pull it to your host machine: /data/local/tmp/i2cdump -y 0 0x50 b > /data/local/tmp/eeprom_bus0_addr50.bindb pull /data/local/tmp/eeprom_bus0_addr50.bin . You can then analyze `eeprom_bus0_addr50.bin` with a hex editor (like `HxD` or `GHex`) or use tools like `strings` to look for readable text. Step 6: Reading and Writing Register Configurations with `i2cget` and `i2cset` Beyond dumping contiguous memory, `i2cget` and `i2cset` allow precise interaction with individual device registers. This is crucial for understanding device states, configuring sensors, or debugging PMICs. **Warning: Incorrect use of `i2cset` can cause device instability or damage. Always consult the device’s datasheet before writing to registers.** Reading a Register with `i2cget` To read a specific register from an I2C device, you need to know its register address (often 8-bit or 16-bit). This information is typically found in the device’s datasheet. Let’s assume a device at `0x42` on bus 1 has a status register at `0x01`. Syntax: `/data/local/tmp/i2cget -y <bus_number> <device_address> <register_address> [mode]` /data/local/tmp/i2cget -y 1 0x42 0x01 b Output will be a single hexadecimal byte, e.g., `0xAA`. Writing to a Register with `i2cset` To modify a register, you use `i2cset`. This requires knowing the register address and the desired value, all in hexadecimal. Again, *exercise extreme caution*. Syntax: `/data/local/tmp/i2cset -y <bus_number> <device_address> <register_address> <value> [mode]` Let’s write `0x55` to register `0x01` of the device at `0x42` on bus 1: /data/local/tmp/i2cset -y 1 0x42 0x01 0x55 b Some devices might require 16-bit word writes or specific bit-mask operations; consult the datasheet for details. The `i2cset` tool supports various modes (e.g., `w` for 16-bit words) and can handle combined reads/writes for certain register types. Advanced Considerations While `i2c-tools` are powerful, some advanced scenarios might require further steps: Kernel Drivers: Sometimes, I2C devices are tightly controlled by kernel drivers, making direct `i2c-tools` access difficult or leading to conflicts. You might need to unload the driver temporarily (if possible and safe). Device Tree Overlays: On modern Android kernels, I2C devices are often defined in the device tree. Analyzing `/proc/device-tree/` or decompiling `dtb` files can reveal device addresses, register maps, and driver bindings. Hardware Sniffing: For protocols that are not standard I2C or where direct interaction is failing, a logic analyzer can be used to sniff I2C communication directly on the hardware pins, providing an unbiased view of the data. Conclusion Mastering I2C interaction on a rooted Android device is an essential skill for anyone involved in hardware reverse engineering, security research, or embedded systems development. By following the steps outlined in this tutorial, you can effectively enumerate I2C devices, dump critical EEPROM data, and read/write device register configurations. This capability provides deep insights into the low-level operation of your Android device’s peripherals, paving the way for advanced analysis, custom modifications, and understanding proprietary hardware implementations. Always proceed with caution, especially when writing to device registers, and prioritize understanding the target hardware’s specifications. May 29, 2026
Reverse Engineering Android Sensors: A Practical Guide to I2C Bus Sniffing Introduction: Unlocking the Android Sensor Ecosystem Modern Android devices are replete with a myriad of sensors—accelerometers, gyroscopes, magnetometers, barometers, and more—that provide the contextual awareness essential for many applications. These sensors often communicate with the device’s main System-on-Chip (SoC) via serial protocols, with I2C (Inter-Integrated Circuit) being one of the most prevalent. Reverse engineering these I2C communications can reveal valuable insights into device hardware, sensor configurations, and even potential vulnerabilities. This guide provides a practical, expert-level walkthrough on sniffing and analyzing I2C bus traffic to enumerate and understand Android sensors. Understanding I2C Fundamentals in an Android Context The I2C protocol is a two-wire serial bus (SDA for data, SCL for clock) that allows a master device (typically the SoC) to communicate with multiple slave devices (sensors, PMICs, etc.). Each slave device has a unique 7-bit or 10-bit address. On Android, the Linux kernel manages these I2C buses and devices, typically exposing them through the `/sys/bus/i2c/devices` filesystem path or directly interacting with I2C client drivers. Understanding this interaction is key to correlating observed bus traffic with software events. I2C Bus Enumeration via Android Shell Before physical sniffing, it’s beneficial to inspect what the Android kernel already knows. Root access is typically required. adb shellsu# ls /sys/bus/i2c/devices/i2c-*# i2cdetect -l The `ls` command lists the available I2C adapters (buses), e.g., `i2c-0`, `i2c-1`. The `i2cdetect -l` command (if available in your `busybox` or toolbox build) can list the detected buses. Furthermore, you can try to probe for devices on a specific bus: # i2cdetect -y 0 This command probes bus 0 and displays a grid of addresses. Any address shown as `UU` indicates a device is present and responding. Required Tools and Setup Hardware Android Device: The target for reverse engineering. Logic Analyzer: A multi-channel logic analyzer (e.g., Saleae Logic series, Openbench Logic Sniffer) is essential for capturing and decoding I2C signals. Ensure it supports at least 4 channels (SDA, SCL, GND, VCC/optional