GUIDE: How to avoid the Captive Portal Checkin to Google

Search This thread

ZXR

Senior Member
Jan 25, 2007
142
30
Samsung Galaxy Note 10+
Last edited:

dhacke

Senior Member
Nov 4, 2018
737
312
I use the Shell Terminal Emulator (MobilDev), root request comes up after "su" and can be accepted.
The "pm disable com.android.captiveportallogin" is answered by "Security exception: Attemp to change component state..." and several pids and uids
The settings put global captive_portal_detection_enabled 0 is answered by "Security exception: You either need MANAGE_USERS or CREATE_USERS permission to: query user at..." and now several services listed.
... and so on.
]

Well to be honest i never heard or saw the notification which you report. Plus it is strange that the shell terminal emulator from MobilDev accepts the root but the linked terminal Emulator app not.
By me the su command works with the linked app.

Mayby it has something to do with the customization which Samung does to vanilla android or the Knox blocks the commands somehow.
Sadly i don't have any samsung device to check your mentioned behavior on my side. I prefer sony and Custom Roms in general.
Mayby some other user with a samsung phone and stock Pie can test it, too. If the same problems comes up the stock is most likely the reason.


So values accepted via ADB are not accepted via terminal?

I would say that depends on what commands the values will be used (but that is just a assumption).
 
Last edited:

ZXR

Senior Member
Jan 25, 2007
142
30
Samsung Galaxy Note 10+
]
Well to be honest i never heard or saw the notification which you report. Plus it is strange that the shell terminal emulator from MobilDev accepts the root but the linked terminal Emulator app not.
Hi, I updated my post half an hour later to make the story eaysier. I had a silly issue with the keyboard...
And then you answered too fast. ;)
Now the emulator you mentioned works.
Root works with it, "pm disable..." is answered with "disabled", for the three "settings put..." I get no answer, just a new line.
Restart and C-P-check is still active.
 

dhacke

Senior Member
Nov 4, 2018
737
312
Hi, I updated my post half an hour later to make the story eaysier. I had a silly issue with the keyboard... You answered too fast. ;)
Now the emulator you mentioned works.
Root works with it, "pm disable..." is answered with "disabled", for the three "settings put..." I get no answer, just a new line.

That's exactly the behavior which i expected and have when i execute the commands.
Only the 'pm disable...' give a answer. All other commands just gets executed silently. So atm it sounds good to me.
Did you execute the 'su' twice? That's important, too.
 

L4rg0

New member
Dec 1, 2019
1
0
I know posts like "I have the same problem" aren´t helpfull, but I have the same problem like ZXR describes it. I have tried it on my old and now on my new phone, both run on Lineage 16. "settings get..." commands spit out the right values, but still the x on my Wifi symbol appears. Is it possible, that my AFWall+ settings are wrong?

edit: found a comment at the Kuketzblog side which suggests to first set the SELinux to permissive:
su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

This does not seem to work for me just thought it might be interesting. Please note I am not sure if this is recommendable.
 
Last edited:

dhacke

Senior Member
Nov 4, 2018
737
312
I know posts like "I have the same problem" aren´t helpfull, but I have the same problem like ZXR describes it. I have tried it on my old and now on my new phone, both run on Lineage 16. "settings get..." commands spit out the right values, but still the x on my Wifi symbol appears. Is it possible, that my AFWall+ settings are wrong?

Yes it's possible. Mayby you blocked some needed system Apps or have custom scripts in AfWall+.

I would suggest that you deactivate AfWall+ once and check again. If the x disappears it has something to do with AfWall+.

And you need to allow the app "(Root) Apps with Admin-Rights" internet access if AfWall+ is on. Otherwise the x will stay independent of the captive portal checkin state.
 
Last edited:

dhacke

Senior Member
Nov 4, 2018
737
312
edit: found a comment at the Kuketzblog side which suggests to first set the SELinux to permissive:
su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

This does not seem to work for me just thought it might be interesting. Please note I am not sure if this is recommendable.

