-
-
Save pwlin/8a0d01e6428b7a96e2eb to your computer and use it in GitHub Desktop.
https://code.google.com/p/android/issues/detail?id=32696#c5 | |
If you have a certificate that is not | |
trusted by Android, when you add it, it goes in the personal cert store. | |
When you add a cert in this personal cert store, the system requires a | |
higher security level to unlock the device. But if you manage to add your | |
cert to the system store then you don't have this requirement. Obviously, | |
root is required to add a certificate to the system store, but it is quiet | |
easy. | |
Here is how to do it : | |
1 - add your cert normally, it will be stored in your personal store and | |
android will ask you a pin/password... Proceed | |
2 - With a file manager with root capabilities, browse files | |
in /data/misc/keychain/cacerts-added. You should see a file here, it's the | |
certificate you have added at step 1. If you can not find it in that path, look in /data/misc/user/0/cacerts-added/ | |
3 - Move this file to system/etc/security/cacerts (you will need to mount | |
the system partition r/w) | |
4 - Reboot the phone | |
5 - You are now able to clear the pin/password you have set to unlock the | |
device. | |
I Think that this will only work for Root or Intermediate CA. | |
I got the idea by reading this : | |
http://nelenkov.blogspot.fr/2011/12/ics-trust-store-implementation.html |
The cacerts-added directory didn't exist in my phone. If anyone is having this issue, it worked with openssl.
1 - use openssl to get your certificate.pem hash : openssl x509 -inform PEM -subject_hash_old -in certificate.pem | head -n -1
2 - rename your certificate.pem to the hash you got with the extension .0 (for example 2d00226e.0)
3 - move your hash.0 somewhere on your phone
4 - open a terminal on your phone (ex : termux app) or use adb shell
5 - remount your /system in rw : mount -o rw,remount,rw /system
6 - move your hash.0 to the cacerts directory : mv hash.0 /system/etc/security/cacerts/
7 - give it some perms : chmod 644 /system/etc/security/cacerts/hash.0
8 - remount your /system in ro : mount -o ro,remount,ro /system
Voila !
The cacerts-added directory didn't exist in my phone. If anyone is having this issue, it worked with openssl.
1 - use openssl to get your certificate.pem hash :
openssl x509 -inform PEM -subject_hash_old -in certificate.pem | head -n -1
2 - rename your certificate.pem to the hash you got with the extension .0 (for example 2d00226e.0)
3 - move your hash.0 somewhere on your phone
4 - open a terminal on your phone (ex : termux app) or use adb shell
5 - remount your /system in rw :mount -o rw,remount,rw /system
6 - move your hash.0 to the cacerts directory :mv hash.0 /system/etc/security/cacerts/
7 - give it some perms :chmod 644 /system/etc/security/cacerts/hash.0
8 - remount your /system in ro :mount -o ro,remount,ro /system
Voila !
You are moving the file to the system partition. Does this brick the phone if dm-verity is enabled?
Anyone figured out how to do this on Android 10 with system-as-root read-only no matter what yet?
What Efpophis said...
For android 10 use twrp to mount system partition as r/w then use adb shell or terminal within the recovery itself. I was able to transfer and (chmod 644 cert.0) change permissions but my certificate didn't showed up in system trusted credentials 🤔. I mean it is there (/system/etc/security/cacerts/) but it is not showing up after reboot. I also found that Certificates in /system/etc/security/cacerts/ are in pem format starting with ----- BEGIN CERTIFICATE ----- and ending with ----- END CERTIFICATE ----- whereas certificate in /data/misc/user/0/cacerts-added are encrypted as they are in .crt format. Now I am going to sleep...
You can't mount /system
in android 10+ without disabling dm-verity. You can still however mount a tempfs on system/etc/security/cacerts
to make this work temporarily (ie until you reboot). Your device still needs to be rooted to make this work.
