search

audiconnect / audi_connect_ha

Adds an audi connect integration to home assistant
MIT License
237 stars 97 forks source link

invalid_client for refresh_token #131

Closed TA2k closed 2 years ago

TA2k commented 2 years ago

@t0bias-r I'm using your clientid and secret for a nodeJS based qmauth generation. For login the generation with clientId 55f755b0 is working but for grant_type "refresh_token" I receive a {"error":"invalid_client","error_description":"Client authentication failed"}

Is the refresh_token working for the HA implementation?

dateTime: 16473775
v1:55f755b0:2dc9c02e14c2c160f39bb85442d0a66018a957e529a3d372a2f6616d880e4043

Maybe the 4.6.1 has a new clientId Can you please provide the frida script or other hint to receive the clientId and secret from the apk?

t0bias-r commented 2 years ago

The refresh_token is working. For dateTime: 16473775 the result is d1d93982777c56ed2f0d07c4b66435e821fd69a771c3777e43c3cdc219819107. Your result is different, so this might be the problem. Check the secret here: audi_service.c,618

TA2k commented 2 years ago

Sorry this was a copy paste error hashes are matching 16475013 v1:55f755b0:5ba876732b3b3f771edd03e988cfd7d43610085397adcb1031520ec8a8242931

>>> gmtime_100sec = 16475013
>>> xqmauth_secret = bytes([55,24,256-56,256-96,256-72,256-110,57,256-87,3,256-86,256-41,256-103,33,256-30,99,103,81,125,256-39,256-39,71,18,256-107,256-112,256-120,256-12,256-104,89,103,113,256-128,256-91])
>>> xqmauth_val = hmac.new(xqmauth_secret, str(gmtime_100sec).encode("ascii", "ignore"), digestmod="sha256").hexdigest()
>>> print ("v1:55f755b0:" + xqmauth_val)
v1:55f755b0:5ba876732b3b3f771edd03e988cfd7d43610085397adcb1031520ec8a8242931
    "accept": "application/json",
    "content-type": "application/x-www-form-urlencoded",
    "accept-charset": "utf-8",
    "x-qmauth": "v1:55f755b0:d948de63dbd7ec52f6e0cd135d6061a332be9d3fae01bdead82df85a51669970",
    "user-agent": "myAudi-Android/4.6.0 (Build 800236847.2111261819) Android/11",
    "host": "idkproxy-service.apps.emea.vwapps.io",
    "content-length": 1508

client_id=f4d0934f-32bf-4ce4-b3c4-699a7049ad26%40apps_vw-dilab_com&
grant_type=refresh_token&
refresh_token=eyJraWQiO....&
response_type=token%20id_token

Strange why it is working for login but not for refresh.

But anyway a hint how you extract the secret would be helpful

t0bias-r commented 2 years ago

Maybe an issue with urlencode and the token data?

I use Frida to capture the calls to the cryto libs: frida-trace -U Gadget -j 'javax.crypto*!*'

TA2k commented 2 years ago

Incorrect qmauth would be forbidden client It was a misbehavior of the request client. Thanks anyway for your help

With trace I was not able to see the key I use this script

Java.perform(function () {
    // Class of the HMAC Implementation
    var Mac = Java.use("javax.crypto.Mac");
    // Whenever Mac.init(Key key); is called
    Mac.init.overload("java.security.Key").implementation = function (v) {
        var bArray = v.getEncoded();
        console.log(bArray);
        return this.init(v);
    };
});