Try using --ssl_version="boringssl 1.1.1" flag.

nothing happens ...

把关于设备的页面发一下看看

0.7.0 可以获取 keylog 吗

Try using --ssl_version="boringssl 1.1.1" flag.

佬，我之前提的问题应该也是和这个情况一样的，用0.61版本就可以抓到https报文，我内核是6.1.57

#622

Versions 0.8.12 and 0.9 still don't work properly

0.6.1 can work，but i want the higher version

在最新版上会报错

没有相关硬件设备，无法重现。

@dosu

Hello, @cfc4n! I'm here to help you with any issues you're facing. If you need assistance with bugs, have questions, or want to become a contributor, I'm here to assist you while waiting for a human maintainer.

It seems that there are issues with eCapture version 0.8.9 on Android kernel 6.1.99, while version 0.6.1 works fine. A similar issue was discussed in a GitHub issue where users faced challenges capturing HTTPS packets on an Android device with kernel version 6.1.57. They suggested using the --ssl_version="boringssl 1.1.1" flag, which might help resolve SSL-related errors [[id=622]].

Additionally, eCapture utilizes eBPF to capture SSL/TLS traffic by hooking into specific functions in OpenSSL/BoringSSL libraries. Potential points of failure could include kernel version compatibility, library version detection, and eBPF program loading issues ^[1].

If the --ssl_version flag does not resolve the issue, it might be worth checking if the correct libraries are being hooked and ensuring compatibility with the specific kernel and library versions on your device.

To continue talking to Dosu, mention @dosu.

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

Maybe i meet seem problem with aosp 14. Kernel Info=6.1.68 AMD64

Maybe i meet seem problem with aosp 14. Kernel Info=6.1.68 AMD64

I don't have these mobile devices and can't reproduce. Are you using an emulator? How can I reproduce this issue?

Maybe i meet seem problem with aosp 14. Kernel Info=6.1.68 AMD64

I don't have these mobile devices and can't reproduce. Are you using an emulator? How can I reproduce this issue?

Thank for your reply. i working on aosp and it real board. in android using boringssl in folder apex/conscypt/lib64 maybe. i think log is the same

@mrprona92 Can you provide an SSH account for remote access?

@mrprona92 Can you provide an SSH account for remote access?

Unfortunately. I working on Project with high security and cant provide SSH account for you. On android i think can try with generic system image for emulator. Can you give a try with version aosp_arm64-exp-UQ1A.231205.015-11084887-e291b838.zip on https://developer.android.com/topic/generic-system-image/releases?

And i think have some changes from android target 14 for SSLKEYLOG

@cfc4n today i tried with android target 13. It working. but nothing happen when try with android target 14. I think android version 14 is main problem.

@cfc4n today i tried with android target 13. It working. but nothing happen when try with android target 14. I think android version 14 is main problem.

Thank you for letting me know, but I don’t have an android 14 device, so I can‘t reproduce it.

I can try to fix it. Can you test it for me?

@cfc4n today i tried with android target 13. It working. but nothing happen when try with android target 14. I think android version 14 is main problem.

Thank you for letting me know, but I don’t have an android 14 device, so I can‘t reproduce it.

I can try to fix it. Can you test it for me?

sure. just send me your fix. i can try

@mrprona92 try #723

@mrprona92 try #723

do you have an builded file ecapture. or how i can build your change on the source code to ecapture file?

