python-bna: bna restore: bna.http.HTTPError: mobile-service.blizzard.com returned status 502

LOL IT FUCKING WORKED HAHAHAHAHA THANK YOU SO MUCH @mx03

Sadly that forces everyone to download the app and login once before getting the client ID. Are you actually sure about the client ID being per-user? I’m gonna test with different accounts later if you haven’t tried that. And would non-rooted users be able to access that directory?

For those waiting for an app to automate these steps. (only slightly due to the way of getting the client ID/device secret) This is what I did:

1. Download the Battle.net Messenger
2. Login to the app
3. (This step might need root) Get the secret:

• From the app

  1. Press “Enable now” when prompted to enable the authenticator
  2. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
  3. Either copy the file to the PC or open it in the phone
  4. Save the content of the string tag named “com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET”

• From the REST API

  1. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
  2. Either copy the file to the PC or open it in the phone
  3. Copy the content of the string tag named com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID
  4. Go to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html

  You can skip all the steps above with this client ID (as long as this doesn’t get changed lol): baedda12fe054e4abdfc3ad7bdea970a

  1. Make sure to tick the ‘auth.authenticator’ scope then click “Authorize,” paste the acquired client ID to the client ID input then click “Authorize.”
  2. Login if you are not logged in already. Either way, you should be redirected back and see the client ID input as just client_id: ******
  3. Click the “POST: Click and add a brand new authenticator…” header, click “Try it out,” then “Execute.”
  4. The response should be “200: OK” with a JSON output providing your device secret
  5. Save the value of deviceSecret and might as well save serial and restoreCode for backup

1. Convert the device secret from hex to base32. On Linux and maybe macOS, this can be done with echo "PASTEYOURDEVICESECRETHERE" | xxd -r -p | base32
2. Put the converted secret and set the digits to 8 on your authenticator of your choosing. I use Aegis and it works.

I just wanted to chip in and provide my 2 cents about this one. I followed above instructions and turns out you do not need to have the authenticator installed, do not have to use a special clientID. Just do the following to get 2fa secret:

• Go to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html
• use clientID: baedda12fe054e4abdfc3ad7bdea970a Make sure to tick the ‘auth.authenticator’ scope then click “Authorize,” paste the acquired client ID to the client ID input then click “Authorize.”
• Login if you are not logged in already. Either way, you should be redirected back and see the client ID input as just client_id: ******
• Click the “POST: /v1/authenticator - Click and add a brand new authenticator…” header, click “Try it out,” then “Execute.”
• The response should be “200: OK” with a JSON output providing your device secret If it responds with anything other then “200: OK”, read what it says and act accordingly. In my case I already had the battle.net app installed, and you cannot create a new authenticator if you do. So in that case, remove the authorization from the app and start the POST step again.
• Save the value of deviceSecret and save serial and restoreCode as well for backup!!
• Convert the device secret from hex to base32. On Linux and macOS use terminal. (on windows use WSL or a online tool) the command is echo "PASTEYOURDEVICESECRETHERE" | xxd -r -p | base32
• Put the converted secret in your 2FA of choice and set the digits to 8. I used Aegis and it works perfectly.

As you can see, lots of overlap, but streamlined process. Hope this helps the next person! Thanks @mx03 and @striczkof!

Here is another way without having to use the Battle.net App

1. Retrieve SSO Token:

• Go to https://account.battle.net/login/en/?ref=localhost. After logging in, ignore the 404 Error, but copy the token following ST= from the URL.
  • Example: EU-84902f44j57m687039586j7egdfa0a54-1165739690

2. Get Bearer Token:

• Replace <SSO_TOKEN> with the token you got from step 1 and execute the following curl command to obtain the Bearer Token:

  curl -X 'POST' \
  'https://oauth.battle.net/oauth/sso' \
  -H "content-type: application/x-www-form-urlencoded; charset=utf-8" \
  -d "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=<SSO_TOKEN>"
  

  • Response:

    {"access_token":"XXX","token_type":"bearer","expires_in":0,"scope":"auth.authenticator","sub":"XXX"}
    

• Copy the Bearer Token to use in steps 3, 4. or 5.

