bimmerconnected / bimmer_connected

🚘 Library to query the status of your BMW or Mini from the ConnectedDrive portal
Apache License 2.0
389 stars 81 forks source link

China regon login issue #428

Closed Yixi closed 2 years ago

Yixi commented 2 years ago

Describe the issue

Home assistant BMW login has error from these days:

Authentication error: {"data":null,"code":499100,"error":true,"msgType":"toast","description":"请前往应用市场获取最新版本"} 08:44:28 – (ERROR) /usr/local/lib/python3.9/site-packages/bimmer_connected/api/utils.py

the "请前往应用市场获取最新版本" means "Please go to the App Market for the latest version"

Expected behavior

login success

Which Home Assistant version are you using?

2022.3.8

What was the last working version of Home Assistant Core?

2022.3.8

What is your region?

China

ConnectedDrive website

Number of cars

Output of bimmer_connected fingerprint

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

nichwang88 commented 2 years ago

Same issue. HA version 2022.4.6.

Logger: bimmer_connected.account
Source: /usr/local/lib/python3.9/site-packages/bimmer_connected/account.py:268 
First occurred: 07:19:50 (103 occurrences) 
Last logged: 09:32:35

Authentication failed (True): 请前往应用市场获取最新版本
Logger: bimmer_connected.account
Source: /usr/local/lib/python3.9/site-packages/bimmer_connected/account.py:112 
First occurred: 07:19:50 (103 occurrences) 
Last logged: 09:32:35

422 Client Error: Unprocessable Entity for url: https://myprofile.bmw.com.cn/eadrax-coas/v1/login/pwd
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/bimmer_connected/account.py", line 101, in _get_oauth_token
    token_data = self._login_china()
  File "/usr/local/lib/python3.9/site-packages/bimmer_connected/account.py", line 271, in _login_china
    raise ex
  File "/usr/local/lib/python3.9/site-packages/bimmer_connected/account.py", line 252, in _login_china
    response.raise_for_status()
  File "/usr/local/lib/python3.9/site-packages/requests/models.py", line 960, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 422 Client Error: Unprocessable Entity for url: https://myprofile.bmw.com.cn/eadrax-coas/v1/login/pwd
rikroe commented 2 years ago

Hi, thanks for the report!

This was fixed in #426 (and released with bimmer_connected==0.8.12).

It is not yet included in Home Assistant (https://github.com/home-assistant/core/pull/70374). If you want it fixed immediately, please check our custom component, but beware that this includes some breaking changes right now.

Yixi commented 2 years ago

I update the last vesison of https://github.com/bimmerconnected/ha_custom_component with HACS, still can not login, same issue.

It seem the ha_custom_component use the bimmer_connected==0.9.0.0b6 still have this issue?

Yixi commented 2 years ago

I edit the the /usr/local/lib/python3.9/site-packages/bimmer_connected/const.py from X_USER_AGENT = 'android(v1.07_20200330);{};1.7.0(11152)' to X_USER_AGENT = 'android(v1.07_20200330);{};2.3.0(13603)' in homeassistant docker with HAOS for temporary fix

rikroe commented 2 years ago

Sorry, forgot to release a custom component for this fix. Please try 20220427.1 with 0.9.0b8.

If you're not using the custom component, it will be included in HA 2022.5.

Yixi commented 2 years ago

OH no, the same issue comes again, with last version of customer component which X_USER_AGENT is 'android(v1.07_20200330);{};2.3.0(13603)', start 8 hours ago..

muxiachuixue commented 2 years ago

OH no, the same issue comes again, with last version of customer component which X_USER_AGENT is 'android(v1.07_20200330);{};2.3.0(13603)', start 8 hours ago..

Same to me. It seems that BMW has changed the API checking the app version. Data capture from MyBMW app will be needed.

rikroe commented 2 years ago

I can have a look and try logging in with my dummy account when I'm back from vacation.

If you want to try to capture the traffic before, follow https://bimmer-connected.readthedocs.io/en/latest/development/reverse_engineering_mybmw.html

muxiachuixue commented 2 years ago

I can have a look and try logging in with my dummy account when I'm back from vacation.

