Intercepting Windows Subsystem for Android (WSA) with HTTP Toolkit

[chasevis]

Unable to start http toolkit on windows subsystem for Android on windows 11 . Getting the following error

Anyway to resolve it?

[pimterry]

This probably means that WSA hasn't implemented Android's VPN APIs. That's annoying but not especially surprising (implementing an Android-only VPN subsystem within Windows sounds hard and not widely relevant, better to just skip it).

That is awkward, and it will break HTTP Toolkit's automatic interception, but you should still be able to intercept WSA by manually configuring it instead. You'll need to configure the proxy settings there and make it trust HTTP Toolkit's certificate. The settings you'll need are available in the 'Anything' interception option in HTTP Toolkit.

I've never actually tried WSA myself, so I don't know how to do that, but I'm sure there will be options somewhere. If you make any progress, or you hit any clear problems, can you share an update here? I'd be happy to help investigate further, or to write up the steps in the docs for others if you get this working.

[ethan-xd]

@pimterry would doing this lead to full trust and functionality of httptoolkit being able to see everything (that isnt pinned)?

[ethan-xd]

HTTP Toolkit Full System Trust WSA
Steps designed for Windows

Involves rooting WSA then installing a system certificate manually. You can skip steps you've already done in regards to rooting.

Note: You may not need to actually root WSA (I haven't tested it without root) but I reckon it's a good thing to have and it's not that hard.

You will need:

• HTTP Toolkit :^)
• No currently installed copy of WSA
• adb.exe from Android Platform Tools (https://developer.android.com/studio/releases/platform-tools)
• openssl.exe (found in C:\Program Files\Git\usr\bin\openssl.exe)
• A installed copy of Ubuntu WSL

You should add adb.exe and openssl.exe to your path to make this way easier. Otherwise, you'll need to use the full form of the path when executing it in folders.

---

1. Create directory C:\WSA.
2. Navigate to https://store.rg-adguard.net.
3. Search ProductID, 9P3395VX91NR, Retail (I don't know if this works on Fast yet (Android 12), you're welcome to try Fast but no promises). EDIT: Apparently Retail is now on Android 12 and apparently the kernel file replacement for rooting this guide does no longer works. You might have to look into another method.
4. Download the file named like MicrosoftCorporationII.WindowsSubsystemForAndroid...msixbundle at the bottom, to your C:\WSA folder.
5. Rename it to .zip and open it.
6. There will be 2 large MSIX files >500MB. Extract the one that's named after your architecture to C:\WSA.
7. Extract that MSIX file you just extracted as a folder in C:\WSA. It will be named something like "WsaPackage_2203.40000.3.0_x64_Release-Nightly". I will reference this folder as {msix-folder} for the rest of the guide.
8. Open C:\WSA\{msix-folder}.
9. Delete AppxBlockMap.xml, AppxSignature.p7x and [Content_Types].xml.
10. Delete AppxMetadata folder.
11. Navigate to https://github.com/WSA-Community/WSAGAScript/tree/main/misc.
12. There will be 2 kernel files. Download the one that matches your architecture to C:\WSA\{msix-folder}\Tools.
13. In that directory, rename the PRE-EXISTING "kernel" file to "kernel.old".
14. Rename the JUST DOWNLOADED "kernel-x86_64" OR "kernel-arm64" file to "kernel".
15. Go to Windows Search to find Developer Settings.
16. Enable Developer Mode in the Developer Settings.
17. Open Windows Powershell as Administrator and run Add-AppxPackage -Register C:\WSA\{msix-folder}\AppxManifest.xml.
18. Start Windows Subsystem for Android in your Start Menu.
19. Enable Developer mode on WSA Settings.
20. Open the Files app within WSA Settings to boot WSA.
21. When it has fully opened, go back to the WSA Settings and click Refresh next to IP address, then Copy. The IP address will be something like "172.31.245.207". I will reference the copied IP address as {ip-address}.
22. Open a Command Prompt Terminal.
23. Run adb connect {ip-address} (It may say failed to authenticate, just try again, it should say already connected).
24. Run adb shell.
25. Run su.
26. Run whoami. It should say "root". If it doesn't, something went wrong. You maybe missed a step or this has gone out of date.
27. Run exit twice.
28. Open HTTP Toolkit on Windows and click Android device via ADB. It will open the Android app, but say VPN setup failed. This is OK! Close it.
29. Go back to the terminal and run adb shell appops set tech.httptoolkit.android.v1 ACTIVATE_VPN allow.
30. Go back to HTTP Toolkit on Windows.
31. Click Anything, then click Export CA certificate and save it as C:\WSA\http-toolkit-ca-certificate.crt.
32. Fully close Windows Subsystem for Android by clicking Turn off in the WSA Settings window then close the settings window.
33. Go back to the terminal and run openssl x509 -inform PEM -subject_hash_old -in C:\WSA\http-toolkit-ca-certificate.crt| head -1.
34. Note down the series of numbers it returned. It will look something like "91511479". I will refer to this as {cert-hash} for the rest of the guide.
35. Run copy C:\WSA\http-toolkit-ca-certificate.crt C:\WSA\{cert-hash}.0.
36. Run copy C:\WSA\{msix-folder}\system.img C:\WSA\{msix-folder}\system.img.old. Remember that {msix-folder} refers to the folder name you made via extraction in step 7.
37. Open your WSL Ubuntu Terminal.
38. Run sudo mkdir /mnt/sysimg.
39. Run sudo mount -o loop /mnt/c/WSA/{msix-folder}/system.img /mnt/sysimg.
40. Run cd /mnt/sysimg/system/etc/security/cacerts.
41. Run sudo cp /mnt/c/WSA/{cert-hash}.0 {cert-hash}.0.
42. Run sudo chmod 644 {cert-hash}.0.
43. Run sudo chown root:root {cert-hash}.0.
44. Run cd /.
45. Run sudo umount /mnt/sysimg. You can close WSL now if you like.
46. Start Windows Subsystem for Android in your Start Menu.
47. Open the Files app within WSA Settings to boot WSA.
48. When it has fully opened, go back to the WSA Settings and click Refresh next to IP address, then Copy. The IP address will be something like "172.31.245.207". I will reference the copied IP address as {ip-address}.
49. Go back to your Command Prompt terminal.
50. Run adb kill-server.
51. Run adb connect {ip-address} (It may say failed to authenticate, just try again, it should say already connected).
52. Open HTTP Toolkit on Windows and click Android device via ADB. It should successfully start without complaining about VPN (if it does check step 29) and without complaining about not being allowed to install certificates. You can now sniff all HTTPS traffic on WSA with a fully trusted system certificate.

