420 code solution #171

Open
julio03451 opened this issue Mar 11, 2024 · 161 comments

Comments

@julio03451

Let's find the solution here

@MY20-PHEV

I read somewhere that perhaps cheap Chinese Android phones may be able to generate some default certificates without the Play Store? I'm sorry if that sounds vague, I'm on iOS. Maybe the solution lies there.

@julio03451 (Author)

julio03451 commented Mar 11, 2024

I read somewhere that perhaps cheap Chinese Android phones may be able to generate some default certificates without the Play Store? I'm sorry if that sounds vague, I'm on iOS. Maybe the solution lies there.

I think Amazon would figure out what kind of phone it is from the user agent and ban all certificates generated this way. I think there should be a way to generate the certificates yourself.

@MY20-PHEV

Does anyone have any clue about how the commercial signature providers are able to do it? I don't use one, but I'm curious to know what details you need to send them to be able to produce a signature. Maybe that's a place to start?

@julio03451 (Author)

What I have so far.
The application sends a body with these parameters:

{
	"deviceId": "<deviceId>",
	"keyAttestation": ["cert1", "cert2", "cert3"]
}

And then I got this response:

{
	"code": 201,
	"message": "Invalid attestation object"
}

I tried looking at the certificate using the command openssl x509 -in cert1.pem -text -noout and this is what I see:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = 37383053cbaecdadb5dcffa122cbb6c7, O = TEE
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Jan  1 00:00:00 2048 GMT
        Subject: CN = Android Keystore Key
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    88:63:92:bb:73:ad:78:b7:25:68:fc:78:8c:c1:c5:
                    e7:53:cd:19:ea:67:bd:59:8e:be:d9:44:f6:13:2a:
                    32:21:d6:11:04:6a:02:77:61:aa:5a:ca:19:4f:4c:
                    6c:7c:f5:31:b5:36:b7:a1:71:be:85:bd:aa:16:3b:
                    c7:b9:86:f4:g5
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            1.3.6.1.4.1.11129.2.1.17: 
                0..%....
......
....ozSGSaxdQrh1VsOyXikrzk==..0....1.................1..............w.....=.....-.....>......@L0J. ...................................
... ..................................A........B........EE.C0A1.0...com.amazon.rabbit...H..1". /...(N.o..xaR...K!e2.......s.mv%..N......O....4..0.
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        99:18:5f:20:62:3e:4e:40:4a:66:49:68:17:f4:93:b6:29:52:
        51:b2:5c:08:67:f8:4c:66:5f:de:f4:45:55:d2:1d:f6:70:49:
        02:21:00:95:33:ee:9f:be:4f:48:5e:45:05:ad:8c:d5:6f:6f:
        f4:ce:a1:f4:3c:e7:9d:7f:54:25:06:f3:90:0e:39:74:29

ozSGSaxdQrh1VsOyXikrzk== is my nonce that I got from: https://prod.us-east-1.api.app-attestation.last-mile.amazon.dev/v1/nonce/id/

@julio03451 (Author)

Does anyone have any clue about how the commercial signature providers are able to do it? I don't use one, but I'm curious to know what details you need to send them to be able to produce a signature. Maybe that's a place to start?

They don't work with single users, only with commercial bots. So we don't know.

@MY20-PHEV

That's the first time I've seen one of the certs from a genuine request. What happens if you substitute our own pub key in cert1?
Also, what is in the other 2 certs?

@julio03451 (Author)

julio03451 commented Mar 12, 2024

That's the first time I've seen one of the certs from a genuine request. What happens if you substitute our own pub key in cert1? Also, what is in the other 2 certs?

I'm using an android emulator to see these certificates. Here's what cert3 looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a2:c3:2b:a7:1b:4b:b7:03:90:b8:e7:89:c7:aa:55:c5
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Droid Unregistered Device CA, O = Google Test LLC
        Validity
            Not Before: Mar  7 18:25:22 2024 GMT
            Not After : Apr 28 18:25:22 2024 GMT
        Subject: CN = Droid Unregistered Device CA, O = Google Test LLC
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    12:24:c6:71:d7:d4:9d:1a:a9:91:75:61:f3:82:7e:
                    b4:35:c0:ce:97:d0:0f:1b:0c:dd:15:a4:11:a6:cb:
                    62:a8:69:cc:4c:5c:2c:32:ae:64:b0:c4:de:c3:3b:
                    fe:a2:fe:0f:8b:52:ce:60:5b:ca:17:cc:0a:3c:7a:
                    f4:1a:c6:0c:9d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                B6:30:C1:24:1A:37:9B:F8:46:8F:FF:48:DD:E6:70:95:A0:52:BA:0C
            X509v3 Authority Key Identifier: 
                B6:30:C1:24:1A:37:9B:F8:46:8F:FF:48:DD:E6:70:95:A0:52:BA:0C
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign
            1.3.6.1.4.1.11129.2.1.30: 
                ...
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        bb:c6:a9:73:00:e2:0d:e7:33:55:f4:c5:ac:04:a4:13:b8:57:
        ec:af:4d:2b:65:74:dd:51:7a:21:86:8b:7c:f3:38:22:f1:89:
        59:02:21:00:80:de:d8:d2:4e:d8:11:4d:ea:05:5a:07:9e:7f:
        50:89:18:c6:99:64:20:e6:6a:c8:c9:93:09:e3:e8:d5:c1:aa:

@julio03451 (Author)

So first of all we need to find out what valid certificates look like.

@julio03451 (Author)

cert2 and cert3 are always the same, as I see in my emulator; only cert1 changes. I think we need to find out what a working cert1 looks like and try to generate the same one.

@julio03451 (Author)

And we also need to learn how to decode this. That's a lot of work for us to do, heh. I need help here:

1.3.6.1.4.1.11129.2.1.17: 
                0..%....
......
....ozSGSaxdQrh1VsOyXikrzk==..0....1.................1..............w.....=.....-.....>......@L0J. ...................................
... ..................................A........B........EE.C0A1.0...com.amazon.rabbit...H..1". /...(N.o..xaR...K!e2.......s.mv%..N......O....4..0.

@julio03451 (Author)

I managed to decode 1.3.6.1.4.1.11129.2.1.17. It wasn't too hard: if you Google "1.3.6.1.4.1.11129.2.1.17" you will find all the necessary information.

Here's the information inside this extension:

KeyDescription:
 attestationVersion=200
 attestationSecurityLevel=Software
 keymasterVersion=200
 keymasterSecurityLevel=Software
 attestationChallenge=ozSGSaxdQrh1VsOyXikrzk==
 uniqueId=
 softwareEnforced=AuthorizationList:
  purpose=SetOf:
   2
  algorithm=3
  keySize=256
  digest=SetOf:
   4   6
  ecCurve=1
  noAuthRequired=
  creationDateTime=1710255346877
  origin=0
  rootOfTrust=RootOfTrust:
   verifiedBootKey=0x0000000000000000000000000000000000000000000000000000000000000000
   deviceLocked=False
   verifiedBootState=Unverified
   verifiedBootHash=0x0000000000000000000000000000000000000000000000000000000000000000

  osVersion=130000
  osPatchLevel=202211
  attestationApplicationId=0x3041311b30190411636f6d2e616d617a6f6e2e72616262697402041248d6f2312204202f19adeb284eb36f7f07786152b9a1d14b21653203ad0b04ebbf9c73ab6d7625
  vendorPatchLevel=0
  bootPatchLevel=20221101

 teeEnforced=AuthorizationList:

@MY20-PHEV

You've been busy. Is this from a rooted phone?

@julio03451 (Author)

You've been busy. Is this from a rooted phone?

Yes, it's the Android Studio emulator with Magisk.

@MY20-PHEV

So I guess the next step is to find an emulator that can pass the root checks/Play Store. I'm sorry if that's not the right terminology, I'm an iPhone man.

@julio03451 (Author)

Yeah, that's the hardest part.

@MY20-PHEV

That's why I think the focus should be on iOS. I think the iPhone gets its private key and keyId on install of the Flex app and it stays through the life of xflexinstanceid. There's no attestation traffic I've ever seen while the app is running. Plus iOS requests are easily intercepted with MITM without requiring the phone to be jailbroken.

@hoqua

hoqua commented Mar 14, 2024

Hi guys,
cool that you bring efforts to solve this issue.

I haven't figured out myself how they bypass it. But a few guys in the previous thread shared a hint that it is possible to get keys from some Android devices.

Couldn't the Amazon app save some certs in the keystore? Can we just export those from the keystore and provide them for AWS attestation? And can we generate multiple of those by reinstalling the app or so? (Sorry, I am not really into mobile tech.)

I'll start to dig into it soon. I have a few Android specialists in my friend list; they may help.

If you don't want to continue the discussion here, write me on Telegram: @hoqua or email meat159@gmail.com.
Any help appreciated!

@FlavaClover

If you don't want to continue the discussion here, write me on Telegram: @hoqua or email meat159@gmail.com. Any help appreciated!

Please discuss it here. Everyone will be grateful for your solutions.

@vineet4183

vineet4183 commented Mar 15, 2024

So I guess the next step is to find an emulator that can pass the root checks/Play Store. I'm sorry if that's not the right terminology, I'm an iPhone man.

I have a rooted android physical phone with play store. Let me know if you need some help.

@julio03451 (Author)

We're one step away from finding a solution. All we need is to find a way to see what certificates the flex app sends to app-attestation to get keyId.

@jczapatap

jczapatap commented Mar 16, 2024 via email

@hstrauch

Can anyone please tell us what exactly the 420 error means? It's not a captcha, at least in my case. I'm sending the POST request exactly as the real app sends it; the only changes are of course the 'offer id' in the body and the 'X-Amz-Date' in the header. First I was receiving a 400 code {"errorCode":null,"message":null}, now I get 420 {"errorCode":null,"message":null}. Can somebody guide us to where the problem is, so we can try to fix it? Thanks.

@rsyccd

rsyccd commented Mar 22, 2024

The cert2 and cert3 are always the same

because those are the intermediate certs. Amazon needs the whole chain to verify the key:

  • the root cert signs the intermediate cert(s) using its public key
  • the intermediate certs sign the leaf cert(s) using their public key
  • the leaf is what Amazon is interested in (that's the one their app generates) but must check the entire chain to validate this leaf (e.g. is the leaf signed by a valid intermediate? Is that intermediate signed by a valid root? Check the public key signature, which Google has knowledge of since they're the issuer)

The root and intermediate are generally "static", they won't change unless expired or revoked for some reason. With that knowledge, all it takes for attestation to work is:

  1. valid intermediate certs from an actual device (which you can pull straight out of the keystore like any app does, or just pull from requests using Charles proxy/mitm/etc.)
  2. properly signed leaf

@julio03451 (Author)

julio03451 commented Mar 22, 2024

1. valid intermediate certs from an actual device (which you can pull straight out of the keystore like any app does, or just pull from requests using Charles proxy/mitm/etc.)

That's our main problem right now. We don't know how to retrieve these certificates.

@julio03451 (Author)

rsyccd, as I understand, you were able to get a valid certificate chain from the app. Can you share one such chain so we can see what it should look like?

@julio03451 (Author)

julio03451 commented Mar 23, 2024

Finally found a certificate chain in one of the repositories on GitHub and was able to get a valid keyId.

I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

@MY20-PHEV

Finally found a certificate chain in one of the repositories on GitHub and was able to get a valid keyId.

I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

Wow, that's awesome. Are you saying that the certificate chain you found will work for any device?

@julio03451 (Author)

Finally found a certificate chain in one of the repositories on GitHub and was able to get a valid keyId.
I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

Wow, that's awesome. Are you saying that the certificate chain you found will work for any device?

Yes, they don't verify this chain as written in Google's best practices: https://developer.android.com/privacy-and-security/security-key-attestation . It's insane haha

@MY20-PHEV

I understand you may be reluctant to post the solution on here; there is the private Telegram group if you feel more comfortable.

@08bettergamiest

I have the solution. The repository won't be made public this time. Email me for a copy.

Hi, please email me at 08better.gamiest@icloud.com

@grosn89

grosn89 commented Jun 10, 2024

Friends, does anyone know where I can find the Amazon Flex 3.103.1.30.0-306763506 APK file somewhere? I would like to check something regarding @julio03451’s work.

I can't promise anything as I'm a complete noob here, but beyond making this right, I feel the urge to understand how to put it all together.

Thanks!

@ztob

ztob commented Jun 10, 2024

@grosn89 check it out, archived and uploaded here: https://file.io/0aQVp2Hydfjg
I have a lot of versions; keep us updated.

@bored-ape0001

@Sudo989 could you please send me a copy?
bored.ape.yacht.club.0001@gmail.com

@ghost

ghost commented Jun 10, 2024

I have the solution. The repository won't be made public this time. Email me for a copy.

Onlynewone5656@gmail.com
It would be greatly appreciated if you could help me out with a copy. Thanks in advance.

@Vasa211

Vasa211 commented Jun 10, 2024

I have the solution. The repository won't be made public this time. Email me for a copy.

Why are you not answering? Write to me on the email from my bio.

@grosn89

grosn89 commented Jun 10, 2024

I have the solution. The repository won't be made public this time. Email me for a copy.

Why are you not answering? Write to me on the email from my bio.

How about you keep it shut, since all you can do is moan like "Plz do not discloz publicly Amazon Fleks flaaaw" and "Write me on email from bio?".

I am reviewing @julio03451's work and I gotta say the guy is a genius. I don't understand everything, and although I've spent the whole day pulling my hair out over how to make things right, I have some questions for the guys interested (so that I head in the right direction).

What have you understood, so far, about Julio's piece of work? What is your solution to get a valid attestation from Amazon Flex?

On my side, I didn't provide any certificate, yet I was able to claim a keyId, but this always led to a 420 error. So now I'm digging deeper into these certificate issues.

It would be great if you shared your way of claiming valid attestations so I can share my potential deductions before trying things that would lead to nowhere.

Oh, and btw, 🖕 Amazon Flex. 😃

Best.

@asadbek064

I have the solution. The repository won't be made public this time. Email me for a copy.

moonligthbz@proton.me

@lpqssq

lpqssq commented Jun 10, 2024

I have the solution. The repository won't be made public this time. Email me for a copy.

Why are you not answering? Write to me on the email from my bio.

@Vasa211 maybe you are right with that conspiracy theory and Amazon went a step further this time? RIP @Sudo989 ☠️☠️☠️☠️

@grosn89

grosn89 commented Jun 10, 2024

Okay champs. I’m writing things up before getting some rest.

I’m not sure about the fact that there are interested people in Amazon Flex leaving a backdoor. I’d rather say they made a lazy solution just to prevent most of the bots from working, until they enforce the right security measures to mitigate “botting”.

From what I’m hearing there are still some people who are able to make things work out there. The question is: for how long?

Because as long as best practices are enforced, it will be pointless to extract a certificate chain from a random device, as you'll have to get your own certificate signed by its parent, whose secret key lies in a Trusted Execution Environment most of the time (and, unless you're an actual genius, you won't be able to recover the secret key... Or you'd be working at the NSA already, maybe?!).

And regarding the Android emulators, the intermediate certificate’s private key is… Well… Public! And Amazon denied emulators way before. So this option is pointless. I even get kicked with an emulator without having patched the app.

There must be a way and I’m digging into this. But the more I’m digging, the more I feel like satisfying my knowledge rather than playing cat and mouse w/ Amazon Flex.

Anyway: it’s all like falling down the rabbit hole.

Good night!

@rsyccd

rsyccd commented Jun 13, 2024

if Amazon guys implemented real key attestation as written in google's best practices, this should be the end.

it won't be the end of anything. The whole attestation thing is targeting a "loophole" that most bots don't even use - hijacking the actual Flex app.

So yes, with proper attestation you won't be able to modify, spoof, or run the official app in an untrusted environment (VMs and emulators), but we already don't do that, and there's nothing Amazon can do about us interacting with their APIs as long as 1. they are publicly exposed and 2. we have control over the client. The most they can ever do is increase detection capabilities and ban/block bot users.

@MY20-PHEV

MY20-PHEV commented Jun 13, 2024 via email

@lpqssq

lpqssq commented Jun 13, 2024

@Vasa211 send me an email lpqssq@gmx.com

@bored-ape0001

please like or dislike my comment if you received a solution from @Vasa211

@Vasa211

Vasa211 commented Jun 13, 2024

please like or dislike my comment if you received a solution from @Vasa211

I have nothing to do with it. I don't have a solution for you!

@rsyccd

rsyccd commented Jun 13, 2024

Of course it’s the end for now until playintegrity is hacked.

@MY20-PHEV no one needs to hack Play Integrity, just like no one had to "crack the Android keystore" as people were fixated on in the other thread, despite my best attempts at explaining otherwise. The END has already (again) been postponed to a later date; plenty of folks have their code up and running (including the commercial bots).

@MY20-PHEV

Of course it’s the end for now until playintegrity is hacked.

@MY20-PHEV no one needs to hack Play Integrity, just like no one had to "crack the Android keystore" as people were fixated on in the other thread, despite my best attempts at explaining otherwise. The END has already (again) been postponed to a later date; plenty of folks have their code up and running (including the commercial bots).

Sincerely hope you're right, mate.

@DeekayMitts

DeekayMitts commented Jun 13, 2024 via email

@DeekayMitts

DeekayMitts commented Jun 13, 2024 via email

@jaimbox

jaimbox commented Jun 14, 2024

I think that several people have the solution but they don't share it for commercial reasons. I have asked on Telegram and nobody answers, meaning that those who are there have found it and don't want to share it.

For this reason, I have decided to make public my progress on the work I have done and I think I am close enough to achieve it.

@jaimbox

jaimbox commented Jun 14, 2024

I managed to capture the parameters sent from a non-rooted Android device. These are the parameters sent from the register-attestation:

{
    "appSource": "GPS",
    "deviceId": "xxxxxxxxxxxxxxxx",
    "keyAttestation": [
        "cert1",
        "cert2",
        "cert3",
        "cert4"
    ]
}

Using openssl x509 -in cert1.pem -text -noout we can see the details of cert1:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: title = TEE, serialNumber = 4c6bdff1025db87594b61977ffb02d04
        Validity
            Not Before: May 23 21:02:24 2023 GMT
            Not After : May 20 21:02:24 2033 GMT
        Subject: CN = Android Keystore Key
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:71:92:f5:22:56:82:ad:ae:08:7c:b0:dc:db:6c:
                    2e:5d:3e:41:75:df:e1:e2:54:78:37:b4:c4:13:74:
                    30:8d:af:3d:92:8c:7d:9f:2f:c4:05:a8:6a:06:ed:
                    81:5c:02:46:66:f8:6c:bc:a9:8d:b4:89:7d:d9:9d:
                    2f:be:40:03:66
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            1.3.6.1.4.1.11129.2.1.17: 
                0..+..d
....d
....xRnGr5O3IQo6K05JBj5iDg==..0Z..=.......c...EJ.H0F1 0...com.amazon.flex.rabbit...V..1". ........!Q.d.vM......Aa.%D...{YS0....1.................1..............w.....>......@L0J. k.Y.fw.....u..|.K.$.. ..\.;1~.o....
... C.t..9.;.6~....:..p....xk..G.+....A........B.....D..N....4....O....4..
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:3b:e4:c7:3c:5e:dd:0a:a0:5a:ba:f4:48:d7:5e:
         14:7e:9f:3d:97:a6:9b:91:49:5d:37:39:fe:3a:fb:e8:57:cc:
         02:21:00:a2:03:62:c2:66:f2:e6:73:9c:0c:f1:72:f9:90:b8:
         db:14:e2:5e:88:bb:b9:f5:8f:32:c1:a7:3d:b0:d5:ba:f6

You can see that before, the package was com.amazon.rabbit; now it is com.amazon.flex.rabbit.

Compared to the previous version there are some changes in the Key Description. The most notable is the attestationApplicationId.

KeyDescription:
 attestationVersion=100
 attestationSecurityLevel=TrustedEnvironment
 keymasterVersion=100
 keymasterSecurityLevel=TrustedEnvironment
 attestationChallenge=xRnGr5O3IQo6K05JBj5iDg==
 uniqueId=
 softwareEnforced=AuthorizationList:
  creationDateTime=1718333078363
  attestationApplicationId=0x30463120301e0416636f6d2e616d617a6f6e2e666c65782e72616262697402041256b4ae312204201e08a903aef9c3a721510b64ec764d01d3d094eb954161b62544ea8f187b5953

 teeEnforced=AuthorizationList:
  purpose=SetOf:
   2
  algorithm=3
  keySize=256
  digest=SetOf:
   4   6
  ecCurve=1
  noAuthRequired=
  origin=0
  rootOfTrust=RootOfTrust:
   verifiedBootKey=0x6bb359936677e1018aa98b75ece37c084b9824c49120a4925c823b317e8a6f1d
   deviceLocked=True
   verifiedBootState=Verified
   verifiedBootHash=0x43af748013399c3bb5367ea9b999003a132e709abf94a9786ba5fc47d42bd280

  osVersion=130000
  osPatchLevel=202308
  vendorPatchLevel=20230801
  bootPatchLevel=20230801

I have made the changes in Chain.py to osVersion, osPatchLevel, vendorPatchLevel, bootPatchLevel, attestationApplicationId, attestationVersion and keymasterVersion.

I have changed the private key generation to private_key = ec.generate_private_key(ec.SECP256R1(), default_backend()) in order to obtain the Signature Algorithm: ecdsa-with-SHA256.

The certificate generated is identical to the one generated from an Android device, but for some reason I keep getting the 201.

If anyone wants to give me any insight into what I'm missing, let me know.

Thanks
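The two KeyDescription dumps in this thread (the emulator one julio03451 decoded and the Samsung one jaimbox posted) contain exactly the fields a relying party is supposed to check before trusting a leaf: attestationSecurityLevel and keymasterSecurityLevel (Software versus TrustedEnvironment), the attestationChallenge that must equal the nonce the server itself issued, and the TEE-enforced rootOfTrust (deviceLocked, verifiedBootState). As an added example, not code from this thread, from Google or from Amazon Flex, the Python below parses that extension with a minimal DER reader and applies those checks. The two sample extensions are constructed inline from the values quoted in the two dumps; their ASN.1 layout follows the public Android key attestation schema, in which 701 is the creationDateTime tag and 704 the rootOfTrust tag. It deliberately stops short of chain verification: a real verifier must also check that the leaf chains to Google's pinned hardware attestation root, which is the step rsyccd's comment describes and which cannot be done offline here.

```python
"""Relying-party checks for the Android key attestation extension (OID 1.3.6.1.4.1.11129.2.1.17).
Added example for this thread; not code from the thread, from Google or from Amazon Flex."""
import base64
from typing import Dict, List, Tuple

TAG_ROOT_OF_TRUST = 704                              # AuthorizationList tag [704] from the public schema

def _read_tlv(buf: bytes, pos: int) -> Tuple[tuple, int]:   # -> ((class, tag, constructed, value), next)
    first, pos = buf[pos], pos + 1
    cls, cons, tag = first >> 6, bool(first & 0x20), first & 0x1F
    if tag == 0x1F:                                  # high tag number, e.g. [704], in base-128 form
        tag, b = 0, 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return (cls, tag, cons, buf[pos:pos + length]), pos + length

def _children(value: bytes) -> List[tuple]:
    out, pos = [], 0
    while pos < len(value):
        node, pos = _read_tlv(value, pos)
        out.append(node)
    return out

def _univ(node: tuple, *tags: int) -> bytes:         # value of a universal-class element
    if node[0] != 0 or node[1] not in tags:
        raise ValueError(f"expected universal tag {tags}, got {node[:2]}")
    return node[3]
def _uint(node: tuple) -> int:                       # INTEGER (2) or ENUMERATED (10)
    return int.from_bytes(_univ(node, 2, 10), "big")
def _auth_list(node: tuple) -> Dict[int, bytes]:     # AuthorizationList: SEQUENCE of [tag] EXPLICIT
    return {t: v for c, t, _, v in _children(_univ(node, 16)) if c == 2}

def parse_key_description(ext: bytes) -> Dict[str, object]:
    (cls, tag, cons, body), end = _read_tlv(ext, 0)
    if (cls, tag, cons, end) != (0, 16, True, len(ext)):
        raise ValueError("KeyDescription must be exactly one SEQUENCE")
    av, asl, kv, ksl, chal, uid, sw, tee = _children(body)   # unpacking enforces the 8-field shape
    return {"attestationVersion": _uint(av), "attestationSecurityLevel": _uint(asl),
            "keymasterVersion": _uint(kv), "keymasterSecurityLevel": _uint(ksl),
            "attestationChallenge": _univ(chal, 4), "uniqueId": _univ(uid, 4),
            "softwareEnforced": _auth_list(sw), "teeEnforced": _auth_list(tee)}

def parse_root_of_trust(explicit_value: bytes) -> Tuple[bytes, bool, int, bytes]:
    (seq,) = _children(explicit_value)               # [704] EXPLICIT wraps exactly one SEQUENCE
    key, locked, state, digest = _children(_univ(seq, 16))
    return _univ(key, 4), _univ(locked, 1) != b"\x00", _uint(state), _univ(digest, 4)

def check_attestation(ext: bytes, expected_challenge: bytes) -> List[str]:
    kd, problems = parse_key_description(ext), []    # returns policy failures; [] means accept
    for name in ("attestationSecurityLevel", "keymasterSecurityLevel"):
        if kd[name] == 0:                            # 0 = Software (emulator / software keymaster)
            problems.append(name + "=Software")
    if kd["attestationChallenge"] != expected_challenge:  # binds this attestation to our nonce
        problems.append("attestationChallenge does not match the issued nonce")
    rot_raw = kd["teeEnforced"].get(TAG_ROOT_OF_TRUST)    # only the TEE-enforced copy is trustworthy
    if rot_raw is None:
        problems.append("rootOfTrust not hardware-enforced")
    else:
        _, locked, state, _ = parse_root_of_trust(rot_raw)
        if not locked:
            problems.append("deviceLocked=False")
        if state != 0:                               # 0 = Verified boot
            problems.append(f"verifiedBootState={state}")
    return problems

def _der(tag: bytes, body: bytes) -> bytes:          # tiny DER writer, used only for the samples below
    n = (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return tag + length + body
def _int(n: int, tag: int = 0x02) -> bytes:          # tag 0x0A encodes ENUMERATED
    return _der(bytes([tag]), n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _oct(b: bytes) -> bytes: return _der(b"\x04", b)
def _seq(*parts: bytes) -> bytes: return _der(b"\x30", b"".join(parts))
def _ctx(tagnum: int, body: bytes) -> bytes:         # [tagnum] EXPLICIT; only tags >= 31 are needed here
    enc, t = [tagnum & 0x7F], tagnum >> 7
    while t:
        enc.append(0x80 | (t & 0x7F))
        t >>= 7
    return _der(b"\xbf" + bytes(reversed(enc)), body)
def _root_of_trust(key: bytes, locked: bool, state: int, digest: bytes) -> bytes:
    return _ctx(TAG_ROOT_OF_TRUST, _seq(_oct(key), _der(b"\x01", b"\xff" if locked else b"\x00"), _int(state, 0x0A), _oct(digest)))

# Constructed samples mirroring the two KeyDescription dumps in this thread (field values taken from them).
EMULATOR_NONCE = base64.b64decode("ozSGSaxdQrh1VsOyXikrzk==")
PHONE_NONCE = base64.b64decode("xRnGr5O3IQo6K05JBj5iDg==")
EMULATOR_EXT = _seq(                                 # software keymaster, unlocked, unverified boot
    _int(200), _int(0, 0x0A), _int(200), _int(0, 0x0A), _oct(EMULATOR_NONCE), _oct(b""),
    _seq(_ctx(701, _int(1710255346877)), _root_of_trust(bytes(32), False, 2, bytes(32))),  # [701] creationDateTime
    _seq())                                          # teeEnforced is empty
PHONE_EXT = _seq(                                    # TEE keymaster, locked, verified boot
    _int(100), _int(1, 0x0A), _int(100), _int(1, 0x0A), _oct(PHONE_NONCE), _oct(b""),
    _seq(_ctx(701, _int(1718333078363))),
    _seq(_root_of_trust(bytes.fromhex("6bb359936677e1018aa98b75ece37c084b9824c49120a4925c823b317e8a6f1d"), True, 0,
                        bytes.fromhex("43af748013399c3bb5367ea9b999003a132e709abf94a9786ba5fc47d42bd280"))))
```

Calling check_attestation(EMULATOR_EXT, EMULATOR_NONCE) rejects the emulator extension on three counts (software attestation, software keymaster, no TEE-enforced rootOfTrust), while check_attestation(PHONE_EXT, PHONE_NONCE) returns an empty list; handing the phone extension a different nonce fails only the challenge check. That nonce binding, together with chain validation to the pinned root, is what makes a chain copied from someone else's device useless against a verifier that follows the Google guidance linked earlier in the thread.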

@huabtc

huabtc commented Jun 14, 2024

@jaimbox, sounds good. Would you share with me how to capture the parameters sent from a non-rooted Android device? My phone is a Pixel 4a on Android 13.

@jaimbox

jaimbox commented Jun 14, 2024

@jaimbox, sounds good. Would you share with me how to capture the parameters sent from a non-rooted Android device? My phone is a Pixel 4a on Android 13.

Decompile the APK, prepare it for HTTPS inspection and rebuild it; you can use APKLab in VS Code.

@eidelmc1998

@jaimbox How are you able to get the certificates from the device?

@ghost

ghost commented Jun 14, 2024

@jaimbox I got past the 201 error by copying an old config file's keys, as I noticed the new config file wasn't updating and that caused the 201 error, or at least copying them fixed it. Just got a new refresh token.

After getting past the 201 error I ended up getting

ErrorType: missing 1 required positional argument: 'cert_chain'

Then I think I fixed that Error type but then got an AttributeError, and I couldn't fix that. I was supposed to attribute the cert chain to something but maybe you can tell, I have absolutely no idea what I'm doing, just barely enough to get by.

@jaimbox

jaimbox commented Jun 14, 2024

I have successfully rooted a Samsung A042M and obtained the expiration and keyId without modifying the apk. How can this help to find the solution? Any ideas?

[screenshot attached in the original comment]

I noticed that the playIntegrityToken is being sent here

@noodleglitch

@jaimbox before the last update, there were only 3 certs in the keyAttestation. If we could figure out how cert4 is generated, it might solve our problem. I tried modifying the APK and recompiling it, but no luck. Do you have any insights on where cert4 comes from?

@asadbek064

asadbek064 commented Jun 19, 2024

@jaimbox before the last update, there were only 3 certs in the keyAttestation. If we could figure out how cert4 is generated, it might solve our problem. I tried modifying the APK and recompiling it, but no luck. Do you have any insights on where cert4 comes from?

The cert4 certificate is part of the response from the Play Integrity API.

The process begins by creating a request that includes a nonce (a unique, random string). This nonce is crucial because it ensures that each request is unique and prevents replay attacks. cert4 is included in the certificate chain. Basically, the client generates a random string, referred to as a nonce. The docs recommend the nonce be composed of a combination of random data or session-specific information from the client device.

The nonce spec says it should be a URL-safe, Base64-encoded string of 16 to 500 characters. They suggest generating them by hashing the request details or any relevant data with SHA-256.

We need to try combinations of all the headers and see which works.
Hope this helps, cheers.

@Vasa211

Vasa211 commented Jun 21, 2024

How annoying you are!
Write to me on email (in bio) with your Telegram nickname so that I can add you to the private group on Telegram. AND DON'T POST ANYTHING ELSE HERE!!!! IF WE FIND A SOLUTION AND POST IT HERE, AMAZON WILL FIX IT AGAIN WITHIN A MONTH.

@ThangNguyen66

Please email me if you are a signature service.

mr.byn123@gmail.com
