【Wiki Enhancement】New ways to export steam-guard on Steam3.0 for Root Android Device

[MuelNova]

Checklist

• I read and understood ASF's Contributing guidelines
• I also read Setting-up and FAQ, I don't need help, this is an enhancement idea
• My idea doesn't duplicate existing ASF functionality described on the wiki
• I believe that my idea falls into ASF's scope and should be offered as part of ASF built-in functionality
• My idea doesn't violate the Steam Subscriber Agreement
• My idea doesn't violate the Steam Online Conduct
• This is not ASF-ui suggestion

Enhancement purpose

Though steam app has upgraded to 3.0 for a while, new method for exporting steamguard was not there except to downgrade the application to 2.X.

In that case, I took some time to reverse the application and discovered few solutions, which would be easier to export steam guard without modifing the app.

In order to do that, we need frida to hook the Cipher.doFinal function.

Solution

07/17/2023 Try https://github.com/YifePlayte/SteamGuardDump, an xposed plugin to dump steam guard.

• First, Follow the Doc to set up and run frida android server on your device.

• Second, install frida module through pip or poetry.

• Third, run the script below.

import json
import frida
import sys

package = "com.valvesoftware.android.steam.community"
cmd = """
'use strict;'

if (Java.available) {
  Java.perform(function() {

    //Cipher stuff
    const Cipher = Java.use('javax.crypto.Cipher');

    Cipher.doFinal.overload('[B').implementation = function (input) {
        var result = this.doFinal.overload('[B').call(this, input);
        send(result);
    }

  }
)}
"""


def parse_hook(cmd_):
    print('[*] Parsing hook...')
    script = session.create_script(cmd_)
    script.on('message', on_message)
    script.load()


def on_message(message, _):
    try:
        if message:
            if message['type'] == 'send':
                result = "".join(chr(i) for i in message['payload'])
                print(json.dumps(json.loads(result), indent=2, ensure_ascii=False))
    except Exception as e:
        print(e)


if __name__ == '__main__':
    try:
        print('[*] Spawning ' + package)
        pid = frida.get_usb_device().spawn(package)
        session = frida.get_usb_device().attach(pid)
        parse_hook(cmd)
        frida.get_usb_device().resume(pid)
        print('')
        sys.stdin.read()

    except KeyboardInterrupt:
        sys.exit(0)
    except Exception as e:
        print(e)

if everything goes well, your steam app would be automatically opened and all your steam guards would be shown in the stdin.

Why currently available solutions are not sufficient?

For most people who don't have CorePatch (or some similar app) installed, a downgrade installation is not allowed unless the original application is uninstalled. Thus, they have to remove (if not exported before) their old steam guards in order to add new steam guard, which would take them another 15 days to wait.

With frida hook method, the initial set up might be a bit annoying. But once everything is set up, every time you add a new steam guard, all you need to do is start the "frida android server" and run the script again. You don't have to forcibly backup all your accounts' steam guard and to recover them everytime when you want to add a new steam guard.

I can't really say this is a generally-available method, but so far, this is the best and easiest way I can found.

Can you help us with this enhancement idea?

Yes, I can code the solution myself and send a pull request

Additional info

This is not the only method I discovered, see blog(Chinese) for other methods like React Native Javascript Injecting or Packet Capturing Method and detailed analyzation for new steam-guard file SecureStore.xml

[JustArchi]

It looks good enough to include it on the wiki, but before doing so I need to verify myself that this method works flawlessly, and preferably have somebody else doing the same. Thanks for bringing it up to our attention, I'll leave the issue open until I have the time and willings to give it a try.

@Abrynos @Ryzhehvost feel free to verify in the meanwhile.

[Abrynos]

Sorry. I don't even have the original Steam app installed. I can't test this.

[NellClarke]

@Nova-Noir

android 13 root by magisk 25.2
frida 16.0.5
steam app 3.0 from google play

frida is set, connect the phone with USB ADB.
run frida-ps -U will show every app on the phone, ensuring the basics are working.

use python to run your py script, the steam app will open, but nothing shows.

