Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificates rejected with app saying system trusted enabled #18

Open
ThePedroo opened this issue Jan 26, 2024 · 41 comments
Open

Certificates rejected with app saying system trusted enabled #18

ThePedroo opened this issue Jan 26, 2024 · 41 comments

Comments

@ThePedroo
Copy link

Hello.

I'm trying to use HTTPToolkit, together with KernelSU. I've installed the app, granted root permissions via ksu app to both shell and the app itself, opened the desktop app and clicked the connect via adb, Android.

However, it still doesn't capture, giving certificates rejected for anything besides Chrome.

Here are the logs:

Android command [ 'su', '-c', 'sh', '/data/local/tmp/htk-root-test.sh' ] returned `root`
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-root-test.sh' ] returned `root`
Android command [ 'su', 'root', 'sh', '/data/local/tmp/htk-root-test.sh' ] threw Timeout for ADB command su,root,sh,/data/local/tmp/htk-root-test.sh
Error: Timeout for ADB command su,root,sh,/data/local/tmp/htk-root-test.sh
    at /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:19743
    at runNextTicks (node:internal/process/task_queues:60:5)
    at listOnTimeout (node:internal/timers:540:9)
    at process.processTimers (node:internal/timers:514:7)
    at async Promise.all (index 3)
    at async e.getRootCommand (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:21622)
    at async e.AndroidAdbInterceptor.injectSystemCertIfPossible (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:30549)
    at async e.AndroidAdbInterceptor.activate (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:28377)
    at async e.ApiModel.activateInterceptor (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:742658)
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:3509
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:2198
Android command [ 'su', 'root', 'sh /data/local/tmp/htk-root-test.sh' ] threw Timeout for ADB command su,root,sh /data/local/tmp/htk-root-test.sh
Error: Timeout for ADB command su,root,sh /data/local/tmp/htk-root-test.sh
    at /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:19743
    at async Promise.all (index 4)
    at async e.getRootCommand (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:21622)
    at async e.AndroidAdbInterceptor.injectSystemCertIfPossible (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:30549)
    at async e.AndroidAdbInterceptor.activate (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:28377)
    at async e.ApiModel.activateInterceptor (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:742658)
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:3509
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:2198
Cert already installed, nothing to do
Android command [ 'rm', '-f', '/data/local/tmp/htk-root-test.sh' ] returned ``
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-set-chrome-flags.sh' ] returned `Chrome flags script completed`
Chrome flags script completed

Android command [ 'su', '-c', 'am force-stop com.android.chrome' ] returned ``
Android Chrome flags set
Error: Aborted
    at IncomingMessage.o (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:38413)
    at Object.onceWrapper (node:events:632:28)
    at IncomingMessage.emit (node:events:530:35)
    at IncomingMessage.emit (node:domain:488:12)
    at IncomingMessage._destroy (node:_http_incoming:224:10)
    at _destroy (node:internal/streams/destroy:121:10)
    at IncomingMessage.destroy (node:internal/streams/destroy:83:5)
    at abortIncoming (node:_http_server:793:9)
    at socketOnClose (node:_http_server:787:3)
    at Socket.emit (node:events:530:35)
    at Socket.emit (node:domain:488:12)
    at TCP.<anonymous> (node:net:337:12)
Failed to handle request: aborted
INFO: Unparseable URL: http://
Android command [ 'sh', '/data/local/tmp/htk-root-test.sh' ] returned `shell`
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-root-test.sh' ] returned `root`
Android command [ 'su', '-c', 'sh', '/data/local/tmp/htk-root-test.sh' ] returned `root`
Android command [ 'su', 'root', 'sh', '/data/local/tmp/htk-root-test.sh' ] threw Timeout for ADB command su,root,sh,/data/local/tmp/htk-root-test.sh
Error: Timeout for ADB command su,root,sh,/data/local/tmp/htk-root-test.sh
    at /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:19743
    at runNextTicks (node:internal/process/task_queues:60:5)
    at listOnTimeout (node:internal/timers:540:9)
    at process.processTimers (node:internal/timers:514:7)
    at async Promise.all (index 3)
    at async e.getRootCommand (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:21622)
    at async e.AndroidAdbInterceptor.injectSystemCertIfPossible (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:30549)
    at async e.AndroidAdbInterceptor.activate (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:28377)
    at async e.ApiModel.activateInterceptor (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:742658)
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:3509
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:2198
Android command [ 'su', 'root', 'sh /data/local/tmp/htk-root-test.sh' ] threw Timeout for ADB command su,root,sh /data/local/tmp/htk-root-test.sh
Error: Timeout for ADB command su,root,sh /data/local/tmp/htk-root-test.sh
    at /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:19743
    at async Promise.all (index 4)
    at async e.getRootCommand (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:21622)
    at async e.AndroidAdbInterceptor.injectSystemCertIfPossible (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:30549)
    at async e.AndroidAdbInterceptor.activate (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:28377)
    at async e.ApiModel.activateInterceptor (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:742658)
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:3509
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:2198
Cert already installed, nothing to do
Android command [ 'rm', '-f', '/data/local/tmp/htk-root-test.sh' ] returned ``
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-set-chrome-flags.sh' ] returned `Chrome flags script completed`
Chrome flags script completed

Android command [ 'su', '-c', 'am force-stop com.android.chrome' ] returned ``
Android Chrome flags set

As said in the logs, root is available.

Android 14, A53 5G with custom OneUI ROM.

@pimterry
Copy link
Member

Interesting, thanks for the report @ThePedroo

Cert already installed, nothing to do

This line means that it got root access, but then the cert seems to already be installed so it did nothing.

Can you reboot the device, rerun the ADB setup, and then share the resulting logs? That should provide more details here about the actual certificate installation.

You can see how the cert installation is supposed to work here: https://github.com/httptoolkit/httptoolkit-server/blob/a801ad5950bc8855072634a9c71355e16b7e7292/src/interceptors/android/adb-commands.ts#L256

In general, once the device is set up you should be able to find your CA cert within /system/etc/security/cacerts/ (always) and /apex/com.android.conscrypt/cacerts (on Android 14+), and that should be visible from all apps. For each app, that's where it should be looking to find CA certs to trust by default. If the cert is in place but it's not being trusted, then either there's certificate pinning going on (not uncommon for one-off specific cases, but not if all traffic is blocked) or something very unusual is going on with your setup.

@ThePedroo
Copy link
Author

I'll give a try. I must also say that besides the automatic certificate injection, I also tried to do manual injection as I couldn't see it within Security tab.

@ThePedroo
Copy link
Author

I'm unsure what you meant with rerun the ADB setup, so I restarted the phone, cleared the ADB trusted keys, connected & trusted my PC, and clicked on the setup with adb device.

Here are the logs from app startup till the finalization of setup:

--- Launching HTTP Toolkit desktop v1.14.9 ---
INFO: Initialising UI (version d23b6a186d0c0e929fb5067a2e805e5a08540492)
INFO: Account store initialized
INFO: UI store initialized
INFO: Proxy settings loaded
INFO: Server initialization failed TypeError: Failed to fetch
INFO: API store initialized
INFO: Server initialization failed TypeError: Failed to fetch
INFO: Server initialization failed TypeError: Failed to fetch
INFO: Server initialization failed TypeError: Failed to fetch
Config checked in 37 ms
Certificates setup in 14 ms
Standalone server started in 10 ms
Server started in 28 ms
Total startup took 89 ms
(node:99873) Warning: Using insecure HTTP parsing
(Use `node --trace-warnings ...` to show where the warning was created)
Mock session started, http on port 8000, webrtc enabled
Docker not available: connect EACCES /var/run/docker.sock
INFO: Server started
Webextension installed at /tmp/httptoolkit-webextension
INFO: Config loaded
INFO: Server started on port 8000
INFO: Proxy store initialized (server version 1.14.9)
INFO: Rules store initialized
INFO: Events store initialized
INFO: Send store initialized
INFO: Interceptor store initialized
INFO: App started, rendering
httptoolkit-server: Updating CLI... fetching manifest
INFO: Service worker loaded
httptoolkit-server: Updating CLI... !
Browser cache updated
Android command [ 'sh', '/data/local/tmp/htk-root-test.sh' ] returned `shell`
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-root-test.sh' ] returned `root`
Android command [ 'su', '-c', 'sh', '/data/local/tmp/htk-root-test.sh' ] returned `root`
Android command [ 'su', 'root', 'sh', '/data/local/tmp/htk-root-test.sh' ] threw Timeout for ADB command su,root,sh,/data/local/tmp/htk-root-test.sh
Error: Timeout for ADB command su,root,sh,/data/local/tmp/htk-root-test.sh
    at /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:19743
    at runNextTicks (node:internal/process/task_queues:60:5)
    at listOnTimeout (node:internal/timers:540:9)
    at process.processTimers (node:internal/timers:514:7)
    at async Promise.all (index 3)
    at async e.getRootCommand (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:21622)
    at async e.AndroidAdbInterceptor.injectSystemCertIfPossible (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:30549)
    at async e.AndroidAdbInterceptor.activate (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:28377)
    at async e.ApiModel.activateInterceptor (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:742658)
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:3509
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:2198
Android command [ 'su', 'root', 'sh /data/local/tmp/htk-root-test.sh' ] threw Timeout for ADB command su,root,sh /data/local/tmp/htk-root-test.sh
Error: Timeout for ADB command su,root,sh /data/local/tmp/htk-root-test.sh
    at /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:19743
    at async Promise.all (index 4)
    at async e.getRootCommand (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:21622)
    at async e.AndroidAdbInterceptor.injectSystemCertIfPossible (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:30549)
    at async e.AndroidAdbInterceptor.activate (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:28377)
    at async e.ApiModel.activateInterceptor (/opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:890:742658)
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:3509
    at async /opt/HTTP Toolkit/resources/httptoolkit-server/bundle/index.js:944:2198
Adding cert file as /data/local/tmp/4f74014f.0
Android command [ 'rm', '-f', '/data/local/tmp/htk-root-test.sh' ] returned ``
Cannot read properties of undefined (reading 'message')
Failed to check for updates: Cannot read properties of undefined (reading 'message')
httptoolkit-server: Updating CLI... fetching manifest
INFO: Previous server version was 1.14.9
httptoolkit-server: Updating CLI... !
Error reporting timed out
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-inject-system-cert.sh' ] returned `System cacerts setup completed
Injecting certificates into APEX cacerts
Zygote APEX certificates remounted
APEX certificates remounted for 108 apps
System cert successfully injected`
Cert injected
Android command [ 'su', '-c', 'sh /data/local/tmp/htk-set-chrome-flags.sh' ] returned `Chrome flags script completed`
Chrome flags script completed

Android command [ 'su', '-c', 'am force-stop com.android.chrome' ] returned ``
Android Chrome flags set
Cannot read properties of undefined (reading 'statusCode')
Failed to check for updates: Cannot read properties of undefined (reading 'statusCode')

@pimterry
Copy link
Member

Hmm, ok, that all looks broadly correct (except the 'check for updates' errors, but I think those are unrelated and unimportant).

I assume that despite that, the HTTP Toolkit app says "System trusted enabled" but your apps still don't allow interception? This is very odd.

Can you open an ADB shell, run su, then ls -Zl /apex/com.android.conscrypt/cacerts, and share the output here?

That's should be the system directory used for CA certificates on this device, and AFAIK it should always be trusted if it's present there.

If you look in the trusted system CA certificates UI (system certs, not user certs) within the Settings app (normally under Security -> Advanced -> Encryption & Credentials, or similar) do you see HTTP Toolkit's CA in there? Is it enabled?

I'm not sure of the details of how KernelSU works, but one thing that could break this would be if it somehow messes around with the file system view used... To debug that further, you'd probably need to use a test app (either build your own, or use a terminal app) and then try to work out from there exactly what the app sees in those directories. Presumably (I guess???) it won't see the certificate in those folders, and that will cause this? It's really hard to know to be honest though.