@mrprona92 https://github.com/cfc4n/ecapture/releases/tag/v0.9.4

@mrprona92 https://github.com/cfc4n/ecapture/releases/tag/v0.9.4

i tried. but seem nothing happen when ssl handshake

26|device_now:/data/local/tmp # ./ecapture tls -m keylog -keylogfile=openssl_keylog.log
2024-12-23T06:08:25Z INF AppName="eCapture(旁观者)"
2024-12-23T06:08:25Z INF HomePage=https://ecapture.cc
2024-12-23T06:08:25Z INF Repository=https://github.com/gojue/ecapture
2024-12-23T06:08:25Z INF Author="CFC4N [email protected]"
2024-12-23T06:08:25Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-23T06:08:25Z INF Version=androidgki_arm64:v0.9.4:6.5.0-1025-azure
2024-12-23T06:08:25Z INF Listen=localhost:28256
2024-12-23T06:08:25Z INF eCapture running logs logger=
2024-12-23T06:08:25Z INF the file handler that receives the captured event eventCollector=
2024-12-23T06:08:25Z INF listen=localhost:28256
2024-12-23T06:08:25Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-23T06:08:25Z INF Kernel Info=6.1.68 Pid=24998
2024-12-23T06:08:25Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2024-12-23T06:08:25Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-23T06:08:25Z INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=eylogfile=openssl_keylog.log
2024-12-23T06:08:25Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-23T06:08:25Z INF Module.Run()
2024-12-23T06:08:25Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2024-12-23T06:08:25Z ERR bpfFile=boringssl_a_14_kern.o sslVersion=android_default
2024-12-23T06:08:25Z INF HOOK type:Openssl elf ElfType=2 binrayPath=/apex/com.android.conscrypt/lib64/libssl.so masterHookFuncs=["SSL_in_init"]
2024-12-23T06:08:25Z INF target all process.
2024-12-23T06:08:25Z INF target all users.
2024-12-23T06:08:25Z INF setupManagers eBPFProgramType=KeyLog
2024-12-23T06:08:25Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-12-23T06:08:25Z INF perfEventReader created mapSize(MB)=4
2024-12-23T06:08:25Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