for voltage reference). Fine-tipped Probes/Test Clips: Essential for connecting to small PCB traces. Soldering may be required for reliable connections. Multimeter: For identifying GND, VCC, and checking continuity. Magnifying Glass/Microscope: To aid in locating tiny traces. Software Logic Analyzer Software: The proprietary software for your logic analyzer (e.g., Saleae Logic 2). ADB (Android Debug Bridge): For shell access and device interaction. Locating the I2C Bus on the PCB This is often the most challenging step. I2C lines are typically routed from the SoC to sensor chips. Common locations to search include: Near Sensors: Physically locate known sensor chips (e.g., accelerometer packages are often small, square, and marked with a manufacturer logo like ST, Bosch, InvenSense). Nearby traces are strong candidates for I2C lines. Power Management ICs (PMICs): PMICs often use I2C for configuration, and their proximity to the SoC makes them good starting points. Schematics/Board Views: If you’re fortunate enough to find leaked schematics or board views for your device, they are invaluable for identifying I2C lines. Once potential traces are identified, use a multimeter in continuity mode to trace them back to the SoC or a known I2C controller test point. The SDA and SCL lines will typically be adjacent or near each other, often pulled up to VCC via resistors. Connecting the Logic Analyzer Identify SDA, SCL, and GND: Carefully locate these three points on your PCB. GND is crucial for a common reference. Power Down: Always power down the device before making physical connections to avoid short circuits. Connect Probes: Connect logic analyzer GND to a reliable ground point on the Android PCB. Connect one logic analyzer input channel to SDA. Connect another logic analyzer input channel to SCL. Power On: Boot the Android device. Capturing and Analyzing I2C Traffic With the logic analyzer connected, open its software and configure it: Channel Assignment: Map your SDA and SCL inputs to the correct channels in the software. Voltage Threshold: Set the correct voltage threshold (e.g., 1.8V or 3.3V, depending on your device’s I2C bus voltage, typically determined by VCC where the pull-up resistors are connected). Sample Rate: Set a sufficiently high sample rate (e.g., 20-50 MS/s) to accurately capture I2C clock speeds (typically 100 kHz, 400 kHz, or 1 MHz). Triggering: Configure a trigger on either SDA or SCL for a start condition (SCL high, SDA falling edge). This ensures you capture complete transactions. Start Capture: Begin recording data. Interact with Sensors: While capturing, interact with the Android device to generate sensor activity. For instance, open a sensor testing app, rotate the device, shake it, or cover the proximity sensor. This will generate I2C traffic related to the sensors. Stop Capture: Once sufficient data is collected, stop the capture. Decoding I2C Data Most logic analyzer software includes an I2C protocol decoder. Apply this decoder to your captured SDA and SCL channels. The decoder will automatically parse the raw waveforms into human-readable data packets, showing: Slave Address: The 7-bit or 10-bit address of the device being communicated with. Read/Write Bit: Whether the master is reading from or writing to the slave. Register Address: For write operations, this often indicates the internal register address within the slave device. Data Bytes: The actual data being read or written. Example logic analyzer output snippet: I2C Transaction:0x68 (Write), Address: 0x01, Data: 0x00I2C Transaction:0x68 (Write), Address: 0x03, Data: 0x0C, 0x03I2C Transaction:0x68 (Read), Address: 0x75, Data: 0x68I2C Transaction:0x68 (Read), Data: 0x00, 0x01, 0x88, 0x02, 0x00, 0x00 In this example, `0x68` is a common address for certain IMUs. The `0x75` register is often a May 29, 2026
Android Kernel’s I2C Subsystem: Tracing Device Probes and Driver Bindings Introduction to I2C in Android and its Significance The I2C (Inter-Integrated Circuit) bus is a ubiquitous serial communication protocol foundational to modern embedded systems, including Android devices. It’s the silent workhorse connecting countless low-speed peripheral components such as sensors (accelerometers, gyroscopes, magnetometers), touch screen controllers, power management ICs (PMICs), and various other embedded controllers to the System-on-Chip (SoC). For anyone involved in Android hardware reverse engineering, security research, or custom kernel development, a deep understanding of how the Linux kernel’s I2C subsystem enumerates devices and binds drivers is absolutely crucial. This article delves into the mechanisms of I2C device probing and driver binding within the Android kernel, providing expert-level guidance on how to trace and analyze these critical interactions. The I2C Subsystem in the Linux Kernel In the Linux kernel, the I2C subsystem abstracts the complexities of the hardware, presenting a clean API for both bus controllers (adapters) and client devices (peripherals). An I2C adapter represents the physical I2C bus master, typically integrated into the SoC, responsible for generating clock signals and data transfers. I2C client devices are the peripherals connected to this bus, each identified by a unique 7-bit or 10-bit slave address. The Linux kernel uses a bus/device/driver model for I2C, where a driver binds to an I2C device found on an I2C adapter. A critical component in Android and other embedded Linux systems is the Device Tree (DT). The DT describes the hardware components of a system to the kernel, including I2C buses and the devices connected to them. For I2C devices, the