Credits/Source: HTTPToolkit, HTTPToolkit Script
I tested the following steps on a rooted Android 11 via adb:
- Superuser (Grant permission to shell on your phone)
$ adb shell
$ su
# whoami
root
- Create a separate temp directory, to hold the current certificates
mkdir -m 700 /wherever/you/want
- Copy the existing certificates
cp /system/etc/security/cacerts/* /wherever/you/want/
- Create an in-memory mount
mount -t tmpfs tmpfs /system/etc/security/cacerts
- Copy the existing certs back into the tmpfs mount
mv /whereever/you/want/* /system/etc/security/cacerts/
- Copy the new certificate, the cert file should be named in the hash.0 format (See @gcaillet 's comment)
mv /path/to/cert/hash.0 /system/etc/security/cacerts/
- Update the perms & selinux context labels, so everything is as readable as before
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
- Don't reboot
@snehalbaghel it can be done with a shell script ?
I have tried this on Android 10.
@snehalbaghel Thanks bro, this works. I think, only this method works on latest android version. However I wonder how does httpcanary is able to make its certificate persistent 🤔. It remains in system store even after reboot and even if we uninstall the app. App is at, https://play.google.com/store/apps/details?id=com.guoshi.httpcanary&hl=en&gl=US do check it out once.
Hey, I am able to make the changes persistent. You just need to:
- Reboot to recovery (You need twrp to be installed, I have not tried on other ones).
- Mount /system partition in twrp.
- Connect usb to be able to use adb.
- Then transfer your hash.0 cert file to /system/etc/security/cacerts/ .
- At last just run these commands one by one:
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/* - Now your installed cert(hash.0) will remain even after reboot!.
Please note location of these certs will be /data/adb/modules/movecert/system/etc/security/cacerts/ (in my case atleast)
I have tried this before also but,
this last command did the magic.
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
@pswalia2u That's great! Thanks for the tip.
For android 10, which uses system-as-root, the only way I've found is to use a magisk overlay module. Fortunately, I have created one of those to install my self-signed CA cert. Find it here: https://github.com/Efpophis/Efpophis_Net_Magisk
@pswalia2u can you send me httpcanary's certificate? I would like to try the app but it doesn't support Android 11's manual certificate installation. (https://github.com/MegatronKing/HttpCanary/issues/133)
@Efpophis Exposed had a lot of modules that did exactly this. I was surprised Magisk didn't. Thanks for making one :)
@pswalia2u can you send me httpcanary's certificate? I would like to try the app but it doesn't support Android 11's manual certificate installation. (MegatronKing/HttpCanary#133)
sent you via email. You can download certificate from within the app settings also.
@vsTerminus your process worked for me using Emulator on Nexus S with Android 9.0, tried loads of others which did not work
I have compiled some methods here, https://pswalia2u.medium.com/install-burpsuites-or-any-ca-certificate-to-system-store-in-android-10-and-11-38e508a5541a
This is how I did it on my Sony Xperia z5 Android 10 (rooted)
- Install MTIMPROXY
cd ~/.mitmproxy
and thenopenssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1
adb root
adb shell
mount -o rw,remount /
- Open a vim in the shell and copy paste the content of file in step 2.
- Save the file in
system/etc/security/cacerts/FILENAME.0
find the file name in step 2 chmod 644 system/etc/security/cacerts/FILENAME.0
mount -o ro,remount /
- Reboot
- Open MITMPROXY on PC and set the proxy on android.
Now I can see all HTTP or HTTPS traffic. The only traffic that I can not see is the CA-pinned traffic (Facebook for example) for those you need to decompile APK, change the res file, compile it again and install it on your android device.
For Magisk users I can also recommend this addon, if you only have your own user certificates. Technically it should also be possible to create an own Magisk Module only containing your certificate, but this was easier to setup quickly.
5 - Move the cert. Replace "cert.0" with whatever the filename is. eg
c7451f0d.0
adb ls /data/misc/user/0/cacerts-added adb pull /data/misc/user/0/cacerts-added/cert.0 adb push cert.0 /system/etc/security/cacerts/
@vsTerminus I'm stuck on the 3rd command from step 5. Getting this error:
adb: error: failed to copy '13e3ab67.0' to '/system/etc/security/cacerts/13e3ab67.0': remote couldn't create file: Read-only file system`
When I run adb root
it says 'adbd is already running as root'.
Any help will be appreciated.
Thanks.
