bna restore: bna.http.HTTPError: mobile-service.blizzard.com returned status 502 #38
Comments
If you want to fix it and submit a patch, I will review and merge it, but in general I don't have a way of actively maintaining it.
I am guessing the overall method for the API is different now, so it's not working... It's been 10 years since I worked with Python, so I'll just use the iOS authenticator.
Yes, as Blizzard deprecated the Battle.net Authenticator and replaced it with Battle.net Messenger with the authenticator included, they probably changed the API endpoints. I already looked a little bit at how the new one works but didn't find anything.
I tracked the DNS requests and found the domain authenticator-rest-api.bnet-identity.blizzard.net, which has a Swagger UI (don't know why Blizzard has that documentation online, because I don't think they want third-party implementations): https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device. deviceSecret is the secret as hex. The biggest issue is that you need OAuth 2.0 with a specific scope that is probably not available this way: https://develop.battle.net/documentation/guides/using-oauth
Is it possible to get that scope by snooping in the app binary or something?
The scope is auth.authenticator (you can see it on the Swagger page if you press the Authorize button). I don't have much time at the moment, so I won't look further into the OAuth auth with this scope.
Now this gets my interest. I'm writing a simple Rust binary for this. (I hate installing fuckloads of libraries lol) Hopefully done this weekend if I don't hit any roadblocks.
Yup. Turns out you can't just ask for the auth.authenticator scope and be granted it. I tried authenticating with various scopes plus that scope, but it turns out directly asking for auth.authenticator as some random app is just impossible; it gets silently blocked. I tried entering the access token into the authenticator Swagger, no joy, saying "must-revalidate" after trying out one of the URLs. This is what I got from redirecting to the Swagger:
We need another approach for this. Maybe even some gray-area methods by trying to get the Battle.net app info. For now, I can try sniffing the REST GETs and POSTs of the app with Wireshark androiddump and see if there's something that can be useful.
The API works with the extracted device key from the Battle.net app. So yes, that's the way it should work.
@mx03 how do you extract the device key? And also we need a way to either distribute the key (kind of a grey area legally) or provide a way for people to reliably extract the device key. Once done, I can finish my implementation within a few days.
Sorry, I meant the client ID. It's stored on an Android device in this file under

```xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.blizzard.messenger.AUTHENTICATOR_CREDENTIALS_ENCRYPTION_TYPE">AES</string>
    <boolean name="com.blizzard.messenger.AUTHENTICATOR_SETUP_POSTPONE_LOGIN" value="false" />
    <string name="com.blizzard.messenger.AUTHENTICATOR_RESTORE_CODE">Y</string>
    <string name="com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID">C</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET">X</string>
    <string name="com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_HOST_URL">oauth.battle.net</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_BGS_REGION_CODE">EU</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_SERIAL">R</string>
    <long name="com.blizzard.messenger.AUTHENTICATOR_SERVER_TIME_DIFF" value="0" />
</map>
```
LOL IT FUCKING WORKED HAHAHAHAHA THANK YOU SO MUCH @mx03. Sadly that forces everyone to download the app and log in once before getting the client ID. Are you actually sure about the client ID being per-user? I'm gonna test with different accounts later if you haven't tried that. And would non-rooted users be able to access that directory? For those waiting for an app to automate these steps (only slightly, due to the way of getting the client ID/device secret), this is what I did:
Maybe there is an API that allows us to grab a custom per-user client ID like the app does, but that's highly improbable.
As the app has certificate pinning, I haven't had the time to look into more details, but it shouldn't be hard to do an OAuth auth like the app and get the client ID.
@mx03 does your client ID start and end with 'b' and 'a' respectively? Because if so, the client ID is the same everywhere. I tried with two accounts and it is the same. Just wondering if it's also the same on all devices. Just wondering because maybe we can just distribute the client ID, since it's hard/impossible for people without rooted phones to get the client ID anyway.
Yes, it starts with b and ends with a. So it seems it is the same. Just thought about OAuth, and yes, the client ID is no secret: https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ . Just half a year ago I implemented OAuth myself, I just forgot the naming and the use of the client ID.
Reckoned I'm backed into a corner on this one. The localhost redirects are not whitelisted for this client ID, and it only allows redirects to the Swagger UI (https://authenticator-rest-api.bnet-identity.blizzard.net/swagger-ui/oauth2-redirect.html) and probably the localhost address pointing to the Messenger. I'm wondering how Android apps implement OAuth2 with just a client ID and then redirect to the device's web viewer/browser? Sniffing full HTTPS URLs is impossible, so the only way to figure this out is by trying to reverse engineer it lol. So ye, it's kinda pointless even to make an app for this if you can't ask for an OAuth2 token from the device with the client ID provided. I'm putting the client ID of the Battle.net Messenger
Yes, this way probably only works with an Electron app that can fetch the token from the returning URL. The Android app itself does this login request. The response URL is:
@striczkof I think the client ID might have changed, as I just tried this and get back
@lightmaster Did you tick the "auth.authenticator" scope before trying to log in? I think I might have forgotten to add that to the instructions.
@lightmaster Oh ye, I did forget 💀
90% sure I did, but I'll run it again to make sure.
I was wrong, apparently I didn't tick that box. Got serial, restore code, and secret back. Thx
@striczkof thank you so much for solving this, finally I can have TOTP in Bitwarden for Blizzard.
I did what @striczkof described (using the above device ID), but whenever I try to attach the converted device secret to a password manager (tried 1Password and MS Authenticator) I only get 6-digit codes, which are then not accepted by the BN client. EDIT: Never mind. I created the QR code wrong. Works in 1Password now.
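The 6-digit codes above come down to TOTP parameters. As an added example (not code from the thread or from the bna tool), this takes the hex deviceSecret the API returns, emits the otpauth:// URI a password manager imports, and computes the code locally; it assumes the Battle.net authenticator's parameters are HMAC-SHA1, a 30-second step and 8 digits, and uses the RFC 6238 reference key as a constructed sample rather than a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Assumed TOTP parameters for the Battle.net authenticator: SHA-1, 30 s step, 8 digits.
# A password manager left at its 6-digit default produces codes the client rejects.
DIGITS = 8
PERIOD = 30


def hex_secret_to_base32(hex_secret: str) -> str:
    """Convert the hex deviceSecret to the unpadded base32 that otpauth:// URIs carry."""
    raw = bytes.fromhex(hex_secret.strip())
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def totp(hex_secret: str, at=None, digits: int = DIGITS, period: int = PERIOD) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) over the raw secret bytes, zero-padded to `digits`."""
    key = bytes.fromhex(hex_secret.strip())
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(hex_secret: str, serial: str, issuer: str = "Battle.net") -> str:
    """otpauth:// URI a password manager can import (paste it, or render it as a QR code)."""
    label = quote(f"{issuer}:{serial}")
    return (
        f"otpauth://totp/{label}?secret={hex_secret_to_base32(hex_secret)}"
        f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={PERIOD}"
    )


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference key ("12345678901234567890" as hex), not a real secret.
    sample_secret = "3132333435363738393031323334353637383930"
    print(otpauth_uri(sample_secret, "US-0000-0000-0000"))  # serial is a placeholder
    print("8-digit code:", totp(sample_secret))
    print("6-digit code (a default-configured manager):", totp(sample_secret, digits=6))
```

Import the printed URI into the password manager and compare its code against `totp()` for the same moment; a mismatch that is only the last two digits missing means the manager kept the 6-digit default.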
I managed to get the AUTHENTICATOR_DEVICE_SECRET string with the rooted phone method, but I could not figure out what to do next and could not get it working by trial and error. For me AUTHENTICATOR_DEVICE_SECRET is 2 base64 strings separated by a comma, with lengths 64 and 24. What am I doing wrong?
Same here, the API method seems to be patched when going to the swagger-ui:
So the root method is the only option. I got the XML, however it's all bytes I believe after base64-decoding it.
LOL I thought the same too, but apparently they did not get rid of it. They just changed the URL to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html (redirect from https://authenticator-rest-api.bnet-identity.blizzard.net/) and the client ID still works somehow (tried getting my serial and restore code and it works). As for the device secret, they probably changed its format. I gotta check when I have free time.
I just wanted to chip in and provide my 2 cents about this one. I followed the above instructions and it turns out you do not need to have the authenticator installed and do not have to use a special client ID. Just do the following to get the 2FA secret:
As you can see, lots of overlap, but a streamlined process. Hope this helps the next person! Thanks @mx03 and @striczkof!
Thank you, I have successfully obtained the device secret following your tutorial.
I'm pleased to report that @BillyCurtis's refined steps here still work like a charm! I received the dreaded e-mail today that my legacy authenticator was removed from my account, so I had no authenticator, and they also reset my password. I followed the password reset e-mail, logged in, did steps 1 & 2, skipped to step 5 and everything went perfectly. I was able to log out and back in, was prompted for the auth code, and andOTP worked using: Type TOTP. Thanks to everyone who contributed here!
#38 (comment) So what worked for me was first following the steps to get the Bearer token from #38 (comment) by @L-Goncalves. I only needed the first code but had to convert it to Python because I didn't know how to run it properly as a JS file. Here's my Python version of the code, which seemed to work:
Then I followed @BillyCurtis's tutorial from there, but for me the formatting of the curl commands didn't work on my end, so I figured out that I had to remove the backslashes and change the single quotes to double quotes, then make it all a single line. So for example his first curl command
was changed to this:
Which then worked. And pasting your entire otpauth URL right in that field and hitting save. Took a bit to figure out but now it works great!~ Thanks so much guys for helping us with this!
Thanks to #38 (comment)
When I came back to the tab where I was logging in I had to log in again. It asked me for the auth code. Used the one in Aegis and it worked like a champ!
Hello everyone. Thanks to @BillyCurtis and @Gigafrost, I made it too! I have wrapped up both their methods, tested them, and rewrote them for people who are still facing issues. Here is my guide on how to attach an authenticator to a Battle.net account. Before Starting...
Prerequisites
Step 1. Retrieve SSO Token
Step 2. Get Bearer Token
Step 3. Attach a New Authenticator
Additional Notes
Step 4. Set Up the Attached Authenticator as a TOTP URL
Credits
#38 (comment)
No matter what I do to get the SSO Token - retrieving through the localhost link, US or EU, VPN or no VPN, different browsers, BA-tassadar cookie extraction, even tried doing it with BNet's own authenticator active in the end - curl always returns Invalid SSO Token. It's also a different token every single time I reload the localhost error page. Is that how it's supposed to work? Does this no longer work or am I just unlucky/dumb?
@dmezrahy Seems to be working fine for me. I received the same error as you when I tried in a normal browser session. However, it worked after trying again in incognito mode. No VPN used. If incognito mode does not work, try a different machine if possible...
@maaaaaaaaaaaaaaaaaaaaaaaa Didn't work at all. Same problem:
Tried different browsers in incognito mode, with and without VPN, and on different machines and connections. Every time a new token in the URL, and none of them return anything different. Also, it curiously always tries to default to an EU token when I don't specifically use the US address (us.account.battle.net/login/en/?ref=localhost) or a VPN masked as US, even though I'm trying this from South America (could that be the issue?).
@dmezrahy not sure why it's not working for you, as both EU and US SSO tokens work for me. But you could also try using this method: #38 (comment)
@BillyCurtis that method specifies iPhone, and I'm using Android 14. The Charles documentation says that "as of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control." And... yeah. Can't get the certificates to be trusted. No device within the site, only and failed SSL handshakes. Hmmm... maybe I can grab my wife's iPhone? lol
Ok, so I managed to get the proxy working (on iOS), and... it's not like described at all. Maybe it's a region issue.

```json
{
    "locale": "pt_BR",
    "oneTimeCode": "XXXX",
    "notificationPlatform": "APNS",
    "serial": "USXXXX",
    "notificationPlatformToken": "XXXXX",
    "applicationName": "social"
}
```

The serial is the value I had to enter to manually set up the authenticator in my b.net account (serial+OTP rather than QR code+OTP). Can't seem to get a TOTP going from any of the values here, though. Might be they handle South America authentication differently. If anybody has any ideas, though, I'd hear them.
@dmezrahy if there's no device field you need to disable the authenticator in the app and then enable it again. You should then see the device field.
@BillyCurtis the simplest things... Yeah, that worked after all! Thanks a lot, Billy!
Can't get the device secret, it returns an error instead:
@sosiskha are you typing the command right? You can get that error if you type it wrong.
@BillyCurtis
It's the double quotes at the beginning and end in -d that cause that error; if you change them to single quotes it should work. I get the same error using your command. It should look like this:

```bash
curl -X 'POST' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>" \
  -d '{
    "restoreCode": "<RESTORE_CODE>",
    "serial": "<SERIAL>"
  }'
```
Trying to do it in Windows cmd, and as I understand it the command has to be a single line and it doesn't accept single quotes.
That's what I'm getting:
Try this:

```bat
curl -X POST "https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer <BEARER_TOKEN>" -d "{\"restoreCode\": \"<RESTORE_CODE>\", \"serial\": \"<SERIAL>\"}"
```
Thanks a lot, it worked!
I took the opportunity to do an exercise in Python (which I'm still learning) and created my own tool. It is not meant to be a replacement for But if you want a dead simple way to generate a TOTP and QR code you are free to use it. I was only able to test it using my US-based account. The endpoints are configurable in the code if they are different for the EU/TW/CN regions. A great many thanks to those who commented on this issue, it really helped me walk through the process.
@Nighthawk42 I haven't been following the issue too much, but if you wish to create a PR here to update the functionality please feel free, I will review it.
{"Error": "invalid_token", "error_description": "Invalid SSO token."} Is there any way?
Response content: b'{"errorCode":"BLZBNTARA10000102","message":"Failed to attach authenticator; invalid restore code."}' Recently, it has been discovered that the actual restore code has changed, so it is not possible to directly obtain the device secret through the above method.
Wait a minute,
Updated bnet_auth_tool over on my repo. It can now reconstruct TOTP secrets as long as you have the proper information or a JSON created by attaching the authenticator from the tool itself. @jleclanche - I'm still fairly new to Python (about a year and a half in) and admittedly made a lot of progress with the help of Copilot. I took a look at your code to see what could be fixed and ended up nowhere. If you get time, maybe you could look at my code and possibly see the differences.
Is this project still supported? Not sure how much you can do if the Battle.net endpoints got changed, but maybe someone has an idea.