How to extract the TOTP secret from your Steam Authenticator, *late* 2023 Edition

It appears to be no longer possible to log in using an old version (2.x) of the Steam app, so this method no longer works.

However, not all hope is lost: There is another method that works with the current vanilla Steam app from the Play Store and has the added benefit that it does not require you to remove your old Steam Guard anymore. It does, however, involve the terminal and running Frida on both your computer and your phone. You still need root access—yes, there are ways to do it without root, but again, iffy.

Here, again, is how to do it, step by step (original instructions from here):
  1. Have the Steam app configured as a Steam Guard.
  2. Connect your phone to your computer via USB and make sure you have USB debugging enabled. You can test this by connecting your phone to your computer and running adb devices. If this is your first time doing this, your phone will likely ask you to authorize your computer for debugging. adb devices should print something like 0d5e3a4d6b3e3e2f device.
  3. Install the frida Python module on your computer (possibly using pip install frida).
  4. Download the frida-server binary (you will have to click on "Show all ... assets") for your phone's architecture (this depends on your phone; you'll most likely need either arm or arm64), unpack it and push the server binary onto your device:
    adb push frida-server /data/local/tmp/
    adb shell
    Within the adb shell, make the binary executable and run it as root:
    adb-shell$ su
    adb-shell# cd /data/local/tmp/
    adb-shell# chmod 755 frida-server
    adb-shell# ./frida-server
  5. On your computer, run this script (by MuelNova):
    import json
    import sys

    import frida

    package = "com.valvesoftware.android.steam.community"

    # JavaScript injected into the app: wraps Cipher.doFinal(byte[]) and
    # forwards every result to the host script.
    cmd = """
    'use strict';

    if (Java.available) {
        Java.perform(function () {
            // Cipher stuff
            const Cipher = Java.use('javax.crypto.Cipher');

            Cipher.doFinal.overload('[B').implementation = function (input) {
                var result = this.doFinal.overload('[B').call(this, input);
                send(result);
                // Hand the result back so the app keeps working.
                return result;
            };
        });
    }
    """


    def parse_hook(session, cmd_):
        print('[*] Parsing hook...')
        script = session.create_script(cmd_)
        script.on('message', on_message)
        script.load()


    def on_message(message, _):
        try:
            if message and message['type'] == 'send':
                # Java bytes are signed; mask them to 0..255 before decoding.
                result = bytes(b & 0xFF for b in message['payload']).decode('utf-8')
                print(json.dumps(json.loads(result), indent=2, ensure_ascii=False))
        except Exception as e:
            # doFinal results that are not JSON end up here.
            print(e)


    if __name__ == '__main__':
        try:
            print('[*] Spawning ' + package)
            device = frida.get_usb_device()
            pid = device.spawn(package)
            session = device.attach(pid)
            parse_hook(session, cmd)
            device.resume(pid)
            print('')
            # Keep the script alive until Ctrl+C / EOF.
            sys.stdin.read()
        except KeyboardInterrupt:
            sys.exit(0)
        except Exception as e:
            print(e)
    This should cause the Steam app on your phone to start with the debugger (Frida) attached.
  6. At this point, your Steam credentials should be printed on the adb shell:
    {
      "accounts": {
        "YOUR_STEAM_ID": {
          "shared_secret": "BASE_64_ENCODED_SHARED_SECRET",
          "identity_secret": "***IRRELEVANT***",
          "secret_1": "***IRRELEVANT***",
          "serial_number": "***IRRELEVANT***",
          "revocation_code": "RYOUR_REVOCATION_CODE",
          "account_name": "YOUR_ACCOUNT_NAME",
          "token_gid": "***IRRELEVANT***",
          "steamguard_scheme": 2,
          "steamid": "YOUR_STEAM_ID"
        }
      }
    }
    However, your authenticator app probably wants a base32 encoded secret, so you will need to run it through:
    echo [BASE_64_ENCODED_SHARED_SECRET] | base64 -d | base32 
  7. In your TOTP generator, add an account with the following parameters:
    Issuer: Steam
    Account name: [YOUR_ACCOUNT_NAME]
    Secret key: [BASE32_ENCODED_SHARED_SECRET_FROM_STEP_6]
  8. Verify that both your TOTP generator and the Steam app are producing the same five-character alphanumeric codes.
  9. That's it! You can now remove the frida-server binary from your phone:
    adb-shell# rm /data/local/tmp/frida-server
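
To check steps 6 to 8 offline, the following added example (not part of the original instructions or of MuelNova's script) converts a base64 `shared_secret` to base32 and computes the five-character code for a given time. The function names are made up for this example, and the code alphabet is an assumption taken from open-source Steam client libraries, not from this page; the sample secret is constructed from the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Steam Guard's 26-symbol code alphabet (assumption: taken from open-source
# Steam client libraries, not from this page).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def shared_secret_to_base32(shared_secret_b64):
    """Same conversion as `base64 -d | base32` in step 6."""
    raw = base64.b64decode(shared_secret_b64, validate=True)
    return base64.b32encode(raw).decode("ascii")


def steam_guard_code(shared_secret_b64, timestamp=None):
    """Five-character code for the 30-second step containing timestamp."""
    key = base64.b64decode(shared_secret_b64, validate=True)
    now = time.time() if timestamp is None else timestamp
    counter = struct.pack(">Q", int(now) // 30)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # RFC 4226 dynamic truncation: the low nibble of the last byte selects
    # a 4-byte window, whose top bit is cleared.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Five symbols of the Steam alphabet instead of six decimal digits.
    code = ""
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        code += STEAM_ALPHABET[index]
    return code


if __name__ == "__main__":
    # Constructed sample: base64 of the RFC 6238 test key
    # "12345678901234567890", not a real Steam secret.
    sample = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="
    print("base32 secret:", shared_secret_to_base32(sample))
    print("code at t=59 :", steam_guard_code(sample, 59))
    print("code now     :", steam_guard_code(sample))
```

With your own `shared_secret` in place of the sample, the last line should match what the Steam app shows at the same moment, provided the computer's clock is accurate.
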
Acknowledgements:
Thanks to MuelNova for the original instructions and null-dev for clarifying the base64/base32 conversion.