If you want to try to capture the traffic before, follow https://bimmer-connected.readthedocs.io/en/latest/development/reverse_engineering_mybmw.html

I have captured the traffic half year ago. But I am not sure if the new version of MyBMW app could be installed on my outdated iPhone 6s (IOS13). Too busy these days...May try when I have time. BTW, enjoy your vacation.

Update: MyBMW app requires IOS14 to install the newest version. The old version on IOS13 of my iPhone 6s does not allow me to login. So I have to update my 6s to IOS14 and jail break again...That sounds not good. So I am waiting for your solution. If you need a BMW account in China, you can take mine. Many thanks.

Yixi commented 2 years ago

I have iphone11 and live in China, maybe I can try Intercepting Flutter traffic on iOS , yesterday I tried use Charles tracking MyBMW package, but faild, only get a encoding network traffic

muxiachuixue commented 2 years ago

I have iphone11 and live in China, maybe I can try Intercepting Flutter traffic on iOS , yesterday I tried use Charles tracking MyBMW package, but faild, only get a encoding network traffic

If your iPhone 11 is on IOS14, you need first jail break it. MyBMW is written in Flutter, so you should block the ssl verification using Frida and a VPN is needed.

HuChundong commented 2 years ago

I have iphone11 and live in China, maybe I can try Intercepting Flutter traffic on iOS , yesterday I tried use Charles tracking MyBMW package, but faild, only get a encoding network traffic

If your iPhone 11 is on IOS14, you need first jail break it. MyBMW is written in Flutter, so you should block the ssl verification using Frida and a VPN is needed.

frida script to hook flutter need some change. the flutter framework could not hook.

Yixi commented 2 years ago

My iPhone is the latest version of ios,can't jail break. I use shadowrocket to proxy all request to Charles, I can see the https://myprofile.bmw.com.cn request, but I can't solve the problem with ssl verification, even the ios installed the Charles certifacate

image

rikroe commented 2 years ago

You probably don't have to install your root CA to iOS, as all requests are done by the app itself. And the app (build Wir the Flutter framework) doesn't respect the system root CA or the system proxy - that's why you have to be jailbreaked to inject the disabling of SSL into the app while it is running.

rikroe commented 2 years ago

@HuChundong wrote:

frida script to hook flutter need some change. the flutter framework could not hook.

Strange, for me the exact frida hook from the manual works for MyBMW 2.3.0 on Android.

rikroe commented 2 years ago

Ok, I got a step further (but it isn't solved yet).

First change: The AUTH_CHINA_LOGIN_URL has changed to /eadrax-coas/v2/login/pwd (notice v2 instead of v1).

Second change: In the request to login/pwd, one must also include a x-login-nonce header that changes with every call. Some examples:

tLUZm8Yv2xzPoP1fkIxOyr+pC0D9DwsZDdbXMjEUjtRATFlWITSvRylaM/m2OBfM
tLUZm8Yv2xzPoP1fkIxOyohcY8Vw6erdU0FOBpO7l383nX0fhEC23E5OeuAGH/QV
tLUZm8Yv2xzPoP1fkIxOykL8PsklT+omBxsLnPl1Sywd+ZpO7UlOOBzs7PoQ+P/C
tLUZm8Yv2xzPoP1fkIxOykZDYbRlRNGwnoJrt7Ax+NXZDYYt3ugBzvkk1W9YFj6h
tLUZm8Yv2xzPoP1fkIxOyiDhVu+Rw/EZbw0LrNpepAodf79vo9/dD2OvBrSg5qez

Before each of these calls, the /publickey endpoint is called, so it might have something to do with it. However it cannot be plain RSA encryption, as that would lead to totally different results (and not have results where the first 21 characters stay the same).

Things to note:

I was not able to see any exchange for the nonce except during POST to login/pwd.

Do you guys have any ideas?

muxiachuixue commented 2 years ago

Ok, I got a step further (but it isn't solved yet).

First change: The AUTH_CHINA_LOGIN_URL has changed to /eadrax-coas/v2/login/pwd (notice v2 instead of v1).

