Is BMW Connected Drive login unavailable again in China? #588

cat007cat opened this issue Dec 29, 2023 · 41 comments · Fixed by #601

@cat007cat

Describe the issue

  1. Using Integrations in HomeAssistant OS -> BMW Connected Drive cannot log in to BMW
  2. Install 0.14.6 in Docker: testing the official 0.14.6 version in Docker, still unable to log in to BMW China.

Expected behavior

Is the login issue caused by the inability to implement image verification? Or is it because BMW China adjusted the API?

bimmer_connected.models.MyBMWAPIError: HTTPStatusError: True -

Which Home Assistant version are you using?

core - 2023.12.3

What was the last working version of Home Assistant Core?

No response

What is your region?

China

MyBMW website

  • I can still successfully login to the BMW MyBMW website and the car status is available there.
  • I have MyBMW enabled for my vehicle.

Number of cars

  • I have 2 or more cars linked to the MyBMW account.
  • I have a Mini vehicle linked to my account.

Output of bimmer_connected fingerprint

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

@cat007cat cat007cat added the bug 🐛 Something isn't working label Dec 29, 2023
@rikroe
Member

rikroe commented Dec 29, 2023

Could be that BMW have changed something in their captcha logic.

@Yixi could you help out again please?

@Yixi
Contributor

Yixi commented Dec 31, 2023

Yes, BMW has updated the x-login-nonce algorithm again. My Android phone is broken (it's a 10-year-old machine); I will try again after I find an Android phone that can be rooted and after the holiday is over.

@qiuyuxuan1999

Yes, BMW has updated the x-login-nonce algorithm again. My Android phone is broken (it's a 10-year-old machine); I will try again after I find an Android phone that can be rooted and after the holiday is over.

Any progress so far? Thank you very much.

@xiaozhou0226

Updated to 2024.1, still unable to log in.

@rikroe rikroe mentioned this issue Jan 21, 2024
@xichengsweet

Still unable to log in at the moment.

@lwy197809

Problem not resolved yet.

@rikroe rikroe reopened this Mar 7, 2024
@rikroe
Member

rikroe commented Mar 7, 2024

Sorry, this wasn't supposed to be closed.
Unfortunately, the new Chinese login has not been reverse engineered yet (as far as I know).

@Yixi
Contributor

Yixi commented Mar 8, 2024

For some reason I can't publish the algorithm for nonce (at least not by being the first one to do so).

If you want to reverse myBMW, you can use the tool https://github.com/worawit/blutter, which does a complete reduction of the assembly and the method names of dart, and generates a python script for IDA to help with the analysis.

Also if you want to login to your China account in home assistant, you can change the part of bimmerconnect api/authentication.py in the HA python lib that gets the nonce to get it from the web interface, and as far as I know, there is a Scriptable script that provides the API for that.

@simon6661

Updated to 2024.3.13, still unable to log in.

@rikroe
Member

rikroe commented Mar 13, 2024

Yixi, can you maybe share the API you mentioned?
Maybe that with a disclaimer is the best way forward.

@Yixi
Contributor

Yixi commented Mar 13, 2024

There is an iOS Scriptable app script, bmw-linker, that uses an online API to generate the nonce, but the API also takes some encryption measures.

https://github.com/worawit/blutter can completely reverse the libapp.so file and restore the original dart method name. With IDA's dynamic debugging and some assembly knowledge, the nonce algorithm can be restored relatively easily. Hopefully someone else will take up this work. Blutter has solved the hard part.

Because of some company's business reasons, I cannot disclose the algorithm.

@qiuyuxuan1999

Yixi, can you maybe share the API you mentioned? Maybe that with a disclaimer is the best way forward.

Yixi doesn't want to disclose the algorithm; can no one else take up this work?

@ttsgit

ttsgit commented Jun 13, 2024

Any progress? Still unable to log in at the moment.

@qiuyuxuan1999

Has this project abandoned the China region?

@blackdm666

Still can't log in~ If it starts working, could some kind person let us know?

@rikroe
Member

rikroe commented Jun 28, 2024

We would love to support, however we cannot reverse engineer the code required for login and new tries to publish the new code seem to result in somehow harsh measurements (see Yixi's answer).

If somewhere in the Chinese BMW there is a way/app/website that can extract a bearer or better refresh token, we could try to use this and make it work again.

However as this is a China-only problem, much of the discussion is in Chinese only and not available to me.

@github-actions github-actions bot added the stale 🤖 Used by Probot label Sep 27, 2024
@cyc56

cyc56 commented Sep 27, 2024

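@Yixi Haha, I'm the author of that bmw-linker; I'm the one you were talking about. It's not that it can't be published; it's that once it's published everyone copies it, and then it gets blocked.
That raised the difficulty.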

@Yixi
Contributor

Yixi commented Sep 27, 2024

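@Yixi Haha, I'm the author of that bmw-linker; I'm the one you were talking about. It's not that it can't be published; it's that once it's published everyone copies it, and then it gets blocked. That raised the difficulty.

In my case, my company has a partnership with company B, so I have some concerns about publishing it and can only use it myself. I don't understand why they insist on adding a nonce for the China region.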

@github-actions github-actions bot removed the stale 🤖 Used by Probot label Sep 28, 2024
@Yixi
Contributor

Yixi commented Oct 2, 2024

I have built a new API for directly logging in and obtaining a token using a username and password. You can also gradually view the login process at https://bmw.yixi.pro (https://github.com/Yixi/Y-BMW). There is an API provided for generating a nonce. Now the app's verification logic is more complex. The login API is for people with strong hands-on abilities who need to modify the bimmer connect code in the hassio package themselves.

The API address is post https://bmw.yixi.pro/api/util/login with {mobile: xxx, password: xxxx}. This api does not record any logs or store mobile and passwords. If you have concerns about this, please do not use it.

To use it, simply pass in the mobile and password parameters, and you will directly receive the token result after login.

nonce generation only supports version 4.9.1(36994).

Manually modify Python code.

@rikroe
Member

rikroe commented Oct 5, 2024

Hi @Yixi, your web app/api does return a refresh_token, right? Is this also directly visible in your UI?
If yes, I would think about adjusting the HA config flow, so that the refresh token can be copy/pasted.
Chinese users can then use your webapp to generate the token and use HA normally afterwards.

@Yixi
Contributor

Yixi commented Oct 6, 2024

I didn't manage to test the logic for fetching the refresh token during dynamic debugging (it's quite difficult to trigger the refresh during dynamic debugging). The algorithm for generating the nonce when refreshing the token may not necessarily work. Additionally, there’s a validation for header.x = xxx in the request headers. Furthermore, some people may still have concerns about security and privacy when using network services, so I suggest leaving it to those who are willing to tinker with it manually

@rikroe
Member

rikroe commented Oct 6, 2024

I agree with you in regards that some people might not want to send their phone/password to a webservice. Therefore I do not want to include it by default in bimmer_connected.

However, adjusting as you mentioned will be very tedious, as this will get overwritten every time there is an update to Home Assistant.

Can you check if you are able to implement the changes of home-assistant/core@ea36d14 in a HA dev environment and check if providing your phone, email and refresh token from your website also works?

@exiom-xyz

Hong Kong owner here! #659

I am not sure if related to this issue but if anyone is willing to help please reach out, much thanks!

@Yixi
Contributor

Yixi commented Oct 7, 2024

I tried it yesterday, and the refresh token returned a 401 error. I suspect that there might be some differences between the nonce algorithm (using gcid) and the one used for login (using username). I might need to spend some time debugging with Frida and comparing the content disassembled by IDA. As I mentioned above, it's a bit difficult to trigger the refresh token action on the app side because I need to trigger it to collect debugging information.

Or could @cyc56 provide some help?

@rikroe
Member

rikroe commented Oct 7, 2024

Ah, I missed the nonce part for refresh tokens.
Is it possible to have a second endpoint that just returns the nonce value (given username or gcid)?

@Yixi
Contributor

Yixi commented Oct 8, 2024

In fact, there is already one. I won’t paste it here directly, but you can see it in the request calls at https://bmw.yixi.pro/. However, the nonce generated based on the GCID might be invalid now.

@rikroe If I resolve the issue with the refresh token nonce, I’ll send you the API email.

I’m currently modifying everything locally and logging in every time. I haven’t used the refresh token logic for now because the API validation fails.

@Yixi
Contributor

Yixi commented Oct 8, 2024

I’ve already solved the refresh token nonce issue. The nonce algorithm was consistent because I previously forgot to add the 'content-type': 'text/plain' header to the refresh token API. A new API has been provided for refreshing the token.

Currently, it seems to only work under 'x-user-agent': 'android(29);bmw;4.9.1(36994);cn'

@rikroe
Member

rikroe commented Oct 9, 2024

Cool and thanks for your mail! I try to find some time in the next days and throw up a basic implementation.
I guess if we only use your nonce endpoints, it could be implemented in the normal library.

While still private/critical data (phone + gcid) it does not contain the password anymore. Should be used with big disclaimers though.

@HuChundong
Contributor

The latest version of MyBMW has added more validation parameters, and now some interfaces require two random verifications, nonce and x. I have implemented the calculation of nonce and x, and can keep them updated in real-time with MyBMW (provided that the parameters required for the calculation remain unchanged, with only the algorithm part being modified). I can provide a Docker image for anyone who needs it for local deployment. Meanwhile, I have deployed an online API for testing. If no one submits a PR, I can help resolve the login issues for Chinese users during the Spring Festival if I have time. Additionally, I would like to mention that in China, phone numbers and GCID are not even considered private information, which is a serious neglect of privacy in the country.

@HuChundong
Contributor

HuChundong commented Dec 26, 2024

The current solution does not require reverse engineering of the algorithm, which enhances the real-time capability of keeping up with MyBMW updates. However, there are still some memory leak issues that could potentially render the service unavailable under high concurrency. Therefore, the provided interface is intended for testing purposes only.
Api below:
aHR0cDovLzEyMC41NS4xMjUuODg6ODA4Ny9ub25jZT9tb2JpbGU9ODYtcGhvbmVudW1iZXItaGVyZQ==
aHR0cDovLzEyMC41NS4xMjUuODg6ODA4Ny94Tm9uY2U/dXVpZD11dWlkLXY0LWhlcmU=

Additionally, an online interface for calculating the position of the verification code has also been provided:
Y3VybCAtLWxvY2F0aW9uICdodHRwOi8vMTIwLjU1LjEyNS44ODo4MDg3L2NhcFBhc3MnIFwKLS1oZWFkZXIgJ0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbicgXAotLWRhdGEgJ3sKICAgICJiZyI6ImJhc2U2NCBmcm9tIGJtdyBhcGkiLAogICAgImN1dCI6ImJhc2U2NCBmcm9tIGJtdyBhcGkiCn0n

@Yixi
Contributor

Yixi commented Dec 26, 2024

The current solution does not require reverse engineering of the algorithm, which enhances the real-time capability of keeping up with MyBMW updates. However, there are still some memory leak issues that could potentially render the service unavailable under high concurrency. Therefore, the provided interface is intended for testing purposes only. Api below: aHR0cDovLzEyMC41NS4xMjUuODg6ODA4Ny9ub25jZT9tb2JpbGU9ODYtcGhvbmVudW1iZXItaGVyZQ== aHR0cDovLzEyMC41NS4xMjUuODg6ODA4Ny94Tm9uY2U/dXVpZD11dWlkLXY0LWhlcmU=

Additionally, an online interface for calculating the position of the verification code has also been provided: Y3VybCAtLWxvY2F0aW9uICdodHRwOi8vMTIwLjU1LjEyNS44ODo4MDg3L2NhcFBhc3MnIFwKLS1oZWFkZXIgJ0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbicgXAotLWRhdGEgJ3sKICAgICJiZyI6ImJhc2U2NCBmcm9tIGJtdyBhcGkiLAogICAgImN1dCI6ImJhc2U2NCBmcm9tIGJtdyBhcGkiCn0n

So your solution is to run an instance of the MyBMW app (iOS or Android) inside Docker, and then use some hooks to log in through the app to obtain the token? I had considered this approach before, but unfortunately, I don’t have enough knowledge and don’t know where to start.

@HuChundong
Contributor

HuChundong commented Dec 26, 2024

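The current solution does not require reverse engineering of the algorithm, which enhances the real-time capability of keeping up with MyBMW updates. However, there are still some memory leak issues that could potentially render the service unavailable under high concurrency. Therefore, the provided interface is intended for testing purposes only. Api below: aHR0cDovLzEyMC41NS4xMjUuODg6ODA4Ny9ub25jZT9tb2JpbGU9ODYtcGhvbmVudW1iZXItaGVyZQ== aHR0cDovLzEyMC41NS4xMjUuODg6ODA4Ny94Tm9uY2U/dXVpZD11dWlkLXY0LWhlcmU=
Additionally, an online interface for calculating the position of the verification code has also been provided: Y3VybCAtLWxvY2F0aW9uICdodHRwOi8vMTIwLjU1LjEyNS44ODo4MDg3L2NhcFBhc3MnIFwKLS1oZWFkZXIgJ0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbicgXAotLWRhdGEgJ3sKICAgICJiZyI6ImJhc2U2NCBmcm9tIGJtdyBhcGkiLAogICAgIN1dCI6ImJhc2U2NCBmcm9tIGJtdyBhcGkiCn0n

So your solution is to run an instance of the MyBMW app (iOS or Android) inside Docker, and then use some hooks to log in through the app to obtain the token? I had considered this approach before, but unfortunately, I don’t have enough knowledge and don’t know where to start.

From 2020 to 2023, my service ran directly on an Android virtual machine and was exposed to the public internet through nginx. In 2024 it runs directly in a Docker container, with no need to run Android. This provides the ability to automatically track app updates, and to roll back automatically when token validation fails.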

@rikroe
Member

rikroe commented Dec 26, 2024

I guess a local docker image to get the authorization code could work, that's a great idea!

So I would adjust the library not to call BMW for authentication, but a (configurable) local or public API.

Could you provide a documentation of the endpoints? I should have some time in the next 2 weeks to adjust both this library and the HA integration.

@HuChundong
Contributor

I guess a local docker image to get the authorization code could work, that's a great idea!

So I would adjust the library not to call BMW for authentication, but a (configurable) local or public API.

Could you provide a documentation of the endpoints? I should have some time in the next 2 weeks to adjust both this library and the HA integration.

If the authorization service, HA, and BimmerConnect are running on the same server, I believe there is no issue with the authorization server directly interacting with BMW. However, if the authorization server acts as a public server, there is a potential risk that the public server's IP might be blocked by BMW. Therefore, it is reasonable for the public server to only handle the computation of the nonce. If the Docker container runs locally on the user's machine, the local service can manage the entire login process. Currently, this part of the work is still under development, and I will refine the related features during the Chinese New Year holiday. In fact, all functionalities have already been developed, but they have not yet been engineered.

@rikroe
Member

rikroe commented Dec 26, 2024

Very nice, sounds good to me.

If you are able to provide this local authorization server in some other git repository (including some documentation and the REST API endpoints), that would be awesome.

Should bimmerconnected and the HA library still have both phone/password flow and refresh token flow or just refresh token?

@HuChundong
Contributor

Very nice, sounds good to me.

If you are able to provide this local authorization server in some other git repository (including some documentation and the REST API endpoints), that would be awesome.

Should bimmerconnected and the HA library still have both phone/password flow and refresh token flow or just refresh token?

My goal is to ensure that Chinese users maintain the same workflow as other users. The latest version has been verified, and both the login and refresh processes are fully functional. The only difference is that Chinese users have additional nonce and x in the header.

@rikroe
Member

rikroe commented Dec 28, 2024

And you don't want to submit a PR for bimmer connected as you fear the nonce algorithm will change too quickly once made public, right?

I'll wait for what you can figure out. In the end, for bimmerconnected it is best if we can just do the login for China using HTTP requests (just not using official endpoints).

@cyc56

cyc56 commented Jan 3, 2025

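I have built a new API for directly logging in and obtaining a token using a username and password. You can also gradually view the login process at https://bmw.yixi.pro (https://github.com/Yixi/Y-BMW). There is an API provided for generating a nonce. Now the app's verification logic is more complex. The login API is for people with strong hands-on abilities who need to modify the bimmer connect code in the hassio package themselves.

The API address is post https://bmw.yixi.pro/api/util/login with {mobile: xxx, password: xxxx}. This api does not record any logs or store mobile and passwords. If you have concerns about this, please do not use it.

To use it, simply pass in the mobile and password parameters, and you will directly receive the token result after login.

nonce generation only supports version 4.9.1(36994).

Manually modify Python code.

Bro, this algorithm for x is a shortcut hack I wrote; it isn't optimal, and it's exactly the same as my generation pattern. This algorithm is too inefficient.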

@Yixi
Contributor

Yixi commented Jan 4, 2025

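Hahaha, that character "x" is too hard to identify when reversing, so I borrowed it for now; as long as it works, that's fine.

Bro, this algorithm for x is a shortcut hack I wrote; it isn't optimal, and it's exactly the same as my generation pattern. This algorithm is too inefficient.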

@cyc56

cyc56 commented Jan 8, 2025

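Hahaha, that character "x" is too hard to identify when reversing, so I borrowed it for now; as long as it works, that's fine.

Bro, this algorithm for x is a shortcut hack I wrote; it isn't optimal, and it's exactly the same as my generation pattern. This algorithm is too inefficient.

Yes, they didn't use SHA, MD5, or AES. Also, this algorithm is JS code they wrote that is called from Flutter, and I couldn't trace it.
I only traced as far as the entry point and the pointers of the passed arguments, and then couldn't get any further. I'm ashamed.

I also traced the method name; it's called encryptTwo, I think. It was a while ago and I don't remember exactly.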
