RPerkuhn / ioBroker.vw-carnet

Adapter for connecting to Volkswagen Car-net
MIT License

API change #20

Open Maverick78de opened 5 years ago

Maverick78de commented 5 years ago

It seems VW changed something today. It's not working anymore.

Sneak-L8 commented 5 years ago

Actually Car-Net is migrating to We Connect. On the web, maintenance time is up to 8th July 23:59. Let's see if the API is available afterwards. Otherwise we need to know the changes by We Connect....

massa007 commented 5 years ago

Is it working for you again?

Kunibert-007 commented 5 years ago

Have the same error since 8th July. I have the following error in the log - and username + password are correct:

error: vw-carnet.0 CarNetLogin: 401 Username or PW are incorrect =>{"statusCode":401,"body":{"error":"invalid_grant","error_description":"Error authenticating"},"headers":{"x-auth-error-code":"AC001","x-auth-error-message":"Provided Login or Passcode is not valid","x-fs-tracking-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx","x-fs-error-code":"GW054","content-type":"application/json;charset=utf-8","content-length":"82","date":"Fri, 02 Aug 2019 22:09:33 GMT","connection":"close","server":"www"},"request":{"uri":{"protocol":"https:","slashes":true,"auth":null,"host":"msg.volkswagen.de","port":443,"hostname":"msg.volkswagen.de","hash":null,"search":null,"query":null,"pathname":"/fs-car/core/auth/v1/VW/DE/token","path":"/fs-car/core/auth/v1/VW/DE/token","href":"https://msg.volkswagen.de/fs-car/core/auth/v1/VW/DE/token"},"method":"POST","headers":{"accept":"application/json","x-app-name":"eRemote","clientid":"CarNetApp","x-app-version":"4.6.1","user-agent":"okhttp/3.7.0","content-type":"application/x-www-form-urlencoded","content-length":91}}}

Is there any solution for this problem?

thomasesmith commented 5 years ago

The endpoints and behaviors outlined in this git are working for me today, as a United States customer of Car-Net. But I'm not sure if this works for customers in other regions: https://github.com/thomasesmith/vw-car-net-api

massa007 commented 5 years ago

Have you been able to use your car-net app through mitmproxy? At least with the myAudi App it is not working due to the SSL pinning feature I guess... I just get a Network Error message while using the proxy even if most of the other websites and apps are working! So I fear they implemented their CA hardcoded into the app..

thomasesmith commented 5 years ago

Have you been able to use your car-net app through mitmproxy?

Yes, the Car-Net mobile app connects fine when connecting through an mitm proxy. At least the U.S. iOS app does. I can't speak for other versions/markets though.

massa007 commented 5 years ago

I was able to connect via mitmproxy on my old Android phone with an xposed module which disables the ssl pinning :) Now I can see the requests and auth token of the myaudi app! If someone is interested in working on this topic - feel free to contact me!

Sneak-L8 commented 5 years ago

I tried to connect via the URL https://cns.vw.com/mps/v1/login but the only answer I got is:

504 Gateway Time-out

The server didn't respond in time.

Sadly it's not that easy to login via App system...

thomasesmith commented 5 years ago

504 Gateway Time-out

This is how it behaves if you try to load the url in a browser. Is that what you're attempting? This URL is an API endpoint that expects a JSON payload in the body of the request and a particular header. It will always respond 504 when you try to simply load the URL in a browser.

Sneak-L8 commented 5 years ago

Yes, I know that it is an API; I did it via JavaScript:

var request = require('request');
var myUrl = 'https://cns.vw.com/mps/v1/login';
var myFormdata = {'email': CARNET_USERNAME, 'password': CARNET_PASSWORD};
var myHeader = {'Content-Type': 'application/json'};
// note: the `form` option URL-encodes the body and sets Content-Type to x-www-form-urlencoded; `json: myFormdata` would send a JSON body
request.post({url: myUrl, form: myFormdata, headers: myHeader}, function(error, response, result) {
    log("error: " + error + " result: " + result + " response: " + response);
});

So, perhaps there's a need for additional headers or so... In my browser I can even request the page and I'm getting a JSON with an error.

thomasesmith commented 5 years ago

Okay, good yeah, I just wanted to be sure there wasn't a misunderstanding.

Weird, I am connecting fine to that endpoint from the USA. But I just changed my workstation's VPN to connect to a server in Germany (where GitHub tells me you are located) and tried again, and I now get 504 responses back from it too. Make of that what you will.

