cosmo token retrieval

a two-part guide for retrieving cosmo tokens. part one handles creating a rooted emulator device and retrieving your account tokens, which is as far as most users will need to go. part two handles retrieving the cosmo BASE64_ENCRYPTION_KEY value, which is the same for all users and not required by any of my tools.

part one - account tokens

create a device

  1. install android studio and android SDK
  2. yay -S android-studio android-sdk-platform-tools
  3. run android-studio
  4. open the virtual device manager
  5. create a new device with the following settings
  6. device:         pixel 8
    API:            API 34 android 14.0
    services:       google play store
    system image:   recommended x86_64 image
    default boot:   cold
    camera:         none
    graphics:       hardware acceleration
  7. boot the device
  8. open the play store and install cosmo

root the device

  1. download rootAVD
  2. git clone "https://gitlab.com/newbit/rootAVD" && cd rootAVD
  3. run the script
  4. ./rootAVD.sh ~/Android/Sdk/system-images/android-34/google_apis_playstore/x86_64/ramdisk.img
  5. restart the device (cold boot)

become a superuser

  1. download magisk
  2. curl -Lo magisk.apk "https://github.com/topjohnwu/Magisk/releases/latest/download/app-release.apk"
  3. sideload magisk onto the device
  4. adb install magisk.apk
  5. open magisk on the device, then update and reboot if required
  6. ask for root access
  7. adb shell
    su
  8. switch to the superuser tab in the magisk app and grant permissions when prompted

monitor network traffic

  1. install httptoolkit
  2. yay -S httptoolkit
  3. run httptoolkit and select Android Device via ADB
  4. confirm access on the device, ensuring system trust is enabled
  5. open cosmo and log in to your account
  6. monitor traffic inside httptoolkit and look for an entry named /bff/v3/users/login-by-privy
  7. click the entry and view the response to find your tokens

refreshing tokens

to my knowledge tokens expire after approximately one week. once expired, tokens can be refreshed using cosmo-refresh. this simple script saves you from having to open up an emulator and monitor the network traffic to get your new tokens every time the old ones expire.

part two - encryption key

set up frida server

  1. install frida
  2. pip install frida-tools
  3. download and decompress the server file for your version of frida
  4. FRIDA_VERSION=$(frida --version)
    curl -Lo frida-server.xz "https://github.com/frida/frida/releases/download/${FRIDA_VERSION}/frida-server-${FRIDA_VERSION}-android-x86_64.xz"
    unxz -f frida-server.xz
  5. push the server to the device
  6. adb push frida-server /data/local/tmp/frida-server
    adb shell chmod 755 /data/local/tmp/frida-server
  7. start the server on the device
  8. adb shell "/data/local/tmp/frida-server &"
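the steps above as one script, added here as an example and not part of the original guide or the cosmo-util project. it generalises the guide slightly: instead of hardcoding x86_64 (correct for the part-one emulator) it reads the device ABI and picks the matching frida-server build, and it checks that the client can actually see the server before you continue, since a client/server version mismatch is the usual reason the next step fails. assumes adb, frida, curl and unxz are on PATH and exactly one device is connected.

```shell
#!/bin/sh
# Added helper (not from the guide): fetch, push and start the frida-server build
# that matches the installed frida client and the connected device's ABI.
# Assumes adb, frida, frida-ps, curl and unxz are on PATH and one device is attached.
set -eu

# Map an Android ABI (as reported by getprop ro.product.cpu.abi) to the architecture
# suffix frida uses in its release asset names. Fails for ABIs frida does not ship.
frida_arch_for_abi() {
  case "$1" in
    x86_64)      echo x86_64 ;;
    x86)         echo x86 ;;
    arm64-v8a)   echo arm64 ;;
    armeabi-v7a) echo arm ;;
    *)           return 1 ;;
  esac
}

# Build the download URL for a given frida version and asset architecture.
frida_server_url() {
  echo "https://github.com/frida/frida/releases/download/$1/frida-server-$1-android-$2.xz"
}

install_frida_server() {
  # The server version must match the client exactly or frida will refuse to attach.
  version=$(frida --version)
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  arch=$(frida_arch_for_abi "$abi") || { echo "unsupported device ABI: $abi" >&2; return 1; }
  curl -fLo frida-server.xz "$(frida_server_url "$version" "$arch")"
  unxz -f frida-server.xz
  adb push frida-server /data/local/tmp/frida-server
  adb shell chmod 755 /data/local/tmp/frida-server
  # nohup plus redirected output lets the adb shell call return instead of hanging
  # on the server's open stdout, while the server keeps running on the device.
  adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
  # Confirm the client can enumerate processes through the server before moving on.
  frida-ps -U >/dev/null && echo "frida-server $version ($arch) is running on $abi"
}

# Sourcing the file only defines the helpers; pass "run" to perform the install.
if [ "${1:-}" = run ]; then
  install_frida_server
fi
```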

launch app under the hook

  1. download hook.js
  2. curl -LO "https://codeberg.org/djvu/cosmo-util/raw/branch/master/cosmo-token/hook.js"
  3. make sure the cosmo app is closed on the device, then start frida
  4. frida -U -f com.modhaus.cosmo -l hook.js
  5. wait for cosmo to load and you will see the key appear in the frida output