All Requests are Failing with "Request Failed with status 400 - Bad Request" Even with Updated Key #233
Comments
Why are they SOOO upset that we can interface with their API faster than the terrible MyGMC/Chevrolet app? The apps are so incredibly slow; it is so much faster to bring it all in to Home Assistant and use that for remote starting and such. We seem to lose access to the API every couple of weeks though. This really sucks. Do we know if this is them shutting us out of the API or simply them changing it? I believe the API is not officially documented or open and this was all reverse engineered, right? |
I started doing the Home Assistant > Node-RED implementation myself because of GM dropping support for Google Home (big thanks BigThunderSR, by the way). The least they can do is not be insufferable about their API access when their own web developers can't code their website to unhide authenticator elements properly. |
I also like the API being faster, but it's so much more than that. Integrating into Home Assistant lets me issue a warning if we arm the security system at night while the car is still plugged in (don't want it to catch fire while we're asleep) or early in the morning if I forgot to charge it. It sends me an email to put air in the tires if needed. I'm on my second Bolt, but if GM doesn't want me to use the API, I will switch to a different brand when my lease is up in a couple of months. |
@joelvandal @coelho I know you two were a big help with the last big issue we had, anything you guys would be able to take a look at? |
Are "appId" and "appSecret" in src/onStarAppConfig.json something we should be making unique in every deployment of this library, like device UUIDs? Is it possible that all these unique instances are showing up as one "device" and that's what's causing it to get blocked (due to the total number and frequency of requests)? I ask not being too familiar with how the reverse engineering works. My only other question is, what if we ask GM directly? Or is there enough trepidation that they would outright deny this by making it harder for the API requests to function? https://www.onstar.com/business-solutions/api-data-services |
@BigThunderSR: I think that #232 was updated earlier today (Monday, 10/2/23) with another new key pair. Have you been able to test if that gets it working again? |
I tried it earlier today even though I knew it wouldn't work either and it did not work as expected. We need @samrum and others to figure out what changed in the API and make the necessary modifications to OnStarJS to make things work again. Thanks. |
Bummer!
Thanks for trying!
…-Brett
|
Yeah, I can't even get the normal app to work on Genymotion before I add anything else to the "device". Any help would be appreciated. |
Flespi.com seems to have a [Changelog] general-motors-onstar protocol. The last entry there (from 4 days ago) says:
That probably does indicate/confirm that there was a recent change to the OnStar API. Those items seem to only relate to getting location, not the authentication call. But maybe it is at least some clue. |
I think the reason for the 400 / bad_application is that they now require the X-Firebase-AppCheck header on the auth endpoints for the request to go through. The value for that header comes from that thing: |
I'm working on getting an Android device to root. I am an iOS person myself, so I did not have any on hand. I should have one tonight/tomorrow to be able to test. |
I don't think it's all about the Google App Check blocking us. GM does offer partner API access for fleets. I've reached out to their business fleet API people and asked if there is any free API access included for personal use with our OnStar membership. We'll see if they reply. I seem to recall applying for GM API access before and never hearing back. |
The thing is this project uses (sort of) public client credentials from their Android app; fleet customers will have their own credentials that come with their own rules applied to them. I have tried and I know that passing a valid App Check token in that Firebase header will make the token request work again. My guess is that GM saw that people were using this reverse engineered API for free and they looked for a quick way to put an end to that by adding App Check. I guess that's also why it's only on the token endpoint. No token, no service. |
That is the pits. It's such a small subset of users you'd really think it shouldn't be a big deal to them. I'm sure what they are worried about is someone making money off it. What would be nice is if we could get our own private set of client credentials we could use based off our OnStar subscription. That way it would be unique for each of us, they wouldn't have to worry, and we'd have our own private API access. I can't see them making a code change like that out of the kindness of their hearts for such a small subset of users though. |
Just spitballing here, I was able to sign up for the GM developers site for making in vehicle apps, I wonder if we can get a client ID for access to the API by "designing" an in vehicle app? I've requested commercial API access through there as well now, I won't be holding my breath though. |
Thanks much @nilathedragon, #234 has fixed the issue (until OnStar finds another way to block us out again)!!! |
@nilathedragon Just for future issues that may arise, how did you go about the SSL Pinning to grab the request credentials for iOS? |
I do all my iOS work using Frida and Objection. You are able to get around their SSL pinning easily using one of the publicly available Frida scripts. I chose a different route though: I hooked the system's cryptography APIs and caught the credentials there. Once again, there are publicly available Frida scripts for this too :) |
Thanks @nilathedragon ! |
Thank you @nilathedragon !! Good job! I can confirm, I recreated my containers and re-pulled with bigthundersr/onstar2mqtt:latest and all is right in the world again. Hopefully one day GM will let us get access to our own personal client ID for personal use and we can do this officially. |
Also back in business. Thanks everyone, happy again 👍👍 |
@nilathedragon, could you please see if there is a new key available? The issue is back again this morning, but this time as a 403 - Forbidden. Thanks! |
As far as I can see, there was no update to the iOS app. Last updated Oct. 2nd, so they must flag something else. I will look into it. |
@metheos Thanks, I've started a rewrite based on all your code to work as a web service, ex.
