@qwerty12
Last active October 13, 2025 12:28
Notes on using Frida Gadget with an Android 12 32-bit ARM TV box
  • APKEditor will merge split APKs: apkeditor m -i <folder_with_split_apks>

  • The only tool worth using to inject the Frida gadget is ksg97031's frida-gadget

  • The right argument to frida(.exe) to target the gadget is -n Gadget

    • I was mistakenly using -f instead which I guess worked at some point (ref. for the fix)...

    • Somewhere between Frida 13/14 and 16, the gadget's "process" name changed from re.frida.Gadget to just Gadget

      • I didn't know this was the case when I'd copied it from an old Batch file written in 2024. Had I just run frida-ps -U sooner...
  • Frida 17.3.2 (and quite a few versions prior) is totally broken on ARM32 devices. The most basic of scripts using Java interop will cause errors like "Error: invalid instruction" and "cannot set property '_code' of null".

    • tl;dr, fix now: frida-gadget.exe --frida-version 16.7.13 and pip install frida==16.2.1 frida-tools==12.3.0

    • Thanks to TsaiHao for opening frida/frida-java-bridge#364 and finding out what bollocksed Frida up. The version of Frida released immediately before the date on the referenced commit is 16.7.13

    • Because it's one major version down, the latest frida-tools will not be able to communicate with this gadget. I don't know the absolute last version that works with gadget version 16.7.13, but kyle-lu's comment (repeated in tl;dr) frida/frida#2924 (comment) installs something compatible

      • If you're using pipx to install the Frida tools, run pipx install --pip-args=frida==16.2.1 -- frida-tools==12.3.0
  • The frida-gadget tool will target the wrong activity when patching Android TV APKs. Use your favourite tool for reading an APK's AndroidManifest.xml (aapt/aapt2/apktool/jadx-gui etc.) and look for android.intent.category.LEANBACK_LAUNCHER. If there's a corresponding action of android.intent.action.MAIN, copy the value of android:name and use it as the value of frida-gadget --main-activity.
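
The manifest lookup in the last bullet can be scripted. This is an added example, not part of the original gist: it assumes the manifest has already been decoded to text XML (for instance by apktool), and the function name `leanback_main_activities` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"

# Constructed sample manifest (decoded text XML, not taken from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tvapp">
  <application>
    <activity android:name=".PhoneActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".tv.TvActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def leanback_main_activities(manifest_xml):
    """List (android:name, fully qualified name) of MAIN + LEANBACK_LAUNCHER activities."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for flt in comp.findall("intent-filter"):
                actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
                cats = {c.get(ANDROID + "name") for c in flt.findall("category")}
                if MAIN in actions and LEANBACK in cats:
                    name = comp.get(ANDROID + "name", "")
                    # A leading "." or no dot at all means package-relative.
                    rel = name.startswith(".") or "." not in name
                    full = package + ("" if name.startswith(".") else ".") + name if rel else name
                    hits.append((name, full))
                    break  # one matching filter per component is enough
    return hits


if __name__ == "__main__":
    for written, full in leanback_main_activities(SAMPLE_MANIFEST):
        print(f"android:name={written} -> {full}")
```

The first element of each pair is the android:name value as written in the manifest, which is what the bullet above says to pass to --main-activity; the second is the same name resolved against the package.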

As an aside, you can install certs into the user certificate store on Android TV 12 but it's a whole process starting with disabling the default launcher.