3. Get Serial & Restore Codes:

• Use the Bearer Token to fetch the Serial and Restore Codes of an existing authenticator:

  curl -X 'GET' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator' \
  -H 'accept: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>"
  

  • Response:

    {"Restore Code": "XXX", "Serial Number": "XXX"}
    

4. Get Existing Authenticator Device Secret:

• Use the Bearer Token, Serial, and Restore codes to retrieve the Device Secret of an Existing Authenticator:

  curl -X 'POST' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>" \
  -d '{
    "restoreCode": "<RESTORE_CODE>",
    "serial": "<SERIAL>"
  }'
  

  • Response:

    {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}
    

5. Create and Add a New Authenticator:

• Use the Bearer Token to create and add a new authenticator to the users account :

  curl -X 'POST' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator' \
  -H 'accept: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>" \
  -d ''
  

  • Response:

    {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}
    

6. Add Authenticator to Password Manager.

• After you have obtianed the deviceSecret convert it from hex to base32 using echo "deviceSecret" | xxd -r -p | base32 on Linux/macOS or cryptii.com if on Windows

• Replace deviceSecret in the following URL: otpauth://totp/Battle.net?secret=deviceSecret&digits=8 with the newly obtained base32 device secret, and you should have a working TOTP.

LOL IT FUCKING WORKED HAHAHAHAHA THANK YOU SO MUCH @mx03

Sadly that forces everyone to download the app and login once before getting the client ID. Are you actually sure about the client ID being per-user? I’m gonna test with different accounts later if you haven’t tried that. And would non-rooted users be able to access that directory?

For those waiting for an app to automate these steps. (only slightly due to the way of getting the client ID/device secret) This is what I did:

1. Download the Battle.net Messenger
2. Login to the app
3. (This step might need root) Get the secret:

• From the app
  1. Press “Enable now” when prompted to enable the authenticator
  2. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
  3. Either copy the file to the PC or open it in the phone
  4. Save the content of the string tag named “com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET”
• From the REST API
  1. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
  2. Either copy the file to the PC or open it in the phone
  3. Copy the content of the string tag named com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID
  4. Go to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html

  You can skip all the steps above with this client ID (as long as this doesn’t get changed lol): baedda12fe054e4abdfc3ad7bdea970a

  1. Make sure to tick the ‘auth.authenticator’ scope then click “Authorize,” paste the acquired client ID to the client ID input then click “Authorize.”
  2. Login if you are not logged in already. Either way, you should be redirected back and see the client ID input as just client_id: ******
  3. Click the “POST: Click and add a brand new authenticator…” header, click “Try it out,” then “Execute.”
  4. The response should be “200: OK” with a JSON output providing your device secret
  5. Save the value of deviceSecret and might as well save serial and restoreCode for backup

1. Convert the device secret from hex to base32. On Linux and maybe macOS, this can be done with echo "PASTEYOURDEVICESECRETHERE" | xxd -r -p | base32
2. Put the converted secret and set the digits to 8 on your authenticator of your choosing. I use Aegis and it works.

Here’s how i got it working with 1Password using Charles Proxy and the Battle.net App on my iPhone

1. Begin by downloading and installing Charles Proxy.

2. Navigate to Help > SSL Proxying within Charles Proxy and select Install Charles Root Certificate on a Mobile Device or Remote Browser. Follow the provided instructions to enable SSL Proxying for your iPhone.

3. Launch the Battle.net App on your iPhone. Then return to Charles Proxy and right-click on https://authenticator-rest-api.bnet-identity.blizzard.net within the list of sites and enable SSL Proxying.

