[EU] Login fails: "Invalid request body - Invalid parameter."

[zulufoxtrot]

• Hyundai / Kia Connect version: 3.3.7
• Python version: 3.9.17
• Operating System: Linux

Description

Error at login:

Traceback (most recent call last):
  File "/root/kia-hyundai-tracker/VehicleClient.py", line 251, in loop
    self.vm.check_and_refresh_token()
  File "/root/kia-hyundai-tracker/venv/lib/python3.9/site-packages/hyundai_kia_connect_api/VehicleManager.py", line 120, in check_and_refresh_token
    self.initialize()
  File "/root/kia-hyundai-tracker/venv/lib/python3.9/site-packages/hyundai_kia_connect_api/VehicleManager.py", line 64, in initialize
    self.token: Token = self.api.login(self.username, self.password)
  File "/root/kia-hyundai-tracker/venv/lib/python3.9/site-packages/hyundai_kia_connect_api/KiaUvoApiEU.py", line 198, in login
    device_id = self._get_device_id(stamp)
  File "/root/kia-hyundai-tracker/venv/lib/python3.9/site-packages/hyundai_kia_connect_api/KiaUvoApiEU.py", line 1104, in _get_device_id
    _check_response_for_errors(response)
  File "/root/kia-hyundai-tracker/venv/lib/python3.9/site-packages/hyundai_kia_connect_api/KiaUvoApiEU.py", line 110, in _check_response_for_errors
    raise APIError(f"Server returned: '{response['resMsg']}'")
hyundai_kia_connect_api.exceptions.APIError: Server returned: 'Invalid request body - Invalid parameter.'

The native mobile app still works: tested logout -> login -> force refresh.

[fuatakgun]

I am having the similar issue but different error, will check further.

get_cached_vehicle_status response: {'retCode': 'F', 'resCode': '4017', 'resMsg': 'Invalid request value - Invalid Application Id.','msgId': '5a66ce31-4d76-4e77-bc63-ca646d0302d9'}

If I initiate the login flow, I am getting the same error.

hyundai_kia_connect_api.exceptions.APIError: Server returned: 'Invalid request body - Invalid parameter.'

[dcaplopu]

Hi.

Hi have similar issue but I can not login in the mobile app neither (it says "Network error").

EU user.

[micro521]

I have the same error with fault code below:

Unexpected error fetching kia_uvo data: Server returned: 'Invalid request body - Invalid parameter.'

EU user as well. Everything is on the latest version.

[Maaxion]

If you have the same error, please just tag the original issue with a reaction. Replying I have the same issue just clutters the actual discussion around resolvng the issue. This makes it harder and take longer to fix the actual problem.

[coditmarc]

I had to switch to the Kia Connect app on my (Android) phone since the UVO Connect app seems to be no longer working.

EU User

[coditmarc]

I had to switch to the Kia Connect app on my (Android) phone since the UVO Connect app seems to be no longer working.

EU User

Just got the confirmation from KIA Netherlands that the UVO app should be replaced by the "KIA Connect" app and this probably means that the API used needs to change (for the EU?).

[fuatakgun]

Please let's keep the comment stream clean as much as possible so in case something important pops up, we don't miss it.

I am working on this and trying to figure out what has changed in the login flow.

Also checking other repositories if they have a solution in place.

Me too style comments are not helpful, while i understand the frustration here, let's be patient.

[ZuinigeRijder]

I have sniffed the login call and this is currently send:

POST /api/v1/spa/notifications/register HTTP/1.1
Host: prd.eu-ccapi.hyundai.com:8080
Authorization: 
Ccsp-Device-Id: 
Ccsp-Service-Id: 6d477c38-3ca4-4cf3-9557-2a1929a94654
Offset: 2
Ccsp-Application-Id: 014d2225-8495-4735-812d-2616334fd15d
Stamp: dGpcIp3dP0dLfkNRU........n3rTaiKUOSDEgtA=
Ccuccs2protocolsupport: 0
Content-Type: application/json; charset=UTF-8
Content-Length: 242
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.12.12
Connection: close