If you can have a dig around on your device, and see if those certificates exist, and see if there are any notable differences to how they're stored or how they appear from the POV of other apps, that will hopefully provide a clue to resolve this.

@ThePedroo
Copy link
Author

ThePedroo commented Jan 29, 2024

ls -Zl command output:

total 944
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2886 1969-12-31 21:00 01419da9.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2929 1969-12-31 21:00 04f60c28.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2357 1969-12-31 21:00 0d69c7e1.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4624 1969-12-31 21:00 10531352.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2616 1969-12-31 21:00 1ae85e5e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7073 1969-12-31 21:00 1b0f7e5c.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4930 1969-12-31 21:00 1df5a75f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4537 1969-12-31 21:00 1e1eab7c.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4342 1969-12-31 21:00 1e8e7201.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7226 1969-12-31 21:00 1ec40989.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7072 1969-12-31 21:00 1f58a078.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4721 1969-12-31 21:00 219d9499.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4756 1969-12-31 21:00 23f4c490.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2700 1969-12-31 21:00 252252d2.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2694 1969-12-31 21:00 2add47b6.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7012 1969-12-31 21:00 2d9dafe4.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7919 1969-12-31 21:00 302904dd.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7006 1969-12-31 21:00 304d27c3.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4898 1969-12-31 21:00 31188b5e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7431 1969-12-31 21:00 33ee480d.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7333 1969-12-31 21:00 35105088.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4631 1969-12-31 21:00 399e7759.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4371 1969-12-31 21:00 3ad48a91.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7414 1969-12-31 21:00 3c860d51.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2891 1969-12-31 21:00 3c899c73.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  8627 1969-12-31 21:00 3c9a4d3b.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4790 1969-12-31 21:00 3e7271e8.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2846 1969-12-31 21:00 41a3f684.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4829 1969-12-31 21:00 455f1b52.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7449 1969-12-31 21:00 48a195d8.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7078 1969-12-31 21:00 4be590e0.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2834 1969-12-31 21:00 4c3982f2.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7427 1969-12-31 21:00 5046c355.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7072 1969-12-31 21:00 52b525c7.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7109 1969-12-31 21:00 53a1b57a.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7463 1969-12-31 21:00 583d0756.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4842 1969-12-31 21:00 5a3f0ff8.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2655 1969-12-31 21:00 5acf816d.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7347 1969-12-31 21:00 5f47b495.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2896 1969-12-31 21:00 5f9a69fa.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2598 1969-12-31 21:00 5fdd185d.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4836 1969-12-31 21:00 60afe812.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7090 1969-12-31 21:00 6187b673.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  6975 1969-12-31 21:00 63a2c897.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4651 1969-12-31 21:00 69105f4f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2655 1969-12-31 21:00 6b03dec0.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7123 1969-12-31 21:00 6f7454b3.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4898 1969-12-31 21:00 75680d2e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4987 1969-12-31 21:00 76579174.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  3041 1969-12-31 21:00 7892ad52.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2285 1969-12-31 21:00 7a7c655d.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7341 1969-12-31 21:00 7a819ef2.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4682 1969-12-31 21:00 81b9768f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7012 1969-12-31 21:00 82223c44.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2678 1969-12-31 21:00 83e9984f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4581 1969-12-31 21:00 85cde254.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4291 1969-12-31 21:00 86212b19.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2699 1969-12-31 21:00 869fbf79.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2683 1969-12-31 21:00 8794b4e3.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4272 1969-12-31 21:00 882de061.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  3020 1969-12-31 21:00 88950faa.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2915 1969-12-31 21:00 89c02a45.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4489 1969-12-31 21:00 8d6437c3.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7234 1969-12-31 21:00 9282e51c.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7996 1969-12-31 21:00 9339512a.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7491 1969-12-31 21:00 93851c9e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  3023 1969-12-31 21:00 9479c8c3.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7054 1969-12-31 21:00 9576d26b.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7290 1969-12-31 21:00 9591a472.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4521 1969-12-31 21:00 95aff9e3.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4160 1969-12-31 21:00 9685a493.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7235 1969-12-31 21:00 985c1f52.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7050 1969-12-31 21:00 99e1b953.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2953 1969-12-31 21:00 9aef356c.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7219 1969-12-31 21:00 9d6523ce.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7184 1969-12-31 21:00 a2c66da8.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4294 1969-12-31 21:00 a3896b44.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  3248 1969-12-31 21:00 a716d4ed.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4405 1969-12-31 21:00 a81e292b.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  6993 1969-12-31 21:00 a9d40e02.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4343 1969-12-31 21:00 ab5346f4.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7169 1969-12-31 21:00 ab59055e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  6859 1969-12-31 21:00 b0ed035a.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4378 1969-12-31 21:00 b0f3e76e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  3248 1969-12-31 21:00 b30d5fda.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  3170 1969-12-31 21:00 b3fb433b.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2781 1969-12-31 21:00 b74d2bd5.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4365 1969-12-31 21:00 b7db1890.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4568 1969-12-31 21:00 b872f2b4.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7245 1969-12-31 21:00 b92fd57f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7217 1969-12-31 21:00 b936d1c6.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4525 1969-12-31 21:00 bc3f2570.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7397 1969-12-31 21:00 bd43e1dd.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4726 1969-12-31 21:00 bdacca6f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  5234 1969-12-31 21:00 bf64f35b.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7097 1969-12-31 21:00 c44cc0c0.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2792 1969-12-31 21:00 c491639e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7056 1969-12-31 21:00 c559d742.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2735 1969-12-31 21:00 c7f1359b.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4469 1969-12-31 21:00 c90bc37d.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7315 1969-12-31 21:00 cb1c3204.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2604 1969-12-31 21:00 ccc52f49.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4718 1969-12-31 21:00 cf701eeb.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4537 1969-12-31 21:00 d06393bb.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7534 1969-12-31 21:00 d16a5865.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7538 1969-12-31 21:00 d16a5865.1
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7064 1969-12-31 21:00 d18e9066.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7228 1969-12-31 21:00 d39b0a2c.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2614 1969-12-31 21:00 d41b5e2a.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7319 1969-12-31 21:00 d4c339cb.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4369 1969-12-31 21:00 d59297b8.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4964 1969-12-31 21:00 d7746a63.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7006 1969-12-31 21:00 d96b65e2.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7069 1969-12-31 21:00 da7377f6.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  6995 1969-12-31 21:00 dbc54cab.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4373 1969-12-31 21:00 dbff3a01.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7414 1969-12-31 21:00 dc99f41e.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4592 1969-12-31 21:00 dfc0fe80.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7358 1969-12-31 21:00 e13665f9.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7072 1969-12-31 21:00 e442e424.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4295 1969-12-31 21:00 e48193cf.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2669 1969-12-31 21:00 e7c037b4.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4857 1969-12-31 21:00 e8651083.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2775 1969-12-31 21:00 ed39abd0.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7317 1969-12-31 21:00 edcbddb5.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  2663 1969-12-31 21:00 ee532fd5.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7056 1969-12-31 21:00 f013ecaf.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7200 1969-12-31 21:00 f058632f.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7595 1969-12-31 21:00 f0cd152c.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4452 1969-12-31 21:00 f459871d.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7278 1969-12-31 21:00 f8fc53da.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  7018 1969-12-31 21:00 fb5fa911.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4304 1969-12-31 21:00 fd08c599.0
-rw-r--r-- 1 system system u:object_r:system_security_cacerts_file:s0  4695 1969-12-31 21:00 fde84897.0

About viewing via Settings in the phone, I can't find any certificate that has any HTTP keyword on it.

Also, KernelSU works similar to Magisk, even some modules works on both, the difference is that it provides kernel based rooting. It doesn't really reach the file system, although it provides access to anything.

I think since not even Settings can see the certificate, not even testing APPs will be able to see, but maybe you have a clue about what it is through the ls command. Thanks for the help anyway!

@pimterry
Copy link
Member

Hmm - two interesting things here:

  • The 4f74014f.0 certificate file doesn't actually appear, which is odd given that the output above confirms that it was injected.
    • This output is while HTTP Toolkit is (in theory) intercepting the device, right?
    • What happens if you look in /system/etc/security/cacerts/ instead?
  • The SELinux security context used doesn't quite match what we expect: we set it (here) to u:object_r:system_file:s0, which is what's used on most devices (and seems to be working everywhere else!) but your setting is u:object_r:system_security_cacerts_file:s0

Point 2 definitely seems wrong, and we can probably fairly easily change (with some kind of 'detect the current label' logic) but if the certificate's not there at all then that's more surprising...

One way to debug this further would be to try manually running the steps in the script, and try to work out why the certificate isn't visible in this directory. To do that:

At the end, use ls and see if the cert file has ended up in the /apex/com.android.conscrypt/cacerts and /system/etc/security/cacerts/ as expected.

If it's there but still not working (e.g. not appearing in Settings on Android) it would be interested to try the chcon step from that script again, but using u:object_r:system_security_cacerts_file:s0, to see if that works for you.

@ThePedroo
Copy link
Author

image

Soo.. third column.. we can observe in non-apex directory, it appears there, but in the apex directory, it doesn't seem to move to there.

I've manually executed all commands as you described, none seems to give any error.

@pimterry
Copy link
Member

pimterry commented Feb 1, 2024

Let's try some more options. After setup has completed, can you try running the below from a root ADB shell:

  • mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
  • chcon u:object_r:system_security_cacerts_file:s0 /system/etc/security/cacerts/*

Does either of those help?

Hopefully one does, because otherwise I think I'm a bit out of ideas now! With those complete, both directories should contain the certificate, with the exact same settings as any normal certificate on your device...

In general, these directories should fully control certificate trust, unless there's something different about this certificate vs the others. Android's code powering this is pretty unambiguous that this is where certs come from: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/core/java/android/security/net/config/SystemCertificateSource.java.

One thing you could try is rebooting the device, running ls -Z <dir> for both directories, then running the ADB setup and the two commands above, and then running the same ls. If you can see any differences in the properties (other than a single extra cert added) then that's a possible cause.

Ah, one more idea! The Apex injection works by mounting that path in the mount namespace (basically isolated/containerized views of the mounted files) of the Zygote processes (zygote and zygote64 - the processes which launch apps) and all their children (all already running apps). Can you run ps -A on your device and share the output? If you have some unusual zygote process there (e.g. just using a different name) then those would be missed here (their mount namespaces would be ignored and unmodified) which could cause this.

@pimterry
Copy link
Member

pimterry commented Feb 1, 2024

Oh, and if this still doesn't work and you need a workaround, I'd suggest using the standard Android emulators instead. These are well-tested and widely used and should definitely work unless there's something truly weird going with some other detail of your setup (which would be quite interesting in itself).

There's a full walkthrough for that here: https://httptoolkit.com/blog/inspect-any-android-apps-http/

@ThePedroo
Copy link
Author

I'll keep the emulator in mind, as this is only for my projects that require reverse engineering. Thanks!

Also, I've tried your first commands. While it works -- both directories now contain the same amount of certificates -- it neither appears on the UI nor apps "like" it.

I'm curious, should 2 other HTTP Toolkit certificates appear? One for VPN and other in the same place as the HTTP Toolkit should appear but in user section?

@pimterry
Copy link
Member

pimterry commented Feb 5, 2024

No, there should only be one certificate that appears, in the system CA certificates section. A user cert should only be installed if system cert installation fails. The VPN very isn't required at all that's a different thing I think mostly used for VPN authentication.

Did you try the ps -A command? It would be interesting to know if you have any other Zygote processes, since that could cause this.

Otherwise,do you have any other test devices? Can you reproduce this same behaviour elsewhere? I haven't seen this before, but maybe if we can find multiple devices with the same issue we can work out what triggers this.