[MuelNova]

I'm currently using Android 12, I'm not sure if anything about Keystone was changed in Android 13.

Is it possible to hook another function to see if frida is working well?

I disassembled Steam App and confirmed that the decrypt method uses Cipher.doFinal(Byte[]), so it should work if this function is hooked correctly.

There's a problem that I never used Frida so I know few of frida script, so maybe the script is not working well? Maybe you can try to write a new script just remember to hook the Cipher.doFinal(Byte[]) method.

Or, if something was changed in Android 13 that doFinal is no longer allowed to be hooked, you can try hook the Cipher Object and then use it to decrpyt.

[NellClarke]

@Nova-Noir

I searched for some frida scripts and replace cmd in your py script, like this one.

https://github.com/berkayyildi/Frida-Android-Hooking/blob/master/AES_HOOK.txt

After steam app auto open, I enter to 2fa page and switch to show steam guard code.

I can get some output, but it seems to report an error.

'str' object cannot be interpreted as an integer

Since I'm not familiar with encryption and programming, I don't know how to modify it to make it work, but this maybe proves that frida can hook on android 13.

[MuelNova]

Thanks for your comments. I'll investigate it and test it on my android 13 emulator (this may takes few days 'cause I'm moving house)

For the error you mentioned, it is because I modified the output to make it prettier.

You can try replace the function on_message with the code below

def on_message(message, _):
    try:
        if message:
            print(message)
    except Exception as e:
        print(e)

Doing this, run the script again, you should be able to see some outputs with replaced cmd.

[wuhgit]

@iknownothingaboutgit
@Nova-Noir

Android 13 and Magisk 25.2, have the same problem also. but then solved it.

You need to force stop the Steam app and clean the cache data, note clean the cache only, not storage, DON'T DO IT WRONG, otherwise you will lose the existing TOTP data.

The python script will output errors sometimes, and the Steam app may not show any guard code and show move authenticator from other devices, don't do it at this time, My guess that is some kind of security protection probably because you injected unrelated code.

End the python script, kill the Steam app, clear the cache, and run the python script again, until successful.

I probably tried five or six times before I succeeded.

I have two steam accounts, stored the data I got with python script in separate maFile with bot name, imported them in ASF-UI, and now everything works fine!

Big thanks to @Nova-Noir 🎉

[MuelNova]

Oh yes! This could be the issue as my steam was always re-installed for test.

Maybe steam will decrypt the data only when it can't find the decrypted data stored, thus, we might be able to find a more efficient way to get the decrypted data.

For the problem you mentioned that steam asks to move the authenticator from other devices, it is because that the script blocks Steam's original function, and then it will call the original function after we get the data. Thus, if any error occured, the script will still block the function but no calls to the original function. Because no value returns, Steam then think that there's no any guard on this device.

Thanks for your test and solution!@wuhgit

[NellClarke]

@Nova-Noir @wuhgit

I made it!
you guys rock!

[Uklosk]

Hi, I get a timeout when running frida-ps -U to check the frida-server connection.

The server seems to be running without errors.

[qaq112233]

I have a same problem with you in MIUI13(Android12),Win11,Frida16.0.7.
Everything goes well until running frida-ps -U,then it can't find my device.Have you fix the problem?
I have no idea with it.

[MuelNova]

I'm not sure what had happened, could you provide more info / log?

[MuelNova]

@wuhgit But I still have a question there. From what I have discovered, the script hooks the Cipher.doFinal method, and it will be called whenever the app launches ( As I mentioned in my blog, I changed index.android.bundle using React to print the json. However, it will call the function using Cipher.doFinal and later store the decrypted data in memory, which uses to show the TOTP codes )
If so, there isn't anything about steam guard that cache will store.
But from your comments, there seems to be something with cache? IDK what exactly has happened now :(

[wuhgit]

@Nova-Noir

I can confirm that I must clear the cache to make the script work. otherwise, the script will not have any output.

