thomasesmith / vw-car-net-api

Connecting to the VW Car-Net API with HTTP requests
https://carnet.vw.com/

How did you go about reverse engineering the API? #9

Open nmiodice opened 2 years ago

nmiodice commented 2 years ago

I might do some digging to extend this a little bit, but I'm curious how you figured all this out?

Talking mostly about the non-auth stuff, for example, honking horn, controlling charging and climate, etc...

Network tracing? Trial and error?

thomasesmith commented 2 years ago

I'm curious how you figured all this out?

If you put a MITM proxy between your own phone and its connection to the internet, you can break your phone's SSL temporarily and read the contents of any web requests that any app makes to its API. I used mitmproxy. This will work unless the app uses "SSL Pinning." But there are ways around that as well.

nmiodice commented 2 years ago

Any tips on working around what I believe to be SSL pinning on the current Car-Net app? I have mitmproxy set up but all the API calls to VW's backend are failing.

I'm on iOS if it matters. I wish there was a web version of the app that I could use devtools to inspect :/

thomasesmith commented 2 years ago

I defeated SSL pinning to make this document with mitmproxy and a jailbroken iPhone on which I could install KillSwitch to disable SSL entirely. If you have an extra iOS device lying around, I would recommend you don't do this on your daily driver. This page describes a process pretty close to mine: https://github.com/nabla-c0d3/ssl-kill-switch2/releases

dzielin commented 2 years ago

@nmiodice FYI the new app uses different API endpoints with a slightly different authentication setup. Things are mostly the same for getting the auth token / id token (with different client id, return url, etc.). From there it changes pretty dramatically, as most (if not all) of the endpoints are locked down. All the TSP stuff is different, and seems to be session-based in the new system.

By the way, the SSL pinning stuff is pretty tricky in the new app. Frida can be used to find-and-replace certain HPKP hashes at runtime to successfully use mitmproxy. None of the out-of-the-box SSL unpinning stuff worked for me. This cert pinning isn't the native Android pinning functionality, it's actually baked into okhttp3 which is being used by retrofit to make the API calls.

remylt commented 2 years ago

I think I need to re-flash my phone or whatever; either the application crashes or the bypass did not work (it detects that I'm rooted). Same with Frida (SSL pinning bypass + anti-root script). I've tested some other car brand apps and most did not have this problem (protection). Do you have any advice or solution? Thanks.

supleshg commented 1 year ago

Hi, really glad to come across this repository. I own a Volkswagen Atlas in California and I believe that VW America has different API endpoints. The APIs in this repository do not work with my car. I am using the myVW Android app.

I am really stuck on this SSL pinning. Could you guys please help me to find APIs for Volkswagen America? Really looking forward to hearing from you guys.