
[Linux / Android] Cannot set breakpoint via `:db [addr]`

Open JingMatrix opened this issue 5 months ago • 8 comments

Hello, this is my first time using r2frida. I compiled a hello_world C program on my Linux x86_64, and inspected it with r2frida.

My frida version is 17.2.14 and my radare2 version is 5.9.8.

No matter which address I set with the `:db [addr]` command, it always failed with the response:

```
ERROR: error: cannot read property 'setHardwareBreakpoint' of undefined
```

Regarding this issue, I would also like to ask if a hardware breakpoint is the only type of breakpoint I can set with r2frida. If there are other alternatives, how could I set them?

Concerning the hardware breakpoint, is it implemented via the debug registers?

JingMatrix avatar Aug 12 '25 13:08 JingMatrix

works fine on macos and ios at least. if it's a bug it's a linux-specific issue

trufae avatar Aug 12 '25 17:08 trufae

ah i see, the problem is that the process is not running, so you can't set a breakpoint because there's no thread to work on. this is a linux-specific issue and that could be considered a bug in frida because the behaviour is inconsistent between ios and android. you can see how that works if you do `:dc` and then `:db ...`

trufae avatar Aug 12 '25 17:08 trufae

You were right about the resuming issue, which is in the latest commit. Resuming the process will allow us to set a breakpoint.

However, this introduces a timing issue. The command `:dc ; :db [addr]` excludes the possibility of hooking addresses near the entry point. Do you have any idea how to solve this?

JingMatrix avatar Aug 12 '25 19:08 JingMatrix

@JingMatrix use the Frida API instead of using traditional breakpoints

enovella avatar Aug 13 '25 06:08 enovella

@enovella there are several solutions to this problem. r2frida allows running commands when threads are created, so you can enqueue the breakpoint to be executed after that.

i think i can add support for setting breakpoints before any thread exists. but ideally it's something that should be addressed in Frida itself. Also, r2frida assumes the breakpoint will be attached to the very first thread, which sometimes is not what we want.

Another design problem in Frida is that breakpoints are tied to threads, so you can't have them work on multiple threads unless you handle that from the agent logic. We can address all this in r2frida, but the Frida API doesn't solve the problem by itself.

trufae avatar Aug 13 '25 10:08 trufae

@enovella Indeed, I already tried using the Frida API directly, see https://github.com/frida/frida-gum/issues/1059.

Note: it is possible to use hardware breakpoints as illustrated in https://github.com/nowsecure/r2frida/pull/732#issuecomment-3189573331.

JingMatrix avatar Aug 13 '25 11:08 JingMatrix

@JingMatrix did you have a chance to start working on the new db command?

trufae avatar Aug 30 '25 06:08 trufae

@trufae Ah, not yet, too many projects at hand to finish. The Android rooting community needs me a lot.

JingMatrix avatar Aug 30 '25 06:08 JingMatrix