^C2024-12-23T06:18:52Z INF module close.
2024-12-23T06:18:52Z INF Module closed,message recived from Context
2024-12-23T06:18:52Z INF iModule module close
2024-12-23T06:18:52Z INF bye bye.
device_now:/data/local/tmp # ^C
130|device_now:/data/local/tmp # ^C
130|device_now:/data/local/tmp # ^C
130|device_now:/data/local/tmp # ./ecapture tls -m keylog -keylogfile=openssl_keylog.log
2024-12-23T06:18:56Z INF AppName="eCapture(旁观者)"
2024-12-23T06:18:56Z INF HomePage=https://ecapture.cc
2024-12-23T06:18:56Z INF Repository=https://github.com/gojue/ecapture
2024-12-23T06:18:56Z INF Author="CFC4N [email protected]"
2024-12-23T06:18:56Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-23T06:18:56Z INF Version=androidgki_arm64:v0.9.4:6.5.0-1025-azure
2024-12-23T06:18:56Z INF Listen=localhost:28256
2024-12-23T06:18:56Z INF eCapture running logs logger=
2024-12-23T06:18:56Z INF the file handler that receives the captured event eventCollector=
2024-12-23T06:18:56Z INF listen=localhost:28256
2024-12-23T06:18:56Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-23T06:18:56Z INF Kernel Info=6.1.68 Pid=23183
2024-12-23T06:18:56Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2024-12-23T06:18:56Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-23T06:18:56Z INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=eylogfile=openssl_keylog.log
2024-12-23T06:18:56Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-23T06:18:56Z INF Module.Run()
2024-12-23T06:18:56Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2024-12-23T06:18:56Z ERR bpfFile=boringssl_a_14_kern.o sslVersion=android_default
2024-12-23T06:18:56Z INF HOOK type:Openssl elf ElfType=2 binrayPath=/apex/com.android.conscrypt/lib64/libssl.so masterHookFuncs=["SSL_in_init"]
2024-12-23T06:18:56Z INF target all process.
2024-12-23T06:18:56Z INF target all users.
2024-12-23T06:18:56Z INF setupManagers eBPFProgramType=KeyLog
2024-12-23T06:18:56Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-12-23T06:18:57Z INF perfEventReader created mapSize(MB)=4
2024-12-23T06:18:57Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
^C2024-12-23T06:19:27Z INF module close.
2024-12-23T06:19:27Z INF Module closed,message recived from Context
2024-12-23T06:19:27Z INF iModule module close
2024-12-23T06:19:27Z INF bye bye.
device_now:/data/local/tmp # ^C
130|device_now:/data/local/tmp # ^C
130|device_now:/data/local/tmp # ./ecapture tls -m keylog -keylogfile=openssl_keylog.log -d --ssl_version='boringssl_a_14'
2024-12-23T06:19:43Z INF AppName="eCapture(旁观者)"
2024-12-23T06:19:43Z INF HomePage=https://ecapture.cc
2024-12-23T06:19:43Z INF Repository=https://github.com/gojue/ecapture
2024-12-23T06:19:43Z INF Author="CFC4N [email protected]"
2024-12-23T06:19:43Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-23T06:19:43Z INF Version=androidgki_arm64:v0.9.4:6.5.0-1025-azure
2024-12-23T06:19:43Z INF Listen=localhost:28256
2024-12-23T06:19:43Z INF eCapture running logs logger=
2024-12-23T06:19:43Z INF the file handler that receives the captured event eventCollector=
2024-12-23T06:19:43Z INF Kernel Info=6.1.68 Pid=27414
2024-12-23T06:19:43Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2024-12-23T06:19:43Z INF listen=localhost:28256
2024-12-23T06:19:43Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-23T06:19:43Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-23T06:19:43Z INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=eylogfile=openssl_keylog.log
2024-12-23T06:19:43Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-23T06:19:43Z INF Module.Run()
2024-12-23T06:19:43Z INF OpenSSL/BoringSSL version found sslVersion=boringssl_a_14
2024-12-23T06:19:43Z INF HOOK type:Openssl elf ElfType=2 binrayPath=/apex/com.android.conscrypt/lib64/libssl.so masterHookFuncs=["SSL_in_init"]
2024-12-23T06:19:43Z INF target all process.
2024-12-23T06:19:43Z INF target all users.
2024-12-23T06:19:43Z INF setupManagers eBPFProgramType=KeyLog
2024-12-23T06:19:43Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-12-23T06:19:43Z DBG upgrade check failed: error getting latest version: API request failed: Get "https://image.cnxct.com/ecapture/releases/latest?ver=androidgki_arm64:v0.9.4:6.5.0-1025-azure": dial tcp: lookup image.cnxct.com on [::1]:53: read udp [::1]:47211->[::1]:53: read: connection refused
2024-12-23T06:19:44Z INF perfEventReader created mapSize(MB)=4
2024-12-23T06:19:44Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
^C2024-12-23T06:20:07Z INF module close.
2024-12-23T06:20:07Z INF Module closed,message recived from Context
2024-12-23T06:20:07Z INF iModule module close
2024-12-23T06:20:07Z INF bye bye.
device_now:/data/local/tmp # ./ecapture tls -m keylog -keylogfile=openssl_keylog.log -d --ssl_version='boringssl_a_15'
2024-12-23T06:20:19Z INF AppName="eCapture(旁观者)"
2024-12-23T06:20:19Z INF HomePage=https://ecapture.cc
2024-12-23T06:20:19Z INF Repository=https://github.com/gojue/ecapture
2024-12-23T06:20:19Z INF Author="CFC4N [email protected]"
2024-12-23T06:20:19Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-23T06:20:19Z INF Version=androidgki_arm64:v0.9.4:6.5.0-1025-azure
2024-12-23T06:20:19Z INF Listen=localhost:28256
2024-12-23T06:20:19Z INF eCapture running logs logger=
2024-12-23T06:20:19Z INF the file handler that receives the captured event eventCollector=
2024-12-23T06:20:19Z INF listen=localhost:28256
2024-12-23T06:20:19Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-23T06:20:19Z INF Kernel Info=6.1.68 Pid=30605
2024-12-23T06:20:19Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2024-12-23T06:20:19Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-23T06:20:19Z INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=eylogfile=openssl_keylog.log
2024-12-23T06:20:19Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-23T06:20:19Z INF Module.Run()
2024-12-23T06:20:19Z INF OpenSSL/BoringSSL version found sslVersion=boringssl_a_15
2024-12-23T06:20:19Z INF HOOK type:Openssl elf ElfType=2 binrayPath=/apex/com.android.conscrypt/lib64/libssl.so masterHookFuncs=["SSL_in_init"]
2024-12-23T06:20:19Z INF target all process.
2024-12-23T06:20:19Z INF target all users.
2024-12-23T06:20:19Z INF setupManagers eBPFProgramType=KeyLog
2024-12-23T06:20:19Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_15_kern_core.o
2024-12-23T06:20:19Z DBG upgrade check failed: error getting latest version: API request failed: Get "https://image.cnxct.com/ecapture/releases/latest?ver=androidgki_arm64:v0.9.4:6.5.0-1025-azure": dial tcp: lookup image.cnxct.com on [::1]:53: read udp [::1]:53742->[::1]:53: read: connection refused
2024-12-23T06:20:19Z INF perfEventReader created mapSize(MB)=4
2024-12-23T06:20:19Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

@r0ysue can you try 0.9.4 can working on your side?