[pimterry]

Wow, amazing work @ethan-xd! Thanks so much for writing that all up, that's super useful 👍

[YuenSzeHong]

to conclude, you run adb shell appops set <tech.httptoolkit.android.v1> ACTIVATE_VPN allow on a rooted (maybe not) WSA instance before doing the intercept / connecting to VPN
replace content in <> for your VPN app

[blaconix]

@ethan-xd Hey, thanks a lot for the in-depth guide. I'm currently trying to get it to work on the latest Retail WSA, which is actually Android 12 (2204.40000.19). Currently, rooting doesn't work (as per WSA-Community/WSA-Linux-Kernel#7 and having tried it myself), but I still went on. The problem that I'm actually encountering is that the certificate doesn't actually work even after copying it to /cacerts and giving it perms. The only thing I could think of is that it won't have the SELinux context like the other certs u:object_r:system_security_cacerts_file:s0 but can't really imagine that as the reason (also can't assign a context in WSL unfortunately).

The only thing that I haven't tried yet is getting an older version of WSA, but will have to look into 3rd party sources.

[YuenSzeHong]

@ethan-xd Hey, thanks a lot for the in-depth guide. I'm currently trying to get it to work on the latest Retail WSA, which is actually Android 12 (2204.40000.19). Currently, rooting doesn't work (as per WSA-Community/WSA-Linux-Kernel#7 and having tried it myself), but I still went on. The problem that I'm actually encountering is that the certificate doesn't actually work even after copying it to /cacerts and giving it perms. The only thing I could think of is that it won't have the SELinux context like the other certs u:object_r:system_security_cacerts_file:s0 but can't really imagine that as the reason (also can't assign a context in WSL unfortunately).

The only thing that I haven't tried yet is getting an older version of WSA, but will have to look into 3rd party sources.

https://github.com/LSPosed/MagiskOnWSA

you can get a rooted instance here

[YuenSzeHong]

maybe it is a older version tho

[ethan-xd]

@blaconix Unfortunate to hear that the kernel file no longer works on Android 12. At the time I wrote it Retail was on 11.