@ThePedroo
Copy link
Author

ThePedroo commented Feb 5, 2024

Here's the ps command result:

USER           PID  PPID        VSZ    RSS WCHAN            ADDR S NAME         
root             1     0   12572768   5332 do_epoll_+          0 S init
root             2     0          0      0 kthreadd            0 S [kthreadd]
root             3     2          0      0 rescuer_t+          0 I [rcu_gp]
root             4     2          0      0 rescuer_t+          0 I [rcu_par_gp]
root             8     2          0      0 rescuer_t+          0 I [mm_percpu_w+
root            10     2          0      0 rcu_tasks+          0 S [rcu_tasks_k+
root            11     2          0      0 rcu_tasks+          0 S [rcu_tasks_t+
root            12     2          0      0 smpboot_t+          0 S [ksoftirqd/0]
root            13     2          0      0 rcu_gp_fq+          0 I [rcu_preempt]
root            14     2          0      0 rcu_boost+          0 S [rcub/0]
root            15     2          0      0 smpboot_t+          0 S [rcuc/0]
root            16     2          0      0 smpboot_t+          0 S [migration/0]
root            17     2          0      0 smpboot_t+          0 S [cpuhp/0]
root            18     2          0      0 smpboot_t+          0 S [cpuhp/1]
root            19     2          0      0 smpboot_t+          0 S [migration/1]
root            20     2          0      0 smpboot_t+          0 S [rcuc/1]
root            21     2          0      0 smpboot_t+          0 S [ksoftirqd/1]
root            24     2          0      0 smpboot_t+          0 S [cpuhp/2]
root            25     2          0      0 smpboot_t+          0 S [migration/2]
root            26     2          0      0 smpboot_t+          0 S [rcuc/2]
root            27     2          0      0 smpboot_t+          0 S [ksoftirqd/2]
root            30     2          0      0 smpboot_t+          0 S [cpuhp/3]
root            31     2          0      0 smpboot_t+          0 S [migration/3]
root            32     2          0      0 smpboot_t+          0 S [rcuc/3]
root            33     2          0      0 smpboot_t+          0 S [ksoftirqd/3]
root            36     2          0      0 smpboot_t+          0 S [cpuhp/4]
root            37     2          0      0 smpboot_t+          0 S [migration/4]
root            38     2          0      0 smpboot_t+          0 S [rcuc/4]
root            39     2          0      0 smpboot_t+          0 S [ksoftirqd/4]
root            42     2          0      0 smpboot_t+          0 S [cpuhp/5]
root            43     2          0      0 smpboot_t+          0 S [migration/5]
root            44     2          0      0 smpboot_t+          0 S [rcuc/5]
root            45     2          0      0 smpboot_t+          0 S [ksoftirqd/5]
root            48     2          0      0 smpboot_t+          0 S [cpuhp/6]
root            49     2          0      0 smpboot_t+          0 S [migration/6]
root            50     2          0      0 smpboot_t+          0 S [rcuc/6]
root            51     2          0      0 smpboot_t+          0 S [ksoftirqd/6]
root            54     2          0      0 smpboot_t+          0 S [cpuhp/7]
root            55     2          0      0 smpboot_t+          0 S [migration/7]
root            56     2          0      0 smpboot_t+          0 S [rcuc/7]
root            57     2          0      0 smpboot_t+          0 S [ksoftirqd/7]
root            60     2          0      0 rescuer_t+          0 I [netns]
root            69     2          0      0 kauditd_t+          0 S [kauditd]
root            70     2          0      0 watchdog            0 S [khungtaskd]
root            71     2          0      0 oom_reaper          0 S [oom_reaper]
root            72     2          0      0 rescuer_t+          0 I [writeback]
root            73     2          0      0 kcompactd           0 S [kcompactd0]
root           118     2          0      0 rescuer_t+          0 I [kblockd]
root           119     2          0      0 rescuer_t+          0 I [blkcg_punt_+
root           120     2          0      0 rescuer_t+          0 I [edac-poller]
root           121     2          0      0 rescuer_t+          0 I [devfreq_wq]
root           122     2          0      0 kthread_w+          0 S [watchdogd]
root           145     2          0      0 0                   0 R [kswapd0]
root           147     2          0      0 kthread_w+          0 S [erofs_worke+
root           156     2          0      0 deferred_+          0 S [dmabuf-defe+
root           157     2          0      0 rescuer_t+          0 I [uas]
root           158     2          0      0 rescuer_t+          0 I [uether]
root           159     2          0      0 rescuer_t+          0 I [dm_bufio_ca+
root           161     2          0      0 rescuer_t+          0 I [ipv6_addrco+
root           164     2          0      0 rescuer_t+          0 I [acpm_update+
root           165     2          0      0 irq_wait_+          0 S [irq/107-119+
root           166     2          0      0 irq_wait_+          0 S [irq/151-s2m+
root           167     2          0      0 irq_wait_+          0 S [irq/152-s2m+
root           168     2          0      0 irq_wait_+          0 S [irq/153-s2m+
root           169     2          0      0 irq_wait_+          0 S [irq/154-s2m+
root           170     2          0      0 irq_wait_+          0 S [irq/155-s2m+
root           171     2          0      0 irq_wait_+          0 S [irq/156-s2m+
root           172     2          0      0 irq_wait_+          0 S [irq/157-s2m+
root           173     2          0      0 irq_wait_+          0 S [irq/158-s2m+
root           174     2          0      0 irq_wait_+          0 S [irq/159-s2m+
root           175     2          0      0 irq_wait_+          0 S [irq/160-s2m+
root           176     2          0      0 irq_wait_+          0 S [irq/161-s2m+
root           177     2          0      0 irq_wait_+          0 S [irq/162-s2m+
root           178     2          0      0 irq_wait_+          0 S [irq/163-s2m+
root           179     2          0      0 irq_wait_+          0 S [irq/164-s2m+
root           180     2          0      0 irq_wait_+          0 S [irq/165-s2m+
root           181     2          0      0 irq_wait_+          0 S [irq/166-s2m+
root           182     2          0      0 irq_wait_+          0 S [irq/167-s2m+
root           183     2          0      0 irq_wait_+          0 S [irq/168-s2m+
root           184     2          0      0 irq_wait_+          0 S [irq/169-s2m+
root           185     2          0      0 irq_wait_+          0 S [irq/170-s2m+
root           186     2          0      0 irq_wait_+          0 S [irq/171-s2m+
root           187     2          0      0 irq_wait_+          0 S [irq/172-s2m+
root           188     2          0      0 irq_wait_+          0 S [irq/173-s2m+
root           189     2          0      0 irq_wait_+          0 S [irq/174-exy+
root           190     2          0      0 irq_wait_+          0 S [irq/123-118+
root           196     2          0      0 rescuer_t+          0 I [sec_audio_d+
root           197     2          0      0 rescuer_t+          0 I [sec_abc_wq]
root           198     2          0      0 rescuer_t+          0 I [typec_manag+
root           199     2          0      0 rescuer_t+          0 I [typec_manag+
root           200     2          0      0 irq_wait_+          0 S [irq/292-117+
root           201     2          0      0 irq_wait_+          0 S [irq/293-117+
root           202     2          0      0 irq_wait_+          0 S [irq/294-117+
root           203     2          0      0 irq_wait_+          0 S [irq/295-117+
root           204     2          0      0 irq_wait_+          0 S [irq/296-117+
root           205     2          0      0 irq_wait_+          0 S [irq/297-117+
root           206     2          0      0 irq_wait_+          0 S [irq/298-117+
root           207     2          0      0 irq_wait_+          0 S [irq/299-117+
root           208     2          0      0 irq_wait_+          0 S [irq/300-117+
root           209     2          0      0 irq_wait_+          0 S [irq/301-117+
root           210     2          0      0 exynos_dm+          0 S [fast_switch+
root           211     2          0      0 exynos_dm+          0 S [fast_switch+
root           212     2          0      0 kthread_w+          0 S [thermal_BIG]
root           213     2          0      0 kthread_w+          0 S [thermal_hot+
root           214     2          0      0 kthread_w+          0 S [thermal_LIT+
root           215     2          0      0 kthread_w+          0 S [thermal_G3D]
root           216     2          0      0 kthread_w+          0 S [thermal_ISP]
root           217     2          0      0 kthread_w+          0 S [thermal_NPU]
root           218     2          0      0 kthread_w+          0 S [thermal_CP]
root           219     2          0      0 kthread_w+          0 S [fast_switch+
root           220     2          0      0 kthread_w+          0 S [fast_switch+
root           221     2          0      0 rescuer_t+          0 I [g3d_dvfs]
root           222     2          0      0 rescuer_t+          0 I [kbase_job_f+
root           224     2          0      0 devfreq_c+          0 S [simpleinter+
root           225     2          0      0 devfreq_c+          0 S [simpleinter+
root           226     2          0      0 devfreq_c+          0 S [simpleinter+
root           227     2          0      0 devfreq_c+          0 S [simpleinter+
root           228     2          0      0 devfreq_c+          0 S [simpleinter+
root           229     2          0      0 devfreq_c+          0 S [simpleinter+
root           230     2          0      0 devfreq_c+          0 S [simpleinter+
root           231     2          0      0 devfreq_c+          0 S [simpleinter+
root           232     2          0      0 rescuer_t+          0 I [cpif_tpmon_+
root           233     2          0      0 rescuer_t+          0 I [cpif_tpmon_+
root           234     2          0      0 rescuer_t+          0 I [shmem_tx_wq]
root           235     2          0      0 irq_wait_+          0 S [irq/177-tza+
root           236     2          0      0 irq_wait_+          0 S [irq/178-tza+
root           237     2          0      0 irq_wait_+          0 S [irq/179-ppm+
root           238     2          0      0 irq_wait_+          0 S [irq/180-ppm+
root           239     2          0      0 add_hwgen+          0 S [hwrng]
root           240     2          0      0 irq_wait_+          0 S [irq/62-14c5+
root           241     2          0      0 irq_wait_+          0 S [irq/63-14c5+
root           242     2          0      0 irq_wait_+          0 S [irq/64-1511+
root           243     2          0      0 irq_wait_+          0 S [irq/65-1511+
root           244     2          0      0 rescuer_t+          0 I [abox_ipc]
root           245     2          0      0 irq_wait_+          0 S [irq/66-1514+
root           246     2          0      0 irq_wait_+          0 S [irq/67-1514+
root           247     2          0      0 irq_wait_+          0 S [irq/68-1517+
root           248     2          0      0 irq_wait_+          0 S [irq/69-1517+
root           249     2          0      0 irq_wait_+          0 S [irq/70-151a+
root           250     2          0      0 irq_wait_+          0 S [irq/71-151a+
root           251     2          0      0 irq_wait_+          0 S [irq/72-1558+
root           252     2          0      0 irq_wait_+          0 S [irq/73-1558+
root           253     2          0      0 irq_wait_+          0 S [irq/74-1548+
root           254     2          0      0 irq_wait_+          0 S [irq/75-1548+
root           255     2          0      0 irq_wait_+          0 S [irq/76-153a+
root           256     2          0      0 irq_wait_+          0 S [irq/77-153a+
root           257     2          0      0 rescuer_t+          0 I [abox_qos]
root           258     2          0      0 irq_wait_+          0 S [irq/78-153d+
root           260     2          0      0 irq_wait_+          0 S [irq/79-153d+
root           261     2          0      0 irq_wait_+          0 S [irq/80-12cd+
root           262     2          0      0 irq_wait_+          0 S [irq/81-12cd+
root           263     2          0      0 irq_wait_+          0 S [irq/82-10b5+
root           264     2          0      0 irq_wait_+          0 S [irq/83-10b5+
root           265     2          0      0 irq_wait_+          0 S [irq/84-10b8+
root           266     2          0      0 irq_wait_+          0 S [irq/85-10b8+
root           267     2          0      0 irq_wait_+          0 S [irq/86-1490+
root           268     2          0      0 irq_wait_+          0 S [irq/87-1490+
root           269     2          0      0 irq_wait_+          0 S [irq/88-149d+
root           270     2          0      0 irq_wait_+          0 S [irq/89-149d+
root           271     2          0      0 irq_wait_+          0 S [irq/90-1568+
root           272     2          0      0 irq_wait_+          0 S [irq/91-1568+
root           274     2          0      0 irq_wait_+          0 S [irq/92-156b+
root           275     2          0      0 irq_wait_+          0 S [irq/93-156b+
root           276     2          0      0 irq_wait_+          0 S [irq/94-12e7+
root           277     2          0      0 irq_wait_+          0 S [irq/95-12e7+
root           279     2          0      0 rescuer_t+          0 I [panel0:disp+
root           280     2          0      0 rescuer_t+          0 I [panel0:pcd]
root           281     2          0      0 rescuer_t+          0 I [panel0:err-+
root           282     2          0      0 rescuer_t+          0 I [panel0:conn+
root           283     2          0      0 rescuer_t+          0 I [panel0:pane+
root           284     2          0      0 rescuer_t+          0 I [panel0:pane+
root           285     2          0      0 panel_vrr+          0 S [panel-vrr-b+
root           286     2          0      0 panel_bl_+          0 S [panel-bl-th+
root           288     2          0      0 dmabuf_rb+          0 S [rbin]
root           289     2          0      0 dmabuf_rb+          0 S [rbin_shrink]
root           290     2          0      0 kthread_w+          0 S [crtc0_kthre+
root           291     2          0      0 kthread_w+          0 S [crtc1_kthre+
root           292     2          0      0 kthread_w+          0 S [card0-crtc0]
root           293     2          0      0 kthread_w+          0 S [card0-crtc1]
root           294     2          0      0 rescuer_t+          0 I [wq_vsync]
root           295     2          0      0 rescuer_t+          0 I [wq_fsync]
root           296     2          0      0 rescuer_t+          0 I [wq_dispon]
root           297     2          0      0 rescuer_t+          0 I [wq_panel_pr+
root           298     2          0      0 rescuer_t+          0 I [log_collect+
root           299     2          0      0 rescuer_t+          0 I [failure_wq]
root           300     2          0      0 rescuer_t+          0 I [syserr_reco+
root           301     2          0      0 rescuer_t+          0 I [fm_client_w+
root           302     2          0      0 tz_worker+          0 D [tz_worker_t+
root           303     2          0      0 tz_worker+          0 D [tz_worker_t+
root           304     2          0      0 tz_worker+          0 D [tz_worker_t+
root           305     2          0      0 tz_worker+          0 D [tz_worker_t+
