gojue/ecapture

Android 12 + Kernel 5.4, but capture tls returns all 0

HorseLuke opened this issue · 3 comments

Describe the bug
I have an Android device with Android 12 + Kernel 5.4, but capture tls returns all 0.
The device is a Moto g71s (XT2225-2).

To Reproduce

rhodep:/system/bin/ecapture-nocore # zcat /proc/config.gz |grep CONFIG_DEBUG_INFO_BTF
# CONFIG_DEBUG_INFO_BTF is not set

rhodep:/system/bin/ecapture-nocore # ./ecapture -v
ecapture version:       androidgki_aarch64:0.4.11-20230107-7b66305:5.4.0-104-generic

rhodep:/system/bin/ecapture-nocore # ./ecapture tls

Expected behavior

capture tls returns cleartext

Screenshots

rhodep:/system/bin/ecapture-nocore # ./ecapture tls
tls_2023/01/17 16:14:41 ECAPTURE :: ecapture Version : androidgki_aarch64:0.4.11-20230107-7b66305:5.4.0-104-generic
tls_2023/01/17 16:14:41 ECAPTURE :: Pid Info : 662
tls_2023/01/17 16:14:41 ECAPTURE :: Kernel Info : 5.4.147
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        module initialization
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        master key keylogger: ecapture_masterkey.log
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        Module.Run()
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        UPROBE MODEL
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        OpenSSL/BoringSSL version not found, used default version :android_default
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        HOOK type:2, binrayPath:/apex/com.android.conscrypt/lib64/libssl.so
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        Hook masterKey function:SSL_in_init
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        target all process.
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        target all users.
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        BPF bytecode filename:user/bytecode/boringssl_1_1_1_kern.o
tls_2023/01/17 16:14:41 EBPFProbeOPENSSL        module started successfully.
tls_2023/01/17 16:14:41 ECAPTURE ::     start 1 modules
tls_2023/01/17 16:14:45 UUID:987_1244_pool-5-thread-1_0_1, Name:DefaultParser, Type:0, Length:1972
tls_2023/01/17 16:14:45
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00           |.............|

Linux Server/Android (please complete the following information):

  • Env: [run make env to get the environment variables]
  • OS: Android 12
  • Arch: aarch64
  • Kernel Version: 5.4.147-moto
  • Version: v0.4.11 NOCORE

Additional context
I read some issues (link: #293 (comment)). Is kernel 5.4 not supported on aarch64?

cfc4n commented

I read some issues (link: #293 (comment)). Is kernel 5.4 not supported on aarch64?

You are right.

Incorrect, Linux kernel Arm64 (aarch64) supported this feature with bpf_probe_read_user at https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5

So, you need to use Android (Linux) kernel 5.5 or newer to use eCapture on arm64 (aarch64).

OK, thanks

Open discussion: #308
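
Added example (not part of the issue thread and not eCapture's own code): a preflight script that applies the 5.5 minimum stated above for aarch64 before `./ecapture tls` is run, so an unsupported kernel is reported up front instead of showing up as an all-zero capture. The function names are hypothetical, and the mapping from `CONFIG_DEBUG_INFO_BTF` to the CO-RE or NOCORE build is an assumption based on the reporter's NOCORE setup; the sample input is the set of values reported in this issue.

```shell
#!/bin/sh
# Added example: preflight check before running `./ecapture tls`.

# kernel_at_least RELEASE MAJOR MINOR
# Returns 0 if RELEASE >= MAJOR.MINOR, 1 if older, 2 if unparseable.
kernel_at_least() {
    rel=${1%%[!0-9.]*}                 # "5.4.147-moto" -> "5.4.147"
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# ecapture_preflight ARCH RELEASE CONFIG_TEXT
# Prints one verdict line; returns 0 (ok), 1 (unsupported) or 2 (unknown).
ecapture_preflight() {
    arch=$1; release=$2; config=$3
    case "$arch" in
        aarch64|arm64) ;;
        *) echo "unknown: minimum kernel for $arch is not covered here"; return 2 ;;
    esac
    rc=0
    kernel_at_least "$release" 5 5 || rc=$?
    case "$rc" in
        0) ;;
        1) echo "unsupported: $arch kernel $release is older than 5.5"; return 1 ;;
        *) echo "unknown: cannot parse kernel release '$release'"; return 2 ;;
    esac
    # Assumption: BTF present -> CO-RE build; BTF absent -> NOCORE build.
    if printf '%s\n' "$config" | grep -q '^CONFIG_DEBUG_INFO_BTF=y'; then
        echo "ok: kernel has BTF, CO-RE build can be used"
    else
        echo "ok: kernel has no BTF, use the NOCORE build"
    fi
}

# Constructed sample input: the values reported in the issue above.
ecapture_preflight aarch64 5.4.147-moto "# CONFIG_DEBUG_INFO_BTF is not set" || true

# On a device, feed it live values instead:
#   ecapture_preflight "$(uname -m)" "$(uname -r)" "$(zcat /proc/config.gz)"
```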