DT entry typically specifies the device’s slave address, its compatible string, and any other configuration properties needed by its driver. I2C Devices and Drivers I2C drivers are kernel modules (or built-in) responsible for interacting with specific I2C client devices. A key part of an I2C driver is its ability to ‘probe’ for a device. When an I2C device is registered with the kernel, or when an I2C bus is scanned, the kernel attempts to find a matching driver. This matching often relies on the compatible string defined in the Device Tree or a predefined struct i2c_device_id in the driver code. The probe function within an I2C driver is executed upon a successful match and binding, allowing the driver to initialize the hardware, register character devices or other kernel interfaces, and make the device functional within the system. Identifying I2C Buses on an Android Device The first step in analyzing I2C activity is to identify the available I2C buses (adapters) on your target Android device. The Linux kernel exposes information about these buses through the sysfs virtual filesystem. You can access this information via adb shell. To list the I2C adapters and their associated devices: adb shell ls -l /sys/bus/i2c/devices/ This command will show entries like i2c-0, i2c-1, and so on, representing different I2C buses. Within each adapter directory, you’ll find symbolic links to the devices connected to that bus, named after their bus and address (e.g., 0-0068 for an I2C device at address 0x68 on bus 0). To get the human-readable name of an I2C adapter: adb shell cat /sys/class/i2c-adapter/i2c-0/name This might output something like msm-i2c-0 or i2c-msm-1, indicating the specific controller hardware. Tracing I2C Device Probes with ftrace ftrace is the Linux kernel’s powerful internal tracing mechanism, invaluable for understanding dynamic kernel behavior without recompiling. It allows you to trace function calls, events, and much more. For I2C device probing, ftrace can reveal exactly when and how drivers attempt to bind to devices. Setting up ftrace for I2C Probes Access ftrace through the debugfs filesystem. You’ll need root access on your Android device. adb shell su echo 0 > /sys/kernel/debug/tracing/tracing_on # Disable tracing echo function > /sys/kernel/debug/tracing/current_tracer # Set tracer to function echo 'i2c_probe_device' > /sys/kernel/debug/tracing/set_ftrace_filter # Filter for I2C probe function # You can also filter for specific driver probe functions, e.g., # echo 'my_sensor_probe' >> /sys/kernel/debug/tracing/set_ftrace_filter echo 1 > /sys/kernel/debug/tracing/tracing_on # Enable tracing # Now trigger the probe (e.g., reboot device, or hot-plug a USB-to-I2C device if supported) # If tracing during boot, execute the above commands, then reboot and quickly pull the trace. cat /sys/kernel/debug/tracing/trace # Read the trace buffer echo 0 > /sys/kernel/debug/tracing/tracing_on # Disable tracing echo > /sys/kernel/debug/tracing/trace # Clear trace buffer The trace output will show a chronological list of calls to i2c_probe_device and any other functions you’ve filtered, along with the calling context. This allows you to see which I2C devices are being probed and which drivers are initiating the probe attempts. Analyzing dmesg Output for I2C Probes A simpler, though less granular, method to observe I2C probes is by examining the kernel message buffer using dmesg. Many I2C drivers print messages during their probe routine, indicating success or failure, device identification, or initial configuration. adb shell dmesg | grep -E 'i2c|probe|sensor' Look for lines containing keywords like i2c, probe, the name of a known sensor, or a specific I2C address. For example, you might see output like: [ 5.123456] msm_i2c msm_i2c.0: i2c-0: SCL:400 KHz [ 5.124567] imu_sensor 0-0068: probe successful [ 5.125678] lsm6ds3tr 0-006a: Initializing LSM6DS3TR sensor [ 5.126789] power_monitor 1-0034: Device ID 0x34 found This indicates that a driver named imu_sensor successfully probed a device at address 0x68 on bus 0, and another driver lsm6ds3tr initialized at 0x6a on the same bus. Understanding I2C Driver Binding Mechanisms The kernel’s ability to match an I2C device with its corresponding driver is central to the I2C subsystem. This binding process ensures that the correct software logic handles the hardware. Device Tree Bindings For most embedded Linux systems like Android, the Device Tree is the primary method for describing I2C devices. An I2C device node in the DT will typically have a compatible property and a reg property (for the slave address). i2c@78b5000 { compatible = "qcom,msm-i2c"; reg = <0x78b5000 0x1000>; #address-cells = <1>; #size-cells = <0>; touchscreen@38 { compatible = "vendor,touch-controller"; reg = <0x38>; interrupt-parent = <&gpio>; interrupts = <42 IRQ_TYPE_EDGE_FALLING>; reset-gpios = <&gpio 43 GPIO_ACTIVE_LOW>; }; accelerometer@68 { compatible = "bosch,bma250"; reg = <0x68>; interrupt-parent = <&gpio>; interrupts = <44 IRQ_TYPE_EDGE_FALLING>; }; }; In this example, an I2C bus controller at a specific memory address is defined. On this bus, two devices are declared: a touchscreen at address 0x38 with compatible = "vendor,touch-controller" and an accelerometer at 0x68 with compatible = "bosch,bma250". Driver-Side Matching On the driver side, an I2C driver declares its compatibility with devices using either an of_match_table (for Device Tree-based systems) or a id_table (for legacy non-DT systems). The of_match_table is an array of struct of_device_id entries, where each entry contains a compatible string that must match the one in the Device