Solve cert related issues

[shirshak55]

Remount and add certificate if we can't do it "normally"

Magisk seems to be buggy. I created a module, used certs, etc. But, it always gives some weird error. So, I have returned back to a simple idea.

[pimterry]

Interesting! I'd still prefer to use Magisk modules if we can, but yes if that's not possible this is definitely a good fallback approach.

What exactly is the "weird error" that the Magisk module gives on your device?

With this change, does everything now work correctly on your device?

[shirshak55]

@pimterry actually I tried to use the Magisk module, but it was not working. The weird error or bug is I can't see certs in that folder. You can see that I did try to use magisk

And, I wasn't even able to remove the module. Clicking on the remove button did nothing. And, even if the module was running, I still wasn't able to see certs in the directory.

And, yes it worked perfectly in my folder. In fact here is the console log.

You can see there are no certs at the beginning. After 2nd round, there is a cert.

[pimterry]

Just to update here: this looks good and I am very interested in this as an option, but I think I'm going to have to get a Magisk device set up myself to properly investigate everything first. I'll try to do that later this week - watch this space!

[shirshak55]

@pimterry no problem. You can root with magisk on any device including the current you have (however you may lose data )

[infernix]

Just to update here: this looks good and I am very interested in this as an option, but I think I'm going to have to get a Magisk device set up myself to properly investigate everything first. I'll try to do that later this week - watch this space!

See https://github.com/NVISOsecurity/MagiskTrustUserCerts for yet another approach

[pimterry]

@shirshak55 sorry for the massive delay here - I never managed to fully investigate this before, but I've finally managed to find some time to properly get back into testing and debugging this now.

I've set up Magisk just like you described in httptoolkit/httptoolkit-android#8, and I see similar behaviour, but the certificate is still injected successfully (as long as rooted ADB access is allowed - otherwise I see a Magisk prompt to allow root shell access).

I'm using the latest Magisk release (v25.1), which has replaced Magisk Hide with Zygisk.

If you update Magisk, are you still seeing this issue?

(I think there's some other Magisk-related improvements we can make, to prompt users if they have ADB root access actively disabled, but I'll look into those separately)

[shirshak55]

@pimterry hmm Yes, root shell access is required because we need to write at the root partition. Is there a better way to fix this issue?

[pimterry]

Yes, root shell access is required because we need to write at the root partition

Yes, that's true and it'd be nice to handle better, but that's a separate issue.

On this specific issue though: if you update Magisk to the latest version, does the original problem from httptoolkit/httptoolkit-android#8 still happen for you?

The original problem was that even when root shell access is enabled, system certificates don't get installed and system interception doesn't work (even though HTTP Toolkit's log output says cert installation was OK).

[shirshak55]

@pimterry unfortunately, I don't have that phone.

However, if I encounter any new issues, I will let you know.

[pimterry]

Ok, that's totally fine, no worries 👍 For now I'm going to assume this is indeed fixed by more recent Magisk releases, but we can reopen this PR and investigate further if we do see any new reports of this later on. Thanks for the report & PR though, it's been very useful to be able to properly test & investigate this.