Closed lixmffm closed 8 months ago
https://gist.github.com/BZHugs/1bf36c111af77667e558697c10c0691b
@.dev It's up to you!
Thanks, will save it locally!
thanks for sharing, saved it locally :). agree with neednot on this one
https://gist.github.com/BZHugs/1bf36c111af77667e558697c10c0691b <- deleted (ping me on X if u want)
@.dev It's up to you!
What's it about? (if needed for contact, starnumber_ on discord). Can I have it?
You just need to add the following headers to all the requests you make:
{
"bereal-signature": "MToxNzA3NDgwMjI4OvR2hbFOdgnyAz1bfiCp68ul5sVZiHnv+NAZNySEcBfD",
"bereal-device-id": "937v3jb942b0h6u9",
"bereal-timezone": "Europe/Paris",
}
Looks like it broke again?
The current bereal-signature is invalid and has to be renewed
{
'bereal-signature': 'MToxNzEwOTU4NjQxOpg0j8sNuUN6oL3/h9GtyvzOPwPz1Rqf+euE+QfDPQlA',
'bereal-device-id': 'XKFg0Nkarwqyds17',
'bereal-timezone': 'Europe/Paris'
}
Try this but no clue how long it stays valid^
I guess this play will now go back and forth with BeReal changing signatures and the third-party-client community keeping up with those. It looks like the device id and the timezone influence the outcome of the signature, that's why all 3 must be exactly matching. Would be nice if someone is savvy enough to reverse engineer the algorithm how the signature is computed off the timezone & device id on the device.
It has already been reverse engineered, but the code to generate these signatures has been kept private since BeReal would probably change the way it works if it finds out that it has been figured out
They probably already know it has been reverse engineered. There is a likely chance a BeReal engineer is lurking in this discussion 😀
Most probably yes, but it was a quick fix anyways. Do you think there would be more possibilities of clients to be up for longer periods if they were not publicly available?
Making toofake's repo private in short words
As long as nothing gets public, I hope they do not care. So yes, if you have it, please keep it private.
Maybe we could think of a way to privately share the fixes as well as a way to securely implement them to the repo so that BeReal workers can't see what was changed
Ideally, the codebase doesn't contain any magic strings like this signature. They should be injected into the code only at runtime using env variables, just as it is usually done with database credentials, etc. Then the signature can easily be exchanged without any code changes that can be reviewed publicly. But knowing how the signature gets computed is definitely the better way than updating a hardcoded signature. If BeReal wants to change this, they need to change their implementation, which is way more effort for them to roll it out to all devices while maintaining backwards compatibility than to just invalidate static signatures with one click.
Ideally, the codebase doesn't contain any magic strings like this signature. They should be injected into the code only at runtime using env variables, just as it is usually done with database credentials, etc. Then the signature can easily be exchanged without any code changes that can be reviewed publicly.
However, this would probably increase the time it would take to fix issues that are caused by an invalid signature, as now the community can't provide a PR anymore (just like you, @retoheusser, did yesterday) but has to contact the maintainer in a private way and share the new information with them. They then have to change the environment variables themselves. Having the key public is probably also not a problem, as long as the BeReal viewers work the BeReal team will always know that we somehow got around their security fences and they will continue to strengthen them.
Looks like the signature is invalid again. Can someone share a new one?
{
'bereal-signature': 'MToxNzExNzU2MzUzOtbCtqpuvcUSENWw3cYh9/+mFapkW9d2IAUzFhKKQPZx',
'bereal-device-id': 'm9gci4w7fcd5gl8m',
'bereal-timezone': 'Europe/Paris'
}
here^
They have updated it again. Even with unused valid signatures 401 errors occur. They also seem to have updated the app to hide the requests. I am no longer able to see the friends-v1 request in the network requests but the app still downloads the required images.
That's very unfortunate. Would using an older version of the app make any difference?
Never mind, was able to see the friends-v1 requests but even the official client is receiving 401s :/ They must have deprecated this API and moved over to another implementation
yeah they changed sth... i keep getting 400 when i try to renew my token
But i'm still able to access friends-v1 tho^
The signature is computed from the timestamp and is valid for exactly one week. So the signature that was committed one two weeks ago has expired again:
MToxNzEwOTU0MTc2OmPlM3WPWqPWRq7EseRiT98fErcmwWg1yUatGmYZnzaH
decodes to
1:1710954176:c3uZFıbO&h5Ff6
containing the timestamp which is
Wed Mar 20 2024 18:02:56 GMT+0100 (Central European Standard Time)
You can install happy-headers now that contains valid headers for the next two years.
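The header layout decoded in the comment above, as an added example that is not part of the original thread: it parses the quoted value into its three fields and applies the one-week validity window the comment describes. The names `SignatureHeader` and `parse_signature_header`, and calling the leading `1` a version, are this example's own assumptions; the trailing bytes are treated as opaque and are not verified.

```python
import base64
from dataclasses import dataclass
from datetime import datetime, timezone

VALIDITY_SECONDS = 7 * 24 * 3600  # "valid for exactly one week", per the thread

# Header value quoted in the comment above.
SAMPLE = "MToxNzEwOTU0MTc2OmPlM3WPWqPWRq7EseRiT98fErcmwWg1yUatGmYZnzaH"


@dataclass(frozen=True)
class SignatureHeader:
    version: int     # leading field; "version" is an assumed label
    issued_at: int   # Unix seconds
    mac: bytes       # opaque trailing bytes, not verified here (key unknown)

    @property
    def expires_at(self) -> int:
        return self.issued_at + VALIDITY_SECONDS

    def is_fresh(self, now: int) -> bool:
        return self.issued_at <= now < self.expires_at


def parse_signature_header(value: str) -> SignatureHeader:
    raw = base64.b64decode(value, validate=True)
    # maxsplit=2: the binary tail may itself contain a 0x3a (":") byte.
    parts = raw.split(b":", 2)
    if len(parts) != 3 or not parts[2]:
        raise ValueError("expected version:timestamp:mac")
    version, issued_at, mac = parts
    if not (version.isdigit() and issued_at.isdigit()):
        raise ValueError("version and timestamp must be decimal ASCII")
    return SignatureHeader(int(version), int(issued_at), mac)


def utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    h = parse_signature_header(SAMPLE)
    print(h.version, utc(h.issued_at), "->", utc(h.expires_at), len(h.mac), "tail bytes")
```

The timestamp travels in cleartext inside the header, so expiry can be read by anyone; only the trailing bytes bind it to the other headers.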
Oh I was able to access friends-v1 too. Think my auth header was not getting renewed
Let's hope we can get this working again then? Maybe using @retoheusser's happy-headers suggestion, if I understood it correctly?
message: "API key expired. Please renew the API key." status: "INVALID_ARGUMENT" Seeing this as the response from the refresh token. I'm thinking the Key URL parameter has been updated. I'm not able to get a new one since SSL pinning for login prevents me from seeing the requests
@rvaidun yeah that is what happened to mine too, they use "https://auth.bereal.team/token?grant_type=refresh_token" now to refresh tokens. At least on android clients, idk how they handle ios since i do not own one :D
@U14-dev is it being used in the same way? What is the JSON body/required headers
return $fetch<BerealTokenResponse>('https://auth.bereal.team/token?grant_type=refresh_token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: {
    grant_type: 'refresh_token',
    client_id: 'ios',
    client_secret: '962D357B-B134-4AB6-8F53-BEA2B7255420',
    refresh_token: <token>
  }
})
Thanks for this, was able to get feed working again, will push a commit soon. Does anyone know how the updated login endpoints will be? Before we would get a token from https://auth.bereal.team/api/vonage/check-code and send this to https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key= Since googleapis is no longer used, where would we send the token received from vonage/check-code to?
I receive the following error on top:
[19:27:23] DEBUG HTTP Request: POST https://securetoken.googleapis.com/v1/token?key=AIzaSyDwjfEeparokD7sXPVQli9NsTuhT6fJ6iA "HTTP/1.1 400 Bad Request"
Exception: b'{\n "error": {\n "code": 400,\n "message": "API key expired. Please renew the API key.",\n "status": "INVALID_ARGUMENT",\n "details": [\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "reason": "API_KEY_INVALID",\n "domain": "googleapis.com",\n "metadata": {\n "service": " securetoken.googleapis.com"\n }\n }\n ]\n }\n}\n'
Ok so in the latest version of the Bereal app the API key is updated. the new key is AIzaSyCgNTZt6gzPMh-2voYXOvrt_UR_gpGl83Q
Ty^ I love how we always come together here when something has changed again :D
Am I the only one getting a 401 on the friends-v1 endpoint again?
httpx.HTTPStatusError: Client error '401 Unauthorized' for url 'https://mobile.bereal.com/api/feeds/friends-v1'
yeah because the signature only lasts 7 days
you could fire up an android emulator and grab a signature that way
I've always wondered what setup you (and the others) are using to get the signature. Because the "default" Android emulator wouldn't have google services and bereal would not even start up.
https://fowled.gitbook.io/bereal/articles/hacking-bereal this but also instead of installing magisk by downloading it you install it with this https://github.com/newbit1/rootAVD
{
'bereal-signature': 'MToxNzEyNzc5NjM2OnT64dJoTh9Yb/SbWYihMpTvcukPmUqS2OddbGq5VypZ',
'bereal-device-id': '33de4spkjujttwde',
'bereal-timezone': 'Europe/Paris'
}
^ or just use this for sign: https://github.com/retoheusser/happy-headers
Thanks to both of you
Since here are the most people I'll just ask in this issue: did anyone get the res/req for new endpoints? I kinda do not know what I am looking at and I am not getting any further, could be some encryption?
This looks like a binary payload. It's not visible from the screenshot which endpoint it is but there are some gRPC endpoints that BeReal is now using, so might be one of them. You can look at the request / response headers, there it tells you the content-type of the payload.
Looks like it stopped working again :( @rvaidun can you please update it?
{ 'bereal-signature': 'MToxNzEzNTI3NzI5Og/3Qu3fvLZY/VZsu/xeS6o049QkzBVUcEiat2IKzzyV', 'bereal-device-id': 'e3gazkyofwgf2sfx', 'bereal-timezone': 'Europe/Paris' }
you can use this sig for now^ I thought rvaidun already updated to use happy headers?
The signatures are still valid, I just tested loading the feed with BeFake. @Maximapple can you specify what exactly stopped working?
@U14-dev @retoheusser Looks like it was some odd issue on my end that looked like the signatures expired again. Had to restart the script as well as my pc. Works fine now. Sorry!
Hello, I'm the guy who wrote this guide on how to intercept BeReal requests a few months ago.
I've been super inactive since then because I had to focus on school, but I have some spare time in the next few days.
I've seen everything that you guys did to keep up with everything they added to make our life difficult. And your dedication is impressive :)
I do have a question, though: how the hell did some of you manage to find the algorithm used to generate these signatures?? I've been trying to achieve this for the past weeks, without success (code seems to be very deeply obfuscated...)
well for 1 it seemed less of a proprietary algo but instead in the code you can find mentions of hmac, a quick search of hmac gives you a good idea of what is going on here.
i would say the rest but other people could be watching
Won't display bereals, message is:
SOMETHING WENT WRONG: "" something went wrong, please try refreshing the page or re-login It's quiet here, nobody has posted anything yet.