samrum/OnStarJS

Getting 401 Unauthorized

Closed this issue · 32 comments

Hello,

Starting yesterday or Wednesday, I started getting 401 errors. The latest branch does not fix this.

I have exactly the same issue: the status command works, but start returns a 401 error.

Error: Request Failed with status 401 - Unauthorized

The entire OnStar app system went down yesterday with even the official GM apps not working. The official GM apps are working now, but we can no longer seem to run any commands via API, so it's possible that they blocked us again.

Perhaps this change has something to do with it? 6e159a5

Unless I'm misunderstanding, perhaps that app secret is revoked / shouldn't be in source.
EDIT: These keys are sourced from the GM APK. Disregard the above.

@samrum Perhaps you can provide further details on that change and what those values are used for?


The secret keys match the ones in the latest MyChevrolet APK Version 5.21.1 (4151). So it's probably another issue. Trying to set up an environment to test SSL pinning, etc. to troubleshoot the 401 issue.


As well, it was broken before and after I merged this into my current version. Something for sure changed on GM's end. Hopefully, Joel will be able to pin it down for us.

@samrum I installed GenyMotion, Burp Suite, Frida, etc... but it looks like not all requests are forwarded to the proxy (MITM). Do you have any reference that I can follow in order to help troubleshoot this issue?

Maybe someone is more experienced than me with "pentesting", but I've tried tools like MobSF (very nice), direct commands with Frida, etc... but all the tests I made seem to fail as soon as I enable the HTTP proxy.

I made "SSL Pinning" bypass tests and they always fail. Maybe I'm doing something wrong :(

I really want to help troubleshoot this issue :)

any update on this? how can I help (as a non-programmer but tech savvy)


Unfortunately I'm unable to bypass "SSL Pinning" when I test in my environment (Genymotion, Frida, etc). I'm currently blocked at this step.

@chakal I see you were trying to work on this. Did you have any luck?

@joelvandal not sure if this may help https://blog.sanghviharshit.com/reverse-engineering-private-api-ssl-pinning/

@BennyDaBee Thanks, I just finished getting all my "setup" working to capture traffic from GM.

I will now review the "unencrypted" pcap :) (thanks to polarproxy, frida, etc).

Looks like the endpoint path changed.

Ex. to send a getCommand, OnStarJS uses:

/api/v1/account/vehicles/${this.config.vin}/commands/${command}

But if I check my trace, I see:

/api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557

So "commands" has been renamed to "requests" and a number is appended after the start parameter.

The number looks to include the timestamp when I executed the request (1674601627).

I'm continuing my analysis... sorry, I'm not a pro with Wireshark, etc., but I captured lots of HTTP2 traffic.

And it looks to use na-mobile-api.gm.com instead of api.gm.com.

Sorry, the /requests/ URL is the response after we send a POST request:

POST /api/v2/account/vehicles/XXXXXXXXXXXX/commands/start

It uses api/v2 instead of api/v1.

Testing on mine now @joelvandal

If I decode the JWT token, I also see the following scope:

msso gmoc priv user_trailer user onstar role_owner

And only the POST to commands/start looks to use api/v2... all other endpoints still use api/v1/account/etc.

Still learning development myself, would that include the request diagnostics using api/v2?

Also @joelvandal is the appSecret still the same or has it changed?

@BennyDaBee The appSecret hasn't changed and the one in the latest version of onstarjs is correct.

Ok, how about the appId? Trying to track down why I'm still getting 401.

But if I check my trace, I see: /api/v1/account/vehicles/MYVIN/requests/start1603817341674601627557 So "commands" has been renamed to "requests" and a number is appended after the start parameter.

Glossed over this. Wonder what the random number in full means.


@BennyDaBee you can ignore this... the request/startRANDOMDIGITS is the URL that we can use to get the status of the command. This URL is returned when we do a POST /api/v2/account/vehicles/XXXXXXXXXXXX/commands/start

The 401 is when we send a request to the /api/v1/oauth/token/upgrade endpoint. When I look at the trace (tcpdump), this request doesn't look to be sent anymore.

{
  client_id: 'OMB_CVY_AND_5V1',
  credential: 'XXXX',
  credential_type: 'PIN',
  device_id: 'XXXXXX-c2fe-XXXXX-82b1-XXXXXXXXXXX',
  grant_type: 'password',
  nonce: 'YTU........zNWQ0OTljN.....EyYWU1Nz',
  timestamp: '2023-01-25T00:48:11.001Z'
}

When we send a POST for start:

/api/v2/account/vehicles/XXXXXXXXXXX/commands/start

or a POST for diagnostics:

/api/v1/account/vehicles/XXXXXXXXXXXX/commands/diagnostics

The JWT payload looks like:

Header:

{ "jku": "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/", "kid": "mobile-authz-jwt-token-prod-na-06032023-1", "typ": "JWT", "alg": "RS256" }

Data:

"jti": "XXXXXXXXX-7a85-46e2-XXXXXXXX", "iat": 1674601607, "sub": "CA5NAHF2", "iss": "https://sec-authz-mobile.na.onstar.cpi.gm.com", "aud": "cvc_prod", "exp": 1674603407, "uid": "MY_USERNAME", "ver": 1.3, "scope": "msso gmoc priv user_trailer user onstar role_owner", "pai": "OMNIBUS_CVY", "typ": "bearer", "dci": "XXXXXX-1296-XXXXXXX-9d1f-XXXXXXXXXXXXX", "per": "AAAAAAAAAAAAAM......A==", "chan": "mobile", "vehs": [ { "vin": "1G1FZ6XXXXXX", "per": "AAAAAAAAAAAAAAAAAAAAI...AAAAAAAAA==" } ], "cid": "OMB_CVY_AND_5V1" }
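Added example (not OnStarJS code, not from the commenter) showing how a client can inspect the header and payload fields quoted above before sending a command, so an expired token, a wrong `aud` or a missing `onstar` scope is reported locally instead of surfacing as an opaque 401. It only decodes; signature verification still requires the key set, and the `jku` URL is compared against a fixed allow-list rather than trusted from the token. The sample token is constructed from the thread's values with a dummy signature.

```javascript
// Key-set URL from the captured header, pinned here instead of being read from the token.
const ALLOWED_JKU = "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/";

function decodeSegment(seg) {
  // JWT segments are base64url without padding; Node's Buffer handles that directly.
  return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
}

// Returns the scopes, VINs and expiry found in the token plus a list of problems.
// nowSeconds is injectable so expiry can be checked against a fixed clock.
function inspectToken(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT: expected 3 segments");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const problems = [];
  if (header.alg !== "RS256") problems.push(`unexpected alg ${header.alg}`);
  if (header.jku !== ALLOWED_JKU) problems.push("jku not on allow-list");
  if (payload.aud !== "cvc_prod") problems.push(`unexpected aud ${payload.aud}`);
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) problems.push("token expired");
  const scopes = (payload.scope || "").split(/\s+/).filter(Boolean);
  if (!scopes.includes("onstar")) problems.push("missing onstar scope");
  const vins = (payload.vehs || []).map((v) => v.vin);
  return { scopes, vins, exp: payload.exp, problems };
}

// Constructed sample token: header/payload values taken from the thread, signature is a dummy.
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}
const SAMPLE_JWT = [
  encodeSegment({ jku: ALLOWED_JKU, kid: "mobile-authz-jwt-token-prod-na-06032023-1", typ: "JWT", alg: "RS256" }),
  encodeSegment({
    iat: 1674601607, exp: 1674603407, aud: "cvc_prod",
    scope: "msso gmoc priv user_trailer user onstar role_owner",
    vehs: [{ vin: "1G1FZ6XXXXXX" }], cid: "OMB_CVY_AND_5V1",
  }),
  "c2lnbmF0dXJl", // dummy signature, never checked here
].join(".");
```

Calling `inspectToken(SAMPLE_JWT, 1674601700)` returns an empty `problems` list; the same token checked at or after `exp` reports "token expired".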

@joelvandal that seemed to do it. I disabled the token upgrade by default and I'm able to request diagnostics. PR incoming.

I confirm that diag, start and stop are working with this patch :)

Will see tomorrow if everything works as expected; I have about 500-600 "start" commands that are normally executed each day :)

@michaelwoods @joelvandal Was able to confirm that lock/unlock/start/cancelStart all returned and completed as normal

Just wanted to say you guys are awesome! 😎

Thank you all for the great work!