Hm i never need change SeLinux to permissive. My phones always runs on enforcing.
But mayby you need to do it on your lineage version. If yes probably all commands must be typed in permissive state not only the one which you mentioned in that post.
 
Last edited:

gadgetguy08

Senior Member
Apr 2, 2008
330
110
1. What is the Captive Portal Checkin?

Every time your android phone connects to the internet via mobile connection or wlan it sends a request to the following url:
http://connectivitycheck.gstatic.com (Google URL).

For anyone (like me) who incorrectly thought that having Captive Portal Login blocked by the firewall was enough to prevent this from connecting to G**gle, note that the initial request doesn't get blocked. (Discovered this with a tcpdump capture on the router).

Thanks for sharing this.
 
  • Like
Reactions: dhacke

hellkaim

Member
Apr 27, 2014
40
7
note that the initial request doesn't get blocked. (Discovered this with a tcpdump capture on the router.

Are you sure that:
1. You changed all the values for captive portal (http/https/altenative etc.)?
2. Your AfWall+ has being configured to prevent "boot leak"?

I have Android 9 and for my device I have had no leaking (all requests goes to my URL).

Also AfWall+ in my case is able to allow only a banch of services (10 or so) in order for the NetworkLocation (and this is what causes the x-symbol to appear) to have network access. Also enabling "Apps with root access" is not a good idea. May be there is some manual way to tweak AfWall+ rulles to enable only certan IP addresses for the selected application?

Another question I have for @dhacke
Can we add this to build.prop in order to set it up permanenty and not just till the next reboot. I imagine we can use some boot script but it seems to be out of Android way of doing things...
 

dhacke

Senior Member
Nov 4, 2018
737
312
Are you sure that:
1. You changed all the values for captive portal (http/https/altenative etc.)?
2. Your AfWall+ has being configured to prevent "boot leak"?

I have Android 9 and for my device I have had no leaking (all requests goes to my URL).

Also AfWall+ in my case is able to allow only a banch of services (10 or so) in order for the NetworkLocation (and this is what causes the x-symbol to appear) to have network access. Also enabling "Apps with root access" is not a good idea. May be there is some manual way to tweak AfWall+ rulles to enable only certan IP addresses for the selected application?

Another question I have for @dhacke
Can we add this to build.prop in order to set it up permanenty and not just till the next reboot. I imagine we can use some boot script but it seems to be out of Android way of doing things...

Idk. i don't have experiences about the tweaking possibilty from build.prop
Sry.
 

shrek42

Member
Feb 28, 2017
14
3
Does anyone know why on LAOS 17.1 (Android 10) some DNS requests (namely those for "www.google.com" and "connectivitycheck.gstatic.com" presumably triggered by the captive portal test) can not be entirely blocked by corresponding "127.0.0.1" DNS entries in "/system/etc/hosts" (with "Private DNS" either turned "Off" or left on "Automatic")?

Details:

In previous LineageOS versions (at least 14 and 15) entries like "dns-name-to-block 127.0.0.1" in file "/system/etc/hosts" did work very well to *entirely* silence the device (except DHCP with the gateway when connecting to a Wi-Fi).

But in current LIneageOS version 17.1 (20200727) this seems not to be reliable anymore. With help of the "hosts" file I can block most, but not all connections respectively DNS requests. Each time when I switch on Wi-Fi (at least every 10 minutes after DNS cache timeout) I see DNS requests for "www.google.com" and "connectivitycheck.gstatic.com" leaving the device, even though both DNS names are blocked by "127.0.0.1" entries in "/system/etc/hosts". My gateway router then answers these DNS requests.

Obviously I can block these DNS requests by telling the DNS server "dnsmasq" on my gateway router, e.g. via option "--addn-hosts=/etc/hosts.dnsmasq", to answer all these requests with "127.0.0.1". In a short test this worked perfectly well. Nevertheless my intention is to make the device itself silent without external help, ideally only with help of "/system/etc/hosts".

