Introduction

r2frida is a plugin for radare2 that connects to a Frida server in order to combine static and dynamic analysis bringing the best of both worlds to you!

As long as it is an IO plugin, it's main purpose is to read/write memory from a process and provides extended functionalities via the : command which runs command thru the IO API.

Installation

From r2 package manager:

r2pm -ci r2frida

Android & iOS Connection

Retrieve the device id using frida-ls-devices and the name of the app using frida-ps. The package name may be preferable if the display name contains spaces.

If a deviceid is not specified, it will use the default one found by Frida.

Devices

You can retrieve the available devices using r2frida:

r2 frida://launch//
Id                                          Type Name
-----------------------------------------------------
14c0ce8df9d2ac3c1c42f17e4c0f5b2acfec3829     usb iPad
barebone                                  remote GDB Remote Stub
local                                      local Local System
socket                                    remote Local Socket

List Processes and Application identifiers

Retrieve process list and application identifiers:

r2 frida://launch/usb//
PID           Name Identifier
-----------------------------
-            Books com.apple.iBooks
-           Camera com.apple.camera
-            Clock com.apple.mobiletimer
-         Contacts com.apple.MobileAddressBook
-         FaceTime com.apple.facetime
-            Files com.apple.DocumentsApp
-          Find My com.apple.findmy
-         Freeform com.apple.freeform
-             Home com.apple.Home
-        Magnifier com.apple.Magnifier
-             Mail com.apple.mobilemail
-             Maps com.apple.Maps
-          Measure com.apple.measure
-         Messages com.apple.MobileSMS
-            Music com.apple.Music
-      Photo Booth com.apple.Photo-Booth
-           Photos com.apple.mobileslideshow
-         Podcasts com.apple.podcasts
-        Reminders com.apple.reminders
-           Safari com.apple.mobilesafari
-        Shortcuts com.apple.shortcuts
-           Stocks com.apple.stocks
-               TV com.apple.tv
-             Tips com.apple.tips
-        Translate com.apple.Translate
-      Voice Memos com.apple.VoiceMemos
-          Weather com.apple.weather
-        helloObjC me.murphy.helloObjC.helloObjC
-     iTunes Store com.apple.MobileStore
281       palera1n com.llsc12.palera1nLoader
282      App Store com.apple.AppStore
311          Notes com.apple.mobilenotes
451       Calendar com.apple.mobilecal
2018         Sileo org.coolstar.SileoStore
4376      Settings com.apple.Preferences
4429  syscallstrap me.murphy.syscallstrap

Attach

Attach to a running app using the display name.

r2 frida://attach/usb/device-id/processName

To attach to a running app, you can specify the process name or the PID of the target process.

Attach to the Frida Gadget:

r2 frida://attach/usb//Gadget

Spawn

Spawn an app using two // and the package name (Android) or bundle id (iOS). This will NOT resume the application once spawned.

r2 frida://spawn/usb/device-id/bundle-id

Or without entering the device-id:

r2 frida://spawn/usb//bundle-id

Launch

Launch an app using two // and the package name (Android) or bundle id (iOS). This will resume the application once spawned.

r2 frida://launch/usb/device-id/bundle-id

Or without entering the device-id:

r2 frida://launch/usb//bundle-id