Riru only does one thing, inject into zygote in order to allow modules to run their codes in apps or the system server.
The name, Riru, comes from a character. (https://www.pixiv.net/member_illust.php?mode=medium&illust_id=74128856)
由于 Riru
平台的实现原理并不完全依赖 Magisk
所以可以自行编写脚本实现 免 Magisk
手动刷入
不过真机对于系统文件有保护等乱七八糟的东西, 并且一旦出问题必定炸鸡
所以 !!!! 请不要在真机上运行 !install.sh
手动刷入脚本 !!!!
手动刷入脚本
食用教程: Riru-Shell 刷入教程
- 使用
安卓7
以上带ROOT
的全新ROM
- 安装
MT管理器
或其他带终端的文件管理器, 并且导入刷入包
进行解压 - 进入解压出来的文件夹, 以
ROOT
权限执行!install.sh
脚本
-
刷入包(zip) GitHub release
-
"Riru" 应用程序(状态显示器) Download
Android 6.0+ devices rooted with Magisk
-
From Magisk Manager
- Search "Riru" in Magisk Manager
- Install the module named "Riru"
The Magisk version requirement is enforced by Magisk Manager. At the time of the release of Magisk v21.1, the requirement is v20.4.
-
Manually
- Download the zip from the GitHub release
- Install in Magisk Manager (Modules - Install from storage - Select downloaded zip)
-
"Riru" app (show Riru status)
If you are using other modules that change ro.dalvik.vm.native.bridge
, Riru will not work. (Riru will automatically set it back)
A typical example is, some "optimize" modules change this property. Since changing this property is meaningless for "optimization", their quality is very questionable. In fact, changing properties for optimization is a joke.
- When the file
/data/adb/riru/disable
exists, Riru will do nothing - When the file
/data/adb/riru/enable_hide
exists, the hidden mechanism will be enabled (also requires the support of the modules)
-
How to inject into the zygote process?
Before v22.0, we use the method of replacing a system library (libmemtrack) that will be loaded by zygote. However, it seems to cause some weird problems. Maybe because libmemtrack is used by something else.
Then we found a super easy way, the "native bridge" (
ro.dalvik.vm.native.bridge
). The specific "so" file will be automatically "dlopen-ed" and "dlclose-ed" by the system. This way is from here. -
How to know if we are in an app process or a system server process?
Some JNI functions (
com.android.internal.os.Zygote#nativeForkAndSpecialize
&com.android.internal.os.Zygote#nativeForkSystemServer
) is to fork the app process or the system server process. So we need to replace these functions with ours. This part is simple, hookjniRegisterNativeMethods
since all Java native methods inlibandroid_runtime.so
is registered through this function. Then we can call the originaljniRegisterNativeMethods
again to replace them.
From v22.0, Riru provides a hidden mechanism (idea from Haruue Icymoon), make the memory of Riru and module to anonymous memory to hide from "/proc/maps
string scanning".
Run gradle task :riru:assembleRelease
task from Android Studio or the terminal, zip will be saved to out
.
https://github.com/RikkaApps/Riru-ModuleTemplate
https://github.com/RikkaApps/Riru-ModuleTemplate/blob/master/README.md#api-changes