4. Inside the Battle.net App, enable the Authenticator. Then return to Charles Proxy, and expand the contents of https://authenticator-rest-api.bnet-identity.blizzard.net, then locate the device entry. Click on it, then go to Contents, and you will find an output similar to the following:

   {
       "serial": "XXX",
       "restoreCode": "XXX",
       "deviceSecret": "XXX",
       "timeMs": "XXX",
       "requireHealup": false
   }
   

5. Copy the deviceSecret and convert it from hex to base32 using echo "deviceSecret" | xxd -r -p | base32 on Linux/macOS or cryptii.com if on Windows

6. Replace deviceSecret in the following URL: otpauth://totp/BattleNet:Battle.net?secret=deviceSecret&digits=8 with the newly obtained base32 device secret, and you should have a working TOTP.

Worrying news ahead

几年前，我有一个用类似过程创建的旧身份验证器密钥，该密钥也收到了折旧电子邮件。从官方网站上的帐户中删除了旧的身份验证器。然后尝试按照说明添加一个新的：

• 前往 https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html
• 使用 clientID：baedda12fe054e4abdfc3ad7bdea970a
• 确保勾选“auth.authenticator”范围，然后单击“授权”，将获取的客户端 ID 粘贴到客户端 ID 输入中，然后单击“授权”。
• 如果您尚未登录，请登录。无论哪种方式，您都应该被重定向回去，并看到客户端 ID 输入仅client_id： ******
• 单击“POST： /v1/authenticator - 单击并添加全新的身份验证器…”标题中，单击“试用”，然后单击“执行”。
• 响应应为“200：OK”，并带有提供设备密钥的 JSON 输出 如果它响应的是“200：OK”以外的任何内容，请阅读它所说的内容并采取相应的行动。就我而言，我已经安装了 battle.net 应用程序，如果安装了，则无法创建新的身份验证器。因此，在这种情况下，请从应用程序中删除授权，然后再次启动 POST 步骤。
• 保存deviceSecret的值，并保存serial和restoreCode进行备份！！
• 将设备密钥从十六进制转换为 base32。在 Linux 和 macOS 上使用终端。（在 Windows 上使用 WSL 或在线工具）命令是 echo “PASTEYOURDEVICESECRETHERE” |xxd -r -p |基数32
• 将转换后的密钥放入您选择的 2FA 中，并将数字设置为 8。我使用了宙斯盾，它运行良好。

但是，我得到了以下回复

{
  "url": "https://account.battle.net/creation/",
  "requireHealup": true
}

我只需使用密码即可正常登录该帐户。我不明白他们所说的治愈是什么意思。看起来很内在？也许问题是我没有附加电话号码？我不想添加我的手机。

我有这个问题。然后我实际上阅读并意识到了这一点

您需要在 Battle.net 帐户上设置电话号码

https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html
Unable to access anymore----

It was fun while it lasted. Thanks Obama!

Trying to follow @BillyCurtis’s method and it fails for me at step 3 {“errorCode”:“BLZBNTARA10000303”,“message”:“Failed to retrieve authenticator; authenticator not found.”}%

Can someone confirm if this method still works?

Go straight to step 5 after you get the bearer token if you don’t already have an authenticator

@ldehaas1612 @L-Goncalves Just found that when reading all the messages since last time I had to do this dance with Blizzard. Today I had just looked at the most recent set of instructions and didn’t realize there had to be a phone number on the account. Also, I definitely had a phone number on it before cuz the verification message when I just added my number showed the last time they sent verification to my number. Not sure why they removed my number at some point.

EDIT: It worked now, thanks.

Blizzard killed my 2fa cuz I still had an old version of their authenticator authorized. Trying @BillyCurtis’s steps, and I get the SSO-token and the bearer token, but when I try to add a new authenticator, I get this response:

{"url":"https://account.battle.net/creation/","requireHealup":true}% 

Read carefully… You have to specify an phone number to your account in order to create a 2FA. This is their fallback method

Blizzard killed my 2fa cuz I still had an old version of their authenticator authorized. Trying @BillyCurtis’s steps, and I get the SSO-token and the bearer token, but when I try to add a new authenticator, I get this response:

{"url":"https://account.battle.net/creation/","requireHealup":true}% 

I believe that the requireHealup value is if it needs a phone number, usually when I was attaching authenticators I would get that if no phone number was attached to the account.

Using the SSO token from the 404 page URL should work without having to get it from the BA-tassadar value.