Switching private DNS ("Settings -> Network & internet -> Private DNS") to "Off" (the default is "Automatic") - and rebooting the device - seems to be without effect on these two DNS requests.

After setting the global variables "captive_portal_*" as suggested in posts #1 and #2 (using "127.0.0.1" instead of "captiveportal.kuketz.de") the DNS requests to "www.google.com" and "connectivitycheck.gstatic.com" do NOT appear anymore. Thus this seems to prove that these two DNS requests are not related to some "DNS availability test", but indeed are related to the "/gen_204" requests of the "captive portal internet availability test".

Unfortunately I was not able to find evidence in the Android sources - probably looking at the wrong places - for the reason why those two DNS requests leave the device and thus ignore "/system/etc/hosts".

All other DNS entries in "/system/etc/hosts" do work well (no DNS requests or connection attempts leave the device). Furthermore when opening "www.google.com" via web browser, there is a "connection refused" message. Thus the "www.google.com" entry in "/system/etc/hosts" indeed *IS* effective, but seems to be ignored by the captive portal test.

BTW: IPv6 is not the cause of the problem since the router allows IPv4 only. Anyway the "hosts" file includes entries with "127.0.0.1" as well as "::1".

Any ideas why those two DNS requests leave the device? Any idea how to restore full functionality of "/system/etc/hosts"? Many thanks.
 
Last edited:

hellkaim

Member
Apr 27, 2014
40
7
Idk. i don't have experiences about the tweaking possibilty from build.prop
Sry.

I still do not know reg build.prop but I do know that settings are persistent across reboots. So it nails down to a post flash first run script :)

Also it is worth mention that disabling captive portal without URL change works fine also on my Android 9.

---------- Post added at 07:52 PM ---------- Previous post was at 07:44 PM ----------

Idk. i don't have experiences about the tweaking possibilty from build.prop
Sry.

Does anyone know why on LAOS 17.1 (Android 10) some DNS requests (namely those for "www.google.com" and "connectivitycheck.gstatic.com" presumably triggered by the captive portal test) can not be entirely blocked by corresponding "127.0.0.1" DNS entries in "/system/etc/hosts" (with "Private DNS" either turned "Off" or left on "Automatic")?
.

I think it's better to ask in Lineage OS thread. From my IMHO Lineage could change the way DNS quires areexecuted or Captive Portal apk has it's own way to issue a request and ignores hosts now.
 
Last edited:

Blechpirat

Member
Jun 26, 2018
33
2
Hamburg
I need some help, please!

I turned of the captiveportal check off. Based on kuketz blog (https://www.kuketz-blog.de/afwall-digitaler-tuervorsteher-take-back-control-teil4/) I used this in a local terminal with root:

Code:
su

su

pm disable com.android.captiveportallogin


settings put global captive_portal_detection_enabled 0

settings put global captive_portal_server localhost

settings put global captive_portal_mode 0


reboot

But I can't get the Wifi in the public transport running, because I can't call their portal site, even tho I know their url.

How do I turn portalcheck back on?
 

brzlian.developer

New member
Jun 28, 2016
4
2
I need some help, please!

I turned of the captiveportal check off. Based on kuketz blog (https://www.kuketz-blog.de/afwall-digitaler-tuervorsteher-take-back-control-teil4/) I used this in a local terminal with root:

Code:
su

su

pm disable com.android.captiveportallogin


settings put global captive_portal_detection_enabled 0

settings put global captive_portal_server localhost

settings put global captive_portal_mode 0


reboot

But I can't get the Wifi in the public transport running, because I can't call their portal site, even tho I know their url.

How do I turn portalcheck back on?

the easier and faster way: set a custom script on afwall returning the values "0" to "1", and set http://clients3.google.com to your server. Apply the rules and after that disable afwall evwrytime you must connect to this public network. After connecting and authenticating you can reenable Afwall.
 
  • Like
Reactions: Blechpirat
For Android 8/9:
1. Open a terminal on your phone (via terminal apps).

2. Type the following command:
- su
- su
- pm disable com.android.captiveportallogin
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global captive_portal_mode 0

3. Then reboot your phone (via hardware buttons, system or terminal app).
Just a heads up, tried this on Android 10 on my S20FE (G781B) and it just caused a bootloop.

And because TWRP for this model (as I just discovered) can't restore from the local SD card (has no access to external SD atm) Im kinda f****d, have to start from scratch with a vanilla rom odin flash - deep joy.
 
Last edited:
  • Like
Reactions: Blechpirat

xandriksson

New member
Jan 31, 2021
1
1
How do I turn portalcheck back on?

I have struggled with the same problem.

With the hints given in this question about the Captive Portal parameters and the link therein to the parameters in the source code, the following worked for me on a Fairphone 3 with Lineage 17.1 :

Bash:
su
su
pm enable com.android.captiveportallogin # instead of "pm disable"

settings put global captive_portal_detection_enabled 1 # instead of "0"

# captive_portal_server seems not to be relevant for Android >= 7.0, not sure what to value to set this to if I had to:
#     settings put global captive_portal_server localhost

# mode "1" is the default and means according to the source:
# > When detecting a captive portal, display a notification that prompts the user to sign in.
settings put global captive_portal_mode 1 # instead of "0"

reboot

I am not sure yet how this is going to behave on public WiFis but I think that with this I have the Captive Portal service up and running again.
 
  • Like
Reactions: Blechpirat

Blechpirat

Member
Jun 26, 2018
33
2
Hamburg
Thank you guys.

I tricked myself by not only turning captiveportal off, but also forcing dns over tls. So the dns server of the local system was never able to show me the login page, because of course that page has not dns entry outside its own net.

So I had to turn off DoT off and then use your advice. Took me a while...
 

optimumpro

Senior Member
Jan 18, 2013
7,335
14,705
OnePlus 8
The command 'captive_portal_detection_enabled' has been deprecated since Android 10. The current working command is 'captive_portal_mode_ignore'.

That's the relevant code:
Code:
        /**
         * Setting to turn off captive portal detection. Feature is enabled by
         * default and the setting needs to be set to 0 to disable it.
         *
         * @deprecated use CAPTIVE_PORTAL_MODE_IGNORE to disable captive portal detection
         * @hide
         */
 

Top Liked Posts

  • There are no posts matching your filters.
  • 8
    Dear XDA community,

    this my first own thread and guide so please be forbear with me:)
    And i hope i choose the right section:)
    As the topic in the thread says it handles about the Captive Portal Checkin done by Android.
    So first some general info about this.

    1. What is the Captive Portal Checkin?

    Every time your android phone connects to the internet via mobile connection or wlan it sends a request to the following url:
    http://connectivitycheck.gstatic.com (Google URL).

    After that your gets device gets http 204 answer from the mentioned url and at that point the x-symbol at your network icon in the status bar disappears.
    The reason for that behavior is that Android wants to be sure that your connection has internet access.
    If you block that request via AfWall for example the dns fails in some cases and you can't go into the Internet.
    Silly.

    2. Why is this problematic?

    That's a good question because this answer from Google doesn't much hold data. But every time when this connection is done Google get the following information:
    - IP-adress
    - Time of the internet access
    - the Browser which you use

    In my case i use custom roms and no Gapps to avoid Google as much as i can. So i don't want that "ping" to Google.
    That's the reason why i searched for possibilitys to get rid of this ping. And thanks to a german security and privacy specalist i found a possibilty to avoid the ping to Google and have working Internet, too.

    3. What did that guy do?

    Very simple. He just started his own Captive Portal Checkin Service. So no need for Google anymore:)


    WHAT YOU NEED:
    - Computer with installed ADB
    - Active USB Debugging at your phone
    - At least Android 7

    TESTED ON:

    I tested his instructions on my old Xperia Z3 phone (CarbonROM 7.0 based on Android 9, Custom Rom).

    IMPORTANT:
    You need to execute the commands with a booted system (valid for both posts where i write the instructions). It DOESN'T work in the terminal of recoveries (e.g. twrp).
    Thanks @jaysir for the information.

    INSTRUCTIONS:

    Android 7:

    1. Connect the phone with your computer
    2. Activate ADB and test the connection with the "adb devices" command. If your phone shows up go to step 3.
    3. Execute these commands in your terminal:
    => adb shell 'settings put global captive_portal_http_url "http://captiveportal.kuketz.de" '
    => adb shell 'settings put global captive_portal_https_url "https://captiveportal.kuketz.de" '

    Android 8 and 9:

    1. Connect the phone with your computer
    2. Activate ADB and test the connection with the "adb devices" command. If your phone shows up go to step 3.
    3. Execute these commands in your terminal:
    => adb shell 'settings put global captive_portal_http_url "http://captiveportal.kuketz.de" '
    => adb shell 'settings put global captive_portal_https_url "https://captiveportal.kuketz.de" '
    => adb shell 'settings put global captive_portal_fallback_url "http://captiveportal.kuketz.de" '
    => adb shell 'settings put global captive_portal_other_fallback_urls "http://captiveportal.kuketz.de" '

    Well that's it. When you want to revert back just execute the commands again with this url:

    http command: http://connectivitycheck.gstatic.com/generate_204

    https command:
    https://connectivitycheck.gstatic.com/generate_204

    Link to the source:
    https://www.kuketz-blog.de/android-...204-http-antwort-von-captiveportal-kuketz-de/

    If i make any typos tell me:)
    8
    Thanks again to the german security researcher and his community there is a way to deactivate the captive portal checkin completly.

    It works on Android 7 and Android 8.1/9. But in comparision to the method in my first post this needs root access on your phone.

    For all new users:
    I recommend Magisk to gain root.

    So now the instructions:

    For Android 8/9:
    1. Open a terminal on your phone (via terminal apps).

    2. Type the following command:
    - su
    - su
    - pm disable com.android.captiveportallogin
    - settings put global captive_portal_detection_enabled 0
    - settings put global captive_portal_server localhost
    - settings put global captive_portal_mode 0

    3. Then reboot your phone (via hardware buttons, system or terminal app).


    For Android 7:
    1. Open a terminal on your phone (via terminal apps).

    2. Type the following commands:
    - su
    - settings put global captive_portal_detection_enabled 0
    - settings put global captive_portal_server localhost
    - settings put global captive_portal_mode 0

    3. Then reboot your phone (via hardware buttons, system or terminal app).


    Link to Source
    https://www.kuketz-blog.de/empfehlungsecke/#captive-portal
    3
    Very nice and very important tutorial!
    Just for completeness; and I don't claim and definitely don't have a copyright. I reported these procedures already here end of April in the thread "Enhanced Privacy, Security and Battery Duration! My Measures...". I mentioned it also once here in the AFWall+ thread.

    I'm very glad that these procedures get repeated and repeated again. From my personal point of view it's so important to develop the stance to not allow Google to collect our data. I've subscribed to Mike Kuketz and am very grateful for his job and dedication.
    2
    Very nice and very important tutorial!


    Just for completeness; and I don't claim and definitely don't have a copyright. I reported these procedures already here end of April in the thread "Enhanced Privacy, Security and Battery Duration! My Measures...". I mentioned it also once here in the AFWall+ thread.
    I'm very glad that these procedures get repeated and repeated again. From my personal point of view it's so important to develop the stance to not allow Google to collect our data. I've subscribed to Mike Kuketz and am very grateful for his job and dedication.

    I agree to you. It's a pity that so much people don't care about it.
    I must admit i forgot to search in forum whether the instructions was already posted but as you said every mention helps.
    1
    Thanks, however, not working on pixel experience rom.

    Update:
    Seems no settings command under ADB shell, worked when turning on Usb debugging.