Capturing QUIC Keys #41
Comments
For more context, I am trying to capture packets from the Android Messages app to analyze RCS packets, which, from what I can tell using a Pixel 9 device, use either UDP or QUIC.
Hi @SinghSek, thank you for your detailed question and for providing additional context—it’s much appreciated :-)

QUIC and TLS Keys

QUIC derives its encryption keys from the secrets negotiated during the TLS 1.3 handshake. These derived keys are used to secure QUIC traffic (cf. Using Transport Layer Security (TLS) to Secure QUIC). The good news is that Wireshark doesn’t require the derived QUIC keys directly—it can compute them using the TLS secrets (e.g., keys.log) captured by friTap. See Wireshark source file. However, there are some considerations:

In recent versions of friTap, including 1.2.8.5, we’ve introduced some minor improvements that might help with your use case. There was also a bug in previous versions that could have affected key extraction in certain scenarios. I recommend updating to the latest version and trying again. You can update friTap using:

```
pip install friTap --upgrade
```

RCS Packets and friTap

Since you’re analyzing RCS packets from the Android Messages app on a Pixel 9 device:

All the best
Daniel
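To make the point above concrete, here is an added example (written for this thread, not code from friTap or from the comment author) of the computation Wireshark performs: the QUIC packet-protection keys are derived from the TLS 1.3 traffic secrets with HKDF-Expand-Label (RFC 9001, section 5.1), so an NSS-format keys.log carrying CLIENT_TRAFFIC_SECRET_0 / SERVER_TRAFFIC_SECRET_0 lines is all that is needed, while Initial packets need no logged secret at all. The sample keylog is constructed; the secret in its TLS 1.3 line is the RFC 9001 Appendix A.1 client Initial secret, reused only so the derived key matches a published test vector.

```python
"""Derive QUIC packet-protection keys from TLS 1.3 secrets (RFC 9001, 5.1). This is the
computation Wireshark runs on a friTap keys.log, so the log never holds "QUIC keys" itself."""
import hashlib
import hmac

HASH, HASHLEN = hashlib.sha256, 32
INITIAL_SALT = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")  # RFC 9001, 5.2 (QUIC v1)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, 7.1): info = length || "tls13 "+label || context."""
    full = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand: T(n) = HMAC(secret, T(n-1) || info || n)
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def quic_keys(secret: bytes) -> dict:
    """AEAD key, IV and header-protection key for one direction (AES-128-GCM sizes)."""
    return {"key": hkdf_expand_label(secret, "quic key", b"", 16),
            "iv": hkdf_expand_label(secret, "quic iv", b"", 12),
            "hp": hkdf_expand_label(secret, "quic hp", b"", 16)}

def initial_secrets(dcid: bytes) -> tuple:
    """Initial secrets come from the Destination Connection ID alone: no keylog involved."""
    initial = hkdf_extract(INITIAL_SALT, dcid)
    return (hkdf_expand_label(initial, "client in", b"", HASHLEN),
            hkdf_expand_label(initial, "server in", b"", HASHLEN))

def keylog_quic_keys(keylog_text: str) -> dict:
    """Parse NSS key-log lines and derive QUIC 1-RTT keys per client_random.
    TLS 1.2-style CLIENT_RANDOM lines are skipped: they cannot unlock QUIC traffic."""
    wanted = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    result = {}
    for line in keylog_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in wanted:
            result.setdefault(parts[1], {})[parts[0]] = quic_keys(bytes.fromhex(parts[2]))
    return result

# Constructed sample log: one TLS 1.2 line (ignored) and one TLS 1.3 line whose secret is the
# RFC 9001 A.1 client Initial secret, reused only so that the derived key is a known value.
SAMPLE_KEYLOG = ("CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
                 "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 +
                 " c00cf151ca5be075ed0ebfb5c80323c42d6b7db67881289af4008f1f6c357aea\n")
```

Running `keylog_quic_keys(open("keys.log").read())` on a real friTap log shows at a glance whether each session carries the TLS 1.3 secrets Wireshark needs for QUIC, or only TLS 1.2 CLIENT_RANDOM entries.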
Thank you for your breakdown. I am now encountering an issue where the keys do not get logged at all: friTap runs perfectly fine, but after the process is finished, the keys.log file is empty. Any idea how I might overcome this?
Hi @SinghSek, I'm a little confused— in your initial post, you mentioned that you were able to log some TLS keys but couldn't decrypt the traffic. Am I mistaken, or is this a new issue where no keys are being logged at all? Also, are you still testing with the same app? Which Android version are you currently running? Which version of friTap are you using? To better assist you, we’ll need more context. Could you provide details about how you're running friTap (e.g., command used, output logs, version number) so we can investigate further? Looking forward to your response :-)

All the best
Daniel
Sorry for the confusion. I was initially testing with both a Pixel 9 running Android 14 and a Samsung S21 running Android 11. Previously the keys were logged but traffic was not decrypted. Now I am only using the S21 with the same setup on the same app, and keys are not being logged. I verified decryption works on a Pixel 5, as after every UDP and QUIC packet, HTTP packets with the option to decrypt are present (choosing to decrypt QUIC packets shows a random string of characters, but I think that is a separate issue for another time). I am running this command:

```
fritap -m -p log.pcap --full_capture -k keys.log 27944
```

Here is the debug output:

```
[] capturing whole traffic of target app
[] Ctrl+C detected. Cleaning up...
Thx for using friTap
```

Thank you for your continued help so far. For reference, I am trying to find the plaintext content of an RCS packet to verify the RCS standard is being used.
Hey @SinghSek, thx for the detailed output :-) If it's still not working, can you connect to the target app with frida and provide us the output of the following command:

```javascript
// List every loaded module that exports a symbol containing "ssl_ctx_new"
Process.enumerateModules().forEach((element) => {
  const matches = Process.getModuleByName(element.name)
    .enumerateExports()
    .filter((exp) => exp.name.toLowerCase().includes("ssl_ctx_new"));
  if (matches.length > 0) {
    console.log(element.name + " : \n" + JSON.stringify(matches));
  }
});
```

All the best
Daniel
Hey Daniel, thanks so much for the response. As I am using the commands in the terminal, how would I go about connecting to the Android Messages app via frida? Would I just grab the PID? And how would I run the command you have written, would that just be in a Python file? Sorry, I'm still a little new to this type of analysis, and your help is really appreciated! Also, I have just verified that, even on the newest version of friTap, the S21 running Android 11 still results in an empty keys.log file when running the fritap command. I've been able to collect the keys off of a Pixel 5 running Android 11, however.
Hi @SinghSek, thx for your fast response :-)

```
$ frida-ps -Uai
PID Name Identifier
----- ---------------------- -----------------------------------------
11246 Android Auto com.google.android.projection.gearhead
11453 Chrome com.android.chrome
10843 Einstellungen com.android.settings
32185 Firefox org.mozilla.firefox
23750 Google com.google.android.googlequicksearchbox
10444 Google Play Store com.android.vending
8949 Kamera com.google.android.GoogleCamera
8183 Maps com.google.android.apps.maps
6940 Messages com.google.android.apps.messaging
```

Then we can connect to the Messages app using frida in the following ways:

```
frida -U 6940
 ____
/ _ | Frida 16.6.6 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Pixel 5 (id=09011FDD4007DJ)
[Pixel 5::PID::6940 ]->
```

or directly via its name:

```
$ frida -U Messages
 ____
/ _ | Frida 16.6.6 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Pixel 5 (id=09011FDD4007DJ)
[Pixel 5::Messages ]-> Process.enumerateModules().forEach( (element) => { if(JSON.stringify(Process.getModuleByName(element.name).enumerateExports().filter(exports => exports.name.toLowerCase().includes("ssl_ctx_new"))).length > 2){ console.log(element.name + " : \n" + JSON.stringify(Process.getModuleByName(element.name).enumerateExports().filter(exports => exports.name.toLowerCase().includes("ssl_ctx_new"))));} });
libssl.so :
[{"type":"function","name":"SSL_CTX_new","address":"0x6db848f1a4"}]
[Pixel 5::Messages ]->
```

As you can see, I just paste the command I provided into the frida REPL terminal. Hope that already helps :-)

All the best
Daniel
Thanks so much! Here is the output of that command:

```
Process.enumerateModules().forEach( (element) => { if(JSON.stringify(Process.getModuleBy
```

And this is on the S21 running Android 11.
I've just verified that the same thing occurs with a Pixel 9 running the latest version of Frida and Android 11. Both were tested using my Windows laptop; could there be a Windows reason keys aren't getting logged, like adb blocking a pull? For reference, it pulls the traces just fine, only the keys.log file is empty. The command I am using is:

```
fritap -m -p log.pcap --full_capture -k keys.log
```

Thank you so much for your continued help!
I've now tried it with a second machine, on both the latest version of Frida and Frida 16.6.4, on the rooted Pixel 9 running Android 15, and still no luck. The traces are captured, but the keys aren't logged. I also made sure to turn RCS off and on to ensure the registration process ran. Sorry this has been going on so long, but this seems to not want to work for me right now xD
I've noticed something interesting: on the Pixel 9, keys were logged for some sessions, but not another. The sessions that the keys were logged for had the PlayIntegrityFix module disabled, but RCS still enabled (not re-registered, so still active); this allowed the keys to be logged for that one instance. As soon as the PlayIntegrityFix module was activated and RCS re-registered, no keys were logged for that session. I tried to recreate this by disabling PlayIntegrityFix and re-registering RCS, and still no dice. Could there be some interaction between the PlayIntegrityFix module and friTap not being able to log the keys?
In the same way, when testing a Motorola phone running Android 12, the keys are sometimes captured, and sometimes not. I'd say about a quarter of the time keys are captured for this phone. I've also verified this behaviour with the Pixel 9 on a third system, this time running the Frida and friTap commands in cmd instead of the terminal in PyCharm.
Hi @SinghSek, thanks for all the detailed information. Unfortunately, I can only test friTap on the devices I have available. From your output, it looks like the friTap hooks are working as expected. The fact that you see SSL_CTX_new being enumerated indicates that friTap is installing its hook correctly; this function is used to set up the keylog callback via BoringSSL. To further investigate whether the underlying problem is related to friTap and its handling of Frida hooks, I created AndroidTLSKeylogger on codeshare.frida.re.

```
chromium.webview_shell
(env) friTap main frida -U --codeshare monkeywave/androidtlskeylogger 6940
 ____
/ _ | Frida 16.6.6 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Attaching...
Hello! This is the first time you're running this particular snippet, or the snippet's source code has changed.
Project Name: AndroidTLSKeylogger
Author: @monkeywave
Slug: monkeywave/androidtlskeylogger
Fingerprint: 64a11842936672a341e6846a49fe395a9d211ebcc7d69203081482ca7bfbfbe8
URL: https://codeshare.frida.re/@monkeywave/androidtlskeylogger
Are you sure you'd like to trust this project? [y/N] y
Adding fingerprint 64a11842936672a341e6846a49fe395a9d211ebcc7d69203081482ca7bfbfbe8 to the trust store! You won't be prompted again unless the code changes.
[*] libssl.so is already loaded. Installing hooks.
[*] Found SSL_CTX_new in libssl.so at 0x7160152a00
...
```

If the keylogger functions correctly even when PlayIntegrityFix is enabled, that could indicate a bug within friTap. However, if you observe the same behavior regardless, it is more likely that the issue stems from how Frida and PlayIntegrityFix interact.

All the best,
Daniel
When running `frida -U --codeshare monkeywave/androidtlskeylogger 3764` (3764 being the PID for the Messages app), I get this output:

```
(Fritap37) PS C:\Users\Jared\Desktop\pythonProject> frida -U --codeshare monkeywave/androidtlskeylogger 3764
Project Name: AndroidTLSKeylogger
Are you sure you'd like to trust this project? [y/N] y
```

It ends with the Frida terminal and I have to exit. Are the keys supposed to be collected upon exiting, so:

```
[moto g stylus 5G 2022 ::PID::3764 ]-> exit
Thank you for using Frida!
```

Or is something else supposed to happen? If exiting collects keys, then this still resulted in the same issue, with no keys being collected. The interesting thing is that, when testing calling through the Messages app, keys were collected in a different trace. Thank you for your help so far!

Jared
Hi Jared, thanks for reaching out again :-) The AndroidTLSKeylogger project is designed to print the extracted keys directly to the terminal while Frida is running. You shouldn’t need to exit for the keys to appear—they should be displayed in real-time as they are logged. From your output, I can see that the necessary hooks have been applied correctly, which means that the script is properly attaching to the target process. However, the fact that no keys are being printed suggests that the hooked functions are not getting executed, which is quite strange. At this point, I’m not exactly sure why this is happening—especially since you mentioned that keys were collected in a different trace when making a call. Unfortunately, I am unable to reproduce this issue on my available test systems, so I can’t provide a concrete fix. That said, I have just updated the script on Frida Codeshare. This update might help, but it’s more of a guess than a confirmed fix. Let me know if you notice any changes after testing again :-)

All the best
Daniel
Hello! I posted a similar question on my previous issue, but have not been able to figure it out and was advised to make a separate post. I have successfully captured TLS keys using friTap, but my ultimate goal is to decrypt QUIC packets. In Wireshark, under QUIC Protocols, I noticed one of the fields is QUIC Ports, and was wondering if there is a way to capture which ports are used when running the friTap command.
Additionally, I've read that QUIC may have its own keys on top of TLS, and would like to ask if anyone has had luck decrypting QUIC (maybe capturing the QUIC keys) using this tool.
Any advice is greatly appreciated!