New Google Captcha at login breaks everything

[palmarci]

Hello everyone!

Unfortunately, after today's planned maintenance update on September 28, 2023, Medtronic has implemented Google Captcha checks during login. This change has completely disrupted our ability to retrieve data.

Interestingly, a few days prior to this update, my IP address was firewall-blocked. I conducted traceroutes from multiple addresses within the same subnet (and from other ranges too), and it was evident that my packets were being dropped by the BGP router at the Medtronic AS, starting from my original IP address.

Finding a way to bypass this restriction should not be too difficult, especially since there have been no new app updates (at least not yet).

Personally, I believe this could be a deliberate attempt to hinder third-party apps. :(

[kukuchta]

I tried for several days to setup an Android emulator on my PC for sniffing purposes, but there are several issues. To sniff data, it is possible to use local sniffing proxy like HTTP Tools. That said:

• Proxies are great for http, and for sniffing our own apps (where you can modify code). Carelink uses encrypted https channel, and cannot be edited to bypass certificate check.

• Android image has to be rooted, so it is possible to inject the proxy's certificate to system certificate store. Since Android 7 it is not possible without root.

• For Carelink app to run it is required to have installed all the Google Play Services components.

• All Android emulator images that are provided in Android Studio or Visual Studio, and have Google Play Services integrated (aka. production images) are locked, unrootable.

• There is a long and hard way to install Google Play Services on emulator using Open GApps project, but I haven't succeeded yet. This project is targeted rather on installing services on physical phone using recovery mode etc.

• It is possible to put the Google Play Services together by installing single components from apkmirror, but there are maaaany version incompatibility issues slong the way.

• There is also the Genymotion site, free for personal use, providing its own set of Android emulators. They are rooted by default and provide one-click option to install Open GApps. But then I ran into another problem. All those emulators are x86 architecture, and only Carelink.apk i found at the apkpure.com are for arm processors.

After a week it started to make me angry, so i had to rest for a while, but I plan to get to this again😁

Do any of you could share any other experience with https sniffing?

[tloczekt]

I am using bluestack 5 Android emulation for run xdrip successfully under Windows computer, but I couldn't run Carelink app on it either.

[palmarci]

I have been reverse engineering the Carelink apps and I made good progress with the login, but there are still a few things to sort out. For anyone who is interested: https://gist.github.com/palmarci/0a572af6818a4c14d6fb4c2eab41c732 https://gist.github.com/palmarci/8390a9713bc54d4d34de076078f570f0

[palmarci]

I tried for several days to setup an Android emulator on my PC for sniffing purposes, but there are several issues. To sniff data, it is possible to use local sniffing proxy like HTTP Tools. That said:

• Proxies are great for http, and for sniffing our own apps (where you can modify code). Carelink uses encrypted https channel, and cannot be edited to bypass certificate check.
• Android image has to be rooted, so it is possible to inject the proxy's certificate to system certificate store. Since Android 7 it is not possible without root.
• For Carelink app to run it is required to have installed all the Google Play Services components.
• All Android emulator images that are provided in Android Studio or Visual Studio, and have Google Play Services integrated (aka. production images) are locked, unrootable.
• There is a long and hard way to install Google Play Services on emulator using Open GApps project, but I haven't succeeded yet. This project is targeted rather on installing services on physical phone using recovery mode etc.
• It is possible to put the Google Play Services together by installing single components from apkmirror, but there are maaaany version incompatibility issues slong the way.
• There is also the Genymotion site, free for personal use, providing its own set of Android emulators. They are rooted by default and provide one-click option to install Open GApps. But then I ran into another problem. All those emulators are x86 architecture, and only Carelink.apk i found at the apkpure.com are for arm processors.

After a week it started to make me angry, so i had to rest for a while, but I plan to get to this again😁

Do any of you could share any other experience with https sniffing?

I used a rooted LineageOs phone with Magisk and SafetyNet fix, and I set Magisk to be hidden for the Medtronic app(s). Check the links above for more info. For the sniffing I used mitmproxy. A few Medtronic apps use SSL pinning, I manually patched those apks. :)

[ondrej1024]

I have been reverse engineering the Carelink apps and I made good progress with the login, but there are still a few things to sort out. For anyone who is interested: https://gist.github.com/palmarci/0a572af6818a4c14d6fb4c2eab41c732 https://gist.github.com/palmarci/8390a9713bc54d4d34de076078f570f0

@palmarci That looks very interesting. Did you actually get the login to work using these APIs I see in your code? Do you know how to get the refresh token?

