Skip to content

Instantly share code, notes, and snippets.

@hacker1024

hacker1024/mygov_totp_storage.md

Last active September 22, 2024 09:20
Show Gist options
  • Save hacker1024/5d0845863e2dced27fd5eebc4ac95a39 to your computer and use it in GitHub Desktop.
Save hacker1024/5d0845863e2dced27fd5eebc4ac95a39 to your computer and use it in GitHub Desktop.
Download ZIP
Information about TOTP token storage in the myGov Code Generator app, as well as token extraction instructions.
Raw
mygov_totp_storage.md

This gist contains information about TOTP token storage in the myGov Code Generator app, along with instructions on how to extract tokens.

App data

Structure

/data/user/0/au.gov.dhs.centrelink.mygovauthenticator:
├───files
│       myGov.ks
│       sharedSecret
│
└───shared_prefs
        au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml

Details

  • myGov.ks: A BKS keystore containing a private RSA-256 key used to decrypt the contents of sharedSecret (after decoding the base64 data). The key is called sharedSecret, and uses the hard-coded password of km5QzJJ5NhfGymfp.
  • sharedSecret: The encrypted TOTP token. The encrypted data is stored in base64 form, and decrypts to more base64.
  • au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml: An XML file containing the IV used to decrypt sharedSecret along with the key in myGov.ks, as well as the myGov.ks keystore password.

TOTP format

The TOTP token must be used with the SHA512 algorithm, and the standard 6-digit length and 30 second period.

Example URI: otpauth://totp/myGov?secret=<BASE32_ENCODED_SECRET>&algorithm=SHA512

Note that some apps like Google Authenticator and Authy do not handle SHA512 properly. BitWarden, for example, does.

Manual instructions

  1. Gain access to the files shown above
  2. Use the keyStorePwd in au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml to open myGov.ks with a tool like KeyStore Explorer
  3. Use the password km5QzJJ5NhfGymfp to access the sharedSecret key

At this point, you can use this CyberChef recipe to generate a URI, or continue manually:

  1. Decode the base64 data in the sharedSecret file
  2. Use the sharedSecret key, along with the sharedSecret_iv in au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml, to decrypt the decoded sharedSecret file contents with AES-256-CBC
  3. Convert the decrypted sharedSecret file contents from base64 to base32, removing any = padding from the end.
  4. Generate a URI with the properties specified above
@K1ngJony
Copy link

Any advice on how to get the files in the first place? I've tried adb backup but it comes up empty

@hacker1024
Copy link
Author

Any advice on how to get the files in the first place? I've tried adb backup but it comes up empty

@K1ngJony You'll need a rooted device (or one with file access from a recovery environment). Perhaps an Android emulator would work as well - I'm not sure if the app uses SafetyNet.

@Jarodwr
Copy link

Jarodwr commented Jul 6, 2023

Attempted to do this from bluestacks and didn't have any success, couldn't get access to the app data at that path (I assume it's to do with that safetynet thing you talked about)

@rogerkeays
Copy link

rogerkeays commented Aug 16, 2023
edited
Loading

Sublime.

I only hit a couple of obstacles. Firstly, I found the files in /data/data/au.gov.dhs.centrelink.mygovauthenticator on my device. Secondly, I couldn't cut and paste the secret directly into my authenticator because the textbox truncated the data. I converted the URI to a QR code using https://qr-creator.com/url.php and it worked perfectly.

Thanks for this. Love your work!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment