ubahnverleih / WoBike

Documentation of Bike Sharing APIs 🚴🛴🛵

VOI Scooters API authentication #250

Open alexl246 opened 2 years ago

alexl246 commented 2 years ago

I am going through the steps of accessing VOI data.

To gain a code you submit this body with the URL (the example body):

```json
{ "country_code": "DE", "phone_number": "176xxxxxxxx" }
```

I am from the UK and I cannot get it to submit; it returns 'parsing phone for given country failed':

```json
{ "country_code": "UK", "phone_number": "758xxxxxxx" }
```

I have tried lots of variations. When I use GB the call goes through, but I receive no text. I have just tested verifying my number on the actual VOI app and it works with UK +44.

Thanks

BastelPichi commented 1 year ago

I'll look into this (later)

BastelPichi commented 1 year ago

Hey, so I wasn't really able to replicate this. I used a temp phone number from here. Although the API changed a bit, this shouldn't happen.

Here's a complete Python script for the auth: https://gist.github.com/BastelPichi/b084aa5260331424735fadc3b8e1719d

I've deleted some accounts on the website above; all in the first row of UK should be fine. (Only use them for development please, I found an account with open debts lol)

BastelPichi commented 1 year ago

Does this fix your issue? If so, please close this issue.

tjespe commented 1 year ago

I think I am having the same issue. I have tried several different phone numbers, including both numbers that have active Voi accounts and numbers that do not. The request to https://api.voiapp.io/v1/auth/verify/phone is always successful, and I always get a token back, but I have not received any text messages. I have tried both my American and my Norwegian phone number, as well as temp phone numbers, but the same thing always happens.

BastelPichi commented 1 year ago

> I think I am having the same issue. I have tried several different phone numbers, including both numbers that have active Voi accounts and numbers that do not. The request to https://api.voiapp.io/v1/auth/verify/phone is always successful, and I always get a token back, but I have not received any text messages. I have tried both my American and my Norwegian phone number, as well as temp phone numbers, but the same thing always happens.

Have you tried my script with the temp SMS site provided? Many temp SMS sites are fake.

The app does exactly the same as my script does. I've validated this for multiple countries. Have you tried rechecking your number on the official app?

jhZzz021 commented 1 year ago

I have tried your script with the temp SMS site provided. I cannot get a token back. The output of the script shows errors about Too Many Requests or ErrNotParsablePhone. I have tried my own SW phone number. The request to https://api.voiapp.io/v1/auth/verify/phone is always successful, and I always get a token back, but I have not received any text messages.

BastelPichi commented 1 year ago

> I have tried your script with the temp SMS site provided. I cannot get a token back. The output of the script shows errors about Too Many Requests or ErrNotParsablePhone. I have tried my own SW phone number. The request to https://api.voiapp.io/v1/auth/verify/phone is always successful, and I always get a token back, but I have not received any text messages.

For me it works just fine. Are you accessing this from a DC IP?

jhZzz021 commented 1 year ago

Yes, I use the Chalmers campus network. I tried several times; however, I cannot get the text messages.

BastelPichi commented 1 year ago

> Chalmers campus network

Try from a home IP.

jhZzz021 commented 1 year ago

I have tried from my home IP, and I did not get the text messages.

BastelPichi commented 1 year ago

This is interesting. It's not working for me either, now. I'll update the script a little later.

LiquidEagle commented 1 year ago

Is this still not working? I've been trying and get the same issue. When I log in via the app I get an SMS message from "SinchVerify", which is different from the previous Swedish number that used to be sent.

Ifmon commented 1 year ago

You could potentially be interested in this official GBFS API rather than trying to use the app API: https://docs.voi.com/maas-light/ (I just found this link, I didn't go into more detail; probably it's only for partners)

BastelPichi commented 1 year ago

> You could potentially be interested in this official GBFS API rather than trying to use the app API: https://docs.voi.com/maas-light/ (I just found this link, I didn't go into more detail; probably it's only for partners)

I didn't know that existed.

I'm probably able to redo the doc today.

BastelPichi commented 1 year ago

So I added headers to the script: https://gist.github.com/BastelPichi/b084aa5260331424735fadc3b8e1719d

For me this made it work; however, I don't even know if it was broken before...

LiquidEagle commented 1 year ago

Sick, thank you. I managed to find a workaround by downloading pcapviewer and enabling TLS decryption to make a new account and get the tokens I needed. I did have to remove the certificate pinning that comes by default on the Voi app, but after that I could decrypt all requests from the app and successfully access the API.

BastelPichi commented 1 year ago

> Sick, thank you. I managed to find a workaround by downloading pcapviewer and enabling TLS decryption to make a new account and get the tokens I needed. I did have to remove the certificate pinning that comes by default on the Voi app, but after that I could decrypt all requests from the app and successfully access the API.

Small tip: use BrowserStack. Open it up in Chrome (Firefox/IE won't work), sign up for a free trial account, upload your APK. Start it on any Google device, and enable "Network Debugging" on the right side.

Bonus: devices are real, which allows you to use ARM images...

You can only use this for 2 minutes for each device, but that's usually enough, and is way easier than removing SSL pinning...

LiquidEagle commented 1 year ago

> Small tip: use BrowserStack. Open it up in Chrome (Firefox/IE won't work), sign up for a free trial account, upload your APK. Start it on any Google device, and enable "Network Debugging" on the right side.
>
> Bonus: devices are real, which allows you to use ARM images...
>
> You can only use this for 2 minutes for each device, but that's usually enough, and is way easier than removing SSL pinning...

Ah, okay. Thanks for this tip. I was considering downloading an Android emulator, but couldn't be asked tbh. I just used my Pixel phone. Never thought of searching for an emulator online. For the future I should use an emulator though, as I use Voi daily. (I own one of their long-term hire scooters in the UK as e-scooters are illegal, so I have 24/7 access to one. I started looking at how they work so I could try to increase the speed, but it's too risky as the scooter is linked to me.)

Ifmon commented 1 year ago

> I started looking at how they work so I could try to increase the speed, but it's too risky as the scooter is linked to me.

Anyway, I don't think you could find anything that would make your scooter go faster; it must be clamped on the scooter side, and the app only allows you to unlock it.

LiquidEagle commented 1 year ago

> Anyway, I don't think you could find anything that would make your scooter go faster; it must be clamped on the scooter side, and the app only allows you to unlock it.

It's all software based; all the Voi scooters use brushless motors, which can't be limited with 'speed limiting cables' and such, I think. You can actually change the speed from the app, and from looking at the API, it sends the speed name (Standard speed, Reduced Speed) when you request to unlock a scooter. It's 100% possible, as I received one from them that went around 16-18 mph (Ninebot default in the US, I think), but eventually the motor started giving me issues so I had to request a replacement. But I'm not sure if that was because of a mistake when installing the IoT device, or someone who previously hired it flashed the software. Either way, it's possible to increase the speed via software, but not through hardware (I've dismantled it and found jack). Here's the website for these scooters (ltr.voi.com).

Ifmon commented 1 year ago

From what you say, the speed values seem to be predefined by the API, so it may be difficult to change that.

With a little luck it is possible to actually flash the scooter. I know there are applications on Android, but most of the time these scooters have a slightly modified software version compared to "those of the general public".

P.S. I don't think this is the right place to talk about it, but I'd be happy to talk about it more.

LiquidEagle commented 1 year ago

> P.S. I don't think this is the right place to talk about it, but I'd be happy to talk about it more.

No worries, we can talk about it wherever. Just lmk.

BastelPichi commented 1 year ago

You can very easily increase the speed. All you need is a small Arduino and the right codes, but they are on the web.

Via the API, as far as I'm aware, they just have two tiers, normal and reduced, and the speed for those two gets evaluated depending on the country you are in.

You can also flash them; however, that will definitely void your warranty.

And by hardware means, you can always make it even faster by adding an extra battery; however, that requires not having any software limit in the first place.

If you want to talk: BastelPichi#2878

BastelPichi commented 11 months ago

So it appears Voi has implemented some kind of SHA256 signature for their v2 phone verification endpoint. The v1 doesn't appear to work anymore.

As the APK is heavily obfuscated, I'd recommend just getting your token via your phone/an online emulator.

BastelPichi commented 11 months ago

Here's a small video tutorial on how to use BrowserStack to obtain a token (I'm using a sponsored version; however, this is just as possible on the free tier).

https://github.com/ubahnverleih/WoBike/assets/63782569/e830af04-151d-4886-bf84-4b53d076c064

VanshAnakin commented 1 month ago

@BastelPichi The API headers have been changed and they are signing the requests. Have you tried to reverse engineer that? I'm working on that but currently stuck; if you could please help me out.

API for creating a new token:

```python
import requests
import uuid

url = "https://api.voiapp.io/v2/auth/verify/phone"

# Body is sent as a raw JSON string with a text/plain content type.
payload = "{\"country_code\":\"DE\",\"phone_number\":\"15213388863\"}"
headers = {
    'accept-encoding': 'gzip',
    'brand': 'google',
    'connection': 'Keep-Alive',
    'content-type': 'text/plain; charset=UTF-8',
    'host': 'api.voiapp.io',
    'manufacturer': 'Google',
    'model': 'Pixel 6a',
    'user-agent': 'okhttp/4.12.0',
    'x-app-name': 'Rider',
    'x-app-version': '3.244.0',
    'x-device-id': 'c28a6d63ff564f17',
    'x-locale': 'en',
    'x-os': 'Android',
    'x-os-version': '34',
    # Fresh id per request; the signature header below is a captured value.
    'x-request-id': str(uuid.uuid4()),
    'x-request-signature': 'C9937B6D466783DB8786C104AFBA373297FF851A091A92D5C2F623D1EDE7E482',
    'x-request-signature-version': 'v2'
}

response = requests.request("POST", url, headers=headers, data=payload)

print(response)
```

This is the current format, in which I think they are using HMAC (SHA-256 with a secret key).
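As an added example that is not code from this thread, from the WoBike project or from Voi, this shows how a request-signing scheme of the kind guessed at above (an HMAC-SHA256 over the request under a shared secret, carried in a header such as `x-request-signature`) is generally produced and, more importantly, how the server side checks it. The canonical string layout, the set of headers bound into the MAC, the secret and the sample body are all assumptions made for the example; the point is that a signature cannot be reproduced without the secret, that a modified body no longer verifies, and that reusing an `x-request-id` is refused as a replay. Header names are taken from the snippet above only as sample data.

```python
import hashlib
import hmac
import json
import secrets
import uuid

# Assumed shared secret for the example. It is NOT Voi's key; a real one
# would be provisioned to the app and to the API server out of band.
EXAMPLE_SECRET = b"example-shared-secret-not-a-real-key"

# Assumed endpoint path and the headers the scheme binds into the MAC, so
# that changing any of them invalidates the signature.
PATH = "/v2/auth/verify/phone"
SIGNED_HEADERS = ("x-app-version", "x-device-id", "x-request-id")


def canonical_string(method: str, path: str, headers: dict, body: bytes) -> bytes:
    """Assumed canonical form: method, path, bound headers, SHA-256 of body."""
    lines = [method.upper(), path]
    for name in SIGNED_HEADERS:
        lines.append(f"{name}:{headers.get(name, '')}")
    lines.append(hashlib.sha256(body).hexdigest())
    return "\n".join(lines).encode()


def sign_request(secret: bytes, method: str, path: str, headers: dict, body: bytes) -> str:
    """HMAC-SHA256 over the canonical string, upper-case hex like the captured header."""
    mac = hmac.new(secret, canonical_string(method, path, headers, body), hashlib.sha256)
    return mac.hexdigest().upper()


class Verifier:
    """Server-side check: recompute the MAC, compare in constant time, and
    reject any x-request-id seen before so a captured request cannot be replayed."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen_request_ids = set()

    def verify(self, method: str, path: str, headers: dict, body: bytes) -> bool:
        if headers.get("x-request-signature-version") != "v2":
            return False
        presented = headers.get("x-request-signature", "")
        if not presented.isascii():
            return False
        req_id = headers.get("x-request-id", "")
        if not req_id or req_id in self._seen_request_ids:
            return False
        expected = sign_request(self._secret, method, path, headers, body)
        if not hmac.compare_digest(expected, presented.upper()):
            return False
        self._seen_request_ids.add(req_id)
        return True


def build_signed_request(secret: bytes, body: dict) -> tuple:
    """Client side: serialise the body, attach a fresh request id, then sign."""
    raw = json.dumps(body, separators=(",", ":")).encode()
    headers = {
        "content-type": "text/plain; charset=UTF-8",
        "x-app-version": "3.244.0",          # sample value from the thread
        "x-device-id": "c28a6d63ff564f17",   # sample value from the thread
        "x-request-id": str(uuid.uuid4()),
        "x-request-signature-version": "v2",
    }
    headers["x-request-signature"] = sign_request(secret, "POST", PATH, headers, raw)
    return headers, raw


# Constructed sample body; the phone number is a placeholder, not a real one.
SAMPLE_BODY = {"country_code": "DE", "phone_number": "1760000000"}


def demo() -> dict:
    """Run the verifier against a valid request and three failure modes."""
    verifier = Verifier(EXAMPLE_SECRET)
    results = {}

    headers, raw = build_signed_request(EXAMPLE_SECRET, SAMPLE_BODY)
    results["valid"] = verifier.verify("POST", PATH, headers, raw)

    # Same request id presented again: refused even though the MAC matches.
    results["replay"] = verifier.verify("POST", PATH, headers, raw)

    # Fresh request id but body altered after signing: MAC no longer matches.
    tampered = {**headers, "x-request-id": str(uuid.uuid4())}
    results["tampered_body"] = verifier.verify("POST", PATH, tampered, raw.replace(b"DE", b"GB"))

    # A client that does not hold the secret cannot produce a valid MAC.
    wrong_headers, raw2 = build_signed_request(secrets.token_bytes(32), SAMPLE_BODY)
    results["wrong_secret"] = verifier.verify("POST", PATH, wrong_headers, raw2)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay set is kept in memory here; a real server would store seen ids with a short TTL and bind a timestamp into the canonical string so that the set stays bounded.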

BastelPichi commented 1 month ago

> @BastelPichi The API headers have been changed and they are signing the requests. Have you tried to reverse engineer that? I'm working on that but currently stuck; if you could please help me out.
>
> This is the current format, in which I think they are using HMAC (SHA-256 with a secret key).

Nope, I'm not spending any more time on this, at least for now. Check the message above; it's quite easy to obtain a token manually with BrowserStack. Is there any reason manual token generation doesn't work for you?