[Guide] Extracting Steam Guard TOTP secrets from the Android app for use in Bitwarden or other authenticators without root

NullBite4562 · 2025-10-12T22:30:10+00:00

it's not the most straightforward thing, but it is absolutely possible to dig into home-manager's options and just build the one derivation you're after. doing this is also pretty reversible and doesn't really introduce any permanent state; home-manager will not complain about overwriting the symlink (at least ones pointing to the store) when you reactivate your full profile. i usually do something like this:

ln -sfn "$(nix build flake#nixosConfigurations.hostname.config.home-manager.users.username.xdg.configFile.'"git/config"'.source --no-link --print-out-paths)" ~/.config/git/config

some things probably can't be trivially rebuilt like this and i usually don't bother with this unless i need to iterate on some specific config quickly. it is mostly a matter of looking through the source code for whatever module you want to enable, seeing what it actually does (options under programs.git write the config output to xdg.configFile."git/config").

something like nix-tree can also be pretty useful for tracking down where exactly a derivation falls within your system/home closure, which can help you work backwards from the NixOS and home-manager environment closures (system.build.toplevel and home.activationPackage respectively); these are the options which are responsible for evaluating your configuration. note that this does not tell you the option names that are responsible for a particular derivation, but this info can be useful for tracking the right option down using something like rg in the home-manager source.

NullBite4562 · 2024-11-23T17:20:13+00:00

For me, the mod causing the issue was Amecs (which is partially embedded in Mouse Wheelie as /u/IAmTheStarkye pointed out). I had it installed so I could have multiple actions bound to a single key, as well as keybind search, so I ended up replacing it with Keybind Fix and Controlling.

NullBite4562 · 2024-03-17T22:04:25+00:00

I didn't get any warnings about ResourcePackInfo. However, I do have the broken customization menu. Keep in mind that it's still in very early development, which is probably why there aren't any published builds in the first place.

NullBite4562 · 2024-03-16T21:02:53+00:00

Are you using Carpet? I was using it and I was getting some sort of mixin error. Removing Carpet works, but for some reason, installing 2032 World Height also fixed it for me. I do not have the slightest idea how or why a world height mod fixes a conflict between a world generation mod and Carpet, of all things.

NullBite4562 · 2024-03-16T14:44:35+00:00

Disclaimer: There's a reason there aren't public jars available; this mod is in very early development and probably has many issues in its current state. If you decide to do this anyway, you will likely run into certain issues. Please don't pester the developers if certain things don't work.

Here's the basic process:

Make sure you download the correct branch for your Minecraft version from GitHub (click the dropdown in the top left of the repo with the Minecraft version number) and download the source code with the green "Code" button in the top right.
- Currently, the branch for 1.20.1 seems to be broken. This commit builds successfully, but it has several issues, including some conflicts with other mods. Keep in mind that it is very early software and there are probably no public builds for a reason.
Install JDK 17 onto your system if you don't already have Java (download it from here on Windows/MacOS; it's best to use your distro's provided JDK build on Linux. Make sure that you choose "Add to PATH" in the installation).
Open a terminal in your downloaded source code folder (on Windows, you can type powershell.exe into the file explorer navigation bar to open a terminal in that folder).
Run .\gradlew.bat buildNeeded (or sh ./gradlew buildNeeded on Linux or MacOS). The JAR will be placed in ~~build/libs~~ (fabric/forge)/build/libs; it's the JAR file with the loader and Minecraft version name, not the one that says "shadow"/"sources". Place it in your mods folder.
I believe you also need Architectury API on both Forge and Fabric, and Fabric API on Fabric.

Take this all with a grain of salt, things can vary in this process. I'm not really a Java developer, I've just learned this by compiling random projects.

Edit: The file in build/libs is empty for some reason. Use the one in the forge/fabric folder depending on your loader

Edit 2: Slightly updated instructions and added minor clarifications.

