This Frida script extracts the stored OTP seed from the Xfinity Android application's "Code Generator". It achieves this by hooking into the VaultImpl class within the application and extracting the encoded secret from the keystore. The resulting seed value can be used in any TOTP authenticator such as Google Authenticator, Bitwarden, or Authy.
The script performs the following steps:
- Targeting: It searches the Android heap for active instances of android.cim.comcast.com.comcastmobilevault.impl.VaultImpl.
- Fallback Instantiation: If no instance is found on the heap, it attempts to manually instantiate VaultImpl using the application context.
- Extraction: Once an instance is acquired, it probes the xal.totpEntitiesVaultGroup for stored keys.
- Processing: For each key found, it reads the encrypted JSON data, decrypts it using the app's native vault logic, and extracts the secret field.
- Encoding/Decoding: It uses BouncyCastle's Base64 and Base32 classes (found in the app's own libraries) to process the extracted secret into a standard format usable by TOTP authenticators.
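
The Encoding/Decoding step above, as an added Node.js example that is not part of extract.js or of the project: it re-encodes a Base64 secret as Base32 and checks the resulting seed by computing an RFC 6238 code. It assumes the secret field is the Base64 of the raw key and that the authenticator uses the common defaults (HMAC-SHA1, 6 digits, 30-second step); the function names and the sample key (the RFC 6238 test key) are constructed for illustration.

```javascript
// Added example, not part of extract.js.
// Assumption: the vault's `secret` field is Base64 of the raw TOTP key bytes.
const { createHmac } = require("crypto");

const B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// RFC 4648 Base32 encoding of a Buffer, without '=' padding.
function base32Encode(buf) {
  let bits = 0, value = 0, out = "";
  for (const byte of buf) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += B32_ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
    value &= (1 << bits) - 1; // keep only the leftover bits
  }
  if (bits > 0) out += B32_ALPHABET[(value << (5 - bits)) & 31];
  return out;
}

// Base64 secret (as stored) -> Base32 seed (as entered into an authenticator).
function base64ToBase32(b64) {
  return base32Encode(Buffer.from(b64, "base64"));
}

// RFC 6238 TOTP over HMAC-SHA1 for raw key bytes at a given Unix time.
function totp(key, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = createHmac("sha1", key).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;           // dynamic truncation
  const code = mac.readUInt32BE(offset) & 0x7fffffff;  // drop the sign bit
  return String(code % 10 ** digits).padStart(digits, "0");
}

// Constructed sample: Base64 of the RFC 6238 test key "12345678901234567890".
const SAMPLE_B64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=";

console.log("Base32 seed:", base64ToBase32(SAMPLE_B64));
console.log("TOTP at T=59:", totp(Buffer.from(SAMPLE_B64, "base64"), 59));
```

Comparing the code computed for the current time with the one shown in the app confirms that the seed was re-encoded correctly before it is imported elsewhere.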

- Device: A rooted Android device or an environment where you have sufficient permissions to run Frida, such as a patched Xfinity app containing a Frida gadget.
- Frida: Ensure frida-server or frida-gadget is running on the device.
- Dependencies: This script is designed to be run via frida and assumes the target Xfinity APK is installed and running on the device.
- Xfinity App: You must be logged in to your Xfinity account and have "Two-step verification" and the "Code Generator" enabled in the settings.

- Start the Xfinity app on the target device and make sure you are logged in.
- Ensure frida-server is running as root on the device.
- Execute the script using Frida:

    frida -U -p $(adb shell pidof com.comcast.mobile.xfinity) -l extract.js

This project and its associated scripts were developed with the assistance of the Gemini AI model, which provided architectural analysis of the Xfinity APK, helped resolve issues with library usage, and assisted in debugging the Frida hook implementation.