
Samsung S24 reboots when using TLS mode

Open arkdnz opened this issue 7 months ago • 7 comments


Describe the bug: Magisk root, Samsung S24, kernel 6.1.57

To Reproduce
Steps to reproduce the behavior:

1. ./ecapture tls -m pcap --pcapfile tttt.pcap -u 10285


Linux Server/Android (please complete the following information):

  • Device: Samsung S24
  • Kernel Info: Linux localhost 6.1.57-android14-11-1838882
  • eCapture Version: androidgki_arm64:v1.1.0:6.8.0-1027-azure

Additional context: The phone simply freezes; there is no other information.

arkdnz avatar Jun 12 '25 02:06 arkdnz

Hi @arkdnz! I'm Dosu and I’m helping the ecapture team.

The Samsung S24 (Android 14, kernel 6.1.57) rebooting when eCapture's TLS mode is used is most likely a compatibility problem: at present eCapture only ships eBPF/vmlinux support files for the ARM64 5.10 series and has not been adapted to 6.1.x. Changes in kernel structures or symbols can make the eBPF program fail to load, attach probes incorrectly, or even hang or reboot the system outright. On ARM64 6.1.x devices such as the S24 this risk is very high [reference: code analysis and README].

You can try the following to troubleshoot and work around it:

  • Add the -b 2 parameter at startup to force non-CORE BTF mode [reference: issue 727].
  • Explicitly specify the SSL version, e.g. --ssl_version='boringssl_a_14', or use --libssl to point at the actual .so path, so that auto-detection cannot fail [reference: issue 752].
  • Build a DEBUG version, run it, and use cat /sys/kernel/debug/tracing/trace_pipe to read the kernel logs and locate the exact crash point [reference: issue 729].
  • Check your kernel's eBPF configuration and confirm that all eBPF-related options are enabled.

However, because there is no vmlinux support file for 6.1.x, eCapture is very prone to system-level crashes on newer devices like the S24, and there is currently no ready-made solution. If you must use it on this device, it is recommended to wait for official support or to try extracting and adapting the 6.1.57 vmlinux file yourself.

To reply, just mention @dosu.


How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Join Discord Share on X

dosubot[bot] avatar Jun 12 '25 02:06 dosubot[bot]
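A preflight script that turns the suggestions above into checks, added here as an example and not part of the eCapture project or of this thread: it tests whether the kernel really exposes BTF (to decide between CORE and `-b 2` non-CORE mode) and whether the eBPF-related kernel options are enabled. The option list and the file paths it assumes (/sys/kernel/btf/vmlinux, /proc/config.gz) are assumptions, and the kernel config it runs against is constructed.

```shell
#!/bin/sh
# Preflight check before running eCapture on a rooted Android device (added
# example for this thread, not eCapture project code). It turns two replies
# into checks: pick CORE vs non-CORE ("-b 2") from whether kernel BTF really
# exists, and confirm the eBPF-related kernel options are enabled. Paths are
# parameters; on a device use /sys/kernel/btf/vmlinux and zcat /proc/config.gz.

# Succeed only if the file starts with the BTF magic 0xeB9F (little-endian
# bytes 9f eb); an empty or unreadable sysfs node must not count as BTF.
has_btf() {
    [ -r "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "9feb" ]
}

# eCapture btfMode as printed in its log: 0 = CORE, 2 = non-CORE ("-b 2").
choose_btf_mode() {
    if has_btf "$1"; then echo 0; else echo 2; fi
}

# Print every eBPF-related option that is not "=y" in a plain-text kernel
# config and return 1 if any is missing. The list is an assumed minimum;
# CONFIG_DEBUG_INFO_BTF is only needed for CORE mode.
check_bpf_config() {
    missing=0
    for opt in CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT \
               CONFIG_UPROBES CONFIG_DEBUG_INFO_BTF; do
        grep -q "^${opt}=y\$" "$1" || { echo "$opt"; missing=1; }
    done
    return $missing
}

# The command from the report, with "-b 2" appended when BTF is absent.
suggest_cmd() {
    cmd="./ecapture tls -m pcap --pcapfile tttt.pcap -u 10285"
    [ "$(choose_btf_mode "$1")" = 2 ] && cmd="$cmd -b 2"
    echo "$cmd"
}

# Constructed sample: uprobes enabled but no BTF, a kernel on which non-CORE
# mode is the safe choice.
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\nCONFIG_UPROBES=y\n# CONFIG_DEBUG_INFO_BTF is not set\n' > "$d/config.txt"
    echo "btfMode=$(choose_btf_mode "$d/vmlinux")"
    check_bpf_config "$d/config.txt" || echo "options above missing: use -b 2 or fix the kernel config"
    suggest_cmd "$d/vmlinux"
    rm -rf "$d"
}
demo
```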

Please share some of the output after running the ./ecapture tls -m pcap --pcapfile tttt.pcap -u 10285 command.

cfc4n avatar Jun 12 '25 16:06 cfc4n

e1q:/data/local/tmp # ./ecapture tls -m pcap --pcapfile tttt.pcap -u 10285
2025-06-13T01:22:50Z INF AppName="eCapture(旁观者)"
2025-06-13T01:22:50Z INF HomePage=https://ecapture.cc
2025-06-13T01:22:50Z INF Repository=https://github.com/gojue/ecapture
2025-06-13T01:22:50Z INF Author="CFC4N <[email protected]>"
2025-06-13T01:22:50Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-06-13T01:22:50Z INF Version=androidgki_arm64:v1.1.0:6.8.0-1027-azure
2025-06-13T01:22:50Z INF Listen=localhost:28256
2025-06-13T01:22:50Z INF eCapture running logs logger=
2025-06-13T01:22:50Z INF the file handler that receives the captured event eventCollector=
2025-06-13T01:22:50Z INF Kernel Info=6.1.57 Pid=31716
2025-06-13T01:22:50Z INF TruncateSize=0 Unit=bytes
2025-06-13T01:22:50Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2025-06-13T01:22:50Z INF BTF bytecode mode: CORE. btfMode=0
2025-06-13T01:22:50Z INF listen=localhost:28256
2025-06-13T01:22:50Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-06-13T01:22:50Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-13T01:22:50Z INF Module.Run()
2025-06-13T01:22:50Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2025-06-13T01:22:50Z ERR bpfFile=boringssl_a_14_kern.o sslVersion=android_default
2025-06-13T01:22:50Z INF HOOK type:Openssl elf ElfType=2 IFindex=37 IFname=wlan0 PcapFilter= binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-06-13T01:22:50Z INF Hook masterKey function Functions=["SSL_in_init"]
2025-06-13T01:22:50Z INF target all process.
2025-06-13T01:22:50Z INF target user. target UID=10285
2025-06-13T01:22:50Z INF setupManagers eBPFProgramType=PcapNG
2025-06-13T01:22:50Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2025-06-13T01:22:50Z INF packets saved into pcapng file. pcapng path=/data/local/tmp/tttt.pcap

After that it rebooted.

arkdnz avatar Jun 13 '25 01:06 arkdnz

Have you tried the -b 2 parameter?

zenyanle avatar Jun 13 '25 02:06 zenyanle

Yes, and I also tried CORE mode; the result is the same either way. At the same time, the Pixel 7 shows "master secret length is too long, truncate to 64 bytes, but it may cause keylog file error", a key-too-long problem. I suspect it is my system, because two days ago there was no problem; it only appeared after I enabled 算法助手 (Algorithm Assistant) while analyzing an APK, but I have no good way to troubleshoot it.

arkdnz avatar Jun 13 '25 03:06 arkdnz

I think you could try loading a similar uprobe program yourself on the Samsung phone and observe what happens.

zenyanle avatar Jun 13 '25 03:06 zenyanle

You can build a DEBUG version yourself and then check the system logs.

# build
DEBUG=1 ANDROID=1 make nocore

# view eBPF debug logs
echo 1 > /sys/kernel/tracing/tracing_on
cat /sys/kernel/tracing/trace_pipe

cfc4n avatar Jun 13 '25 16:06 cfc4n

Long time no response, closed

cfc4n avatar Aug 23 '25 12:08 cfc4n