Open Victor239 opened 1 year ago
tokens from RKStorage are jwt tokens
I've spent a lot of time trying to find a token. It looks like it should be a file called Steamguard-*
in /data/data/com.valvesoftware.android.steam.community/files/
, but there are no such files. Something changed in the app, I suppose.
The only file I found was /data/data/com.valvesoftware.android.steam.community/shared_prefs/SecureStore.xml
:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="SteamGuard_1">{...}</string>
</map>
It seems to me, that it holds the token. But it is another story.
if someone stumbles on this from google: https://novanoir.moe/blog/2022/11/20/%E3%80%90ROOT%20Android%E3%80%91Steam%203.0%20%E5%AF%BC%E5%87%BA%E4%BB%A4%E7%89%8C%E7%9A%84%E6%95%B0%E7%A7%8D%E6%96%B9%E6%B3%95/
cd /tmp; wget "https://github.com/frida/frida/releases/download/16.0.8/frida-server-16.0.8-android-arm64.xz"
unxz frida-server-16.0.8-android-arm64.xz
sudo adb root
sudo adb push frida-server-16.0.8-android-arm64 /data/local/tmp/
sudo adb shell "chmod +x /data/local/tmp/frida-server-16.0.8-android-arm64"
sudo adb shell "/data/local/tmp/frida-server-16.0.8-android-arm64"
yay -S aur/python-frida # use your brain here
cd /tmp; wget https://gist.githubusercontent.com/acuifex/1b80ac3490381801c79f9ea20ab763f4/raw/2540e65f18948e8650bcd1b83b97f2aca4dda1c6/dump.py
# if raw link somehow goes bad: https://gist.github.com/acuifex/1b80ac3490381801c79f9ea20ab763f4
python3 ./dump.py
# enter into guard section in the steam app on your phone
# clean up the server
sudo adb shell "rm /data/local/tmp/frida-server-16.0.8-android-arm64 /data/local/tmp/re.frida.server/"
I might add that the time my comment is written, the previous answer no longer outputs the direct otp code. Instead it's something like
{
"accounts": {
"NUMBERS": {
"shared_secret": "som/ething=",
"identity_secret": "something=",
"secret_1": "something=",
"serial_number": "a number",
"revocation_code": "the backup code",
"account_name": "your account name",
"token_gid": "some token",
"confirm_type": 3
}
}
}
To get the otp code, copy the shared_secret, decrypt base64 and encrypt to base32 :
echo "<shared_secret>" | base64 -d | base32
(found from https://github.com/beemdevelopment/Aegis/issues/390#issuecomment-1462800402)
Hello, you suggested
device:/ # cat /data/data/com.valvesoftware.android.steam.community/files/*
, which key is it? I tried both the AuthToken and RefreshToken in Aegis Authenticator but it couldn't import as it said it wasn't in base32.