Update Secrets #258

Closed

nilathedragon
Contributor

No description provided.

@nilathedragon
Contributor Author

Probably best to test this one first. Version Nr was 7.0.0 on the app

@BigThunderSR
Contributor

BigThunderSR commented Sep 17, 2024

Unfortunately, this one is giving "Request Failed with status 403 - Forbidden". 😞

@nilathedragon, does the user agent need to be updated as well? (Not sure this matters, but just in case - I just noticed that the old key was 36 characters, but the new one is only 32 characters.)

@nilathedragon
Contributor Author

Closing this until I know what's going on.

@BigThunderSR
Contributor

@nilathedragon, could you please provide the creds from version 6.25.2 of the app? That should buy us a bit more time until you can hopefully figure out the situation with the v7 creds. Thanks!

@almoney

almoney commented Oct 14, 2024

Has there been any progress here? I would like to help discuss this issue with GM and find a formal support approach.

@CamSoper

CamSoper commented Oct 24, 2024

> Has there been any progress here? I would like to help discuss this issue with GM and find a formal support approach.

Good luck with that, @almoney. They've thus far appeared completely unwilling to support the enthusiast community by sharing any details of their API.

If you do happen to have an in with GM and the ear of somebody who can help, I think most of us would be willing to sign some kind of waiver to get API access, if they were so willing.

@WritesWithBadCode

@CamSoper You're talking about a company that is getting rid of the much beloved Apple CarPlay and Android Auto only to force their customers to pay subscription fees to OnStar. Let's be honest - they won't give access.

@CamSoper

@WritesWithBadCode I completely agree with you, I only said that last part on the extremely outside chance that @almoney is Mary Barra's cousin or something! 😁

@stevenrhawk

GM "Envolve" is their commercial/fleet side of OnStar. They're advertising full API access to OnStar via Envolve. I signed up for a 'free' trial account in Envolve, but it requires adding a vehicle (at $16/mo) in order to gain full access. As it's only $1 more per month than a consumer OnStar remote/fob plan, it may be worth trying it. I'm unsure if I'm willing to go down that rabbit hole at the moment as I've got several years free on the consumer plan, plus being a dealer employee I don't pay anywhere near retail for that plan anyway. Has anyone tried Envolve?

@bmcloutier

@nilathedragon Would you be willing to describe at a high level what you do to obtain the secret key? Thank you!

@joelvandal
Contributor

> @nilathedragon Would you be willing to describe at a high level what you do to obtain the secret key? Thank you!

I can partially reply ... use a jailbroken iPhone then use frida + frida-ios-cipher to retrieve the keys... method looks pretty simple but...

I tried to jailbreak an old iPad mini 4 with iOS 15.8 but I think I bricked it... And not sure exactly how to jailbreak my iPhone 13 (iOS 18.0.1)

@CamSoper

CamSoper commented Oct 30, 2024

@snackpack85 I have not, but it sounds interesting.

I use OnStarJS in Home Assistant via onstar2mqtt. I've been thinking about grabbing a free SmartCar API account and rigging up some kind of HA integration. With the low API request quota, I figure we could get updates every 6 hours or so and still have another 100 requests left for start/stop, lock/unlock, etc. Problem is middle age malaise and being halfway addicted to doomscrolling has me struggling to get my actual work done to my satisfaction, much less any side projects. And tbh I don't really enjoy Python.

@BigThunderSR
Contributor

> @snackpack85 I have not, but it sounds interesting.
>
> I use OnStarJS in Home Assistant via onstar2mqtt. I've been thinking about grabbing a free SmartCar API account and rigging up some kind of HA integration. With the low API request quota, I figure we could get updates every 6 hours or so and still have another 100 requests left for start/stop, lock/unlock, etc. Problem is middle age malaise and being halfway addicted to doomscrolling has me struggling to get my actual work done to my satisfaction, much less any side projects. And tbh I don't really enjoy Python.

FWIW, it doesn't look like they support engine start/stop.

@metheos

metheos commented Nov 1, 2024

I've done some digging and the JWT is now signed with RS256 instead of HS256. I'm not sure the app secret is even used for the JWT anymore, and I'm not sure what key they're using for the RS256.

Here's the new JWT header

```json
{
  "jku": "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/",
  "kid": "sec-authz-mobile-jwt-token-prod-na-20250425-3",
  "typ": "JWT",
  "alg": "RS256"
}
```
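
A header like the one quoted above tells a verifier which algorithm and which key set to use, so a verifier has to constrain both instead of trusting them. The following is an added example, not code from the thread or from OnStarJS; the pinned host is copied from the quoted header, while treating it as the only trusted key-set location, the `legacy` and `lookalike` headers, and all function names are assumptions made for illustration.

```javascript
// Added example: verifier-side policy for the alg, jku and kid header fields.
// Pinning this host as the only trusted key-set location is an assumption.
const PINNED_JKU_HOSTS = new Set(["sec-authz-mobile.na.onstar.cpi.gm.com"]);
const ALLOWED_ALGS = new Set(["RS256"]);

function parseJwtHeader(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  return JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
}

// Returns a list of policy violations; an empty list means the header is acceptable.
function checkHeaderPolicy(header) {
  const problems = [];
  if (!ALLOWED_ALGS.has(header.alg)) problems.push(`alg ${header.alg} not allowed`);
  if (typeof header.kid !== "string" || header.kid === "") problems.push("kid missing");
  if (header.jku !== undefined) {
    let url = null;
    try { url = new URL(header.jku); } catch { problems.push("jku is not a URL"); }
    if (url && url.protocol !== "https:") problems.push("jku must be https");
    // Compare the parsed hostname, never a string prefix of the raw value.
    if (url && !PINNED_JKU_HOSTS.has(url.hostname)) problems.push(`jku host ${url.hostname} not pinned`);
  }
  return problems;
}

// Constructed tokens: header fields as quoted in the thread, dummy payload and signature.
function makeToken(header) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc(header)}.${enc({ sub: "constructed" })}.c2ln`;
}
const observed = {
  jku: "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/",
  kid: "sec-authz-mobile-jwt-token-prod-na-20250425-3",
  typ: "JWT",
  alg: "RS256",
};
const legacy = { typ: "JWT", alg: "HS256" }; // constructed: symmetric scheme, no key id
// Userinfo trick: the pinned name appears before "@", the real host after it.
const lookalike = { ...observed, jku: "https://sec-authz-mobile.na.onstar.cpi.gm.com@keys.example.net/jwks" };

for (const [name, header] of Object.entries({ observed, legacy, lookalike })) {
  console.log(name, checkHeaderPolicy(parseJwtHeader(makeToken(header))));
}
```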

@bcstreaming

> I've done some digging and the JWT is now signed with RS256 instead of HS256. I'm not sure the app secret is even used for the JWT anymore, and I'm not sure what key they're using for the RS256.
>
> Here's the new JWT header
>
> ```json
> {
>   "jku": "https://sec-authz-mobile.na.onstar.cpi.gm.com/api/v1/oauth/keySets/",
>   "kid": "sec-authz-mobile-jwt-token-prod-na-20250425-3",
>   "typ": "JWT",
>   "alg": "RS256"
> }
> ```

Can you give us your method to be able to find the keys whenever they are rotated? I’ve been trying to decrypt it for the last couple of days.

@metheos

metheos commented Nov 1, 2024

Sure but, as @nilathedragon already discovered, they aren't working with a simple drop and replace.

I hooked frida into these functions to dump the parameters in the mychevy app on a jailbroken iPhone.

```
com.gm.myChevrolet on (iPhone: 15.8.3) [usb] # ios hooking watch method "-[OSAuthenticationConfig setClientSecret:]" --dump-args --dump-return
(agent) Found selector at 0x10304f31c as -[OSAuthenticationConfig setClientSecret:]
(agent) Registering job 491780. Type: watch-method for: -[OSAuthenticationConfig setClientSecret:]
com.gm.myChevrolet on (iPhone: 15.8.3) [usb] # (agent) [491780] Called: -[OSAuthenticationConfig setClientSecret:] 1 arguments(Kind: instance) (Super: NSObject)
(agent) [491780] Argument dump: [OSAuthenticationConfig setClientSecret: OgpDnThUgkBokuKyN83jPsZfR7gIZATg]
(agent) [491780] Return Value: 0x0
(agent) [491780] Called: -[OSAuthenticationConfig setClientSecret:] 1 arguments(Kind: instance) (Super: NSObject)
(agent) [491780] Argument dump: [OSAuthenticationConfig setClientSecret: OgpDnThUgkBokuKyN83jPsZfR7gIZATg]
(agent) [491780] Return Value: 0x0
```

@metheos

metheos commented Nov 1, 2024

I think I've found the asymmetric RSA key in the app's keychain. Not sure how to test it.

com.gm.omnibus.encryption.cryptokit.symmetric_key.256-accessible-after-first-unlock-this-device-only

The big problem is going to be that this looks to be a keypair generated by Microsoft when you first log in. So onstarjs would need to be able to simulate that process to get the key.

@metheos

metheos commented Nov 1, 2024

Tried to jam my key into the test code just to see if it would even work, but the key type appears to be unsupported by the crypto in the project.

```javascript
const privateKey = fs.readFileSync(path.resolve(__dirname, './gm256.pem'), 'utf8');
...
return jwt.sign(payload, privateKey, { noTimestamp: true, algorithm: "RS256" });
```

```
Unknown key type "ed25519".
```
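
RS256 is RSASSA-PKCS1-v1_5 with SHA-256 and can only be produced with an RSA key, whereas an Ed25519 key signs under the JWS algorithm `EdDSA`, so the key type has to be checked against the requested algorithm before signing or verifying. The following is an added example using only Node's built-in `crypto` module, not code from the thread or from OnStarJS; the keys are generated at run time and the function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// JWS alg -> required key type and the digest Node signs with.
const ALG_TABLE = {
  RS256: { keyType: "rsa", digest: "sha256" },
  EdDSA: { keyType: "ed25519", digest: null }, // Ed25519 hashes internally
};

function keyTypeOf(pem) {
  return crypto.createPrivateKey(pem).asymmetricKeyType;
}

function signCompact(payload, privatePem, alg) {
  const spec = ALG_TABLE[alg];
  if (!spec) throw new Error(`unsupported alg ${alg}`);
  const key = crypto.createPrivateKey(privatePem);
  if (key.asymmetricKeyType !== spec.keyType) {
    throw new Error(`alg ${alg} needs a ${spec.keyType} key, got ${key.asymmetricKeyType}`);
  }
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signingInput = `${enc({ typ: "JWT", alg })}.${enc(payload)}`;
  const sig = crypto.sign(spec.digest, Buffer.from(signingInput), key);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// alg is taken from the verifier's configuration, never from the token header.
function verifyCompact(token, publicPem, alg) {
  const [h, p, s] = token.split(".");
  const spec = ALG_TABLE[alg];
  const key = crypto.createPublicKey(publicPem);
  if (!spec || key.asymmetricKeyType !== spec.keyType) return false;
  return crypto.verify(spec.digest, Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
}

// Constructed key pairs generated at run time; nothing here comes from the app.
const pemOpts = {
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
};
const ed = crypto.generateKeyPairSync("ed25519", pemOpts);
const rsa = crypto.generateKeyPairSync("rsa", { modulusLength: 2048, ...pemOpts });

// Reproduces the mismatch from the comment above with a clear error message.
function tryRs256WithEd25519() {
  try { return signCompact({ sub: "constructed" }, ed.privateKey, "RS256"); }
  catch (err) { return err.message; }
}
console.log(keyTypeOf(ed.privateKey), "->", tryRs256WithEd25519());
```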
