DEV Community: James M The latest articles on DEV Community by James M (@endafk). https://dev.to/endafk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3847370%2F57dbd910-a612-4bc7-a550-d3a055e0a188.jpg DEV Community: James M https://dev.to/endafk en How I Reverse-Lookup M-Pesa's Hashed Phone Numbers Using a 7.2 GB Binary File and One S3 Request James M Sat, 28 Mar 2026 09:35:26 +0000 https://dev.to/endafk/how-i-reverse-lookup-m-pesas-hashed-phone-numbers-using-a-72-gb-binary-file-and-one-s3-request-mk7 https://dev.to/endafk/how-i-reverse-lookup-m-pesas-hashed-phone-numbers-using-a-72-gb-binary-file-and-one-s3-request-mk7 <p>At some point, Safaricom quietly changed the M-Pesa Daraja C2B callback payload. The <code>MSISDN</code> field — which used to contain a partially-masked phone number like <code>2547*****126</code> — started returning something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fc418dcfe94c732a57f109e85e54d6c2e86f7c2afe6a2a5a6a5e5a9a9a9a9a9 </code></pre> </div> <p>A SHA256 hash. No announcement, no migration guide. Your integration just quietly broke.</p> <p>This is how I solved it.</p> <h2> The problem </h2> <p>SHA256 is a one-way function. You cannot mathematically reverse it. The only way to recover the original phone number is to hash every possible candidate and check for a match.</p> <p>For Kenyan Safaricom numbers the search space is <code>2547XXXXXXXX</code> and <code>2541XXXXXXXX</code> — exactly <strong>200 million candidates</strong>. Hashing all of them on every callback request takes roughly 2 minutes. That's not a solution, that's a timeout.</p> <h2> Why the obvious approaches don't work </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Lookup time</th> <th>Problem</th> </tr> </thead> <tbody> <tr> <td>Brute-force per request</td> <td>~2 min</td> <td>Kills every callback before Safaricom's 5-second timeout</td> </tr> <tr> <td>SQLite file</td> <td>~5–50 ms</td> <td>~15 GB with indexes, plus query overhead</td> </tr> <tr> <td>PostgreSQL</td> <td>~5 ms</td> <td>Now you need a database server for a Lambda function</td> </tr> <tr> <td>Rainbow tables</td> <td>Saves some space</td> <td>Complex, slower than direct lookup, not worth it for a closed 200M space</td> </tr> </tbody> </table></div> <p>The insight that unlocked everything: <strong>the phone number space is closed and enumerable</strong>.</p> <p>There are exactly 200 million valid numbers. That's small enough to pre-hash every single one, sort the results, and store them in a flat file. Every subsequent lookup becomes a binary search — ~28 comparisons, sub-millisecond, no server, no dependencies.</p> <h2> Building the database </h2> <p>Each record is 36 bytes: 32 bytes of SHA256 hash + 4 bytes of encoded phone index.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">struct</span> <span class="k">def</span> <span class="nf">hash_number</span><span class="p">(</span><span class="n">n</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="n">phone</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">2547</span><span class="si">{</span><span class="n">n</span><span class="si">:</span><span class="mi">08</span><span class="n">d</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="mi">100_000_000</span> <span class="k">else</span> <span class="sa">f</span><span class="sh">"</span><span class="s">2541</span><span class="si">{</span><span class="n">n</span> <span class="o">-</span> <span class="mi">100_000_000</span><span class="si">:</span><span class="mi">08</span><span class="n">d</span><span class="si">}</span><span class="sh">"</span> <span class="k">return</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">phone</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">digest</span><span class="p">()</span> <span class="o">+</span> <span class="n">struct</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="sh">"</span><span class="s">&gt;I</span><span class="sh">"</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> </code></pre> </div> <p>200 million of these, sorted by hash, packed into a flat binary file = <strong>7.2 GB</strong>.</p> <p>The build is parallelised across all CPU cores — each worker hashes and sorts a chunk independently, then the chunks are merged in a single streaming pass. On a modern laptop it takes <strong>60–120 seconds</strong> and requires about 8 GB of free disk space. You only ever build it once.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python msisdn_lookup.py build <span class="c"># Building hashes.bin...</span> <span class="c"># Workers: 12</span> <span class="c"># Done in 73s. Records: 200000000. File: 7.2 GB</span> </code></pre> </div> <h2> Local lookup: binary search </h2> <p>With a sorted flat file, lookup is textbook binary search:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">mmap</span> <span class="k">def</span> <span class="nf">lookup</span><span class="p">(</span><span class="n">target_hash</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">f</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="n">mm</span> <span class="o">=</span> <span class="n">mmap</span><span class="p">.</span><span class="nf">mmap</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="nf">fileno</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="n">access</span><span class="o">=</span><span class="n">mmap</span><span class="p">.</span><span class="n">ACCESS_READ</span><span class="p">)</span> <span class="n">lo</span><span class="p">,</span> <span class="n">hi</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="n">RECORD_COUNT</span> <span class="o">-</span> <span class="mi">1</span> <span class="k">while</span> <span class="n">lo</span> <span class="o">&lt;=</span> <span class="n">hi</span><span class="p">:</span> <span class="n">mid</span> <span class="o">=</span> <span class="p">(</span><span class="n">lo</span> <span class="o">+</span> <span class="n">hi</span><span class="p">)</span> <span class="o">//</span> <span class="mi">2</span> <span class="n">record</span> <span class="o">=</span> <span class="n">mm</span><span class="p">[</span><span class="n">mid</span> <span class="o">*</span> <span class="mi">36</span> <span class="p">:</span> <span class="n">mid</span> <span class="o">*</span> <span class="mi">36</span> <span class="o">+</span> <span class="mi">36</span><span class="p">]</span> <span class="n">h</span><span class="p">,</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">record</span><span class="p">[:</span><span class="mi">32</span><span class="p">],</span> <span class="n">struct</span><span class="p">.