mdesilva / AmazonFlexUnlimited

Automate the process of grabbing job blocks from Amazon Flex

420 code solution #171

Open julio03451 opened 5 months ago

julio03451 commented 5 months ago

Let's find the solution here

MY20-PHEV commented 5 months ago

I read somewhere that perhaps cheap Chinese Android phones may be able to generate some default certificates without the Play Store? I'm sorry if that sounds vague, I'm on iOS. Maybe the solution lies there.

julio03451 commented 5 months ago

I read somewhere that perhaps cheap Chinese Android phones may be able to generate some default certificates without the Play Store? I'm sorry if that sounds vague, I'm on iOS. Maybe the solution lies there.

I think amazon would figure out what kind of phone it is from the user agent and ban all certificates generated this way. I think there should be a way to generate the certificates yourself.

MY20-PHEV commented 5 months ago

Does anyone have any clue about how the commercial signature providers are able to do it? I don't use one but I'm curious to know what details you need to send them to be able to produce a signature. Maybe that's a place to start?

julio03451 commented 5 months ago

What I have so far. Application sends a body with these parameters:

{
    "deviceId": "<deviceId>",
    "keyAttestation": ["cert1", "cert2", "cert3"]
}

And then got a response:

{
    "code": 201,
    "message": "Invalid attestation object"
}

I tried looking at the certificate using the command: openssl x509 -in cert1.pem -text -noout and this is what I see:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = 37383053cbaecdadb5dcffa122cbb6c7, O = TEE
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Jan  1 00:00:00 2048 GMT
        Subject: CN = Android Keystore Key
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    88:63:92:bb:73:ad:78:b7:25:68:fc:78:8c:c1:c5:
                    e7:53:cd:19:ea:67:bd:59:8e:be:d9:44:f6:13:2a:
                    32:21:d6:11:04:6a:02:77:61:aa:5a:ca:19:4f:4c:
                    6c:7c:f5:31:b5:36:b7:a1:71:be:85:bd:aa:16:3b:
                    c7:b9:86:f4:g5
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            1.3.6.1.4.1.11129.2.1.17: 
                0..%....
......
....ozSGSaxdQrh1VsOyXikrzk==..0....1.................1..............w.....=.....-.....>......@L0J. ...................................
... ..................................A........B........EE.C0A1.0...com.amazon.rabbit...H..1". /...(N.o..xaR...K!e2.......s.mv%..N......O....4..0.
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        99:18:5f:20:62:3e:4e:40:4a:66:49:68:17:f4:93:b6:29:52:
        51:b2:5c:08:67:f8:4c:66:5f:de:f4:45:55:d2:1d:f6:70:49:
        02:21:00:95:33:ee:9f:be:4f:48:5e:45:05:ad:8c:d5:6f:6f:
        f4:ce:a1:f4:3c:e7:9d:7f:54:25:06:f3:90:0e:39:74:29

ozSGSaxdQrh1VsOyXikrzk== is my nonce that I got from: https://prod.us-east-1.api.app-attestation.last-mile.amazon.dev/v1/nonce/id/

julio03451 commented 5 months ago

Does anyone have any clue about how the commercial signature providers are able to do it? I don't use one but I'm curious to know what details you need to send them to be able to produce a signature. Maybe that's a place to start?

They don't work with single users, only with commercial bots. So we don't know.

MY20-PHEV commented 5 months ago

That's the first time I've seen one of the certs from a genuine request. What happens if you substitute our own pub key in cert1? Also, what is in the other 2 certs?

julio03451 commented 5 months ago

That's the first time I've seen one of the certs from a genuine request. What happens if you substitute our own pub key in cert1? Also, what is in the other 2 certs?

I'm using an android emulator to see these certificates. Here's what cert3 looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a2:c3:2b:a7:1b:4b:b7:03:90:b8:e7:89:c7:aa:55:c5
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Droid Unregistered Device CA, O = Google Test LLC
        Validity
            Not Before: Mar  7 18:25:22 2024 GMT
            Not After : Apr 28 18:25:22 2024 GMT
        Subject: CN = Droid Unregistered Device CA, O = Google Test LLC
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    12:24:c6:71:d7:d4:9d:1a:a9:91:75:61:f3:82:7e:
                    b4:35:c0:ce:97:d0:0f:1b:0c:dd:15:a4:11:a6:cb:
                    62:a8:69:cc:4c:5c:2c:32:ae:64:b0:c4:de:c3:3b:
                    fe:a2:fe:0f:8b:52:ce:60:5b:ca:17:cc:0a:3c:7a:
                    f4:1a:c6:0c:9d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                B6:30:C1:24:1A:37:9B:F8:46:8F:FF:48:DD:E6:70:95:A0:52:BA:0C
            X509v3 Authority Key Identifier: 
                B6:30:C1:24:1A:37:9B:F8:46:8F:FF:48:DD:E6:70:95:A0:52:BA:0C
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign
            1.3.6.1.4.1.11129.2.1.30: 
                ...
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        bb:c6:a9:73:00:e2:0d:e7:33:55:f4:c5:ac:04:a4:13:b8:57:
        ec:af:4d:2b:65:74:dd:51:7a:21:86:8b:7c:f3:38:22:f1:89:
        59:02:21:00:80:de:d8:d2:4e:d8:11:4d:ea:05:5a:07:9e:7f:
        50:89:18:c6:99:64:20:e6:6a:c8:c9:93:09:e3:e8:d5:c1:aa:

julio03451 commented 5 months ago

So first of all we need to find what valid certificates look like

julio03451 commented 5 months ago

The cert2 and cert3 are always the same, as I see in my emulator, only cert1 changes. I think we need to find what a working cert1 looks like and try to generate the same one

julio03451 commented 5 months ago

And we also need to learn how to decode this. That's a lot of work for us to do, heh. I need help here

1.3.6.1.4.1.11129.2.1.17: 
                0..%....
......
....ozSGSaxdQrh1VsOyXikrzk==..0....1.................1..............w.....=.....-.....>......@L0J. ...................................
... ..................................A........B........EE.C0A1.0...com.amazon.rabbit...H..1". /...(N.o..xaR...K!e2.......s.mv%..N......O....4..0.

julio03451 commented 5 months ago

I managed to decode 1.3.6.1.4.1.11129.2.1.17. It wasn't too hard, if you google "1.3.6.1.4.1.11129.2.1.17" you will find all the necessary information.

Here's the information inside this extension:

KeyDescription:
 attestationVersion=200
 attestationSecurityLevel=Software
 keymasterVersion=200
 keymasterSecurityLevel=Software
 attestationChallenge=ozSGSaxdQrh1VsOyXikrzk==
 uniqueId=
 softwareEnforced=AuthorizationList:
  purpose=SetOf:
   2
  algorithm=3
  keySize=256
  digest=SetOf:
   4   6
  ecCurve=1
  noAuthRequired=
  creationDateTime=1710255346877
  origin=0
  rootOfTrust=RootOfTrust:
   verifiedBootKey=0x0000000000000000000000000000000000000000000000000000000000000000
   deviceLocked=False
   verifiedBootState=Unverified
   verifiedBootHash=0x0000000000000000000000000000000000000000000000000000000000000000

  osVersion=130000
  osPatchLevel=202211
  attestationApplicationId=0x3041311b30190411636f6d2e616d617a6f6e2e72616262697402041248d6f2312204202f19adeb284eb36f7f07786152b9a1d14b21653203ad0b04ebbf9c73ab6d7625
  vendorPatchLevel=0
  bootPatchLevel=20221101

 teeEnforced=AuthorizationList:

MY20-PHEV commented 5 months ago

You've been busy. Is this from a rooted phone?

julio03451 commented 5 months ago

You've been busy. Is this from a rooted phone?

Yes, it's an Android Studio emulator with Magisk.

MY20-PHEV commented 5 months ago

So I guess the next step is to find an emulator that can pass the root checks/Play Store. I’m sorry if that’s not the right terminology, I’m an iPhone man.

julio03451 commented 5 months ago

Yeah, that's the hardest part

MY20-PHEV commented 5 months ago

That’s why I think the focus should be on iOS. I think the iPhone gets its private key and keyid on install of the Flex app and it stays through the life of xflexinstanceid. There’s no attestation traffic I’ve ever seen while the app is running. Plus iOS requests are easily intercepted with MITM without requiring the phone to be jailbroken.

hoqua commented 5 months ago

Hi guys, cool that you bring efforts to solve this issue.

I haven't figured out myself how they bypass it. But a few guys in the previous thread shared a hint that it is possible to get keys from some Android devices.

Couldn't the Amazon app save some certs in the keystore? Can we just export those from the keystore and provide them for AWS attestation? And can we generate multiple of those by reinstalling the app or so? (Sorry, I am not really into mobile tech.)

I'll start to dig into it soon. I have a few Android specialists in my friend list; they may help.

If you don't want to continue discussion here write me in telegram:@hoqua or email meat159@gmail.com Any help appreciated!

FlavaClover commented 5 months ago

If you don't want to continue discussion here write me in telegram:@hoqua or email meat159@gmail.com Any help appreciated!

Please discuss it here. Everyone will be grateful for your solutions

vineet4183 commented 5 months ago

So I guess the next step is to find an emulator that can pass the root checks/Play Store. I’m sorry if that’s not the right terminology, I’m an iPhone man.

I have a rooted android physical phone with play store. Let me know if you need some help.

julio03451 commented 5 months ago

We're one step away from finding a solution. All we need is to find a way to see what certificates the flex app sends to app-attestation to get keyId.

jczapatap commented 5 months ago

I think that can be captured using charles proxy

On Sat, Mar 16, 2024 at 12:38 PM julio03451 @.***> wrote:

We're one step away from finding a solution. All we need is to find a way to see what certificates the flex app sends to app-attestation to get keyId.

hstrauch commented 5 months ago

Can anyone please tell us what exactly the 420 error means? It's not captcha, at least in my case. I'm sending the POST request exactly as the real app sends it; the only changes are of course the 'offer id' in the body and the 'X-Amz-Date' in the header. First I was receiving a 400 code {"errorCode":null,"message":null}, now I get 420 {"errorCode":null,"message":null}. Can somebody guide us on where the problem is, so we can try to fix it. Thanks.

rsyccd commented 5 months ago

The cert2 and cert3 are always the same

because those are the intermediate certs. Amazon needs the whole chain to verify the key:

The root and intermediate are generally "static", they won't change unless expired or revoked for some reason. With that knowledge, all it takes for attestation to work is:

  1. valid intermediate certs from an actual device (which you can pull straight out of the keystore like any app does, or just pull from requests using Charles proxy/mitm/etc.)
  2. properly signed leaf

julio03451 commented 5 months ago

1. valid intermediate certs from an actual device (which you can pull straight out of the keystore like any app does, or just pull from requests using Charles proxy/mitm/etc.)

That's our main problem right now. We don't know how to retrieve these certificates.

julio03451 commented 5 months ago

rsyccd, as I understand, you were able to get a valid certificate chain from the app. Can you share one such chain so we can see what it should look like?

julio03451 commented 5 months ago

Finally found a certificate chain in one of the repositories on github and was able to get a valid keyId.

I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

MY20-PHEV commented 5 months ago

Finally found a certificate chain in one of the repositories on github and was able to get a valid keyId.

I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

Wow, thats awesome, are you saying that the certificate chain you found will work for any device ?

julio03451 commented 5 months ago

Finally found a certificate chain in one of the repositories on github and was able to get a valid keyId. I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

Wow, thats awesome, are you saying that the certificate chain you found will work for any device ?

Yes, they don't verify this chain as it is written in Google best practices https://developer.android.com/privacy-and-security/security-key-attestation . It's insane haha
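
The Google key attestation guidance linked above describes what a relying party is supposed to do before trusting an attestation: validate the certificate chain up to Google's published root, then inspect the KeyDescription extension (OID 1.3.6.1.4.1.11129.2.1.17) and reject keys whose properties do not meet policy. As an added illustration, not code from this repository or from any of the posters, here is a pure standard-library Python parser for that extension with the policy checks a verifier would apply. Fed a constructed sample mirroring the decoded emulator values posted earlier in this thread (attestationSecurityLevel=Software, deviceLocked=False, verifiedBootState=Unverified, all-zero verifiedBootKey, no teeEnforced rootOfTrust), it rejects the attestation, which is the outcome a correctly implemented server-side check produces. The tag number 704 for rootOfTrust and the enumeration values are taken from Google's published schema; the sample bytes are constructed and the challenge is the nonce string shown in the dump above. Chain signature validation is out of scope for this block (it needs an X.509 library).

```python
"""Relying-party checks for the Android Key Attestation KeyDescription
extension (OID 1.3.6.1.4.1.11129.2.1.17). Standard library only: a tiny DER
codec, a parser for the fields a verifier cares about, and a policy function.
The sample inputs are constructed, not captured from any device."""

from typing import List, Optional, Tuple

# SecurityLevel and VerifiedBootState values from Google's attestation schema
SOFTWARE, TRUSTED_ENVIRONMENT, STRONGBOX = 0, 1, 2
BOOT_VERIFIED, BOOT_SELF_SIGNED, BOOT_UNVERIFIED, BOOT_FAILED = 0, 1, 2, 3
ROOT_OF_TRUST_TAG = 704        # rootOfTrust [704] EXPLICIT inside AuthorizationList
CTX = 0x80                     # ASN.1 context-specific tag class

# ---- minimal DER encoder (used only to build the constructed samples) ----
def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _encode_tag(cls: int, constructed: bool, number: int) -> bytes:
    first = cls | (0x20 if constructed else 0)
    if number < 31:
        return bytes([first | number])
    groups = []                                   # high-tag-number form, base 128
    while True:
        groups.insert(0, number & 0x7F)
        number >>= 7
        if not number:
            break
    return bytes([first | 0x1F] + [g | 0x80 for g in groups[:-1]] + [groups[-1]])

def tlv(cls: int, constructed: bool, number: int, body: bytes) -> bytes:
    return _encode_tag(cls, constructed, number) + _encode_length(len(body)) + body

def der_int(v: int) -> bytes:                     # non-negative integers only
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0, False, 2, b"\x00" + b if b[0] & 0x80 else b)

def der_enum(v: int) -> bytes: return tlv(0, False, 10, bytes([v]))
def der_bool(v: bool) -> bytes: return tlv(0, False, 1, b"\xff" if v else b"\x00")
def der_octets(b: bytes) -> bytes: return tlv(0, False, 4, b)
def der_seq(*items: bytes) -> bytes: return tlv(0, True, 16, b"".join(items))
def der_ctx(number: int, body: bytes) -> bytes: return tlv(CTX, True, number, body)

# ---- minimal DER decoder ----
Item = Tuple[int, bool, int, bytes]               # (class, constructed, tag number, value)

def _read_tlv(buf: bytes, pos: int) -> Tuple[Item, int]:
    first = buf[pos]; pos += 1
    cls, constructed, number = first & 0xC0, bool(first & 0x20), first & 0x1F
    if number == 0x1F:                            # high-tag-number form
        number = 0
        while True:
            b = buf[pos]; pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]; pos += 1
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return (cls, constructed, number, buf[pos:end]), end

def _children(body: bytes) -> List[Item]:
    items, pos = [], 0
    while pos < len(body):
        item, pos = _read_tlv(body, pos)
        items.append(item)
    return items

def _root_of_trust(auth_list: bytes) -> Optional[dict]:
    """Pull RootOfTrust out of an AuthorizationList body, or None if absent."""
    for cls, _, number, value in _children(auth_list):
        if cls == CTX and number == ROOT_OF_TRUST_TAG:
            (_, _, _, seq), _ = _read_tlv(value, 0)   # EXPLICIT wrapper -> inner SEQUENCE
            key, locked, state, boot_hash = _children(seq)[:4]
            return {"verifiedBootKey": key[3], "deviceLocked": locked[3] != b"\x00",
                    "verifiedBootState": state[3][0], "verifiedBootHash": boot_hash[3]}
    return None

def parse_key_description(ext: bytes) -> dict:
    (_, constructed, number, body), _ = _read_tlv(ext, 0)
    if not constructed or number != 16:
        raise ValueError("KeyDescription must be a SEQUENCE")
    f = _children(body)
    if len(f) < 8:
        raise ValueError("KeyDescription is missing fields")
    return {"attestationVersion": int.from_bytes(f[0][3], "big"),
            "attestationSecurityLevel": f[1][3][0],
            "keymasterVersion": int.from_bytes(f[2][3], "big"),
            "keymasterSecurityLevel": f[3][3][0],
            "attestationChallenge": f[4][3],
            "uniqueId": f[5][3],
            "softwareEnforced": _root_of_trust(f[6][3]),
            "teeEnforced": _root_of_trust(f[7][3])}

def evaluate(ext: bytes, expected_challenge: bytes) -> List[str]:
    """Return the policy failures; an empty list means the attestation is acceptable."""
    d = parse_key_description(ext)
    problems = []
    if d["attestationChallenge"] != expected_challenge:
        problems.append("challenge mismatch: not a fresh attestation for this nonce")
    if d["attestationSecurityLevel"] == SOFTWARE:
        problems.append("attestationSecurityLevel=Software: key not generated in TEE/StrongBox")
    rot = d["teeEnforced"]                        # only the hardware-enforced list counts
    if rot is None:
        problems.append("no hardware-enforced rootOfTrust")
    else:
        if not rot["deviceLocked"]:
            problems.append("bootloader unlocked")
        if rot["verifiedBootState"] != BOOT_VERIFIED:
            problems.append("verifiedBootState is not Verified")
        if rot["verifiedBootKey"] == bytes(len(rot["verifiedBootKey"])):
            problems.append("verifiedBootKey is all zeros")
    return problems

# ---- constructed samples (field layout per Google's schema; values invented) ----
CHALLENGE = b"ozSGSaxdQrh1VsOyXikrzk=="          # nonce string as it appears in the dump above

def build_sample(level: int, tee_backed: bool, locked: bool, state: int, boot_key: bytes) -> bytes:
    rot = der_ctx(ROOT_OF_TRUST_TAG, der_seq(der_octets(boot_key), der_bool(locked),
                                             der_enum(state), der_octets(bytes(32))))
    return der_seq(der_int(200), der_enum(level), der_int(200), der_enum(level),
                   der_octets(CHALLENGE), der_octets(b""),
                   der_seq() if tee_backed else der_seq(rot),   # softwareEnforced
                   der_seq(rot) if tee_backed else der_seq())   # teeEnforced

EMULATOR_SAMPLE = build_sample(SOFTWARE, False, False, BOOT_UNVERIFIED, bytes(32))
HARDWARE_SAMPLE = build_sample(TRUSTED_ENVIRONMENT, True, True, BOOT_VERIFIED, bytes(range(32)))

if __name__ == "__main__":
    for name, sample in (("emulator", EMULATOR_SAMPLE), ("hardware", HARDWARE_SAMPLE)):
        print(name, evaluate(sample, CHALLENGE) or "OK")
```

The point of `evaluate` is that every property the emulator output above exposes (software security level, unlocked bootloader, unverified boot, zeroed boot key, empty teeEnforced list) is a documented rejection condition; a backend that only checks the challenge and skips the chain and these fields is the gap the thread is describing.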

MY20-PHEV commented 5 months ago

I understand you may be reluctant to post the solution on here; there is the private Telegram group if you feel more comfortable.

razrab34511 commented 5 months ago

private

Hi there! How do I get into this group?

MY20-PHEV commented 5 months ago

private

Hi there! How do I get into this group?

the Telegram group owner is @sergggio0

I'm not sure where the thread is on here that set the group up, but you could try sending him a message?

razrab34511 commented 5 months ago

private

Hi there! How do I get into this group?

the Telegram group owner is @sergggio0

I'm not sure where the thread is on here that set the group up, but you could try sending him a message?

Thank you🙌

FlavaClover commented 5 months ago

Finally found a certificate chain in one of the repositories on github and was able to get a valid keyId. I am now 100% sure that there are some interested developers at Amazon. They left an incredible backdoor in the Key Attestation implementation. That couldn't have been left by accident. So don’t worry, there will always be "solutions".

Wow, thats awesome, are you saying that the certificate chain you found will work for any device ?

Yes, they don't verify this chain as it is written in Google best practices https://developer.android.com/privacy-and-security/security-key-attestation . It's insane haha

Can you share the solution, please?

biabock commented 5 months ago

Why reluctant to post here? It really makes no sense. Amazon doesn't care that a small group of people that has the ability to run this script on their own has found the solution WHEN THERE ARE THOUSANDS of COMMERCIAL BOT users.

By not posting the solution here you will only benefit those commercial bots that are making a fortune as parcel of our hard work.

MY20-PHEV commented 5 months ago

Why reluctant to post here? It really makes no sense. Amazon doesn't care that a small group of people that has the ability to run this script on their own has found the solution WHEN THERE ARE THOUSANDS of COMMERCIAL BOT users.

By not posting the solution here you will only benefit those commercial bots that are making a fortune as parcel of our hard work.

Don't forget, most if not all the commercial bots are using signature services, so maybe posting the solution here would kill off the signature service companies?

FlavaClover commented 5 months ago

Don't forget, most if not all the commercial bots are using signature services, so maybe posting the solution here would kill off the signature service companies?

The vast majority of bots do not use these services. I've been doing reverse engineering with Charles and every commercial bot generates them on its own. At least the ones that are available in the Appstore and Google store.

julio03451 commented 5 months ago

Don't forget, most if not all the commercial bots are using signature services, so maybe posting the solution here would kill off the signature service companies?

I think commercial bots will continue to buy these signature solutions. They could have paid a freelancer $1000 a long time ago and he would have found them this solution, but it's easier for them to pay for signatures.

I think an android dev would have found them this solution in a few days

julio03451 commented 5 months ago

Can you share the solution, please?

I will share but I need some time to implement this solution in the mdesilva code

FlavaClover commented 5 months ago

Can you share the solution, please?

I will share but I need some time to implement this solution in the mdesilva code

If you need help with the code, please contact me (@claudbros). I will be glad to help.

Maxopenstudio commented 5 months ago

Can you share the solution, please?

I will share but I need some time to implement this solution in the mdesilva code

I can also help integrate your solution into RE FLEX or this bot.

Maxopenstudio commented 5 months ago

my telegram @account_owl

MY20-PHEV commented 5 months ago

@julio03451 Are we still generating our own EC keypair to go with this cert chain you've found? Or is there a specific keypair needed?

rsyccd commented 5 months ago

That's our main problem right now. We don't know how to retrieve these certificates.

  1. you pull it out of any device's keystore with a mock app using getCertificateChain(), just as any app does it (including Flex, see the createAttestationKey method in com.amazon.mobile.attestation)

  2. you examine the requests made by Flex (currently needs rooted phone with magisk modules for bypassing root detection, SSL pinning, and getting around play integrity, and a proxy such as charles/mitm/frida etc.)

I would be hesitant about multi-instance usage & sharing of chains since again, the root is issued by Google and associated with a physical device, and there's no non-TOS-breaking reason for 50 accounts to be sending requests from what's perceived as being the same unique device. I don't know what commercial bots do, maybe there's a reason they all seem to use iOS, maybe they don't care that much about their users being emailed & deactivated, or maybe I'm being overcautious myself.

That being said, there are requests including chains posted in #144

julio03451 commented 5 months ago

Okay, here's my solution: https://github.com/julio03451/AmazonFlexUnlimited420

As rsyccd said, you should avoid using the chain that is provided in chains.json. Get the chain from your device and use it instead. However, this chain is working for the moment.

Also when you get the chain from your device you can update osPatchLevel, vendorPatchLevel and bootPatchLevel to the current ones.

julio03451 commented 5 months ago

@julio03451 Are we still generating our own EC keypair to go with this cert chain you've found? Or is there a specific keypair needed?

Yeah, we still generate our own EC key.

MY20-PHEV commented 5 months ago

Okay, here's my solution: https://github.com/julio03451/AmazonFlexUnlimited420

As rsyccd said, you should avoid using the chain that is provided in chains.json. Get the chain from your device and use it instead. However, this chain is working for the moment.

Also when you get the chain from your device you can update osPatchLevel, vendorPatchLevel and bootPatchLevel to the current ones.

Firstly can I just say Well Done. This is a great piece of work. And very generous of you to share.

One question I have, and bear with me if I'm getting any of this wrong, I'm an iOS user not Android. I was thinking that the Flex app has SSL pinning to stop us sniffing out the cert chain using a MITM proxy. I was wondering, would it be possible to find a different Android app of some description that uses attestation but doesn't have SSL pinning, and sniff the chain from that?

Do you believe this would work ?

julio03451 commented 5 months ago

Okay, here's my solution: https://github.com/julio03451/AmazonFlexUnlimited420 As rsyccd said, you should avoid using the chain that is provided in chains.json. Get the chain from your device and use it instead. However, this chain is working for the moment. Also when you get the chain from your device you can update osPatchLevel, vendorPatchLevel and bootPatchLevel to the current ones.

Firstly can I just say Well Done. This is a great piece of work. And very generous of you to share.

One question I have, and bear with me if I'm getting any of this wrong, I'm an iOS user not Android. I was thinking that the Flex app has SSL pinning to stop us sniffing out the cert chain using a MITM proxy. I was wondering, would it be possible to find a different Android app of some description that uses attestation but doesn't have SSL pinning, and sniff the chain from that?

Do you believe this would work ?

Yeah, that should work. Or do as rsyccd suggested. Write a simple Android app using ChatGPT, which will have only one function: to get the certificate chain from the keystore and save it somewhere. getCertificateChain()

julio03451 commented 5 months ago

Although maybe such an app is already somewhere in the Play Store haha. I haven't checked

julio03451 commented 5 months ago

The most interesting thing is that when commercial bots raised their prices to $200/month, they argued that they needed some impressive computing power to solve the 420 error. And that now it is not just Python code, but something more complex haha. I wonder what else they are lying to us about.

MY20-PHEV commented 5 months ago

The most interesting thing is that when commercial bots raised their prices to $200/month, they argued that they needed some impressive computing power to solve the 420 error. And that now it is not just Python code, but something more complex haha. I wonder what else they are lying to us about.

I think it was the greedy signature providers that caused the price hikes.