Android 12 + Kernel 5.4, but capture tls return all 0 #296

Closed
HorseLuke opened this issue Jan 17, 2023 · 3 comments
Labels
question Further information is requested

HorseLuke commented Jan 17, 2023

Describe the bug
I have an Android device with Android 12 + Kernel 5.4, but capture tls returns all 0.
Device is Moto g71s (XT2225-2)

To Reproduce

rhodep:/system/bin/ecapture-nocore # zcat /proc/config.gz |grep CONFIG_DEBUG_INFO_BTF
# CONFIG_DEBUG_INFO_BTF is not set

rhodep:/system/bin/ecapture-nocore # ./ecapture -v
ecapture version:       androidgki_aarch64:0.4.11-20230107-7b66305:5.4.0-104-generic

rhodep:/system/bin/ecapture-nocore # ./ecapture tls

Expected behavior

capture tls returns cleartext

Screenshots

rhodep:/system/bin/ecapture-nocore # ./ecapture tls
tls_2023/01/17 16:14:41 ECAPTURE :: ecapture Version : androidgki_aarch64:0.4.11-20230107-7b66305:5.4.0-104-generic
tls_2023/01/17 16:14:41 ECAPTURE :: Pid Info : 662
tls_2023/01/17 16:14:41 ECAPTURE :: Kernel Info : 5.4.147
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        module initialization
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        master key keylogger: ecapture_masterkey.log
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        Module.Run()
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        UPROBE MODEL
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        OpenSSL/BoringSSL version not found, used default version :android_default
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        HOOK type:2, binrayPath:/apex/com.android.conscrypt/lib64/libssl.so
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        Hook masterKey function:SSL_in_init
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        target all process.
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        target all users.
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        BPF bytecode filename:user/bytecode/boringssl_1_1_1_kern.o
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        module started successfully.
tls_2023/01/17 16:14:41 ECAPTURE ::     start 1 modules
tls_2023/01/17 16:14:45 UUID:987_1244_pool-5-thread-1_0_1, Name:DefaultParser, Type:0, Length:1972
tls_2023/01/17 16:14:45
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00           |.............|

Linux Server/Android (please complete the following information):

  • Env: [run make env to get the environment variables]
  • OS: Android 12
  • Arch: aarch64
  • Kernel Version: 5.4.147-moto
  • Version: v0.4.11 NOCORE

Additional context
I read some issues (link: #293 (comment)). Is it that kernel 5.4 is not supported on aarch64?

HorseLuke changed the title from "Android 12 + Kernel 5.4, but caputre tls return all 0" to "Android 12 + Kernel 5.4, but capture tls return all 0" on Jan 17, 2023
@cfc4n cfc4n added the question Further information is requested label Jan 18, 2023
cfc4n (Member) commented Jan 18, 2023

> I read some issues (link: #293 (comment)). Is it that kernel 5.4 is not supported on aarch64?

You are right.

Incorrect, Linux kernel Arm64 (aarch64) supported this feature with bpf_probe_read_user at https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5

So, you need to use Android (Linux) kernel 5.5 or newer to use eCapture on arm64 (aarch64).
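
The rule from the reply above as a preflight check run before starting a capture; this is an added example, not part of the thread and not eCapture code. The function names are hypothetical, the 5.5 threshold for arm64 is taken from the maintainer's reply, and the sample values in the usage comment come from the report.

```shell
#!/bin/sh
# Added example, not eCapture code. Assumption taken from the maintainer's reply:
# on arm64/aarch64, bpf_probe_read_user needs kernel 5.5 or newer.

# kver_ge RELEASE MAJOR MINOR
# Returns 0 if RELEASE (e.g. "5.4.147-moto") >= MAJOR.MINOR, 1 if older, 2 if unparseable.
kver_ge() {
    rel=${1%%[!0-9.]*}              # drop a vendor suffix such as "-moto"
    case "$rel" in
        [0-9]*.[0-9]*) ;;           # need at least "major.minor"
        *) return 2 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ -n "$minor" ] || return 2     # rejects inputs like "5..4"
    if [ "$major" -gt "$2" ]; then return 0; fi
    if [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; then return 0; fi
    return 1
}

# ecapture_preflight ARCH RELEASE [BTF_CONFIG_LINE]
# Prints a verdict. Returns 0 = capture can work, 1 = kernel too old, 2 = unknown.
# Only arm64 is checked; the thread states no threshold for other architectures.
ecapture_preflight() {
    arch=$1; release=$2; btf=${3:-}
    case "$arch" in
        aarch64|arm64)
            rc=0
            kver_ge "$release" 5 5 || rc=$?
            if [ "$rc" -eq 2 ]; then
                echo "UNKNOWN: cannot parse kernel release '$release'"
                return 2
            elif [ "$rc" -eq 1 ]; then
                echo "UNSUPPORTED: $arch kernel $release is older than 5.5"
                return 1
            fi ;;
    esac
    case "$btf" in
        CONFIG_DEBUG_INFO_BTF=y) echo "OK: kernel has BTF" ;;
        *) echo "OK: kernel has no BTF, use the NOCORE build" ;;
    esac
}

# On a device:
#   ecapture_preflight "$(uname -m)" "$(uname -r)" \
#       "$(zcat /proc/config.gz 2>/dev/null | grep CONFIG_DEBUG_INFO_BTF)"
# With the reporter's values (aarch64, 5.4.147-moto) this returns 1.
```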

cfc4n added a commit that referenced this issue Jan 18, 2023
HorseLuke (Author) commented

OK, thanks

cfc4n added a commit that referenced this issue Jan 19, 2023
HorseLuke (Author) commented

Open discussion: #308