I created a new authenticator a few days ago because I need totp-secret for password manager, this seems to be only available by capturing network packets when first requested.

After I got the totp-secret, I use your script for ASF again. as I said, kill the Steam app first, then clear the cache, run your script, I got everything I need.

[xPaw]

I've suggested it before, but this method of setting up authenticator on multiple "devices" gives you the same secrets, so this method should still work using steamctl without root: https://github.com/ValvePython/steamctl#previews

[JABirchall]

Your a lifesaver. This method works great, simply autheticating 2 devices on the same 2fa.

[JustArchi]

ASF could in theory do the same.

For somebody who doesn't have 2FA set up yet:

• Set up ASF and let it log in
• Use some new command such as !2fainit
• ASF would hand out secrets from adding auth
• Then user adds auth on his mobile phone or whatever else
• User can now use the same secrets handed out by ASF for ASF and also other apps (if needed)

This is insane security hole. I don't know how I should feel about making it possible sigh.

[JustArchi]

@Nova-Noir sorry for delay, I was really busy this last month-two dealing with MatchActively and other stuff, but I didn't forget about this issue.

I presume that https://novanoir.moe is your website, judging by your username. Would you be so kind to offer the original article under https://novanoir.moe/en/blog/2022/11/20/%E3%80%90ROOT%20Android%E3%80%91Steam%203.0%20%E5%AF%BC%E5%87%BA%E4%BB%A4%E7%89%8C%E7%9A%84%E6%95%B0%E7%A7%8D%E6%96%B9%E6%B3%95/ in English perhaps? I think you deserve the credit for finding out about this method and documenting it like you did, and I'd be happy to link to your website for updated steps (if any) and further explanation.

I plan to get down to verifying this method in following days, if it works as described I plan to write a very simplified guide on how to get it working and then link to your website for additional details and original credit, hence why I believe it'd be of great help if the article was also available in English 🙂

[MuelNova]

Sure, but it may takes days as I'm still preparing for my final exams. I will update the English version and also add some details then.

[JustArchi]

Don't worry, I know a thing or two about that 😅, no need to hurry, good luck in your exams! 👍

[JustArchi]

Gave it a try but it doesn't work for me. In particular frida-server looks like permanently frozen after start, tried both arm and arm64 version, no go.

Therefore the script gives:

[*] Spawning com.valvesoftware.android.steam.community
timeout was reached

Doesn't seem like viable option considering it didn't work on my rooted LineageOS, let alone other ROMs and devices. Tried with 16.0.8 and 15.2.2, no luck.

[JustArchi]

Made it work using 15.2.2, Steam app opens but nothing further happens:

[*] Spawning com.valvesoftware.android.steam.community
[*] Parsing hook...

Maybe the script doesn't work with latest Steam beta version. I did try your suggestion of forcing Steam app to stop and cleaning its cache, didn't work.

It's definitely not robust enough to consider for now, maybe it'd make more sense to find out how to efficiently decrypt what Steam has stored in its encrypted file instead - since we're on rooted device, an option is to impersonate official Steam community app and force the OS to hand out decryption keys that would allow us to read SecureStorage.xml. I'm not an Android expert and neither I have the time to dig into this now, but if official Steam app is able to request OS to decrypt those files, then by definition root user that controls whole OS is able to do the same, the only question remains how difficult that is.

I'm converting this issue into a discussion, since there is nothing to do for now in regards to wiki improvements.

[MuelNova]

@JustArchi For that, I have done that by replacing the NativeReact file in Steam App. By doing that, we can get a console output contains decryped steamguard everytime when we open the Steam App.(This is also written in my blog)

This is pretty easy to do, and I have few people tested it, it works well for now.

If you wish, I can write it here or open a new issue for people to test it.

