# Note to self

Wednesday, October 28, 2020

A test account just produced a HTTP 404 - Unauthorized while requesting an apk download from Google Play. Turns out, its session cookie had expired. The session in question was created May 30 01:15 (I need to stop pulling these all- nighters) and lasted till today(ish - pretty sure, it was in use yesterday). So, the session TTL for Google accounts seems to be around 150 days.

Not sure if there’s a renewal mechanism, other than running through the login process again (highly doubt it, though). Android users typically won’t notice when their session expires. The system’s account manager just automatically logs in again.

Sunday, October 4, 2020

HOWTO: Hacker's Garlic Dip

Because cold pizza and hot coffee only gets you so far…

Saturday, October 3, 2020

How to bypass age restrictions on YouTube

Please sign in to confirm your age - No thanks.

Tuesday, June 30, 2020

Aww shit! Following up on yesterdays post, there are actually quite a number of optional URL parameters that can be specified when making a HTTP request to the FDFE API. So far, I found:

  • ipCountryOverride
  • mccmncOverride
  • skipCache
  • showStagingData
  • p13n

Their values are configured globally in the playstore app. When set, they are appended to the URL in the order above on every HTTP GET or POST request to the DFE API. The later three take a true or false as a value. Not sure what they are suppose to do, though.

I should probably add support for adding arbitrary URL parameters in the coon-mothership library.

Monday, June 29, 2020

The (F)DFE API supports an URL parameter called “ipCountryOverride”. It can be enabled in a “secret” developer dialog. I always suspected that this is somehow used by Google engineers when they need to bypass geo blocking, but I could never figure out what to pass as a value. Booleans as well as locales don’t work and obviously, you cannot use an IP address to represent a country. What’s even more curious is that dialog loads data from a CSV file (which, of course, isn’t publicly available)!

You connect to a host called android.clients.google.com, when talking to the Playstore. That’s actually a DNS CNAME and can resolve to a number of different IP addresses. The Playstore is not a single/central server system! Google likely runs a separate instance of it in a local datacenter in every country in the world.

So, maybe the value for the ipCountryOvveride parameter is the IP address of the (country) instance behind the load balancer then?

Tuesday, June 9, 2020

A bit of research on the GSF ID and the elusive DF-DFERH-01 error

Huh, just discovered a couple of things about the GSF ID.

Tuesday, April 14, 2020

Ross Anderson explaining why contact tracing apps are bullshit.

Actually, I wonder why we are still discussing this. Contact tracing/tracking is something you do before it becomes an epidemic. We are way past that point.

Friday, April 3, 2020

Direct download links for the latest version of the Android platform tools (adb, fastboot, sqlite3):

Saturday, February 29, 2020

Never use SVG graphics, containing text objects, on websites. They look fine on your computer, scale great and break horribly if a visitor doesn’t have the right font installed. Stupid Patrick, really stupid!

Solution: always transform object to path.

Sunday, October 27, 2019