Crash on Samsung Galaxy S23 (Android 14) when running ecapture tls (v1.4.1)

[p3n7a90n]

Desc
Mobile is crashing when running the ecapture. I have tried mentioning the ssl_version as well by using --ssl_version=boringssl_a_14

Steps to reproduce the behavior:

dm1q:/data/local/tmp/ecapture-v1.4.1-android-arm64 # ./ecapture tls
2025-09-02T07:24:48Z INF AppName="eCapture(旁观者)"
2025-09-02T07:24:48Z INF HomePage=https://ecapture.cc
2025-09-02T07:24:48Z INF Repository=https://github.com/gojue/ecapture
2025-09-02T07:24:48Z INF Author="CFC4N cfc4ncs@gmail.com"
2025-09-02T07:24:48Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-09-02T07:24:48Z INF Version=androidgki_arm64:v1.4.1:6.8.0-1031-azure
2025-09-02T07:24:48Z INF Listen=localhost:28256
2025-09-02T07:24:48Z INF Listen for eCaptureQ=
2025-09-02T07:24:48Z INF eCapture running logs logger=
2025-09-02T07:24:48Z INF the file handler that receives the captured event eventCollector=
2025-09-02T07:24:48Z INF listen=localhost:28256
2025-09-02T07:24:48Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-09-02T07:24:48Z INF Kernel Info=5.15.123 Pid=7985
2025-09-02T07:24:48Z INF TruncateSize=0 Unit=bytes
2025-09-02T07:24:48Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2025-09-02T07:24:48Z INF BTF bytecode mode: CORE. btfMode=0
2025-09-02T07:24:48Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-09-02T07:24:48Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-09-02T07:24:48Z INF Module.Run()
2025-09-02T07:24:48Z WRN bpfFile=boringssl_a_14_kern.o sslVersion=android_default
2025-09-02T07:24:48Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-09-02T07:24:48Z INF target all process.
2025-09-02T07:24:48Z INF target all users.
2025-09-02T07:24:48Z INF setupManagers eBPFProgramType=Text
2025-09-02T07:24:48Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o

• Device: Samsung Galaxy S23
• Kernel Info: dm1q:/ # uname -a Linux localhost 5.15.123-android13-8-28577312-abS911BXXS4CXD8 #1 SMP PREEMPT Fri Apr 26 09:41:16 UTC 2024 aarch64 Toybox

[dosubot]

Hi @p3n7a90n! I'm Dosu and I’m helping the ecapture team.

Crashes on Samsung Galaxy S23 (Android 14, kernel 5.15.123) when running ecapture tls are likely due to kernel/eBPF compatibility issues or probe attachment failures. This is a known risk on newer Android devices and kernels, especially when ecapture can't detect BTF configuration or loads an incompatible BPF bytecode file.

You can try these troubleshooting steps:

• Run ecapture with -b 2 to force non-CORE BTF mode, which sometimes avoids probe failures in container-like or restricted environments source.
• Explicitly specify both --ssl_version=boringssl_a_14 and the actual SSL library path with --libssl=/apex/com.android.conscrypt/lib64/libssl.so to avoid autodetection issues source.
• On kernel 5.15, some kprobe symbols (like tcp_sendmsg) may have aliases; if you see errors about missing probe symbols, you may need to manually identify the correct symbol name and update the code source.
• If the device crashes or reboots, compile a DEBUG version of ecapture and check kernel logs via /sys/kernel/debug/tracing/trace_pipe to pinpoint the crash source.
• Make sure all eBPF kernel options are enabled.

There are no device-specific fixes for Samsung Galaxy S23 or Android 14, and some kernel/library combinations may remain incompatible until official support is added. If you continue to see crashes, collecting kernel logs and crash details will help diagnose the exact failure point.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[cfc4n]

Mobile is crashing when running the ecapture. I have tried mentioning the ssl_version as well by using --ssl_version=boringssl_a_14

What crashed? ecapture program? Mobile ROM? An app that uses libssl?

[p3n7a90n]

When I try to run ./ecapture tls, device restarts @cfc4n

[zenyanle]

same #795

[wabailu]

When I try to run ./ecapture tls, device restarts @cfc4n
@p3n7a90n try update kernel to 5.15.189 , then it's ok to run

[cfc4n]

@wabailu Have you ever encountered this issue? Looks like a kernel flaw in SamSung?

[p3n7a90n]

./ecapture tls                                                                                                          
2025-09-10T17:12:23Z INF AppName="eCapture(旁观者)"
2025-09-10T17:12:23Z INF HomePage=https://ecapture.cc
2025-09-10T17:12:23Z INF Repository=https://github.com/gojue/ecapture
2025-09-10T17:12:23Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-09-10T17:12:23Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-09-10T17:12:23Z INF Version=androidgki_arm64:v1.4.1:6.8.0-1031-azure
2025-09-10T17:12:23Z INF Listen=localhost:28256
2025-09-10T17:12:23Z INF Listen for eCaptureQ=
2025-09-10T17:12:23Z INF eCapture running logs logger=
2025-09-10T17:12:23Z INF the file handler that receives the captured event eventCollector=
2025-09-10T17:12:23Z INF listen=localhost:28256
2025-09-10T17:12:23Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-09-10T17:12:23Z INF Kernel Info=5.15.78 Pid=19605
2025-09-10T17:12:23Z INF TruncateSize=0 Unit=bytes
2025-09-10T17:12:23Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2025-09-10T17:12:23Z INF BTF bytecode mode: CORE. btfMode=0
2025-09-10T17:12:23Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-09-10T17:12:23Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-09-10T17:12:23Z INF Module.Run()
2025-09-10T17:12:23Z WRN bpfFile=boringssl_a_13_kern.o sslVersion=android_default
2025-09-10T17:12:23Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-09-10T17:12:23Z INF target all process.
2025-09-10T17:12:23Z INF target all users.
2025-09-10T17:12:23Z INF setupManagers eBPFProgramType=Text
2025-09-10T17:12:23Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_core.o
2025-09-10T17:12:24Z INF perfEventReader created mapSize(MB)=4
2025-09-10T17:12:24Z INF perfEventReader created mapSize(MB)=4

I tried it on a Galaxy A54 device running kernel 5.15.78, and it’s working as expected. Thanks for the help.

@cfc4n @wabailu