Tree. // Example I2C driver structure static const struct of_device_id bma250_of_match[] = { { .compatible = "bosch,bma250" }, { } // Sentinel entry }; MODULE_DEVICE_TABLE(of, bma250_of_match); // Export for module auto-loading static int bma250_probe(struct i2c_client *client, const struct i2c_device_id *id) { // Driver initialization logic for the BMA250 sensor pr_info("BMA250 accelerometer probe successful at addr 0x%xn", client->addr); // ... further device specific initialization ... return 0; } static struct i2c_driver bma250_driver = { .driver = { .name = "bma250", .of_match_table = bma250_of_match, }, .probe = bma250_probe, .remove = bma250_remove, }; module_i2c_driver(bma250_driver); When the kernel processes the Device Tree, it looks for an I2C device with compatible = "bosch,bma250". If found, it then searches for an I2C driver that has a matching entry in its of_match_table. Upon finding the bma250_driver, its bma250_probe function is called, passing the i2c_client structure representing the specific device instance. Practical Example: Reverse Engineering a Sensor on Android Let’s consider a scenario where you’re trying to understand an unknown I2C sensor on an Android device: Identify I2C Buses and Devices: First, list all I2C buses and known devices: adb shell ls -l /sys/bus/i2c/devices/ Note any unfamiliar device entries (e.g., 0-0068, 1-0034) that haven’t been previously identified. Monitor Kernel Logs: Reboot the device and immediately start monitoring dmesg: adb reboot # As soon as device comes up adb shell dmesg | grep -E 'i2c|probe|unknown_device_addr' Look for probe messages related to the addresses you’ve identified or any new sensor-like names. This can often reveal the driver name or a vendor/model identifier. Use ftrace for Detailed Probe Tracing: If dmesg is insufficient, use ftrace to target the i2c_probe_device function as described earlier. This will show every attempt by any I2C driver to probe a device. If you see an address of interest being probed and then a specific driver’s probe function being called, you’ve found your driver. For example, if you see i2c_probe_device(client=0-0068) followed by my_unknown_sensor_probe, you’ve identified the driver. Locate Driver Source Code: Once you have a potential driver name (e.g., my_unknown_sensor) or a compatible string from the Device Tree, you can search for its source code. If you have access to the device’s kernel source (often available for open-source Android devices or through manufacturer SDKs), search for the driver name or the compatible string within the kernel tree, typically under drivers/i2c/ or drivers/misc/. Analyze the Driver’s Probe Function: Within the driver’s source code, pay close attention to the probe function. This function usually performs crucial initialization steps, such as: Reading device ID registers to verify the device. Configuring device registers for desired operating modes (e.g., sample rates, interrupt settings). Registering platform devices or input devices with the kernel. By understanding what the driver writes to which registers, you can deduce the sensor’s capabilities, its communication protocol, and how it’s being configured by the system. This provides a roadmap for interacting with the sensor directly, even without the original driver. Conclusion Mastering the I2C subsystem and its tracing methodologies is an indispensable skill for Android hardware analysis. By leveraging tools like sysfs, dmesg, and especially ftrace, you can gain deep insights into how the kernel identifies and initializes I2C peripherals. Understanding driver binding through Device Tree compatible strings and driver-side of_match_table entries completes the picture, allowing you to effectively reverse engineer unknown I2C components, debug hardware issues, and even develop custom kernel modules for unique peripherals on Android devices. This knowledge empowers you to move beyond black-box analysis and truly comprehend the hardware-software interface of embedded systems. May 29, 2026
Frida Native Hooking Masterclass: Intercepting Android C/C++ Functions Deep Dive Introduction to Android Native Hooking with Frida Android applications often leverage native code (C/C++) for performance-critical operations, low-level system interactions, or to protect sensitive logic from easy reverse engineering. While Java/Kotlin code can be decompiled relatively easily, native libraries present a greater challenge. This is where Frida, a dynamic instrumentation toolkit, shines. Frida allows security researchers and developers to inject custom scripts into running processes, enabling powerful runtime analysis and modification, including deep dives into native C/C++ functions. The Power of Frida in Native Reverse Engineering Native hooking with Frida provides unparalleled capabilities for understanding and manipulating how an Android application interacts with its underlying system and third-party libraries. It’s an indispensable technique for: Security Research: Uncovering vulnerabilities in native code, analyzing cryptographic implementations, or understanding anti-tampering mechanisms. Reverse Engineering: Deobfuscating protected logic, tracing data flows, and reconstructing complex algorithms implemented in C/C++. Bypassing Controls: Modifying function behavior to bypass license checks, unlock features, or circumvent security measures in a controlled environment. Setting the Stage: Prerequisites and Tools Before diving into native hooking, ensure you have a proper environment set up: Rooted Android Device or Emulator: Necessary for running the Frida server. Frida Server: Running on your