I didn't talk this method at first because I think frida way is safer, as frida doesn't need to change the original app. But this way, however, you have to modify the original steam app(it pretty easy though), and allow your device to install the application without verifying the signatures (I'm not sure if re-sign would work, I know little about this and I haven't test it)

Steam is using KeyStone to generate the encrypt/decrpyt object, and all my Google searches show that frida is the best way to bypass it, and seem no hope to hijack the Key and Secret.
I guess the script would work better if someone can rewrite the script ( I know nothing about Frida before so I just copied and edited their example so there must be some problems )

[MuelNova]

Made it work using 15.2.2, Steam app opens but nothing further happens:

[*] Spawning com.valvesoftware.android.steam.community
[*] Parsing hook...

Maybe the script doesn't work with latest Steam beta version. I did try your suggestion of forcing Steam app to stop and cleaning its cache, didn't work.

It's definitely not robust enough to consider for now, maybe it'd make more sense to find out how to efficiently decrypt what Steam has stored in its encrypted file instead - since we're on rooted device, an option is to impersonate official Steam community app and force the OS to hand out decryption keys that would allow us to read SecureStorage.xml. I'm not an Android expert and neither I have the time to dig into this now, but if official Steam app is able to request OS to decrypt those files, then by definition root user that controls whole OS is able to do the same, the only question remains how difficult that is.

I'm converting this issue into a discussion, since there is nothing to do for now in regards to wiki improvements.

By the way, can I know your steam version and Android version?

[JustArchi]

Sure, Android 12 with Steam 3.3.

[duall]

Worked first try on Android 13, Steam 3.5. 👍

[JABirchall]

Using Steamctl to resetup 2fa on both steam app and steamctl worked for me.
Now just gotta find the mafiles from steamctl

[hxka]

It's in ~/.local/share/steamctl/authenticator/{login}.json. You can just copy it to ArchiSteamFarm/config/{botname}.maFile.

[JustArchi]

Thanks to @Ryzhehvost and our recent efforts on 2FA plugin, it's now possible to duplicate authenticator much easier due to "oversight" on Steam's part also on non-rooted phones.

[MuelNova]

That's great! But I didn't see the details through commits or PR. Is it still working in progress?

[JustArchi]

That's great! But I didn't see the details through commits or PR. Is it still working in progress?

https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Two-factor-authentication#joint-authenticator

[artlp]

I get

[*] Spawning com.valvesoftware.android.steam.community
device not found

when running python script, what to do?

[MuelNova]

Try https://github.com/YifePlayte/SteamGuardDump.

[Blackflexxy]

Unfortunately, I got this while running the script using CrDroid 9.6 (Android 13), Magisk 26.1 and Steam 3.6.3
I tried stopping the app, clearing the cache, enabling airplane mode, but nothing helped

UPD: this comment helped: frida/frida-core#376 (comment)

[MuelNova]

Try https://github.com/YifePlayte/SteamGuardDump.

[MuelNova]

https://github.com/YifePlayte/SteamGuardDump There's an Xposed plugin to dump Steam Guard.

[MuelNova]

BeyondDimension/SteamTools#2598 Check this issue for details.

[MuelNova]

@JustArchi I think this one work perfect.

[hsingll]

test serveral times and always failed.

[MuelNova]

Try https://github.com/YifePlayte/SteamGuardDump.

[hsingll]

worked after disable USAP

[rejedai]

I have extracted the data, can anyone tell me how to generate the secret code for the password manager?

I mean old totp uri Steam:account?secret=SADFSADFQ345HFDGHFDGHFDGH&issuer=Steam

[rejedai]

Figured out, need to convert shared_secret from base64 to base32.

import base64

encoded_secret = "YOUR SHARED SECRET"
decoded_secret = base64.b64decode(encoded_secret)

encoded_secret_base32 = base64.b32encode(decoded_secret)

print(encoded_secret_base32)

[krestaino]

I was getting hung up on [*] Parsing hook... using Steam 3.7.7. I got it working by downgrading Steam to 3.0.0. The script then worked on the first try. So, try downgrading if this script isn't working for you.