root           306     2          0      0 tz_worker+          0 D [tz_worker_t+
root           307     2          0      0 tz_worker+          0 D [tz_worker_t+
root           308     2          0      0 tz_worker+          0 D [tz_worker_t+
root           309     2          0      0 tz_worker+          0 D [tz_worker_t+
root           310     2          0      0 tz_iwsock+          0 D [ree_time]
root           311     2          0      0 tz_iwlog_+          0 D [tz_iwlog_th+
root           312     2          0      0 tz_iwsock+          0 D [tz_iwsock]
root           314     2          0      0 tz_iwsock+          0 D [connecting_+
root           315     2          0      0 rescuer_t+          0 I [wifilogger]
root           316     2          0      0 rescuer_t+          0 I [wifilogger]
root           317     2          0      0 rescuer_t+          0 I [wifilogger]
root           318     2          0      0 rescuer_t+          0 I [wifilogger]
root           321     2          0      0 rescuer_t+          0 I [cfg80211]
root           322     2          0      0 rescuer_t+          0 I [conn_logger]
root           323     2          0      0 rescuer_t+          0 I [usb_notify]
root           324     2          0      0 rescuer_t+          0 I [s2mpu13-wqu+
root           325     2          0      0 irq_wait_+          0 S [irq/306-s2m+
root           326     2          0      0 rescuer_t+          0 I [power-keys-+
root           327     2          0      0 rescuer_t+          0 I [s2mpu14-wqu+
root           328     2          0      0 irq_wait_+          0 S [irq/353-sec+
root           329     2          0      0 scsi_erro+          0 S [scsi_eh_0]
root           330     2          0      0 rescuer_t+          0 I [scsi_tmf_0]
root           331     2          0      0 ufs_perf_+          0 D [ufs_perf_0]
root           332     2          0      0 rescuer_t+          0 I [ufs_eh_wq_0]
root           333     2          0      0 rescuer_t+          0 I [ufs_clk_gat+
root           334     2          0      0 rescuer_t+          0 I [usb_int_qos+
root           335     2          0      0 rescuer_t+          0 I [usb_tpmon_w+
root           337     2          0      0 irq_wait_+          0 S [irq/393-sm5+
root           338     2          0      0 rescuer_t+          0 I [SEC_WB_wq]
root           348     2          0      0 rescuer_t+          0 I [srpmb_wq]
root           349     2          0      0 rescuer_t+          0 I [samsung_mob+
root           350     2          0      0 rescuer_t+          0 I [sm5714-char+
root           351     2          0      0 rescuer_t+          0 I [pdic_irq_ev+
root           352     2          0      0 irq_wait_+          0 S [irq/394-sm5+
root           354     2          0      0 rescuer_t+          0 I [mfc/inst_mi+
root           355     2          0      0 rescuer_t+          0 I [mfc/butler]
root           356     2          0      0 irq_wait_+          0 S [irq/395-12e+
root           357     2          0      0 rescuer_t+          0 I [mfc_core/me+
root           358     2          0      0 rescuer_t+          0 I [mfc_core/id+
root           359     2          0      0 rescuer_t+          0 I [mfc_core/bu+
root           360     2          0      0 rescuer_t+          0 I [mfc_core/qo+
root           361     2          0      0 rescuer_t+          0 I [dw-mci-card]
root           362     2          0      0 rescuer_t+          0 I [dw_mci_clk_+
root           363     2          0      0 handle_lo+          0 D [chub_log_kt+
root           364     2          0      0 irq_wait_+          0 S [irq/268-11a+
root           365     2          0      0 rescuer_t+          0 I [npu_exynos]
root           366     2          0      0 rescuer_t+          0 I [fingerprint+
root           367     2          0      0 rescuer_t+          0 I [bootc_wq]
root           368     2          0      0 rescuer_t+          0 I [sm5451-PD-D+
root           369     2          0      0 irq_wait_+          0 S [irq/398-cer+
root           370     2          0      0 irq_wait_+          0 S [irq/397-hal+
root           371     2          0      0 irq_wait_+          0 S [irq/399-SX9+
root           372     2          0      0 kthread_w+          0 S [sec_vibrato+
root           373     2          0      0 rescuer_t+          0 I [pass-throug+
root           374     2          0      0 rescuer_t+          0 I [shub_dev_wq]
root           375     2          0      0 rescuer_t+          0 I [shub_debug_+
root           377     2          0      0 rescuer_t+          0 I [sec_input_i+
root           378     2          0      0 rescuer_t+          0 I [mmc_complet+
root           379     2          0      0 rescuer_t+          0 I [goodix_ts_i+
root           380     2          0      0 irq_wait_+          0 S [irq/400-goo+
root           381     2          0      0 irq_wait_+          0 S [irq/401-tfa+
root           382     2          0      0 irq_wait_+          0 S [irq/402-tfa+
root           388     2          0      0 kjournald2          0 S [jbd2/sda26-+
root           389     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           390     2          0      0 rescuer_t+          0 I [kdmflush]
root           391     2          0      0 rescuer_t+          0 I [kdmflush]
root           392     2          0      0 rescuer_t+          0 I [kdmflush]
root           393     2          0      0 rescuer_t+          0 I [kdmflush]
root           394     2          0      0 rescuer_t+          0 I [kdmflush]
root           395     2          0      0 issue_dis+          0 S [f2fs_discar+
root           396     2          0      0 issue_dis+          0 S [f2fs_discar+
root           397     2          0      0 issue_dis+          0 S [f2fs_discar+
root           398     2          0      0 issue_dis+          0 S [f2fs_discar+
root           399     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           400     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           403     1   12484332   1508 do_sys_po+          0 S init
root           404     1   12445036   2988 do_sys_po+          0 S ueventd
root           421     2          0      0 rescuer_t+          0 I [kdmflush]
root           422     2          0      0 rescuer_t+          0 I [kdmflush]
root           423     2          0      0 rescuer_t+          0 I [kdmflush]
root           424     2          0      0 rescuer_t+          0 I [kdmflush]
root           425     2          0      0 rescuer_t+          0 I [kdmflush]
root           426     2          0      0 rescuer_t+          0 I [kdmflush]
root           427     2          0      0 rescuer_t+          0 I [kdmflush]
root           428     2          0      0 rescuer_t+          0 I [kdmflush]
root           429     2          0      0 rescuer_t+          0 I [kdmflush]
root           430     2          0      0 rescuer_t+          0 I [kdmflush]
root           432     2          0      0 rescuer_t+          0 I [kdmflush]
root           433     2          0      0 rescuer_t+          0 I [kdmflush]
root           434     2          0      0 rescuer_t+          0 I [kdmflush]
root           435     2          0      0 rescuer_t+          0 I [kdmflush]
root           437     2          0      0 rescuer_t+          0 I [kdmflush]
root           440     2          0      0 rescuer_t+          0 I [kdmflush]
root           441     2          0      0 rescuer_t+          0 I [kdmflush]
root           444     2          0      0 rescuer_t+          0 I [kdmflush]
root           446     2          0      0 rescuer_t+          0 I [kdmflush]
root           447     2          0      0 rescuer_t+          0 I [kdmflush]
root           449     2          0      0 rescuer_t+          0 I [kdmflush]
root           452     2          0      0 rescuer_t+          0 I [kdmflush]
root           453     2          0      0 rescuer_t+          0 I [kdmflush]
root           463     2          0      0 kthread_w+          0 S [loop0]
root           464     2          0      0 kthread_w+          0 S [loop1]
root           465     2          0      0 kthread_w+          0 S [loop2]
root           466     2          0      0 kthread_w+          0 S [loop3]
root           467     2          0      0 kthread_w+          0 S [loop4]
root           469     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           470     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           471     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           472     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           473     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           475     2          0      0 rescuer_t+          0 I [tfa98xx]
root           476     2          0      0 rescuer_t+          0 I [tfacal]
root           478     2          0      0 rescuer_t+          0 I [tfa98xx]
root           479     2          0      0 rescuer_t+          0 I [tfacal]
root           480     1   12572768    584 __arm64_s+          0 S init
prng_seeder    488     1   12423664   2008 do_epoll_+          0 S prng_seeder
root           490     2          0      0 worker_th+          0 I [kworker/5:1+
logd           496     1   12626808   7852 __do_sys_+          0 S logd
lmkd           497     1   12414456   2824 do_epoll_+          0 S lmkd
system         498     1   12537524   2472 do_epoll_+          0 S servicemanag+
system         499     1   12405428   2444 do_epoll_+          0 S hwserviceman+
system         500     1   12521176   1952 do_epoll_+          0 S vndservicema+
root           502     2          0      0 0                   0 R [psimon]
root           515     1   12388380   1420 __arm64_s+          0 S watchdogd
root           516     1   12722348   2968 binder_wa+          0 S vold
root           518     2          0      0 kjournald2          0 S [jbd2/sda34-+
root           519     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           522     2          0      0 kjournald2          0 S [jbd2/sda1-8]
root           523     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           527     2          0      0 rescuer_t+          0 I [kdmflush]
root           533     2          0      0 kjournald2          0 S [jbd2/sda33-+
root           534     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           536     2          0      0 kjournald2          0 S [jbd2/sda2-8]
root           537     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           540     1   12431532   1516 __arm64_s+          0 S iod
system         545     1   12391240   1736 do_sys_po+          0 S tzdaemon
system         548     1   12575292   1380 futex_wai+          0 S tzts_daemon
system         555     1   12610164   3324 binder_wa+          0 S android.syst+
keystore       556     1   12793252   7696 binder_wa+          0 S keystore2
system         557     1   12442612   3304 binder_wa+          0 S android.hard+
system         558     1   12449220   2128 binder_wa+          0 S vendor.samsu+
system         559     1   12435776   1988 binder_wa+          0 S vendor.samsu+
system         560     1   12411652   1996 binder_wa+          0 S vendor.samsu+
root           576     2          0      0 issue_che+          0 S [f2fs_ckpt-2+
root           577     2          0      0 issue_dis+          0 S [f2fs_discar+
root           578     2          0      0 gc_thread+          0 S [f2fs_gc-254+
system         579     1   12462008   1632 do_epoll_+          0 S vendor.samsu+
system         580     1   12418232   1896 __skb_wai+          0 S vaultkeeperd
system         581     1   12382268   1520 binder_wa+          0 S vendor.samsu+
tombstoned     586     1   12392836   1252 do_epoll_+          0 S tombstoned
root           625     2          0      0 kthread_w+          0 S [loop5]
root           636     2          0      0 kthread_w+          0 S [loop6]
root           637     2          0      0 kthread_w+          0 S [loop7]
root           638     2          0      0 kthread_w+          0 S [loop8]
root           639     2          0      0 kthread_w+          0 S [loop9]
root           640     2          0      0 kthread_w+          0 S [loop10]
root           641     2          0      0 kthread_w+          0 S [loop11]
root           642     2          0      0 kthread_w+          0 S [loop12]
root           643     2          0      0 kthread_w+          0 S [loop13]
root           644     2          0      0 kthread_w+          0 S [loop14]
root           645     2          0      0 kthread_w+          0 S [loop15]
root           646     2          0      0 kthread_w+          0 S [loop16]
root           648     2          0      0 kthread_w+          0 S [loop17]
root           649     2          0      0 kthread_w+          0 S [loop18]
root           650     2          0      0 kthread_w+          0 S [loop19]
root           651     2          0      0 kthread_w+          0 S [loop20]
root           652     2          0      0 kthread_w+          0 S [loop21]
root           653     2          0      0 kthread_w+          0 S [loop22]
root           654     2          0      0 kthread_w+          0 S [loop23]
root           655     2          0      0 kthread_w+          0 S [loop24]
root           656     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           657     2          0      0 kthread_w+          0 S [loop25]
root           658     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           659     2          0      0 kthread_w+          0 S [loop26]
root           660     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           661     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           662     2          0      0 rescuer_t+          0 I [kverityd]
root           663     2          0      0 kthread_w+          0 S [loop27]
root           664     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           665     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           666     2          0      0 rescuer_t+          0 I [kverityd]
root           667     2          0      0 rescuer_t+          0 I [kverityd]
root           668     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           669     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           670     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           671     2          0      0 kthread_w+          0 S [loop28]
root           673     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           674     2          0      0 rescuer_t+          0 I [kverityd]
root           675     2          0      0 rescuer_t+          0 I [kverityd]
root           676     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           677     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           678     2          0      0 kthread_w+          0 S [loop29]
root           679     2          0      0 rescuer_t+          0 I [kverityd]
root           680     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           681     2          0      0 kthread_w+          0 S [loop30]
root           682     2          0      0 kthread_w+          0 S [loop31]
root           683     2          0      0 rescuer_t+          0 I [kverityd]
root           684     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           685     2          0      0 kthread_w+          0 S [loop32]
