Comments (5)

DeepflashX avatar DeepflashX commented on June 18, 2024

Here is the output with debug enabled and proxy = 127.0.0.1.
Navimow still shows a certificate unpinning failure.

C:\Users\rogue\Downloads\unpinning>frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android-proxy-override.js -l ./android-system-certificate-injection.js -l ./android-certificate-unpinning.js -l ./android-certificate-unpinning-fallback.js -f com.segway.mower
     ____
    / _  |   Frida 16.1.8 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to IN2023 (id=6a027d3b)
Spawning com.segway.mower...

*** Starting scripts ***
== Redirecting all TCP connections to 127.0.0.1:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned com.segway.mower. Resuming main thread!
[IN2023::com.segway.mower ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 127.0.0.1:8000 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: android.net.PacProxySelector>
== Proxy configuration overridden to 127.0.0.1:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

=== Disabling all recognized unpinning libraries ===

[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init() (0)
[+] android.security.net.config.NetworkSecurityConfig $init() (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
Process terminated
[IN2023::com.segway.mower ]->

Thank you for using Frida!

Hansgrohe Home App also still says "Connection problems":

C:\Users\rogue\Downloads\unpinning>frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android-proxy-override.js -l ./android-system-certificate-injection.js -l ./android-certificate-unpinning.js -l ./android-certificate-unpinning-fallback.js -f com.hansgrohe.poseidon
     ____
    / _  |   Frida 16.1.8 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to IN2023 (id=6a027d3b)
Spawning com.hansgrohe.poseidon...

*** Starting scripts ***
== Redirecting all TCP connections to 127.0.0.1:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned com.hansgrohe.poseidon. Resuming main thread!
[IN2023::com.hansgrohe.poseidon ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 127.0.0.1:8000 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: android.net.PacProxySelector>
== Proxy configuration overridden to 127.0.0.1:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

=== Disabling all recognized unpinning libraries ===

[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init() (0)
[+] android.security.net.config.NetworkSecurityConfig $init() (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[+] okhttp3.CertificatePinner check(String, Certificate;[])
[+] okhttp3.CertificatePinner check$okhttp
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 116 to null (-1)
Manually intercepting connection to ::ffff:52.212.83.48:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 116 to null (-1)
Manually intercepting connection to ::ffff:52.215.12.96:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 117 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.37.10:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.36.170:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.36.202:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.36.234:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:172.217.16.170:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)

from frida-interception-and-unpinning.

DeepflashX avatar DeepflashX commented on June 18, 2024

Error in Navimow:

(screenshot of the Navimow error attached)

pimterry avatar pimterry commented on June 18, 2024

Hmm, that is definitely a certificate pinning failure. That suggests that all your config is correct, but the current scripts don't work for those apps. Unfortunately it seems that the fallback script isn't providing any info here though, which is quite unusual. In most cases, even if the unpinning doesn't work, that normally gives some clues (it hooks all standard SSL errors, so it can at least report where they're thrown, and try to auto-patch them if they're recognized, even if they're obfuscated).

To find out more you'll need to do some reverse engineering (guide here: https://httptoolkit.com/blog/android-reverse-engineering/)

For the error in the screenshot at least, it looks like the pinning is based on OkHttp, because this error message exactly matches theirs here. I'm not sure why that wouldn't be matched by the existing hooks for OkHttp though (which are being applied - you can see the [x] okhttp3.CertificatePinner lines) so there must be something unusual (some kind of obfuscation or weird class loading or something) going on there.
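
As an added example (not part of this thread and not code from the frida-interception-and-unpinning project), a small Python helper that turns the debug output format pasted above into a triage summary: which hooks applied, which known pinning classes were not found in the app, what the fallback auto-patcher reported, and whether the process died. The sample log is constructed from an abbreviated version of the Navimow run.

```python
"""Triage helper for the frida-interception-and-unpinning debug output shown
above. Added example for this thread, not code from the project itself."""
import re
from collections import defaultdict

HOOK_RE = re.compile(r"^\[(\+| )\] (\S+) (.*)$")   # "[+] class method" / "[ ] class *"
FALLBACK_RE = re.compile(r"^=> (\S+) (.*)$")         # fallback auto-patcher report

# Constructed sample, abbreviated from the Navimow run pasted earlier.
SAMPLE_LOG = """\
[+] Patched 2 libssl.so verification methods
=== Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***
=> android.security.net.config.NetworkSecurityConfig $init() (0)
Process terminated
"""


def triage(log: str) -> dict:
    """Summarise which hooks applied, which known pinning classes the app
    lacks, what the fallback reported, and whether the target died."""
    applied, skipped = defaultdict(list), defaultdict(list)
    fallback, in_hooks = [], False
    for line in log.splitlines():
        if line.startswith("=== Disabling all recognized"):
            in_hooks = True            # the Java hook table starts here
        elif line.startswith("== Certificate unpinning completed"):
            in_hooks = False           # later "[+]" lines are not hook entries
        elif in_hooks and (m := HOOK_RE.match(line)):
            marker, cls, method = m.groups()
            (applied if marker == "+" else skipped)[cls].append(method)
        elif m := FALLBACK_RE.match(line):
            fallback.append(f"{m.group(1)} {m.group(2)}")
    return {
        # A class is present in the app if at least one of its hooks applied.
        "present_classes": sorted(applied),
        # Known pinning classes where nothing applied: library not in this app.
        "missing_classes": sorted(c for c in skipped if c not in applied),
        "fallback_reports": fallback,
        "process_terminated": "Process terminated" in log,
    }
```

Feed it the full pasted session to see at a glance that only the platform classes were hooked and that the fallback reported nothing beyond NetworkSecurityConfig constructors, which is the "no clues" situation described in the comment above.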

DeepflashX avatar DeepflashX commented on June 18, 2024

Could it be that several APKs are included in the original APK?
Anything about the Hansgrohe app?

pimterry avatar pimterry commented on June 18, 2024

Hi @DeepflashX. It could be that there are multiple APKs (these are generally delivered in an XAPK file, which is just a zip of APKs) but that shouldn't make any difference AFAIK.

The same explanation above also applies for Hansgrohe - there must be some certificate pinning technique being used that isn't covered by the scripts for some reason, although in that case there's even less info on the specific error.

To find out what's happening here, you'll need to follow the guide and reverse engineer the internals of these apps for yourself. This will be a substantial project that will take some work (you will need to use the decompiled code and Frida to understand how the app actually works) but I'm afraid I can't offer personal support step-by-step through projects like this. As you might imagine, I get hundreds of requests like this and I'm already quite busy running HTTP Toolkit.

You'll need to reverse engineer this yourself, or hire somebody to do so (I'd recommend marketplaces like Fiverr or Upwork, which have plenty of people offering these services).

To start with though, take a look through the guide and see how you get on doing this yourself. If you have any specific quick questions, or any thoughts on the actual content of the scripts in this repo, do let me know and I'm happy to explain those details.