Sneak-L8 commented 5 years ago

Yes, I'm located in Germany. So there's probably a geofence. I also tried the American login screen and my credentials are not working. I guess there are different systems in the EU and US ... But thanks anyway for your offer!

massa007 commented 5 years ago

I am currently working on fixing the API change at least for the Audi part. I am again able to login and receive the information about my car. The problem I am struggling with is lock/unlock the car for example as I do not only need the access token but also a security token. The security token procedure uses the personal 4-digit PIN and a challenge string which looks like a SHA256 hash. The PIN is somehow hashed into probably a SHA512 string in combination with the challenge hash but I struggle with finding out HOW they do it... Example with a Demo PIN (0000):

{
    "securityPinAuthentication": {
        "securityPin": {
            "challenge": "B23054E10DFE4E1A050D695BC00A6B74F7162ADC4EE19A10C47D628BDC608723",
            "securityPinHash": "9E798E836593028D8A8177B26871E6F13E9366042228438C1B6470275C02131C85F3855B8B1D84A77CC185895AF5FD31549E63653219D777305A13E4E01F3C1D"
        },
        "securityToken": "This is a temporary security token you get when a first GET requests the security PIN authentication. This example is the second step [POST] for the actual authentication where you get the actual security token as a response"
    }
}

Any idea from someone?

BTW: I am willing to help with VW as well, but I can't test with my own car. So I can just offer to work together with an EU VW customer!

Sneak-L8 commented 5 years ago

Did you manage to login by the App API or by web API? If App API it would be great to share this code to be able to make the carnet adapter work again. Sadly I have no information about the challenge. If you logged in via web API: is it possible to lock/unlock the car from the website? Otherwise this could be the problem.

massa007 commented 5 years ago

I was able to decrypt the API calls of the myAudi app via mitmproxy and an unlocked Android phone with xposed and a module to disable ssl pinning. So I use the App API for my calls! E.g. this is the access_token call for Audi:

curl \
-H "Accept:application/json" \
-H "Content-Type:application/x-www-form-urlencoded" \
-d "username=USER&password=PASSWORD#&scope=openid profile email mbb offline_access mbbuserid myaudi selfservice:read selfservice:write&client_id=mmiconnect_android&grant_type=password" \
-X POST https://id.audi.com/v1/token

Sneak-L8 commented 5 years ago

I tried the Audi connect with my E-Golf but then I get "invalid credentials"... But if someone should be able to identify the correct login URL for VW we could get into the system. Would it be much effort for you to do the same with "We Connect" for VW? I can provide you some temporary credentials if you want.

massa007 commented 5 years ago

Not a problem at all! I can at least try :) Everything is prepared already so if you provide credentials I can test it with my setup and give you the API Calls! Just send me a mail to massa [at] partyheld de

massa007 commented 5 years ago

I am currently working on fixing the API change at least for the Audi part. I am again able to login and receive the information about my car. The problem I am struggling with is lock/unlock the car for example as I do not only need the access token but also a security token. The security token procedure uses the personal 4-digit PIN and a challenge string which looks like a SHA256 hash. The PIN is somehow hashed into probably a SHA512 string in combination with the challenge hash but I struggle with finding out HOW they do it... Example with a Demo PIN (0000):

{
    "securityPinAuthentication": {
        "securityPin": {
            "challenge": "B23054E10DFE4E1A050D695BC00A6B74F7162ADC4EE19A10C47D628BDC608723",
            "securityPinHash": "9E798E836593028D8A8177B26871E6F13E9366042228438C1B6470275C02131C85F3855B8B1D84A77CC185895AF5FD31549E63653219D777305A13E4E01F3C1D"
        },
        "securityToken": "This is a temporary security token you get when a first GET requests the security PIN authentication. This example is the second step [POST] for the actual authentication where you get the actual security token as a response"
    }
}

Any idea from someone?

Any idea on this is still highly appreciated! Feel free to contact me at "massa [at] partyheld de"

Sneak-L8 commented 5 years ago

New information on logging into the new We Connect. @massa007 helped me by logging the login procedure of the We Connect app via mitmproxy. Here are my conclusions:

Start login via GET https://identity.vwgroup.io/oidc/v1/authorize?client_id=9496332b-ea03-4091-a224-8c746b885068%40apps_vw-dilab_com&scope=openid%20profile%20mbb%20cars%20birthdate%20nickname%20address%20phone&response_type=id_token%20token%20code&redirect_uri=carnet%3A%2F%2Fidentity-kit%2Flogin&nonce=e9dae820fc268756f559aca9cadec3c29dcfab634ef73bb2999c37ca8795a6da&state=6791eff1-15a8-474d-af48-a04ac0700da3&code_challenge=c-b2lf1f7kbAfV6jDU2Yl65R2Xsbhx5Ksji_x4mFCRw&code_challenge_method=s256

The client_id 9496332b-ea03-4091-a224-8c746b885068@apps_vw-dilab_com seems to be constant for the We Connect app. You also need to provide a CookieJar. In the answer (response 302) you will find a relayState in the response.location URL.