root           686     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           687     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           688     2          0      0 kthread_w+          0 S [loop33]
root           689     2          0      0 rescuer_t+          0 I [kverityd]
root           690     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           691     2          0      0 kthread_w+          0 S [loop34]
root           692     2          0      0 kthread_w+          0 S [loop35]
root           693     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           694     2          0      0 kthread_w+          0 S [loop36]
root           695     2          0      0 rescuer_t+          0 I [kverityd]
root           696     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           697     2          0      0 rescuer_t+          0 I [kverityd]
root           698     2          0      0 rescuer_t+          0 I [kverityd]
root           699     2          0      0 kthread_w+          0 S [loop37]
root           700     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           701     2          0      0 kthread_w+          0 S [loop38]
root           702     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           703     2          0      0 kthread_w+          0 S [loop39]
root           704     2          0      0 kthread_w+          0 S [loop40]
root           705     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           706     2          0      0 kthread_w+          0 S [loop41]
root           707     2          0      0 kthread_w+          0 S [loop42]
root           708     2          0      0 kthread_w+          0 S [loop43]
root           709     2          0      0 kthread_w+          0 S [loop44]
root           710     2          0      0 rescuer_t+          0 I [kverityd]
root           711     2          0      0 rescuer_t+          0 I [kverityd]
root           712     2          0      0 rescuer_t+          0 I [kverityd]
root           713     2          0      0 kthread_w+          0 S [loop45]
root           714     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           715     2          0      0 kthread_w+          0 S [loop46]
root           716     2          0      0 rescuer_t+          0 I [kverityd]
root           717     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           718     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           719     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           720     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           721     2          0      0 rescuer_t+          0 I [kverityd]
root           722     2          0      0 rescuer_t+          0 I [kverityd]
root           723     2          0      0 rescuer_t+          0 I [kverityd]
root           724     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           725     2          0      0 rescuer_t+          0 I [kverityd]
root           726     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           727     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           728     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           729     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           730     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           731     2          0      0 rescuer_t+          0 I [kverityd]
root           732     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           733     2          0      0 rescuer_t+          0 I [kverityd]
root           734     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           735     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           736     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           737     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           738     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           739     2          0      0 rescuer_t+          0 I [kverityd]
root           740     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           741     2          0      0 rescuer_t+          0 I [kverityd]
root           742     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
root           761     2          0      0 kthread_w+          0 S [loop47]
root           762     2          0      0 kjournald2          0 S [jbd2/loop47+
root           763     2          0      0 rescuer_t+          0 I [ext4-rsv-co+
system         774     1   17916176  31840 do_epoll_+          0 S lspd
root           793     1   12376236   1548 do_epoll_+          0 S zygisk-ptrac+
system         812     1   12436096   1564 futex_wai+          0 S cass
system         813     1   12453848   2428 binder_wa+          0 S emservice
statsd         831     1   12515884   4308 do_epoll_+          0 S statsd
root           832     1   12801888   7204 binder_wa+          0 S netd
root           833     1   16443180  50928 do_sys_po+          0 S zygote64
root           834   793   12354152   1684 __skb_wai+          0 S zygiskd64
root           837     1    1805904  15052 do_sys_po+          0 S zygote
root           838   793      16116    656 __skb_wai+          0 S zygiskd32
system         851     1   12391200   2044 binder_wa+          0 S android.hidl+
audioserver    852     1      76964   6848 binder_wa+          0 S android.hard+
bluetooth      853     1   12478364   1972 binder_wa+          0 S android.hard+
media          854     1   12459700   1684 binder_wa+          0 S android.hard+
media          855     1   12562264   1928 binder_wa+          0 S android.hard+
system         856     1   12413792   1844 binder_wa+          0 S android.hard+
system         857     1   12495688   2628 binder_wa+          0 S android.hard+
system         858     1   12931520   4188 binder_wa+          0 S android.hard+
root           859   832   12372388   1712 pipe_read+          0 S iptables-res+
root           860   832   12460452   1624 pipe_read+          0 S ip6tables-re+
system         862     1   12478768   2344 do_epoll_+          0 S android.hard+
system         863     1   13504076  11644 binder_wa+          0 S android.hard+
system         864     1   12632876   2500 binder_wa+          0 S android.hard+
root           865     1   12504764   2236 binder_wa+          0 S android.hard+
wifi           866     1   12524140   2680 binder_wa+          0 S android.hard+
system         873     1   12532260   2764 binder_wa+          0 S vendor.samsu+
system         876     1   12611928   3064 binder_wa+          0 S vendor.samsu+
system         879     1   12507092   2140 binder_wa+          0 S vendor.samsu+
nobody         880     1   12525080   2016 binder_wa+          0 S android.hard+
system         881     1   12499664   2100 binder_wa+          0 S android.hard+
nobody         882     1   12447660   2056 binder_wa+          0 S android.hard+
mediacodec     890     1   13312640   9460 binder_wa+          0 S samsung.hard+
mediacodec     894     1   12863008   2496 binder_wa+          0 S samsung.soft+
cameraserver   923     1   13894800   6160 binder_wa+          0 S vendor.samsu+
system         931     1   12373796   2052 binder_wa+          0 S vendor.samsu+
system         933     1   12582260   1752 binder_wa+          0 S vendor.samsu+
system         937     1   12413288   1976 binder_wa+          0 S vendor.samsu+
system         938     1   12433908   2520 binder_wa+          0 S vendor.samsu+
system         939     1   12442300   2384 binder_wa+          0 S vendor.samsu+
wifi           941     1   12403564   1920 binder_wa+          0 S vendor.samsu+
system         942     1   12367368   2144 binder_wa+          0 S vendor.samsu+
system         943     1   12476856   1684 binder_wa+          0 S vendor.samsu+
system         944     1   13098528  11584 binder_wa+          0 S vendor.samsu+
system         946     1   12407152   2000 binder_wa+          0 S vendor.samsu+
audioserver    947     1   13460356  17952 binder_wa+          0 S audioserver
credstore      949     1   12419540   1960 binder_wa+          0 S credstore
gpu_service    951     1   12532044   2276 binder_wa+          0 S gpuservice
system_kumi+   954     1   13095656   3444 binder_wa+          0 S kumiho.decod+
system         957     1   12723692   2020 do_epoll_+          0 S perfmond
system         960     1   13683260  45524 do_epoll_+          0 S surfacefling+
u0_a237        972   833   18847000 106424 do_epoll_+          0 S com.google.a+
drm           1009     1      44260   1076 binder_wa+          0 S drmserver
root          1010     2          0      0 rescuer_t+          0 I [kbase_event]
system        1017     1   12357128   1732 __skb_wai+          0 S ewlogd
root          1030     2          0      0 rescuer_t+          0 I [kbase_event]
nobody        1037     1   12439156   1448 do_sys_po+          0 S traced_probes
nobody        1038     1   12373032   1576 do_sys_po+          0 S traced
cameraserver  1091     1   13180320   4316 binder_wa+          0 S cameraserver
system        1092     1   12406744   1920 binder_wa+          0 S fabric_crypto
system        1100     1   12424964   1652 binder_wa+          0 S imsd
incidentd     1105     1   12483240   1904 do_epoll_+          0 S incidentd
system        1114     1   12414636   1956 __arm64_s+          0 S smdexe
system        1115     1   12487932   1408 __skb_wai+          0 S diagexe
system        1117     1   12522676   1604 __skb_wai+          0 S ddexe
system        1118     1   12470420   1800 do_select           0 S connfwexe
root          1123     1   12713964   2776 binder_wa+          0 S installd
mediaex       1125     1   12985468   5352 binder_wa+          0 S media.extrac+
media         1126     1   12611164  10672 binder_wa+          0 S media.metrics
media         1127     1   13745780  10764 binder_wa+          0 S mediaserver
system        1133     1   12456844   1860 binder_wa+          0 S speg_helper
system        1136     1   12391100   1952 binder_wa+          0 S spqr_service
root          1138     1   12497248   3280 binder_wa+          0 S storaged
wifi          1140     1   12390948   2884 do_epoll_+          0 S wificond
mediacodec    1142     1      50116    908 binder_wa+          0 S media.codec
system        1145     1   12393440   1472 __arm64_s+          0 S argosd
radio         1147     1   12417136   1560 do_sys_po+          0 S cbd
gps           1149     1   12608952   3916 __arm64_s+          0 S gpsd
system        1150     1   12452488   1444 futex_wai+          0 S epic
root          1152     1   12390148   1436 do_sys_po+          0 S memlogd
system        1153     1   12671532   3028 binder_wa+          0 S vendor.samsu+
radio         1156     1   13349788   5532 binder_wa+          0 S rild
wifi          1159     1   12421552   1576 __skb_wai+          0 S wlbtd
mediacodec    1160     1   13378588   3780 binder_wa+          0 S media.swcodec
system        1163     1   12431408   2332 binder_wa+          0 S gatekeeperd
root          1175     2          0      0 rescuer_t+          0 I [kbase_event]
audioserver   1184     1   12395104   1400 do_epoll_+          0 S abox_log
system        1187     1   12473912  18324 binder_wa+          0 S vendor.samsu+
radio         1334     1   12588984   2420 __arm64_s+          0 S multiclientd
system        1344   833   27619540 335944 do_epoll_+          0 S system_server
root          1353     1   12573680   3652 do_sys_po+          0 S zygiskd64-zy+
root          1369     1   12394144   1836 do_sys_po+          0 S zygiskd64-zy+
root          1373     1   12393036   1556 do_sys_po+          0 S zygiskd64-Pi+
radio         1793   833   19360560  77920 do_epoll_+          0 S com.android.+
root          1842     2          0      0 rescuer_t+          0 I [fwhdr_crc_w+
u0_a48        1861   833   21190712 373348 do_epoll_+          0 S com.android.+
network_sta+  1897   833   18323276  56688 do_epoll_+          0 S com.android.+
system        1916   833   18494136  42688 do_epoll_+          0 S com.sec.epdg
root          2018     1      19072    652 do_sys_po+          0 S zygiskd32-zy+
root          2098     1      15544    624 do_sys_po+          0 S zygiskd32-zy+
root          2127     1      13768    608 do_sys_po+          0 S zygiskd32-Pi+
webview_zyg+  2212   833   18476544  29960 do_sys_po+          0 S webview_zygo+
u0_i9035      2272  2212  246420612  47116 do_epoll_+          0 S com.google.a+
root          2322     2          0      0 rescuer_t+          0 I [kbase_event]
system        2385   833   18275272  39432 do_epoll_+          0 S com.sec.sve
nfc           2392   833   18232056  46140 do_epoll_+          0 S com.android.+
system        2407   833   20825348  49852 do_epoll_+          0 S com.sec.imss+
secure_elem+  2411   833   18021336  38296 do_epoll_+          0 S com.android.+
system        2428   833   18072812  39580 do_epoll_+          0 S com.samsung.+
u0_a138       2448   833   19993060 150688 do_epoll_+          0 S com.sec.andr+
u0_a278       2473   833   18625380  54724 do_epoll_+          0 S com.google.a+
nfc           2762     1   12535224   2204 binder_wa+          0 S sec.android.+
root          2802     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a237       2991   833   19863576 190204 do_epoll_+          0 S com.google.a+
u0_a54        3063   833   18461804  57484 do_epoll_+          0 S android.proc+
system        3135   833   18055804  42592 do_epoll_+          0 S com.samsung.+
shell         3167     1   12577120   3732 do_epoll_+          0 S adbd
system        3182     1   12507896   1632 futex_wai+          0 S ss_conn_daem+
root          3183     2          0      0 irq_wait_+          0 S [irq/190-dwc+
u0_a74        3208   833   18321388  44896 do_freeze+          0 S com.samsung.+
oem_5013      3216   833   18147624  53504 do_epoll_+          0 S com.sec.loca+
system        3251     1   12438792   1952 do_select           0 S perfsdkserver
root          3284     2          0      0 kthread_w+          0 S [loop48]
root          3312     2          0      0 zram_wbd            0 S [zram0_wbd]
system        3319     1   12548904   2784 do_epoll_+          0 S pageboostd
bluetooth     3405   833   18955700  66320 do_epoll_+          0 S com.android.+
u0_a328       3411   833   19402276  59736 do_epoll_+          0 S com.samsung.+
root          3532     2          0      0 worker_th+          0 I [kworker/7:6+
root          3539     2          0      0 mxmgmt_th+          0 S [mxmgmt_thre+
root          3540     2          0      0 mxlog_thr+          0 S [mxlog_threa+
root          3624     2          0      0 worker_th+          0 I [kworker/7:3+
system        3669   833   18019904  37232 do_epoll_+          0 S com.sec.andr+
root          3748     2          0      0 worker_th+          0 I [kworker/0:1+
root          3749     2          0      0 worker_th+          0 I [kworker/0:3+
u0_a113       3752   833   18179748  46464 do_epoll_+          0 S com.samsung.+
root          4337     1   17752244  26964 do_epoll_+          0 S shizuku_serv+
root          4447     2          0      0 worker_th+          0 I [kworker/7:0+
u0_a279       4657   833   19064844  70124 do_epoll_+          0 S com.google.a+
u0_a114       4665   833   18530456  52472 do_epoll_+          0 S com.samsung.+
u0_a227       4672   833   18624144  45904 do_epoll_+          0 S com.google.a+