{"pushType":"GCM","pushRegId":"er0DIxzJSXyEBT1qV2CgNm:APA91bHW......a4DrJybqqJ8tVgiZ6HnZCizq0MM3v1kqgjVzlWML1sUudd56m5Ikpw54wEmKEVcsg2ZEs62q5nkWZXNZp2BKLheAD8qXgwTnHQR4FiyJio_aOOaRQjTmVwMwC_","uuid":"a2563e13-2696-42a3-b8a9-7fcfc041dbb4"}

I notice the following differences:

USER_AGENT_OK_HTTP: str = "okhttp/3.12.0" so not okhttp/3.12.12
pushRegId is 1 in our codebase
Connection is Keep-Alive in our code base
In our codebase there is no header Ccsp-Device-Id:
In our codebase there is no header Offset
In our codebase we generate a random uuid
In the example I added ..... to Stamp and pushRegId

Not sure if this can help, but maybe the missing/changed pieces are mandatory?

[cdnninja]

Following along on the bluelinky side. App ID has changed and this may impact the stamps. I have a draft PR created but until the stamps are also updated in the repo it errors. So far we only have one of the new app IDs. @ZuinigeRijder are you in the discord for bluelinky?

[cdnninja]

PRs are into the stamp repo and here. It am hearing good things about this potentially working but until merged I can't confirm.

[ZuinigeRijder]

Following along on the bluelinky side. App ID has changed and this may impact the stamps. I have a draft PR created but until the stamps are also updated in the repo it errors. So far we only have one of the new app IDs. @ZuinigeRijder are you in the discord for bluelinky?

No, I am not on discord bluelinky. I have a discord account, zuinigerijder. In the PR I see that only the AppId of Kia is known and not for Hyundai yet. How did they find the AppId for Kia? Did the decode the App? Or looked at the API calls?

[cdnninja]

Other one is known in chat just no pr for it yet.

[PierreLevres]

Invalid request body is caused by CGM in notify call. When changed to APNS it probably works.

[fuatakgun]

@ZuinigeRijder are you sniffing this on android or ios? I am having issues on android sniffing (ssl pinning on the app side) and I do not have access to a mac to use emulator. If it is android, can you share me how you are doing it now?

[ZuinigeRijder]

@fuatakgun I sniff using NoxPlayer emulator on Windows 10 and Android phone emulating Samsung Galaxy S8.

How to sniff

For the ones who also want to be able to sniff the calls from the App, this is how I did it (do it at your own risk):

• Installed NoxPlayer emulator in Windows 10 and emulate Android 5
• Installed Burp Suite Community Edition on Windows 10
• Then followed this guide without installing Bluelink App yet: Android App Traffic Decryption using Nox Player - Windows Guide
• Disabled Root (because Bluelink App will not work on rooted device) and proxy in Android emulator, installed Bluelink App and login with my credentials
• Enabled proxy and opened Bluelink App and in the Burp Suite the decoded https requests/responses were available

[fuatakgun]

thanks for sharing, can you share the stamp you have used (it is supposed to safe as we all are using the shared stamps earlier)

[ZuinigeRijder]

@fuatakgun

Stamp: dGpcIp3dP0dLfkNRUItk/sCdmouaEMW4JAlLv76lGxrWLqMbn3rTaiKUPyLFgtk=

So this is Bluelink, not Kia.

Interesting is, that the AppId is still the same:

Ccsp-Application-Id: 014d2225-8495-4735-812d-2616334fd15d

[fuatakgun]

stamp format seems to be inline with what we are generating... interesting, I will keep here updated

[ZuinigeRijder]

I have it working, when I fill in the pushRegId from the sniffing.
In the code base, the following is in the KiaUvoApiEU.py:

line 1083:     registration_id = 1

If I change this into:

registration_id = "er0DIxzJSXyEBT1qV2CgNm:APA91bHWKa9uBfYk4.....JybqqJ8tVgiZ6HnZCizq0MM3v1kqgjVzlWML1sUudd56m5Ikpw54wEmKEVcsg2ZEs62q5nkWZXNZp2BKLheAD8qXgwTnHQR4FiyJio_aOOaRQjTmVwMwC_"

Then the calls are working!

