Charles (2): Capturing traffic on Android 14 is not a dream

On Android 14 you will find that the certificate error still occurs. The reason is that Android 14 changed where the system CA certificates are stored: the old path /system/etc/security/cacerts is no longer used, and from Android 14 onwards the certificates are read from /apex/com.android.conscrypt/cacerts/ instead.

Required first: download the certificate

1. The phone must be rooted.

2. First follow the steps in the post below, without errors; the only goal is to get the certificate file downloaded:

Charles (1): downloading the certificate for packet capture

Approach: mounting the certificate

The following shows how to capture network traffic without modifying the app's code. Inspired by: book.hacktricks.xyz/v/cn/mobile…

Because the directory /apex/com.android.conscrypt/cacerts/ is protected, a file cannot simply be pushed into it. Instead, a temporary in-memory directory holding the existing certificates plus our own is mounted over /apex/com.android.conscrypt/cacerts/, so the certificate ends up in that temporary directory. That is the idea; just follow the steps below exactly and you do not need to worry about the directories yourself.

Step 1:

Put the certificate bf6596fc.0 downloaded above and the script android14-root-ca-inject.sh into the directory /data/local/tmp/

android14-root-ca-inject.sh

```sh
#!/bin/sh
# Must be run as root (the phone has to be rooted).
set -e

# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy

# Copy out the existing certificates
cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/

# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/

# Copy our new cert in, so we trust that too
# (change bf6596fc.0 here if your own certificate file has a different name)
mv /data/local/tmp/bf6596fc.0 /system/etc/security/cacerts/

# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Deal with the APEX overrides, which need injecting into each namespace:

# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!

# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
    if [ -n "$Z_PID" ]; then
        nsenter --mount=/proc/$Z_PID/ns/mnt -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
    fi
done

# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:

# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID
)

# Inject into the mount namespace of each of those apps:
for PID in $APP_PIDS; do
    nsenter --mount=/proc/$PID/ns/mnt -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done
wait # Launched in parallel - wait for completion here

echo "System certificate injected"
```

Step 2:

Open a terminal (Git Bash; some adb windows also work) and run the script android14-root-ca-inject.sh:

(1) adb shell

(2) chmod +x /data/local/tmp/android14-root-ca-inject.sh

(3) /data/local/tmp/android14-root-ca-inject.sh

Notes:

(1) If you are using your own certificate, change the certificate file name inside the script first and save it.

(2) A Python runtime must be installed.


Result:

Now you can capture traffic with Charles.

Note: on some Android 14 systems this method may still not work; try another phone.
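When it does not work, the useful question is whether the bind mount actually reached each app's mount namespace. The following diagnostic is an added example, not part of the original post or of android14-root-ca-inject.sh; it assumes a rooted adb shell (run `su` first) where /proc/<pid>/mounts and /proc/<pid>/root are readable, and the certificate file name bf6596fc.0 from above.

```sh
#!/bin/sh
# Added diagnostic for the certificate injection above (not from the original post).
# Assumes root, readable /proc/<pid>/mounts and /proc/<pid>/root, and the
# cert file name used by the injection script.

CACERTS_PATH=/apex/com.android.conscrypt/cacerts
CERT_NAME=${CERT_NAME:-bf6596fc.0}   # override if your cert file has another name

# Returns 0 when the given mounts file (normally /proc/<pid>/mounts) shows the
# conscrypt cacerts directory backed by tmpfs, i.e. the bind mount made by the
# injection script is visible in that process's mount namespace; 1 otherwise.
# In /proc/<pid>/mounts, field 2 is the mount point and field 3 the fs type.
cacerts_is_tmpfs() {
    grep -q " $CACERTS_PATH tmpfs " "$1"
}

# Returns 0 when the cert file is present in the cacerts directory as seen
# from the given root directory (normally /proc/<pid>/root), 1 otherwise.
cert_visible_under() {
    [ -f "$1$CACERTS_PATH/$CERT_NAME" ]
}

# Walk every process whose parent is a zygote (the same selection the
# injection script uses) and print one line per app: pid, mount status,
# cert status, command line. Returns 1 if any app is still missing the mount.
check_running_apps() {
    missing=0
    for zpid in $(pidof zygote 2>/dev/null) $(pidof zygote64 2>/dev/null); do
        for pid in $(ps -o PID -P "$zpid" | grep -v PID); do
            if cacerts_is_tmpfs "/proc/$pid/mounts"; then
                mnt=tmpfs
            else
                mnt=NOT-INJECTED
                missing=1
            fi
            if cert_visible_under "/proc/$pid/root"; then
                crt=present
            else
                crt=absent
            fi
            printf '%s\t%s\t%s\t%s\n' "$pid" "$mnt" "$crt" \
                "$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')"
        done
    done
    return "$missing"
}

# Only run the live check on a device; the functions above can be used alone.
if [ -d /apex/com.android.conscrypt ]; then
    check_running_apps
fi
```

An app listed as NOT-INJECTED still sees the original APEX directory, so it will not trust the Charles certificate; a freshly started app that shows NOT-INJECTED means the zygote namespace was not patched either.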