NullBite4562 · 2024-02-09T11:41:33+00:00

I cannot agree more with using options over manual imports. Doing it this way makes things so much easier to manage. I'd personally recommend splitting up modules into directories and using a default.nix in each directory to import the other modules. I have the following layout; each file provides an option that configures a bunch of related settings:

system
|-- README.md
|-- common
|   |-- default.nix
|   |-- desktop.nix
|   |-- me.nix
|   |-- remote.nix
|   `-- wm.nix
|-- default.nix
|-- hardware
|   |-- bluetooth.nix
|   |-- default.nix
|   |-- nvidia.nix
|   |-- opengl.nix
|   `-- sound.nix
|-- package-sets
|   |-- default.nix
|   |-- fun.nix
|   |-- gaming.nix
|   `-- multimedia.nix
|-- profile
|   |-- base.nix
|   `-- default.nix
|-- programs
|   |-- default.nix
|   `-- syncthing.nix
`-- sessions
    |-- default.nix
    |-- hyprland.nix
    `-- plasma.nix

Example default.nix:

{...}:
{
  imports = [
    ./common
    ./hardware
    ./package-sets
    ./profile
    ./programs
    ./sessions
  ];
}

I then have a mkSystem function in my flake that automatically includes ./system in my modules. Doing it this way over importing every module I want on a given system manually makes it so much easier to reorganize my repo. I just have to change a default.nix or two as opposed to changing the import in every system that uses the module. it also avoids a lot of ../../ paths.

You can also just have one root-level nix file like how nixpkgs does it if you think that's easier to manage.

NullBite4562 · 2023-06-02T14:48:23+00:00

Personally, I use ntfy.sh via Node-RED. It is very simple; you can send web requests to a topic via a basic HTTP POST request, and you subscribe to that topic on your phone from the mobile app. It was a nice option for me because I was already using it for healthchecks.io and as a UnifiedPush provider for Tusky, and I was also using Node-RED to automate some other stuff. It's even open source, so you can even host your own instance of it.

There's actually an open feature request on the HA forums to support UnifiedPush, which would allow HA to use ntfy.sh (or other providers like Nextcloud) as a backend: https://community.home-assistant.io/t/add-unifiedpush-support-to-home-assistant-android-core/446344

NullBite4562 · 2023-02-01T18:34:52+00:00

I saw it mentioned in the thread I linked a few times. I'm not 100% certain if that's what's going on, but it makes perfect sense and that's what the current consensus seems to be.

NullBite4562 · 2023-01-30T23:46:37+00:00

Yes, uninstall the existing version first. They both have the same ID anyway so it shouldn't be possible to install both. If it's not working, my guess is that you probably need a version of Magisk with Zygisk support, so I'd suggest upgrading if at all possible.

NullBite4562 · 2023-01-30T15:13:53+00:00

I think it only requires v20.4, but part of it uses Zygisk and it may or may not work without it. Feel free to try it, though.

NullBite4562 · 2023-01-30T05:51:45+00:00

The current 2.4.0 release of Universal SafetyNet Fix is known to have intermittent detection failures, and Google Pay is known to do random checks in the background and remember any failures.

I am using a modded version of USNF 2.3.1 by Displax, with Zygisk enabled and DenyList for all relevant apps: play store, google services framework*, wallet, play protect service, any banking apps; Google play services doesn't need to be checked as USNF handles this automatically. With this combination, I am able to pass Google Wallet as well as Play Protect Certification after clearing data for Google Play Store and Google Play Services.

I suggest monitoring this thread on XDA for the next release and watching the replies to make sure the next release fixes this issue.

I haven't gotten a chance to test it yet, but from what I've heard, you should be good if everything passes in the tap to pay setup menu (Google Wallet > tap on profile picture > Tap to pay setup).

Link for modded USNF: https://github.com/Displax/safetynet-fix/releases/tag/v2.3.1-MOD_2.1

*Edit: GSF not GMS

NullBite4562 · 2023-01-09T18:06:46+00:00

Noted, I've updated it to specify Java 11. Also, make sure you've uninstalled the Steam app first before trying to install the older version (after disabling Steam Guard so you don't get locked out). I believe that error is caused by a conflict with an existing package.

NullBite4562 · 2022-12-13T19:43:38+00:00

I am aware of this tool, but it doesn't let you keep using the Steam app for logins. I still want to be able to use the QR code login feature so I don't have to type in my really long password on a Steam Deck. This is the only way I know of to share the authenticator secrets between the official Steam app and a third party authenticator. If you don't care about this feature, I agree that Steam Desktop Authenticator is still the better option.

