Android strace guide

steadfasterX edited this page Dec 5, 2024 · 10 revisions

The ultimate strace guide

download + installation

The following is a precompiled strace binary for arm64 devices without any library dependencies: strace.bin . It is not a special strace build and is meant only as a fallback if your OS does not already include one.

Installation:

  1. adb root
  2. adb remount
  3. adb push strace.bin /system/bin/strace
  4. adb shell chmod +x /system/bin/strace

tracing a process/binary

the following is assumed to have been run before all commands below:

adb shell
ps |grep whateverproc

--> get the pid (FILLINPID in the next steps)

execute a binary by strace and output to a file

strace -tt -y -ff -a 120 -s 600 -o /tmp/strace.log <BINARY>

the following filters the output before it is written to the file:

strace -tt -y -ff -a 120 -s 600 <BINARY> 2>&1 |grep -v ppoll > /tmp/strace.log

attach to a running single pid and output to a file

strace -tt -y -ff -a 120 -s 600 -p FILLINPID -o /tmp/strace.log

the following filters the output before it is written to the file:

strace -tt -y -ff -a 120 -s 600 -p FILLINPID 2>&1 |grep -v ppoll > /tmp/strace.log

multiple pids (non-forked ones) at the same time

check "strace args explained" below, because this is usually not needed thanks to -ff

strace -tt -y -a 120 -s 600 -ff -p FILLINPID1 -p FILLINPID2 -o /tmp/strace.log

again here with a filter:

strace -tt -y -a 120 -s 600 -ff -p FILLINPID1 -p FILLINPID2 2>&1 |grep -v ppoll > /tmp/strace.log

dynamic pid

<FILL-IN-COMMAND> is what you see in "ps" output:

strace -y -ff -a 120 -s 600 -tt -p $(ps -A -o pid,command | grep '<FILL-IN-COMMAND>' | grep -E -o '[0-9]+')

or without opening an adb shell first (beware of the quotes! the following command expects to be run on Linux):

adb shell "strace -y -ff -a 120 -s 600 -tt -p \$(ps -A -o pid,command | grep '<FILL-IN-COMMAND>' | grep -E -o '[0-9]+')" 2>&1 | grep -E -v "ppoll|nanosl|dbfifo"

PIPE grep (| grep) for all files accessed

strace ... 2>&1 | grep -vE "ppoll|unfinished|resume|clock_gettime|_IOC_READ" | grep -E "faccessat|fstatat64|openat|denied|fail|unlink"
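The grep filter above still leaves successful calls in the output. The following is an added example, not part of the original page, that keeps only failed file-access syscalls and counts them per errno and path. The function names `sample_trace` and `failed_file_access` are hypothetical, the trace lines are constructed, and `newfstatat` is added to the page's syscall list as an assumption for 64-bit targets.

```shell
#!/bin/sh
# Added example, not from the original page: summarise failed file accesses
# in strace output captured with the flags used on this page.

# Constructed sample lines in "strace -tt -y" format; not a real trace.
sample_trace() {
cat <<'EOF'
[pid  4321] 10:15:02.100001 openat(AT_FDCWD, "/system/lib64/libc.so", O_RDONLY|O_CLOEXEC) = 3</system/lib64/libc.so>
[pid  4321] 10:15:02.100420 faccessat(AT_FDCWD, "/data/vendor/camera/cfg.xml", R_OK) = -1 EACCES (Permission denied)
[pid  4321] 10:15:02.101007 openat(AT_FDCWD, "/vendor/etc/camera/tuning.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4325] 10:15:02.101300 openat(AT_FDCWD, "/dev/binder", O_RDWR|O_CLOEXEC <unfinished ...>
[pid  4321] 10:15:02.102000 faccessat(AT_FDCWD, "/data/vendor/camera/cfg.xml", R_OK) = -1 EACCES (Permission denied)
[pid  4321] 10:15:02.102500 read(7</dev/video0>, 0x7fd3a0, 4096) = -1 EAGAIN (Resource temporarily unavailable)
[pid  4325] 10:15:02.103000 <... openat resumed>) = 8</dev/binder>
EOF
}

# Read strace lines on stdin and print "COUNT ERRNO SYSCALL PATH", most
# frequent first. Calls split into unfinished/resumed halves are dropped,
# exactly as the page's grep filter does.
failed_file_access() {
    grep -vE 'unfinished|resumed' | awk '
        / = -1 E[A-Z0-9]+/ && match($0, /(faccessat2?|fstatat64|newfstatat|openat|unlinkat?)\(/) {
            call = substr($0, RSTART, RLENGTH - 1)        # syscall name without "("
            rest = substr($0, RSTART + RLENGTH)           # arguments and result
            q = index(rest, "\"")                         # first quoted argument is the path
            if (q == 0) next
            path = substr(rest, q + 1)
            path = substr(path, 1, index(path, "\"") - 1)
            match(rest, / = -1 E[A-Z0-9]+/)
            err = substr(rest, RSTART + 6, RLENGTH - 6)   # errno name, e.g. EACCES
            seen[err " " call " " path]++
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real trace use e.g.
#   cat /tmp/strace.log* | failed_file_access
sample_trace | failed_file_access
```

Repeated EACCES entries for one path are a quick pointer to a missing file permission or SELinux rule for the traced process.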

tracing a service

  1. prepare service, yes even start it!
stop <service-name>
setprop ctl.sigstop_on <service-name>
start <service-name>
  2. find sigstopped init and attach strace to it
ps -A |grep stop (find the sigstopped init PID : "do_signal_stop")

or if that does not show anything try (WCHAN is the important column here):
ps -A -o PID,CMD,ARGS,COMMAND,WCHAN | grep stop

strace -tt -y -a 120 -s 600 -ff -p <PID>

or if you want to save the output to a file:

strace -tt -y -a 120 -s 600 -ff -p <PID> -o /sdcard/Download/strace_service.log

  3. continue starting the service by opening a NEW adb shell and:

kill -SIGCONT <pid of the above sigstopped init>

The service will continue as usual but completely strace'd.

  4. revert the sigstop -> either just reboot or set:
setprop ctl.sigstop_off <service-name>
start <service-name>

strace args explained

-y    : print paths associated with file descriptor arguments
-tt   : print absolute timestamp with usecs
-ff   : follow forks with output into separate files (mainly for "-o" only)
-a    : alignment COLUMN for printing syscall results (default 40)
-s    : limit length of print strings to STRSIZE chars (default 32)
-p    : pid of the process we want to attach to
-o    : output everything to a given file instead of stderr (-ff is recommended then, too)