I thought so too, but it failed several times for me using the token from the 404 page. I’ve just rechecked, and the BA-tassadar value is different from the token value on the 404 page and the account page (same value both times). On Windows this time.

So I’m not sure what is different for me? Maybe firefox, maybe the fact that I already have the Blizzard authenticator setup and I’m just trying to recover the devicesecret?

Regardless, I thought I would share as it may provide a resolution for others.

Resolved my problem. In step 1, I grabbed the sso token at the 404 page. However, it changed between this page and the account overview. My success path was:

1. Login on a web browser, get to my account page and then extract the BA-tassadar value (thanks @L-Goncalves).
2. Use @BillyCurtis step 2 for the bearer token and step 4 for the device secret (I already had the recovery code and serial info).

Thank you to all of the thread contributors - much appreciated.

Using the SSO token from the 404 page URL should work without having to get it from the BA-tassadar value.

Resolved my problem. In step 1, I grabbed the sso token at the 404 page. However, it changed between this page and the account overview. My success path was:

1. Login on a web browser, get to my account page and then extract the BA-tassadar value (thanks @L-Goncalves).

2. Use @BillyCurtis step 2 for the bearer token and step 4 for the device secret (I already had the recovery code and serial info).

Thank you to all of the thread contributors - much appreciated.

Hello Everyone, I’ve been able to replicate the OAuth, you will need to first login into your account at account.battle.net

The open Dev Tools from the browser, go into Cookies Section and get the following value of the Cookie:

You will need to copy it and use in OAuth to get the bearer token to use in the Authenticator Rest API:

I’ve made Javascript script to do that but it can be converted to python too:

async function generateToken() {
  const headers = {
    'Host': 'account.battle.net',
    'accept': 'application/json; charset=UTF-8',
    'content-type': 'application/json; charset=UTF-8',
    'user-agent': 'Battle.net/7123 CFNetwork/1404.0.5 Darwin/22.3.0',
    'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  };

  const url = 'https://account.battle.net/login/sso/generate';

  const data = {
    program_id: 'BSAp',
    platform_id: 'ios',
    client_version: 1,
    login_ticket: '[BA-tassadar COOKIE USE IT HERE]'
  };

  const options = {
    method: 'POST',
    headers: headers,
    body: JSON.stringify(data),
  };

  try {
    const response = await fetch(url, options);
    const dataResponse = await response.json();
    return await oauth(dataResponse.authentication_token);
  } catch (error) {
    console.error(error);
    throw error; // Rethrow the error to propagate it up
  }
}

async function oauth(generated_token) {
  const headers = {
    'Host': 'oauth.battle.net',
    'accept': '*/*',
    'content-type': 'application/x-www-form-urlencoded; charset=utf-8',
    'user-agent': 'BlizzardSocial/1.24.2 (com.blizzard.social; build:7123; iOS 16.3.1) Alamofire/5.8.0',
    'accept-language': 'en-BR;q=1.0, pt-BR;q=0.9',
  };

  const url = 'https://oauth.battle.net/oauth/sso';

  const data = {
    client_id: 'baedda12fe054e4abdfc3ad7bdea970a',
    grant_type: 'client_sso',
    scope: 'auth.authenticator',
    token: generated_token
  };

  const body = new URLSearchParams(data);

  const options = {
    method: 'POST',
    headers: headers,
    body: body,
  };

  try {
    const response = await fetch(url, options);
    return await response.json();
  } catch (error) {
    console.error(error);
    throw error; // Rethrow the error to propagate it up
  }
}

These 2 Functions are used to generate the SSO Token and the other one retrives the Bearer Token to use it then after having the bearer token you are free to use in the request for the rest api like that:

async function fetchAuthenticatorData(bearerToken) {
  const url = 'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator';

  const headers = {
    'Host': 'authenticator-rest-api.bnet-identity.blizzard.net',
    'accept': '*/*',
    'user-agent': 'BlizzardSocial/1.24.2 (com.blizzard.social; build:7123; iOS 16.3.1) Alamofire/5.8.0',
    'accept-language': 'en-BR;q=1.0, pt-BR;q=0.9',
    'authorization': `Bearer ${bearerToken}`,
    'Content-Type': 'application/json',
  };

  const options = {
    method: 'POST',
    headers: headers,
  };

  try {
    const response = await fetch(url, options);
    return await response.json();
  } catch (error) {
    console.error(error);
    throw error;
  }
}

Wanted to add my two cents.