Android device. Frida Tools: Installed on your host machine (pip install frida-tools). ADB: Android Debug Bridge for interacting with the device. Disassembler/Decompiler: Tools like Ghidra or IDA Pro are crucial for static analysis of native libraries (.so files) to identify target functions and understand their signatures. Identifying Target Native Functions The first step in native hooking is to accurately identify the C/C++ functions you want to intercept. This often involves a combination of static and dynamic analysis. JNI Exports and Dynamic Analysis Many native functions in Android are exposed via the Java Native Interface (JNI). Java methods declared with the native keyword link to C/C++ functions within a shared library. You can often find these mappings by examining the Java code or using tools that list JNI exports. For example, if a Java method is public native boolean checkLicense(String key);, its corresponding C/C++ function will typically follow a JNI naming convention like Java_com_example_app_NativeUtils_checkLicense. You can also use Frida itself to enumerate exports of loaded modules: Java.perform(function() { var lib = Module.findBaseAddress("libnative-lib.so"); if (lib) { console.log("Base address of libnative-lib.so: " + lib); Module.enumerateExportsSync("libnative-lib.so").forEach(function(exp) { console.log(" Export: " + exp.name + " @ " + exp.address); }); } else { console.log("libnative-lib.so not found."); }}); Static Analysis with Disassemblers For functions not directly exported via JNI or for deeper understanding, a disassembler like Ghidra or IDA Pro is essential. Load the target .so file into these tools to: Identify internal functions not exposed by JNI. Determine function signatures (number and types of arguments, return value). Understand calling conventions (e.g., ARM32 vs. ARM64, where arguments are passed in registers or on the stack). Locate specific code blocks or offsets within a function for fine-grained hooking. Understanding the ABI (Application Binary Interface) for your target architecture (e.g., AArch64) is critical to correctly interpret arguments and return values. For ARM64, the first eight arguments are typically passed in registers X0-X7, with subsequent arguments on the stack. Return values are usually in X0. Frida’s Core for Native Interception Frida provides two primary mechanisms for interacting with native code: Module.findExportByName and Interceptor.attach. Module.findExportByName and Interceptor.attach Module.findExportByName(moduleName, exportName): This function is used to find the memory address of an exported function within a loaded module (shared library). If you know the module name (e.g., libnative-lib.so) and the exact name of the exported function (e.g., Java_com_example_app_NativeUtils_checkLicense or a simple C function like custom_function), this is your primary way to get its address. Interceptor.attach(address, callbacks): Once you have the address, Interceptor.attach allows you to insert your own code before (onEnter) and after (onLeave) the original function execution. var funcAddress = Module.findExportByName("libmygame.so", "check_integrity");if (funcAddress) { Interceptor.attach(funcAddress, { onEnter: function (args) { // 'this' refers to the invocation context console.log("check_integrity called! Arg 0 (pointer): " + args[0]); // Example: read a string argument // var strArg = args[0].readUtf8String(); // console.log(" Arg 0 as string: " + strArg); }, onLeave: function (retval) { console.log("check_integrity returned: " + retval); // Example: modify return value to always be true (1) // retval.replace(ptr(1)); } }); console.log("Hooked check_integrity at " + funcAddress);} else { console.log("check_integrity not found!");} Practical Example: Hooking a C/C++ Function Let’s consider a common scenario: an application that performs a license check in native code. We’ll create a simple shared library and an Android app to demonstrate hooking. Scenario: Intercepting a Hypothetical License Check Imagine you have a native library (libnative-lib.so) with a C function like this: // native-lib.cpp#include #include extern "C" JNIEXPORT jboolean JNICALLJava_com_example_fridanativehook_MainActivity_checkLicense( JNIEnv* env, jobject /* this */, jstring licenseKey) { const char* keyCStr = env->GetStringUTFChars(licenseKey, 0); std::string validKey = "SUPER_SECRET_KEY"; bool isValid = (std::string(keyCStr) == validKey); env->ReleaseStringUTFChars(licenseKey, keyCStr); return isValid;}`} Our goal is to always make checkLicense return true, regardless of the provided key. Step-by-Step Hook Implementation First, compile and deploy your Android app with this native library. Ensure the app calls this JNI method. Then, we write our Frida script: // frida_script.jsJava.perform(function() { var moduleName = "libnative-lib.so"; var functionName = "Java_com_example_fridanativehook_MainActivity_checkLicense"; var moduleBase = Module.findBaseAddress(moduleName); if (!moduleBase) { console.log("Module " + moduleName + " not loaded yet or not found."); return; } console.log("Module " + moduleName + " base address: " + moduleBase); var targetFunction = Module.findExportByName(moduleName, functionName); if (!targetFunction) { console.log("Function " + functionName + " not found in " + moduleName + "."); return; } console.log("Target function " + functionName + " found at: " + targetFunction); Interceptor.attach(targetFunction, { onEnter: function(args) { // In JNI functions, args[0] is JNIEnv*, args[1] is jobject (this) // Subsequent args are the actual method parameters. // For ARM64: X0, X1, X2... // Our