</span><span class="nf">unpack</span><span class="p">(</span><span class="sh">"</span><span class="s">&gt;I</span><span class="sh">"</span><span class="p">,</span> <span class="n">record</span><span class="p">[</span><span class="mi">32</span><span class="p">:])[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">h</span> <span class="o">==</span> <span class="n">target_hash</span><span class="p">:</span> <span class="k">return</span> <span class="nf">index_to_phone</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span> <span class="k">elif</span> <span class="n">h</span> <span class="o">&lt;</span> <span class="n">target_hash</span><span class="p">:</span> <span class="n">lo</span> <span class="o">=</span> <span class="n">mid</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">else</span><span class="p">:</span> <span class="n">hi</span> <span class="o">=</span> <span class="n">mid</span> <span class="o">-</span> <span class="mi">1</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p>~28 iterations. After the OS page cache warms up, repeated lookups are effectively instant.</p> <h2> The Lambda problem — and how uniform distribution solves it </h2> <p>Downloading 7.2 GB inside a Lambda function isn't viable. But you don't have to.</p> <p>SHA256 output is <strong>uniformly distributed</strong>. That means if you sort 200 million SHA256 hashes, they're spread evenly across the full 32-byte hash space. The first 8 bytes of any target hash directly estimate its position in the sorted file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">estimate_position</span><span class="p">(</span><span class="n">target_hash</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">record_count</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="n">prefix</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="nf">unpack</span><span class="p">(</span><span class="sh">"</span><span class="s">&gt;Q</span><span class="sh">"</span><span class="p">,</span> <span class="n">target_hash</span><span class="p">[:</span><span class="mi">8</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span> <span class="n">max_prefix</span> <span class="o">=</span> <span class="p">(</span><span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="mi">64</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span> <span class="k">return</span> <span class="nf">int</span><span class="p">(</span><span class="n">record_count</span> <span class="o">*</span> <span class="n">prefix</span> <span class="o">/</span> <span class="n">max_prefix</span><span class="p">)</span> </code></pre> </div> <p>This gives you a position estimate accurate to within a few thousand records. Fetch a <strong>2 MB block</strong> centred on that position with a single S3 Range GET, binary search within the block — and you're done. One HTTP request, no cold-start overhead, no database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="n">s3</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">s3</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lambda_lookup</span><span class="p">(</span><span class="n">target_hash</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="n">pos</span> <span class="o">=</span> <span class="nf">estimate_position</span><span class="p">(</span><span class="n">target_hash</span><span class="p">,</span> <span class="n">RECORD_COUNT</span><span class="p">)</span> <span class="c1"># Centre a 2 MB window on the estimated position </span> <span class="n">start</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="p">(</span><span class="n">pos</span> <span class="o">-</span> <span class="mi">28_000</span><span class="p">)</span> <span class="o">*</span> <span class="mi">36</span><span class="p">)</span> <span class="n">end</span> <span class="o">=</span> <span class="nf">min</span><span class="p">(</span><span class="n">FILE_SIZE</span><span class="p">,</span> <span class="n">start</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nf">get_object</span><span class="p">(</span> <span class="n">Bucket</span><span class="o">=</span><span class="n">LOOKUP_BUCKET</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">LOOKUP_KEY</span><span class="p">,</span> <span class="n">Range</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">bytes=</span><span class="si">{</span><span class="n">start</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">end</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">block</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">Body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">()</span> <span class="k">return</span> <span class="nf">binary_search_block</span><span class="p">(</span><span class="n">block</span><span class="p">,</span> <span class="n">target_hash</span><span class="p">,</span> <span class="n">start</span> <span class="o">//</span> <span class="mi">36</span><span class="p">)</span> </code></pre> </div> <p>The 2 MB window covers ~55,000 records. Given that the uniform distribution estimate is accurate to well within that range, <strong>statistically you will always find your hash in one request</strong>.</p> <p>In practice: ~20 ms including S3 network latency. The Lambda never needs more than 256 MB of memory.</p> <h2> Putting it together in production </h2> <p>The full system is a serverless M-Pesa webhook receiver:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Safaricom callbacks → CloudFront (WAF IP allowlist) → API Gateway → Lambda (parse payload, S3 lookup, DynamoDB write) → DynamoDB Stream → Zoho Books sync + Google Sheets sync </code></pre> </div> <p>Running costs at ~500 transactions/day: <strong>~$0.05/month</strong>.</p> <p>The MSISDN lookup adds roughly 20 ms to the confirm handler. The 5-second Safaricom timeout is never a concern.</p> <h2> Try it yourself </h2> <p>The lookup library is open source and has no external dependencies for core use — pure Python stdlib:</p> <p><strong><a href="https://github.com/endafk/msisdn-lookup" rel="noopener noreferrer">github.com/endafk/msisdn-lookup</a></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/endafk/msisdn-lookup.git <span class="nb">cd </span>msisdn-lookup python msisdn_lookup.py build <span class="c"># one-time, ~90s</span> python msisdn_lookup.py lookup fc418dcfe94c732a... <span class="c"># → 254712345678</span> </code></pre> </div> <p>If you're building on the Safaricom Daraja API and hit the hashed MSISDN problem, this is probably the fastest solution that exists right now. And if you're not on M-Pesa — the technique applies anywhere you have a closed, enumerable pre-image space and need sub-millisecond lookups without a database.</p> <p><em>Built and deployed in production. The approach came out of necessity — Safaricom's documentation on the hash change is, to put it generously, sparse.</em></p> safaricom python devops