samrum / OnStarJS

NodeJS Library for making OnStar API requests
MIT License
93 stars 20 forks source link

All Requests are Failing with "Request Failed with status 400 - Bad Request" Even with Updated Key #233

Open BigThunderSR opened 1 year ago

BigThunderSR commented 1 year ago

All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in https://github.com/samrum/OnStarJS/pull/232 does not seem to make a difference.

Maliron commented 1 year ago

Why are they SOOO upset that we can interface with their API faster than the terrible MyGMC/Chevrolet app? The apps are so incredibly slow, it is so much faster to bring is all in to HomeAssistant and use that for remote starting and such. We seem to lose access to the API every couple weeks though. This really sucks.

Do we know if this is them shutting us out of the API or simply them changing it? I believe the API is not officially documented or open and this was all reverse engineered right?

LightningManGTS commented 1 year ago

I started doing the homeassitant > node red implementation myself because of gm dropping support for google home (big thanks Bigthundersr by the way). The least they can do is not be insufferable about their API access when their own web developers can't code their website to unhide authenticator elements properly.

tbclark3 commented 1 year ago

Why are they SOOO upset that we can interface with their API faster than the terrible MyGMC/Chevrolet app? The apps are so incredibly slow, it is so much faster to bring is all in to HomeAssistant and use that for remote starting and such. We seem to lose access to the API every couple weeks though. This really sucks.

I also like the API being faster, but it's so much more than that. Integrating into Home Assistant lets me issue a warning if we arm the security system at night while the car is still plugged in (don't want it to catch fire while we're asleep) or early in the morning if I forgot to charge it. It sends me an email to put air in the tires if needed. I'm on my second Bolt, but if GM doesn't want me to use the API, I will switch to a different brand when my lease is up in a couple of months.

BennyDaBee commented 1 year ago

@joelvandal @coelho I know you two were a big help with the last big issue we had, anything you guys would be able to take a look at?

LightningManGTS commented 1 year ago

Is "appId" and "appSecret" in src/onStarAppConfig.json something we should be making unique in every deployment of this library like device UUID's? Is it possible that all these unique instances are showing up as one "device" and then that's what causing it to get blocked? (due to the total number and frequency of requests?)

I ask not being too familiar with how the reverse engineering works.

My only other question is, what if we ask GM directly? or is there enough trepidation that they would outright deny this by making it harder for the api requests to function? https://www.onstar.com/business-solutions/api-data-services

BrettEBowman commented 1 year ago

All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in #232 does not seem to make a difference.

@BigThunderSR: I think that #232 was updated earlier today (Monday, 10/2/23) with another new key pair. Have you been able to test if that gets it working again?

BigThunderSR commented 1 year ago

All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in #232 does not seem to make a difference.

@BigThunderSR: I think that #232 was updated earlier today (Monday, 10/2/23) with another new key pair. Have you been able to test if that gets it working again?

I tried it earlier today even though I knew it wouldn't work either and it did not work as expected.

We need @samrum and others to figure out what changed in the API and make the necessary modifications to OnStarJS to make things work again. Thanks.

BrettEBowman commented 1 year ago

Bummer!

Thanks for trying!

-Brett

From: BigThunderSR @.> Sent: Monday, October 2, 2023 6:50 PM To: samrum/OnStarJS @.> Cc: Brett Bowman @.>; Manual @.> Subject: Re: [samrum/OnStarJS] All Requests are Failing with "Request Failed with status 400 - Bad Request" Even with Updated Key (Issue #233)

All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in #232https://github.com/samrum/OnStarJS/pull/232 does not seem to make a difference.

@BigThunderSRhttps://github.com/BigThunderSR: I think that #232https://github.com/samrum/OnStarJS/pull/232 was updated earlier today (Monday, 10/2/23) with another new key pair. Have you been able to test if that gets it working again?

I tried it earlier today even though I knew it wouldn't work either and it did not work as expected.

We need @samrumhttps://github.com/samrum and others to figure out what changed in the API and make the necessary modifications to OnStarJS to make things work again. Thanks.

— Reply to this email directly, view it on GitHubhttps://github.com/samrum/OnStarJS/issues/233#issuecomment-1743931727, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AEEJW7OMH7WYTFNZSCBY57TX5NHKRAVCNFSM6AAAAAA5J3RWYCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBTHEZTCNZSG4. You are receiving this because you are subscribed to this thread.Message ID: @.**@.>>

BennyDaBee commented 1 year ago

Between #214 and #208, I am trying to get SSL pinning setup to be able to see the requests in real time. Having issues getting the app just to work on Genymotion

BennyDaBee commented 1 year ago

Yea I cant even get the normal app to work on Genymotion before I add anything else to the "device". Any help would be appreciated.

BrettEBowman commented 1 year ago

Flespi.com seems to have a [Changelog] general-motors-onstar protocol.

The last entry there (from 4 days ago) says:

general-motors-onstar protocol has been updated, new parameters added:

EHPE - flespi name position.accuracy
AGEIND - flespi name position.valid

That probably does indicate/confirm that there was a recent change to the OnStar API. Those items seems to only relate to getting location, not the authentication call. But maybe it is at least some clue.

nilathedragon commented 1 year ago

I think the reason for the 400 / bad_application is that they now require the X-Firebase-AppCheck header on the auth endpoints for the request to go through.

The value for that header comes from that thing:

BennyDaBee commented 1 year ago

Im working on getting a Android device to root. I am an iOS person myself so I did not have any on hand. I should have one tonight/tomorrow to be able to test.

Maliron commented 1 year ago

I don't think it's all about the Google app-check blocking us. GM does offer partner API access for fleets. I've reached out their business fleet API people and asked if there is any free API access include for personal use with our OnStar membership. We'll if they reply. I seem to recall applying for GM API access before and never hearing back.

nilathedragon commented 1 year ago

The thing is this project uses (sort of) public client credentials from their android app, fleet customers will have their own credentials that come with their own rules applied to them. I have tried and I know that passing a valid app-check token in that Firebase header will make the token request work again.

My guess is that GM saw that people were using this reverse engineered API for free and they looked for a quick way to put an end to that by adding app check. I guess thats also why its only on the token endpoint. No token, no service.

Maliron commented 1 year ago

That is the pits.. It's such a small subset of users you'd really think it shouldn't be a bit deal to them. I'm sure what they are worried about is someone making money off it. What would be nice is if we could get our own private set of client credentials we could use based off our OnStar subscription. That way it would be unique for each of us, and they wouldn't have to worry, and we'd have our own private API access. I can't see them making a code change like that out of the kindness of their hearts for such a small subset of users though.

Maliron commented 1 year ago

Just spitballing here, I was able to sign up for the GM developers site for making in vehicle apps, I wonder if we can get a client ID for access to the API by "designing" an in vehicle app? I've requested commercial API access through there as well now, I won't be holding my breath though.

BigThunderSR commented 1 year ago

Thanks much @nilathedragon, https://github.com/samrum/OnStarJS/pull/234 has fixed the issue (until OnStar finds another way to block us out again)!!!

BennyDaBee commented 1 year ago

@nilathedragon Just for future issues that may arise, how did you go about the SSL Pinning to grab the request credentials for iOS?

nilathedragon commented 1 year ago

I do all my iOS work using Frida and Objection. You are able to get around their SSL pinning easily using one of the publicly available Frida scripts.

I chose a different route though, I hooked the systems cryptography API's and caught the credentials there. Once again, there are publicly available Frida scripts for this too :)

jianyu-li commented 1 year ago

Thanks @nilathedragon !

Maliron commented 1 year ago

Thank you @nilathedragon !! Good job! I can confirm, I recreated my containers and re-pulled with bigthundersr/onstar2mqtt:latest and all is right in the world again. Hopefully one day GM will let us get access to our own personal client id for personal use and we can do this offically,

stamanf commented 1 year ago

Also back in business. Thanks everyone, happy again 👍👍

BigThunderSR commented 1 year ago

@nilathedragon, could you please see if there is a new key available? The issue is back again this morning, but this time as a 403 - Forbidden. Thanks!

nilathedragon commented 1 year ago

As far as I can see, there was no update to the iOS app. Last updated Oct. 2nd

So they must flag something else. I will look into it.

nilathedragon commented 1 year ago

I noticed that on some accounts the token we get from logging in does not have the "onstar" scope, even though it was requested. This is also true for the official app though. Could you check your token (using jwt.io or similar) and see if it contains the onstar scope?

BigThunderSR commented 1 year ago

I noticed that on some accounts the token we get from logging in does not have the "onstar" scope, even though it was requested. This is also true for the official app though. Could you check your token (using jwt.io or similar) and see if it contains the onstar scope?

Here's what I see for scope:

"scope": "gmoc priv"

BennyDaBee commented 1 year ago

Issue has not seemed to have returned to me on my fork, so the key is still valid.

nilathedragon commented 1 year ago

I noticed that on some accounts the token we get from logging in does not have the "onstar" scope, even though it was requested. This is also true for the official app though. Could you check your token (using jwt.io or similar) and see if it contains the onstar scope?

