frida-interception-and-unpinning

Unable to bypass YouTube pinning

Open HDCLovers opened this issue 4 months ago • 2 comments

Hello, can this script bypass YouTube pinning?

Because on YouTube for Android TV 5.30.301 it seems to not work properly (https://www.apkmirror.com/apk/google-inc/youtube-for-android-tv-android-tv/youtube-for-android-tv-5-30-301-release/).

It only works up to:

   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.google.android.youtube.tv`...

== Redirecting all TCP connections to 127.0.0.1:8000 ==

 !!! Hooking native TLS lib libssl.so failed - no verification methods found
== Disabled Android root detection ==
Spawned `com.google.android.youtube.tv`. Resuming main thread!
[Android Emulator 5554::com.google.android.youtube.tv ]-> == Proxy system configuration overridden to 127.0.0.1:8000 ==
== Proxy configuration overridden to 127.0.0.1:8000 ==
== System certificate trust injected ==
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
Blocking QUIC connection to [20:1:48:60:48:60:0:0:0:0:0:0:0:0:88:88]:443
Blocking QUIC connection to 127.0.0.1:443
Blocking QUIC connection to [20:1:48:60:48:60:0:0:0:0:0:0:0:0:88:88]:443
Blocking QUIC connection to 127.0.0.1:443
Blocking QUIC connection to [20:1:48:60:48:60:0:0:0:0:0:0:0:0:88:88]:443
Blocking QUIC connection to 127.0.0.1:443

Then the app shows a "Can't connect right now" error after freezing for 10 seconds.

HDCLovers, Jul 31 '25 23:07

YouTube for Android TV likely uses custom TLS implementations (like BoringSSL or statically linked code), so Frida can't hook libssl.so — as seen from the "no verification methods found" message.

Even though certificate trust injection and QUIC blocking are successful, the app may still enforce hardcoded certificate pinning, and fail to gracefully fall back from QUIC to HTTPS. Also, since you're using an emulator, some Google apps might block or limit network features altogether.

You could try:

  • Testing on a real rooted Android device
  • Using an older APK (v4.x) with weaker protections
  • Inspecting the APK for manual pinning checks (X509_check_*, memcmp, etc.) (too advanced)
  • Ensuring your cert is properly injected into the system trust store

kaifcodec, Aug 01 '25 02:08

You can try disabling QUIC blocking if you like (set BLOCK_HTTP3 to false in config.js) which will probably fix the connection issue. Unfortunately it will probably create new challenges, because in most setups you still won't actually see the HTTP/3 traffic that's being blocked here, so some requests will be invisible. On the plus side though the app will be able to connect, and you may be able to intercept other traffic that does give you the information you need.

pimterry, Aug 01 '25 14:08
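An added example, not part of the thread or of the project's own code: a small Node.js triage of the script output quoted in this issue, separating stages that completed from those that failed and counting blocked QUIC destinations. The function names and the sample excerpt are constructed for illustration, and the code assumes the bracketed IPv6 form in the log is 16 colon-separated hex bytes, as it appears above.

```javascript
// Added example: triage the console output of the unpinning script.
// SAMPLE is a constructed excerpt based on the log lines quoted in this issue.
const SAMPLE = `
 !!! Hooking native TLS lib libssl.so failed - no verification methods found
== Disabled Android root detection ==
== System certificate trust injected ==
== Certificate unpinning completed ==
Blocking QUIC connection to [20:1:48:60:48:60:0:0:0:0:0:0:0:0:88:88]:443
Blocking QUIC connection to 127.0.0.1:443
Blocking QUIC connection to [20:1:48:60:48:60:0:0:0:0:0:0:0:0:88:88]:443
`;

// Assumption: the log prints IPv6 destinations as 16 hex bytes.
// Regroup them into the usual 8 hextets so they can be compared or looked up.
function normalizeHost(host) {
  const bytes = host.replace(/^\[|\]$/g, '').split(':');
  if (bytes.length !== 16) return host; // IPv4 or some other form: leave as-is
  const groups = [];
  for (let i = 0; i < 16; i += 2) {
    const value = (parseInt(bytes[i], 16) << 8) | parseInt(bytes[i + 1], 16);
    groups.push(value.toString(16));
  }
  return groups.join(':');
}

// Classify each line: "!!!" marks a failed stage, "== ... ==" a completed one,
// and "Blocking QUIC connection to" lines are counted per destination.
function triage(log) {
  const report = { completed: [], failed: [], quicBlocked: {} };
  for (const raw of log.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^!!!\s*(.+)$/))) {
      report.failed.push(m[1]);
    } else if ((m = line.match(/^Blocking QUIC connection to (.+):(\d+)$/))) {
      const dest = `${normalizeHost(m[1])} port ${m[2]}`;
      report.quicBlocked[dest] = (report.quicBlocked[dest] || 0) + 1;
    } else if ((m = line.match(/==\s*(.+?)\s*==$/))) {
      // Not anchored at the start, so REPL-prompt-prefixed lines also match.
      report.completed.push(m[1]);
    }
  }
  return report;
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

A report with a failed native hook stage and a steadily growing count for the same QUIC destinations matches the symptoms discussed in the replies above.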