licenseKey is the third argument passed to the JNI function. // In Frida's 'args' array, this maps to args[2]. this.licenseKeyPtr = args[2]; var key = Java.vm.get === 'android' ? Java.string(this.licenseKeyPtr) : "Not an Android JNIEnv"; // Helper for converting jstring to JS string console.log("Intercepted checkLicense with key: " + key); // Optionally modify the license key before it's used // var newKey = env.newStringUtf("ALWAYS_VALID"); // args[2] = newKey; // This might require more complex JNIEnv interaction // For simplicity, we'll just modify the return value. }, onLeave: function(retval) { console.log("Original return value: " + retval); // Force the return value to true (jboolean is 1 for true) retval.replace(ptr(1)); console.log("Modified return value to: " + retval); } }); console.log("Hooked successfully!");}); To run this script, use: frida -U -l frida_script.js -f com.example.fridanativehook --no-pause You will observe the original license key being printed, and then the return value being forcibly changed to `1` (true), effectively bypassing the license check. Advanced Native Hooking Techniques Modifying Arguments and Return Values Dynamically Beyond simple `retval.replace()`, Frida allows intricate manipulation: Reading/Writing Memory: Use `Memory.readUtf8String(ptr)` or `Memory.writeUtf8String(ptr, string)` to interact with strings, or `Memory.writeInt`, `Memory.writeFloat`, etc., for other data types at given memory addresses. Register Context: The `this.context` object in `onEnter` and `onLeave` provides access to CPU registers (e.g., `this.context.x0`, `this.context.sp`). You can read or even modify these registers, though this requires a deep understanding of the architecture's calling conventions. Overloading and Multiple Hooks You can attach multiple interceptors to the same function address. Frida will execute them in the order they were attached. This can be useful for A/B testing different hooking logic or for modularizing your analysis. Bypassing Anti-Frida Mechanisms (Brief Mention) Sophisticated applications often employ anti-Frida measures, such as checking for Frida's presence (e.g., specific files, running processes, injected libraries, or CPU instruction patterns). Bypassing these requires more advanced techniques, often involving patching Frida's own code or using stealthier injection methods. This is a vast topic on its own, but understanding native hooking is a prerequisite. Conclusion Frida's native hooking capabilities are a cornerstone of advanced Android reverse engineering and security analysis. By mastering `Module.findExportByName` and `Interceptor.attach`, understanding ABI conventions, and effectively utilizing memory manipulation and register context, you gain unparalleled control over an application's native execution flow. This masterclass has provided a solid foundation, from identifying target functions to implementing practical hooks. Remember to always use these powerful tools responsibly and ethically in your research and development endeavors. May 29, 2026
Craft Your Own I2C Tools: Native NDK Binaries for Android Hardware Analysis Introduction: Unlocking Android’s Hidden Hardware with I2C and NDK Android devices are marvels of integration, packed with sensors, power management ICs, audio codecs, and countless other components. Many of these critical hardware elements communicate internally using the Inter-Integrated Circuit (I2C) bus, a simple, two-wire serial protocol. While high-level Android APIs abstract away much of this complexity, directly interacting with I2C devices offers an unparalleled level of insight into a device’s true hardware configuration, crucial for reverse engineering, debugging, or custom hardware integration. Traditional Linux systems offer powerful I2C utilities like i2cdetect, i2cdump, and i2cget/i2cset. However, these tools are often absent or outdated on Android, and building them directly on-device can be cumbersome. This article will guide you through crafting your own native I2C discovery and analysis tools for Android using the Native Development Kit (NDK). By leveraging the NDK, you can compile C/C++ binaries that run directly on the Android kernel, bypassing Java layers and gaining direct hardware access. Prerequisites for Native I2C Exploration A rooted Android device: Direct I2C bus access requires root privileges. Android SDK and NDK installed on your development machine. Basic familiarity with C/C++ programming and Linux command line. ADB (Android Debug Bridge) configured and working. I2C on Linux and Android: The /dev/i2c-X Interface In the Linux kernel, I2C buses are exposed as character devices under /dev/i2c-X, where X is the bus number (e.g., /dev/i2c-0, /dev/i2c-1). These files provide a standard interface for user-space programs to interact with I2C controllers. The primary mechanism for communication is through ioctl() calls, which allow you to set the slave address, read, write, and query bus capabilities. Before diving into code, let’s identify the available I2C buses on your rooted Android device: adb shellsufind /dev -name "i2c-*" This command will list all available I2C bus devices. You might see several, as modern SoCs typically integrate multiple I2C controllers for different peripheral groups. Building Your I2C Detector: The Native NDK Approach We’ll create a simple C program that mimics i2cdetect, scanning a specified I2C bus for active devices by attempting to communicate with each possible 7-bit I2C address. Step 1: The C Source Code (i2c_detect.c) This program opens an I2C bus, iterates through all 7-bit addresses (0x03 to 0x77), and attempts to send a