samrum / OnStarJS

NodeJS Library for making OnStar API requests
MIT License

All Requests are Failing with "Request Failed with status 400 - Bad Request" Even with Updated Key #233

Open BigThunderSR opened 9 months ago

BigThunderSR commented 9 months ago

All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in https://github.com/samrum/OnStarJS/pull/232 does not seem to make a difference.

Maliron commented 9 months ago

Why are they SOOO upset that we can interface with their API faster than the terrible MyGMC/Chevrolet app? The apps are so incredibly slow, it is so much faster to bring it all into HomeAssistant and use that for remote starting and such. We seem to lose access to the API every couple of weeks though. This really sucks.

Do we know if this is them shutting us out of the API or simply them changing it? I believe the API is not officially documented or open and this was all reverse engineered right?

LightningManGTS commented 9 months ago

I started doing the Home Assistant > Node-RED implementation myself because of GM dropping support for Google Home (big thanks BigThunderSR by the way). The least they can do is not be insufferable about their API access when their own web developers can't code their website to unhide authenticator elements properly.

tbclark3 commented 9 months ago

> Why are they SOOO upset that we can interface with their API faster than the terrible MyGMC/Chevrolet app? The apps are so incredibly slow, it is so much faster to bring it all into HomeAssistant and use that for remote starting and such. We seem to lose access to the API every couple of weeks though. This really sucks.

I also like the API being faster, but it's so much more than that. Integrating into Home Assistant lets me issue a warning if we arm the security system at night while the car is still plugged in (don't want it to catch fire while we're asleep) or early in the morning if I forgot to charge it. It sends me an email to put air in the tires if needed. I'm on my second Bolt, but if GM doesn't want me to use the API, I will switch to a different brand when my lease is up in a couple of months.

BennyDaBee commented 9 months ago

@joelvandal @coelho I know you two were a big help with the last big issue we had, anything you guys would be able to take a look at?

LightningManGTS commented 9 months ago

Are "appId" and "appSecret" in src/onStarAppConfig.json something we should be making unique in every deployment of this library, like device UUIDs? Is it possible that all these unique instances are showing up as one "device" and that's what's causing it to get blocked? (due to the total number and frequency of requests?)

I ask not being too familiar with how the reverse engineering works.

My only other question is, what if we ask GM directly? Or is there enough trepidation that they would outright deny this by making it harder for the API requests to function? https://www.onstar.com/business-solutions/api-data-services

BrettEBowman commented 9 months ago

> All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in #232 does not seem to make a difference.

@BigThunderSR: I think that #232 was updated earlier today (Monday, 10/2/23) with another new key pair. Have you been able to test if that gets it working again?

BigThunderSR commented 9 months ago

> > All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in #232 does not seem to make a difference.
>
> @BigThunderSR: I think that #232 was updated earlier today (Monday, 10/2/23) with another new key pair. Have you been able to test if that gets it working again?

I tried it earlier today even though I knew it wouldn't work either and it did not work as expected.

We need @samrum and others to figure out what changed in the API and make the necessary modifications to OnStarJS to make things work again. Thanks.

BrettEBowman commented 9 months ago

Bummer!

Thanks for trying!

-Brett


BennyDaBee commented 9 months ago

Between #214 and #208, I am trying to get SSL pinning bypass set up to be able to see the requests in real time. Having issues getting the app just to work on Genymotion.

BennyDaBee commented 9 months ago

Yeah, I can't even get the normal app to work on Genymotion before I add anything else to the "device". Any help would be appreciated.

BrettEBowman commented 9 months ago

Flespi.com seems to have a [Changelog] general-motors-onstar protocol.

The last entry there (from 4 days ago) says:

> general-motors-onstar protocol has been updated, new parameters added:
>
> EHPE - flespi name position.accuracy
> AGEIND - flespi name position.valid

That probably does indicate/confirm that there was a recent change to the OnStar API. Those items seem to only relate to getting location, not the authentication call. But maybe it is at least some clue.

nilathedragon commented 9 months ago

I think the reason for the 400 / bad_application is that they now require the X-Firebase-AppCheck header on the auth endpoints for the request to go through.

The value for that header comes from that thing:

BennyDaBee commented 9 months ago

I'm working on getting an Android device to root. I am an iOS person myself so I did not have any on hand. I should have one tonight/tomorrow to be able to test.

Maliron commented 8 months ago

I don't think it's all about the Google App Check blocking us. GM does offer partner API access for fleets. I've reached out to their business fleet API people and asked if there is any free API access included for personal use with our OnStar membership. We'll see if they reply. I seem to recall applying for GM API access before and never hearing back.

nilathedragon commented 8 months ago

The thing is, this project uses (sort of) public client credentials from their Android app; fleet customers will have their own credentials that come with their own rules applied to them. I have tried, and I know that passing a valid App Check token in that Firebase header will make the token request work again.

My guess is that GM saw that people were using this reverse-engineered API for free and they looked for a quick way to put an end to that by adding App Check. I guess that's also why it's only on the token endpoint. No token, no service.

Maliron commented 8 months ago

That is the pits.. It's such a small subset of users, you'd really think it shouldn't be a big deal to them. I'm sure what they are worried about is someone making money off it. What would be nice is if we could get our own private set of client credentials we could use based off our OnStar subscription. That way it would be unique for each of us, and they wouldn't have to worry, and we'd have our own private API access. I can't see them making a code change like that out of the kindness of their hearts for such a small subset of users though.

Maliron commented 8 months ago

Just spitballing here: I was able to sign up for the GM developers site for making in-vehicle apps. I wonder if we can get a client ID for access to the API by "designing" an in-vehicle app? I've requested commercial API access through there as well now; I won't be holding my breath though.

BigThunderSR commented 8 months ago

Thanks much @nilathedragon, https://github.com/samrum/OnStarJS/pull/234 has fixed the issue (until OnStar finds another way to block us out again)!!!

BennyDaBee commented 8 months ago

@nilathedragon Just for future issues that may arise, how did you go about the SSL Pinning to grab the request credentials for iOS?

nilathedragon commented 8 months ago

I do all my iOS work using Frida and Objection. You are able to get around their SSL pinning easily using one of the publicly available Frida scripts.

I chose a different route though: I hooked the system's cryptography APIs and caught the credentials there. Once again, there are publicly available Frida scripts for this too :)

jianyu-li commented 8 months ago

Thanks @nilathedragon !

Maliron commented 8 months ago

Thank you @nilathedragon !! Good job! I can confirm, I recreated my containers and re-pulled with bigthundersr/onstar2mqtt:latest and all is right in the world again. Hopefully one day GM will let us get access to our own personal client ID for personal use and we can do this officially.

stamanf commented 8 months ago

Also back in business. Thanks everyone, happy again 👍👍

BigThunderSR commented 8 months ago

@nilathedragon, could you please see if there is a new key available? The issue is back again this morning, but this time as a 403 - Forbidden. Thanks!

nilathedragon commented 8 months ago

As far as I can see, there was no update to the iOS app. Last updated Oct. 2nd.

So they must be flagging something else. I will look into it.

nilathedragon commented 8 months ago

I noticed that on some accounts the token we get from logging in does not have the "onstar" scope, even though it was requested. This is also true for the official app though. Could you check your token (using jwt.io or similar) and see if it contains the onstar scope?

BigThunderSR commented 8 months ago

> I noticed that on some accounts the token we get from logging in does not have the "onstar" scope, even though it was requested. This is also true for the official app though. Could you check your token (using jwt.io or similar) and see if it contains the onstar scope?

Here's what I see for scope:

`"scope": "gmoc priv"`

BennyDaBee commented 8 months ago

Issue has not seemed to have returned to me on my fork, so the key is still valid.

nilathedragon commented 8 months ago

> > I noticed that on some accounts the token we get from logging in does not have the "onstar" scope, even though it was requested. This is also true for the official app though. Could you check your token (using jwt.io or similar) and see if it contains the onstar scope?
>
> Here's what I see for scope:
>
> `"scope": "gmoc priv"`

It's missing the "onstar" scope. What really weirds me out is that not all accounts do this.
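The scope check discussed above can be done locally instead of pasting a token into jwt.io. The following is an added example, not OnStarJS code: it decodes the payload segment of a JWT (no signature verification, the same view jwt.io gives) and reports whether the space-separated `scope` claim contains `onstar`. The two sample tokens are constructed here with a dummy signature; the `scope` values mirror the ones quoted in this thread.

```javascript
// Added example (not part of OnStarJS): inspect the scope claim of an access token.
// Only the payload is decoded; the signature is not checked, so this is for
// inspection of a token you already hold, not for trusting one you received.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; Node's Buffer understands "base64url".
  return Buffer.from(segment, "base64url").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 JWT segments, got ${parts.length}`);
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

function tokenScopes(token) {
  const payload = decodeJwtPayload(token);
  // OAuth scopes are a single space-separated string, e.g. "gmoc priv onstar".
  const raw = typeof payload.scope === "string" ? payload.scope : "";
  return raw.split(/\s+/).filter(Boolean);
}

function hasOnstarScope(token) {
  return tokenScopes(token).includes("onstar");
}

// Constructed sample tokens: real header/payload encoding, dummy signature.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.dummysignature`;
}

const TOKEN_MISSING_ONSTAR = makeSampleToken({ sub: "user-a", scope: "gmoc priv" });
const TOKEN_WITH_ONSTAR = makeSampleToken({ sub: "user-b", scope: "gmoc priv onstar" });

if (typeof require !== "undefined" && require.main === module) {
  for (const t of [TOKEN_MISSING_ONSTAR, TOKEN_WITH_ONSTAR]) {
    console.log(tokenScopes(t).join(" "), "->", hasOnstarScope(t) ? "onstar present" : "onstar MISSING");
  }
}
```

To check a real token, pass the access token string returned by the login call to `hasOnstarScope`; a `false` result matches the `"gmoc priv"` case reported above.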

BigThunderSR commented 8 months ago

Actually, looks like their entire system is down right now. Even the official app isn't working...

Let's see what happens after the app resumes working. Thanks.

BigThunderSR commented 8 months ago

Looks like things are back again (for now at least).

tbclark3 commented 8 months ago

My official app is treating me as a new customer this morning. Looks like it's going to require me to press the blue OnStar button in the car to do an initial setup.

BigThunderSR commented 8 months ago

> My official app is treating me as a new customer this morning. Looks like it's going to require me to press the blue OnStar button in the car to do an initial setup.

No, don't do that. Just try logging out completely from the app and logging back in. That's what worked for me.

tbclark3 commented 8 months ago

Already tried logging out and back in, didn't work. I called Onstar and the "connection specialist" told me that everyone got unlinked from their accounts last night. They are flooded with calls, and for most of them, at least, there is no alternative but for Onstar to manually relink the account. They did that for mine, but the app still doesn't work. Right now I am in the process of resetting the car (turn off car, open and close door, sit 3 minutes then turn car back on) and the specialist is supposed to call me back.

nilathedragon commented 8 months ago

> Already tried logging out and back in, didn't work. I called Onstar and the "connection specialist" told me that everyone got unlinked from their accounts last night. They are flooded with calls, and for most of them, at least, there is no alternative but for Onstar to manually relink the account. They did that for mine, but the app still doesn't work. Right now I am in the process of resetting the car (turn off car, open and close door, sit 3 minutes then turn car back on) and the specialist is supposed to call me back.

Thank you for sharing! Please do keep us posted about how they are resolving this :)

BigThunderSR commented 8 months ago

I logged into OnStar.com and I think that somehow fixed my linkage because I got an email stating as such. I thought it was a one-off just on my account, but I guess that's not the case per the above info. I then logged out of the app and logged back in and everything was working after that.

I would say try what I did and see if that works.

tbclark3 commented 8 months ago

Following the car reset, both the app and the API are now working again. I didn't have to log out of the app for it to start working.

Maliron commented 8 months ago

Well, that's interesting.. Got an email from GM this morning saying a password reset is required. My password is still working on the app and the website, but my container is failing with "Request Failed with status 429" now. I have not reset my password yet, but I guess I'll have to give it a try. They really don't like us using the API for "free" I think, even though we pay $15 a month per vehicle to do so.

Maliron commented 8 months ago

Well, I'm not sure now. Must not like the number of requests coming through or something. I didn't reset the password, but I sent an unlock command and it still went through. So I guess I'll leave it for now.

BigThunderSR commented 8 months ago

@nilathedragon, I think the iOS app got updated on October 16. Could you please check and update the keys? Thanks much!

nilathedragon commented 8 months ago

@BigThunderSR A bit delayed since I was away last week, but here it is: https://github.com/samrum/OnStarJS/pull/237

BigThunderSR commented 8 months ago

@nilathedragon, no worries and thanks much!

BigThunderSR commented 7 months ago

@nilathedragon, looks like we are 2 versions behind as of today, so could you please update the keys? Thanks!

quicklywilliam commented 7 months ago

I'm still seeing 429 errors on the new version (polling every 10 mins).

BigThunderSR commented 7 months ago

> I'm still seeing 429 errors on the new version (polling every 10 mins).

It's working for me although the API keeps throwing 504 errors every so often which has been the norm for several months now.

10 minute polling is far too frequent and you will get 429'd for that every time.

quicklywilliam commented 7 months ago

Got it. Will back off. Has anyone worked out what the minimum safe polling interval is?

BigThunderSR commented 7 months ago

> Got it. Will back off. Has anyone worked out what the minimum safe polling interval is?

No less than 30 minutes.
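A polling client that respects the 30-minute floor given above, and reacts to the status codes reported in this thread (429 rate limiting, 400/403 after a key or App Check change, intermittent 504s), as an added example that is not OnStarJS code. The 4-hour backoff cap and the classification of 400/403 as "stop and fix credentials" are this example's own choices; the HTTP call is replaced by an injected `request` function returning a status so the loop runs offline.

```javascript
// Added example (not part of OnStarJS): rate-limit-aware polling schedule.
const MIN_INTERVAL_MS = 30 * 60 * 1000;       // floor stated in the thread
const MAX_BACKOFF_MS = 4 * 60 * 60 * 1000;    // assumption: cap 429 backoff at 4 hours

function classifyStatus(status) {
  if (status >= 200 && status < 300) return "ok";
  if (status === 429) return "rate_limited";
  // 400 (missing App Check token) and 403 (expired keys) both need a code/key update,
  // so retrying faster only adds to the request count.
  if (status === 400 || status === 403) return "credentials";
  if (status === 504) return "transient";
  return "other";
}

function planNextPoll(status, previousDelayMs) {
  switch (classifyStatus(status)) {
    case "rate_limited":
      // Double the wait on each 429, never below the floor, never above the cap.
      return { action: "backoff", delayMs: Math.min(Math.max(previousDelayMs * 2, MIN_INTERVAL_MS), MAX_BACKOFF_MS) };
    case "credentials":
      return { action: "stop", delayMs: null };
    default:
      // Success, a transient 504, or anything else: resume the normal interval.
      return { action: "poll", delayMs: MIN_INTERVAL_MS };
  }
}

// request(): returns { status }; sleep(ms): waits. Both injected so the schedule
// can be exercised without network access (a real client would await an HTTP call).
function runPoller(request, sleep, maxPolls) {
  const delays = [];
  let delayMs = MIN_INTERVAL_MS;
  for (let i = 0; i < maxPolls; i++) {
    const { status } = request();
    const plan = planNextPoll(status, delayMs);
    if (plan.action === "stop") return { delays, stoppedOn: status };
    delayMs = plan.delayMs;
    delays.push(delayMs);
    sleep(delayMs);
  }
  return { delays, stoppedOn: null };
}

// Constructed simulation: feed a fixed sequence of status codes and record the waits.
function simulate(statuses) {
  let i = 0;
  const request = () => ({ status: statuses[Math.min(i++, statuses.length - 1)] });
  const sleep = () => {};
  return runPoller(request, sleep, statuses.length);
}

if (typeof require !== "undefined" && require.main === module) {
  const result = simulate([200, 429, 429, 504, 200, 403]);
  console.log(result.delays.map((d) => `${d / 60000} min`).join(", "), "stopped on", result.stoppedOn);
}
```

With the sequence `[200, 429, 429, 504, 200, 403]` the schedule waits 30, 60, 120, 30 and 30 minutes and then stops on the 403, which is the point at which, in this thread, a key update was needed rather than more retries.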

BigThunderSR commented 5 months ago

@nilathedragon, it looks like we are several versions behind at this point, so could you please update the keys again? Thanks!

BigThunderSR commented 3 months ago

@nilathedragon, it looks like the current keys have expired, so could you please assist? Thanks!

evilpig commented 3 months ago

> @nilathedragon, it looks like the current keys have expired, so could you please assist? Thanks!

I was setting this up this morning and it worked like 3 hours ago and 2 hours ago stopped working with "Request Failed with status 400 - Bad Request". Not just me then?