I have added .... to registration_id, because I do not know if this is specific for my account or not.

[fuatakgun]

agreed, it is specific to your account, so they are needing for a specific registration id for push notification probabaly, let me double check

[fuatakgun]

registration id is specific to your device and app installation, so google push is targeting that specific instance to send the push notifications.

interestingly, bluelinky is using valid registration IDs and still failing on the login flow.

https://github.com/Hacksore/bluelinky/blob/4a13160d31cb67a877b5b9303720d8f056806ebf/src/controllers/european.controller.ts#L208

[fuatakgun]

Invalid request body is caused by CGM in notify call. When changed to APNS it probably works.

GCM vs APNS is about google and apple push notifications system

[ZuinigeRijder]

registration id is specific to your device and app installation, so google push is targeting that specific instance to send the push notifications.

interestingly, bluelinky is using valid registration IDs and still failing on the login flow.

https://github.com/Hacksore/bluelinky/blob/4a13160d31cb67a877b5b9303720d8f056806ebf/src/controllers/european.controller.ts#L208

The only thing I did is changing the pushRegId to the value I am sniffing, the rest of the source code is the same. In combination with the recently adapted GET /neoPix/bluelinky-stamps/master/hyundai-014d2225-8495-4735-812d-2616334fd15d.v2.json call, it works now for me.

Are you sure "credentials.gcm.token" (I assume the credentials are stored in GIT somehow) is exactly what needs to be provided by pushRegId? Or are there double quotes missing?
Is it working when the pushRegId is hardcoded, instead of getting via a API call?

[fuatakgun]

this ID is assigned by google servers to each device/app installation combination and many brands and services are using google services to send push notifications using these IDs. So, under bluelinks using credentials.gcm.token, actual ID is being used after it was received by google servers. So, it is not static or fixed.

[ZuinigeRijder]

I just wanted to make sure that the call:

const credentials = await pr.register(this.environment.GCMSenderID);

and thereafter:

pushRegId: credentials.gcm.token

Gives the same value as is send in what what can be sniffed in the Bluelink App. So therefore I asked to try if hardcoding this value instead of getting it programmatically will be correct. Especially, because previously the pushRegId: 1 was working (don't care).

As far as I can see the bluelinky source code has a constant GCMSenderId, so maybe the GCMSenderID has been changed? At least I suspect the result of the code can be that the pushRegId is not what is expected.

GCMSenderID: '414998006775'

[osorojo92]

Hello,
I have this error ("Invalid request body - Invalid parameter.") on HomeAssistant.
Some ideas to solve it on HA?
Thanks you

[ZuinigeRijder]

Update on the problem resolution.

The hyundai_kia_connect_api stopped working for EU. Both for Kia and Hyundai, since 29 June 2023.
A fix is found for EU Hyundai, the Hyundai Bluelink server appeared to have a stricter check on pushRegId.

I can confirm that v3.3.8 fixes the problem for EU Hyundai. My monitor tool works in combination with v3.3.8. Also Home Assistant is reported to work again with this fix for EU Hyundai.

For EU Kia the problem is NOT fixed yet and there is worked on by @cdnninja and others. There needs at least a new AppId and stamp generation to be made for EU Kia.

[faipassa]

I confirm this works again with 3.3.8 patch. Thanks a lot for your prompt action :-)
Greetings from France.

[zulufoxtrot]

Release 3.3.10 fixes Kia (Hyundai was already fixed by 3.3.8). Thanks to everyone involved!

[ZuinigeRijder]

The solution for EU Kia invalidates the EU Hyundai solution. See this issue: #354

[zulufoxtrot]

Should be fixed by release 3.3.11.