dummy byte. If the operation succeeds, it indicates a device is present at that address. #include <stdio.h>#include <stdlib.h>#include <fcntl.h>#include <unistd.h>#include <errno.h>#include <sys/ioctl.h>#include <linux/i2c.h>#include <linux/i2c-dev.h>int main(int argc, char *argv[]) { int fd; char *bus_path; int i, res; if (argc < 2) { fprintf(stderr, "Usage: %s </dev/i2c-X>n", argv[0]); return 1; } bus_path = argv[1]; fd = open(bus_path, O_RDWR); if (fd < 0) { perror("Failed to open I2C bus"); return 1; } printf("Scanning I2C bus: %sn", bus_path); printf(" 0 1 2 3 4 5 6 7 8 9 a b c d e fn"); printf("00: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --n"); for (i = 0x03; i < 0x78; i++) { // 7-bit addresses 0x03 to 0x77 if ((i & 0x0F) == 0) { // New line every 16 addresses printf("%02x:", i); } // Set the I2C slave address if (ioctl(fd, I2C_SLAVE, i) < 0) { // If we can't even set the address, skip this one printf(" --"); fflush(stdout); continue; } // Attempt a dummy read to check for ACK // A simple read_byte_data operation can serve as a presence check // Note: some devices might not respond well to dummy reads or might require specific commands // For a more robust check, you might attempt a write with a single byte // For this simple detector, we'll try to read a register 0x00 unsigned char val; res = i2c_smbus_read_byte_data(fd, 0x00); if (res < 0) { // Error - device not present or not responding printf(" --"); } else { // Success - device found printf(" %02x", i); } fflush(stdout); if ((i & 0x0F) == 0x0F) { printf("n"); } } if ((i & 0x0F) != 0) { printf("n"); } close(fd); return 0;} Step 2: Configuring the NDK Build (Android.mk) Create a file named Android.mk in the same directory as i2c_detect.c. This file tells the NDK how to build your executable. LOCAL_PATH := $(call my-dir)include $(CLEAR_VARS)LOCAL_MODULE := i2c_detectLOCAL_SRC_FILES := i2c_detect.cLOCAL_CFLAGS := -WallLOCAL_LDLIBS := -lloginclude $(BUILD_EXECUTABLE) Step 3: Building the Native Binary Navigate to your project directory (where i2c_detect.c and Android.mk are located) in your terminal. Ensure your NDK environment variables are set up (often by sourcing a script or having the NDK path in your system PATH). Then, run ndk-build: cd /path/to/your/i2c_projectndk-build This command will compile your C code for various Android architectures (ARM, ARM64, x86, x86_64) and place the executables in the libs/<architecture>/ subdirectories. Step 4: Pushing to Device and Execution Choose the appropriate architecture for your device (e.g., arm64-v8a for modern 64-bit phones) and push the binary to a temporary location on your rooted Android device: adb push libs/arm64-v8a/i2c_detect /data/local/tmp/adb shellsuchmod 755 /data/local/tmp/i2c_detect Now, execute the tool, specifying one of the I2C bus paths you identified earlier (e.g., /dev/i2c-1): /data/local/tmp/i2c_detect /dev/i2c-1 The output will be a grid, similar to i2cdetect, showing the addresses of detected I2C devices. An address appearing in the grid (e.g., 50, 68) indicates a device is likely present and responding at that 7-bit address. Interpreting Results and Further Analysis Once you’ve identified an I2C address, you can start to infer what device might be there. Common I2C addresses are often associated with specific types of hardware: 0x50-0x57: EEPROMs, sometimes used for storing device configuration. 0x68, 0x69: Motion sensors (accelerometers, gyroscopes). 0x76, 0x77: Barometric pressure sensors. 0x48: Analog-to-digital converters (ADCs). To go beyond simple detection, you’d extend your C program using other ioctl() commands and functions from <linux/i2c-dev.h>, such as: i2c_smbus_read_byte_data(fd, register_address): Reads a byte from a specific register. i2c_smbus_write_byte_data(fd, register_address, value): Writes a byte to a specific register. i2c_smbus_read_word_data(fd, register_address): Reads a 16-bit word. By reading datasheets for common I2C components and experimenting with register addresses, you can begin to dump configuration registers or even modify device behavior. Always proceed with caution when writing to registers, as incorrect values can lead to system instability or hardware damage. Security Considerations and Caveats Root Access is Mandatory: Direct access to /dev/i2c-X files requires root privileges. This means any tool you build and run has full control over your device’s hardware, so use it responsibly. Hardware Damage Potential: Improper I2C writes can potentially damage components or render your device inoperable. Always backup important data and understand the implications of your commands. Kernel Version Differences: While the I2C kernel interface is relatively stable, minor differences between Android versions or custom kernels might exist. Busy Buses: Some I2C buses might be constantly active, making it difficult to probe without interfering with ongoing communications. Conclusion Developing native I2C tools with the Android NDK provides a powerful avenue for low-level hardware analysis and interaction. This guide demonstrated how to build a simple I2C device detector, laying the groundwork for more sophisticated tools. By understanding the I2C protocol, leveraging the Linux kernel’s character device interface, and compiling with the NDK, you gain unprecedented control and insight into the hidden hardware world within your Android device. This expertise is invaluable for hardware enthusiasts, reverse engineers, and embedded systems developers looking to truly understand and master their devices. May 29, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
675
676
677
678
679
…
705
			Next Page→

