Capturing QUIC Keys #41

Open
SinghSek opened this issue Jan 23, 2025 · 7 comments
@SinghSek

Hello! I posted a similar question on my previous issue, but have not been able to figure it out and was advised to make a separate post. I have successfully captured TLS keys using FriTap, but my ultimate goal is to decrypt QUIC packets. In Wireshark, under QUIC Protocols, I noticed one of the fields is QUIC Ports, and was wondering if there is a way to capture what ports are used when running the FriTap command.

Additionally, I've read that QUIC may have its own keys on top of TLS, and would like to ask if anyone has had luck decrypting QUIC (maybe capturing the QUIC keys) using this tool.

Any advice is greatly appreciated!

@SinghSek
Author

For more context, I am trying to capture packets from the Android Messages app to analyze RCS packets, which from what I can tell using a Pixel 9 device, use either UDP or QUIC.

@monkeywave
Collaborator

Hi @SinghSek

thank you for your detailed question and for providing additional context—it’s much appreciated :-)

QUIC and TLS Keys

QUIC derives its encryption keys from the secrets negotiated during the TLS 1.3 handshake. These derived keys are used to secure QUIC traffic (cf. Using Transport Layer Security (TLS) to Secure QUIC). The good news is that Wireshark doesn’t require the derived QUIC keys directly—it can compute them using the TLS secrets (e.g., keys.log) captured by friTap. See Wireshark source file.

However, there are some considerations:

  1. QUIC Ports:

    • Wireshark uses the QUIC port information to associate decrypted packets with the correct streams.
    • friTap doesn’t explicitly log the ports in use, but you can identify the ports by analyzing the packet capture (e.g., log.pcap) generated by friTap. Filter for UDP traffic in Wireshark to see the source and destination ports being used.
  2. Decrypting QUIC:

    • Ensure that Wireshark is configured correctly:
      • Set the SSLKEYLOGFILE environment variable to point to the keys.log file generated by friTap.
    • Once the correct TLS secrets are applied, Wireshark should be able to decrypt the QUIC packets as long as the packets and keys match.

In recent versions of friTap, including 1.2.8.5, we’ve introduced some minor improvements that might help with your use case. There was also a bug in previous versions that could have affected key extraction in certain scenarios. I recommend updating to the latest version and trying again. You can update friTap using:

pip install friTap --upgrade

RCS Packets and friTap

Since you’re analyzing RCS packets from the Android Messages app on a Pixel 9 device:

  • Protocol Insight: RCS typically uses QUIC or UDP for communication, as you noted. Capturing and decrypting QUIC packets with friTap should work as long as the keys are correctly extracted and applied.
  • If friTap does not detect and log the necessary keys, this could indicate that additional hooks are required for specific libraries or functions used by the Messages app. In that case I would suggest running BoringSecretHunter against all modules being loaded.

All the best

Daniel
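To make the "Wireshark computes the QUIC keys from the TLS secrets" point concrete, here is an added example (not friTap's or Wireshark's code) that does the RFC 9001 derivation with only the Python standard library: it parses key-log lines in the format friTap writes to keys.log, derives the QUIC packet-protection key, IV and header-protection key from each TLS 1.3 traffic secret with HKDF-Expand-Label, and separately derives the Initial keys, which never appear in keys.log because they depend only on the client's Destination Connection ID. The keys.log content is a constructed sample with placeholder values; the DCID used in the demo is the one from the RFC 9001 Appendix A worked example.

```python
import hashlib
import hmac
import struct

# RFC 9001 Section 5.2: salt for QUIC version 1 Initial packets.
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")

# Constructed keys.log sample in NSS key-log format (what friTap writes);
# the client random and secret values are placeholders, not from a real capture.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real capture",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "ee" * 32,
])


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256: T(n) = HMAC(PRK, T(n-1) || info || n)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 Section 7.1; QUIC v1 reuses the "tls13 " prefix."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def quic_packet_protection(secret: bytes, key_len: int = 16) -> dict:
    """Derive key, IV and header-protection key from a TLS traffic secret
    (RFC 9001 Section 5.1). key_len=16 for AES-128-GCM, 32 for AES-256-GCM/ChaCha20."""
    return {
        "key": hkdf_expand_label(secret, "quic key", b"", key_len),
        "iv": hkdf_expand_label(secret, "quic iv", b"", 12),
        "hp": hkdf_expand_label(secret, "quic hp", b"", key_len),
    }


def quic_initial_secrets(dcid: bytes, salt: bytes = INITIAL_SALT_V1) -> dict:
    """Initial secrets depend only on the client's Destination Connection ID
    (RFC 9001 Section 5.2), which is why keys.log has no entry for them."""
    initial_secret = hkdf_extract(salt, dcid)
    return {
        "client": hkdf_expand_label(initial_secret, "client in", b"", 32),
        "server": hkdf_expand_label(initial_secret, "server in", b"", 32),
    }


def parse_keylog(text: str) -> list:
    """Parse key-log lines 'LABEL <client_random hex> <secret hex>'; skips comments/junk."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, client_random, secret = parts
        entries.append((label, bytes.fromhex(client_random), bytes.fromhex(secret)))
    return entries


def quic_keys_from_keylog(text: str, key_len: int = 16) -> dict:
    """Map each key-log label to the QUIC key/iv/hp a dissector derives from its secret."""
    return {label: quic_packet_protection(secret, key_len)
            for label, _client_random, secret in parse_keylog(text)}


if __name__ == "__main__":
    # DCID from the RFC 9001 Appendix A.1 worked example
    initial = quic_initial_secrets(bytes.fromhex("8394c8f03e515708"))
    for side in ("client", "server"):
        k = quic_packet_protection(initial[side])
        print(side, "initial: key", k["key"].hex(), "iv", k["iv"].hex(), "hp", k["hp"].hex())
    for label, k in quic_keys_from_keylog(SAMPLE_KEYLOG).items():
        print(label, "-> quic key", k["key"].hex())
```

The practical consequence for troubleshooting: if keys.log contains the `*_HANDSHAKE_TRAFFIC_SECRET` and `*_TRAFFIC_SECRET_0` lines whose client random matches the captured ClientHello, Wireshark has everything it needs for the Handshake and 1-RTT packets; Initial packets decrypt even with an empty key log, so a readable Initial but opaque Handshake/1-RTT is the signature of a missing or mismatched secret rather than a QUIC-specific key problem.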

@SinghSek
Author

SinghSek commented Feb 2, 2025

Thank you for your breakdown. I am now encountering an issue where the keys do not get logged at all: FriTap runs perfectly fine, but after the process is finished, the keys.log file is empty. Any idea how I might overcome this?

@monkeywave
Collaborator

Hi @SinghSek,

I'm a little confused: in your initial post, you mentioned that you were able to log some TLS keys but couldn't decrypt the traffic. Am I mistaken, or is this a new issue where no keys are being logged at all?

Also, are you still testing with the same app? Which Android version are you currently running? Which version of friTap are you using?

To better assist you, we'll need more context. Could you provide details about how you're running friTap (e.g., command used, output logs, version number) so we can investigate further?
Best would be if you can include the debug output (`-do -v`) as well :-)

Looking forward to your response :-)

All the best

Daniel

@SinghSek
Author

SinghSek commented Feb 6, 2025

Sorry for the confusion. I was initially testing with both a Pixel 9 running Android 14 and a Samsung S21 running Android 11. Previously the keys were logged but traffic was not decrypted.

Now I am only using the S21 with the same setup on the same app, and keys are not being logged. I verified decryption works on a Pixel 5, as after every UDP and QUIC packet, HTTP packets with the option to decrypt are present (choosing to decrypt QUIC packets shows a random string of characters, but I think that is a separate issue for another time).

I am running this command: `fritap -m -p log.pcap --full_capture -k keys.log 27944`

Here is the debug output:

```
[*] capturing whole traffic of target app
[*] Attaching to the first available USB device...
[*] Successfully attached to the mobile device.
[*] doing full capture on Android
[*] loading friTap frida script: _ssl_log.js
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[*] The module "libssl.so" has 525 exports.
[*] Found SSL_read 0x71cd9c0b84
[*] Found SSL_write 0x71cd9c0f90
[*] Found SSL_get_fd 0x71cd9c192c
[*] Found SSL_get_session 0x71cd9c7c58
[*] Found SSL_SESSION_get_id 0x71cd9c7864
[*] Found SSL_new 0x71cd9bfeb4
[*] Found SSL_CTX_set_keylog_callback 0x71cd9c33ec
[*] Found getpeername 0x74d9c2e700
[*] Found getsockname 0x74d9c2e6e0
[*] Found ntohs 0x74d9c29130
[*] Found ntohl 0x74d9c29128
[*] libconscrypt_gmscore_jni.so found & will be hooked on Android!
[*] The module "libconscrypt_gmscore_jni.so" has 2 exports.
[*] Found getpeername 0x74d9c2e700
[*] Found getsockname 0x74d9c2e6e0
[*] Found ntohs 0x74d9c29130
[*] Found ntohl 0x74d9c29128
[---] error: skipping module libconscrypt_gmscore_jni.so
[---] Loader error: Error: missing argument
[*] libcronet.133.0.6876.3.so found & will be hooked on Android!
[*] Found getpeername 0x74d9c2e700
[*] Found getsockname 0x74d9c2e6e0
[*] Found ntohs 0x74d9c29130
[*] Found ntohl 0x74d9c29128
[*] Trying Pattern: {"primary":"3F 23 03 D5 FF C3 01 D1 FD 7B 04 A9 F6 57 05 A9 F4 4F 06 A9 FD 03 01 91 08 34 40 F9 08 1? 41 F9 ?8 0? 00 B4","fallback":"3F 23 03 D5 FF 03 02 D1 FD 7B 04 A9 F7 2B 00 F9 F6 57 06 A9 F4 4F 07 A9 FD 03 01 91 08 34 40 F9 08 ?? 41 F9 E8 0F 00 B4"}
[*] Module Base Address: 0x714b780000
[*] Module Size: 6029312
[---] There was an error scanning memory: access violation accessing 0x714bd21000
[---] Trying to rescan memory with permissions in mind
[*] trying to scan only readable parts of libcronet.133.0.6876.3.so ...
[*] Primary pattern failed, trying fallback pattern...
[*] Android dynamic loader hooked.
[*] Logging pcap to log.pcap
[*] Logging keylog file to keys.log
[*] Pattern found at (fallback_pattern) address: 0x714bb928ac
[*] Pattern based hooks installed.
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0,KnoxAndroidKeyStore version 1.0,TimaKeyStore version 1.0

[*] Ctrl+C detected. Cleaning up...
[*] pulling capture from device:
[*] full mobile capture safed to _log.pcap
[*] remember that the full capture won't contain any decrypted TLS traffic. In order to decrypt it use the logged keys from keys.log
[*] friTap not trace the sockets in use (--socket_tracing option not enabled)
[*] The resulting PCAP _log.pcap will contain all trafic from the device.
[*] Attempting to detach from Frida process...
[*] Successfully detached from Frida process.
[*] Detached friTap from process successfully.

Thx for using friTap
Have a great day
```

Thank you for your continued help so far. For reference, I am trying to find the plaintext content of an RCS packet to verify the RCS standard is being used.

@monkeywave
Collaborator

Hey @SinghSek ,

thx for the detailed output :-)
I just tried the latest version of friTap (version 1.2.8.8) against the Android Messages App on my Pixel 5 with Android 13 and I was able to extract the keys. Maybe the latest updates are already resolving your issue :-)

If it's still not working, can you connect to the target app with frida and provide us the output of the following command:

```javascript
// Paste into the Frida REPL attached to the target app. For every loaded module,
// list the exports whose name contains "ssl_ctx_new" and print the module name
// alongside the matching exports (name and address) as JSON.
Process.enumerateModules().forEach((element) => {
  const matches = Process.getModuleByName(element.name)
    .enumerateExports()
    .filter((exp) => exp.name.toLowerCase().includes("ssl_ctx_new"));
  // Only print modules that actually have a matching export.
  if (matches.length > 0) {
    console.log(element.name + " : \n" + JSON.stringify(matches));
  }
});
```

All the best

Daniel

@monkeywave monkeywave self-assigned this Feb 7, 2025
@SinghSek
Author

SinghSek commented Feb 7, 2025

Hey Daniel, thanks so much for the response. As I am using the commands in the terminal, how would I go about connecting to the Android Messages app via frida? Would I just grab the PID? And how would I run the command you have written, would that just be in a Python file? Sorry, I'm still a little new to this type of analysis, and your help is really appreciated!

Also, I have just verified that, even on the newest version of FriTap, the S21 running Android 11 still results in an empty keys.log file when running the fritap command. I've been able to collect the keys off of a Pixel 5 running Android 11, however.