Second change: In the request to login/pwd, one must also include a x-login-nonce header that changes with every call. Some examples:

tLUZm8Yv2xzPoP1fkIxOyr+pC0D9DwsZDdbXMjEUjtRATFlWITSvRylaM/m2OBfM
tLUZm8Yv2xzPoP1fkIxOyohcY8Vw6erdU0FOBpO7l383nX0fhEC23E5OeuAGH/QV
tLUZm8Yv2xzPoP1fkIxOykL8PsklT+omBxsLnPl1Sywd+ZpO7UlOOBzs7PoQ+P/C
tLUZm8Yv2xzPoP1fkIxOykZDYbRlRNGwnoJrt7Ax+NXZDYYt3ugBzvkk1W9YFj6h
tLUZm8Yv2xzPoP1fkIxOyiDhVu+Rw/EZbw0LrNpepAodf79vo9/dD2OvBrSg5qez

Before each of these calls, the /publickey endpoint is called, so it might have something to do with it. However it cannot be plain RSA encryption, as that would lead to totally different results (and not have results where the first 21 characters stay the same).

Things to note:

  • while these x-login-nonce values can be used interchangeably, they seem to expire at some point (30 - 60 minutes). Maybe the hash includes a timestamp?
  • The first part (tLUZm8Yv2xzPoP1fkIxOy) stayed the same for me even after all data for the app was deleted, so it might be computed based on username ~/password~? It is computed based on the username - if I change one part of the number to something different, the first part is a totally different hash.

I was not able to see any exchange for the nonce except during POST to login/pwd.

Do you guys have any ideas?

Can these links help? https://en.wikipedia.org/wiki/Cryptographic_nonce https://stackoverflow.com/questions/24977352/should-nonces-be-used-during-log-in https://wordpress.org/support/topic/ajax-login-nonce-creation/ https://stackoverflow.com/questions/46565162/wordpress-auth-nonces-ajax-no-templating-cookie-nonce-is-invalid?rq=1

rikroe commented 2 years ago

Unfortunately, they didn't help that much - they all expect the nonce to be generated on the server, not the client (which I don't see in the data). I've put my full capture into a private team where you have been invited as well so we can discuss it there (don't want to share the login information too publicly ;) )

HuChundong commented 2 years ago

Unfortunately, they didn't help that much - they all expect the nonce to be generated on the server, not the client (which I don't see in the data). I've put my full capture into a private team where you have been invited as well so we can discuss it there (don't want to share the login information too publicly ;) )

sms login still use v1 api. it can work. the nonce include phonenumber and timestamp and maybe use aes. i have dump MyBMW's functions, there's some class name like 'AES-enc'

rikroe commented 2 years ago

AES encryption could make sense, but what would be the key? It would have to be something both client and server know without having it exchanged previously?

HuChundong commented 2 years ago

AES encryption could make sense, but what would be the key? It would have to be something both client and server know without having it exchanged previously?

the key Hard coded there. we need to do some Reverse engineering. at this moment, i use my android phone as a server to create the login nonce but drop the request. rebuild the flutter engine to let the app provide the key itself could be a choice and this job is in progress.

muxiachuixue commented 2 years ago

I have tried the SMS API. It successfully returned the tokens. So, as also mentioned by @HuChundong, this maybe the temporary solution if BMW has not encrypted this API:

  1. Use the SMS API to get the refresh token, and store. The refresh token can be valid for more than 24 hours.
  2. Use the refresh token to obtain the access token and store the new refresh token.
  3. If the new refresh token fails to get the access token, ask the user to input the SMS code.

Since the BMW integration in HA updates every 5-10 minutes, the refresh token will never expires unless the user changes the password or something unpredictable happens.

HuChundong commented 2 years ago

I have completed the reverse engineering of the algorithm and will provide APIs for third-party calls in the future. In view of the plagiarism of https://github.com/opp100/bmw-scriptable-widgets, I will not opensource the code

The AES Key is S2Tw10vQ1***

rikroe commented 2 years ago

Very cool, congratulations! And at the same time very sad that you decide not to publish due to apparently some bad experiences. I sure hope we all can at some point benefit from your knowledge and skill and that you at some point decide to open-source it.

