API changed to https://identity.vwgroup.io/signin-service/v1 #13
Comments
For a few days now, the message has changed when getting the token from https://msg.audi.de/fs-car/core/auth/v1/Audi/DE/token:
{
"error":"invalid_grant",
"error_description":
"Bitte überprüfen Sie Ihre eingegebenen Daten."
}
I've been getting the same. The last time it worked for me was the 9th August
On 16 Aug 2020, at 11:38, andig <notifications@github.com> wrote:
For a few days now, the message has changed when getting the token from https://msg.audi.de/fs-car/core/auth/v1/Audi/DE/token:
{
"error":"invalid_grant",
"error_description":
"Bitte überprüfen Sie Ihre eingegebenen Daten."
}
If anyone could use something like mitmproxy on Android that would help. The iOS Audi app uses certificate pinning which didn't allow me to debug any further.
The Android app also uses certificate pinning, you need to unpack the app, replace the certificate, pack the app and install it again.
Found this on a forum: {
@Mr-Staffman is there a link to the discussion, too? This looks like a JWT token?
I think it is taken from https://community.home-assistant.io/t/audi-mmi-support/46543/250
Ping @davidgiga1993 any news? I'd be happy to update the flow but would need input from the app side. Thanks!
Is this helping? I've seen and read about quite some similarities between VW and Audi. With regards to the server change, it seems even more similar at the time. This page is documenting the VW API: https://productdata.vwgroup.com/quick-start.html
We're lacking client credentials, id and secret. We also don't know any of the API endpoints. These are all pieces of the puzzle but not a solution :(
I tried to recompile the app with the CA from mitmproxy (as I did the last time) but apparently there are some other checks I can't seem to find at the moment. Also recompiling is a giant pain since they switched to Kotlin,
Here is some detail from the Audi website login. I couldn't find out yet where the JWT token comes from: Entering email:
Entering password:
I don't think this UI flow would help us much though.
I've been banging my head against this with recompiling the APK after attempting to stub out the pinning in the okhttp client but so far no luck. I did find the encrypted client Id and whatnot so I'll be attempting to see if I can decrypt those
@sandermvanvliet could you share client credentials, id and secret with cpuidle@gmx.de? I've also tried proxying the web application but no luck. It seems to use some type of embedded server component and does requests to localhost:port?
Once I have them I'll share them. As far as MITM'ing goes, I've tried with Fiddler but it seems to be doing HTTP
I've taken water over my head right here I believe. I've managed to recompile the app and set up a proxy, but can't figure out the certificate issues. It's using a pinned certificate? Doesn't manage to login with the proxy in place. And I don't know enough about HTTP traffic, JSON, tokens and IDs :-S
Doh: I've cut the website login flow now and it's a horrible endless chain of redirects.
I'm stumped... UPDATE Seems that A256GCM requires a shared key to decode (https://github.com/dvsekhvalnov/jose2go#verifying-decoding-and-decompressing-tokens).
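Added example, not code from this thread or from the project: a small Python inspector for the kind of token the comments above are looking at. It tells a signed JWS (three segments, payload readable but unverified) apart from an encrypted JWE (five segments, payload unreadable without the content-encryption key, which is exactly the A256GCM situation described). The two sample tokens are constructed for this example and carry placeholder signature and ciphertext bytes; they are not real credentials.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used in JOSE compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding a compact-serialization segment."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


# Constructed sample JWS: header.payload.signature (signature is a placeholder).
SAMPLE_JWS = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "demo-user", "exp": 1600000000}).encode()),
    _b64url(b"\x00" * 16),
])

# Constructed sample JWE: header.encrypted_key.iv.ciphertext.tag.
# With "alg": "dir" the encrypted-key segment is empty and the content is
# encrypted directly with a shared A256GCM key the client must already hold.
SAMPLE_JWE = ".".join([
    _b64url(json.dumps({"alg": "dir", "enc": "A256GCM"}).encode()),
    "",
    _b64url(b"\x11" * 12),
    _b64url(b"\x22" * 32),
    _b64url(b"\x33" * 16),
])


def inspect_token(token: str) -> dict:
    """Classify a compact-serialized JOSE token and decode what is readable.

    Returns a dict with 'kind' ('JWS' or 'JWE') and the protected header.
    For a JWS the payload is decoded but flagged as unverified, since no
    signature check is performed here. For a JWE the payload is reported as
    unreadable rather than guessed at: without the content-encryption key
    there is nothing to decode.
    """
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 3:
        payload = json.loads(_b64url_decode(parts[1]))
        return {
            "kind": "JWS",
            "header": header,
            "payload": payload,
            "signature_verified": False,
        }
    if len(parts) == 5:
        return {
            "kind": "JWE",
            "header": header,
            "readable": False,
            "note": (f"payload encrypted with {header.get('enc')}; "
                     f"key management: {header.get('alg')}"),
        }
    raise ValueError(f"unexpected number of segments: {len(parts)}")


if __name__ == "__main__":
    for sample in (SAMPLE_JWS, SAMPLE_JWE):
        print(json.dumps(inspect_token(sample), indent=2))
```

Running the block prints the decoded header of each sample; the useful habit it encodes is to read `alg` and `enc` from the header first, so time is not spent trying to base64-decode a segment that is ciphertext.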
I've got a gist ready that can decrypt the values out of
@sandermvanvliet the
Nope that's from the decompiled sources.
One of the (intermediate) keys I'm receiving looks like
The actual content api seems to have changed to an ugly json-based query language:
{
  "query": "\n query ($id: String!, $country: String!, $language: String!, $requestId: String!) {\n vehicleStatusReportWithWarnings (id: $id, country: $country, language: $language, requestId: $requestId){\n vin\n vehicleType\n lastUpdated\n engines {\n type\n range {\n value\n unit\n }\n filling {\n value\n unit\n }\n adBlueRange {\n value\n unit\n }\n electric {\n chargingState\n chargingTime\n }\n }\n totalRange {\n value\n unit\n }\n mileage {\n value\n unit\n }\n oilLevel {\n value\n unit\n }\n service {\n oilChange {\n time {\n value\n unit\n }\n distance {\n value\n unit\n }\n }\n inspection {\n time {\n value\n unit\n }\n distance {\n value\n unit\n }\n }\n }\n messages {\n key\n value\n }\n vsrWarnings {\n textId\n pictureId\n timestamp\n }\n stoWarnings {\n eventId\n txtId\n picId\n criticality\n timeOfOccurence\n }\n }\n }\n ",
  "variables": {
    "country": "DE",
    "id": "VmVo...",
    "language": "de",
    "requestId": "86931324"
  }
}
The id in this case is base64-encoded. The request uses
...but apparently no auth token.
Supposedly the client id for the IDK endpoint should be
Ok it turns out that this is a key to a keychain in the app. Digging further
Ok so I've finally gotten past the certificate pinning. I'll trace the logon stuff tomorrow, I'm getting there 👍
Nice! Would you mind sharing the apk somewhere?
I've created a postman collection that has the full authentication flow working. You can find it here One thing I noticed is that at step 7 it sometimes already returns the callback URI for the app as I noticed that the authentication flow is pretty similar to the one on the myAudi website (should have known while looking at the Interestingly this matches the VW app really closely so that should make some other folks happy I think.
Note: in step 2 the order of the query parameters seems to matter, so no way of doing this nicely :(.
sorry people, ashes on my head!
hello everyone, me again. window._IDK = { hmac, crsf and relaystate are also included here.
It is. The same fields are still used, it's just that VW builds the page dynamically now.
I've adjusted that now, but get a 404 error despite the same fields.
Works now. email was still missing in the form_data
So what fix did you apply to make it work again?
The form_tag containing the hidden input elements for _crsf, relaystate and hmac has been removed.
What about a code change? If you have an updated version of audi_services.py, it would be much appreciated if you can share it and/or create a PR so everyone can benefit from the update.
I use my own implementation, but the change to services.py should look like this: with:
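Added example, not the project's own audi_services.py and not the code elided from the comment above: a Python helper for the change these comments describe, where the csrf, relayState and hmac values moved from hidden `<input>` elements into a `window._IDK` object built into the page, and the password POST then failed until `email` was included as well. Both sample pages are constructed for this example, the key layout inside `_IDK` and the form field names (`_csrf`, `relayState`, `hmac`, `email`) are assumptions, and nothing here is a capture of a real sign-in service.

```python
import json
from html.parser import HTMLParser

# Constructed sample: the older layout, with state in hidden inputs.
OLD_STYLE_HTML = """
<form id="emailPasswordForm" action="/login/authenticate" method="POST">
  <input type="hidden" name="_csrf" value="csrf-token-123">
  <input type="hidden" name="relayState" value="relay-abc">
  <input type="hidden" name="hmac" value="hmac-xyz">
  <input type="hidden" name="email" value="user@example.com">
  <input type="password" name="password">
</form>
"""

# Constructed sample: the same values embedded in a window._IDK object.
# The key names inside the object are an assumption made for this example.
NEW_STYLE_HTML = """
<script>
  window._IDK = {
    "csrf_token": "csrf-token-123",
    "templateModel": {"relayState": "relay-abc", "hmac": "hmac-xyz"},
    "email": "user@example.com"
  };
</script>
<form id="emailPasswordForm" action="/login/authenticate" method="POST">
  <input type="password" name="password">
</form>
"""

# Form fields the password step needs; names assumed for this example.
REQUIRED_FIELDS = ("_csrf", "relayState", "hmac", "email")


class HiddenInputParser(HTMLParser):
    """Collects name -> value for every hidden <input> on the page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_idk_object(html: str) -> dict:
    """Return the object assigned to window._IDK, or {} if the page has none.

    Matches braces forward from the assignment so nested objects survive;
    assumes the literal is valid JSON and contains no brace inside a string.
    """
    start = html.find("window._IDK")
    if start < 0:
        return {}
    start = html.find("{", start)
    depth = 0
    for i in range(start, len(html)):
        if html[i] == "{":
            depth += 1
        elif html[i] == "}":
            depth -= 1
            if depth == 0:
                return json.loads(html[start:i + 1])
    raise ValueError("unterminated window._IDK object")


def extract_login_fields(html: str) -> dict:
    """Merge hidden-input fields with values taken from window._IDK.

    Hidden inputs win when both exist, so a page that still ships the old
    form keeps working unchanged.
    """
    parser = HiddenInputParser()
    parser.feed(html)
    fields = dict(parser.fields)
    idk = extract_idk_object(html)
    model = idk.get("templateModel", {})
    # _IDK key -> form field name (assumed layout, see the sample above).
    candidates = {
        "_csrf": idk.get("csrf_token"),
        "relayState": model.get("relayState"),
        "hmac": model.get("hmac"),
        "email": idk.get("email"),
    }
    for name, value in candidates.items():
        if value is not None and name not in fields:
            fields[name] = value
    return fields


def build_password_form(html: str, password: str) -> dict:
    """Assemble the POST body for the password step, failing loudly rather
    than sending a half-built form when a required field is missing."""
    fields = extract_login_fields(html)
    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    if missing:
        raise ValueError(f"sign-in page is missing form fields: {missing}")
    body = {name: fields[name] for name in REQUIRED_FIELDS}
    body["password"] = password
    return body


if __name__ == "__main__":
    for page in (OLD_STYLE_HTML, NEW_STYLE_HTML):
        print(build_password_form(page, "example-password"))
```

The explicit missing-field check is the part worth keeping whatever the real page layout turns out to be: a 404 or a generic "please check your data" response from the server says far less than a local error naming the field that was never found.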
hi, it's been a year again and how could it be otherwise, Audi has once again changed something in its login logic. Since 12 o'clock today I've been getting the error message no healthy upstream - 503 when loading the clientid via https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/register/v1. can anyone else understand this?
I just see the bigger problem is https://app-api.live-my.audi.com/azs/v1/token -> Unknown endpoint - 404
Currently, I can see a http 503 on Android and myAudi 4.13.0: Same on my PC when I try to access Audi with the Python implementation.
Login process of evcc.io works fine. I'm not registering an additional id though.
yes, exactly. but the clientid url is not the problem. the azs token url is no longer accessible: the url retrieves the access_token with scope: fal
Similar for evcc- using aazsproxy.
I don't need the urls 1 and 2. url 3 is the configuration. I know 4 to 9. the url 10 used to be https://app-api.my.audi.com/myaudiappidk/v1/token, I no longer need it. url 12 is for retrieving the clientid. I loaded the tokens from url 11 https://aazsproxy-service.apps.emea.vwapps.io/token. Or how does the basic logic work for you?
Hi @LionelJeans
OK thank you! I will look at it.
Btw, I've created a PR that contains the latest secrets from app version 4.13.0.
Ok great. Where can I find the homeassistant referenced in audi_account.py?
Hello and Merry Christmas.
Hello, now the audi_connect interface has an error in audi_services.py>login_request at the point "forward1 after pwd": in the response of the password hmac request, the host no longer seems to be returned.
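Added example, not the project's login_request and not a capture of the real flow: a Python redirect follower for the situation in the comment above, where a step in the chain answers with a Location header that carries no host. An HTTP client has to resolve that against the URL it just requested, which `urllib.parse.urljoin` does for path-only, host-less and scheme-less forms alike. The chain below is constructed for this example (hosts, paths and the `myapp://` callback scheme are all placeholders), and the fetch function is a lookup table standing in for a real GET.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed redirect chain: request URL -> (status, Location header).
# Anything not listed answers 200. The second hop returns a host-less
# Location, which must be resolved against the URL that produced it.
FAKE_CHAIN = {
    "https://idp.example.com/signin/authenticate":
        (303, "/signin/forward1?rs=abc"),
    "https://idp.example.com/signin/forward1?rs=abc":
        (302, "//app.example.com/callback?code=xyz"),
    "https://app.example.com/callback?code=xyz":
        (302, "myapp://oauth?code=xyz"),
}

# Constructed chain that never terminates, to exercise the hop limit.
FAKE_LOOP = {
    "https://idp.example.com/a": (302, "/b"),
    "https://idp.example.com/b": (302, "/a"),
}


def make_fetch(table):
    """Build a stand-in for an HTTP GET that consults a lookup table."""
    def fetch(url):
        return table.get(url, (200, None))
    return fetch


def follow_redirects(start, fetch, allowed_hosts, max_hops=10):
    """Follow a redirect chain by hand, as a login client has to.

    Returns (final_url, hops). A relative or host-less Location is resolved
    against the URL that produced it. A redirect to a non-http(s) scheme
    (the app's own callback URI) ends the chain and is returned unfetched.
    Hosts outside allowed_hosts are refused so cookies and authorization
    codes are never carried to an origin the client did not expect.
    """
    url = start
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_STATUSES or not location:
            return url, hops
        nxt = urljoin(url, location)
        parts = urlsplit(nxt)
        if parts.scheme not in ("http", "https"):
            return nxt, hops
        if parts.hostname not in allowed_hosts:
            raise ValueError(f"refusing redirect to unexpected host {parts.hostname}")
        url = nxt
    raise RuntimeError(f"more than {max_hops} redirects starting at {start}")


if __name__ == "__main__":
    final, hops = follow_redirects(
        "https://idp.example.com/signin/authenticate",
        make_fetch(FAKE_CHAIN),
        allowed_hosts={"idp.example.com", "app.example.com"},
    )
    for url, status in hops:
        print(status, url)
    print("callback:", final)
```

Following redirects manually instead of letting the HTTP library do it is what makes the host check and the hop limit possible; the library's automatic behaviour would also drop the custom-scheme callback as unreachable instead of handing it back.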
Are you sure it's not just updated ToS?
For example, I am not seeing any new terms of use displayed in the myAudi app.
where would the ToS be confirmed?
ok, found it. Thanks.
After receiving errors for some time I've noticed that, when logging into my.audi.com, the sign-in flow now uses https://identity.vwgroup.io/signin-service/v1. Can anyone confirm if the app is doing the same and help reworking the login?