Status: Closed (palmarci closed this issue 8 months ago)
I have checked the new login and concluded that the tokens are valid for 3000 seconds. I think the plan would be to store the token in the preferences (like the username here) and before requesting data from carelink we should check if the token is still valid or not. If not then maybe we could start a built-in web browser like the official app does and let the user enter his login parameters and complete the captcha. From the response we could extract the token and use it as we currently do. I saw that there is already a mechanism to update the token once authenticated. I could help implementing this, but I don't have the time currently nor the experience with Android development.
For me the official CareLink Connect app is still working and it has not asked me for any Captcha verification. So it looks like it uses a different API than the web app. Captcha verification every 3000s (50min) would be a PITA for any user. :smirk:
The official Carelink app sucks... that's why we are here, right? :) Maybe we can sniff traffic from the app to Carelink to see if the API is really different, or is there any other option on how to store the credentials/token.
Unbelievable... If all the effort they put into hindering third party access was redirected into actually making the Carelink app better, there would be no need for such a fight in the first place 😡 Is that so hard to understand?
They should move this bunch of interns who are "developing" Carelink to help the xDrip community instead and let the Carelink die. That could be somewhat beneficial to both apps.
Do you have any idea how to solve it?
That sounds promising. I will sniff the communication and check our possibilities. Thanks for the info.
Unfortunately, after the latest maintenance on the European servers my Carelink Mobile app did not start on its own. I had to log out and log in again in the app, and it did ask me to solve a captcha on the login form.
Now when submitting POST with credentials here:
There is a new field with the captcha response:
Hi, could we use the xdrip companion to solve this restriction? I was reading that it works. This evening I am going to try it. Or does someone know something better? Please excuse my English.
The companion app is working - I tried it now. However, not as much data is available as it was with Carelink Follower - you only see the current SG value, not active insulin, history etc.
Am I missing something? I cannot find the option Companion App in this version of xDrip.
You cannot find the companion source because it isn't in the xdrip carelink build, you have to install xdrip (latest release).
It's quite probable that the login URLs now want a captcha token as part of the payload.
I did find an interesting bit of code on how to retrieve this, but I'm no developer so clueless on how to integrate this.
I don't think we should be trying to bypass the captcha; implementing the login once and for all would be the most future-proof solution. Interesting idea though.
I agree, we should rather implement the same scheme as in Carelink app. That means:
Bypassing the captcha in any way would mean a constant fight with a tool that was designed specially for this purpose.
I have sniffed the communication of the old Guardian CGM app and the Carelink Connect app. The Connect app uses the same token-based authentication with the captcha; the old CGM app uses the V1 API with only an HTTP Basic Auth header. Sadly that old API is very limited, it has only about 4 calls. I have a feeling that it's hooked up to the same database though. The current code uses the new API, so downgrading it would not be a smart idea, considering that they can just drop the support for the old app/sensor. My current idea is to add a new "token" field to xDrip and enter my token manually from the web browser developer console.
I am using 23ccbd1-2023-071614. I am on update through beta channels, is there a specific date code that I need to update to, because I cannot get the companion app to work.
Thanks for all working on this!
Thank you for the Update benceszasz. I hope we can merge this soon into the official xdrip.
@CenGo86 this is just the first working prototype. For the official xdrip there are few things to do, for example to use reCAPTCHA browser login only for servers outside US, since in the US the reCAPTCHA is not required (yet?).
I have tested it. The Patient login works, my follower account doesn't work. The Captcha is coming, but still a login error. But with the Patient account it works. I hope this will help you. I'm in Germany.
EDIT: I tested again with the follower account and now it works. Don't know what I changed, but now it works.
US server upgrades are scheduled for 8 October, so I think you don't need to do a separation for US and EU. I guess they will add the reCaptcha feature also for the US. By the way, the last release is working fine with patient login and reCAPTCHA. Thank you so much. Köszönöm (thank you).
If it helps, I tried [v0.1.13-beta] and it works well in Spain. Thank you, guys, for the fast response.
Fantastic job. I am from Spain too and the app works well. Thank you very much, this app helps a lot.
What a clever way to overcome the obstacle! It has started to work straight away. Thank you, I am so impressed.
Update after 3 hrs: still working fine
During the 3hr test time, xdrip lost communication 2 times. The last message was "token is expired". I logged in again, and not only the reCAPTCHA "I'm not a robot" check but also the gallery captcha was necessary.
Hmm now I got this.
The next login restores the connection, so renewing the token is not automatic as expected. The token is valid for 1hr.
For me it works for several hours without re-logging in, but there are also some issues in the log:
Just trying to understand better this authentication mechanism.
The user logs in with user name and password and now also has to provide the reCAPTCHA token. If this is successful it will provide the client with the auth_tmp_token, which can be used for all subsequent requests until it expires. But it can be renewed before expiration using the patient/sso/reauth API endpoint. If this is done periodically the user does not have to log in again.
Is my understanding correct? Can auth_tmp_token be refreshed forever?
The user logs in with the patient username (in the xdrip app) and if they are a follower then with their name and password in the browser webpage.
This is my use case, I'm not the patient, so I log in through the browser as my username.
Currently, <1 hour after installing, it is working on my phone, but the xdrip data is not being sent to my Glance watchface on my Fitbit, which is my main use case, and was working great before this captcha. I understand this is a separate issue outside the scope of this great work, and thanks again!!!
Edit: just set xdrip up as a web server as per the Glance instructions and I'm currently awaiting my token getting refreshed or not. Fingers crossed!
Hello everyone!
Unfortunately, after today's planned maintenance update on September 28, 2023, Medtronic has implemented Google Captcha checks during login. This change has completely disrupted our ability to retrieve data.
Interestingly, a few days prior to this update, my IP address was firewall-blocked. I conducted traceroutes from multiple addresses within the same subnet (and from other ranges too), and it was evident that my packets were being dropped by the BGP router at the Medtronic AS, starting from my original IP address.
Finding a way to bypass this restriction should not be too difficult, especially since there have been no new app updates (at least not yet).
Personally, I believe this could be a deliberate attempt to hinder third-party apps. :(
I am so happy with the effort and time you put into this. The recurring errors at carelink become very frustrating. Thanks again and hopefully it will be fixed soon. I wish I could help.
For most of the day it worked fine, but became unstable after several hours.
At some point calls to renew the token completely stopped appearing in the log. I had to re-login to get new BG readings, but that did not cause token renewals to start again. It happened several times. After killing and restarting xDrip, then logging in, it came back to life.
There are many CareLink login errors, mostly with 200 and a few 401 codes, and some "Error renewing token" messages.
To clarify this behavior I will be testing the follower on 3 devices simultaneously. I just restarted the device to have a clean start, and tomorrow hopefully I'll post the log; maybe there are some patterns.
For now, one unusual thing I spotted:
This is the only error with some additional error message.
I've had six hours of renewals, so hopefully this continues.
Thanks again!
I restarted the device at 23:39 and logged in to carelink at about 23:40, and everything worked for about 1:30h, with the last received BG value at 01:07.
This is the start:
First errors at 0:10:
They repeated at 0:44 and 1:00.
There was nothing special at 1:07 when BGs stopped appearing, but at 1:15 the token renewal errors started:
Failed renewals continued for several hours, every single minute, up to now. There were no more BGs transferred, and no more login attempts visible in the log.
I logged in to carelink exactly at 8:00 again and it started getting data after a while:
Is there any way to get more verbose logging? Some request/response details or content?
-> Failed renewals continued for several hours every single minute up to now. There were no more BGs transferred, and no more login attempts visible in the log.
I'm happy to report that for me xdrip-carelink.apk v0.1.13-beta has been working without interruptions for around 24 hours now on Samsung Galaxy S21+ and S20FE phones using Android 13 and the Carelink EU server, country = Estonia. Grace Period = 30 sec. The phones are using WIFI and LTE, so they should have an internet connection available like 99% of the time, making it possible for xdrip to renew the token automatically (see log below).
Br, Ajut
CareLinkFollowDL log (newest entry first):
16:42 Token renewed!
16:42 Token is about to expire, trying to renew it.
15:07 Token renewed!
15:07 Token is about to expire, trying to renew it.
13:37 Token renewed!
13:37 Token is about to expire, trying to renew it.
12:07 Token renewed!
12:07 Token is about to expire, trying to renew it.
10:37 Token renewed!
10:37 Token is about to expire, trying to renew it.
09:07 Token renewed!
09:07 Token is about to expire, trying to renew it.
07:32 Token renewed!
07:32 Token is about to expire, trying to renew it.
06:02 Token renewed!
06:02 Token is about to expire, trying to renew it.
04:32 Token renewed!
04:32 Token is about to expire, trying to renew it.
03:02 Token renewed!
03:02 Token is about to expire, trying to renew it.
01:32 Token renewed!
01:32 Token is about to expire, trying to renew it.
23:58 Token renewed!
@ondrej1024 Yes, that is the logic: login by user, keep and use the token, refresh the token in the background automatically and store the new token. And yes, refreshing the token should be possible forever. FYI: I have started today some stability tests with 8 accounts on two devices using variants with a stable internet connection, using almost all kinds of accounts (780G/Guardian CGM, EU/US, patient/follower/follower with multiple patients), and all of them are still working. But there is still a lot to test and a lot to enhance in the program code and logic.
@palmarci Could you share more details about the login and token refresh communication of the CareLink Connect and Guardian CGM apps? It seems to me that these apps can work forever even if not connected to CareLink, thus they can renew their tokens/logins even after expiration (?). The refreshing (or maybe even the initial obtaining) of the token is a very weak point in the current CareLink authenticator logic.
Thanks for confirming. Now I have run some tests with my own code and here I always get a token which expires after 40 min (I wonder how the expiration time is chosen on the server). However, trying to renew the token 10 min before it expires results in a 401 response. Instead renewing it after 10 min is working. This seems really odd.
I believe my stability issues are connected with the pump frequently being out of the base phone's BT range.
Besides that, both the base and follower phones have stable internet connections all the time.
@ondrej1024 Actually this token renewal is still new for me too. I was too lazy to implement it earlier, because re-login always worked in the past :) I am also trying to figure out the rules of token renewal now. Currently the token renewal was just quickly added to the constantly repeated data update service: before requesting new data, if the token will expire in 7 mins, then first a new token is acquired. The reason for 5 mins is the 5 min CGM data cycle + safety time.... no comment ... as I wrote before, this is just a quick and dirty first version.
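The login / keep-token / renew-before-expiry logic described in the two comments above, as an added example (not xDrip or CareLink Follower code, which is Java). It assumes the renewal call is an injected callable that returns a new token or None on a 401, and it adds one thing the thread's failure reports motivate: after repeated failed renewals, or once the token has actually expired, it stops calling reauth and signals that the user must log in through the browser again.

```python
"""Token lifecycle helper modelling the flow discussed in this thread.
Constants are taken from the comments above (5 min CGM data cycle, renew
when less than 7 min remain); MAX_RENEW_FAILURES is an assumption."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

DATA_CYCLE_SEC = 5 * 60        # CGM data arrives every 5 minutes
RENEW_WINDOW_SEC = 7 * 60      # renew if the token expires within 7 minutes
MAX_RENEW_FAILURES = 3         # assumed cap: stop retrying reauth, ask for login


@dataclass
class Token:
    value: str                 # the auth_tmp_token value
    expires_at: float          # unix seconds


@dataclass
class TokenManager:
    # renew(old_token) -> new Token, or None when reauth answers 401 / fails
    renew: Callable[[str], Optional[Token]]
    now: Callable[[], float] = time.time
    token: Optional[Token] = None
    renew_failures: int = 0
    needs_login: bool = True

    def on_login(self, token: Token) -> None:
        """Store a token obtained via the browser (reCAPTCHA) login."""
        self.token = token
        self.renew_failures = 0
        self.needs_login = False

    def seconds_left(self) -> float:
        return self.token.expires_at - self.now() if self.token else 0.0

    def prepare_for_request(self) -> Optional[str]:
        """Run before every data request. Returns a usable token value, or
        None when the user must log in again through the browser."""
        if self.token is None or self.needs_login:
            self.needs_login = True
            return None
        if self.seconds_left() > RENEW_WINDOW_SEC:
            return self.token.value          # still fresh, no reauth needed
        new = self.renew(self.token.value)   # inside the window: try reauth
        if new is not None:
            self.on_login(new)               # same bookkeeping as a fresh login
            return new.value
        self.renew_failures += 1
        # Expired, or reauth keeps failing: do not hammer the endpoint every
        # cycle (the "failed renewals every minute" pattern); require a login.
        if self.seconds_left() <= 0 or self.renew_failures >= MAX_RENEW_FAILURES:
            self.needs_login = True
            return None
        return self.token.value              # still valid, retry next cycle
```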
I could only sniff the login requests sadly, because I don't have an old sensor working with the Guardian CGM. The Connect app uses the same Captcha-protected login page. If you are interested in the old app I can send you the patched version and could help you with setting up the man-in-the-middle stuff. In my opinion the old API is very limited though, and it does not even use API tokens, just plain old HTTP basic authentication.
@palmarci I have old sensors, so I can test it. Connect app's communication could be also very interesting, mostly because it can somehow survive with the original login (token) and connect to CareLink even after a very long time, when normally the tokens are already expired.
Googling about tokens I found there are different types of tokens. Probably the token which is used on the Carelink web site is an "ID token" which can be refreshed before it expires. The Connect app instead might use a special "Refresh token" which can be used to get a new "ID token" even after it has expired.
Could you send me a link or an email where I could send the infos?
@palmarci carelinkfollower at gmail :)
New version released: https://github.com/benceszasz/xDripCareLinkFollower/releases/tag/v0.1.14-beta
It works perfectly for me. Thanks!!
CareLink Follower with reCAPTCHA using browser login was merged into the official xDrip version yesterday (08/10/2023). The latest official xDrip release already contains this new version of CareLink Follower with reCAPTCHA using browser login: https://github.com/NightscoutFoundation/xDrip/releases/tag/2023.10.08 Please try to use a dedicated CareLink Care Partner account for xDrip to avoid closing your xDrip session by logging in with the same account from either the CareLink Personal website or a Medtronic official app.
It would be great if we could find out how the Carelink Connect app authenticates without asking again for manual login after the temporary auth token is expired. Can anyone provide a trace of the messages exchanged between the app and the Carelink cloud server when the app is launched?