JodelRaccoons / jodel_api

Unoffical Python Interface to the Jodel API
https://github.com/nborrmann/jodel_api
MIT License

Distinct id is always the same #29

Open springjools opened 2 years ago

springjools commented 2 years ago

Issue

All accounts have the same distinct id. The distinct id seems to be related to unix epoch, the distinct id of the accounts created are all tied to the date GMT: Wednesday, July 27, 2022 9:42:20.954 PM. Maybe it's because the firebase_uid is also constant.

Hardcoded?

Test it like this:

```
import jodel_api
lat, lng, city = 48.148434, 11.567867, "Munich"
j = jodel_api.AndroidJodelAccount(lat=lat, lng=lng, city=city, email_address=)
k = jodel_api.AndroidJodelAccount(lat=lat, lng=lng, city=city, email_address=)
...
```

```
...
>>> print(j.refresh_access_token())
(401, 'Unauthorized')
>>> print(k.refresh_access_token())
(200, {'access_token': '75518572-faf32da6-a511d87f-18e4-45ec-9186-4012d1fb5002', 'token_type': 'bearer', 'expires_in': 604800, 'expiration_date': 1660480318})
```

You can also see that all accounts have the same karma upon generation, a value much higher than the default.

...

## Environment

android

If you're reporting a bug, please attach the output of the following commands:

```
$ pip show jodel_api
Name: jodel-api
Version: 1.2.11
Summary: Unoffical Python Interface to the Jodel API
Home-page: https://github.com/nborrmann/jodel_api
Author: Nils Borrmann
Author-email: n.borrmann@googlemail.com
License: MIT
Location: c:\users\\appdata\roaming\python\python310\site-packages\jodel_api-1.2.11-py3.10.egg
Requires: future, mock, protobuf, requests, varint
Required-by:
$ pip -V
pip 22.2.2
$ python -V
Python 3.10.0
$ python -c "import jodel_api; print(jodel_api.JodelAccount.version); print(jodel_api.JodelAccount.secret)"
7.51
b'YEKawcOEwzigovvWEFkBVWPIsgHhnIFmfMtfjYLS'
python -c "import jodel_api; print(jodel_api.AndroidJodelAccount.version); print(jodel_api.AndroidJodelAccount.secret)"
7.51
b'YEKawcOEwzigovvWEFkBVWPIsgHhnIFmfMtfjYLS'
```

(I think the constructor returns the ios version as default)

Steverman commented 2 years ago

firebase_uid is actually user_id (Firebase Refresh Token) or localId (oob redeem) as they're the same value. The reason why this works is because the hardcoded firebase_uid points to an already verified user in their database.

When "refreshing" all tokens you should assign localId to the key firebase_uid. Just be aware that the current code doesn't handle signups and you most likely paired your email with the hardcoded firebase_uid. This is important because you will get a 477 "Signed Request Expected" status error when you call refresh_all_tokens() with an already paired email.

Using a new email and fixing the firebase_uid in the payload will give you a completely new account with the expected 100 karma. When signing up for the first time the header will return X-User-Blocked: false but will be true on subsequent API calls (and will also be represented under user-config. banned_unti is however not set).

Unfortunately, it seems like the verification system never worked (https://github.com/JodelRaccoons/jodel_api/issues/26) as everyone is just using someone else's user (try calling j.get_posts_recent(mine=True) and see the contents). And new accounts are still blocked (probably just need to be verified).

Do keys need to be updated again?

Unbrick commented 2 years ago

Current Android key: uNvXCTsaGForyheiAychONmYhipdfktjGcTSxzux Version: 8.1.2

I performed a few tests and the firebase_uid indeed seems to be the issue here. Currently not sure on how to approach the generation of valid firebase_uid values.

@Steverman What do you mean by "fixing the firebase_uid"? Are you aware of any way to generate valid firebase_uid / user-tokens?

Steverman commented 2 years ago

> Current Android key: uNvXCTsaGForyheiAychONmYhipdfktjGcTSxzux Version: 8.1.2
>
> I performed a few tests and the firebase_uid indeed seems to be the issue here. Currently not sure on how to approach the generation of valid firebase_uid values.
>
> @Steverman What do you mean by "fixing the firebase_uid"? Are you aware of any way to generate valid firebase_uid / user-tokens?

Yes, but the account won't become verified. I have yet to try updating the key.

Pass this

https://github.com/JodelRaccoons/jodel_api/blob/ada181d9e366684ffa69011e30973e1c698bd224/src/jodel_api/android_auth.py#L65

or this

https://github.com/JodelRaccoons/jodel_api/blob/ada181d9e366684ffa69011e30973e1c698bd224/src/jodel_api/android_auth.py#L88

to https://github.com/JodelRaccoons/jodel_api/blob/ada181d9e366684ffa69011e30973e1c698bd224/src/jodel_api/jodel_api.py#L473

Of course you have to modify the return value of generate_firebase_token() to access it. I know it's a valid firebase_uid since putting something random will say that this uid doesn't exist.

And it'll generate a new account.

And don't forget to use a new email

Unbrick commented 2 years ago

Nice, tried and can replicate the 477 so far, thank you! But registration seems to work despite the user being blocked. I'll look into this in the coming days, maybe we can somehow circumvent the blocking.

Steverman commented 2 years ago

> Nice, tried and can replicate the 477 so far, thank you! But registration seems to work despite the user being blocked. I'll look into this in the coming days, maybe we can somehow circumvent the blocking.

Do unverified accounts always set user_blocked to true? It would be nice to know if verified: true also means user_blocked: false when inspecting user config. I have a feeling we're missing additional data or another step.

leon1995 commented 2 years ago

> Current Android key: uNvXCTsaGForyheiAychONmYhipdfktjGcTSxzux
>
> Version: 8.1.2
>
> I performed a few tests and the firebase_uid indeed seems to be the issue here. Currently not sure on how to approach the generation of valid firebase_uid values.
>
> @Steverman What do you mean by "fixing the firebase_uid"? Are you aware of any way to generate valid firebase_uid / user-tokens?

How did you extract the current key? Sadly, the ojoc-keyhack does not work for me :(

Unbrick commented 2 years ago

@leon1995 There are several ways, check out the JodelReversing repository of the JodelRaccoons organisation

leon1995 commented 2 years ago

Thanks @Unbrick. I don't have a rooted android device, so I will try the keyhack-v2.

springjools commented 2 years ago

I would now have an extra iPhone I could root/jailbreak, but isn't it the case that the iOS branch is nowadays totally useless?

Steverman commented 2 years ago

I tried to figure it out using Genymotion but the same thing happens. The account gets blocked for any request after sending a post request to https://api.jodelapis.com/api/v2/users/. Here's what I observed so far:

springjools commented 2 years ago

Distinct id is something like this:

id_decimal=int(epoch * b/n)

Where b = 2^64 and n = 10^9 (epoch in nanoseconds or something like that). But I don't think this is precisely correct, but something like this. I just discovered this numerically.

ttiasg commented 1 year ago

distinct_id is just a MongoDB ObjectID automatically created by the server and tied to device_uid and every other user info. But yeah obviously you need to generate a unique `device_uid`, if not you are just restoring an account. (But this is already implemented in the api here and generating read only accounts is still possible.)

Integrity Checks introduced a while ago which will block the account:

1) Call to https://www.googleapis.com/androidantiabuse/... SafetyNet Attestation API returns (obfuscated?) application/x-protobuf

2) The more recent Play Integrity API - returning integrityToken which is then verified with the Jodel Servers.

Some tips if you still want to tinker around with the API:

1) Don't use an Emulator (Integrity checks will block the account after registration) - use a rooted android device

2) I had more luck bypassing the SSL Pinning with this Toolkit

3) If you have an expired but verified account, you can restore it by simply passing the accounts device_uid to AndroidJodelAccount(). It's then tied to your entered Email.

And by the way, at least on iOS accounts the device_uid is exposed in the App itself (Settings - Schreib uns) which is really not great security-wise.
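
The thread identifies distinct_id as a MongoDB ObjectID, which is why every account built on the same hardcoded firebase_uid decodes to one creation time. The following is an added example, not code from the thread or from jodel_api: it splits an ObjectId into its standard fields and shows that the decimal form is the creation time in seconds shifted left by 64 bits. The sample id is constructed from the timestamp quoted in the issue; its random bytes and counter are made up, and all function names are hypothetical.

```python
from datetime import datetime, timezone


def make_object_id(created, random5, counter):
    """Build a 12-byte ObjectId: 4-byte seconds | 5-byte random | 3-byte counter."""
    if len(random5) != 5 or not 0 <= counter < 2**24:
        raise ValueError("random part is 5 bytes, counter is 24 bits")
    seconds = int(created.timestamp())
    return (seconds.to_bytes(4, "big") + random5 + counter.to_bytes(3, "big")).hex()


def parse_object_id(hex_id):
    """Split a 24-hex-character ObjectId into its three fields."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("an ObjectId is exactly 12 bytes (24 hex characters)")
    seconds = int.from_bytes(raw[:4], "big")
    return {
        "seconds": seconds,
        "created": datetime.fromtimestamp(seconds, tz=timezone.utc),
        "random": raw[4:9].hex(),
        "counter": int.from_bytes(raw[9:], "big"),
    }


def seconds_from_decimal(id_decimal):
    """The decimal id is seconds * 2**64 plus a 64-bit remainder (random + counter),
    so dropping the low 64 bits recovers the creation time."""
    return id_decimal >> 64


# Constructed sample: timestamp taken from the issue text, other fields made up.
SAMPLE_CREATED = datetime(2022, 7, 27, 21, 42, 20, tzinfo=timezone.utc)
SAMPLE_ID = make_object_id(SAMPLE_CREATED, bytes.fromhex("a1b2c3d4e5"), 1)

if __name__ == "__main__":
    fields = parse_object_id(SAMPLE_ID)
    print(SAMPLE_ID, fields["created"].isoformat(), fields["random"], fields["counter"])
    print(seconds_from_decimal(int(SAMPLE_ID, 16)))
```

Because the timestamp occupies the leading bytes, an ObjectId reveals when its record was created and should not be treated as a secret or as proof that two clients are distinct users.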