Start
After installing Brida and its requirements, in order to use Brida (and Frida) against an application that is not running on your local operating system, you have to run frida-server on the target device with root privileges. Alternatively, if you have the IPA of your iOS application or the APK of your Android application, you can patch it with the Frida library, so that Frida can also be used on non-jailbroken/non-rooted devices.
- Download the right version of the frida server binary from the official repository (for example frida-server-XX.X.X-ios-arm64.xz if you have a 64-bit iOS device or frida-server-XX.X.X-ios-arm.xz otherwise)
- Copy the frida-server binary on the device using SCP (depending on the type of Jailbreak, you may need to put frida-server in a binaries folder /bin, /sbin, /usr/bin, etc. or to execute some operations on the binary)
- Execute the frida-server binary on the device using SSH
- The Frida client on your computer must be able to reach the Frida server on the mobile device. This task can be accomplished in two different ways:
- Via USB, simply connecting your iOS device to your computer (not all OSes are supported)
- Remotely. In this case you have to connect to your device using SSH, forwarding the local TCP port 27042. On Linux this task can be accomplished with the following command: "ssh -L 27042:127.0.0.1:27042 #IP_OF_IOS_DEVICE". On Windows you can use Putty and configure the connection as follows:
The Frida server binary can also be installed from a Cydia repository, but we prefer to manually download the binary and upload it on the device to have more control over the process.
Additional requirements: the IPA of the application and unfortunately a Mac computer/VM
If you want to use Brida and Frida on a non-jailbroken device you must have the IPA of the application. You need to patch the application with the Frida library ("Frida Gadget") and then install the patched application on your device. The most comfortable way to accomplish this task is to use the great Objection tool, released by Leon Jacobs. You can find a detailed guide on how to patch the application here.
After patching the application, you can install and execute it following this guide.
After launching the application, it remains stuck waiting for Frida. Now you can follow the Brida spawn procedure, setting re.frida.Gadget as Application ID.
- Download the right version of the Frida server binary from the official repository (frida-server-XX.X.X-android-arm64.xz if you have a 64-bit ARM Android device, frida-server-XX.X.X-android-arm.xz if you have a 32-bit ARM Android device, frida-server-XX.X.X-android-x86_64.xz if you have a 64-bit x86 Android device and frida-server-XX.X.X-android-x86.xz if you have a 32-bit x86 Android device)
- Copy the frida-server binary on the device using ADB:
  - `$ adb root`
  - `$ adb push frida-server /data/local/tmp/`
  - `$ adb shell "chmod 755 /data/local/tmp/frida-server"`
- Execute the frida-server binary on the device using ADB: `$ adb shell "/data/local/tmp/frida-server &"`
- The Frida client on your computer must be able to reach the Frida server on the mobile device. This task can be accomplished in two different ways:
  - Via USB, simply connecting your Android device to your computer
  - Remotely. In this case you have to redirect some ports using adb:
    - `adb forward tcp:27042 tcp:27042`
    - `adb forward tcp:27043 tcp:27043`
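The Android steps above, together with the frida-server file naming used in both the iOS and the Android sections, as one script. This is an added example and not Brida's or Frida's own code: it assumes `adb`, `xz` and `frida-ps` are on the PATH, that the matching frida-server-XX.X.X-&lt;platform&gt;-&lt;arch&gt;.xz file has already been downloaded into the current directory, and that the Frida version is passed on the command line (the `16.1.4` in the usage comment is a placeholder); the function names are mine.

```shell
#!/bin/sh
# Added example (not part of Brida): push frida-server to a rooted Android
# device over adb, start it, and expose it to the Frida client on the host.
set -eu

# Map a platform and ABI to the file name of the matching frida-server
# release asset. Android ABIs are what `getprop ro.product.cpu.abi`
# reports; for iOS pass "arm64" or "arm" yourself.
frida_server_asset() {
    platform="$1"   # android or ios
    abi="$2"
    version="$3"
    case "$platform/$abi" in
        android/arm64-v8a)                     arch=arm64 ;;
        android/armeabi-v7a|android/armeabi)   arch=arm ;;
        android/x86_64)                        arch=x86_64 ;;
        android/x86)                           arch=x86 ;;
        ios/arm64)                             arch=arm64 ;;
        ios/arm)                               arch=arm ;;
        *) echo "unsupported platform/abi: $platform/$abi" >&2; return 1 ;;
    esac
    printf 'frida-server-%s-%s-%s.xz\n' "$version" "$platform" "$arch"
}

# The Android procedure from the list above, driven by the device's own ABI.
deploy_android_frida_server() {
    version="$1"
    abi="$(adb shell getprop ro.product.cpu.abi | tr -d '\r')"
    asset="$(frida_server_asset android "$abi" "$version")"
    if [ ! -f "$asset" ]; then
        echo "$asset not found: download it from the Frida releases page first" >&2
        return 1
    fi
    xz -dc "$asset" > frida-server                 # unpack the .xz archive
    adb root && adb wait-for-device                # restart adbd as root (rooted/userdebug builds)
    adb push frida-server /data/local/tmp/
    adb shell "chmod 755 /data/local/tmp/frida-server"
    # Start it detached; redirecting its output lets 'adb shell' return instead of hanging
    adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
    # Remote mode needs both Brida ports forwarded; USB mode does not use them
    adb forward tcp:27042 tcp:27042
    adb forward tcp:27043 tcp:27043
    sleep 1
    # Sanity check: the client must be able to list processes on the device
    frida-ps -U >/dev/null && echo "frida-server is reachable over USB"
}

# Usage: ./deploy_frida.sh 16.1.4   (version number is a placeholder)
if [ "$#" -gt 0 ]; then
    deploy_android_frida_server "$1"
fi
```

`frida_server_asset` fails loudly on an ABI it does not know rather than guessing, so a typo in the architecture does not end with a binary that will not run on the device.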
Additional requirements: the APK of the application
If you want to use Brida and Frida on a non-rooted device, you must have the APK of the application. You need to patch the application with the Frida library ("Frida Gadget") and then install the patched application on your device. The most comfortable way to accomplish this task is to use the great Objection tool, released by Leon Jacobs. You can find a detailed guide on how to patch the application here.
After patching the application, you can install it using adb ("adb install app-patched.apk").
After launching the application by clicking it in the device, it remains stuck waiting for Frida. Now you can follow the Brida spawn procedure, setting re.frida.Gadget as Application ID.
Now that you have configured your testing environment, it's time to configure Brida itself. Let's go to the "Configurations" tab of Brida.
Here, you have to supply the following configuration parameters:
- "Python binary path" is the path of the python binary. You can use Python 2.7 or Python 3.X
- "Pyro host" and "Pyro port" are the host and port on which the Pyro server (used by Brida to bridge Burp Suite and Frida) will be started. In most cases you can leave the default values and Pyro server will be started on localhost:9999.
- "frida-compile path" is the path of the frida-compile binary. Brida uses a lot of Frida code, and we added frida-compile so that the user can keep his own hooks/functions/exports in a small Frida JS file
- "Frida JS files folder" is the path of the folder that contains Frida instrumentation JavaScript files with all the Frida and Brida hooks and exports. To properly use Brida you have to start from Brida default files (you can save those files using the "Load default JS files button") and add your own JS code to "brida.js" file. You don't need to edit other JS files, but you can't remove them because they are used by Brida components. We will explain it in more detail in a moment.
- "Application ID (spawn) / PID (attach)": you have to insert application ID of the application you are going to analyze (if you want to spawn the application) or the PID of the application (if you want to attach to the application). We will explain in a moment how to obtain this information from the device. If you patched the application with the Frida gadget you have to insert the value re.frida.Gadget.
- "Frida Remote"/"Frida USB"/"Frida Local": if you are using the Frida USB mode of operation you have to select the "Frida USB" option; if you are using the port forwarding mode you have to choose "Frida Remote"; if you are inspecting an application on your local operating system you have to choose "Frida Local".
To obtain the Application ID (needed to spawn the application):
- Android:
  - `frida-ps -Uai` (assuming Frida USB)
  - You can extract that information from the APK of the application itself (file: AndroidManifest.xml (decoded), attribute package of tag manifest)
- iOS:
  - `frida-ps -Rai` (assuming Frida remote, but sometimes it does not work very well...)
  - You can extract that information from the IPA of the application itself (file: Payload/XXX.app/Info.plist, entry: CFBundleIdentifier)
N.B. If you are using Frida Gadget the Application ID is always re.frida.Gadget
To obtain the PID (needed to attach to a running application):
- Android:
  - Launch the target application
  - `frida-ps -U` (assuming Frida USB)
- iOS:
  - Launch the target application
  - `frida-ps -R` (assuming Frida remote)
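A small parser for that frida-ps listing, added here as an example and not part of Brida, which picks out the Application ID to enter for "spawn" or the PID to enter for "attach" from `frida-ps -Uai` / `frida-ps -Rai` output. The listing embedded in the script is constructed in the column layout frida-ps prints (PID, Name, Identifier, with `-` as the PID of an installed app that is not running); the function names are mine.

```shell
#!/bin/sh
# Added example (not part of Brida): extract the Application ID or PID of an
# app from a frida-ps listing, by display name.
set -eu

# Constructed sample in the shape of `frida-ps -Uai` output.
SAMPLE_FRIDA_PS='  PID  Name               Identifier
-----  -----------------  -------------------------
 1234  Chrome             com.android.chrome
    -  Google Play Store  com.android.vending
 2048  Target Bank App    com.example.targetbank'

# Read a listing on stdin and print "<pid> <identifier>" for the app whose
# display name matches $1 exactly. Usage on a device:
#   frida-ps -Uai | frida_app_entry "Target Bank App"
frida_app_entry() {
    awk -v wanted="$1" '
        $1 !~ /^([0-9]+|-)$/ { next }          # skip header and separator lines
        {
            name = $2
            for (i = 3; i < NF; i++) name = name " " $i   # names may contain spaces
            if (name == wanted) { print $1, $NF; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Application ID to enter in Brida for "spawn".
frida_app_id() {
    id="$(frida_app_entry "$1" | cut -d' ' -f2)"
    if [ -z "$id" ]; then
        echo "no app named '$1' in the listing" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# PID to enter in Brida for "attach"; fails if the app is installed but not running.
frida_app_pid() {
    pid="$(frida_app_entry "$1" | cut -d' ' -f1)"
    if [ -z "$pid" ]; then
        echo "no app named '$1' in the listing" >&2
        return 1
    fi
    if [ "$pid" = "-" ]; then
        echo "'$1' is not running: launch it first, then attach" >&2
        return 1
    fi
    printf '%s\n' "$pid"
}
```

Matching on the full display name rather than a prefix avoids attaching to the wrong process when several apps share a name stem, and the "not running" check catches the common mistake of trying to attach before the app has been launched.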
Brida, in order to work properly, needs many Frida JS hooks packed in the following four JS files:
- brida.js: this file imports all the hooks from the other Brida JS files and it is the default location for the user's custom hooks/functions/exports. This is the only file that the user should usually edit
- bridaFunctions.js: this file includes all the hooks used by the various components of the Brida engine
- androidDefaultHooks.js: this file includes many hooks for Android to handle/bypass common security features that can be enabled in the "Hooks and functions" tab of Brida
- iosDefaultHooks.js: this file includes many hooks for iOS to handle/bypass common security features that can be enabled in the "Hooks and functions" tab of Brida
All these files are compiled with frida-compile on "Compile & Spawn"/"Compile & Attach" operations and the resulting JS file is loaded in the target process (if the compiled file is not present in the folder, the compilation is also executed on plain spawn/attach operations).
When the user starts the analysis on a new application, he should click on "Load default JS files" to load these files in a target directory as follows:
The user can add his own hooks/functions/exports to the brida.js file and, after closing and reopening Burp Suite, he can use the "Select folder" button to load the edited Brida JS files.
To execute our application with Brida we simply need to click first on "Start Server", which starts the Pyro4 server, and then on "Spawn application"/"Compile & Spawn" if we want to spawn the application, or on "Attach application"/"Compile & Attach" if we want to attach to a running application. Brida uses frida-compile to allow the user to work on a "thin" JS file, but consequently it needs to compile the JS files (copied using the "Load default JS files" button) before starting/attaching to the application. If the compiled JS file is not present in the working folder, Brida automatically compiles it before spawning/attaching. Afterwards, if the user modifies one of the JS files and wants to use his modifications, he has to use one of the "Compile & ..." buttons; otherwise the older compiled file will be used (the user has the choice to recompile or not because compilation takes many seconds, and if nothing was modified it is a waste of time to recompile on every spawn/attach operation).
From the same button panel, we can:
- Kill or detach application
- Reload JS file without killing/detaching application (with or without recompilation)
- Detach ALL the frida hooks (but the Frida function called does not work reliably...)
- Clear Brida console
Brida automatically remembers the last configuration values between Burp Suite startups and shutdowns. However, it can be useful to save settings to a file in order to reload them when working with different projects. You can save and load settings using the "Save settings to file" and "Load settings from file" buttons.