BMS/Secure-IT Token OATHController.
src/OATHController.cs extracted from uk.co.bmsnotts.mobilesecureit.apk, which uses the Xamarin platform, with an added command-line interface.
dnSpy and ILSpy were used to decompile uk.co.bmsnotts.mobilesecureit.apk/assemblies/MobileSecureIT.dll.
The passcode used to verify the secret is the 5th, 10th, 15th, 20th, 25th and 30th characters of the secret (zero-indexed).
The method for generating HOTP tokens can be found in OATHController.GenerateHOTPPassword.
A Python interface to the Secure-IT Token SQLite3 database can be found in bms_token.db.
The database can be found in the following location on Android:
/data/data/uk.co.bmsnotts.mobilesecureit/files/LocalDB.db3
A graphical interface can be found in bms_token.gui and run using:
python -m bms_token.gui
A command-line interface is also provided:
python -m bms_token.cli
To use the C# command-line interface, compile the modified source.
Compile src/OATHController.cs with Mono:
mcs OATHController.cs
mono OATHController.exe <gen|verify> <secret> <iteration|passcode>
-
gen: generate token for secret at index iteration (negative for range) -
verify: verify passcode for the specified secret
A Python wrapper (requires pythonnet) for the C# classes is found in bms_token.controller.wrapper.
Compile src/OATHController.cs with Mono as a library:
mcs -t:library OATHController.cs
Then copy the built DLL to bms_token/controller/wrapper/bin/.
The Python package bms_token is licensed by the GPL-3.0.
All source code in src is derived from libraries found in uk.co.bmsnotts.mobilesecureit.apk, with an added BMSToken class to provide a command-line interface.
Secure-IT Token = https://play.google.com/store/apps/details?id=uk.co.bmsnotts.mobilesecureit
dnSpy = https://github.com/dnSpy/dnSpy