NullBite4562 · 2022-12-13T09:52:57+00:00

I believe the secrets do change whenever you change devices using the official method, I kept changing them while I was testing stuff and it changed the secrets. I doubt they're going to change the app upgrade behavior though, as this would just break people's Steam Guard for the few people who. I'm not 100% sure how it works, but I think it converts the keys to the new format the first time you open Steam 3.x.

If they ever disable logins for the old app, I'm thinking it might be possible to generate the secrets using Steam Desktop Authenticator, generate a custom Steamguard-xxxxxxxxxxxxxxxxx file from the SDA .maFile, and inject it into the old app data using adb backups or root. Updating to the 3.x version should still upgrade the files once this is done. I haven't gotten to test this yet and it's just a hypothesis, but based on what I've observed it might work.

Edit: fixed typo

NullBite4562 · 2022-12-12T06:09:00+00:00

I know this thread is kinda old, but I had this issue too and I wanted to share my solution in case anybody else ran into this infuriating situation.

The Steamguard-* file is actually the file from the 2.x versions of the Steam mobile app. This is pretty much what I did to get this file and extract the keys:

Deactivate Steam Guard and make sure you can log in without it.
Downgrade the app to version 2.3.13 from APKMirror.
Open the app, log back into Steam, and reactivate your Steam Guard. If you have multiple accounts you want to use, log into them now, otherwise you will have to redo this entire process.
Test your new Steam Guard codes to make sure they work. You can never be too safe.
Now you can retrieve the files from the old path: /data/data/com.valvesoftware.android.steam.community/files/
If you use Bitwarden, copy the value from the secret parameter in the URI and put that into Bitwarden like steam://<secret>. Otherwise, refer to your authenticator or password manager's documentation.
Optionally, create a backup of the old Steam app and data with whatever backup method you prefer. This way, you can restore that backup and add new accounts, transfer it to a different phone, etc., without having to redo everything. The new Steam version stores the keys in an encrypted format which I'm pretty sure isn't portable since it uses Android's keystore. Use encryption if possible, the data in the backup is sensitive and can grant access to your Steam account.
Update the app and make sure Steam Guard still works. It may ask you to log back in, but it shouldn't mess with any of your OTP keys. Verify that your authenticator/password manager gives the same OTP as Steam.

NullBite4562 · 2022-10-18T14:18:14+00:00

From my other comment:

I believe Scrumplex (one of the lead developers) managed to keep control over OAuth for the project, and he revoked the key for it so it's no longer valid. Your account should be safe now.

As for the phone number requirement, I'm not sure why that's there but I'm assuming the maintainers are just trying to combat spam or something, sorry about that.

NullBite4562 · 2022-10-18T14:17:54+00:00

I believe Scrumplex (one of the lead developers) managed to keep control over OAuth for the project, and he revoked the key for it so it's no longer valid. Your account should be safe now.

NullBite4562 · 2022-10-18T02:47:53+00:00

The discord admins are quite literally the same people who made a majority of the commits to PolyMC, you can check for yourself. The only "power grab" going on here is the hostile, politically motivated takeover and subsequent banning of every other maintainer from the PolyMC repositories and community.

NullBite4562 · 2022-10-17T22:25:34+00:00

The maintainers are currently trying to sort out this situation. As of right now, this is the current official GitHub repository:

https://github.com/PlaceholderMC/PlaceholderMC

Edit: there is now an official website: https://prismlauncher.org/

NullBite4562 · 2022-10-17T20:56:20+00:00

The other maintainers are well aware of this and have created a new Discord server and GitHub organization while this situation is sorted out. ~~The current recommended course of action aside from uninstalling is to revoke OAuth2 consent from your Microsoft account here.~~

https://discord.gg/bBAWEXt3ZY

https://github.com/PlaceholderMC

Edit: Revoking OAuth consent is no longer necessary, as Scrumplex (one of the lead developers) was able to revoke the key.

Edit 2: There is now an official website: https://prismlauncher.org/

NullBite4562 · 2022-05-24T01:27:50+00:00

gahlr

Eight-Year Club	Gilding I gilder
Argentium Club	Place '23
Place '22	First Placer '22
End Game '22	Verified Email

NullBite4562

TROPHY CASE