In this post, we are going to:
- Root BlueStacks 10
- Make BlueStacks 10 root file system writable
- Install our Proxy's Root Certificate to Trusted Root Certificates
- By using ADB, we will set global HTTP proxy (and set port forwarding)
Required Tools:
- adb (https://developer.android.com/tools/releases/platform-tools)
- openssl (https://wiki.openssl.org/index.php/Binaries)
Note: By Default BlueStack's Data directory is located at %PROGRAMDATA%\BlueStacks_nxt\
In my installation, it's located at: C:\ProgramData\BlueStacks_nxt\
Root BlueStacks 10
- Go to BlueStack's Data directory and open bluestacks.conf file with a Text Editor. (C:\ProgramData\BlueStacks_nxt\bluestacks.conf)
- Find the keys using the keywords "rooting" and "enable_root_access" and change their value to "1"
In my case, I had to change the value of "bst.feature.rooting" and "bst.instance.Pie64.enable_root_access" to "1"
That's all. Your BlueStacks is now Rooted!
Make BlueStacks 10 root file system writable
Step 1 (Mount Disk as Writable in the HCS/VirtualBox configuration file):
BlueStacks uses different VM Configuration files based on your system settings. If you have HyperV enabled then it is Windows Host Compute System (HCS) otherwise it is VirtualBox Configuration File.
Note: You need to close the BlueStacks App Player before changing these files.
If HyperV is enabled:
You need to edit the Windows Host Compute Service(HCS) Configuration file if HyperV is enabled on your Windows. Configuration file is located at: <Bluestacks-Data-Directory>\Engine\<OS-and-Architecture>\HypervVM.json
I was using Android Pie 64bit Version Therefore file is located at: C:\ProgramData\BlueStacks_nxt\Engine\Pie64\HypervVm.json
It's a JSON file, so you can edit it with any Text Editor. Open that file and search for the string "Root.vhd". You will find the place where it is configured to mount as Read-Only Disk. Remove the line "ReadOnly": true entirely.
You need to edit the VirtualBox Configuration file if HyperV is disabled on your Windows. Configuration files are located at these locations. Please edit all(Different versions use different files. So edit them all).
- <Bluestacks-Data-Directory>\Engine\<OS-and-Architecture>\Android.bstk.in
- <Bluestacks-Data-Directory>\Engine\<OS-and-Architecture>\<OS-and-Architecture>.bstk
- <Bluestacks-Data-Directory>\Engine\<OS-and-Architecture>\<OS-and-Architecture>.bstk-prev
I was using Android Pie 64bit Version Therefore I had to edit these files:
- C:\ProgramData\BlueStacks_nxt\Engine\Pie64\Android.bstk.in
- C:\ProgramData\BlueStacks_nxt\Engine\Pie64\Pie64.bstk
- C:\ProgramData\BlueStacks_nxt\Engine\Pie64\Pie64.bstk-prev
Those are XML files, so you can edit them with any Text Editor. Open those files and search for the string "Root.vhd". You will find the place where it is configured to mount as Read-Only Disk. Change type="Readonly" to type="Normal" like below in all those three files.
Step 2 (Mount file system as Writable):
- Open BlueStacks App Player.
- Turn on ADB on BlueStacks App Player:
Click on Hamburger Icon >>> Settings >>> Advanced >>> Then enable Android Debug Bridge (ADB) as shown below. (Please note that the port will be changed if you restart the App Player, we will discuss keeping the same port in another post.) - Then click on Save Changes.
- Hereafter I will provide the sample commands using the IP and Port as shown in the above picture(127.0.0.1:49959) Assuming you have already installed Android SDK on your Windows PC and added binary path to the Environment Variable.
- Open the command prompt and connect to the App Player using the below command:
adb connect 127.0.0.1:49959 - Once connected you will get an output saying "connected to 127.0.0.1:49959"
- Then you can open a shell using the below command:
adb -s 127.0.0.1:49959 shell
(Argument -s 127.0.0.1:49959 is optional if you are connected to this device only) - Then you will be logged into the system using the "shell" user. You can confirm by using the "whoami" command
- Use "su" command to switch the user to "root"
- There are two paths mounted as read-only, which must be changed to writable in order for us to work without any limitations. Use the below commands to remount it as read-write file system.
- Root file system:
mount -o remount,rw rootfs / - /system file system(System files are Symlinked to the files in this disk)
mount -o remount,rw /dev/sda1 /system
Note: The default disk name is /dev/sda1 however, it may change. If you get any error, then execute df -h command to check the mounted file system.
