'Coon Cave

Finally! Got past the login CAPTCHA - on Linux, this time

Yeah, I know, no blog updates in two months. Sorry about that, but there wasn't really anything to write about.

Ha! Success. Got past the CAPTCHA prompt

Good news is, I managed to log into my test account. Bad news are, it doesn't work on a PC (yet). But by trying to lock non-droids out, Google might have told us more about the login internals than intended.

Bypassing phone verification for Google accounts.

For your security, Google wants to make sure that it's really you. Google will send a text message with a 6-digit verification code. Standard bullshit applies.

This whole CAPTCHA nonsense might, of course, be (in part) IP address related. At least there’s https://accounts.google.com/DisplayUnlockCaptcha. Not sure how that is actually suppose to work, no useful documentation on it either (surprise!). Anyway, I decided to work on proxy support in the setup wizard.

HTTP(S) is fairly unproblematic. Just a ton of boilerplate code, but you can easily switch between proxy hosts on a per request basis (e.g. if you want to bypass geo blocking). What’s giving me headaches is SOCKS5 (Tor, SSH tunnel). For this one you basically have to reboot the entire network code when switching hosts (killing transfers). I guess, I’ll postpone that for now, though SSH tunneling could be real handy.

I’m not sure if the HTTP User-Agent header matters for the login service (it does matter for market service), in case it makes a difference, here’s how to come up with one:

  APPNAME/VERSION (DEVICE ID)

Use either “GoogleLoginService” (earlier Android versions) or “GoogleAuth” (later Android versions) as APPNAME. I don’t know exactly when it got renamed, but it must have happened after SDK 16 and before SDK 19. VERSION may be “1.2” or “1.3” for “GoogleLoginService” and “1.4” for “GoogleAuth”.

DEVICE and ID are ro.product.device and ro.build.id from your 📁 /system/build.prop file.

Just a quick one for everybody wanting to have a go at the CAPTCHA problem, but lacks Java skills:

The whole login process is actually just good ol’ HTTP. So, if you know how to operate curl, you are good to go. You’ll also need this commandline tool (source code included in the jar) to generate encrypted passwords.

Progress report: Adding CAPTCHA Support to the Setup Wizard

Why the hell is it taking so long?!

Gnarg! I had android.clients.google.com hardcoded in my 📁 /etc/hosts file the whole time! No idea why. Best case scenario: it didn’t matter at all. Worst case scenario: it raised alerts on my test accounts and/or IP address. Stupid problem: no way of finding out which.

This calls half of last weeks work into question.

In other news: I got an email about a CAPTCHA affected Raccoon instance recovering automatically. Appears as if you can sit this out. Not that you’d want to or that this is practible a solution.

Time for a progress report:

• As mentioned in my last post, I lost considerable time due to a parser bug. This put me behind schedule.
• I have the framework of the new setup wizard largely ready. The CAPTCHA support makes it an obnoxious beast with a rather complicated state transition diagram. Once it is fully functional, there will be some major work integrating it into Raccoon (I’m developing it seperately from Raccoon since firing up the database for every testrun and clicking through the menu for each test run would take too much time).
• Getting the CAPTCHA image and sending it back works. But I still seem to be missing a piece as I only get another CAPTCHA request.
• I absolutely hate CAPTCHAs!!! Especially the ones Google throws at you where “i”, “r”, “n”, “m” and “l” blend so perfectly into each other that you can’t really tell them apart. I have to solve each CAPTCHA at least twice to be reasonably sure that I’m not getting a new CAPTCHA bescause I mistyped. That’s costing a tremendous amount of time.

Update on the Captcha problem: It looks like this is not actually a captcha issue at all. Just the error code for it. The image you are suppose to solve contains a message instead.