
I am currently working on intercepting calls to HermesRuntimeImpl::call in a React Native Android application using Frida. My goal is to extract the arguments passed to this function and perform additional operations. However, I encountered an access violation error while attempting to call a function (valueToString) within the interception.

let libhermesBaseAddress = Module.findBaseAddress("libhermes.so");
let hermesRuntimeImplCallAddress = libhermesBaseAddress.add(0x1f3931 - 0x00100000);
let runtimePtr = Module.findExportByName("libhermes.so", "_ZN8facebook6hermes17makeHermesRuntimeERKN6hermes2vm13RuntimeConfigE");
let valueToStringAddr = Module.findExportByName("libjsi.so", "_ZNK8facebook3jsi5Value8toStringERNS0_7RuntimeE");

Interceptor.attach(hermesRuntimeImplCallAddress, {
    onEnter: function (args) {
        console.log("HermesRuntimeImpl::call intercepted");

        // Extracting arguments
        let func = args[1]; // jsi::Function
        let jsThis = args[2]; // jsi::Value
        let jsArgs = args[3]; // jsi::Value
        let count = args[4]; // size_t count
        
        // Logging arguments
        console.log(`Function: ${func}`);
        console.log(`jsThis: ${jsThis}`);
        console.log(`jsArgs: ${jsArgs}`);
        console.log(`Count: ${count}`);
        console.log(`runtimePtr: ${runtimePtr}`);
        console.log(`valueToStringAddr: ${valueToStringAddr}`);

        // Get the valueToString function address
        let valueToString = new NativeFunction(valueToStringAddr, 'pointer', ['pointer', 'pointer']);
        
        // Call the valueToString function with jsThis and runtimePtr
        let resultPtr = valueToString(jsThis, runtimePtr);
        
        // Convert the result pointer to a JavaScript string
        let resultString = Memory.readUtf8String(resultPtr);
        
        console.log("Value to String Result:", resultString);
    }
}); 

Error: access violation accessing 0x500000cf0

Hook React Native function calls by hooking its call handler on Hermes: jsi::Value HermesRuntimeImpl::call.

Unfortunately this method is not exported, so I have to open libhermes.so manually and identify its address. It is one of two methods that use the string "HermesRuntimeImpl::call: Unable to call function: stack overflow", so finding it is not too complicated (the other method is for executing constructors, so it may be worth hooking both methods).

So this is my starting point:

Interceptor.attach(Module.findBaseAddress("libhermes.so").add(0x001267d8 - 0x00100000), {
    onEnter: function (args) {
        let func = args[1]; // jsi::Function
        let jsThis = args[2]; // jsi::Value
        let jsArgs = args[3]; // jsi::Value
        let count; // = args[4]; // size_t count
        console.log(`HermesRuntimeImpl::call ${func} ${jsThis} ${jsArgs} ${count}`);
    }
});

jsi::Function and jsi::Value seem to be defined in libjsi.so. But for calling them you need a HermesRuntime instance.

I tried to get a string from one of the arguments using jsi::Value::toString(Runtime):

let valueToStringAddr = Module.findExportByName("libjsi.so", "_ZNK8facebook3jsi5Value8toStringERNS0_7RuntimeE");
let valueToString = new NativeFunction(valueToStringAddr, 'pointer', ['pointer']);

But that requires a Runtime (HermesRuntime?) instance. The only way to get one I found so far is hooking the function makeHermesRuntime (Module.findExportByName("libhermes.so", "_ZN8facebook6hermes17makeHermesRuntimeERKN6hermes2vm13RuntimeConfigE")).

But in my environment it is not called.
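An added example (not code from the question) that takes the jsi::Runtime from the hook itself instead of from the makeHermesRuntime export: a non-static member function receives `this` as its first argument, and the assumption here is that HermesRuntimeImpl's jsi::Runtime base subobject lies at offset 0, so that pointer can be handed to jsi helpers as the Runtime. Because HermesRuntimeImpl::call returns jsi::Value by value, the Itanium C++ ABI passes a hidden result pointer; on arm64 it travels in x8, on the other Frida architectures it occupies the first argument slot, which decides which args[] index holds `this`.

```javascript
// Added example, not from the question. The hidden return pointer for a
// by-value class result travels in x8 on arm64, so args[] start at `this`;
// on x64, arm and ia32 it takes the first argument slot and shifts the rest.
function hiddenReturnSlots(arch) {
  if (arch === 'arm64') return 0;
  if (arch === 'x64' || arch === 'arm' || arch === 'ia32') return 1;
  throw new Error(`unsupported arch: ${arch}`);
}

// Map Frida's args[] to the parameters of
// jsi::Value HermesRuntimeImpl::call(const Function&, const Value& jsThis,
//                                    const Value* args, size_t count)
// arch is the value of Frida's Process.arch.
function callParams(args, arch) {
  const s = hiddenReturnSlots(arch);
  return {
    runtime: args[s],     // this: HermesRuntimeImpl*; assumed usable as jsi::Runtime*
    func: args[s + 1],    // const jsi::Function&
    jsThis: args[s + 2],  // const jsi::Value&
    jsArgs: args[s + 3],  // const jsi::Value*
    count: args[s + 4],   // size_t
  };
}

// Disassembler address minus the disassembler image base gives the module
// offset; 0x1f3931 and 0x00100000 are the values used in the question.
function rebase(disasmAddr, imageBase) {
  if (disasmAddr < imageBase) throw new RangeError('address below image base');
  return disasmAddr - imageBase;
}

// Frida-only part (Module, Interceptor, Process are Frida globals): hook
// HermesRuntimeImpl::call and keep the Runtime pointer the hook already has.
function hookHermesCall(offset) {
  const base = Module.findBaseAddress('libhermes.so');
  Interceptor.attach(base.add(offset), {
    onEnter(args) {
      const p = callParams(args, Process.arch);
      // p.runtime is the jsi::Runtime to pass to jsi helpers; hooking
      // makeHermesRuntime is not required to obtain it.
      console.log(`HermesRuntimeImpl::call this=${p.runtime} func=${p.func} ` +
                  `jsThis=${p.jsThis} args=${p.jsArgs} count=${p.count}`);
    },
  });
}

// Only attach when actually running inside Frida, so the helpers above can be
// exercised outside the agent as well.
if (typeof Interceptor !== 'undefined') hookHermesCall(rebase(0x1f3931, 0x00100000));
```

Note that jsi::Value::toString(Runtime&) likewise returns jsi::String by value, so a NativeFunction declared with a plain 'pointer' return type does not match its calling convention either.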
