GUIDE: How to avoid the Captive Portal Checkin to Google

[ZXR]

I use the App 'Terminal Emulator' from F-Droid for this.
Link: https://f-droid.org/app/jackpal.androidterm

Tried it with the linked emulator (first had problems with the keyboard).
Root works, "pm disable..." is answered with "disabled", for the three "settings put..." I get no answer, just a new line.
Restart and C-P-check is still active.

 

[dhacke]

I use the Shell Terminal Emulator (MobilDev), root request comes up after "su" and can be accepted.
The "pm disable com.android.captiveportallogin" is answered by "Security exception: Attemp to change component state..." and several pids and uids
The settings put global captive_portal_detection_enabled 0 is answered by "Security exception: You either need MANAGE_USERS or CREATE_USERS permission to: query user at..." and now several services listed.
... and so on.

]

Well to be honest i never heard or saw the notification which you report. Plus it is strange that the shell terminal emulator from MobilDev accepts the root but the linked terminal Emulator app not.
By me the su command works with the linked app.

Mayby it has something to do with the customization which Samung does to vanilla android or the Knox blocks the commands somehow.
Sadly i don't have any samsung device to check your mentioned behavior on my side. I prefer sony and Custom Roms in general.
Mayby some other user with a samsung phone and stock Pie can test it, too. If the same problems comes up the stock is most likely the reason.

So values accepted via ADB are not accepted via terminal?

I would say that depends on what commands the values will be used (but that is just a assumption).

 

[ZXR]

]
Well to be honest i never heard or saw the notification which you report. Plus it is strange that the shell terminal emulator from MobilDev accepts the root but the linked terminal Emulator app not.

Hi, I updated my post half an hour later to make the story eaysier. I had a silly issue with the keyboard...
And then you answered too fast.
Now the emulator you mentioned works.
Root works with it, "pm disable..." is answered with "disabled", for the three "settings put..." I get no answer, just a new line.
Restart and C-P-check is still active.

 

[dhacke]

Hi, I updated my post half an hour later to make the story eaysier. I had a silly issue with the keyboard... You answered too fast.
Now the emulator you mentioned works.
Root works with it, "pm disable..." is answered with "disabled", for the three "settings put..." I get no answer, just a new line.

That's exactly the behavior which i expected and have when i execute the commands.
Only the 'pm disable...' give a answer. All other commands just gets executed silently. So atm it sounds good to me.
Did you execute the 'su' twice? That's important, too.

 

[ZXR]

Did you execute the 'su' twice? That's important, too.

Yes I did.
Ok, it seems currently there is no way to disable the C-P-check. Good that the server still can be changed and thanks to Kuketz for providing it.

 

[L4rg0]

I know posts like "I have the same problem" aren´t helpfull, but I have the same problem like ZXR describes it. I have tried it on my old and now on my new phone, both run on Lineage 16. "settings get..." commands spit out the right values, but still the x on my Wifi symbol appears. Is it possible, that my AFWall+ settings are wrong?

edit: found a comment at the Kuketzblog side which suggests to first set the SELinux to permissive:
su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

This does not seem to work for me just thought it might be interesting. Please note I am not sure if this is recommendable.

 

[dhacke]

I know posts like "I have the same problem" aren´t helpfull, but I have the same problem like ZXR describes it. I have tried it on my old and now on my new phone, both run on Lineage 16. "settings get..." commands spit out the right values, but still the x on my Wifi symbol appears. Is it possible, that my AFWall+ settings are wrong?

Yes it's possible. Mayby you blocked some needed system Apps or have custom scripts in AfWall+.

I would suggest that you deactivate AfWall+ once and check again. If the x disappears it has something to do with AfWall+.

And you need to allow the app "(Root) Apps with Admin-Rights" internet access if AfWall+ is on. Otherwise the x will stay independent of the captive portal checkin state.

 

[dhacke]

edit: found a comment at the Kuketzblog side which suggests to first set the SELinux to permissive:
su
setenforce 0
settings put global captive_portal_mode 0
setenforce 1

This does not seem to work for me just thought it might be interesting. Please note I am not sure if this is recommendable.

Hm i never need change SeLinux to permissive. My phones always runs on enforcing.
But mayby you need to do it on your lineage version. If yes probably all commands must be typed in permissive state not only the one which you mentioned in that post.

 

[gadgetguy08]

1. What is the Captive Portal Checkin?

Every time your android phone connects to the internet via mobile connection or wlan it sends a request to the following url:
http://connectivitycheck.gstatic.com (Google URL).

For anyone (like me) who incorrectly thought that having Captive Portal Login blocked by the firewall was enough to prevent this from connecting to G**gle, note that the initial request doesn't get blocked. (Discovered this with a tcpdump capture on the router).

Thanks for sharing this.

 

[hellkaim]

note that the initial request doesn't get blocked. (Discovered this with a tcpdump capture on the router.

Are you sure that:
1. You changed all the values for captive portal (http/https/altenative etc.)?
2. Your AfWall+ has being configured to prevent "boot leak"?

I have Android 9 and for my device I have had no leaking (all requests goes to my URL).

Also AfWall+ in my case is able to allow only a banch of services (10 or so) in order for the NetworkLocation (and this is what causes the x-symbol to appear) to have network access. Also enabling "Apps with root access" is not a good idea. May be there is some manual way to tweak AfWall+ rulles to enable only certan IP addresses for the selected application?

Another question I have for @dhacke
Can we add this to build.prop in order to set it up permanenty and not just till the next reboot. I imagine we can use some boot script but it seems to be out of Android way of doing things...

 

[dhacke]

Are you sure that:
1. You changed all the values for captive portal (http/https/altenative etc.)?
2. Your AfWall+ has being configured to prevent "boot leak"?

I have Android 9 and for my device I have had no leaking (all requests goes to my URL).

Also AfWall+ in my case is able to allow only a banch of services (10 or so) in order for the NetworkLocation (and this is what causes the x-symbol to appear) to have network access. Also enabling "Apps with root access" is not a good idea. May be there is some manual way to tweak AfWall+ rulles to enable only certan IP addresses for the selected application?

Another question I have for @dhacke
Can we add this to build.prop in order to set it up permanenty and not just till the next reboot. I imagine we can use some boot script but it seems to be out of Android way of doing things...

Idk. i don't have experiences about the tweaking possibilty from build.prop
Sry.

 

[shrek42]

Does anyone know why on LAOS 17.1 (Android 10) some DNS requests (namely those for "www.google.com" and "connectivitycheck.gstatic.com" presumably triggered by the captive portal test) can not be entirely blocked by corresponding "127.0.0.1" DNS entries in "/system/etc/hosts" (with "Private DNS" either turned "Off" or left on "Automatic")?

Details:

In previous LineageOS versions (at least 14 and 15) entries like "dns-name-to-block 127.0.0.1" in file "/system/etc/hosts" did work very well to *entirely* silence the device (except DHCP with the gateway when connecting to a Wi-Fi).

But in current LIneageOS version 17.1 (20200727) this seems not to be reliable anymore. With help of the "hosts" file I can block most, but not all connections respectively DNS requests. Each time when I switch on Wi-Fi (at least every 10 minutes after DNS cache timeout) I see DNS requests for "www.google.com" and "connectivitycheck.gstatic.com" leaving the device, even though both DNS names are blocked by "127.0.0.1" entries in "/system/etc/hosts". My gateway router then answers these DNS requests.

Obviously I can block these DNS requests by telling the DNS server "dnsmasq" on my gateway router, e.g. via option "--addn-hosts=/etc/hosts.dnsmasq", to answer all these requests with "127.0.0.1". In a short test this worked perfectly well. Nevertheless my intention is to make the device itself silent without external help, ideally only with help of "/system/etc/hosts".

Switching private DNS ("Settings -> Network & internet -> Private DNS") to "Off" (the default is "Automatic") - and rebooting the device - seems to be without effect on these two DNS requests.

After setting the global variables "captive_portal_*" as suggested in posts #1 and #2 (using "127.0.0.1" instead of "captiveportal.kuketz.de") the DNS requests to "www.google.com" and "connectivitycheck.gstatic.com" do NOT appear anymore. Thus this seems to prove that these two DNS requests are not related to some "DNS availability test", but indeed are related to the "/gen_204" requests of the "captive portal internet availability test".

Unfortunately I was not able to find evidence in the Android sources - probably looking at the wrong places - for the reason why those two DNS requests leave the device and thus ignore "/system/etc/hosts".

All other DNS entries in "/system/etc/hosts" do work well (no DNS requests or connection attempts leave the device). Furthermore when opening "www.google.com" via web browser, there is a "connection refused" message. Thus the "www.google.com" entry in "/system/etc/hosts" indeed *IS* effective, but seems to be ignored by the captive portal test.

BTW: IPv6 is not the cause of the problem since the router allows IPv4 only. Anyway the "hosts" file includes entries with "127.0.0.1" as well as "::1".

Any ideas why those two DNS requests leave the device? Any idea how to restore full functionality of "/system/etc/hosts"? Many thanks.

 

[hellkaim]

Idk. i don't have experiences about the tweaking possibilty from build.prop
Sry.

I still do not know reg build.prop but I do know that settings are persistent across reboots. So it nails down to a post flash first run script

Also it is worth mention that disabling captive portal without URL change works fine also on my Android 9.

---------- Post added at 07:52 PM ---------- Previous post was at 07:44 PM ----------

Idk. i don't have experiences about the tweaking possibilty from build.prop
Sry.

Does anyone know why on LAOS 17.1 (Android 10) some DNS requests (namely those for "www.google.com" and "connectivitycheck.gstatic.com" presumably triggered by the captive portal test) can not be entirely blocked by corresponding "127.0.0.1" DNS entries in "/system/etc/hosts" (with "Private DNS" either turned "Off" or left on "Automatic")?
.

I think it's better to ask in Lineage OS thread. From my IMHO Lineage could change the way DNS quires areexecuted or Captive Portal apk has it's own way to issue a request and ignores hosts now.

 

[Blechpirat]

I need some help, please!

I turned of the captiveportal check off. Based on kuketz blog (https://www.kuketz-blog.de/afwall-digitaler-tuervorsteher-take-back-control-teil4/) I used this in a local terminal with root:

su

su

pm disable com.android.captiveportallogin


settings put global captive_portal_detection_enabled 0

settings put global captive_portal_server localhost

settings put global captive_portal_mode 0


reboot

But I can't get the Wifi in the public transport running, because I can't call their portal site, even tho I know their url.

How do I turn portalcheck back on?

 

[crashnburnMDA]

Following..

 

[brzlian.developer]

I need some help, please!

I turned of the captiveportal check off. Based on kuketz blog (https://www.kuketz-blog.de/afwall-digitaler-tuervorsteher-take-back-control-teil4/) I used this in a local terminal with root:

su

su

pm disable com.android.captiveportallogin


settings put global captive_portal_detection_enabled 0

settings put global captive_portal_server localhost

settings put global captive_portal_mode 0


reboot

But I can't get the Wifi in the public transport running, because I can't call their portal site, even tho I know their url.

How do I turn portalcheck back on?

the easier and faster way: set a custom script on afwall returning the values "0" to "1", and set http://clients3.google.com to your server. Apply the rules and after that disable afwall evwrytime you must connect to this public network. After connecting and authenticating you can reenable Afwall.

 

[b1k3rdude]

For Android 8/9:
1. Open a terminal on your phone (via terminal apps).

2. Type the following command:
- su
- su
- pm disable com.android.captiveportallogin
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global captive_portal_mode 0

3. Then reboot your phone (via hardware buttons, system or terminal app).

Just a heads up, tried this on Android 10 on my S20FE (G781B) and it just caused a bootloop.

And because TWRP for this model (as I just discovered) can't restore from the local SD card (has no access to external SD atm) Im kinda f****d, have to start from scratch with a vanilla rom odin flash - deep joy.

 

[xandriksson]

How do I turn portalcheck back on?

I have struggled with the same problem.

With the hints given in this question about the Captive Portal parameters and the link therein to the parameters in the source code, the following worked for me on a Fairphone 3 with Lineage 17.1 :

su
su
pm enable com.android.captiveportallogin # instead of "pm disable"

settings put global captive_portal_detection_enabled 1 # instead of "0"

# captive_portal_server seems not to be relevant for Android >= 7.0, not sure what to value to set this to if I had to:
#     settings put global captive_portal_server localhost

# mode "1" is the default and means according to the source:
# > When detecting a captive portal, display a notification that prompts the user to sign in.
settings put global captive_portal_mode 1 # instead of "0"

reboot

I am not sure yet how this is going to behave on public WiFis but I think that with this I have the Captive Portal service up and running again.

 

[Blechpirat]

Thank you guys.

I tricked myself by not only turning captiveportal off, but also forcing dns over tls. So the dns server of the local system was never able to show me the login page, because of course that page has not dns entry outside its own net.

So I had to turn off DoT off and then use your advice. Took me a while...

 

[optimumpro]

The command 'captive_portal_detection_enabled' has been deprecated since Android 10. The current working command is 'captive_portal_mode_ignore'.

That's the relevant code:

        /**
         * Setting to turn off captive portal detection. Feature is enabled by
         * default and the setting needs to be set to 0 to disable it.
         *
         * @deprecated use CAPTIVE_PORTAL_MODE_IGNORE to disable captive portal detection
         * @hide
         */