etc... Work in progress, but I will send all infos ASAP. |
Hi @metheos, I wanted to let you know that I’ve made a fork of your repository and created a new branch, webservice, which focuses on adapting the project into a web service. Here's the link: https://github.com/joelvandal/node-oauth2-gm/tree/webservice In this implementation: The authentication process has been split into two distinct steps:
I plan to rewrite certain parts of the process to retain additional information from the authentication response for subsequent usage, rather than directly passing it to the MFA endpoint. I appreciate the work you've done in the original project and hope this adaptation proves useful. Feel free to reach out if you have any questions or suggestions! |
@joelvandal, is there any way you can make similar changes in OnStarJS as well? Thanks. |
@BigThunderSR Let me continue to work on the proof of concept (thanks again @metheos) and will eventually check if it possible to implement this logic on OnStarJS. |
@joelvandal, are you getting any diagnostics from the code that @metheos provided? I've tried multiple times and it just sits here (after previously completing the MFA step):
|
@BigThunderSR that's all it does, just the initial request to prove that the authentication token is good. |
I'm working on this part; right now I can retrieve diagnostics data.
|
All work :) I can start/stop the vehicle, lock/unlock (door and trunk), location, etc. I need to do more cleanup and check how this can be integrated in OnStarJS. For now this version (based on original code from metheos) is a standalone / replacement solution for OnStarJS. https://github.com/joelvandal/node-oauth2-gm/tree/webservice |
I have a 100% working version available on : https://github.com/joelvandal/node-oauth2-gm Most, if not all commands are implemented. |
Nice work @joelvandal ! |
Now I need to figure out how to retrieve the list of vehicles, since we need to pass the VIN to the getGMAPIToken function. Normally it's a request to https://na-mobile-api.gm.com/api/v1/account/vehicles ... |
I found how... sorry :) Must clean some functions :) Now I think I have all infos I need :) |
You should only need the VIN when sending commands, it's not needed to get the GM API Token.
|
I had posed a question to @BigThunderSR in his own repo for the Node-RED project to prevent off-topic clutter; however, it rounds back anyway. BigThunderSR/node-red-contrib-onstar2#271 What's the feasibility of modifying both code bases here to either pipe the new auth method into OnStarJS or to reconfigure the new code base to make the functions, file names, and endpoints similar enough that existing projects leveraging OnStarJS don't need to go through complete rewrites? Apologies if this is already being considered and/or actively being worked on. |
pardon my ignorance, this sounds great above, is this something that can/will flow down to things like homebridge-onstar? I appreciate all of you devs and your work with this! |
Thank you so much guys for your effort in making this work! Would it be possible for someone to send me a code snippet on how to use this? Because when I try to run it with [email protected], I'm getting a 400 Bad Request when fetching "https://na-mobile-api.gm.com/sec/authz/v3/oauth/token" |
I just realized we can make the authentication fully hands-off if we use the 3rd party authenticator option for MFA! I'll test this out later today, but I can't see why it wouldn't work. This feels like the way forward for automated implementations like homeassistant, etc. |
Let me know :) I'm doing some tests also on MFA, ex. using Phone (SMS) and TOTP. About TOTP, the mfaRequestURL looks like: We can detect the MFA method from the response payload.
|
Updated my test code to use TOTP.
|
@evilpig Try to log in with https://my.gm.ca ... I see 3rd party authentication |
One thing of note, my Canadian GM account doesn't seem to support an Authenticator App unfortunately.
Ah, I see it in Desktop mode and on my PC. Something seems to be very wrong with the GM Portal. I was able to disable email 2FA. But when I click on Authenticator to start the process, it directs me to https://accounts.gm.com/delete/review?error=redirect_uri_mismatch&error_description=AADB2C90006%3a+The+redirect+URI+%27https%3a%2f%2fwww.gmccanada.ca%2fen%2fmyaccount%2fsecurity%27+provided+in+the+request+is+not+registered+for+the+client+id+.... redacted part of the url. Then it redirects me to www.cadillac.com. Very strange. Just figured I'd share! Thanks for all the work everyone is doing to get this going again. |
Just confirming that it was not available for me on mobile but WAS available on desktop (once email 2FA was disabled) |
Maybe not the best time to test :) GM looks to be doing crap things on the server... I'm now redirected to cadillac.com ... my.gm.com redirects to http://..com etc... LOL |
@joelvandal Hi, firstly, thank you for all your hard work. When I make the POST to /auth with my email and password, I get a 200 response and a success message, but when looking at the Node terminal, it looks like axios received a 500 error from the GM endpoint; is that normal? As I work through the chain of POST calls, I also see another axios 500 error when submitting my MFA code, and finally when I POST to /vehicles, I get a 404 response and the message says "Tokens not found", so even though I am receiving success messages back from the Node endpoints, it doesn't look like the communication with the GM API is successful. Any tips? EDIT: I am testing this to see if it is possible to integrate 2fauth and retrieve the MFA code automatically behind the scenes and supply it to the API. |
@mdezzi If you got a 500 error, it's probably because your MFA is not set to Email? I'm currently checking to implement SMS and OTP methods. |
@joelvandal Ahh, sorry I skimmed through this thread and thought the OTP method was implemented already. I switched back to email and it looks to be working correctly. I'll keep monitoring to see if you're able to implement OTP, my ideal flow would be to stand this up on its own in a docker container alongside 2fauth. Then, theoretically, i could use Node-Red/Home Assistant to grab the OTP from 2fauth api, and submit during the authentication automatically. Really excited about this, thanks again and thanks @metheos for your hard work too. |
All requests are failing with "Request Failed with status 400 - Bad Request". Updated key in #232 does not seem to make a difference.