venomous0x / WhatsAPI

Interface to WhatsApp Messenger

2.8.7 - Password #216

Open z0rax opened 11 years ago

z0rax commented 11 years ago

Hey.

Anyone figure out the new Password usage of WhatsApp 2.8.7?

It's no longer md5'd IMEI, it's something else.

timespace7 commented 11 years ago

After Whatsapp updates to 2.8.9108, whatsapi cannot work with number... Anyone figure out the new Password?

waninkoko commented 11 years ago

They updated Android client to use the new registration api. Now the password is generated in the server and stored in the phone encrypted in a file called "pw".

The absolute path is "/data/data/com.whatsapp/files/pw".

I tried to find the encryption algorithm in the WP version but all the related code is inside a DLL file called "WhatsAppNative.dll" that I cannot decompile (it was probably written in C++) and IDA doesn't give me too much info.

z0rax commented 11 years ago

As long as the password is still hashed using the IMEI, we should technically still be capable of using this regardless of the password being saved locally on the phone, except they've just changed the way the IMEI's being hashed, am I right?

shirioko commented 11 years ago

My guess would be that they are also using the SMS verification code as salt for hashing, which is something they should have done from the start.

FAlbanni commented 11 years ago

Technically you can invoke "WhatsAppNative.dll" from java code using native and generating the right password file.

shirioko commented 11 years ago

Isn't that DLL compiled for OMAP (and not for x86)? Thus it would only work on Windows Phone devices?

ralphmyw commented 11 years ago

Same problem when activated some accounts with 2.8.9 version.

z0rax commented 11 years ago

If it is in fact using IMEI + the Verification Code sent through SMS, then it still wouldn't be all that hard to Bruteforce such a password, WHEN we know the new Hashing method.

Let's say that it's, just as an example, something like md5(strrev($imei . $verificationcode));

That could easily be used as

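```php
$vcode = 100;
$vcodemax = 1000;
while ($vcode < $vcodemax) {
    // Candidate password for this verification code (hypothetical hash from above)
    $pass = md5(strrev($imei . $vcode));
    // $url is not defined in this post
    $content = file_get_contents($url);
    if (stristr($content, 'status="ok"') === false) {
        $vcode = $vcode + 1;
    } else {
        echo 'Password: ' . $pass;
    }
}
```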

That would bruteforce every possible three-digit Verification Code.

This is just an example, all we need is the actual new hashing method. Verification code might not even be in the new hashing, but if it is, it's not that hard to bypass.

sriharishine commented 11 years ago

Hello,

I am facing the problem of WRONG PASSWORD. Can you please help me to fix this and continue to use this script to send messages?

shirioko commented 11 years ago

The problem with brute forcing the password is that you're doing it against a server and you'll most likely be locked out after 10-100 attempts

sriharishine commented 11 years ago

Oh, any solution?

I want my PHP script to send Free Whatsapp message ? Can you help me to create such script?

shirioko commented 11 years ago

I'll upload my current website version to GitHub when I get home, you can use it as an example, though sending messages does not work yet. Sending a message will create a new socket, invalidating the first one. I'll have to code a message queue which will be sent through the initial socket.

sriharishine commented 11 years ago

Ok thanks for that. So with your current version, I will be able to send the message right?

shirioko commented 11 years ago

No, but I'll make it work before I upload it. You will still face the issue of the new password encryption, so I would suggest that you don't update your current whatsapp version, otherwise you won't be able to log in

sriharishine commented 11 years ago

Ok I understood, Then we need to find a solution for this Password issue as soon as possible.

timespace7 commented 11 years ago

Does Whatsapp in iOS face this problem? (Updated to change the password method)

netvortex commented 11 years ago

This is easy!

```
GET
{'Accept': 'text/json', 'User-Agent': 'WhatsApp/2.8.2 WP7/7.10.8773.98 Device/NOKIA-Lumia_800-H112.1402.2.3'}
cc=34&in=660330901&id=95818ddc74b3f8bd80b1549fab1dc8a0
Opening connection to v.whatsapp.net
Requesting /v2/exist?cc=34&in=602330XXX&id=95818dcc94b3f9bd80b1549fab1dc8a0
```

Using the V2-exist check it actually GENERATES you the new password on EVERY successful attempt. So when you got the right hash (IMEI or MAC) you can login!

netvortex commented 11 years ago

The exist check does not USE the password - therefore you only need to know how to generate the hash!

z0rax commented 11 years ago

But we have no clue what the new hashing method is :/

shirioko commented 11 years ago

I found an old whatsapp apk on my Dropbox (2.8.1355) and tried to log in, hoping that it might downgrade my login method. I couldn't get past the phone number screen though, it just told me that I had to update :/ If anyone is interested in the apk (maybe it does work for first time users), just let me know and I'll make it public.

fheft commented 11 years ago

I'm rather surprised that this issue only seems to bother a handful of people… when WhatsApp protocol changed to 1.2 the corresponding issue for the new auth method easily had over 300 comments. Did most people just not update their WhatsApp so they can still use it?

shirioko commented 11 years ago

I have a number of whatsapp accounts, some of which still work and some don't. I'd assume that it indeed has to do with updating whatsapp. My primary account doesn't work anymore. I also bought a 1-year whatsapp service extension a few months ago, but I don't think that it has anything to do with the issue.

jonnywilliamson commented 11 years ago

@fheft - Finally someone else who's been as amazed as me for how this isn't affecting 90%+ of people! Hopefully as the next couple of weeks go on, we get the tipping point where everyone comes looking for a solution...and we find one.

On another note.

If you install yowsup from https://github.com/tgalal/yowsup

It's a Python implementation of whatsapp. However, you can use it to register your mobile phone number with the whatsapp servers.

It'll send your phone the 6 digit verification code, you then add this to the script. The script sends the request off to whatsapp and whatsapp returns the password.

You then know:

1) Your mobile
2) Your mac/imei
3) The 6 digit registration code
4) Your password.

I have done this, but I cannot tell what type of hash it is, it looks too short to be md5 etc. Nor do I wish to post my details online here. Sorry!

HOWEVER, this will now have DE-REGISTERED your actual mobile phone, so don't try and send any messages using the official app on your phone.

If you do, the phone will send off for another registration code and deactivate the password you just got to work with the yowsup script.

Also you can't reactivate your phone for approx 1hour due to restrictions from the whatsapp servers.

I hope that might help someone get started on fixing this.

Thanks.
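An added example, not part of the thread and not code from WhatsAPI, yowsup or WhatsApp: a toy Python model of the server-side behaviour described in the comments above (a 6-digit SMS code, shirioko's lockout after repeated wrong guesses, a password issued by the server that replaces the earlier one, and a wait before a new code can be requested). The class and function names, the 10-attempt limit and the 3600-second wait are assumptions chosen for illustration.

```python
import base64
import hmac
import secrets

MAX_ATTEMPTS = 10        # assumption: low end of the thread's "10-100 attempts" guess
COOLDOWN_SECONDS = 3600  # assumption: the "approx 1 hour" wait mentioned in the thread


class RegistrationServer:
    """Toy model of server-issued passwords; not WhatsApp's actual implementation."""

    def __init__(self):
        self.pending = {}       # phone -> [sms_code, failed_attempts]
        self.last_request = {}  # phone -> time the last code was issued
        self.passwords = {}     # phone -> the single currently valid password

    def request_code(self, phone, now):
        last = self.last_request.get(phone)
        if last is not None and now - last < COOLDOWN_SECONDS:
            return None  # no fresh code, so the failure counter cannot be reset
        self.last_request[phone] = now
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code, as in the thread
        self.pending[phone] = [code, 0]
        return code  # stands in for SMS delivery

    def register(self, phone, code):
        entry = self.pending.get(phone)
        if entry is None or entry[1] >= MAX_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(entry[0], code):
            entry[1] += 1
            return "fail"
        del self.pending[phone]
        # Random and independent of IMEI/MAC: nothing on the device derives it.
        password = base64.b64encode(secrets.token_bytes(20)).decode()
        self.passwords[phone] = password  # replaces any earlier device's password
        return password

    def login(self, phone, password):
        stored = self.passwords.get(phone)
        return stored is not None and hmac.compare_digest(stored, password)


def attempts_before_lockout(server, phone, guesses):
    """Feed guessed codes to register(); return how many were checked before lockout."""
    for count, guess in enumerate(guesses):
        if server.register(phone, guess) == "locked":
            return count
    return None
```

With these limits, sequential guessing covers 10 of the 1,000,000 possible codes per issued code, and the counter cannot be reset until the wait has passed.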

QUIETMONEYDON commented 11 years ago

So basically... it won't be possible to use whatsapp from 2 diff devices at the same time like we used to, right?

filandlam commented 11 years ago

Hi jonnywilliamson, any chance you can further describe the registration process please?

shirioko commented 11 years ago

If this works, it would at least be a breakthrough for people without smartphones or supported platforms. I'm very tempted to buy an extra sim card and try it out :')

echammas commented 11 years ago

I ported the current code to java. I needed to release a specific plugin for whatsapp on Android... Now if the authentication procedure really needs bruteforce to get the right password, this will mean that I'm unable to do what I was planning for. The plugin used to compute the password in milliseconds from the imei... but now it needs to brute force the password on the device so it will be taking a long time and therefore it is not feasible anymore from a user experience perspective...

z0rax commented 11 years ago

We don't know for certain yet if it needs bruteforcing or not. There has been no confirmation whether or not the WhatsApp confirmation Code, sent by text message, is used in the password hashing or not. The hashing did change, since the previous one results in an incorrect password, but they may just have changed the hashing into binary or something of the like. I've tried about 10 * 3 different hashing methods and all result with failure. We need to know the new hashing before jumping into conclusions.

rodero95 commented 11 years ago

I'm also one of those affected by this issue. WhatsAPI doesn't work for me anymore since I used it with the new Whatsapp version. But I'm thinking of another thing: what if we remove our accounts from the server with the new version and try to register with the old one? It should use the old register api instead of the new one, should it? I'm gonna try in a moment and report back.

rodero95 commented 11 years ago

No luck. I've just tried deleting the account from the new version and then tried re-registering with the old version and it shows me the message to update the app. Also, I've tried with a phone number that has never been connected with the new app and it hasn't worked either, so I think Whatsapp is not accepting registers with the new api anymore. Then the only chance we have is to guess how the new password is hashed.

fheft commented 11 years ago

Would it be possible to sniff the auth sequence of the app, extract the password and use that to login via WhatsAPI (without knowing how it's calculated/hashed)? Of course that's not a suitable way for the future but at least people who use WhatsAPI only for their own account could get it to work again (without deactivating WhatsApp on their phone)…

rodero95 commented 11 years ago

There's no need to do that, someone has explained before that https://github.com/tgalal/yowsup should be able to get your hashed password, then replace that in WhatsAPI and it should work again.

rodero95 commented 11 years ago

I've just tried WhatsAPI with a phone number and an imei that hasn't updated to the new version and it has worked like a charm. So definitely, if you don't update your whatsapp app it should keep working.

fheft commented 11 years ago

@rodero95: I guess you're referring to jonnywilliamson's posting. But I think that method (acquiring a NEW password via yowsup) will make WhatsApp stop working on your phone (because the password is specific to a device or randomly generated upon registration). But if you'd sniff the phone's password instead of re-registering with WhatsApp you might keep them both running (of course with the known limitations and disconnects, but at least without re-registration).

rodero95 commented 11 years ago

@fheft: Ah, you're right. I didn't take that into account as I use a different phone number just for WhatsAPI.

rodero95 commented 11 years ago

I'm revising Yowsup's source code and I've observed it has an option in help that says:

```
Debug tools:
  --generatepassword input
                        Generate password from given string in same way
                        Whatsapp generates it from a given IMEI or MAC Address
```

Is that the V1 password or the V2 password? I suppose it is the V1 one, gonna try and report back.

rodero95 commented 11 years ago

Yes, it definitely is the V1 password. Nothing to do here.

jonnywilliamson commented 11 years ago

Don't waste your time. If you bother to take a look at the source code you'll see that the password generated is exactly the same as the way we have been generating it in whatsapi.

brittson commented 11 years ago

In yowsup, when I used v2 with mobile no & imei, I got an SMS. Then when I am trying to send the SMS code with -R, I am not getting the hashcode or anything, instead getting an error on python!! Anyone facing the same issue?

rodero95 commented 11 years ago

Which error are you facing? Take into account that you should have python-dateutil installed. Anyway, the answer should be something like this:

```
[david@raspberrypi src]$ python yowsup-cli -c config.txt -R 579-494
status: ok
kind: free
pw: hashed password
price: 0,89 €
price_expiration: 1358502193
currency: EUR
cost: 0.89
expiration: 1359728847
login: country code + phone number
type: existing
```

brittson commented 11 years ago

@rodero95 Hi, thanks for responding. So if I use this hashed password instead of using hashalgo(imei) in whatsapi, then you can connect and send messages?

rodero95 commented 11 years ago

Yes, it should work. I don't know if there have been any more changes in the protocol.

brittson commented 11 years ago

@rodero95 let me check

brittson commented 11 years ago

@rodero95 I checked, it worked. When I am in listening mode (-l), it's receiving all the msgs sent to this number, but when in interactive mode, msgs are not going!!

QUIETMONEYDON commented 11 years ago

What about the iOS version?

FAlbanni commented 11 years ago

Sniffing will not help since packets are SSL encoded :(

echammas commented 11 years ago

You just do man-in-the-middle with faked ssl certificate...

shirioko commented 11 years ago

Fake certificates cannot be verified by the CA, so it will probably fail.

echammas commented 11 years ago

You add your CA to cacerts.bks in android...

filandlam commented 11 years ago

@rodero95 The v2 hash doesn't work for me, on this line ($wa->encryptPassword() removed) it gives "Wrong Password":

```php
$url = "https://r.whatsapp.net/v1/exist.php?cc=".$countrycode."&in=".$phonenumber."&udid=".$imei;
```

If I bypass the above line, it gives:

```
rx <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
rx <not-authorized>
rx </failure>
```