@sabbirrahman I guess you forgot to remount root as read-write.
# mount -o rw,remount /
Some of you guys are missing a critical detail. Since Android 10, and possibly earlier, Google has gone with a ”system-as-root” approach. This means you cannot remount the /system position as read/write, and you can't modify it directly, even as root. The magisk add-ons mentioned are now pretty much the only game in town.
Fsck Google
user certs location in my device:
/data/misc/user/0/cacerts-added
Meizu 16s also located here. Thanks :)
you can read System CA on Android Emulator from mitmproxy:
3. Insert certificate into system certificate store
Now we have to place our CA certificate inside the system certificate store located at /system/etc/security/cacerts/
in the Android filesystem. By default, the /system
partition is mounted as read-only. The following steps describe how to gain write permissions on the /system
partition and how to copy the certificate created in the previous step.
Instructions for API LEVEL > 28
Starting from API LEVEL 29 (Android 10), it seems to be impossible to mount the "/" partition as read-write. Google provided a workaround for this issue using OverlayFS. Unfortunately, at the time of writing this (11. April 2021), the instructions in this workaround will result in your emulator getting stuck in a boot loop. Some smart guy on Stackoverflow found a way to get the /system
directory writable anyway.
Keep in mind: You always have to start the emulator using the -writable-system
option if you want to use your certificate. Otherwise Android will load a "clean" system image.
Tested on emulators running API LEVEL 29 and 30
Instructions
- List your AVDs:
emulator -list-avds
(If this yields an empty list, create a new AVD in the Android Studio AVD Manager) - Start the desired AVD:
emulator -avd <avd_name_here> -writable-system
(add-show-kernel
flag for kernel logs) - restart adb as root:
adb root
- disable secure boot verification:
adb shell avbctl disable-verification
- reboot device:
adb reboot
- restart adb as root:
adb root
- perform remount of partitions as read-write:
adb remount
. (If adb tells you that you need to reboot, reboot againadb reboot
and runadb remount
again.) - push your renamed certificate from step 2:
adb push <path_to_certificate> /system/etc/security/cacerts
- set certificate permissions:
adb shell chmod 664 /system/etc/security/cacerts/<name_of_pushed_certificate>
- reboot device:
adb reboot
I managed to put the cert (.0 file) in /system/etc/security/cacerts/ using a Magisk module, but still can't get it to work, permissions seem to be the same for all certs there
I managed to put the cert (.0 file) in /data/misc/user/0/cacerts-added
. By doing that it will recognize as a user-imported certificate, and no remount/reboot is necessary. adb root
is still necessary though.
Note: It works right away by using adb push
from the host machine. If you use adb shell cp
from another location inside the device, you'll need to chmod
the cert file for it to work.
Is it possible to retain certificate added to system store after unrooting?
Tested on API 28
adb root
adb disable-verity
adb reboot
adb root
adb remount
adb push FILENAME.0 /system/etc/security/cacerts
adb shell chmod 664 /system/etc/security/cacerts/FILENAME.0
Has anyone managed to do this with AVD with Google Play (NOT Google API's) and Android 11 installed? I realize I've sort of shot myself in the foot here, but if anyone knows of a way to root such a device please let me know using Android Studio.
So I recently needed to do this on an emulated android device to sniff traffic with mitmproxy. For anyone who stumbles on this in the future, it worked with a few modifications!
1 - When you create the AVD you'll have a choice between "(Google Play)" and "(Google APIs)" in the Target (android version). You must choose "(Android APIs)" or you will not be able to get adb root access.
2 - Do not launch the emulator from Android Studio, instead you'll want to launch it from the command line so you can pass the
-writable-system
flag to it.Go to your
AndroidStudio/Sdk/emulator
folder and run:emulator.exe -list-avds
and note the one you created in Step 1. For example, mine wasPixel_2_API_28
.Launch it with
emulator.exe -avd Pixel_2_API_28 -writable-system
3 - Remount the system partition as writable
4 - Install the cert as normal
5 - Move the cert. Replace "cert.0" with whatever the filename is. eg
c7451f0d.0
6 - Now go remove the user cert you installed in Step 4.