Rooting an Android phone + installing a certificate with Magisk + capturing HTTPS requests
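First, some background on this article. When capturing traffic with an Android phone and Fiddler, HTTPS requests still could not be captured even though the certificate was trusted and installed on the phone. At first I did not know why. Later I gradually learned that some apps now embed the certificate in the app itself to prevent traffic capture (a technique called certificate pinning, also known as SSL pinning), so even when the phone trusts Fiddler's certificate, the HTTPS requests still cannot be captured.
I saw a post online saying you can root the phone first and then install the certificate into the rooted phone's system certificate store, so I followed that idea and started my phone-rooting journey.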
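1. Rooting the Android phone
The only phone I have is a Redmi Note that had gone unused for years, so I use it as the example here. I followed these videos by the Bilibili uploader Good_idea:
"Rooting an Android phone in 2021? Stop searching, this one is all you need: flash Magisk to get root" (bilibili)
"Stop searching! The cleanest Xiaomi root tutorial on Bilibili: flashing Magisk to get root" (bilibili)
I found them very detailed, so please watch them and follow along yourself; I don't know much about flashing either.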
2. After rooting, HTTPS requests still cannot be captured
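After rooting the phone, I followed the instructions in the post "Install the Charles/Fiddler certificate into the Android root directory to fix being unable to capture traffic even with the certificate installed on Android WeChat 7.0 and later (requires root)" (宠你的鑫, cnblogs), and ran: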
adb root
Running this command produced the following error:
adbd cannot run as root in production builds
So I searched online for fixes. Some posts say to download a "super adb" APK (adbd-insecure.apk); the post is here:
"Fixing the Android problem adb cannot run as root in production builds" (CSDN blog)
But this method had no effect for me. Others say to switch to root through adb shell:
adb shell
su
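But even after getting root this way, the /system directory still could not be remounted, and I saw posts saying that Android 12 now uses dynamic partitions, so changing how /system is mounted no longer works.
Then I saw this post online. Some people say it works, but the post seemed to be missing the relevant files, so I did not try it: [Closed] Universal SystemRW / SuperRW feat. MakeRW / ro2rw (read-only-2-read/write super partition converter) | XDA Forums
In other words, remounting /system read-write is probably very hard to achieve. By this point I had spent a long time on it and was about to give up, but I wasn't willing to. Then I came across another post saying that Magisk can be used to simulate the old approach of directly changing how /system is mounted:
Post link: https://blog.chara.pub/2022/09/15/fiddler-android-cacert/
In case the post disappears later, here is a copy of its content: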
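On Android 7 and above, capturing HTTPS requires installing the CA certificate as a system certificate, that is, placing the PEM-format certificate at the path /system/etc/security/cacerts/<certificate hash>.0. Some phones may have restrictions that prevent modifying the system partition; in that case a Magisk module can be used to install the system certificate without modifying the system partition.
Note: installing Magisk generally requires a phone whose bootloader can be unlocked.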
- If the certificate is in cer format, convert it to pem format:
openssl x509 -inform DER -in FiddlerRoot.cer -out FiddlerRoot.pem
- Read the certificate hash and rename the certificate file to "<hash>.0":
$ openssl x509 -inform PEM -subject_hash_old -in FiddlerRoot.pem
0725b47c
-----BEGIN CERTIFICATE-----
...
The first line of the output above is a short string of digits; rename the original FiddlerRoot.pem file to 0725b47c.0:
$ cp FiddlerRoot.pem 0725b47c.0
FiddlerRoot.pem is the file exported from Fiddler; the name may differ, so adjust it to match your own file name.
- Download this Magisk module template.
echo '<base64-encoded module template zip>' | base64 -d > fiddler_ca_cert_magisk.zip
The code above outputs a zip archive whose directory layout is as follows:
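- Put the certificate into the zip under
/system/etc/security/cacerts/
You can drag it in directly with 7-zip; there is no need to set file permissions. The final structure should look like the following:
$ zipinfo fiddler_cacert.zip
Archive:  fiddler_cacert.zip
...
-rw-a--     6.3 fat     1342 bx defN 22-Sep-14 07:18 system/etc/security/cacerts/0725b47c.0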
- Flash the zip in Magisk as a Magisk module and reboot the phone.
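Copy the archive prepared above into a folder on the phone, then open the Modules section in Magisk, tap install from local storage, select the zip file and install it. Then set the proxy on the phone and browse; the HTTPS requests that could not be captured before can now be captured.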
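As an added example (not part of this post or of the post copied above): a Python check, standard library only, that recomputes the `-subject_hash_old` file name from the certificate itself and audits the module zip's layout before it is flashed. The function names are made up for this example, and the `module.prop` requirement comes from the Magisk module format rather than from the post.

```python
# Added example, not from the original post. Function names are hypothetical.
import base64, hashlib, io, re, sys, zipfile

CACERT_DIR = "system/etc/security/cacerts/"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_hash_old(cert):
    """Same value as `openssl x509 -subject_hash_old`, for PEM or DER input."""
    m = PEM_RE.search(cert)
    der = base64.b64decode(m.group(1)) if m else cert
    _, pos, _ = _tlv(der, 0)            # enter the Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # enter the tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos   # skip the optional [0] version field
    for _ in range(4):                  # skip serial, signature alg, issuer, validity
        pos = _tlv(der, pos)[2]
    end = _tlv(der, pos)[2]             # subject Name, header bytes included
    # MD5 of the subject's DER bytes, first four bytes read little-endian
    return "%08x" % int.from_bytes(hashlib.md5(der[pos:end]).digest()[:4], "little")

def audit_module(zip_bytes):
    """Return a list of problems in a Magisk CA-certificate module zip (empty = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        if "module.prop" not in names:
            problems.append("module.prop missing")
        certs = [n for n in names if n.startswith(CACERT_DIR)]
        if not certs:
            problems.append("no certificate under " + CACERT_DIR)
        for name in certs:
            try:
                expected = subject_hash_old(z.read(name)) + ".0"
            except (IndexError, ValueError):
                problems.append(name + ": not a parseable certificate")
                continue
            if name[len(CACERT_DIR):] != expected:
                problems.append(f"{name}: should be named {expected}")
    return problems

if __name__ == "__main__":  # usage: python audit_module.py module.zip
    with open(sys.argv[1], "rb") as f:
        print(audit_module(f.read()) or "layout OK")
```

An empty list means the certificate sits at the path and under the file name Android expects; a wrongly named file is simply not picked up as a system CA after the reboot.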