Would you be fine with elaborating a little bit how you got to this point? I tried searching in both the decomiled APK and in libapp.so for the string you mentioned, but didn't find it (or I am decompiling it wrongly - don't have much experience here). Or do I have to do this at runtime, i.e. understanding more how e.g. frida works and printing the information from there?

I would happily discuss this in private with you, if you prefer that.

@muxiachuixue yes, SMS would be another option. However this would need some bigger changes to the library (as you have order the SMS first and then do the login) and to Home Assistant (probably a somehow separate Config Flow?). Could you provide me with the URLs and payloads that are needed for this?

I will anyways try to figure out how to use refesh_token instead of logging in again every 60 minutes.

muxiachuixue commented 2 years ago

Very cool, congratulations! And at the same time very sad that you decide not to publish due to apparently some bad experiences. I sure hope we all can at some point benefit from your knowledge and skill and that you at some point decide to open-source it.

Would you be fine with elaborating a little bit how you got to this point? I tried searching in both the decomiled APK and in libapp.so for the string you mentioned, but didn't find it (or I am decompiling it wrongly - don't have much experience here). Or do I have to do this at runtime, i.e. understanding more how e.g. frida works and printing the information from there?

I would happily discuss this in private with you, if you prefer that.

@muxiachuixue yes, SMS would be another option. However this would need some bigger changes to the library (as you have order the SMS first and then do the login) and to Home Assistant (probably a somehow separate Config Flow?). Could you provide me with the URLs and payloads that are needed for this?

I will anyways try to figure out how to use refesh_token instead of logging in again every 60 minutes.

Give me an email address and I will send you the traffic file of SMS login from Charles. Please do not public the username or any other private information in the file. The API of obtaining access_token from refresh_token can be found in the traffic data you have posted in the bimmerconnected team.

HuChundong commented 2 years ago

Very cool, congratulations! And at the same time very sad that you decide not to publish due to apparently some bad experiences. I sure hope we all can at some point benefit from your knowledge and skill and that you at some point decide to open-source it.

Would you be fine with elaborating a little bit how you got to this point? I tried searching in both the decomiled APK and in libapp.so for the string you mentioned, but didn't find it (or I am decompiling it wrongly - don't have much experience here). Or do I have to do this at runtime, i.e. understanding more how e.g. frida works and printing the information from there?

I would happily discuss this in private with you, if you prefer that.

@muxiachuixue yes, SMS would be another option. However this would need some bigger changes to the library (as you have order the SMS first and then do the login) and to Home Assistant (probably a somehow separate Config Flow?). Could you provide me with the URLs and payloads that are needed for this?

I will anyways try to figure out how to use refesh_token instead of logging in again every 60 minutes.

use this api to get new access token without login again

curl --location --request POST 'https://myprofile.bmw.com.cn/eadrax-coas/v1/oauth/token' \ --header 'user-agent: Dart/2.13 (dart:io)' \ --header 'demo-mode-active: false' \ --header 'x-user-agent: android(mk_hammerhead-userdebug 6.0.1 mob30m 6880f67031 test-keys);bmw;2.1.0(12082)' \ --header 'Accept-Encoding: gzip, deflate' \ --header 'x-correlation-id: a0f3f1d0-edad-4554-8447-5b36fe72b8fe' \ --header 'content-type: application/x-www-form-urlencoded; charset=utf-8' \ --header 'bmw-session-id: 157736f9-d0a1-45fe-a6e5-90dcd6244fd7' \ --header 'bmw-correlation-id: a0f3f1d0-edad-4554-8447-5b36fe72b8fe' \ --header 'ocp-apim-subscription-key;' \ --header 'accept-language: zh-CN' \ --header 'Content-Length: 274' \ --header 'x-raw-locale: zh-CN' \ --header 'host: myprofile.bmw.com.cn' \ --header 'x-cluster-use-mock: never' \ --header '24-hour-format: false' \ --header 'Connection: close' \ --data-raw 'grant_type=refresh_token&refresh_token=get from login '

HuChundong commented 2 years ago

Very cool, congratulations! And at the same time very sad that you decide not to publish due to apparently some bad experiences. I sure hope we all can at some point benefit from your knowledge and skill and that you at some point decide to open-source it.

