Android 16: unable to capture TLS master keys

[jeromekleinen]

Important

You can mention the @dosu AI robot, which can quickly answer your questions.

Describe the bug
ecapture fails to capture the TLS master keys on Android 16

To Reproduce
Steps to reproduce the behavior:

1. run ecapture tls -m keylog
2. observe no keys are being logged

Linux Server/Android (please complete the following information):

• Device: Pixel 6a
• Kernel Info: Linux localhost 6.1.124-android14-11-g8d713f9e8e7b-ab13202960 #1 SMP PREEMPT Wed Mar 12 13:40:07 UTC 2025 aarch64 Toybox
• eCapture Version: ecapture 1.5.1

Additional context
Tracing with a debug build shows bpf_trace_printk: bpf_probe_read ssl_s3_st_ptr pointer failed, ret :-14

I've tried commenting out the return instruction, but this naive fix doesn't work, it seems the value is really required. I've also looked into the offsets and regenerated the header file, but the offset seems to be correct and is used in several other projects as well (f.e. frida based TLS master key capturing tools).

[dosubot]

This is a known issue on Android 16 (Pixel 6a, kernel 6.1.124) with ecapture: the error bpf_probe_read ssl_s3_st_ptr pointer failed, ret :-14 means the eBPF probe can't read the ssl->s3 pointer, which is required for TLS master key extraction. The offset for this pointer (0x30) is correct and matches other tools, so the problem is not with the offset itself.

Recent updates added explicit support for Android 16 BoringSSL and adjusted offsets and probe logic, but users still report that only HTTP responses are captured—TLS master keys and requests are not, and the same bpf_probe_read failures persist. This suggests the root cause is likely new kernel or Android security features (like pointer authentication or stricter memory access controls) that block eBPF from accessing the required memory, even with correct offsets. There is no confirmed workaround yet, and the issue is actively being investigated by maintainers and users.

If you haven't already, make sure you're running the latest ecapture build with Android 16 support, but be aware that full TLS master key extraction may not be possible until further updates address these kernel and security changes. You can follow ongoing discussion and technical details in this issue and recent PRs for updates.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}