Need help with FBUnpinner?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

tsarpaul
187 Stars 44 Forks 42 Commits 6 Opened issues

Description

Bypass Facebook/Instagram Certificate Pinning for Android

Services available

!
?

Need anything else?

Contributors list

# 291,435
Python
faceboo...
certifi...
assembl...
19 commits
# 173,619
python3
rop
assembl...
pwnable
3 commits
# 517,062
Python
faceboo...
certifi...
1 commit
# 389,050
Shell
C++
C
fuzzing
1 commit

FBUnpinner

Works for Instagram & Facebook

SUPPORTS:
TLS1.3 & TLS1.2 for x86/ARM32/ARM64
Instagram x86 currently does not work, feel free to open a pull request :)


A script to automate removing certificate pinning defense from Facebook applications.

TESTED FOR THE FOLLOWING APPS: - com.facebook.katana (Facebook for Android) - com.facebook.orca (Messenger) - com.facebook.lasso (Lasso) - com.instagram.android (Instagram for Android)

How-to

[REQUIRES ROOT]
  • Note: for Instagram replace lib-xzs/libcoldstart.so with lib-zstd/libliger.so
  1. Make sure you have run the desired Facebook application atleast once - what happens is that the cert pinning library (libcoldstart.so) is unpacked from an archive embedded in the APK.

  2. Get root shell in your device:

    $(comp): adb shell
    $(phone): su
    
  3. Pull libcoldstart.so from your desired Facebook application:

​ Before version 255 path: /data/data/com.facebook.katana/lib-xzs/libcoldstart.so

#(phone): cp /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so /sdcard/libcoldstart.so
#(phone): exit
$(phone): exit
$(comp): adb pull /sdcard/libcoldstart.so FBUnpinner/
  1. Patch the file:

    $ python3 patch.py
    
    OR:
    $ python3 patch.py libliger.so libliger-patched.so
    
  2. Replace libcoldstart.so in the phone with the patched version: ``` $(comp): adb push libcoldstart-patched.so /sdcard/libcoldstart.so $(comp): adb shell $(phone): su

    (phone): cp /sdcard/libcoldstart.so /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so

    (phone): chmod 777 /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so

    
    
  3. (Optional) Setting up Burp to work with TLS 1.3 ("no cipher suites in common")

    /jdk-11.0.2.jdk/Contents/Home/bin/java -jar burpsuite_community.jar
    

TODO

A script to just patch an APK

Tested Emulators

Android Studio: Nexus6API_24 - Google APIs Intel Atom (x86)

Genymotion: Google Nexus 5X API 26 (x86)

Reference

https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/
https://plainsec.org/how-to-bypass-instagram-ssl-pinning-on-android-v78/

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.