openftm

Open-source implementation of FortiToken's TOTP algorithm.

You can extract the actual TOTP seed and use it with apps like KeePassXC or andOTP, make sure to set the period to 60 seconds.

Prequisites

For this to work, you need to extract 3 things - SSAID, UUID and encrypted seed. This needs root access on your Android device.

SSAID

Android 8.0+

For Android 8.0+ SSAID is unique for every installed app, to get value for FTM run this command in a rooted shell:

# grep com.fortinet /data/system/users/0/settings_ssaid.xml | cut -d" " -f6 | cut -d"=" -f2 | sed 's/"//g'

Output should look like this:

<setting id="32" name="10309" value="eefd7d4837294e94" package="com.fortinet.android.ftm" defaultValue="eefd7d4837294e94" defaultSysSet="false" tag="null" />

Android versions before 8.0

For previous versions of Android SSAID is the same for all apps to get it run following command

# grep android_id /data/system/users/0/settings_secure.xml

  <setting id="31" name="android_id" value="eefd7d4837294e94" package="android" />

Copy the value from quotes and paste it to the script as DEVICE_ID.

UUID

The encrypted UUID is stored in the UUID key of the XML file stored at /data/data/com.fortinet.android.ftm/shared_prefs/FortiToken_SharedPrefs_NAME.xml.

grep UUID /data/data/com.fortinet.android.ftm/shared_prefs/FortiToken_SharedPrefs_NAME.xml | sed -e 's/^[ ]*//' | cut -d">" -f2 | cut -d"<" -f1

will return something like this:

    <string name="UUID">N7gAr30eX72sR2owbVR4WrFiw4e3ignGBO6IcgA4qJjvBYjZvIxZXIMTHOix8QDt</string>

Copy the value paste it to the script as UUID.

Seed

The seed is stored in app's database: /data/data/com.fortinet.android.ftm/databases/FortiToken.db You can copy the file and open it with an SQLite3 editor,

$ sudo sqlite3 /data/data/com.fortinet.android.ftm/databases/FortiToken.db 'SELECT seed FROM Account WHERE type="totp"'
MNmAN7drtlNJxjFqo5bgSN/DZcdWVK9Qv1YyUP3OjuJkDXgV06siQYlQfO0678Lg

or run this command: (I know it's ugly, but does the job)

# grep -Eao 'totp.{64}' /data/data/com.fortinet.android.ftm/databases/FortiToken.db | cut -c5-
MNmAN7drtlNJxjFqo5bgSN/DZcdWVK9Qv1YyUP3OjuJkDXgV06siQYlQfO0678Lg

Copy the output and paste it as SEED.

Usage

• Docker
  • docker build -t openftm:1.0.0 .
  • export OFTM_SSAID=''
  • export OFTM_UUID=''
  • export OFTM_SEED=''
  • xhost +
  • docker run -it --privileged --rm --net host -v "/tmp/.X11-unix:/tmp/.X11-unix:ro" -e DISPLAY=$DISPLAY -e DISPLAY=$DISPLAY -e OFTM_UUID=$OFTM_UUID -e OFTM_SSAID=$OFTM_SSAID -e OFTM_SEED=$OFTM_SEED openftm:1.0.0 bash
  • python main.py
  • exit
  • xhost -
• Manual:
  • cd src
  • pip3 install -U -r requirements.txt to install requirements
  • python3 main.py to run it

$ python3 main.py
UUID KEY: eefd7d4837294e94unknown
UUID: bbc350195b88433dbcc7365cdbd130e5
SEED KEY: eefd7d4837294e94unknownbbc350195b88433dbcc7365cdbd130e5
TOTP SECRET: DEADBEEFDEADBEEFDEADBEEFDEADBEEF
Current TOTP: 779726

Printed TOTP SECRET is base32-encoded and can be used to setup TOTP codes in other authenticator applications like: KeePassXC, andOTP, SailOTP, Numberstation. Make sure to set the period to 60 seconds.

Configuration example with KeePassXC:

• Custom settings
  • Algorithm: SHA-1
  • Time step: 60 sec
  • Code size: 6 digits

Disclaimer

All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.