[palmarci]

I have been reverse engineering the Carelink apps and I made good progress with the login, but there are still a few things to sort out. For anyone who is interested: https://gist.github.com/palmarci/0a572af6818a4c14d6fb4c2eab41c732 https://gist.github.com/palmarci/8390a9713bc54d4d34de076078f570f0

@palmarci That looks very interesting. Did you actually get the login to work using these APIs I see in your code? Do you know how to get the refresh token?

Not yet, its still a work in progress. I did not wait long enough to have a refresh token request while sniffing the traffic. If i can get the certificate signing request to work, i will do that aswell.

[palmarci]

Ladies and gents, I have fully reversed the new login for the new API. https://gist.github.com/palmarci/0a572af6818a4c14d6fb4c2eab41c732 Currently we can retrive a token and a refresh token. My plan is to refactor the code and build a complete python library for it with example api calls and everything. :)

[wtt604]

I know this probably isn't the best place to discuss this since I don't think it's specifically a follower issue, but is anyone else having issues with carelink for the past 5 hours? Starting a 8am PST? I have been unable to log into carelink on my phone since that time, and have therefore been unable to get the data to xdrip.

Thanks again for everyones great work on this!

[CenGo86]

Generally not with the login, but with token renew. Then I have to log in again and it works again.

I know this probably isn't the best place to discuss this since I don't think it's specifically a follower issue, but is anyone else having issues with carelink for the past 5 hours? Starting a 8am PST? I have been unable to log into carelink on my phone since that time, and have therefore been unable to get the data to xdrip.

Thanks again for everyones great work on this!

[palmarci]

Generally not with the login, but with token renew. Then I have to log in again and it works again.

I know this probably isn't the best place to discuss this since I don't think it's specifically a follower issue, but is anyone else having issues with carelink for the past 5 hours? Starting a 8am PST? I have been unable to log into carelink on my phone since that time, and have therefore been unable to get the data to xdrip. Thanks again for everyones great work on this!

Yes, Im experiencing with the same thing for the past day or so.

[wtt604]

I wasn't getting a notification that I was logged out... I was in the middle of upgrading my phone to Android 14, it then said I wasn't logged in, I logged in and it's working again, both carelink and xdrip!

@palmarci

[wtt604]

I'm currently on the c6b15c5-2023.10.08 version are there newer versions that give me more stable tokens through the captcha?

[palmarci]

yes there are! a wonderful job has been done re-implementing the app's login procedure, so except a new version released soon. in fact im already testing out that version but to be honest there is not a thing to test - it just works

[wtt604]

ok, thanks, so there is no point updating to the latest one available right now? I should wait for this next release?

[wtt604]

Are there more testers needed, hint hint!

[benceszasz]

Pull request for the authentication process of the CarePartner app (CareLink Connect) has been submitted, approved and merged, it will be included in the next release: https://github.com/NightscoutFoundation/xDrip/pull/3210 This version is based on the authentication process of the official mobile app, which was extracted by @palmarci.

[wtt604]

Thank you very much for your work, this is a placeholder for me, I installed the nightly version just now, let's see how long the app stays logged in!

Thanks again @palmarci and @benceszasz

[benceszasz]

@wtt604 check CareLink Follow statuspage in System Status

[wtt604]

@wtt604 check CareLink Follow statuspage in System Status

I got this error which has stopped reporting values today

This "Access expired" is a new error for me.

[wtt604]

When I try to "login with browser" it says "Login Completed!" without me doing anything, but I still don't get to read the BG

[wtt604]

I rebooted my phone and it now seems to work, which seems a bit of a strong method to resolve the issue. Let me know if I can be of any help

[benceszasz]

@wtt604 are you using a dedicated carepartner account in xDrip, which you don't use in CareLink Connect or in another xDrip on a different phone?

[wtt604]

@benceszasz no, it's the same one as the carelink connect.

I assume that there is some problem with that.

[benceszasz]

@wtt604 you have to use a dedicated account or you will get logged out. I have written it in the pull request:

The user account restriction applies to this authentication process as well: a different dedicated follower account must be used in every app, otherwise the previous auth token will be revoked.

Limitations When the same account is logged in from another xdrip or official mobile application the previous login will be closed (authetication token is revoked). A different dedicated follower account must be used in every official and xdrip app, otherwise the previous auth token will be revoked.

Create a new carepartner account in CareLink Personal, request follow in CareLink Personal for the patient account and use this new CarePartner account in xDrip.

[wtt604]

I will do that later today, thanks again for all your work!

[benceszasz]

Problem was solved, no reason to keep it open.