Here is my output:
You need to look at the Disk name(Filesystem) of the mounted path /boot/android .# df -h Filesystem Size Used Avail Use% Mounted on rootfs 1.9G 7.1M 1.9G 1% / /dev/sda1 7.7G 1.5G 6.1G 21% /boot/android /dev/sdb1 126G 3.0G 123G 3% /data tmpfs 1.9G 332K 1.9G 1% /dev tmpfs 1.9G 0 1.9G 0% /mnt none 1.9G 0 1.9G 0% /cache Documents 476G 338G 138G 72% /mnt/windows/Documents Pictures 476G 338G 138G 72% /mnt/windows/Pictures BstSharedFolder 476G 338G 138G 72% /mnt/windows/BstSharedFolder /dev/fuse 126G 3.0G 123G 3% /mnt/runtime/default/emulated /dev/fuse 126G 3.0G 123G 3% /mnt/runtime/read/emulated /dev/fuse 126G 3.0G 123G 3% /mnt/runtime/write/emulated
In my case it is /dev/sda1 That's why I have used /dev/sda1 in the above command. - If you didn't get any output, then that means, the command was executed Successfully(You can use mount command to confirm it). Please note that you need to perform these steps again if you restart the App Player(Only needed if you are going to make changes to the root file system - Currently we are going to install our CA Cert). If you don't want to do it again for each restart, then you need to edit the auto-mount options(It's not discussed in this post).
Install our Proxy's Root certificate to Trusted Root Certificates
To to install the Root Certificate, make sure you have completed the above step. Otherwise, you will get Permission-denied errors.
- Export the CA Certificate of your Proxy.
- Charles Proxy: Help >>> SSL Proxying >>> Save Charles Root Certificate
- Burp Suite: Burp >>> Settings >>> Tools >>> Proxy >>> Click on "import / export CA certificate" >>> Then export the Certificate in DER Format.
- For other proxies: Refer to their documentation
If your Certificate is in any other format other than PEM, Then you need to convert it to PEM format.
This is how you can convert DER to PEM.
openssl x509 -in <input-filename>.der -out <output-filename>.pem
Once converted to PEM, it's time to generate the file name of the Certificate. File names are in the format of old-style (MD5) subject hash value because of compatibility reasons even in newer versions of Android. This is how you can generate it.
openssl x509 -in <certificate>.pem -subject_hash_old -noout
It would print the old-style (MD5) subject hash value of that PEM Certificate. Rename your PEM Certificate with that value and save it with the extension 0. Ex: 8fe70201.0
Now you need to place the certificate file in the following location:
/etc/security/cacerts
You can use Vim editor to create a new file or you can push it using adb. Now we are going to use adb. You can't push it to the above directory under default configurations. Because it requires root privileges. Therefore, let's push it to /data/local/tmp directory and then move it to the above directory using the shell.
Command to push it to /data/local/tmp directory:
adb -s 127.0.0.1:49959 push ./8fe70201.0 /data/local/tmp
Then you need to use adb shell and then become root user(using su command), and then move the file to the /etc/security/cacerts directory. Once done, change the owner and group of the file to the system using the following command:
chown system:system /etc/security/cacerts/8fe70201.0
Here is my full command prompt output for the above commands:
C:\certs>dir
Volume in drive C has no label.
Volume Serial Number is AAAA-AAAA
Directory of C:\certs
10/23/2023 09:57 PM <DIR> .
10/23/2023 09:57 PM <DIR> ..
10/23/2023 08:25 PM 1,880 charles.pem
1 File(s) 1,880 bytes
2 Dir(s) 145,179,971,584 bytes free
C:\certs>
C:\certs>openssl x509 -in charles.pem -subject_hash_old -noout
8fe70201
C:\certs>rename charles.pem 8fe70201.0
C:\certs>dir
Volume in drive C has no label.
Volume Serial Number is AAAA-AAAA
Directory of C:\certs
10/23/2023 10:18 PM <DIR> .
10/23/2023 10:18 PM <DIR> ..
