Help request - decode otpauth-migration://offline?data= uri

[hellozyemlya]

Hi. I want to extract my original code to use it in third party apps. But offline migration url contains some strange info that I don't know how to extract. Can anyone help extract data in such url payload?

[OmarWKH]

The data is in google's protocol buffer format and encoded with base64.

Aegis is already able to decode it.

It would be nice to have more official documentation like the one for otpauth.

[alexbakker]

I wrote a brief article about the format here. That should have all the info you need to parse it.

[dim13]

I wrote a brief article about the format here. That should have all the info you need to parse it.

The digits field is however an enum. As far, as I could reverse-engineer the format, the proto file should read:

syntax = "proto3";

message MigrationPayload {
	enum Algorithm {
		ALGORITHM_UNSPECIFIED = 0;
		ALGORITHM_SHA1 = 1;
		ALGORITHM_SHA256 = 2;
		ALGORITHM_SHA512 = 3;
		ALGORITHM_MD5 = 4;
	}
	enum DigitCount {
		DIGIT_COUNT_UNSPECIFIED = 0;
		DIGIT_COUNT_SIX = 1;
		DIGIT_COUNT_EIGHT = 2;
	}
	enum OtpType {
		OTP_TYPE_UNSPECIFIED = 0;
		OTP_TYPE_HOTP = 1;
		OTP_TYPE_TOTP = 2;
	}
	message OtpParameters {
		bytes secret = 1;
		string name = 2;
		string issuer = 3;
		Algorithm algorithm = 4;
		DigitCount digits = 5;
		OtpType type = 6;
		int64 counter = 7;
	}
	repeated OtpParameters otp_parameters = 1;
	int32 version = 2;
	int32 batch_size = 3;
	int32 batch_index = 4;
	int32 batch_id = 5;
}

[crazygit]

as I could reverse-engineer the format,

Could you share how to reverse-engineer the format, thanks!

[dim13]

Careful thoughts and some help from apk decompiler for the clues. As far as I can tell, the version above is correct and complete.

If you like, take also look at my go implementation of link-extractor: https://github.com/dim13/otpauth

[crazygit]

Careful thoughts and some help from apk decompiler for the clues. As far as I can tell, the version above is correct and complete.

If you like, take also look at my go implementation of link-extractor: https://github.com/dim13/otpauth

thanks

[alexbakker]

@dim13 You're right, I checked again and it appears I missed some stuff. While Google Authenticator certainly doesn't support the extra digits/algorithm options, I've updated my post for completeness sake.

[dim13]

@alexbakker on a second thought, as it looks like, all int32 fields may be unsigned however. Not quite sure about counter filed too.
From compiled files in it is not quite clear which to choose, as they converge to same type in Java:
https://developers.google.com/protocol-buffers/docs/proto3#scalar
But I've run into negative version numbers, which indicates unsigned types.

[alexbakker]

@dim13 I've only seen negative batch id's. While more correctness would be nice, the other integers are unlikely to ever be large enough for sign to matter.

[dim13]

@alexbakker You're right, I think it was a batch_id, I've run into.