If you are unable to use command line for any reason to convert your secret, you can go to https://cryptii.com/pipes/hex-to-base32 get it made as well.

QRENCODE

If you can’t use qrencode command line, you can go to https://qrdex.io/ to make a QR for your authentication app. This link was created by a reddit user and does not appear to save your QR code or redirect it anywhere. However, use at your own risk.

@oelna

put it in the setup URL like so

Just on that the otpauth url is supposed to look like this:

otpauth://totp/Battle.net%3A<SERIAL>?period=30&digits=8&algorithm=SHA1&secret=<SECRET>

The number after the the issuer “Battle.net” is supposed to be the serial, (it’s in that JSON structure that is returned) and that is how it was with the old python-bna tool. This won’t stop it from working however if you have something else in there.

@ldehaas1612

So far I’m not worried that my account will be stripped from the 2FA

Me neither. I suspect Blizzard wanted to retire the old API used by the old app for a more standard approach with swagger oauth2 as it’s quite clear they’re removing legacy services that didn’t support OAuth. I also suspect it’s easier for them to invalidate all old authenticators before a certain date than try to migrate them.

Also by having one official app there is now only one codebase to maintain and make sure meets the Google Play target API requirements.

It is both, similar to MS Authenticator. Push and manual generation (fallback) are available.

I am using the new bent authenticator after migrating a while back and recently extracted my secret using the REST API with the steps above. The POST can be used to retrieve your secret.

I have a feeling that re-registering the authenticator using the authenticator POST from the REST with the existing restore data might be enough to trigger the migration. But I cannot tell that for sure.

Yeah I got that email too and I was using Battle.net Authenticator App at some point but then migrated to Bitwarden/Aegis.

The real question is if you associate a new authenticator against the new endpoints backing the new mobile app (or restore the existing authenticator into it), will they still strip it come Jan 6th? I can see this happening for 2 reasons:

1. The official app registers you somewhere else as having done the migration, and the procedure above doesn’t do that.
2. You still have the authenticator on the legacy endpoint active.

I have simply restored my existing authenticator following the procedure above, but as far as I can see, there is no way to verify after doing this we still won’t get the authenticator stripped.

Worrying news ahead

Isn’t this what these instructions are for? i remember it being much simpler previously so assumed this is the new method for the new authenticator, is this not the case?

It looks like the email is only send to users of the old authentication method. I have two accounts, one using this method and one with the new bnet authenticator. I only got the email on the account using this method, which would indicate that it is the old authenticator method.

To clarify you have used the method mentioned here? #38 (comment) the last time i added 2FA to bitwarden was via WinAuth

It’s not possible to use this method without a number linked to my account, working with support to get my number moved from some dodgy account, but i did have 2FA setup, so either they enforced needing a phone number linked or this method is different to the old method i used.

Yes. That is the method I used. Currently I am using this with 1Password.

This totally worked for me. Without ever installing the Authenticator app, I got the secret from the API, put it in the setup URL like so: otpauth://totp/BattleNet:Battle.net?secret=<yoursecrethere>&digits=8

Worked in both 1Password, as well as iCloud Keychain Passwords.

awesome. Much cleaner instructions are great for people!

@striczkof Think the clientid might have changed, as I just tried this and get back 403: Forbidden..... The request requires higher privileges than provided by the access token. Gonna hunt down an old Android phone that’s rooted so I can get the /data file to check the new clientid

@lightmaster Did you tick the “auth.authenticator” scope before trying to login? think I might have forgotten to add that in instructions.

As the app has certificate pinning i haven’t the time for look into more details, but it shouldn’t be hard to make an oauth auth like the app and get the client id.