steamguard-totp / steamguard-shared-secret

Obtain Steam Guard Mobile Authenticator shared secret from Android phone without root

About alternative rooted solution #10

Open Victor239 opened 1 year ago

Victor239 commented 1 year ago

Hello, you suggested device:/ # cat /data/data/com.valvesoftware.android.steam.community/files/*, which key is it? I tried both the AuthToken and RefreshToken in Aegis Authenticator but it couldn't import as it said it wasn't in base32.

flnnhuman commented 1 year ago

Tokens from RKStorage are JWT tokens.

soar commented 1 year ago

I've spent a lot of time trying to find a token. It looks like it should be a file called Steamguard-* in /data/data/com.valvesoftware.android.steam.community/files/, but there are no such files. Something changed in the app, I suppose.

The only file I found was /data/data/com.valvesoftware.android.steam.community/shared_prefs/SecureStore.xml:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="SteamGuard_1">{...}</string>
</map>

It seems to me that it holds the token. But it is another story.

acuifex commented 1 year ago

If someone stumbles on this from Google: https://novanoir.moe/blog/2022/11/20/%E3%80%90ROOT%20Android%E3%80%91Steam%203.0%20%E5%AF%BC%E5%87%BA%E4%BB%A4%E7%89%8C%E7%9A%84%E6%95%B0%E7%A7%8D%E6%96%B9%E6%B3%95/

cd /tmp; wget "https://github.com/frida/frida/releases/download/16.0.8/frida-server-16.0.8-android-arm64.xz"
unxz frida-server-16.0.8-android-arm64.xz
sudo adb root
sudo adb push frida-server-16.0.8-android-arm64 /data/local/tmp/
sudo adb shell "chmod +x /data/local/tmp/frida-server-16.0.8-android-arm64"
# frida-server stays in the foreground; leave it running and use a second terminal for the rest
sudo adb shell "/data/local/tmp/frida-server-16.0.8-android-arm64"

yay -S aur/python-frida # use your brain here
cd /tmp; wget https://gist.githubusercontent.com/acuifex/1b80ac3490381801c79f9ea20ab763f4/raw/2540e65f18948e8650bcd1b83b97f2aca4dda1c6/dump.py
# if raw link somehow goes bad: https://gist.github.com/acuifex/1b80ac3490381801c79f9ea20ab763f4
python3 ./dump.py
# enter into guard section in the steam app on your phone

# clean up the server (-r is needed because re.frida.server/ is a directory)
sudo adb shell "rm -r /data/local/tmp/frida-server-16.0.8-android-arm64 /data/local/tmp/re.frida.server/"

autodistries commented 6 months ago

I might add that at the time my comment is written, the previous answer no longer outputs the direct OTP code. Instead it's something like:

{
  "accounts": {
    "NUMBERS": {
      "shared_secret": "som/ething=",
      "identity_secret": "something=",
      "secret_1": "something=",
      "serial_number": "a number",
      "revocation_code": "the backup code",
      "account_name": "your account name",
      "token_gid": "some token",
      "confirm_type": 3
    }
  }
}

To get the OTP code, copy the shared_secret, decrypt base64 and encrypt to base32:

echo "<shared_secret>" | base64 -d | base32

(found from https://github.com/beemdevelopment/Aegis/issues/390#issuecomment-1462800402)
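
Added example, not part of the thread or of the project's code: a Python version of the base64-to-base32 conversion above that also rejects a JWT (the AuthToken/RefreshToken case from the first comment) and derives a Steam Guard code so the converted secret can be checked against the phone before relying on it. The function names, the 20-byte length check and the sample dump are assumptions made for this example, and the code derivation (HMAC-SHA1 over 30-second windows, 5 characters from Steam's 26-symbol alphabet) is not described in the thread.

```python
import base64
import hashlib
import hmac
import json
import struct

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # Steam Guard's 26-symbol code alphabet


def looks_like_jwt(value):
    """True for three dot-separated segments whose first decodes to a JSON header."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and "alg" in header


def shared_secret_to_base32(value):
    """Python equivalent of: echo "<shared_secret>" | base64 -d | base32"""
    if looks_like_jwt(value):
        raise ValueError("JWT (AuthToken/RefreshToken), not a shared_secret")
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 20:  # assumption: the secret is a 20-byte HMAC-SHA1 key
        raise ValueError(f"expected 20 bytes, got {len(raw)}")
    return base64.b32encode(raw).decode("ascii")


def steam_guard_code(secret_b32, unix_time):
    """5-character Steam Guard code for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", unix_time // 30), hashlib.sha1).digest()
    offset = digest[19] & 0x0F  # RFC 4226 dynamic truncation
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    code = ""
    for _ in range(5):
        number, index = divmod(number, len(STEAM_ALPHABET))
        code += STEAM_ALPHABET[index]
    return code


# Constructed sample in the shape of the dump above; the key is the public RFC 6238 test key.
SAMPLE_DUMP = '{"accounts": {"0": {"shared_secret": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="}}}'
for account in json.loads(SAMPLE_DUMP)["accounts"].values():
    print(shared_secret_to_base32(account["shared_secret"]))
```

Passing `int(time.time())` as `unix_time` gives the code for the current window, which should match the one shown in the Steam app if the secret was converted correctly.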