argrento/huami-token

Unauthorized error for AGPS download

lacek opened this issue · 11 comments

lacek commented

Version: 6efae23

$ python huami_token.py -m xiaomi -g
Getting access token with xiaomi login method...
Copy this URL to web-browser

https://account.xiaomi.com/oauth2/authorize?skip_confirm=false&client_id=xxxxxxxxxxxxxxxxxxx&pt=0&scope=1+6000+16001+20000&redirect_uri=https%3A%2F%2Fhm.xiaomi.com%2Fwatch.do&_locale=en_US&response_type=code

and login to your Mi account.

Paste URL after redirection here.
https://hm.xiaomi.com/watch.do?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Token: ['XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX']
Logging in...
Logged in! User id: xxxxxxxxxx
Downloading AGPS_ALM...
Traceback (most recent call last):
  File "/Users/lacek/huami-token/huami_token.py", line 360, in <module>
    device.get_gps_data()
  File "/Users/lacek/huami-token/huami_token.py", line 237, in get_gps_data
    response.raise_for_status()
  File "/Users/lacek/miniconda3/envs/huami-token/lib/python3.9/site-packages/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://api-mifit-us2.huami.com/apps/com.huami.midong/fileTypes/AGPS_ALM/files

Hi.
Just checked: cannot confirm this problem. Do you normally use the Zepp app or Mi Fit?

lacek commented

I am downloading A-GPS with huami-token because I use Notify & Fitness for Amazfit as a replacement for Zepp/Mi Fit.
Haven't used Mi Fit since the first setup of my watch, probably a year ago.

Anyway, I just installed Zepp and am able to log in with my Mi account and connect to my watch. So I would say it looks normal, at least for my account.

Sometimes one needs to log in to the Zepp app first with a Mi account.
Try again now.

Hi
I also get a 401 for this domain when trying to download the AGPS data, but using an Amazfit account.

The 401 response contains the following: {'code': 0, 'message': 'invalid token', 'data': {'code': '0102'}}. However, get_wearables works and prints the wearables table as expected, which seems strange to me as the token is the same as in get_gps_data. I also tried it after a login in the Zepp app, but this changed nothing.

What countries do you live in, @no5killz and @lacek?

Try replacing in

'agps': 'https://api-mifit-us2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files',

com.huami.midong with com.xiaomi.hm.health.

I tried this from Germany and via VPN from the Netherlands, Japan and the USA.

Changing the URL to 'agps': 'https://api-mifit-de2.huami.com/apps/api-mifit.huami.com/fileTypes/{pack_name}/files', lets me download the files again. I took the URL and host/apps part from the domains part of the login response. This also does not seem to change when using the VPN. However, it has worked before with the original URL.

Thank you very much for developing this tool and for the fast help!
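Added example, not part of the comment above and not huami-token's own code: one way to take the AGPS host from the login response instead of hardcoding a regional one, while refusing to send the token to any host outside huami.com. The `domains`/`host` field names, the helper names and the sample responses are assumptions made for illustration.

```python
import re

# URL shape quoted in the thread; only the host varies between regions.
AGPS_TEMPLATE = "https://{host}/apps/com.huami.midong/fileTypes/{pack_name}/files"
# Suffix-less host several commenters reported as working.
FALLBACK_HOST = "api-mifit.huami.com"
# Assumption: the app token may only ever be sent to a subdomain of huami.com.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+huami\.com")
PACK_RE = re.compile(r"[A-Z0-9_]+")  # e.g. AGPS_ALM


def trusted_hosts(login_response):
    """Yield hosts from the (assumed) 'domains' list that pass the allowlist."""
    for entry in login_response.get("domains") or []:
        host = entry.get("host") if isinstance(entry, dict) else None
        if isinstance(host, str) and HOST_RE.fullmatch(host.lower()):
            yield host.lower()


def agps_url(login_response, pack_name):
    """Build the AGPS URL from the login response, else from the fallback host."""
    if not PACK_RE.fullmatch(pack_name):
        raise ValueError(f"unexpected pack name: {pack_name!r}")
    host = next(trusted_hosts(login_response), FALLBACK_HOST)
    return AGPS_TEMPLATE.format(host=host, pack_name=pack_name)


# Constructed sample responses; the field names are assumptions, not the real schema.
SAMPLE_OK = {"domains": [{"host": "api-mifit-de2.huami.com"}]}
SAMPLE_BAD = {"domains": [{"host": "api-mifit.huami.com.example.net"},
                          {"host": "huami.com@example.net"}]}

if __name__ == "__main__":
    for resp in (SAMPLE_OK, SAMPLE_BAD, {}):
        print(agps_url(resp, "AGPS_ALM"))
```
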

lacek commented

@argrento I'm in Hong Kong. Tried combinations of (api-mifit-us2, api-mifit-de2, api-mifit-cn2) and (com.huami.midong, com.xiaomi.hm.health, api-mifit.huami.com) but all gave the same error.

At last it worked when I tried https://api-mifit.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files (removed -us2 from the subdomain).

Update:

Found the subdomain api-mifit-sg2 on Google, so I gave it (https://api-mifit-sg2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files) a try and it worked too!

A conjecture would be that the APIs with geographical location suffixes (api-mifit-us2, api-mifit-de2, api-mifit-sg2 and api-mifit-cn2) are only accessible with IP addresses around that area while the one without suffix (api-mifit) is accessible around the globe. I don't have VPN access outside the country so I cannot verify it. Maybe someone else can give it a try.

APIs with geographical location suffixes are only accessible with IP addresses around that area

I do not think so, since I am from Russia and use the us2 server. I will check; probably the login server returns a suitable API address.

I'm also getting this now, from Finland. api-mifit.huami.com works.

piggz commented

Same here, in the UK, the above URL works.

Thanks from Germany for this program that makes it possible to avoid Amazfit's spyware app! Just have a small problem:

I made accounts on amazfit.com/us and amazfit.com/de (apparently accounts are region-specific!), which I can log into with my browser, but when I use these credentials copied from Firefox in python3 huami_token.py -m amazfit -g -e copiedemail -p copiedpassword, there's the following error message:

Getting access token with amazfit login method...
Traceback (most recent call last):
  File "huami_token.py", line 352, in <module>
    device.get_access_token()
  File "huami_token.py", line 101, in get_access_token
    raise ValueError(f"Wrong E-mail or Password." \
ValueError: Wrong E-mail or Password.Error: ['401']

So I tried these:
'agps': 'https://api-mifit-us2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files', (default)
'agps': 'https://api-mifit-us2.huami.com/apps/com.xiaomi.hm.health/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit-de2.huami.com/apps/api-mifit.huami.com/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit-de.huami.com/apps/api-mifit.huami.com/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files',
'agps': 'https://api-mifit-sg2.huami.com/apps/com.huami.midong/fileTypes/{pack_name}/files',
none of which make a difference.

Did they change something or am I doing something wrong?