JLR API update broke jlrpy again

[ardevd]

JLR has updated their API again, breaking third party apps in the process.

[pmharris77]

@ardevd Out of curiosity, do most of the API changes you've had to fix look like they were intentionally to stop third-party apps, or are they adding new functionality?

[ardevd]

@ardevd Out of curiosity, do most of the API changes you've had to fix look like they were intentionally to stop third-party apps, or are they adding new functionality?

Solely to stop third party apps.

[ardevd]

Looks like they've added a new layer of API authentication.

[ardevd]

The x-App-Secret is now dynamic and seemingly changes frequently. Re-using previously used values doesn't seem to work either.

[pmharris77]

The x-App-Secret is now dynamic and seemingly changes frequently. Re-using previously used values doesn't seem to work either.

@ardevd That sounds hard to work around? Is it possible they have implemented it as some sort of shared time-based pseudo-random sequence baked into the app code, similar to a 2FA code?

[ardevd]

Not necessarily. Either, the secret is provided by the InControl API, or it might be calculated locally on the device (and reproduced on the server side). Either way, it should be possible to re-implement the same behaviour.

[pmharris77]

@ardevd Wish I could help, rather than just ask questions, but reverse engineering APIs is not really in my skillset. Thanks v much for trying to sort this for the community!

[dconlon]

I think I’ll try to find a contact at JLR unless anyone already has one?

If their intent is to stop third party apps, it seems like they will keep iterating until a jlrpy workaround cannot be made. I’d like to make the case for them offering open API access - I think there are benefits to JLR and it is what forward looking companies are doing.

My attempt probably won’t change anything but I will try. It might sound petty, but removal of API access would factor into my next vehicle purchase decision and somebody in JLR should want to know that if there are others like me.

[ardevd]

I'd really appreciate that! This cat and mouse game has been going on for a while now and while I enjoy the challenge, it's getting tedious.

JLR alienating their most enthusiastic customers in a misguided attempt to improve security is unfortunately. I've been reaching out to JLR repeatedly but never heard back.

When I first developed jlrpy and WattCat they did reach out and we concluded that they actually appreciated that someone would develop community apps for such a niche car manufacturer. I guess times have changed.

[pmharris77]

@ardevd I've tried to decompile the app using a couple of Android Java decompilers and they're all failing to decompile for me. Have you had any luck?

[ardevd]

apktool or JADX (which used apktool) works fine.

[pmharris77]

apktool or JADX (which used apktool) works fine.

Weird, I used JADX, must the app that calls it that's the issue.

Found another and interestingly, there are a few developer names throughout the code base who are on LinkedIn or have their own blogs:

Chris Banes Dan Lew

[andig]

As customer, the reaction will have to be not buying JLR going forward, unless they start offering and supporting official APIs if they're not happy with people hacking around the inofficial ones... Let's see what the EU Data Governance Act will accomplish in the future...

[CadeusTheGreat]

(Venting a bit at JLR) If JLR just switched to using API keys then none of this would be an issue and we could all move forwards with our lives. Devs wouldn't need to ask for usernames/passwords for their apps/integrations and the customer could pick which permissions to grant the API key(s) they create. Then, whenever they want to, the customer can just revoke their API key as they please. Evidently JLR is incapable of coming to this solution though.

On a brighter note, I'd be happy to get involved with helping to reverse engineer the API if needed. 🙂

[ardevd]

Yeah. Third party API access has been a thing for the last 15 years now. About time JLR caught up.

I'm happy for all the help I can get. Reach out to me on Discord (ardevd) and I'll bring you up to speed.

[kkennedyuk]

@ardevd Thank you so much for continuing to support us here - really appreciated!

@dconlon I received a JLR ‘customer care’ email at the end of March - I assumed it was just a broadcast but now think that I might be on their list of ‘non-authorised’ third-party API users!

Recently, in the past couple of weeks, I have noticed that the JLR Remote app has stopped allowing me to lock / unlock the car remotely. No reason / explanation given.

Now, JLR have also just contacted me today to get the car in for an important ‘security update’.

I will try to find someone to speak to find out if all this is related to the API lockdown and my usage of it, or just coincidental.

Would be interested to know if anyone else has actually engaged with JLR about all this?

[ardevd]

The security upgrade has been rolling out across the JLR fleet recently. No idea what it involves.

[cstosgale]

@ardevd Thank you so much for continuing to support us here - really appreciated!

@dconlon I received a JLR ‘customer care’ email at the end of March - I assumed it was just a broadcast but now think that I might be on their list of ‘non-authorised’ third-party API users!

Recently, in the past couple of weeks, I have noticed that the JLR Remote app has stopped allowing me to lock / unlock the car remotely. No reason / explanation given.

Now, JLR have also just contacted me today to get the car in for an important ‘security update’.

I will try to find someone to speak to find out if all this is related to the API lockdown and my usage of it, or just coincidental.

Would be interested to know if anyone else has actually engaged with JLR about all this?

This is coincidental, I had the security update applied to my car months ago, and the HA integration has been working brilliantly up until a few days ago. I'd definitely recommend getting this applied to your car though! There were some gaping security holes in the keyless unlocking they've finally fixed.

