
How did you go about reverse engineering the API? #9

nmiodice opened this issue Feb 12, 2022 · 6 comments
Comments

@nmiodice

I might do some digging to extend this a little bit, but I'm curious how you figured all this out?

Talking mostly about the non-auth stuff, for example, honking horn, controlling charging and climate, etc...

Network tracing? Trial and error?

@thomasesmith (Owner)

I'm curious how you figured all this out?

If you put a MITM proxy between your own phone and its connection to the internet, you can break your phone's SSL temporarily and read the contents of any web requests that any app makes to its API. I used mitmproxy. This will work unless the app uses "SSL Pinning." But there are also ways around that as well.

@nmiodice (Author)

Any tips on working around what I believe to be SSL pinning on the current carnet app? I have mitmproxy set up, but all the API calls to vw's backend are failing.

I'm on iOS if it matters. I wish there was a web version of the app that I could use devtools to inspect :/

@thomasesmith (Owner)

thomasesmith commented Mar 13, 2022

I defeated SSL pinning to make this document with mitmproxy and a jailbroken iPhone on which I could install KillSwitch to disable SSL entirely. If you have an extra iOS device lying around, I would recommend you don't do this on your daily driver. This page describes a process pretty close to mine: https://github.com/nabla-c0d3/ssl-kill-switch2/releases

@dzielin

dzielin commented Apr 26, 2022

@nmiodice FYI the new app uses different API endpoints with a slightly different authentication setup. Things are mostly the same for getting the auth token / id token (with different client id, return url, etc.) From there it changes pretty dramatically, as most (if not all) of the endpoints are locked down. All the TSP stuff is different, and seems to be session-based in the new system.

By the way, the SSL pinning stuff is pretty tricky in the new app. Frida can be used to find-and-replace certain HPKP hashes at runtime to successfully use mitmproxy. None of the out-of-the-box SSL unpinning stuff worked for me. This cert pinning isn't the native Android pinning functionality, it's actually baked into okhttp3 which is being used by retrofit to make the API calls.
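To make concrete what the pinning described above actually checks, here is an added illustration in Python (not code from this repository or from the app): how an okhttp3-style `sha256/` pin is derived from a certificate's SubjectPublicKeyInfo, and how a configured pin set is evaluated against a server's chain, which is why a chain minted by an interception proxy fails validation even though the device trusts the proxy CA. The host-pattern semantics are an assumption modelled on okhttp3's CertificatePinner, and the SPKI byte strings and host names are constructed placeholders.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin as used by okhttp3: 'sha256/' + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def host_matches(pattern: str, host: str) -> bool:
    """Assumed okhttp3-like semantics: exact host, '*.x' = exactly one extra
    label, '**.x' = x itself or any depth of subdomains."""
    if pattern.startswith("**."):
        base = pattern[3:]
        return host == base or host.endswith("." + base)
    if pattern.startswith("*."):
        base = pattern[2:]
        first_dot = host.find(".")
        return first_dot > 0 and host[first_dot + 1:] == base
    return host == pattern


def check_chain(host: str, chain_spkis: list, pins: list) -> bool:
    """True if the presented (already trust-store-validated) chain satisfies the
    pins configured for host. chain_spkis: SPKI DER of each cert, leaf first.
    pins: (host_pattern, pin) tuples as an app would configure them."""
    applicable = {pin for pat, pin in pins if host_matches(pat, host)}
    if not applicable:
        return True  # host not pinned: ordinary trust-store validation decides
    # Any certificate in the chain may satisfy a pin; apps often pin an intermediate.
    return any(spki_pin(spki) in applicable for spki in chain_spkis)


# Constructed stand-ins for real SPKI blobs (real ones are the certificate's
# subjectPublicKeyInfo, e.g. from `openssl x509 -pubkey -noout`).
LEAF_SPKI = b"constructed-spki:leaf"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-leaf"
PROXY_CA_SPKI = b"constructed-spki:proxy-ca"

# Hypothetical pin set: pins the genuine intermediate for one level of subdomains.
PINS = [("*.example-backend.test", spki_pin(INTERMEDIATE_SPKI))]


def demo():
    genuine = check_chain("api.example-backend.test", [LEAF_SPKI, INTERMEDIATE_SPKI], PINS)
    proxied = check_chain("api.example-backend.test", [PROXY_LEAF_SPKI, PROXY_CA_SPKI], PINS)
    unpinned = check_chain("other.test", [PROXY_LEAF_SPKI, PROXY_CA_SPKI], PINS)
    return genuine, proxied, unpinned


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The proxied chain is rejected because none of its SPKI hashes appear in the pin set, regardless of which CA signed it; only hosts that match a configured pattern are subject to the pin check at all.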

@remylt

remylt commented May 9, 2022

I think I need to re-flash my phone or whatever; either the application crashes or the bypass did not work (it detects that I'm rooted).
Same with Frida (SSL pinning bypass + anti-root script). I've tested some other car brand apps and most did not have this problem (protection).
Do you have any advice or solution? Thanks.

@supleshg

Hi, really glad to come across this repository. I own a Volkswagen Atlas in California and I believe that VW America has different API endpoints. The APIs in this repository do not work with my car. I am using the myVW Android app.

  • So I tried to set up mitmproxy and the Frida framework to watch the network traffic from the app. But unfortunately SSL pinning is not allowing me to do so.
  • Tried to use Android 5, but the app is not compatible with older versions of the OS. So I decompiled the app and tried to modify the OS restriction, but then the APK didn't compile back.
  • I did not find an older version of the APK which could have been installed on Android 5.
  • I came to know about the Xposed Installer which can be used to work around SSL pinning. But unfortunately their portal is not responding to get the required archives.

I am really stuck on this SSL pinning. Could you guys please help me to find the APIs for Volkswagen America? Really looking forward to hearing from you guys.
