samrum / OnStarJS

NodeJS Library for making OnStar API requests
MIT License
93 stars 20 forks

Getting 401 Unauthorized #214

Closed BennyDaBee closed 1 year ago

BennyDaBee commented 1 year ago

Hello,

Starting yesterday or Wednesday, I started getting 401 errors. The latest branch does not fix this.

joelvandal commented 1 year ago

I have exactly the same issue: the status command works, but start returns a 401 error.

Error: Request Failed with status 401 - Unauthorized

BigThunderSR commented 1 year ago

The entire OnStar app system went down yesterday with even the official GM apps not working. The official GM apps are working now, but we can no longer seem to run any commands via API, so it's possible that they blocked us again.

glassbase commented 1 year ago

Related https://github.com/michaelwoods/onstar2mqtt/issues/243

ShaydeNofziger commented 1 year ago

Perhaps this change has something to do with it? https://github.com/samrum/OnStarJS/commit/6e159a523870323040c5018e68fdc30644abc8ce

~Unless I'm misunderstanding, perhaps that app secret is revoked / shouldn't be in source.~ EDIT: These keys are sourced from the GM APK. Disregard the above.

@samrum Perhaps you can provide further details on that change and what those values are used for?

joelvandal commented 1 year ago

> Perhaps this change has something to do with it? 6e159a5

The secret keys match the ones in the latest MyChevrolet APK Version 5.21.1 (4151). So it's probably another issue. Trying to set up an environment to test SSL pinning, etc. to troubleshoot the 401 issue.

BennyDaBee commented 1 year ago

> Perhaps this change has something to do with it? 6e159a5
>
> Unless I'm misunderstanding, perhaps that app secret is revoked / shouldn't be in source.
>
> @samrum Perhaps you can provide further details on that change and what those values are used for?

As well, it was broken before and after I merged this into my current version. Something for sure changed on GM's end. Hopefully, Joel will be able to pin it down for us.

joelvandal commented 1 year ago

@samrum I installed GenyMotion, Burp Suite, Frida, etc., but it looks like not all requests are forwarded to the proxy (MITM). Do you have any reference that I can follow in order to help troubleshoot this issue?

joelvandal commented 1 year ago

Maybe someone is more experienced than me with "pentesting", but I've tried tools like MobSF (very nice), direct commands with Frida, etc., but all the tests I made seem to fail as soon as I enable the HTTP proxy.

I ran "SSL Pinning" bypass tests and they always fail. Maybe I'm doing something wrong :(

I really want to help troubleshoot this issue :)

Z1mDMan commented 1 year ago

Any update on this? How can I help (as a non-programmer but tech savvy)?

joelvandal commented 1 year ago

> Any update on this? How can I help (as a non-programmer but tech savvy)?

Unfortunately I'm unable to bypass "SSL Pinning" when I test in my environment (Genymotion, Frida, etc). I'm currently blocked at this step.

BennyDaBee commented 1 year ago

@chakal I see you were trying to work on this. Did you have any luck?

BennyDaBee commented 1 year ago

@joelvandal not sure if this may help https://blog.sanghviharshit.com/reverse-engineering-private-api-ssl-pinning/

joelvandal commented 1 year ago

> @joelvandal not sure if this may help https://blog.sanghviharshit.com/reverse-engineering-private-api-ssl-pinning/

@BennyDaBee Thanks, I just finished getting my whole "setup" working to capture traffic from GM.

I will now review the "unencrypted" pcap :) (thanks to polarproxy, frida, etc).

joelvandal commented 1 year ago

Looks like the endpoint path changed.

E.g., to send a getCommand, OnStarJS uses:

/api/v1/account/vehicles/${this.config.vin}/commands/${command}

But if I check my trace, I see:

/api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557

So "commands" has been renamed to "requests" and a number is appended after the start parameter.

The number looks to include the timestamp of when I executed the request (1674601627).

I continue my analysis ... sorry I'm not a pro with Wireshark, etc... but I captured lots of HTTP2 traffic.

joelvandal commented 1 year ago

And it looks to use na-mobile-api.gm.com instead of api.gm.com

joelvandal commented 1 year ago

Sorry, the /requests/ URL is the response after we send a POST request:

POST /api/v2/account/vehicles/XXXXXXXXXXXX/commands/start

It uses api/v2 instead of api/v1

BennyDaBee commented 1 year ago

Testing on mine now @joelvandal

joelvandal commented 1 year ago

If I decode the JWT token, I also see the following scope

msso gmoc priv user_trailer user onstar role_owner
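
What decoding the token involves, as an added example that is not part of the original comment or of OnStarJS: it splits a JWT, decodes the header and claims without verifying the signature, and summarises the fields worth checking when a call returns 401. The function names are hypothetical, and the sample token is constructed from the redacted header and claim values joelvandal posts later in this thread, with a placeholder signature.

```javascript
// Decode-only inspection: the signature is NOT verified, so this is a
// troubleshooting aid, never an authorization decision.
function decodeSegment(segment) {
  // base64url -> base64; Buffer is a Node.js global and tolerates no padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// Origin of a URL string, or null when the value is missing or malformed.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Summarise the claims worth checking when an API call comes back 401.
function inspectToken(token, nowSec) {
  const { header, payload } = decodeJwt(token);
  const issuer = originOf(payload.iss);
  return {
    alg: header.alg,
    scopes: String(payload.scope || '').split(/\s+/).filter(Boolean),
    lifetimeSec: payload.exp - payload.iat,
    expired: nowSec >= payload.exp,
    // A key-set URL hosted away from the issuer deserves a second look.
    jkuOnIssuer: issuer !== null && originOf(header.jku) === issuer,
  };
}

// Constructed sample: claim values from the redacted token in this thread,
// re-encoded here with a placeholder instead of a real signature.
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  encode({ jku: 'https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/',
           typ: 'JWT', alg: 'RS256' }),
  encode({ iat: 1674601607, exp: 1674603407, aud: 'cvc_prod',
           iss: 'https://sec-authz-mobile.na.onstar.cpi.gm.com',
           scope: 'msso gmoc priv user_trailer user onstar role_owner' }),
  'placeholder-signature',
].join('.');

// 1674601627 is the request timestamp mentioned earlier in the thread.
console.log(inspectToken(sampleToken, 1674601627));
```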

joelvandal commented 1 year ago

And only the POST to commands/start looks to use api/v2; all other endpoints still use api/v1/account/etc...

BennyDaBee commented 1 year ago

Still learning development myself, would that include the request diagnostics using api/v2?

BennyDaBee commented 1 year ago

Also @joelvandal is the appSecret still the same or has it changed?

joelvandal commented 1 year ago

@BennyDaBee The appSecret hasn't changed and the one in the latest version of onstarjs is correct.

BennyDaBee commented 1 year ago

Ok, how about the appId? Trying to track down why I'm still getting 401

BennyDaBee commented 1 year ago

> But if I check on my trace, I see : /api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557 So the "commands" was been renamed to "requests" and a number is append after the start parameter.

Glossed over this. Wonder what the random number in full means.

joelvandal commented 1 year ago

> > But if I check on my trace, I see : /api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557 So the "commands" was been renamed to "requests" and a number is append after the start parameter.
>
> Glossed over this. Wonder what the random number in full means.

@BennyDaBee you can ignore this... the request/startRANDOMDIGITS is the URL that we can use to get the status of the command. This URL is returned when we do a POST /api/v2/account/vehicles/XXXXXXXXXXXX/commands/start

joelvandal commented 1 year ago

The 401 is when we send a request to the /api/v1/oauth/token/upgrade endpoint. When I look at the trace (tcpdump), this request doesn't appear to be sent anymore.

{
  client_id: 'OMB_CVY_AND_5V1',
  credential: 'XXXX',
  credential_type: 'PIN',
  device_id: 'XXXXXX-c2fe-XXXXX-82b1-XXXXXXXXXXX',
  grant_type: 'password',
  nonce: 'YTU........zNWQ0OTljN.....EyYWU1Nz',
  timestamp: '2023-01-25T00:48:11.001Z'
}

When we send a POST for start:

/api/v2/account/vehicles/XXXXXXXXXXX/commands/start

or a POST for diagnostics:

/api/v1/account/vehicles/XXXXXXXXXXXX/commands/diagnostics

The JWT payload looks like:

Header:

{
  "jku": "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/",
  "kid": "mobile-authz-jwt-token-prod-na-06032023-1",
  "typ": "JWT",
  "alg": "RS256"
}

Data:

{
  "jti": "XXXXXXXXX-7a85-46e2-XXXXXXXX",
  "iat": 1674601607,
  "sub": "CA5NAHF2",
  "iss": "https://sec-authz-mobile.na.onstar.cpi.gm.com",
  "aud": "cvc_prod",
  "exp": 1674603407,
  "uid": "MY_USERNAME",
  "ver": 1.3,
  "scope": "msso gmoc priv user_trailer user onstar role_owner",
  "pai": "OMNIBUS_CVY",
  "typ": "bearer",
  "dci": "XXXXXX-1296-XXXXXXX-9d1f-XXXXXXXXXXXXX",
  "per": "AAAAAAAAAAAAAM......A==",
  "chan": "mobile",
  "vehs": [
    {
      "vin": "1G1FZ6XXXXXX",
      "per": "AAAAAAAAAAAAAAAAAAAAI...AAAAAAAAA=="
    }
  ],
  "cid": "OMB_CVY_AND_5V1"
}

michaelwoods commented 1 year ago

@joelvandal that seemed to do it. I disabled the token upgrade by default and I'm able to request diagnostics. PR incoming.

joelvandal commented 1 year ago

I confirm that diag, start and stop are working with this patch :)

joelvandal commented 1 year ago

Will see tomorrow if everything works as expected, I have about 500-600 "start" commands that are normally executed each day :)

BennyDaBee commented 1 year ago

@michaelwoods @joelvandal Was able to confirm that lock/unlock/start/cancelStart all returned and completed as normal

BigThunderSR commented 1 year ago

Just wanted to say you guys are awesome! 😎

usmcfiredog commented 1 year ago

Thank you all for the great work!