I verified it on the Android 13 (Kernel 5.15) of the Android Studio simulator.

emu64a:/ $ su
emu64a:/ # cd /da
data/          data_mirror/
emu64a:/ # cd /data/loca                                                                                                  
local.prop  local/
emu64a:/ # cd /data/local                                                                                                 
local.prop  local/
emu64a:/ # cd /data/local/t                                                                                               
tests/   tmp/     traces/
emu64a:/ # cd /data/local/tmp/                                                                                            
emu64a:/data/local/tmp # ls 
11.keylog  a.pcapng  ecapture
emu64a:/data/local/tmp # ls -al
total 24876
drwxrwx--x 3 shell shell     4096 2025-01-24 19:13 .
drwxr-x--x 5 root  root      4096 2024-01-21 13:51 ..
drwxr-xr-x 2 shell shell     4096 2025-01-24 19:08 .studio
-rw------- 1 root  root      3112 2024-11-12 19:07 11.keylog
-rw-r--r-- 1 root  root    810568 2024-11-12 19:35 a.pcapng
-rwxrwxrwx 1 shell shell 24617968 2025-01-22 23:27 ecapture
emu64a:/data/local/tmp # ./ecapture tls                                                                                   
2025-01-24T11:13:53Z INF AppName="eCapture(旁观者)"
2025-01-24T11:13:53Z INF HomePage=https://ecapture.cc
2025-01-24T11:13:53Z INF Repository=https://github.com/gojue/ecapture
2025-01-24T11:13:53Z INF Author="CFC4N <[email protected]>"
2025-01-24T11:13:53Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-01-24T11:13:53Z INF Version=androidgki_arm64:v0.9.4:6.5.0-1025-azure
2025-01-24T11:13:53Z INF Listen=localhost:28256
2025-01-24T11:13:53Z INF eCapture running logs logger=
2025-01-24T11:13:53Z INF the file handler that receives the captured event eventCollector=
2025-01-24T11:13:53Z INF listen=localhost:28256
2025-01-24T11:13:53Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-01-24T11:13:53Z INF Kernel Info=5.15.41 Pid=5406
2025-01-24T11:13:53Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2025-01-24T11:13:53Z INF BTF bytecode mode: CORE. btfMode=0
2025-01-24T11:13:53Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-01-24T11:13:53Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-01-24T11:13:53Z INF Module.Run()
2025-01-24T11:13:53Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2025-01-24T11:13:53Z ERR bpfFile=boringssl_a_13_kern.o sslVersion=android_default
2025-01-24T11:13:53Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-01-24T11:13:53Z INF target all process.
2025-01-24T11:13:53Z INF target all users.
2025-01-24T11:13:53Z INF setupManagers eBPFProgramType=Text
2025-01-24T11:13:53Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_core.o
2025-01-24T11:13:53Z INF perfEventReader created mapSize(MB)=4
2025-01-24T11:13:53Z INF perfEventReader created mapSize(MB)=4
2025-01-24T11:13:53Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-01-24T11:14:19Z ??? UUID:2229_2940_ThreadPoolForeg_0_1_0.0.0.0:0-0.0.0.0:0, Name:HTTPRequest, Type:1, Length:886
POST /service/update2 HTTP/1.1
Host: update.googleapis.com
Accept-Encoding: gzip
Connection: Keep-Alive
Content-Length: 615
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; sdk_gphone64_arm64 Build/TE1A.220922.034)

<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><request protocol="3.0" updater="Android" updaterversion="103.0.5060.71" updaterchannel="chrome" ismachine="1" requestid="{45a06597-6a1a-4755-af9b-97ce77994453}" sessionid="{10b1872a-5cdf-44b0-9ab0-23e27c8adcb4}" installsource="system_image" dedup="cr"><os platform="android" version="13" arch="arm" /><app brand="" client="ms-unknown" appid="{387E11AD-7109-45F6-83CF-CAA241ADC9DF}" version="103.0.5060.71" nextversion="" lang="en-US" installage="73" ap="chrome;google;sdk_gphone64_arm64"><updatecheck /><ping active="1" ad="6555" rd="6555" /></app></request>
2025/01/24 11:14:20 [http response] Chunked response body
2025-01-24T11:14:20Z ??? UUID:2229_2940_ThreadPoolForeg_0_0_0.0.0.0:0-0.0.0.0:0, Name:HTTPResponse, Type:3, Length:896
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Security-Policy: script-src 'report-sample' 'none';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
Content-Type: text/xml; charset=UTF-8
Date: Fri, 24 Jan 2025 11:14:18 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Server: GSE
X-Content-Type-Options: nosniff
X-Daynum: 6598
X-Daystart: 11658
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="UTF-8"?><response protocol="3.0" server="prod"><daystart elapsed_days="6598" elapsed_seconds="11658"/><app appid="{387E11AD-7109-45F6-83CF-CAA241ADC9DF}" cohort="1:hyx:" cohortname="Stable Chrome" status="ok"><updatecheck status="noupdate"/><ping status="ok"/></app></response>

However, I cannot verify on Android 15 because the emulator's image cannot gain root access.