argrento / huami-token

Script to obtain watch or band bluetooth token from Huami servers
MIT License
410 stars 94 forks

Unauthorized error for AGPS download #30

Open lacek opened 3 years ago

lacek commented 3 years ago

Version: 6efae23

$ python huami_token.py -m xiaomi -g
Getting access token with xiaomi login method...
Copy this URL to web-browser

https://account.xiaomi.com/oauth2/authorize?skip_confirm=false&client_id=xxxxxxxxxxxxxxxxxxx&pt=0&scope=1+6000+16001+20000&redirect_uri=https%3A%2F%2Fhm.xiaomi.com%2Fwatch.do&_locale=en_US&response_type=code

and login to your Mi account.

Paste URL after redirection here.
https://hm.xiaomi.com/watch.do?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Token: ['XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX']
Logging in...
Logged in! User id: xxxxxxxxxx
Downloading AGPS_ALM...
Traceback (most recent call last):
  File "/Users/lacek/huami-token/huami_token.py", line 360, in <module>
    device.get_gps_data()
  File "/Users/lacek/huami-token/huami_token.py", line 237, in get_gps_data
    response.raise_for_status()
  File "/Users/lacek/miniconda3/envs/huami-token/lib/python3.9/site-packages/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://api-mifit-us2.huami.com/apps/com.huami.midong/fileTypes/AGPS_ALM/files

argrento commented 3 years ago

Hi. Just checked: cannot confirm this problem. Do you normally use the Zepp app or Mi Fit?

lacek commented 3 years ago

I am downloading A-GPS with huami-token because I use Notify & Fitness for Amazfit as a replacement for Zepp/Mi Fit. Haven't used Mi Fit since first setting up my watch, probably a year ago.

Anyway, I just installed Zepp and am able to log in with my Mi account and connect to my watch. So I would say it looks normal, at least for my account.

argrento commented 3 years ago

Sometimes one needs to log in to the Zepp app first with a Mi account. Try again now.

no5killz commented 3 years ago

Hi, I also get a 401 for this domain when trying to download the AGPS data, but using an Amazfit account.

The 401 response contains the following {'code': 0, 'message': 'invalid token', 'data': {'code': '0102'}}. However the get_wearables works and prints the wearables table as expected. Which seems strange to me as the token is the same as in get_gps_data. I also tried it after a login in the Zepp app but this changed nothing.

argrento commented 3 years ago

What countries do you live in, @no5killz and @lacek?

Try replacing in https://github.com/argrento/huami-token/blob/6efae231bff078a292e227e10538f792b1e4c791/urls.py#L31 com.huami.midong with com.xiaomi.hm.health.

no5killz commented 3 years ago

I tried this from Germany and via VPN from the Netherlands, Japan and the USA.

Changing the URL to 'agps': 'https://api-mifit-de2.huami.com/apps/api-mifit.huami.com/fileTypes/{pack_name}/files', lets me download the files again. I took the URL and host/apps part from the domains part of the login response. This also does not seem to change when using the VPN. However, it has worked before with the original URL.

Thank you very much for developing this tool and for the fast help!

lacek commented 3 years ago

@argrento I'm in Hong Kong. Tried combinations of (api-mifit-us2, api-mifit-de2, api-mifit-cn2) and (com.huami.midong, com.xiaomi.hm.health, api-mifit.huami.com) but all gave the same error.

At last it worked when I tried https://api-mifit.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files (removed -us2 from the subdomain).

Update:

Found the subdomain api-mifit-sg2 in Google so I gave it (https://api-mifit-sg2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files) a try and it worked too!

A conjecture would be that the APIs with geographical location suffixes (api-mifit-us2, api-mifit-de2, api-mifit-sg2 and api-mifit-cn2) are only accessible with IP addresses around that area while the one without suffix (api-mifit) is accessible around the globe. I don't have VPN access outside the country so I cannot verify it. Maybe someone else can give it a try.
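
The host and app-name trial and error described in this thread, written as an added example (not part of any comment here and not the project's own code). `fetch` is a hypothetical callable that performs the authenticated GET and returns `(status, body_text)`; the check that every host is a `huami.com` subdomain is an addition, so the token is never sent anywhere else.

```python
import json
from urllib.parse import urlsplit

# Hosts and app names quoted in this thread, in the order they are tried here.
HOSTS = ["api-mifit-us2.huami.com", "api-mifit-de2.huami.com",
         "api-mifit-sg2.huami.com", "api-mifit-cn2.huami.com",
         "api-mifit.huami.com"]
APPS = ["com.huami.midong", "com.xiaomi.hm.health", "api-mifit.huami.com"]
TEMPLATE = "https://{host}/apps/{app}/fileTypes/{pack_name}/files"


def candidate_urls(pack_name, hosts=HOSTS, apps=APPS):
    """Build every host/app combination, refusing hosts outside huami.com."""
    urls = []
    for host in hosts:
        url_host = urlsplit("https://" + host).hostname or ""
        if url_host != host.lower() or not url_host.endswith(".huami.com"):
            raise ValueError(f"refusing to send token to {host!r}")
        urls.extend(TEMPLATE.format(host=host, app=app, pack_name=pack_name)
                    for app in apps)
    return urls


def is_invalid_token(status, body):
    """True for a 401 whose JSON body says 'invalid token', as quoted in this thread."""
    if status != 401:
        return False
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get("message") == "invalid token"


def find_working_endpoint(pack_name, fetch, hosts=HOSTS, apps=APPS):
    """Return (url, rejected_urls); fetch(url) -> (status, body_text) is hypothetical."""
    rejected = []
    for url in candidate_urls(pack_name, hosts, apps):
        status, body = fetch(url)
        if status == 200:
            return url, rejected
        if not is_invalid_token(status, body):
            # Anything else (5xx, 403, a different 401) is not this issue: stop.
            raise RuntimeError(f"unexpected response {status} from {url}")
        rejected.append(url)
    return None, rejected
```
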

argrento commented 3 years ago

> APIs with geographical location suffixes are only accessible with IP addresses around that area

I do not think so, since I am from Russia and use the us2 server. I will check, probably the login server returns a suitable API address.

vigejolla commented 3 years ago

I'm also getting this now, from Finland. api-mifit.huami.com works.

piggz commented 3 years ago

Same here, in UK, above url works.

unundev commented 2 years ago

Thanks from Germany for this program that makes it possible to avoid Amazfit's spyware app! Just have a small problem:

I made accounts on amazfit.com/us and amazfit.com/de (apparently accounts are region-specific!), which I can log into with my browser, but when I use these credentials copied from Firefox in python3 huami_token.py -m amazfit -g -e copiedemail -p copiedpassword, there's the following error message:

Getting access token with amazfit login method...
Traceback (most recent call last):
  File "huami_token.py", line 352, in <module>
    device.get_access_token()
  File "huami_token.py", line 101, in get_access_token
    raise ValueError(f"Wrong E-mail or Password." \
ValueError: Wrong E-mail or Password.Error: ['401']

so I tried these
'agps': 'https://api-mifit-us2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files', (default)
'agps': 'https://api-mifit-us2.huami.com/apps/com.xiaomi.hm.health/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit-de2.huami.com/apps/api-mifit.huami.com/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit-de.huami.com/apps/api-mifit.huami.com/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit-sg2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files',
none of which make a difference.

Did they change something or am I doing something wrong?