Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

About alternative rooted solution #10

Open
Victor239 opened this issue Oct 14, 2022 · 4 comments
Open

About alternative rooted solution #10

Victor239 opened this issue Oct 14, 2022 · 4 comments

Comments

@Victor239
Copy link

Hello, you suggested device:/ # cat /data/data/com.valvesoftware.android.steam.community/files/*, which key is it? I tried both the AuthToken and RefreshToken in Aegis Authenticator but it couldn't import as it said it wasn't in base32.
@flnnhuman
Copy link

tokens from RKStorage are jwt tokens

@soar
Copy link
Contributor

soar commented Dec 9, 2022

I've spent a lot of time trying to find a token. It looks like it should be a file called Steamguard-* in /data/data/com.valvesoftware.android.steam.community/files/, but there are no such files. Something changed in the app, I suppose.

The only file I found was /data/data/com.valvesoftware.android.steam.community/shared_prefs/SecureStore.xml:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="SteamGuard_1">{...}</string>
</map>

It seems to me, that it holds the token. But it is another story.

@acuifex
Copy link

acuifex commented Feb 5, 2023
edited
Loading

if someone stumbles on this from google:
https://novanoir.moe/blog/2022/11/20/%E3%80%90ROOT%20Android%E3%80%91Steam%203.0%20%E5%AF%BC%E5%87%BA%E4%BB%A4%E7%89%8C%E7%9A%84%E6%95%B0%E7%A7%8D%E6%96%B9%E6%B3%95/

cd /tmp; wget "https://github.com/frida/frida/releases/download/16.0.8/frida-server-16.0.8-android-arm64.xz"
unxz frida-server-16.0.8-android-arm64.xz
sudo adb root
sudo adb push frida-server-16.0.8-android-arm64 /data/local/tmp/
sudo adb shell "chmod +x /data/local/tmp/frida-server-16.0.8-android-arm64"
sudo adb shell "/data/local/tmp/frida-server-16.0.8-android-arm64"

yay -S aur/python-frida # use your brain here
cd /tmp; wget https://gist.githubusercontent.com/acuifex/1b80ac3490381801c79f9ea20ab763f4/raw/2540e65f18948e8650bcd1b83b97f2aca4dda1c6/dump.py
# if raw link somehow goes bad: https://gist.github.com/acuifex/1b80ac3490381801c79f9ea20ab763f4
python3 ./dump.py
# enter into guard section in the steam app on your phone

# clean up the server
sudo adb shell "rm /data/local/tmp/frida-server-16.0.8-android-arm64 /data/local/tmp/re.frida.server/"

@autodistries
Copy link

autodistries commented Mar 16, 2024
edited
Loading

I might add that the time my comment is written, the previous answer no longer outputs the direct otp code.
Instead it's something like

{
 "accounts": {
  "NUMBERS": {
  "shared_secret": "som/ething=",
  "identity_secret": "something=",
  "secret_1": "something=",
  "serial_number": "a number",
  "revocation_code": "the backup code",
  "account_name": "your account name",
  "token_gid": "some token",
  "confirm_type": 3
 }
}
}

To get the otp code, copy the shared_secret, decrypt base64 and encrypt to base32 :

echo "<shared_secret>" | base64 -d | base32

(found from beemdevelopment/Aegis#390 (comment))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@soar @Victor239 @flnnhuman @acuifex @autodistries and others