u0_a238       4679   833   19543692  63156 do_epoll_+          0 S com.google.a+
u0_a235       4702   833   18566568  60344 do_epoll_+          0 S com.google.a+
root          4728     2          0      0 worker_th+          0 I [kworker/0:4+
root          4751     2          0      0 worker_th+          0 I [kworker/4:2+
system        4779   833   18196772  54556 do_epoll_+          0 S com.sec.andr+
system        4855   833   19047416  80912 do_epoll_+          0 S com.sec.andr+
u0_a87        4884   833   18324328  54872 do_epoll_+          0 S com.samsung.+
root          5093     2          0      0 mxmgmt_th+          0 S [mxmgmt_thre+
root          5095     2          0      0 mxlog_thr+          0 S [mxlog_threa+
root          5097     2          0      0 rescuer_t+          0 I [hip4_work]
root          5132     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a184       5444   833   19885664  82708 do_epoll_+          0 S com.samsung.+
u0_a238       5687   833   38538744 213700 do_epoll_+          0 S com.google.a+
u0_a322       6190   833   18837976  61376 do_epoll_+          0 S com.tribalfs+
root          6214     2          0      0 worker_th+          0 I [kworker/3:1+
u0_a328       6300   833   19017252  39952 do_epoll_+          0 S com.samsung.+
u0_a360       6342   833   18489732  49452 do_epoll_+          0 S com.musixmat+
u0_a209       6402   833   18042460  39800 do_epoll_+          0 S com.samsung.+
root          6462     2          0      0 worker_th+          0 I [kworker/6:0+
root          6485     2          0      0 worker_th+          0 I [kworker/u17+
u0_a322       6632  6190   12386152   1304 pipe_read+          0 S sh
u0_a256       6643   833   26269436 187248 0                   0 R com.google.a+
root          7166     1   12360196   1560 do_sys_po+          0 S zygiskd64-pl+
u0_a62        7323   833   18438440  56888 do_epoll_+          0 S android.proc+
u0_a77        7604   833   18942752  67008 do_epoll_+          0 S org.proninya+
root          7643     2          0      0 rescuer_t+          0 I [kbase_event]
root          7646     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a67        7884   833   18233852  49468 do_epoll_+          0 S com.samsung.+
root          8016     2          0      0 worker_th+          0 I [kworker/1:2+
root          8033     2          0      0 rescuer_t+          0 I [kbase_event]
root          8098     2          0      0 worker_th+          0 I [kworker/7:1+
root          8139     2          0      0 worker_th+          0 I [kworker/2:1+
root          8376     2          0      0 worker_th+          0 I [kworker/3:0+
system        8403     1   12370832   1880 binder_wa+          0 S vendor.samsu+
vendor_cmhs+  8627   833   19438608  48688 do_epoll_+          0 S com.samsung.+
u0_a234       8960   833   18114148  45772 do_epoll_+          0 S com.google.a+
u0_a333       9041   833   19893344  72940 do_epoll_+          0 S br.com.timbr+
root          9149     2          0      0 worker_th+          0 I [kworker/6:2+
u0_a237       9318   833   18147140  42932 do_epoll_+          0 S com.google.p+
root          9373     2          0      0 worker_th+          0 I [kworker/4:1+
root          9465     2          0      0 worker_th+          0 R [kworker/u16+
root          9484     2          0      0 worker_th+          0 I [kworker/u17+
system        9840   833   18133020  38588 do_epoll_+          0 S com.samsung.+
root          9848     2          0      0 worker_th+          0 I [kworker/7:3+
u0_a305       9864   833   20376084 103052 do_epoll_+          0 S com.whatsapp
root          9926     2          0      0 worker_th+          0 I [kworker/5:2+
root         10083     1   12353384   1300 __refrige+          0 D sh
u0_a237      10164   833   18007792  43504 do_freeze+          0 S com.google.p+
u0_a131      10507   833   18058788  45216 do_epoll_+          0 S com.sec.andr+
root         10647     2          0      0 worker_th+          0 I [kworker/1:0+
root         10698     2          0      0 worker_th+          0 I [kworker/7:0+
root         10707     2          0      0 worker_th+          0 I [kworker/3:1+
u0_a114      10718   833   18266812  52144 do_freeze+          0 S com.samsung.+
u0_a108      10724   833   18920776  56972 do_epoll_+          0 S com.samsung.+
root         10768     2          0      0 worker_th+          0 I [kworker/2:0+
u0_a235      10989   833   18709960 120284 do_epoll_+          0 S com.google.a+
u0_a255      11485   833   38569852 224600 __down_re+          0 D com.google.a+
u0_a48       11545   833   18559108  66700 do_epoll_+          0 S com.android.+
u0_a296      11596   833   18432492  47168 do_epoll_+          0 S com.gms.kill
root         11624     2          0      0 rescuer_t+          0 I [kbase_event]
root         11675     2          0      0 rescuer_t+          0 I [kbase_event]
root         11731     2          0      0 worker_th+          0 I [kworker/4:0+
root         11736     2          0      0 worker_th+          0 I [kworker/6:1+
root         11744     2          0      0 worker_th+          0 I [kworker/7:1+
root         11746     2          0      0 worker_th+          0 I [kworker/7:2+
root         11747     2          0      0 worker_th+          0 I [kworker/7:4+
root         11750     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a249      11820   833   18074836  45820 do_epoll_+          0 S com.google.a+
u0_i9069     11850  2212  246409224  79692 do_epoll_+          0 S com.google.a+
root         12038     2          0      0 worker_th+          0 I [kworker/0:0+
root         12211     2          0      0 worker_th+          0 I [kworker/7:5+
u0_a347      12217   833   36250944 228268 do_epoll_+          0 S com.github.a+
root         12313     2          0      0 rescuer_t+          0 I [kbase_event]
root         12394     2          0      0 worker_th+          0 I [kworker/5:0+
u0_i9070     12413  2212  246369060  71000 do_epoll_+          0 S com.google.a+
root         12482     2          0      0 worker_th+          0 I [kworker/0:0+
root         12500     2          0      0 worker_th+          0 I [kworker/6:3+
u0_a320      12504   833   20987204  70696 do_epoll_+          0 S com.spotify.+
root         12528     2          0      0 worker_th+          0 I [kworker/u16+
root         12529     2          0      0 worker_th+          0 I [kworker/u16+
root         12530     2          0      0 worker_th+          0 I [kworker/u16+
root         12534     2          0      0 worker_th+          0 I [kworker/u16+
root         12535     2          0      0 worker_th+          0 I [kworker/u16+
root         12557     2          0      0 worker_th+          0 I [kworker/u16+
root         12558     2          0      0 worker_th+          0 I [kworker/u16+
root         12559     2          0      0 worker_th+          0 I [kworker/u16+
root         12560     2          0      0 worker_th+          0 I [kworker/u16+
root         12561     2          0      0 worker_th+          0 I [kworker/u16+
root         12567     2          0      0 worker_th+          0 I [kworker/u16+
root         12569     2          0      0 worker_th+          0 I [kworker/u16+
root         12570     2          0      0 worker_th+          0 I [kworker/u16+
root         12574     2          0      0 worker_th+          0 I [kworker/u16+
root         12575     2          0      0 worker_th+          0 I [kworker/u16+
root         12576     2          0      0 worker_th+          0 I [kworker/7:2+
root         12577     2          0      0 worker_th+          0 I [kworker/0:1+
root         12606     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a204      12712   833   18447904  73624 do_epoll_+          0 S com.sec.andr+
root         13017     2          0      0 worker_th+          0 I [kworker/2:2+
root         13030     2          0      0 worker_th+          0 I [kworker/6:1+
root         13031     2          0      0 worker_th+          0 I [kworker/6:3+
root         13033     2          0      0 kthread_w+          0 S [erofs_worke+
root         13034     2          0      0 kthread_w+          0 S [erofs_worke+
root         13036     2          0      0 kthread_w+          0 S [erofs_worke+
root         13037     2          0      0 kthread_w+          0 S [erofs_worke+
root         13039     2          0      0 kthread_w+          0 S [erofs_worke+
root         13040     2          0      0 kthread_w+          0 S [erofs_worke+
root         13041     2          0      0 kthread_w+          0 S [erofs_worke+
root         13042     2          0      0 worker_th+          0 I [kworker/u16+
root         13081     2          0      0 worker_th+          0 I [kworker/1:3+
root         13098     2          0      0 worker_th+          0 I [kworker/4:3+
system       13112   833   18323640  47560 do_epoll_+          0 S com.samsung.+
system       13156   833   18907332  48660 do_epoll_+          0 S com.sec.andr+
artd         13170     1   12475320   5620 binder_wa+          0 S artd
root         13175     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a128      13217   833   18307028  47676 do_freeze+          0 S com.samsung.+
u0_a244      13340   833   18577952  43676 do_epoll_+          0 S com.google.a+
root         13344     2          0      0 worker_th+          0 I [kworker/5:3+
system       13348   833   18403492  50256 do_epoll_+          0 S com.samsung.+
shell        13578  3167   12394344   2292 __do_sys_+          0 S sh
root         13591 13578   12363624   2332 __do_sys_+          0 S sh
root         13619     2          0      0 worker_th+          0 I [kworker/0:2+
root         13620     2          0      0 worker_th+          0 I [kworker/0:4+
root         13622     2          0      0 worker_th+          0 I [kworker/2:2+
u0_a234      13628   833   18448736  46900 do_epoll_+          0 S com.google.a+
root         13667 13591   12422076   3120 0                   0 R ps
vendor_bcmgr 14014   833   18144072  43364 do_epoll_+          0 S com.samsung.+
root         14639     2          0      0 rescuer_t+          0 I [kbase_event]
root         15219     2          0      0 worker_th+          0 I [kworker/u17+
root         16840     2          0      0 rescuer_t+          0 I [dio/dm-46]
root         16912     2          0      0 worker_th+          0 I [kworker/u16+
root         17066     1   12518688   3016 do_epoll_+          0 S libwebserver+
u0_a247      18142   833   36491648 139416 do_epoll_+          0 S com.android.+
root         18187     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a247      18231   833   17591220  29728 do_sys_po+          0 S com.android.+
u0_i3        18920 18231  245608692  56424 do_epoll_+          0 S com.android.+
system       20479     1   12419244   1932 binder_wa+          0 S vendor.samsu+
u0_a269      20595   833   18359868  46144 do_epoll_+          0 S com.google.a+
u0_a332      22018   833   42693640 480964 do_epoll_+          0 S com.zhiliaoa+
system       22062   833   18611204  83208 do_epoll_+          0 S com.samsung.+
root         22125     2          0      0 rescuer_t+          0 I [kbase_event]
root         22146     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a48       22148   833   18939788  49072 do_epoll_+          0 S com.samsung.+
root         22354     2          0      0 worker_th+          0 I [kworker/0:2+
u0_a332      22484   833   37180596 106512 do_epoll_+          0 S com.zhiliaoa+
u0_a108      22598   833   19336944  53732 do_epoll_+          0 S com.samsung.+
radio        22718   833   18037448  38792 do_epoll_+          0 S com.sec.phone
u0_a236      23094   833   20356620 143444 do_epoll_+          0 S com.android.+
root         23156     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a247      23428   833   35578308  62040 do_epoll_+          0 S com.android.+
root         23512     2          0      0 rescuer_t+          0 I [kbase_event]
root         23526     2          0      0 rescuer_t+          0 I [kbase_event]
root         23544     2          0      0 rescuer_t+          0 I [kbase_event]
u0_a319      23646   833   39083784 184420 __refrige+          0 D com.twitter.+
root         23733     2          0      0 rescuer_t+          0 I [kbase_event]
root         23758     2          0      0 worker_th+          0 I [kworker/2:0+
root         23784     2          0      0 rescuer_t+          0 I [kbase_event]
u0_i42       23998 18231  245464688  44300 do_epoll_+          0 S com.android.+
u0_a61       24251   833   18361692  48608 do_epoll_+          0 S com.samsung.+
u0_a339      24257   833   19681332  52372 do_epoll_+          0 S org.forkclie+
u0_a334      24543   833   19772420 117616 do_epoll_+          0 S com.kieronqu+
root         25285     2          0      0 worker_th+          0 I [kworker/5:2+
root         25644     2          0      0 worker_th+          0 I [kworker/4:2+
root         25779     2          0      0 worker_th+          0 I [kworker/4:1+
u0_a329      26303   833   19112696  82612 do_epoll_+          0 S com.kieronqu+
root         26462     1   18278944  45508 do_epoll_+          0 S com.kieronqu+
root         27064     2          0      0 worker_th+          0 I [kworker/5:1+
root         27310     2          0      0 rescuer_t+          0 I [kbase_event]
wifi         28238     1   12579972   4276 do_select           0 S wpa_supplica+
u0_a89       28241   833   18354636  53364 do_epoll_+          0 S com.samsung.+
system       29339   833   18970540  67360 do_epoll_+          0 S com.android.+
root         29394     2          0      0 worker_th+          0 I [kworker/6:0+
root         29615     2          0      0 worker_th+          0 I [kworker/1:1+
root         29800     2          0      0 worker_th+          0 I [kworker/u16+
root         29812     2          0      0 worker_th+          0 I [kworker/u16+
root         29822     2          0      0 worker_th+          0 I [kworker/6:2+
root         29923     2          0      0 worker_th+          0 I [kworker/u17+
root         30116     2          0      0 worker_th+          0 I [kworker/1:1+
root         30134     2          0      0 rescuer_t+          0 I [kbase_event]
root         30411     2          0      0 worker_th+          0 I [kworker/2:5+
root         30413     2          0      0 worker_th+          0 I [kworker/3:2+
system       30952   833   18100532  38880 do_epoll_+          0 S android:drmS+
root         31276     2          0      0 worker_th+          0 I [kworker/2:1+
root         31277     2          0      0 worker_th+          0 I [kworker/1:0+
root         31297     2          0      0 worker_th+          0 I [kworker/3:2+
u0_a100      31477   833   18656768  66852 do_epoll_+          0 S com.samsung.+
system       31640   833   18055560  38868 do_epoll_+          0 S com.samsung.+
root         31643     2          0      0 rescuer_t+          0 I [kbase_event]
vendor_sams+ 31754   833   18446528  52908 do_epoll_+          0 S com.samsung.+
system       32196   833   18676172  67788 do_epoll_+          0 S com.samsung.+
system       32200   833   18580216  64904 do_epoll_+          0 S com.samsung.+
u0_a237      32387   833   36828220 179984 do_epoll_+          0 S com.google.a+
root         32585     2          0      0 rescuer_t+          0 I [kbase_event]
root         32656     2          0      0 rescuer_t+          0 I [kbase_event]

Otherwise,do you have any other test devices?
Yes and no. I do have 2 more BL unlocked devices, only one rooted, but they have old Android versions and are not with me now. I have other devices like a s20 FE but it is BL locked and with a broken screen, making rooting them dangerous.

I'm not in a hurry though, I only made this issue I want to help the project. I could easily get an emulator but I don't see why not helping if it's possible

@ThePedroo
Copy link
Author

ThePedroo commented Feb 6, 2024

I haven't commented: If I give HTTPToolkit app, it says the certificate is system-trusted, but if it's unrooted, it says it's not.

EDIT: Seems like giving root permission to the app makes it trust the certificate (???) I'll use this as a workaround as YouTube doesn't detect rooting, but this is definetely interesting.

@pimterry
Copy link
Member

pimterry commented Feb 6, 2024

Seems like giving root permission to the app makes it trust the certificate

This is very interesting!

What's happening is that we mount a tmpfs directory containing the modified set of certificate files inside the mount namespace of each target app process (and also the system more widely). My best guess is that for some reason, the apps can't actually see these files regardless, because there's some other isolation between the apps and the 'real' filesystem from the point of view of the ADB shell.

One thing that would definitely cause this is if the rooting mechanism is changing what files the app can see at some other level (not just changing the apps permissions, but showing it an entirely different version of the same paths). There's a lot of ways that could work though and I don't know anything about KernelSU's internals.

The https://kernelsu.org/ website do make it clear that it can do something broadly like this, using overlayfs to modify the view of the filesystem generally:

Modules may modify /system systemlessly using overlayfs enabling great power.

I think this is the point where we need to talk to the KernelSU team, and work out how this actually works under the hood and what we can do to integrate with that. I'll open an issue there.

@ThePedroo
Copy link
Author

That's wonderful to know. kSU implements rooting in a way that can be the future of more sophisticated Android rooting. Adding support for it is wonderful! Thanks!

@ThePedroo
Copy link
Author

ThePedroo commented Feb 7, 2024

So the best solution for now is to display a warning for kSU users to disable "unmount all apps by default". I still didn't test if it works that way though, but probably yes.

@pimterry
Copy link
Member

pimterry commented Feb 7, 2024

In your ADB shell, are any of the vars from https://kernelsu.org/guide/module.html#variables set? Or is there anything else related to kSU if you run env? It's not clear whether those can be used for detection here (probably not, but good to check).

The general challenge is that it's actually going to be quite difficult to detect this. Anywhere where HTTP Toolkit is running as root, everything works fine, and when it's not then nothing works but it's not clear why (because rooting techniques like this carefully hide their changes from running apps by design).

There are solutions, but working out which one specifically is the right choice is challenging...

I'm going to do some more testing and investigating, but I'm hoping that my last comment on the KernelSU repo eventually leads us towards some kind of solution.

In the meantime though, yes I think disabling "unmount all apps by default" is the correct workaround. It would be very helpful if you could test that and confirm though when you have a minute.

@ThePedroo
Copy link
Author

Weirdly, no, none of those variables are set.

If HTTPToolkit can't see which is the rooting method: display an option of kSU or Magisk, and if the person presses kSU, display a guide for them talking about the need of unmounting apps.

HTTPToolkit shouldn't umount apps automatically, as the kSU owner said, can lead to root being detected by apps. So it's better to just knowledge the user & let it decide.

I've also tested and works flawlessly umounting the apps.

@pimterry
Copy link
Member

Weirdly, no, none of those variables are set.

Yeah, I think it looks those are set for installed kSU modules, but presumably not accessible to the ADB shell then. That's quite unfortunate! Unless there's another mechanism somewhere, that might mean that detecting kSU via ADB is impossible.

If HTTPToolkit can't see which is the rooting method: display an option of kSU or Magisk, and if the person presses kSU, display a guide for them talking about the need of unmounting apps.

I'd really rather not. Right now, the main value of the tool is that it 'just works' with zero interaction or setup required, so I really don't want to add a whole extra manual set that would affect all users (since this would have to show even for Magisk users - the vast majority - where no setup is required).

If you can find a way to detect kSU via ADB then I'm open to exploring some options to use that, but otherwise manual setup like this isn't great tbh. I've done some looking at it seems the usage of kSU is really tiny compared to Magisk, so for now overall the better result is leaving it broken to avoid breaking the Magisk workflow (even though I know that's very frustrating!)