Here's what I see for scope:

"scope": "gmoc priv"

Its missing the "onstar" scope, what really weirds me out is that not all accounts do this.

BigThunderSR commented 1 year ago

Actually, looks like their entire system is down right now. Even the official app isn't working...

Let's see what happens after the app resumes working. Thanks.

BigThunderSR commented 1 year ago

Looks like things are back again (for now at least).

tbclark3 commented 1 year ago

My official app is treating me as a new customer this morning. Looks like it's going to require me to press the blue OnStar button in the car to do an initial setup.

BigThunderSR commented 1 year ago

My official app is treating me as a new customer this morning. Looks like it's going to require me to press the blue OnStar button in the car to do an initial setup.

No, don't do that. Just try logging out completely from the app and logging back in. That's what worked for me.

tbclark3 commented 1 year ago

Already tried logging out and back in, didn't work. I called Onstar and the "connection specialist" told me that everyone got unlinked from their accounts last night. They are flooded with calls, and for most of them, at least, there is no alternative but for Onstar to manually relink the account. They did that for mine, but the app still doesn't work. Right now I am in the process of resetting the car (turn off car, open and close door, sit 3 minutes then turn car back on) and the specialist is supposed to call me back.

nilathedragon commented 1 year ago

Already tried logging out and back in, didn't work. I called Onstar and the "connection specialist" told me that everyone got unlinked from their accounts last night. They are flooded with calls, and for most of them, at least, there is no alternative but for Onstar to manually relink the account. They did that for mine, but the app still doesn't work. Right now I am in the process of resetting the car (turn off car, open and close door, sit 3 minutes then turn car back on) and the specialist is supposed to call me back.

Thank you for sharing! Please do keep us posted about how they are resolving this :)

BigThunderSR commented 1 year ago

I logged into OnStar.com and I think that somehow fixed my linkage because I got an email stating as such. I thought it was a one-off just on my account, but I guess that's not the case per the above info. I then logged out of the app and logged back in and everything was working after that.

I would say try what I did and see if that works.

tbclark3 commented 1 year ago

Following the car reset, both the app and the API are now working again. I didn't have to log out of the app for it to start working.

Maliron commented 1 year ago

Well that's interesting.. Got an email from GM this morning saying a password reset is required. My password is still working on the app and the website, but my container is failing with "Request Failed with status 429" now. I have not reset my password yet, but I guess I'll have to give it a try. They really don't like us using the API for "free" I think, even though we pay $15 a month per vehicle to do so.

Maliron commented 1 year ago

Well, I'm not sure now. Must not like the number of request coming through or something. I didn't reset the password, but I sent an unlock command and it still went through. So I guess I'll leave it for now.

BigThunderSR commented 1 year ago

@nilathedragon, I think the iOS app got updated on October 16. Could you please check and update the keys? Thanks much!

nilathedragon commented 1 year ago

@BigThunderSR A bit delayed since I was away last week, but here it is: https://github.com/samrum/OnStarJS/pull/237

BigThunderSR commented 1 year ago

@nilathedragon, no worries and thanks much!

BigThunderSR commented 1 year ago

@nilathedragon, looks like we are 2 versions behind as of today, so could you please update the keys? Thanks!

quicklywilliam commented 1 year ago

I'm still seeing 429 errors on the new version (polling every 10 mins).

BigThunderSR commented 1 year ago

I'm still seeing 429 errors on the new version (polling every 10 mins).

It's working for me although the API keeps throwing 504 errors every so often which has been the norm for several months now.

10 minute polling is far too frequent and you will get 429'd for that every time.

quicklywilliam commented 1 year ago

Got it. Will back off. Has anyone worked out what the minimum safe polling interval is?

BigThunderSR commented 1 year ago

Got it. Will back off. Has anyone worked out what the minimum safe polling interval is?

No less than 30 minutes.

BigThunderSR commented 10 months ago

@nilathedragon, it looks like we are several versions behind at this point, so could you please update the keys again? Thanks!

BigThunderSR commented 8 months ago

@nilathedragon, it looks like the current keys have expired, so could you please assist? Thanks!

evilpig commented 8 months ago

@nilathedragon, it looks like the current keys have expired, so could you please assist? Thanks!

I was setting this up this morning and it worked like 3 hours ago and 2 hours ago stopped working with "Request Failed with status 400 - Bad Request". Not just me then?