How to extract the TOTP secret from your Steam Authenticator, *late* 2023 Edition
It appears to be no longer possible to log in using an old version (2.x) of the Steam app, so this method no longer works.
However, not all hope is lost: There is another method that works with the current vanilla Steam app from the Play Store and has the added benefit that it does not require you to remove your old Steam Guard anymore. It does, however, involve the terminal and running Frida on both your computer and your phone. You still need root access—yes, there are ways to do it without root, but again, iffy.
Here, again, is how to do it, step by step (original instructions from here):
- Have the Steam app configured as a Steam Guard.
- Connect your phone to your computer via USB and make sure you have USB debugging enabled. You can test this by connecting your phone to your computer and running adb devices. If this is your first time doing this, your phone will likely ask you to authorize your computer for debugging. adb devices should print something like 0d5e3a4d6b3e3e2f device.
- Install the frida Python module on your computer (possibly using pip install frida).
- Download the frida-server binary (you will have to click on "Show all ... assets") for your phone's architecture (this depends on your phone; you'll most likely need either arm or arm64), unpack it and push the server binary onto your device:
    adb push frida-server /data/local/tmp/
Then, within the adb shell, make the binary executable and run it as root:
    adb shell
    adb-shell$ su
    adb-shell# cd /data/local/tmp/
    adb-shell# chmod 755 frida-server
    adb-shell# ./frida-server
- On your computer, run this script (by MuelNova):
    import json
    import sys

    import frida

    package = "com.valvesoftware.android.steam.community"

    # JavaScript injected into the app: hook Cipher.doFinal(byte[]) and
    # send every result back to this script.
    cmd = """
    'use strict';
    if (Java.available) {
        Java.perform(function () {
            // Cipher stuff
            const Cipher = Java.use('javax.crypto.Cipher');
            Cipher.doFinal.overload('[B').implementation = function (input) {
                var result = this.doFinal.overload('[B').call(this, input);
                send(result);
                return result;  // hand the result back to the app
            };
        });
    }
    """


    def on_message(message, _):
        try:
            if message and message['type'] == 'send':
                # Payload is a list of byte values; mask to 0..255 in case
                # they arrive signed, then decode as UTF-8.
                result = bytes(b & 0xFF for b in message['payload']).decode('utf-8')
                print(json.dumps(json.loads(result), indent=2, ensure_ascii=False))
        except Exception as e:
            # Results that are not JSON end up here; report and carry on.
            print(e)


    def parse_hook(session, cmd_):
        print('[*] Parsing hook...')
        script = session.create_script(cmd_)
        script.on('message', on_message)
        script.load()


    if __name__ == '__main__':
        try:
            print('[*] Spawning ' + package)
            device = frida.get_usb_device()
            pid = device.spawn(package)
            session = device.attach(pid)
            parse_hook(session, cmd)
            device.resume(pid)
            print('')
            sys.stdin.read()  # keep running until Ctrl-C / EOF
        except KeyboardInterrupt:
            sys.exit(0)
        except Exception as e:
            print(e)
This should cause the Steam app on your phone to start with the debugger (Frida) attached.
- At this point, your Steam credentials should be printed on the adb shell:
    {
      "accounts": {
        "YOUR_STEAM_ID": {
          "shared_secret": "BASE_64_ENCODED_SHARED_SECRET",
          "identity_secret": "***IRRELEVANT***",
          "secret_1": "***IRRELEVANT***",
          "serial_number": "***IRRELEVANT***",
          "revocation_code": "RYOUR_REVOCATION_CODE",
          "account_name": "YOUR_ACCOUNT_NAME",
          "token_gid": "***IRRELEVANT***",
          "steamguard_scheme": 2,
          "steamid": "YOUR_STEAM_ID"
        }
      }
    }
However, your authenticator app probably wants a base32 encoded secret, so you will need to run it through:
    echo [BASE_64_ENCODED_SHARED_SECRET] | base64 -d | base32
- In your TOTP generator, add an account with the following parameters:
    Issuer: Steam
    Account name: [YOUR_ACCOUNT_NAME]
    Secret key: [BASE32_ENCODED_SHARED_SECRET_FROM_STEP_6]
- Verify that both your TOTP generator and the Steam app are producing the same five-digit alphanumeric codes.
- That's it! You can now remove the frida-server binary from your phone:
    adb-shell# rm /data/local/tmp/frida-server
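As an added example (not part of the original post or of MuelNova's script), this Python does the base64-to-base32 conversion from the steps above and computes the Steam Guard code for a given time, so you can check the verification step without putting the secret on a shell command line. The 26-symbol alphabet and the 30-second HMAC-SHA1 time step are how Steam Guard codes are commonly implemented and are not stated on this page; the sample secret is the RFC 6238 test key, constructed for the demo.

```python
import base64
import getpass
import hashlib
import hmac
import struct
import time

# Symbols Steam Guard uses in place of decimal digits (assumption, not from the page).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

# Constructed sample: base64 of the RFC 6238 test key b"12345678901234567890".
DEMO_SHARED_SECRET_B64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="


def shared_secret_to_base32(shared_secret_b64):
    """Same result as `echo ... | base64 -d | base32`."""
    # validate=True rejects stray characters instead of silently skipping them.
    raw = base64.b64decode(shared_secret_b64.strip(), validate=True)
    return base64.b32encode(raw).decode("ascii")


def steam_guard_code(secret_b32, unix_time=None):
    """Five-character Steam Guard code for unix_time (default: now)."""
    key = base64.b32decode(secret_b32.strip(), casefold=True)
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // 30  # 30-second time step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # RFC 4226 dynamic truncation: low nibble of the last byte picks the offset.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Steam maps the 31-bit value to five symbols instead of decimal digits.
    code = ""
    for _ in range(5):
        value, idx = divmod(value, len(STEAM_ALPHABET))
        code += STEAM_ALPHABET[idx]
    return code


if __name__ == "__main__":
    # Prompt without echo so the secret stays out of shell history;
    # pressing Enter falls back to the constructed sample.
    entered = getpass.getpass("shared_secret (base64, Enter for sample): ")
    b32 = shared_secret_to_base32(entered or DEMO_SHARED_SECRET_B64)
    print("base32 secret:", b32)
    print("current code :", steam_guard_code(b32))
```

If the code printed here matches the Steam app but your TOTP generator shows six digits, the generator is treating the entry as standard TOTP rather than as a Steam account.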
Thanks to MuelNova for the original instructions and null-dev for clarifying the base64/base32 conversion.