I do think there are good options (see my last comment on the kSU issue) but there's been no other response there from the kSU team.


What device are you using for testing? I can see a list of officially-unsupported-but-maybe-working devices, but no actual list of officially supported devices. Any idea what the cheapest 2nd hand device I could buy to test KernelSU would be? It would be good to be able to look at this more closely myself to find some options.

Are you open to helping test the --move approach I suggested on the other issue? I think to make this work, you'd need to:

  • adb root
    adb push 4f74014f.0 /data/local/tmp/4f74014f.0 # With your CA cert, as before
  • Then, in a single ADB shell session:
    • mkdir /system-moved
      mount --move /system /system-moved
      
    • Then manually run the commands from HTTP Toolkit's normal setup script here, using /data/local/tmp/4f74014f.0 as certificatePath and modifying the chcon here to u:object_r:system_security_cacerts_file:s0 instead.
    • Then mount --move /system-moved /system

That should leave you in a state where normal apps (without root access) do trust the CA certificate. In fact, I think it might mean that only normal apps trust it (while rooted apps do not). Will be interesting anyway, even just seeing the file appearing on disk in the cert directory unlike before would be helpful. I wouldn't be surprised if this doesn't quite work first try, but any errors you can share would also be very useful.

This approach is a bit weird, and doing it manually like this might leave your device in a strange place while that's running (between the two mount move commands, you've sort of disabled KernelSU's overlay filesystem from ADB's point of view). All these mount changes are temporary though, so if anything goes wrong you can always reset it all by rebooting your device.

@ThePedroo
Copy link
Author

What device are you using for testing? I can see a list of officially-unsupported-but-maybe-working devices

Technically any device with modern Linux is supported. Currently, I'm using ExynosUnbound kernel with a Samsung Galaxy A53 5g (E version)

Any idea what the cheapest 2nd hand device I could buy to test KernelSU would be?
I'm unsure, probably any device that matches its minimum requirements, like a modern kernel, but I'm open for any testing if that helps you in any way.

adb root
As that's my main device, the ROM itself has the root hidden, so adb root will never work, in that case, I'll assume you mean "get root somehow"

I'll give a try soon, I've lost my cable

(I'm very sorry for the delay, I actually forgot to respond twice, my apologies!)

@ThePedroo
Copy link
Author

Also, I must point out that without giving the app Shell root access, it won't work too. (obviously, just saying if someone ever gets this issue) Mounting all apps by default + Rooting shell seems to work perfectly temporarily.

Also, should I try those commands with unmounting or without unmounting?

@pimterry
Copy link
Member

Also, I must point out that without giving the app Shell root access, it won't work too. (obviously, just saying if someone ever gets this issue)

Yep! Of course it would be neat if that worked, but yes it's OK that it might not because it'll generally result in a prompt on the device that should be obvious to the user (Magisk pops up a "root required by adb shell" toast, for example). And if that doesn't work, HTTP Toolkit will also try adb root which may well work instead automatically (though I don't know if that's true for KernelSU specifically).

Also, should I try those commands with unmounting or without unmounting?

I'm not sure exactly what you mean. The commands above should be the whole full list to follow for a fresh device (e.g. after a reboot).

The idea is basically just: use mount --move ... before running all the normal HTTP Toolkit steps (with tiny tweak for chcon etc, as noted above) and then undo the --move afterwards, and see if that makes apps without root access work even without the automatic unmounting workaround.

@ThePedroo
Copy link
Author

HTTP Toolkit will also try adb root which may well work instead automatically (though I don't know if that's true for KernelSU specifically).

adb root won't work for most Magisk & kSU devices, as for ROMs that try to fake not being rooted, adb root is not available. And in the case, Shell as rooted is required, or else you can't elevate there.

I'm not sure exactly what you mean. The commands above should be the whole full list to follow for a fresh device (e.g. after a reboot).

kSU is unmount by default -- not unmounting is dangerous though, but makes it work. In the case I suppose it's with the default, which is unmount by default.

I'll give a try.

@ThePedroo
Copy link
Author

a53x:/ # mkdir /system-moved
mkdir: '/system-moved': Read-only file system

I'm unsure if I'm missing something here, but I also believe / itself is read-only, no?

@pimterry
Copy link
Member

Ah, yes - this will be possible but that means you'll need to set up the mountpoint somewhere else, and there might be other issues... All surmountable, but it's a bit tricky.

I've just found a good test device at a reasonable price, so I'm going to set that up and investigate this myself. I appreciate the help and thanks again for reporting this issue, but I think trying to debug this line by line back and forth like this is going to much slower & trickier than being able to see it all myself up close! I should have the device here later this week, and then I'll set up KernelSU and start working on it next week, watch this space.

@ThePedroo
Copy link
Author

Awesome! Thanks for the support. If anything, let me know

@pimterry
Copy link
Member

Took much longer than I expected - but I do now have a working test device with KernelSU installed!

Unfortunately, in my case, it all seems to work as expected 😆 that makes it a bit tricky to fix this.

I'm testing using an A33 5G with ExynosUnbound (kernel 5.10.177-XyUnbound-v2.0), and KernelSU v11366 (manager app 0.8.1-20), otherwise all stock. How closely does that match your setup?

All I've done is enable root access for the shell, and then run HTTP Toolkit's ADB setup, and it seems to work and I can immediately see traffic from e.g. Google Maps, Youtube, etc (which isn't visible without system interception). And the cert appears in the device certificate settings, and the HTTP Toolkit app says it's installed, even without it having root access.

I'll keep testing, but let me know if there's anything I'm missing or if you have any ideas.

@ThePedroo
Copy link
Author

How closely does that match your setup?
Pretty close! Besides the fact I'm using a custom OneUI rom (only available to A53 5G, however it only touches the system partition, so it should be fine to assume it's a stock behavior)

However I'm confused, did you turn on the setting to make kSU umount any modifications by default?

Also, which Zygisk are you using? I was using the official ZygiskNext by the time I created the issue, but now I use a fork of it as they closed its source in the next released.

@pimterry
Copy link
Member

However I'm confused, did you turn on the setting to make kSU umount any modifications by default?

No - umounting is enabled like normal (just using the default settings) and it works perfectly! Seems like the KernelSU mounting issue may have been a red herring, and actually HTTP Toolkit's mount setup does normally persist despite that configuration.

Also, which Zygisk are you using? I was using the official ZygiskNext by the time I created the issue, but now I use a fork of it as they closed its source in the next released.

I'm not using Zygisk or anything else at all. Literally just flashed ExynosUnbound, enabled root for the shell process, and HTTP Toolkit ADB setup seems to work straight away.

Can you share the exact Zygisk version you're using and the specific steps you followed to set it up? Would be good to test that too, maybe that's the real problem here.

@ThePedroo
Copy link
Author

Soo.. how can I say this... the fork of ZygiskNext I used stop existing... So, I'll link the zip I used in mine, but using the original Zygisk Next, last release as open source should work fine if you don't want to use the zip.

@ThePedroo
Copy link
Author

@pimterry
Copy link
Member

I set up ZygiskNext, using that specific version, and I've tested everything I can think of, and it all still works perfectly in my case. For example I can:

  • Reboot the device
  • See that mount | grep cacerts via adb shell returns nothing - no certs trusted
  • See the KernelSU app show:
    • Version: 11366, manager: v0.9.2, SELinux: Enforcing
    • Zygisk Next enabled on the modules tab
    • Only 'Shell' on superuser tab shows 'Root', all other apps show 'Umount' (default settings)
  • Opening an app without interception (e.g. Duolingo is a convenient example, but really anything should work) works as expected
  • Testing SafetyNext via YASNAC shows "Basic integrity: Pass" (CTS fail for hardware backed evaluation, but that's expected)
  • Run ADB setup from my computer
  • mount | grep cacerts in a new ADB shell now shows the expected mount
  • "Test interception" button in HTTP Toolkit Android app opens Chrome, which shows the expected page and traffic appears on the computer
  • Going back to the already running test app immediately starts showing traffic
  • "HTTP Toolkit CA" now appears in the device's trusted system CA certificates
  • Opening new apps (e.g. Google Maps) immediately shows traffic

Anything else I should test? Anything else unusual installed on your device that could cause this? Any other apps using root or device configuration or anything like that? Really all seems to be working fine here when using just KernelSU + ZygiskNext.

As an extreme case, it would be interesting to reflash your phone, and then set it back up from scratch, check it works just like mine, and then try to see what breaks this process... I understand if you don't want to wipe your working phone though, that would be a lot of hassle.

Anyway, I'm very happy to investigate further, but for now it really does look like KernelSU actually works just fine and there's no issues I can reproduce here.

@ThePedroo
Copy link
Author

Interesting.. I don't think it's specific to my device as kernelSU owner itself didn't deny that this would indeed happen.. weird. I don't use much modules myself, and the most aggressive one I can think is PIF, which shouldn't modify anything related to certificates (maybe LSPosed for Zygisk?).

Since the start of this issue, I accidentally killed my ROM few times, so I had to re-flash both partially and fully, however still nowadays I need to disable umount by default.

It would be pretty interesting to investigate further how apps are seeing those changes made even though ksu should be umounting them.

@pimterry
Copy link
Member

Can you share links to all the modules you're using? Preferably the exact versions. I think the umount behaviour depends on how mounts are used within the modules themselves, so reproducing that configuration is probably what's missing.

@ThePedroo
Copy link
Author

ThePedroo commented Mar 27, 2024

Some of them I don't have the URLs anymore, others are from Telegram.

This is a full list of modules I use (later I'll update with links)

  1. Fix NFC and Camera v6 by OST (OST ROM specific)
  2. Google photos unlimited backup v1 by Pixelify
  3. PIF v15.6.9 by chiteroman
  4. Fix round corners by OST
  5. Samsung Camera HAL enhancer by MDNSSKNGHT
  6. ZygiskNext fork by Yervant7 (deleted/privated)
  7. Zygisk LSPosed by ??? (couldn't find)

@ThePedroo
Copy link
Author

I'm extremely sorry for the delay, I updated with the links of the ones I could find. Most relevant ones I couldn't find are just forks, and the original implementation should have the same results

@pimterry
Copy link
Member

Thanks @ThePedroo. Unfortunately I still can't reproduce this. I think it's not related to modules - my best bet is that somehow we're using a slightly different kernel versions/ROMs and mine has broken this somehow maybe? I've tested with a separate terminal app (with umount enabled, as default) and https://github.com/symbuzzer/systemless-hosts-KernelSU-module and I can clearly see the mount for that module so something is just not working correctly at all. That definitely shouldn't appear. Very frustrating though! I'd really like to avoid rebuilding the entire kernel for myself to test this 😆

Can you share a screenshot of the home page in your kernelSU app? That should show the exact kernel & kernelsu app versions. Do you know exactly where your ROM came from and which version it is?

@ThePedroo
Copy link
Author

ThePedroo commented Apr 11, 2024

Screenshot_20240411_002508_KernelSU

Also, it's important to note out this is UnboundKernel however built in newer versions of kSU. This shouldn't make any difference as by the time I made the issue I was using the official one.

Edit while I was typing this: I'm unsure if it's because of the kernel which I changed (or ROM?), but seems like it does work without unmounting apps, which is curious..

EDIT: About the ROM, I was using OST's ROM in its most recent version (by the time I'm typing this)

@ThePedroo
Copy link
Author

(Also, this may be related to a previous broken installation of the OS maybe? Although if it were to break something, I highly doubt it would only affect a small part of the system)

@aldesrahim
Copy link

Hi, hope this helps. I cloned magisk module from reqable app and replace the required file. I've tried it and it works (System Trusted Enabled - Check)

htk-magisk.zip

Just install as module (please be sure that zygisk module installed), and reboot.

@ThePedroo
Copy link
Author

We can get httptoolkit to work with just not umounting. The issue relies on it reverting the app's state if it is meant to be umounted.

A "solution" could be force changing default umount state:

And warning the user about the change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants