BYDcar / BYDGlobalFactoryImages1

BYD (Build Your Dream) Car Repair Manuals and Factory Images For Global Models (ATTO 3)

Public API for remote control? #1

Open jkaberg opened 1 year ago

jkaberg commented 1 year ago

Hi @afirmware, first of all, thanks for sharing all your work!

Now, this might be out of scope for you, but I'm currently investigating trying to access the API via which the mobile app (Android/iOS) communicates with the car.

There is some preliminary discussion and effort being done on Reddit over here https://www.reddit.com/r/BYD/comments/10a7eoz/reverse_engineering_the_mobile_app_rest_api/ - and specifically this post gives some insight.

But I was wondering if you have any insight into this or have any sources that could help us? I do know of the WeChat API but IMHO, it's way out of bounds for any practical implementation.

The goal is to create an API specification and further down an SDK/library for others to use (e.g. integration with home automation software etc.).

What makes this hard for me is the language barrier, as I'm situated in Norway, and the little work being done here seems to stem from/in China, of which I understand very little 😄

Sorry for being off topic regarding the repo here, I didn't see any other way of contacting you!

afirmware commented 1 year ago

Hi @jkaberg, I saw your post on Reddit and it looks cool. I have no insights on API decryption. I have only tried to use HttpCanary and installed a root certificate to decrypt HTTPS requests of another app. I have not researched BYD's app. Seeing that you said that BYD's API seems to have a layer of encryption at the payload level, it seems more complicated and you may need to decompile the app to research the decryption method.

In addition, having said your work is cool, these APIs still seem to rely on BYD's server to obtain data. I am a little worried about the car connecting to BYD's server. Recently, some Chinese car owners said that their cars forced OTA updates in the middle of the night without confirmation or user prompts (https://www.zhihu.com/question/604862223/answer/3061502761, https://www.bilibili.com/video/BV1As4y1y7pk). I feel that it might be better to block the connection with BYD's server and send the information directly to the user's own home server.

As far as I know, some developers in China have developed some apps on the car, such as https://www.bilibili.com/video/BV1As4y1y7pk, https://www.bilibili.com/video/BV1kd4y187LQ and https://www.miktone.com/category/Download/ (their download page links to the web drive https://pan.quark.cn/s/368f8a4d15df#/list/share/259562c5d7db435c86e2a67ea0cfaa79-%E8%BF%AA%E7%B2%89%E8%BE%85%E5%8A%A9%E5%B7%A5%E5%85%B7; it seems the quark.cn web drive needs a mobile number (must be a Chinese mobile number?) to register). It seems that information such as battery level, speed and temperature can be obtained. But it seems that they are not open source and I don't know how they achieved it. I don't have access to relevant car models and I have not tested these apps. If you can obtain the sensor data through a similar method, it seems that your goal can be achieved by sending these data directly to home automation servers. I'd suggest that you research these apps.

In addition, some users in China seem to have made some progress in rooting the car. For example, this repo https://github.com/CMLNT/Dilink4_For_BYD seems to have done a TWRP recovery for the car.

jkaberg commented 1 year ago

@afirmware yes, very troublesome about the non-consented OTA updates, and I'm on board with your thoughts here.

Last I checked with https://oip.byd.com, one needs to be a Chinese resident in order to create a developer account, which in turn is needed to be able to sign the APKs for hardware access (such as SOC, A/C control etc.) via the SDK (also available at the oip website) - this is out of scope for me, but a very valid path in terms of transmitting the data I need - just a bit unsure on whether we are allowed the low-level access to run apps as services (poll/push data while the car is off). And if one were to do this, the app will need to pass a code review by the team at BYD, which I doubt will consent to extracting data like so 😆 I'm mentioning this as I figure the apps you link to are developed by people from China who have been through this process.

Root would solve some/most of this, however I'm concerned regarding warranty in this case. I know people over at Magisk are working towards something as well, https://github.com/topjohnwu/Magisk/issues?q=is%3Aissue+byd+is%3Aclosed and https://github.com/topjohnwu/Magisk/pulls?q=is%3Apr+is%3Aopen+byd

For now it seems I'm stranded with a non-open API and a dead end regarding the developer program.

afirmware commented 1 year ago

Hi @jkaberg, are you sure the app I linked has gone through these processes? I feel that these processes are for the app to be listed in BYD's official app store, but the app I linked to is not listed in BYD's official app store. Their APK is published in their web drive. Their installation tutorial (https://v.qq.com/x/cover/mzc001004dehzg2/b3515o6t1qp.html) mentioned that they need to use wireless adb to install. So it seems to be a third-party application installed by sideloading. I guess they have not gone through the process of application review. But anyway, I don't have access to a BYD car running the Android system and haven't researched it carefully.

On the other hand, there may be another way to obtain data such as SOC through the CAN bus of the OBD interface, but the difficulty lies in determining which data corresponds to which sensor/state. I only know a small part of the CAN bus of a BYD car, and now I can get data such as opening and closing the door and turning the lights on and off: https://github.com/BYDcar/opendbc-byd. If you can get these data from the CAN bus, and then send them to your own server through additional self-made hardware, it seems that it is also possible.

jkaberg commented 1 year ago

Did some digging in your patches today @afirmware and they obviously contain a lot of interesting things, amongst them the binaries \system\bin\cloudctrlsrv and \system\bin\cloudmanger - they seem to be the main functionality for remote controlling the car via MQTT, running as system services below the Dalvik engine, which makes sense as they function when the car is off, in contrast to apps running on the screen.

This kind of makes it hard to achieve good remote control without root, and I won't root an expensive car to lose the warranty 😆

codyc1515 commented 10 months ago

I found the IV, Key and other AES-CBC details inside of the AirConditioning.apk. I was not able to immediately work out how to use this to communicate with the BYD servers or use in conjunction with the BYD app. Trust this helps.

codyc1515 commented 10 months ago

Here we go:

CIPHER_NAME = "AES/CBC/NoPadding"
IV_STRING = "5b8cf5b593634671"
KEY = "5aaffe8ddbf54ba0"
TAG = "CAEncrypt"

jkaberg commented 10 months ago

@codyc1515 that's intriguing - I'm gonna try this with the tools located at https://gchq.github.io/CyberChef/

Hitting the endpoint https://dilinkappoversea-eu.byd.auto/app/account/login gives one the payload FGoYjdbQdaL+nt/HGw8kx4wCd/GPm+8I9muKKjfvug5AY5bsMIs+oaS3fsHQS2MCT which should be something along the lines of "unauthorized" or similar.

EDIT: not sure what to make of it, will test a bit more later

codyc1515 commented 10 months ago

With Base64 decoding and hex/hex gives us a result... which is not particularly helpful.

jkaberg commented 10 months ago

The original string is not base64, it does not conform to the standard (albeit very similar in how it looks) - it might be an alternative base64 form, does the code tell us something about this?

I'm wondering if AirConditioning.apk is actually using this API, or a separate one - can you see related URLs in the APK?

I did some previous work into this, and got a hold of this, which I'm fairly certain uses the dilinkappoversea-eu.byd.auto API - however the code here is too obfuscated to follow.
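An added check for the point raised above about the login payload not conforming to standard base64 (example code, not from the thread or the project): it reports which RFC 4648 rules a string breaks and only decodes it when it is valid. The sample string is the one quoted from the login endpoint earlier in the thread; the helper names are my own.

```python
import base64
import string

# The response body quoted earlier in the thread (65 characters, no padding).
SAMPLE_PAYLOAD = "FGoYjdbQdaL+nt/HGw8kx4wCd/GPm+8I9muKKjfvug5AY5bsMIs+oaS3fsHQS2MCT"

STD_ALPHABET = set(string.ascii_letters + string.digits + "+/")
URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def check_base64(s: str) -> dict:
    """Report whether s is well-formed RFC 4648 base64 (standard or URL-safe).

    Padding is treated as optional, so unpadded strings are accepted when
    their length is consistent with a real encoding.
    """
    problems = []
    body = s.rstrip("=")
    pad = len(s) - len(body)
    if pad > 2:
        problems.append("more than two '=' padding characters")
    if "=" in body:
        problems.append("'=' appears before the end of the string")
    # Work out which alphabet the body uses; a mix of '+/' and '-_' fits neither.
    if not set(body) - STD_ALPHABET:
        alphabet = "standard"
    elif not set(body) - URL_ALPHABET:
        alphabet = "url-safe"
    else:
        alphabet = None
        problems.append("characters outside both base64 alphabets")
    # Every 3 input bytes become 4 chars; a remainder of 1 char can never occur.
    if len(body) % 4 == 1:
        problems.append("unpadded length mod 4 == 1: no base64 encoding produces this")
    elif pad and (len(body) + pad) % 4 != 0:
        problems.append("padded length is not a multiple of 4")
    return {"alphabet": alphabet, "valid": not problems,
            "problems": problems, "unpadded_len": len(body)}


def decode_if_valid(s: str):
    """Return the decoded bytes, or None when check_base64 rejects the input."""
    report = check_base64(s)
    if not report["valid"]:
        return None
    body = s.rstrip("=")
    padded = body + "=" * (-len(body) % 4)  # re-add padding so b64decode accepts it
    if report["alphabet"] == "url-safe":
        return base64.urlsafe_b64decode(padded)
    return base64.b64decode(padded)
```

Run against the sample the report lists the length-mod-4 violation, which is the reason the string cannot be plain base64 output regardless of alphabet.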

codyc1515 commented 10 months ago

I think you're right. I was not able to get past the SecNeo/Bangcle encryption of the app. I know very little about Android. The iOS app, however, did not look to be so protected.

jkaberg commented 10 months ago

The iOS app I assume is FairPlay encrypted, is this not the case with BYD as well?

If you have an M1 Mac you should be able to dump the decrypted binary from memory, however this is out of my depth.

codyc1515 commented 10 months ago

Well, yes - that assumes that you get it from the App Store... not directly from BYD.

https://d21xq0dedw8i51.cloudfront.net/appPackage/ios/app/product/dilinktty.ipa

jkaberg commented 10 months ago

Let me know if you get any further. I'm very interested in getting this into a package which could be used within Home Assistant and similar.

codyc1515 commented 10 months ago

Sorry, it won't be me. I've exhausted everything till now, with a similar intent.

codyc1515 commented 10 months ago

Any other thoughts?

jkaberg commented 10 months ago

Unfortunately no, reverse engineering the Android/iOS app is probably the most efficient way of actually understanding how the API works. But this is beyond my knowledge.