10/23/2023 08:25 PM 1,880 8fe70201.0
1 File(s) 1,880 bytes
2 Dir(s) 145,179,250,688 bytes free
C:\certs>
C:\certs>adb -s 127.0.0.1:49959 push ./8fe70201.0 /data/local/tmp
./8fe70201.0: 1 file pushed, 0 skipped. 3.5 MB/s (1880 bytes in 0.001s)
C:\certs>adb -s 127.0.0.1:49959 shell
p3s:/ $
p3s:/ $ whoami
shell
p3s:/ $ su
p3s:/ #
p3s:/ # whoami
root
p3s:/ # mv /data/local/tmp/8fe70201.0 /etc/security/cacerts/
p3s:/ # ls -alh /etc/security/cacerts/8fe70201.0
-rw-rw-rw- 1 shell shell 1.8K 2023-10-23 23:03 /etc/security/cacerts/8fe70201.0
p3s:/ #
p3s:/ # chown system:system /etc/security/cacerts/8fe70201.0
p3s:/ #
p3s:/ # ls -alh /etc/security/cacerts/8fe70201.0
-rw-rw-rw- 1 system system 1.8K 2023-10-23 23:04 /etc/security/cacerts/8fe70201.0
p3s:/ #
Now we have installed our Proxy's CA Certificate into the Android System as a Trusted Root Certificate.
Setting Global Proxy on Android
To set up a proxy, we are going to use adb. Alternatively, you can use any Android App (Such as ProxyDroid)
For the purpose of this tutorial, we are going to assume that our proxy is listening on port 8888.
By default, we can't access the services on the host machine from the BlueStacks. Therefore, we need to use port forwarding.
Note: As I mentioned above, parameter -s 127.0.0.1:49959 is used, since I have a couple of ADB running. Therefore, I had to specify the BlueStacks adb port explicitly. Don't get confused by the HTTP Proxy IP/Port in the following examples.
Set Global HTTP Proxy:
adb -s 127.0.0.1:49959 shell settings put global http_proxy 127.0.0.1:8080
You can't replace 127.0.0.1:8080 with the IP of your Host Machine, because it won't connect to your host machine under default settings. That's why we need to use port forwarding. Since we are going to use port forwarding, we can use any port. I have used 8080. You can use 8888 too. I have used port 8080 to make it less confusing when explaining the parameters in the next step.
Port Forwarding:
adb -s 127.0.0.1:49959 reverse tcp:8080 tcp:8888
Any connections to BlueStack's local TCP port 8080 will be forwarded to the Host TCP port 8888. We need to use Host port 8888 because our proxy is listening on the port 8888. We need to use port 8080 because in the above step, we set port 8080 for the Proxy.
Tip: If you are unsure about the order of ports, then you can use the same port as the proxy port to avoid confusion.
Other Useful commands:
Remove Global HTTP Proxy: adb -s 127.0.0.1:64045 shell settings put global http_proxy :0
List all port forwarding: adb -s 127.0.0.1:49959 reverse --list
Remove port forwarding set for the (BlueStacks) local port 8080: adb -s 127.0.0.1:64045 reverse --remove tcp:8080
Remove all port forwarding: adb -s 127.0.0.1:49959 reverse --remove-all
That's all for this tutorial. If you run into any issues, feel free to leave a comment. Your feedbacks are appreciated!
11 Comments
Change blog background vro
ReplyDeleteவெப்சைட்டில் உள்ள பின்னோக்கி படத்தை மாற்றலாமே நண்பா?
ReplyDeleteநன்றி! தற்போது அந்த எண்ணம் இல்லை :v
DeleteHey men, great tutorial but I can't find the \HypervVm.json file, is any other way to change that permission? thx
ReplyDeleteI find alternative file
Deletecheck "Android.bstk.in"
https://github.com/RobThePCGuy/Root-Bluestacks-with-Kitsune-Mask
Deletehere is information
Hey,
DeleteSorry for the delay. For some reasons, not getting comment notifications from blogger. As previous person mentioned you could edit "Android.bstk.in" VirtualBox configuration file. I will update the post soon with this info.
1|p3s:/ # mount -o remount,rw /dev/sda1 /system
ReplyDeletemount: '/dev/sda1'->'/system': I/O error
I already removed the readonly in Android.bstk.in
but still unable to remount.
please advice.
Hi,
DeleteYou need to edit the correct files according to your system configuration. I have updated this article. Please read it again. In short, If HyperV is enabled edit HypervVM.json file otherwise edit the files Android.bstk.in, Pie64.bstk and Pie64.bstk-prev.
The Google Chrome browser in BlueStacks does NOT trust Public keys signed by PortSwigger even though I have installed Burp Proxy certificates in the system as you have shown
ReplyDeleteHi Adithya,
DeleteUnfortunately Recent versions of Chrome for Android no longer accept custom root CA certificates because Chrome now checks certificates additionally using the Certificate Transparency system.
https://android.stackexchange.com/a/240913/252193