With this you can proceed to send the userid via GET https://identity.vwgroup.io/signin-service/v1/signin/9496332b-ea03-4091-a224-8c746b885068@apps_vw-dilab_com?relayState=bf38ed96b0fa704f99ce7ddeb4357be1b97bb8c5

The answer will be 200; the rest seems to be irrelevant.

Next is a POST to https://identity.vwgroup.io/signin-service/v1/9496332b-ea03-4091-a224-8c746b885068@apps_vw-dilab_com/login/identifier. Here you have to pass the following form data:

_csrf: 9795ed61-9b99-4a8d-931d-32a46c45d11e
relayState: bf38ed96b0fa704f99ce7ddeb4357be1b97bb8c5
hmac: b4c36f72ed5a35cda9ad50c140f29b7864e0199130d33f0aadc66cd7338e7da2
email: <userid/email>

The answer should be 303.

Here starts my problem... how to get hmac and _csrf? I see some additional values like nonce and challenge being passed, but how to get hmac and _csrf? In the web login they are part of some form data presented by VW, but here? Any help is appreciated to continue mods for We Connect... I can also provide mitm data since only a temporary user was used.

Sneak-L8 commented 4 years ago

The solution is found with this adapter: https://github.com/TA2k/ioBroker.vw-weconnect/ It is able to request all data via app login with a bunch of additional information.

abhishek-decipher commented 4 years ago

Making a request like this:

curl -X POST \
  https://cns.vw.com/mps/v1/login \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 6975fa50-0e2c-e304-02ae-c8912b29ec6e' \
  -d '{ "email": "so@hello**.es", "password": "**" }'

I got a response like this:

{ "message": "Unauthorized" }

Is there any change in the request header or URL? The credentials are working fine on the provider side.

Mr-Staffman commented 4 years ago

I was able to decrypt the API calls of the myAudi app via mitmproxy and an unlocked Android phone with xposed and a module to disable ssl pinning. So I use the App API for my calls! E.g. this is the access_token call for Audi:

curl \
-H "Accept:application/json" \
-H "Content-Type:application/x-www-form-urlencoded" \
-d "username=USER&password=PASSWORD#&scope=openid profile email mbb offline_access mbbuserid myaudi selfservice:read selfservice:write&client_id=mmiconnect_android&grant_type=password" \
-X POST https://id.audi.com/v1/token

Can you still decrypt API calls from myAudi? I have no unlocked device to escape the SSL Pinning.

massa007 commented 4 years ago

Didn't try since the day I posted that ^^ Do you need anything?

On 12.05.2020 at 14:15, Mr-Staffman notifications@github.com wrote:

I was able to decrypt the API calls of the myAudi app via mitmproxy and an unlocked Android phone with xposed and a module to disable ssl pinning. So I use the App API for my calls! E.g. this is the access_token call for Audi:

curl \
-H "Accept:application/json" \
-H "Content-Type:application/x-www-form-urlencoded" \
-d "username=USER&password=PASSWORD#&scope=openid profile email mbb offline_access mbbuserid myaudi selfservice:read selfservice:write&client_id=mmiconnect_android&grant_type=password" \
-X POST https://id.audi.com/v1/token

Can you still decrypt API calls from myAudi? I have no unlocked device to escape the SSL Pinning.


Mr-Staffman commented 4 years ago

Didn't try since the day I posted that ^^ Do you need anything?

Yes, I need to know what the payload looks like when starting Clima on my car. None of the three standard settings work: auxiliary, automatic or electric. Stop Clima works fine.

Maybe if I add you as a user of my car you can help me? Please reply on gmail staffan.spjuth

andig commented 4 years ago

Hi all, I'm trying to use carnet with German login. It seems the carnet API has the same structure as the audi API. While Audi is working for me, carnet doesn't authenticate. Am I right assuming that carnet is no longer functional and you are in the process of deciphering weconnect?