raccoon4
raccoon4 copied to clipboard
onyxbits
Authentication Solution
I was having the same authentication issues as everyone has been reporting recently, but I solved them by enabling 2FA on my Google account and creating an app password for Raccoon. I think they view signing in from a strange application as less suspicious with a dedicated app password than with your normal password. You might consider updating the documentation to suggest this process if other people can replicate my results.
Made a note of this in my blogpost: https://raccoon.onyxbits.de/blog/bad-authentication-google-account-blocked/
Though I'm still looking for a better way. My current working theory is that Google partially rolled out an account manager update (A/B testing) that either dropped support for Jelly Bean (Raccoon mimics the JB TLS stack) or factors in something from the environment ("what else came from that IP address?") that results in blocked login attempts.
this kind of solution seems pretty unstable. way before, when i opened the first ticket about this problem i did try to auth using app password with no success. now it works very unpredicted behaviour...
Looks like google has fixed it. Is there any other way? plz.
yup, create app password not work anymore.
I really need Raccoon to work again. If you need to donate please tell me. I will help you somewhat.
What still works in general is to use a real/virtual rooted device, and sniff the network traffic while adding the Google account (requires to use an anti-TLS-pining tool).
From the sniffed network traffic you can extract the used authentication token for Play Store. Afterwards activate Air plane mode and perform a factory reset.
The extracted token can then be used instead of username/password. Unfortunately Raccoon does currently not allow to directly enter the token instead of username/password.
Made a note of this in my blogpost: https://raccoon.onyxbits.de/blog/bad-authentication-google-account-blocked/
Though I'm still looking for a better way. My current working theory is that Google partially rolled out an account manager update (A/B testing) that either dropped support for Jelly Bean (Raccoon mimics the JB TLS stack) or factors in something from the environment ("what else came from that IP address?") that results in blocked login attempts.
Any update?
What still works in general is to use a real/virtual rooted device, and sniff the network traffic while adding the Google account (requires to use an anti-TLS-pining tool).
From the sniffed network traffic you can extract the used authentication token for Play Store. Afterwards activate Air plane mode and perform a factory reset.
The extracted token can then be used instead of username/password. Unfortunately Raccoon does currently not allow to directly enter the token instead of username/password.
Hi Can you share an app name or any tutorials webpage to sniff network for get authentication token. Thanks
@babyquin I use a Magisk rooted device and installed the add-ons "Riru" + "Riru EdXposed". In EdXposed I use the addon TrustMeAlready to disable certificate pinning.
For intercepting the network data a proxy like mitmproxy, Fiddler, Charles is suitable.
Check for requests to https://android.googleapis.com/auth that contain the keyword com.android.vending. The request contains a Token in it's form data. It's value is what you usually get after authenticating with username/password in Raccoon (if it would still work).
Usually such tokens start with aas_et/.
Another way is to use the Auth= token from the response. It has to be prepended by Bearer to be used (instead of the "GoogleLogin auth=" which is prepended to the old token):
authorization: Bearer <Auth token>.
The Bearer token format is not yet supported by Raccoon. Real Android devices no only use this new token format. I only have made some tests using this new format to verify that it works at all, but I don't have much experience with it. Especially I don't know how long such tokens remain valid (old token format as well as the new bearer token format). based on my experiments the bearer token seems to be more a short-term token.
@GRodrig I have an e-mail account on gmx.de using the same username as on github.
Please try the latest (v4.19.0) version. It might solve the problem.
Hi, thanks for update. Can you update download link for windows version, it's not working. Link for linux version is ok.
ah, please update DummyDroid too, Can't login with old version (2.2)
Thanks much
Let us see how long the version increase to API level 17 (Android 4.2) will work.
After disabling Google services for pre 4.x devices Google seems to prepare the next step, now focusing on devices up to Android 4.3: https://www.androidauthority.com/android-jelly-bean-eol-1641403
Do I need to generate new profile to make it work with 4.19.0? I tried logging in with older profile and still get same error:
raccoon -Draccoon.playprofile=d***r --gp-auth
org.apache.http.client.ClientProtocolException: BadAuthentication
at com.akdeniz.googleplaycrawler.Identity.doPost(Identity.java:192)
at com.akdeniz.googleplaycrawler.Identity.signIn(Identity.java:153)
at com.akdeniz.googleplaycrawler.GooglePlayAPI.login(GooglePlayAPI.java:319)
at de.onyxbits.raccoon.cli.Play.auth(Play.java:371)
at de.onyxbits.raccoon.cli.Router.main(Router.java:137)
at de.onyxbits.raccoon.Main.main(Main.java:59)
v4.19.0 is available on the website as .jar and .exe files (https://raccoon.onyxbits.de/apk-downloader/), but the most current version on Github is still v4.18.0 (https://github.com/onyxbits/raccoon4/releases).