1,在charles中Help -> SSL Proxying -> Save Charles Root Certificate->下载证书
2,计算下载证书的哈希值(subject_hash_old),并将证书重命名为“哈希值.0”
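# Android names each trusted CA file <subject_hash_old>.0, so the new file name
# must be the hash that openssl prints, not an arbitrary name.
# xxx.pem is a placeholder for the certificate saved from Charles.
# -noout prints only the hash instead of the hash followed by the certificate.
# The rename runs only if the hash was computed successfully.
cert_hash=$(openssl x509 -subject_hash_old -noout -in xxx.pem) &&
  mv -- xxx.pem "${cert_hash}.0"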
3,常规方法是将证书导入到/system/etc/security/cacerts,但Android14已经将证书位置更改到/apex下面,按以往的做法使用chmod 644并将证书push到system下面已经不再好用,可以尝试将权限更改为777,一般情况下都是可以抓到数据包的。
4,临时创建映射apex下
临时创建目录并将证书映射到apex下面。该方法不会把证书永久地导入到该目录,每次重启设备后都需要重新导入,可以做成脚本,方便使用。该方法能够将证书添加到设备的系统信任证书根目录下,真正实现系统信任机制。
①.创建cmd命令,方便将证书以及脚本导入到设备中
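REM Template: replace the two placeholder arguments below with real local paths
REM (the first is the location of set_ca_android14.sh, the second is the
REM location of the renamed <hash>.0 certificate file).
adb root
REM adbd restarts after "adb root"; wait until the device is reachable again
REM so the following push does not race with the restart.
adb wait-for-device
adb push set_ca_android14.sh脚本位置 /data/local/tmp/
REM 755 is enough to execute the script; 777 would leave a script that is run
REM as root writable by every user on the device.
adb shell chmod 755 /data/local/tmp/set_ca_android14.sh
adb push 工具证书位置 /data/local/tmp/
adb shell /data/local/tmp/set_ca_android14.sh
pause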
eg:
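REM Example: push the helper script and one renamed Charles certificate, then
REM run the script on the device as root.
adb root
REM adbd restarts after "adb root"; wait until the device is reachable again
REM so the following push does not race with the restart.
adb wait-for-device
adb push "E:\set_ca_android14.sh" /data/local/tmp/
REM 755 is enough to execute the script; 777 would leave a script that is run
REM as root writable by every user on the device.
adb shell chmod 755 /data/local/tmp/set_ca_android14.sh
adb push "E:\9a5ba575.0" /data/local/tmp/
adb shell /data/local/tmp/set_ca_android14.sh
pause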
set_ca_android14.sh脚本
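#!/system/bin/sh
# set_ca_android14.sh - add CA certificates to the system trust store of an
# Android 14 device until the next reboot.
#
# Usage: set_ca_android14.sh [CERT_FILE ...]
#   CERT_FILE  certificate already renamed to <subject_hash_old>.0.
#              With no arguments the three default paths below are used and
#              any of them that does not exist is skipped.
#
# How it works: the current CA files are copied out of the conscrypt APEX, a
# tmpfs is mounted over /system/etc/security/cacerts and filled with those
# files plus the extra certificates, and that directory is then bind-mounted
# over the APEX cacerts directory inside the mount namespace of each zygote
# and of every process started by a zygote. Nothing is written to persistent
# storage, so the mounts disappear on reboot.

set -e # Stop at the first failed step instead of continuing with a partial trust store

SYSTEM_CA_DIR=/system/etc/security/cacerts
APEX_CA_DIR=/apex/com.android.conscrypt/cacerts
STAGE_DIR=/data/local/tmp/tmp-ca-copy

# mount, chown, chcon and nsenter below all need root.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must run as root" >&2
    exit 1
fi

# Default certificate list, used when no paths are given on the command line.
if [ "$#" -eq 0 ]; then
    set -- /data/local/tmp/269953fb.0 \
           /data/local/tmp/9a5ba575.0 \
           /data/local/tmp/6e39a726.0
fi

# Check the inputs before touching any mount: refuse to run if there is
# nothing to install.
CERT_COUNT=0
for CERT in "$@"; do
    if [ -f "$CERT" ]; then
        CERT_COUNT=$((CERT_COUNT + 1))
    else
        echo "Skipping missing certificate: $CERT" >&2
    fi
done
if [ "$CERT_COUNT" -eq 0 ]; then
    echo "No certificate file found; nothing was changed" >&2
    exit 1
fi

# Zygote process(es) launch every app; some devices have both variants.
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
if [ -z "$ZYGOTE_PID$ZYGOTE64_PID" ]; then
    echo "No zygote process found; nothing was changed" >&2
    exit 1
fi

# If a step fails while the tmpfs is mounted but not yet fully populated,
# unmount it again so an incomplete trust store is not left in place.
TMPFS_INCOMPLETE=0
rollback() {
    if [ "$TMPFS_INCOMPLETE" -eq 1 ]; then
        umount "$SYSTEM_CA_DIR" || true
        echo "Failed while populating $SYSTEM_CA_DIR; tmpfs unmounted" >&2
    fi
}
trap rollback EXIT

# Copy the existing certificates out first: once the tmpfs is mounted they
# must be put back so the stock CAs stay trusted.
mkdir -p -m 700 "$STAGE_DIR"
cp "$APEX_CA_DIR"/* "$STAGE_DIR"/

# In-memory mount on top of the system certificate directory.
mount -t tmpfs tmpfs "$SYSTEM_CA_DIR"
TMPFS_INCOMPLETE=1

# Restore the stock certificates, then add the extra ones.
mv "$STAGE_DIR"/* "$SYSTEM_CA_DIR"/
for CERT in "$@"; do
    if [ -f "$CERT" ]; then
        cp "$CERT" "$SYSTEM_CA_DIR"/
    fi
done

# Ownership, mode and SELinux label for the certificate files.
chown root:root "$SYSTEM_CA_DIR"/*
chmod 644 "$SYSTEM_CA_DIR"/*
chcon u:object_r:system_file:s0 "$SYSTEM_CA_DIR"/*
TMPFS_INCOMPLETE=0

# The staging directory is empty after the mv above.
rmdir "$STAGE_DIR" || true

# Inject the mount into each zygote so newly started apps see the new store.
# The variables are left unquoted on purpose: pidof may print several PIDs
# separated by spaces, and each one needs its own nsenter call.
for Z_PID in $ZYGOTE_PID $ZYGOTE64_PID; do
    nsenter --mount=/proc/"$Z_PID"/ns/mnt -- \
        /bin/mount --bind "$SYSTEM_CA_DIR" "$APEX_CA_DIR"
done

# PIDs of every process whose parent is one of the zygotes (already running
# apps). "|| true" keeps set -e from aborting when grep finds no PIDs.
APP_PIDS=$(
    printf '%s\n' $ZYGOTE_PID $ZYGOTE64_PID | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID || true
)

# Inject into the mount namespace of each running app. These run in the
# background, so a process that exits in the meantime does not stop the script.
for PID in $APP_PIDS; do
    nsenter --mount=/proc/"$PID"/ns/mnt -- \
        /bin/mount --bind "$SYSTEM_CA_DIR" "$APEX_CA_DIR" &
done
wait # Launched in parallel - wait for completion here

echo "System certificate injected"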