Author: admin

Introduction to Android NDK Reverse Engineering with Frida

The Necessity of Native Function Overriding

Why Override Native Functions?

Challenges in NDK Reverse Engineering

Identifying Target Native Functions

Frida’s Interceptor API: The Foundation

Basic Hooking with Interceptor.attach

Advanced Overriding Techniques

Modifying Arguments and Return Values

Replacing Native Functions Entirely with Interceptor.replace

Handling Calling Conventions (ARM32/ARM64)

Practical Example: Overriding a Simple NDK Function

Scenario: A native library libcalc.so with multiply_numbers(int a, int b).

C/C++ Source for multiply_numbers (native-lib.cpp):

Frida Script to Modify Arguments and Return Value (hook.js):

Running the Hook:

Conclusion

Introduction to Native Crashes in Android

Understanding the Nature of Native Crashes

Frida Fundamentals for Native Debugging

Hooking Exported Functions

Advanced Frida Hooks for Crash Root Cause Analysis

Hooking Unexported Functions by Address

Inspecting Registers at Crash Point

Memory Dumping Around the Crash

Step-by-Step Scenario: Diagnosing a Null Pointer Dereference

1. Identify the Target Library and Potential Crash Area

2. Write a Frida Script for Analysis

3. Execute the Script and Trigger the Crash

Conclusion

Introduction

The Nuances of JNI & Native Libraries

Basic Frida Native Hooking Revisited

Advanced JNI Function Hooking with Frida

Hooking Dynamically Registered JNI Functions

Introduction to Frida and Native Android Reversing

Setting Up Your Android Reversing Environment

Prerequisites

Installing and Running Frida-Server

Identifying Native Functions for Targeted Interception

Initial Reconnaissance with readelf and nm

Decompilers: Ghidra and IDA Pro

Crafting Your First Frida Native Hook

Hooking a Simple, Exported Function

Advanced Interception: Unveiling Unexported or Obscure Native Calls

Understanding Library Base Addresses and Offsets

Introduction: The Hidden World of Android I2C Devices

Understanding I2C on Android

Identifying I2C Bus Controllers

The Challenge of Unlisted Devices

Advanced Probing Techniques

1. Leveraging i2cdetect (If Available)

Compiling i2cdetect for Android:

2. Manual Probing with i2c-dev (C Code)

Probing C Code Example:

3. Analyzing Kernel Device Tree (DTB)

Extracting and Decompiling the DTB:

Conclusion

Introduction

Prerequisites

Understanding I2C on Android’s Linux Kernel

Step 1: Establish Rooted ADB Shell Access

Step 2: Identifying Available I2C Buses

Step 3: Installing I2C Tools on Android

Step 4: Enumerating I2C Devices with `i2cdetect`

Step 5: Dumping EEPROM Data with `i2cdump`

Step 6: Reading and Writing Register Configurations with `i2cget` and `i2cset`

Reading a Register with `i2cget`

Writing to a Register with `i2cset`

Advanced Considerations

Conclusion

Introduction: Unlocking the Android Sensor Ecosystem

Understanding I2C Fundamentals in an Android Context

I2C Bus Enumeration via Android Shell

Required Tools and Setup

Hardware

Software

Locating the I2C Bus on the PCB

Connecting the Logic Analyzer

Basic Hooking with `Interceptor.attach`

Replacing Native Functions Entirely with `Interceptor.replace`

Scenario: A native library `libcalc.so` with `multiply_numbers(int a, int b)`.

C/C++ Source for `multiply_numbers` (`native-lib.cpp`):

Frida Script to Modify Arguments and Return Value (`hook.js`):

Initial Reconnaissance with `readelf` and `nm`

1. Leveraging `i2cdetect` (If Available)

Compiling `i2cdetect` for Android:

2. Manual Probing with `i2c-dev` (C Code)

Tracing I2C Device Probes with `ftrace`

Setting up `ftrace` for I2C Probes

Analyzing `dmesg` Output for I2C Probes

Use `ftrace` for Detailed Probe Tracing: