
Not able to work on common-android15-6.6 kernel #729

FredyR4zox opened this issue Feb 8, 2025 · 7 comments
Labels
duplicate This issue or pull request already exists question Further information is requested

Comments

@FredyR4zox

Hello. First of all, thank you for developing this tool!

I am trying to use eCapture on the Cuttlefish emulator using a custom built kernel (I just added KernelSU to the normal kernel). I gave my shell all the capabilities that are available and built the tool using the latest commit, which adds support for BoringSSL on Android 15. But I still cannot do it. I've seen that the application I'm trying to test uses the default libssl library.

I tried to use -b 0, 1, and 2, but nothing worked.

I can intercept traffic but when viewing it on Wireshark it's always encrypted. Adding a keylog file to output does not work because no output is done to it.

  • Command I'm using: ./ecapture tls -m pcap -i buried_eth0 --pcapfile=ecapture.pcapng --keylogfile="ecapture_openssl_key.log" --libssl=/apex/com.android.conscrypt/lib64/libssl.so --ssl_version="boringssl_a_15"
  • Device: Cuttlefish emulator with Android 15
  • Kernel Info: Linux localhost 6.6.58-android15-8-maybe-dirty #1 SMP PREEMPT Thu Jan 1 00:00:00 UTC 1970 x86_64 Toybox
  • eCapture Version: linux_amd64:v0.9.3-20250206-4fc023c:6.12.11-1-MANJARO

Screenshots:

[three screenshots attached to the issue; not reproduced here]

Do you think that using bpftrace is a good alternative?

Thank you in advance.

@dosubot dosubot bot added the question Further information is requested label Feb 8, 2025

dosubot bot commented Feb 8, 2025

Hello @FredyR4zox! I'm here to assist you with any bugs, questions, or contributions you may have.

To address the issue of encrypted traffic in Wireshark and the lack of output to the keylog file, here are some steps and considerations:

  1. Verify SSL Library Path: Ensure that the --libssl parameter is correctly pointing to the SSL library used by the application. You've specified /apex/com.android.conscrypt/lib64/libssl.so, which should match the library used by the application. Double-check this by examining the memory mappings of the process to confirm the correct library is being used.

  2. SSL Version Mapping: Make sure that the --ssl_version parameter is correctly set to match the BoringSSL version used by your Android 15 setup. You've used boringssl_a_15, which should be correct for Android 15, but verify that this matches the version in use.

  3. Kernel Compatibility: Since you're using a custom-built kernel with KernelSU, ensure that all necessary eBPF features are enabled and compatible with eCapture. Custom kernels can sometimes lack certain configurations required for eBPF to function correctly.

  4. Keylog File Output: If the keylog file is not being generated, check the permissions of the directory where the file is being written. Ensure that the ecapture process has the necessary permissions to write to the specified location.

  5. Troubleshooting Encrypted Traffic: If the captured traffic remains encrypted, verify that eCapture is correctly hooking into the SSL library used by the application. You can use ldd on the application binary to confirm the linked libraries and ensure they match the path specified in --libssl.

  6. Alternative Tools: Using bpftrace could be an alternative, but it requires writing custom scripts to achieve similar functionality. It might be more complex and less straightforward than using eCapture, which is specifically designed for capturing SSL/TLS plaintext.

If these steps do not resolve the issue, consider reviewing the kernel configuration and ensuring that all necessary eBPF and network capture features are enabled.


@cfc4n
Member

cfc4n commented Feb 9, 2025

This is a known bug #659, fixed in PR #723, but no new version has been released yet. You can download https://github.com/cfc4n/ecapture/releases/tag/v0.9.4 to verify.

A new version is expected to be released at the end of February, please be patient.

@cfc4n cfc4n added the duplicate This issue or pull request already exists label Feb 9, 2025
@FredyR4zox
Author

I've compiled it with that PR. That's why I'm using the option ssl_version="boringssl_a_15" and it's valid.
Nevertheless, I've downloaded the version you linked but the same problem is occurring :/

@cfc4n
Member

cfc4n commented Feb 9, 2025

As can be seen from the screenshot, the TLS key is captured. Although /apex/com.android.conscrypt/lib64/libssl.so appears in the maps of PID 5892, it is not certain that it is the one used for all encrypted communication. For example, a process may have multiple encryption libraries, one of which is compiled in statically, etc.

Alternatively, you can compile the DEBUG version and, after startup, check the kernel log with cat /sys/kernel/debug/tracing/trace_pipe.

DEBUG=1 ANDROID=1 make

PS: On android, the kernel's debug log directory may be /sys/kernel/tracing/trace_pipe.
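Both the bot's first and fifth suggestions (confirm from the process's memory mappings which library is really loaded) and the remark above (a process may map several TLS libraries, or link one statically, so the hooked libssl.so is not necessarily the one carrying the traffic) come down to reading /proc/<pid>/maps carefully. The script below is an added example, not eCapture's own code and not from this issue: it parses maps text, lists every distinct file-backed mapping whose basename looks like an SSL/crypto library, and reports whether the path given to --libssl is among them and whether a second TLS stack is mapped from elsewhere. The two maps samples are constructed; the library-name pattern and the /data/app paths are assumptions.

```python
"""Check which TLS/crypto libraries a process actually has mapped.

Added example, not eCapture code. Parses /proc/<pid>/maps text and compares
the result with the path passed to --libssl. Sample maps content below is
constructed for offline use.
"""
import os
import re
from pathlib import Path

# Assumption: basenames that TLS/crypto shared objects are usually given.
TLS_LIB_PATTERN = re.compile(r"/(libssl|libcrypto|libboringssl|libconscrypt)[^/]*\.so(\.\d+)*$")


def mapped_files(maps_text: str) -> list[str]:
    """Return the sorted distinct pathnames of file-backed mappings.

    Each maps line is: address perms offset dev inode [pathname]. Anonymous
    mappings carry no pathname; pseudo-paths such as [stack] start with '['.
    """
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return sorted(paths)


def tls_libraries(maps_text: str) -> list[str]:
    """Subset of mapped files whose name looks like a TLS/crypto library."""
    return [p for p in mapped_files(maps_text) if TLS_LIB_PATTERN.search(p)]


def check_libssl(maps_text: str, expected_libssl: str) -> dict:
    """Compare the --libssl path against what the process really maps.

    expected_mapped False: a uprobe on expected_libssl can never fire here.
    other_tls_libs non-empty: TLS libraries mapped from a directory other than
    the one --libssl points at, i.e. a second TLS stack the hook does not cover.
    tls_libs empty while TLS traffic flows: the stack is probably linked in
    statically, which no shared-library uprobe will see.
    """
    libs = tls_libraries(maps_text)
    expected_dir = os.path.dirname(expected_libssl)
    return {
        "expected_mapped": expected_libssl in libs,
        "tls_libs": libs,
        "other_tls_libs": [p for p in libs if os.path.dirname(p) != expected_dir],
    }


def check_pid(pid: int, expected_libssl: str) -> dict:
    """Live variant: read /proc/<pid>/maps on the device (e.g. via adb shell)."""
    return check_libssl(Path(f"/proc/{pid}/maps").read_text(), expected_libssl)


# Constructed sample: an app that only maps the platform Conscrypt libraries.
SAMPLE_CONSCRYPT_ONLY = """\
7f1a2b400000-7f1a2b4a0000 r--p 00000000 fd:00 1234  /apex/com.android.conscrypt/lib64/libssl.so
7f1a2b4a0000-7f1a2b5c0000 r-xp 000a0000 fd:00 1234  /apex/com.android.conscrypt/lib64/libssl.so
7f1a2b600000-7f1a2b700000 r-xp 00000000 fd:00 1235  /apex/com.android.conscrypt/lib64/libcrypto.so
7f1a2c000000-7f1a2c300000 r-xp 00000000 fd:00 2001  /data/app/com.example.app-1/lib/x86_64/libapp.so
7f1a2d000000-7f1a2d021000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0     [stack]
"""

# Constructed sample: the same app also ships its own libssl.so, so its traffic
# may never pass through the Conscrypt copy that --libssl points at.
SAMPLE_BUNDLED_SSL = SAMPLE_CONSCRYPT_ONLY + """\
7f1a2e000000-7f1a2e0c0000 r-xp 00000000 fd:00 2002  /data/app/com.example.app-1/lib/x86_64/libssl.so
"""

CONSCRYPT_LIBSSL = "/apex/com.android.conscrypt/lib64/libssl.so"

if __name__ == "__main__":
    for name, sample in (("conscrypt only", SAMPLE_CONSCRYPT_ONLY),
                         ("bundled libssl", SAMPLE_BUNDLED_SSL)):
        print(name, check_libssl(sample, CONSCRYPT_LIBSSL))
```

On a device, run check_pid(<pid>, "/apex/com.android.conscrypt/lib64/libssl.so") from a shell that can read the target's maps. An empty other_tls_libs list with expected_mapped true only says the library is loaded; as noted above, it still does not prove the connection under test goes through it, which is what the trace_pipe output of the DEBUG build answers.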

@FredyR4zox
Author

Thank you, but the debug flag (-d and also with the newly compiled binary with DEBUG=1 ANDROID=1) only shows an additional line: that it was not possible to check for an updated version.
The file on /sys/kernel/tracing/trace_pipe never gets populated.

I also tried using another application but without success :/

Is SSL_in_init the right function to hook?

Also, using the Cuttlefish emulator with the default kernel does not work.

@cfc4n
Member

cfc4n commented Feb 11, 2025

The log printed by the eBPF program will appear in /sys/kernel/tracing/trace_pipe. If there is no output, then this hook point may not be triggered.

Also, I'm not sure if your kernel environment has an impact on eBPF programs. I'm not familiar with KernelSU.

@cfc4n
Member

cfc4n commented Feb 11, 2025

My environment is Android Studio arm64

via #659 (comment)
