Updating Root CA Certificates on a very old CITAQ H10 Android Device
A while ago I was helping out with netguy's CITAQ H10 research found here. I was able to figure out how to interface with the printer on it directly via the onboard internal serial port.
Recently however, I've been getting interested in creating some app for it and was checking if the web browser can still access modern websites. Much to my dismay, I discovered a significant hurdle: any websites utilizing Let's Encrypt SSL certificates were inaccessible.
This got me trying to figure out how to update the Root CA certificates on the device, with the hope of enabling seamless access to Let's Encrypt-secured websites. These are some of the steps I had to do to get it working again by updating the built-in root certificates to match the latest Google Android ca-certificates found in the latest Android builds for newer devices.
First start by enabling Android dev mode by tapping Settings > About tablet > Build Number multiple times. Then install a terminal emulator Android app and run the start adbd command to start the adb daemon server. Then use ifconfig to find the IP address that this device is using.
Once you have got the device accessible over the network via adb, open up a shell terminal on your side, then update DEVICE_IP to match the device's IP address. You can then go through the steps below to download the latest CA certs and load them onto the Android device before rebooting. Once done, you should be able to access Let's Encrypt protected websites.
# Pre Setup
DEVICE_IP=192.168.152.248
# Download the CA certificates archive
cd /tmp/
wget -O android-ca.tar.gz https://android.googlesource.com/platform/system/ca-certificates/+archive/refs/heads/main/files.tar.gz
# Create a temporary directory to extract the certificates
mkdir /tmp/cacerts
# Extract the CA certificates to the temporary directory
tar -xzvf android-ca.tar.gz -C /tmp/cacerts/
# Connect to the device
adb connect ${DEVICE_IP}:5555
# Enter root mode (wait at least X seconds for adbd to restart into root mode)
adb root
timeout 40 adb wait-for-any-device
# Push the temporary directory containing the certificates to the device's storage
adb shell mount -o rw,remount,rw /system
adb push /tmp/cacerts/ /system/etc/security/
adb shell mount -o ro,remount,ro /system
# Sanity Check
adb shell "grep -C 0 'ISRG Root X1' /system/etc/security/cacerts/*.0"
adb shell "grep -C 0 'ISRG Root X2' /system/etc/security/cacerts/*.0"
# Reboot
adb reboot
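Every file under /system/etc/security/cacerts is treated as a trusted root, and adb push adds or overwrites files without deleting any, so roots that were removed upstream stay trusted on the device after the steps above. The following is an added example, not part of the original post: it flags files in the extracted bundle that are not `<8 hex digits>.<n>` PEM certificates and lists device-side files missing from the new bundle. The listing path /tmp/device-cacerts.txt and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CA bundle before it is pushed.

# Print names in DIR that are NOT a well-formed trust anchor file:
# the name must be <8 hex digits>.<n> and the file must contain a PEM block.
unexpected_files() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if ! printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' ||
           ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$name"
        fi
    done
}

# Print names found in the device listing (one name per line) but absent
# from the new bundle in DIR: roots the device would keep trusting even
# though the upstream store no longer ships them.
stale_on_device() {
    listing=$1; dir=$2
    new=$(mktemp); old=$(mktemp)
    ls "$dir" | sort > "$new"
    # Older adb versions emit CRLF line endings; strip them before comparing.
    tr -d '\r' < "$listing" | grep -v '^$' | sort > "$old"
    comm -23 "$old" "$new"
    rm -f "$new" "$old"
}

# Typical use with the paths from the steps above, run before the push:
#   adb shell ls /system/etc/security/cacerts > /tmp/device-cacerts.txt
#   unexpected_files /tmp/cacerts
#   stale_on_device /tmp/device-cacerts.txt /tmp/cacerts
```

Anything printed by unexpected_files should be removed from /tmp/cacerts before pushing; anything printed by stale_on_device is a candidate for deletion from the device while /system is still mounted read-write.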