Closed BennyDaBee closed 1 year ago
I have exactly same issues, status command work, but start return a 401 error.
Error: Request Failed with status 401 - Unauthorized
The entire OnStar app system went down yesterday with even the official GM apps not working. The official GM apps are working now, but we can no longer seem to run any commands via API, so it's possible that they blocked us again.
Perhaps this change has something to do with it? https://github.com/samrum/OnStarJS/commit/6e159a523870323040c5018e68fdc30644abc8ce
~Unless I'm misunderstanding, perhaps that app secret is revoked / shouldn't be in source.~ EDIT: These keys are sourced from the GM APK. disregard above.
@samrum Perhaps you can provide further details on that change and what those values are used for?
Perhaps this change has something to do with it? 6e159a5
The secret keys match the one on the latest MyChevrolet APK Version5.21.1 (4151). So it probably another issues. Trying to setup an environment to test SSL pinning, etc to troubleshoot the 401 issue.
Perhaps this change has something to do with it? 6e159a5
Unless I'm misunderstanding, perhaps that app secret is revoked / shouldn't be in source.
@samrum Perhaps you can provide further details on that change and what those values are used for?
As well, it was broken before and after I merged this into my current version. Something for sure changed on GMs end. Hopefully, Joel will be able to ping it down for us.
@samrum I installed GenyMotion, Burp Suite, Frida, etc... but it look like not all request are forwarded to the proxy (MITM). Do you have any reference that I can follow in order to help troubleshoot this issue ?
Maybe someone more experimented what me with "pentesting" but I've try tools lime MobSF (very nice), direct command with Frida, etc... but all test I made look to fail as soon as I enable HTTP proxy.
I made "SSL Pinning" bypass test and it always fail. Maybe I do something wrong :(
I really want to help troubleshoot this issue :)
any update on this? how can I help (as a non-programmer but tech savvy)
any update on this? how can I help (as a non-programmer but tech savvy)
Unfortunately I'm unable to bypass "SSL Pinning" when I do test on my environment (Genymotion, Frida, etc). I'm currently blocked at this step.
@chakal I see you were trying to work on this. Did you have any luck?
@joelvandal not sure if this may help https://blog.sanghviharshit.com/reverse-engineering-private-api-ssl-pinning/
@joelvandal not sure if this may help https://blog.sanghviharshit.com/reverse-engineering-private-api-ssl-pinning/
@BennyDaBee Thanks, I just finish to made all my "setup" working to capture traffics from GM.
I will now review the "unencrypted" pcap :) (thanks to polarproxy, frida, etc).
Look like endpoint path changed.
Ex. to send a getCommand, OnStarJS use :
/api/v1/account/vehicles/${this.config.vin}/commands/${command}
But if I check on my trace, I see :
/api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557
So the "commands" was been renamed to "requests" and a number is append after the start parameter.
The number look to include the timestamp when I executed the request (1674601627)
I continue my analysis ... sorry I'm not a pro with Wireshark, etc... but I captured lots of HTTP2 traffic.
And it look to use na-mobile-api.gm.com instead of api.gm.com
Sorry, the /requests/ URL is the response after we send a POST request :
POST /api/v2/account/vehicles/XXXXXXXXXXXX/commands/start
It use api/v2 instead of api/v1
Testing on mine now @joelvandal
If I decode the JWT token, I also see the following scope
msso gmoc priv user_trailer user onstar role_owner
And only the POST to commands/start look to use api/v2 .. all others endpoint still use api/v1/account/etc...
Still learning development myself, would that include the request diagnostics using api/v2?
Also @joelvandal is the appSecret still the same or has it changed?
@BennyDaBee The appSecret haven't changed and the one on latest version of onstarjs is correct.
Ok, how about the appId? Trying to track down why im still getting 401
But if I check on my trace, I see : /api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557 So the "commands" was been renamed to "requests" and a number is append after the start parameter.
Glossed over this. Wonder what the random number in full means.
But if I check on my trace, I see : /api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557 So the "commands" was been renamed to "requests" and a number is append after the start parameter.
Glossed over this. Wonder what the random number in full means.
@BennyDaBee you can ignore this... the request/startRANDOMDIGITS is the URL that we can use to get the status of the command. This URL is returned when we do a POST /api/v2/account/vehicles/XXXXXXXXXXXX/commands/start
The 401 is when we send an request to the /api/v1/oauth/token/upgrade endpoint. When I look on trace (tcpdump), this request doesn't look to be sent anymore.
{
client_id: 'OMB_CVY_AND_5V1',
credential: 'XXXX',
credential_type: 'PIN',
device_id: 'XXXXXX-c2fe-XXXXX-82b1-XXXXXXXXXXX',
grant_type: 'password',
nonce: 'YTU........zNWQ0OTljN.....EyYWU1Nz',
timestamp: '2023-01-25T00:48:11.001Z'
}
When we send a POST for start :
/api/v2/account/vehicles/XXXXXXXXXXX/commands/start
or a POST for diagnostics :
/api/v1/account/vehicles/XXXXXXXXXXXX/commands/diagnostics
The JWT payload look like :
Header :
{ "jku": "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/", "kid": "mobile-authz-jwt-token-prod-na-06032023-1", "typ": "JWT", "alg": "RS256" }
Data:
"jti": "XXXXXXXXX-7a85-46e2-XXXXXXXX", "iat": 1674601607, "sub": "CA5NAHF2", "iss": "https://sec-authz-mobile.na.onstar.cpi.gm.com", "aud": "cvc_prod", "exp": 1674603407, "uid": "MY_USERNAME", "ver": 1.3, "scope": "msso gmoc priv user_trailer user onstar role_owner", "pai": "OMNIBUS_CVY", "typ": "bearer", "dci": "XXXXXX-1296-XXXXXXX-9d1f-XXXXXXXXXXXXX", "per": "AAAAAAAAAAAAAM......A==", "chan": "mobile", "vehs": [ { "vin": "1G1FZ6XXXXXX", "per": "AAAAAAAAAAAAAAAAAAAAI...AAAAAAAAA==" } ], "cid": "OMB_CVY_AND_5V1" }
@joelvandal that seemed to do it. I disabled the token upgrade by default and I'm able to request diagnostics. PR incoming.
I confirm that diag, start and stop are working with this patch :)
Will see tomorrow if everything work as expected, I have about 500-600 "start" command that are normally executed each days :)
@michaelwoods @joelvandal Was able to confirm that lock/unlock/start/cancelStart all returned and completed as normal
Just wanted to say you guys are awesome! 😎
Thank you all for the great work!
Hello,
starting yesterday or Wednesday, started getting 401 errors. The latest branch does not fix this.