Would you be fine with elaborating a little bit how you got to this point? I tried searching in both the decomiled APK and in libapp.so for the string you mentioned, but didn't find it (or I am decompiling it wrongly - don't have much experience here). Or do I have to do this at runtime, i.e. understanding more how e.g. frida works and printing the information from there?

I would happily discuss this in private with you, if you prefer that.

@muxiachuixue yes, SMS would be another option. However this would need some bigger changes to the library (as you have order the SMS first and then do the login) and to Home Assistant (probably a somehow separate Config Flow?). Could you provide me with the URLs and payloads that are needed for this?

I will anyways try to figure out how to use refesh_token instead of logging in again every 60 minutes.

sms login is not a good idea. for BMW, send sms will produce cost, what's more, some one may use this api to send spam messages. in my opinion,it's not safe to open source sms login api even though it has Graphic validation guard

rikroe commented 2 years ago

@HuChundong you might be right with not making it too public. Also, if it uses a captcha then we won't be able to use it decently anyhow. @muxiachuixue maybe for now we skip on SMS verification

I will implement the refresh_token but I'm still stuck regarding the password-login nonce.

muxiachuixue commented 2 years ago

@HuChundong you might be right with not making it too public. Also, if it uses a captcha then we won't be able to use it decently anyhow. @muxiachuixue maybe for now we skip on SMS verification

I will implement the refresh_token but I'm still stuck regarding the password-login nonce.

You need first login with password or SMS code to get the refresh token. You can not skip both of the x-login-nonce and SMS code to get access to MyBMW.

rikroe commented 2 years ago

Please send me your capture to rikro@gmx.net. However I would much more like to implement/adjust the existing password flow.

However I won't be able to have a look and retry debugging the MyBMW app in the coming days...

muxiachuixue commented 2 years ago

Please send me your capture to rikro@gmx.net. However I would much more like to implement/adjust the existing password flow.

However I won't be able to have a look and retry debugging the MyBMW app in the coming days...

Sent. Please be careful with the private information.

muxiachuixue commented 2 years ago

Hi @rikroe Would you please update the integration in HA to use the refresh token to get access token and store the new refresh token to a cache file. So if I input the refresh token into the cache file, I can use the integration again (I can get the refresh token by a Siri Shortcut). I have already known the AES key (S2T***Ka), however, the iv still needs sometime.

rikroe commented 2 years ago

@muxiachuixue this feels like a good compromise! I will have a look at it this evening and update the custom component accordingly.

muxiachuixue commented 2 years ago

@muxiachuixue this feels like a good compromise! I will have a look at it this evening and update the custom component accordingly.

Strictly speaking, this is not a "compromise". Instead, when the nonce encryption is totally cracked, it is still better to use the refresh token to get the access token, which is how the App runs. So these codes will not be wasted even the password login method is known.

After you update the codes, any HA user in China who needs the refresh token generation shortcut, please leave a message. But I guess it won't be needed in the near future.

rikroe commented 2 years ago

That's what I meant with "compromise". Just until the login is solved. The refresh token part is implemented and works for me in rest of world, so that makes much more sense to use, I fully agree!

vividmuse commented 2 years ago

133***617

May be I got it

muxiachuixue commented 2 years ago

133***_61_7 May be I got it

So here is the big boss who actually decompiled it. hah~

rikroe commented 2 years ago

Just released library 0.9.0b9 and custom component 20220509.3 (instructions for refresh_token with HA are in the custom component release notes).

Login with & automated refresh of refresh_token does work for rest of world, and should also work for china. Please try and give feedback.

If you guys manage to figure out the AES encryption and are willing to share, I'll happily include it in the library (of course giving you the credit for finding it out, such as with the RSA encryption for china login (https://github.com/bimmerconnected/bimmer_connected/commit/8ffe1fe23ec6fc961b15106dd019c09778e2d0aa).

rikroe commented 2 years ago

133***617

May be I got it

That looks very closely to the mobile I used. If you got that from the x-login-nonce I pasted above, they I'd say you got it.

