Riru

Inject into zygote process

4,988

583

4,988

Top Related Projects

Quick Overview

Riru is an open-source project that provides a way to inject custom code into Android's system server process and apps' processes. It allows developers to modify the behavior of Android systems and apps without changing the system files, making it particularly useful for creating Xposed-like modules and other system modifications.

Pros

Enables powerful system-level modifications without altering system files
Supports a wide range of Android versions (from Android 6.0 to 13)
Provides a framework for creating modules that can run in both system and app processes
Minimal performance impact due to its lightweight design

Cons

Requires root access, which may void device warranty and introduce security risks
Can potentially cause system instability if modules are not properly implemented
Limited documentation and examples, which may make it challenging for new developers
Dependent on specific device architectures and Android versions, limiting its universal applicability

Getting Started

To use Riru, follow these steps:

Root your Android device
Install Magisk (a popular root management tool)
Download the latest Riru release from the GitHub repository
Flash the Riru zip file through Magisk Manager
Reboot your device
Install Riru modules as needed

Note: Detailed instructions and compatibility information can be found in the project's README file on GitHub.

Competitor Comparisons

Magisk

51,615

The Magic Mask for Android

Pros of Magisk

More comprehensive root solution with built-in module system
Actively maintained with frequent updates and improvements
Larger user base and community support

Cons of Magisk

More complex and potentially intrusive system modifications
Higher risk of bootloops or system instability if not used carefully
Requires more frequent updates to maintain compatibility

Code Comparison

Magisk (init.cpp):

static int magisk_main(int argc, char *argv[]) {
    umask(0);
    setup_klog();
    cmdline_logging();
    init_argv0(argc, argv);
    return main_handler(argc, argv);
}

Riru (main.cpp):

static int riru_main(int argc, char *argv[]) {
    android::base::InitLogging(argv, android::base::LogdLogger(android::base::SYSTEM));
    LOGI("Riru %s (%d) initializing...", RIRU_VERSION_NAME, RIRU_VERSION_CODE);
    return init();
}

Both projects aim to modify Android systems, but Magisk offers a more comprehensive solution for root access and system modifications, while Riru focuses on providing a framework for modules to modify the Android runtime. Magisk has a larger feature set and community, but may introduce more system-wide changes. Riru is generally less intrusive but more limited in scope.

LSPosed

19,993

LSPosed Framework

Pros of LSPosed

More user-friendly with a graphical interface for module management
Supports a wider range of Android versions (8.1-13)
Offers more advanced features like module scope control and dynamic module loading

Cons of LSPosed

Requires more system resources due to its expanded feature set
May have compatibility issues with some older Xposed modules
More complex setup process for developers creating modules

Code Comparison

LSPosed uses a more modern approach to hooking:

XposedHelpers.findAndHookMethod(
    "android.app.ActivityThread",
    classLoader,
    "handleBindApplication",
    "android.app.ActivityThread$AppBindData",
    new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // Hook implementation
        }
    }
);

Riru, being a lower-level framework, typically requires more manual setup:

static void forkAndSpecializePre(
    JNIEnv *env, jclass clazz, jint *uid, jint *gid, jintArray *gids,
    jint *runtime_flags, jobjectArray *rlimits, jint *mount_external,
    jstring *se_info, jstring *nice_name, jintArray *fds_to_close,
    jintArray *fds_to_ignore, jboolean *is_child_zygote,
    jstring *instruction_set, jstring *app_data_dir) {
    // Pre-fork implementation
}

Both projects aim to extend Android's functionality, but LSPosed provides a higher-level abstraction for developers, while Riru offers more low-level control at the cost of increased complexity.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Deprecated

All Riru users and Riru modules should migrate to Zygisk.

Riru

Riru only does one thing, inject into zygote in order to allow modules to run their codes in apps or the system server.

The name, Riru, comes from a character. (https://www.pixiv.net/member_illust.php?mode=medium&illust_id=74128856)

Requirements

Android 6.0+ devices rooted with Magisk

Guide

Install

From Magisk Manager
1. Search "Riru" in Magisk Manager
2. Install the module named "Riru"
The Magisk version requirement is enforced by Magisk Manager. You can check Magisk's module installer script.
Manually
1. Download the zip from the GitHub release
2. Install in Magisk Manager (Modules - Install from storage - Select downloaded zip)

Common problems

Third-party ROMs have incorrect SELinux rule

https://github.com/RikkaApps/Riru/wiki/Explanation-about-incorrect-SELinux-rules-from-third-party-ROMs-cause-Riru-not-working
Have low quality module that changes ro.dalvik.vm.native.bridge installed

If you are using other modules that change ro.dalvik.vm.native.bridge, Riru will not work. (Riru will automatically set it back)

A typical example is, some "optimize" modules change this property. Since changing this property is meaningless for "optimization", their quality is very questionable. In fact, changing properties for optimization is a joke.

How Riru works?

How to inject into the zygote process?

Before v22.0, we use the method of replacing a system library (libmemtrack) that will be loaded by zygote. However, it seems to cause some weird problems. Maybe because libmemtrack is used by something else.

Then we found a super easy way, the "native bridge" (ro.dalvik.vm.native.bridge). The specific "so" file will be automatically "dlopen-ed" and "dlclose-ed" by the system. This way is from here.
How to know if we are in an app process or a system server process?

Some JNI functions (com.android.internal.os.Zygote#nativeForkAndSpecialize & com.android.internal.os.Zygote#nativeForkSystemServer) is to fork the app process or the system server process. So we need to replace these functions with ours. This part is simple, hook jniRegisterNativeMethods since all Java native methods in libandroid_runtime.so is registered through this function. Then we can call the original jniRegisterNativeMethods again to replace them.

How does Hide works?

From v22.0, Riru provides a hidden mechanism (idea from Haruue Icymoon), make the memory of Riru and module to anonymous memory to hide from "/proc/maps string scanning".

Build

Gradle tasks:

:riru:assembleDebug/Release

Generate Magisk module zip to out.
:riru:pushDebug/Release

Push the zip with adb to /data/local/tmp.
:riru:flashDebug/Release

Flash the zip with adb shell su -c magisk --install-module.
:riru:flashAndRebootDebug/Release

Flash the zip and reboot the device.

Module template

https://github.com/RikkaApps/Riru-ModuleTemplate

Module API changes

https://github.com/RikkaApps/Riru-ModuleTemplate/blob/master/README.md#api-changes