samrum / OnStarJS

NodeJS Library for making OnStar API requests
MIT License

Explain 403 Forbidden error #208

Closed joelvandal closed 1 year ago

joelvandal commented 1 year ago

Hi,

Is it possible to get more detail on the possible cause of the 403 - Forbidden error? Using OnStarJS 2.3.11.

All commands (diag, status, etc.) work except Start; I always get the following error:

UnhandledPromiseRejectionWarning: Error: Request Failed with status 403 - Forbidden

Any idea on how to troubleshoot this issue?

joelvandal commented 1 year ago

On MyChevrolet, everything works as expected, so I don't think it is related to my "OnStar Plan".

If I debug OnStarJS, I see an error about an invalid scope. Only the "start" command seems to have the problem.

'Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"'
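The bare "Request Failed with status 403" message hides the useful part of the response, which is the RFC 6750 Bearer challenge in the WWW-Authenticate header shown above. The following is an added example, not OnStarJS code: it parses that challenge into a structured object and builds an error that carries the error, error_description and error_uri, so an insufficient_scope rejection is distinguishable from any other 403 when debugging. The function names and the headers object shape (lowercase keys, as Node's http module and undici produce) are assumptions; the sample header is constructed from the value quoted in the comment.

```javascript
// Parse an RFC 6750 section 3 challenge ("Bearer k1="v1", k2=v2 ...") into an object.
// Returns null when the header is absent or is not a Bearer challenge.
function parseBearerChallenge(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*Bearer\s*(.*)$/i.exec(headerValue);
  if (!m) return null;
  const params = {};
  // key="quoted value" (with backslash escapes) or key=token, comma separated
  const re = /([A-Za-z_]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let match;
  while ((match = re.exec(m[1])) !== null) {
    const key = match[1].toLowerCase();
    params[key] = match[2] !== undefined ? match[2].replace(/\\(.)/g, '$1') : match[3];
  }
  return params;
}

// Read WWW-Authenticate from either a plain headers object or a fetch-style Headers instance.
function getWwwAuthenticate(headers) {
  if (!headers) return undefined;
  if (typeof headers.get === 'function') return headers.get('www-authenticate');
  return headers['www-authenticate'] || headers['WWW-Authenticate'];
}

// Build an Error whose message includes the challenge details for 401/403 responses.
// The challenge is also attached as `err.challenge` for programmatic handling
// (e.g. deciding that a token needs a different scope rather than a refresh).
function describeRequestFailure(status, statusText, headers) {
  const challenge =
    status === 401 || status === 403 ? parseBearerChallenge(getWwwAuthenticate(headers)) : null;
  let message = `Request Failed with status ${status} - ${statusText}`;
  if (challenge && challenge.error) {
    message += ` (${challenge.error}`;
    if (challenge.error_description) message += `: ${challenge.error_description}`;
    message += ')';
  }
  const err = new Error(message);
  err.status = status;
  err.challenge = challenge;
  return err;
}

// Constructed sample input: the header value reported in this thread.
const SAMPLE_HEADERS = {
  'www-authenticate':
    'Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"',
};

// Stand-alone usage: prints the enriched message for the sample 403.
console.log(describeRequestFailure(403, 'Forbidden', SAMPLE_HEADERS).message);
```

In a request wrapper this replaces a `throw new Error("Request Failed with status " + status)` on non-2xx responses; the parsed `challenge.error` value is also the right thing to log or alert on, since insufficient_scope points at token scope, not at credentials or rate limiting.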

lusrmgr commented 1 year ago

I am having the exact same issue it also happens on alerts (light flash) for me.

samrum commented 1 year ago

I published 2.3.12 with the latest config values.

I don't have a way to test that it fixes the issue since I no longer have a Chevrolet, so if the way token management has changed or the authentication for certain commands is different, that's going to require more investigation to update.

joelvandal commented 1 year ago

> I don't have a way to test that it fixes the issue since I no longer have a Chevrolet, so if the way token management has changed or the authentication for certain commands is different, that's going to require more investigation to update.

Unfortunately this still fails with a 403 Forbidden on the "start" command. Others still work with the new key.

Looks like a missing permission on the OAuth2 scope.

lusrmgr commented 1 year ago

Can confirm @joelvandal's findings, the new config values do not fix the 403 - Forbidden error.

@samrum Can I ask how you retrieve what the latest config values should be? I am happy to help maintain those values if I can figure out how to pull those.

joelvandal commented 1 year ago

@lusrmgr I'm reading some docs on how I can retrieve keys ... it looks "simple", but I haven't completed my installation yet.

https://infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29

We need to bypass SSL pinning on the application, so I will use an Android emulator, install the latest APK, configure Frida for the SSL pinning bypass and hope to be able to analyse the queries.

Never tried yet.

samrum commented 1 year ago

Yeah, I linked two comments over here: https://github.com/samrum/OnStarJS/issues/205#issuecomment-1267878691 that explain the general idea.

At least to grab the config values I use: genymotion + android APK + frida + frida script that hooks into an internal class to grab them.

Since this isn't just a config issue, the work required is going to be more similar to my last comment in that issue: checking network traffic and/or deeper introspection into what's going on to emulate it.

coelho commented 1 year ago

Hi @samrum - Just to help with this issue to show some appreciation for your efforts <3

I made a quick script for you to easily get the keys from the APK: https://gist.github.com/coelho/911bab2d2416ef46e6f1aa09dcf97b43

All you have to do:

  1. Unzip the APK: unzip <apkname>.apk
  2. Run it with: java -jar OnstarAES.jar /path/to/apkunzip/res/raw/
  3. Done!

That doesn't really get me much closer to finding the issue (the keys match), but hey. It helps for next time.

samrum commented 1 year ago

Nice one! I always wanted a non-emulator way to grab them and couldn't figure it out, so that's awesome! I knew they were encrypted somewhere in the app...lol.

From poking around the decompiled apk really quick, it seems like in RemoteAPIVehicleService.smali command requests have a "Push-Request" header attached to them. Not sure if that's even the class that's actually used at runtime, but maybe the server is expecting that header now and rejecting when it's not there. Not sure what the value of the header would be though.

That's probably something that someone with an active account could grab from the network log or via frida.

coelho commented 1 year ago

According to the code it is "allow" or null. Not sure if null means no header, or if it means actually null. @samrum

samrum commented 1 year ago

Ah, I see the "allow" const in getPushHeader now, awesome...

@coelho are you able to test adding that header to requests in OnStarJS? I could make a branch that adds it, but wouldn't be able to test it.

coelho commented 1 year ago

@samrum Hi - sent you an email for further debugging.

samrum commented 1 year ago

Should be fixed in v2.3.13.