Again, if you feel to share the then I can try to implement it in the library.

HuChundong commented 2 years ago

133***617

May be I got it

That looks very closely to the mobile I used. If you got that from the x-login-nonce I pasted above, they I'd say you got it.

Again, if you feel to share the then I can try to implement it in the library.

yes,they got it. if they do not share to you, i will share that. The problem is if this be widely used,will bmw change the encrypt way.

vividmuse commented 2 years ago

@muxiachuixue will send key&iv to your email.

rikroe commented 2 years ago

The problem is if this be widely used,will bmw change the encrypt way.

This is true. Although I suspect we were part of the problem, as we logged in every hour from scratch (now using refresh token) and from Home assistant we send two requests for each platform (sensor, binary sensor, lock etc) every five minutes (changed since 2022.5 with DataUpdateCoordinator)

muxiachuixue commented 2 years ago

The problem is if this be widely used,will bmw change the encrypt way.

This is true. Although I suspect we were part of the problem, as we logged in every hour from scratch (now using refresh token) and from Home assistant we send two requests for each platform (sensor, binary sensor, lock etc) every five minutes (changed since 2022.5 with DataUpdateCoordinator)

This is a contradiction. BMW will always try to block the third party softwares no matter what method we are using to login (refresh token, password or SMS). Even you do not publicize the AES key and iv, BMW will try to change the encryption algorithm once they know you are using their APIs. Obviously, it is not a good way to do the encryption work on some personal server, because you need to upload the username (AES) or password (RSA) to a third party server, which may remain legal risks.

The best way is that BMW offers third party APIs, which is impossible in the near future. Since Github, Scriptable and Siri Shortcuts are all open source, it is impossible to conceal anything.

BTW, I have sent the login codes to your email, please check. The AES encryption codes are from @vividmuse, please mention his name if you implement this part. @HuChundong also did a nice job in the reverse engineering. Thanks all the bimmers and passionate guys. And thanks @rikroe for the long-term technical supports in the excellent integration BimmerConnected.

HuChundong commented 2 years ago

The problem is if this be widely used,will bmw change the encrypt way.

This is true. Although I suspect we were part of the problem, as we logged in every hour from scratch (now using refresh token) and from Home assistant we send two requests for each platform (sensor, binary sensor, lock etc) every five minutes (changed since 2022.5 with DataUpdateCoordinator)

This is a contradiction. BMW will always try to block the third party softwares no matter what method we are using to login (refresh token, password or SMS). Even you do not publicize the AES key and iv, BMW will try to change the encryption algorithm once they know you are using their APIs. Obviously, it is not a good way to do the encryption work on some personal server, because you need to upload the username or password to a third party server, which may remain legal risks.

The best way is that BMW offers third party APIs, which is impossible in the near future. Since Github, Scriptable and Siri Shortcuts are all open source, it is impossible to conceal anything.

BTW, I have sent the login codes to your email, please check. The AES encryption codes are from @vividmuse, please mention his name if you implement this part. @HuChundong also did a nice job in the reverse engineering. Thanks all the bimmers and passionate guys. And thanks @rikroe for the long-term technical supports in the excellent integration BimmerConnected.

  1. calculate nonce do not need password.
  2. but the phone number may be privacy related legal issues
  3. in the future, i will write the bmw widget only for myself and my friends to avoid legal risk
muxiachuixue commented 2 years ago

The problem is if this be widely used,will bmw change the encrypt way.

This is true. Although I suspect we were part of the problem, as we logged in every hour from scratch (now using refresh token) and from Home assistant we send two requests for each platform (sensor, binary sensor, lock etc) every five minutes (changed since 2022.5 with DataUpdateCoordinator)

This is a contradiction. BMW will always try to block the third party softwares no matter what method we are using to login (refresh token, password or SMS). Even you do not publicize the AES key and iv, BMW will try to change the encryption algorithm once they know you are using their APIs. Obviously, it is not a good way to do the encryption work on some personal server, because you need to upload the username or password to a third party server, which may remain legal risks. The best way is that BMW offers third party APIs, which is impossible in the near future. Since Github, Scriptable and Siri Shortcuts are all open source, it is impossible to conceal anything. BTW, I have sent the login codes to your email, please check. The AES encryption codes are from @vividmuse, please mention his name if you implement this part. @HuChundong also did a nice job in the reverse engineering. Thanks all the bimmers and passionate guys. And thanks @rikroe for the long-term technical supports in the excellent integration BimmerConnected.

calculate nonce do not need password.