[wawibu]

It is a shame that nowadays they still restrict the api to prevent 3rd party apps. ☹️ Not all customers would ever use it, but why not allow those who want to get their data. Didn't we pay already with providing our data to them for free? Can't imagine that the handful of 3rd party users would break their servers

[dconlon]

I’ve spent a few hours trying to contact someone in product management but have unfortunately failed. They have their email setup to reject external senders and the contact I had no longer works at JLR. I’ve left messages with various switch boards so there’s still a possibility of a call back but in the mean time I’ll complain to customer care and perhaps everyone with an interest could do the same as some already have.

[scotttag]

This is coincidental, I had the security update applied to my car months ago, and the HA integration has been working brilliantly up until a few days ago. I'd definitely recommend getting this applied to your car though! There were some gaping security holes in the keyless unlocking they've finally fixed.

Just to add - from what I gather from my dealer - that is the urgent security update they've been rolling out - fixes for the keyless entry security issues (many insurance companies were refusing to insure JLR products because of it, another great way to get rid of customers!)

[MZorzy]

this may help ? https://github.com/evcc-io/evcc/pull/13960/files

[ardevd]

this may help ? https://github.com/evcc-io/evcc/pull/13960/files

Thanks! I can't seem to get it to work though, and it's not using a dynamic app secret. Can anyone confirm that it actually works using evcc?

[andig]

No. Its broken once more now 😰

[rzumbuehl]

this may help ? https://github.com/evcc-io/evcc/pull/13960/files

Thanks! I can't seem to get it to work though, and it's not using a dynamic app secret. Can anyone confirm that it actually works using evcc?

Just tried to get it work with the evcc approach but failed so far.

[MZorzy]

ouch :-(

[wawibu]

Just tried to connect my tibber account with landrover incontrol and that doesn't work anymore. Tibber has the issue opened on May 20th. I believe that Tibber has an official allowance to use the api but landrover broke it for them as well as it seems

[garrettcook]

Does there seem to be any use of third-party services or proxies to avoid storing the API key in the app?

[wawibu]

I opened a ticket at JLR to understand the possibilities of getting access to my data via API

[anggar-programacion]

It's a shame it doesn't work again I have to renew my Remote subscription in 15 days. I don't think I'm going to renew it. With the enthusiasm that I put into learning to make my programs for my Jaguar. Bad company policy. He did not predict a good ending.

[victor987]

Tibber is working now to start/stop the charge and view the battery %, so I guess they have access to the JLR's API. @wawibu mentionned earlier that Tibber had "the issue opened" but I can't find anything about that or their code.

[ardevd]

Tibber is working now to start/stop the charge and view the battery %, so I guess they have access to the JLR's API.

@wawibu mentionned earlier that Tibber had "the issue opened" but I can't find anything about that or their code.

Thank you for reporting this. I'll reach out to Tibber and see if they can share details. I've helped them out previously so maybe they will return the favor.

[wawibu]

I opened a ticket at JLR to understand the possibilities of getting access to my data via API

Got now the Feedback from JLR that they didn't provide 3rd party API and that I could use Incontrol to get the status and export the data. What it far away form what I want to do and incontrol didn't provide gpx information ☹️

[ardevd]

Got some info from a contact at an energy company who has some InControl integration working again. Apparently they've gotten a confidential agreement with JLR that gives them partial access to the API.

Things aren't looking great at this time.

[dconlon]

Things aren't looking great at this time.

A real shame, thanks for your efforts. That being the case, I've documented my workaround to get EV battery state of charge % when the car is at home which may possibly help others:

https://github.com/dconlon/icar_odb_wifi/

[rzumbuehl]

Really a pity that this service is no longer working!

I'm also exploring workarounds for my EV use cases (battery SOC, odometer, remaining range, average consumption). I'm leveraging the JLR InControl web application (https://incontrol.jaguar.com/) that is publishing the recent journeys (unfortunately no other meaningful data is published on this web app). Based on the journey data I then keep track of range, SOC, average consumption etc. in a node.js backend service. I'm fetching the data from the InControl web application using the puppeteer node.js library: https://www.npmjs.com/package/puppeteer. The solution is working kind of ok for my use cases.

Might be of help for some other folks here.

[wawibu]

@dconlon thanks for sharing, could become my workaround as well. Mainly I need the EV SOC and Odometer. Getting all the additional information via API was nice, but SOC and Odo are required for me.

@rzumbuehl it is a shame that the incontrol webpage didn't provide more information. Didn't understand why the mobile app could show me the ev distance, while the webpage doesn't provide it.

JLR is going here - from my pov - into the wrong direction.

[ardevd]

I'll take the opportunity to mention that I'm working as a consultant with DIMO and have implemented support for the Jaguar I-Pace (and many other vehicles). If you get an AutoPi you'll get SoC, SoH and a lot of other metrics from the I-Pace. We are working on making the cheaper Macaron capable too, but it will take a bit of time.

Obviously won't help with remote operations such as climate preconditioning etc, but I'm excited for DIMOs mission to build an open decentralized system for car diagnostics data.

I think for now, DIMO is the best alternative to what we once had.