What is Zero-Rating / Free Data Bypass

"Zero-rating" (or "free data bypass," commonly called "miǎn liú" in Chinese communities) typically refers to using certain apps or services on a mobile network without consuming the user's data allowance—in other words, surfing the internet for free. This is usually offered by mobile operators or specific app providers to attract more users to those apps or services.

Basic Principle of Free Data Bypass

The zero-rating mentioned above is usually limited to certain apps. The type of free data bypass we're discussing here is not restricted to specific apps; it achieves free access by using particular methods to deceive the operator's billing system.

First, we need to understand how the operator's billing system works.

Accessing a normal website:

Accessing a zero-rated website:

The core principle of free data bypass is to make the billing system think the user is accessing a zero-rated website, while in reality accessing a normal website.

Several Methods of Free Data Bypass

Local Free Data Bypass

Local free data bypass involves running a proxy program on the user's phone to modify all data packets, thereby deceiving the billing system.

The main implementation of the proxy program is to modify the HTTP request headers.

There are two key fields in the request headers: Host and X-Online-Host. Assuming the billing system charges based on the Host field in the HTTP packet, and the proxy server uses the X-Online-Host in the HTTP packet for actual data access, modifying the Host field in the HTTP headers can deceive the billing system.

Operators are not naive; they updated their detection systems, rendering the above method ineffective. Later, netizens began a battle of wits with the operators.

1. Double-Host mode by inserting two Host fields, so the billing system looks at the first Host, while the proxy server looks at the second Host.
1. Double X-Online-Host mode by inserting two X-Online-Host fields.
1. Fake header mode.
1. Fake color mode.
1. ....

Advantages of local free data bypass: no additional resources needed; can be implemented directly on the user's phone, mainly exploiting differences in implementation between the operator's billing system and proxy server. Disadvantages: inconsistencies in operator systems across regions—modes that work in Shanghai may not work in Guangdong; limited modifiable fields mean once all modes are blocked, it becomes unusable.

The biggest problem with local free data bypass is the lag in operator billing. After a free data mode you used gets patched, traffic starts being charged normally without your knowledge. The next morning you wake up to a huge bill from 10086.

Directional / Zero-Rated Data Plans

Starting in 2015, the country required the three major operators to increase speeds and reduce fees; roaming charges were gradually eliminated, and data became nationwide. Prices also became lower, but not low enough for unlimited arbitrary usage.

For people who like watching Douyin or Tencent Video, the three major operators launched directional data cards, such as Tencent King Card, Alibaba Treasure Card, etc. Directional data cards provide large amounts of zero-rated data for certain internet services in addition to general data. For example, Tencent King Card allows free usage of Tencent-family apps up to 40GB.

(Note: the repeated paragraph about directional cards in the original is preserved as-is in structure but translated consistently.)

Cloud-Based Free Data Bypass (Cloud Zero-Rating)

Local free data bypass exploited differences between the billing system and proxy server; later those differences were patched (thanks to netizens doing QA at their own expense). Eventually, operators even eliminated the proxy server and used the billing system directly for internet access, making local free data bypass obsolete. The commonly used method now is generally cloud-based free data bypass—this is the current mainstream approach.

The principle of cloud-based free data bypass requires some basic knowledge of network protocols and understanding of how TCP/IP works.

IP

The current internet is built on the TCP/IP architecture. Communication between computers is not based on domain names but on the IP protocol.

The IP protocol can be understood as the phone number in a computer. For example, if we want to contact Zhang San, we can dial his phone number 123456 to reach him.

DNS

But when we access websites today, we enter domain names. Why is computer communication based on IP protocol? How do they convert between them?

This is what DNS does. Because IP addresses are hard to remember and type, domain names were invented to simplify input—like contact names in a phone book. For example, we save Zhang San's number as 123456 in our contacts; Zhang San is like the domain name, and 123456 is the IP. To contact Zhang San, we just search 'Zhang San' in the phone book instead of typing 123456.

DNS's role is to query the phone book. For example, when I want to access google.com, the computer doesn't know how to reach it, so it queries DNS for google.com's "phone number" (IP).

HTTP

The HTTP protocol is the most common internet protocol for ordinary people and is the cornerstone of the internet. Almost all common applications use the HTTP protocol for communication.

HTTP request structure example:

CodeBlock Loading...

In local free data bypass, we modified the Host field to bypass the billing system. In cloud-based free data bypass, the approach is similar, but the difference lies in how to access the correct target website after bypassing the billing system?

The idea is simple: since local free data bypass was completely fixed due to the merger of the operator's proxy server and billing system, what if we implement our own proxy server? Wouldn't it be similar to the previous method?

Cloud Zero-Rating Principle

Specifically, the original request is encapsulated into the HTTP body and sent to the proxy server. The proxy server parses the HTTP body, reconstructs the original request, and makes the actual request.

That is:

Direct Connection Free Data Bypass

There is also a type of zero-rating that doesn't require a cloud server. Some directional cards allow exempting all traffic for a certain app rather than a specific domain. For example, Tencent King Card exempts all traffic from QQ Browser. The principle is that the app has a built-in proxy server, and traffic generated by that proxy is counted as directional/zero-rated by the operator.

Direct connection free data bypass involves packet capturing to obtain the app's built-in proxy server and using it for all app access.

However, because proxy servers now add dynamic verification, most have become ineffective.

Out-of-Service Zero-Rating

China Telecom provides a green channel for recharging fees after a user is suspended, allowing network access even when suspended to pay bills. Similar to directional zero-rating, out-of-service zero-rating works by changing the Host to the green channel URL to achieve free data.

For suspended users, paying only the monthly suspension keep-number fee (usually 5 yuan) can achieve unlimited data. However, Telecom later implemented restrictions on internet speed for suspended users in most areas—after all, why would you need high speed just to recharge fees?

Limitations of Free Data Bypass

Because the operator's billing system is essentially a black box, it's hard for outsiders to know when the mechanism changes—for example, besides checking the Host field, the billing system can also check ports. Internet traffic usually uses ports 80/443, so cloud servers must generally use ports 80/443.

To achieve free data bypass, global proxying must be used—that is, both domestic and international traffic must go through the cloud server proxy.