I know, I mean the RSA part if one tries to hide the algorithm. For clear, I edited the last comment.

muxiachuixue commented 2 years ago

The problem is if this be widely used,will bmw change the encrypt way.

This is true. Although I suspect we were part of the problem, as we logged in every hour from scratch (now using refresh token) and from Home assistant we send two requests for each platform (sensor, binary sensor, lock etc) every five minutes (changed since 2022.5 with DataUpdateCoordinator)

This is a contradiction. BMW will always try to block the third party softwares no matter what method we are using to login (refresh token, password or SMS). Even you do not publicize the AES key and iv, BMW will try to change the encryption algorithm once they know you are using their APIs. Obviously, it is not a good way to do the encryption work on some personal server, because you need to upload the username or password to a third party server, which may remain legal risks. The best way is that BMW offers third party APIs, which is impossible in the near future. Since Github, Scriptable and Siri Shortcuts are all open source, it is impossible to conceal anything. BTW, I have sent the login codes to your email, please check. The AES encryption codes are from @vividmuse, please mention his name if you implement this part. @HuChundong also did a nice job in the reverse engineering. Thanks all the bimmers and passionate guys. And thanks @rikroe for the long-term technical supports in the excellent integration BimmerConnected.

  1. calculate nonce do not need password.
  2. but the phone number may be privacy related legal issues
  3. in the future, i will write the bmw widget only for myself and my friends to avoid legal risk

I will not publicize the encryption codes in Siri shortcuts at present until one day the SMS API is encrypted. The users of HA are not that many in China, so it may be more safe to implement the encryption codes in the HA integration. And it is more complicate to use the SMS code to login in HA.

muxiachuixue commented 2 years ago

Just released library 0.9.0b9 and custom component 20220509.3 (instructions for refresh_token with HA are in the custom component release notes).

Login with & automated refresh of refresh_token does work for rest of world, and should also work for china. Please try and give feedback.

If you guys manage to figure out the AES encryption and are willing to share, I'll happily include it in the library (of course giving you the credit for finding it out, such as with the RSA encryption for china login (8ffe1fe).

I have input the refresh token to config/.storage/core.config_entries following the instructions in 20220509.3 and it works perfectly. One thing to note: also add a comma after "region": "china", or you can not reboot HA.

rikroe commented 2 years ago

Big thanks to @HuChundong @muxiachuixue @vividmuse for figuring out the login flow and providing me the information required!

I didn't put in into the code in clear text, but of course it is obvious (cannot be changed). However this feels much better to me than hosting a service somewhere where users have to share personal information (such as mobile number). At least, now everything is still done locally.

The SMS API is not really suited for Home Assistant - it would be possible, but with more effort (and if you guys are using it for the iOS shortcuts, lets keep it there)!

I have just released a new library version + custom component that should enables you logging in again.

muxiachuixue commented 2 years ago

Big thanks to @HuChundong @muxiachuixue @vividmuse for figuring out the login flow and providing me the information required!

I didn't put in into the code in clear text, but of course it is obvious (cannot be changed). However this feels much better to me than hosting a service somewhere where users have to share personal information (such as mobile number). At least, now everything is still done locally.

The SMS API is not really suited for Home Assistant - it would be possible, but with more effort (and if you guys are using it for the iOS shortcuts, lets keep it there)!

I have just released a new library version + custom component that should enables you logging in again.

Thanks. I have tried the 20220511.2 version. It works well.

yongman commented 2 years ago

@rikroe @muxiachuixue I tried 20220511.2, It appears that periodic unavailable, seems one hour. The strategy of token refresh has some defects?