You can look into MagiskOnWSA like what @YuenSzeHong said, but be careful: it broke my Windows 11 install by not loading WSA ever again no matter how much I uninstalled and reinstalled components of it. I had to reinstall Windows to fix it. LSPosed/MagiskOnWSA#396 for more info on my error.

Have you tried installing the certificate via the WSL mounting steps without rooting it? I'm not sure the whole process requires root, but I haven't tried it. Sorry I saw you did try that.

Also, @YuenSzeHong: I only just saw your previous message from 2 weeks ago, and the certificate auto-install on HTTP Toolkit didn't work for me even after I rooted. I had to install the certificate manually, because apparently the current versions of Android don't support installing the system certificates, but I could be wrong.

[YuenSzeHong]

to conclude, you run adb shell appops set <tech.httptoolkit.android.v1> ACTIVATE_VPN allow on a rooted (maybe not) WSA instance before doing the intercept / connecting to VPN
replace content in <> for your VPN app

if you mean that method, thas unfortunate, because that was working for me back then, and i did the same to my destop, also had rooted wsa installed

[blaconix]

adb shell appops set tech.httptoolkit.android.v1 ACTIVATE_VPN allow still works to set HTTPToolkit as a VPN, but I believe their cert injection script (https://github.com/httptoolkit/httptoolkit-server/blob/main/src/interceptors/android/adb-commands.ts#L208-L262) doesn't work on Android 12

That's where the manual setup comes in to mount /cacerts into WSL and add the certificate manually, however that still has no effect (here's me hoping I didn't do something stupid, but a ls -la on that folder shows HTTPToolkit's cert with correct perms). I think I'll just try and find an old WSA version somewhere on the internet before trying to root with https://github.com/LSPosed/MagiskOnWSA since bricking the whole WSA feels like a bad choice.

[pimterry]

I believe their cert injection script doesn't work on Android 12

That cert injection script (for system cert injection) does work on Android 12, everywhere I've tested (although I haven't tested WSL myself).

Those scripts require root access though. The error there that only occurs in cases where HTTP Toolkit can't detect the root access it expects to be able to run that script in the first place. In which case it falls back to installing user certificates, which is semi-automatic (a single prompt) in Android <11, and then mostly manual via those instructions in Android 12+.

Does that make sense? This means if you can set up WSL to give HTTP Toolkit root access, the system cert setup script should work automatically. It tests for root by running each of "su root whoami", "su -c whoami" and "adb root" + "whoami" via adb shells, and looking for the command that works and prints "root". I don't know how WSL handles all that though.

[blaconix]

Thanks for clarifying! I rooted with https://github.com/LSPosed/MagiskOnWSA, then just ran HTTPToolkit with ADB and everything works without additional setup.

PS: I had to disable Advanced Networking in WSA Settings for HTTPToolkit to work correctly.

[popiazaza]

Rooted WSA can now be found at https://github.com/LSPosed/MagiskOnWSALocal and I can confirm that it is working great out of the box.

PS. For non-root WSA, you may use Microsoft Launcher (or other launcher) to go to setting and manually install CA cert (enable User Trust), but that's all I can do.

[mikuhl-dev]

As the above reply says you can use MagiskOnWSALocal to install WSA with Magisk, you then can open Magisk and enable Superuser on shell, which will then allow HTTP Toolkit to install the certificate without warning you about Android 12.

[mahmozilla]

it worked for me by using https://github.com/MustardChef/WSABuilds to get wsa build with magisk already setup. then getting platform tools to use adb. I made sure to enable developer settings and bridge debugging in android settings. I connect adb then run adb shell appops set tech.httptoolkit.android.v1 ACTIVATE_VPN allow . then I go to httptoolkit desktop app and press start intercepting with adb and it worked for me.

[pimterry]

It seems that Microsoft are now officially killing WSA (https://www.osnews.com/story/138718/microsoft-kills-windows-subsystem-for-android/) and it will fully unsupported & unavailable for new users from March 2025. Given that, I don't think it's worth adding extra support for this, so I'm going to close this issue.

If you do want to use HTTP Toolkit with WSA regardless, see the instructions above for the best workaround in the meantime.