ElGecko
Posts: 2
Joined: Mon Nov 16, 2015 10:13 pm
Delivery Date: 17 Nov 2015

Re: Carwings API?

Wed Feb 03, 2016 6:22 pm

All my apps including the official one stopped working about a day and a half ago. The only thing I can get to work is the full web site. :?

jfiveash
Posts: 7
Joined: Sat Aug 14, 2010 9:54 am
Delivery Date: 02 Jan 2012
Location: Birmingham, AL

Re: Carwings API?

Thu Feb 04, 2016 8:58 pm

flagrantfowl wrote: Hi all,

I suddenly started getting HTTP 500 "Internal Server Error" responses from both my scripted Carwings API calls and from "unofficial" apps on my phone, yet the official apps and the Nissan web site seemed to be updating fine. Odd.

So, I set up a proxy to look at the traffic, and saw that the official iOS app ("NissanConnect EV") is connecting to a different URL endpoint and speaking JSON rather than XML. The new endpoint I see is: https://gdcportalgw.its-mo.com All API calls seem to be HTTP GET requests, and all parameters are on the query string.

Is anyone else familiar with this 'new' API? I see no mention of it anywhere on the web. I'm wondering if I need to try to figure it out and modify my scripts to use it rather than the old one that speaks XML.

Thanks!


I believe you have identified the issue with my Leaf Link app connection. Two days ago I noticed an error message in Leaf Link: "Unknown error communicating with CARWINGS". I changed my password and logged in to the new Nissan site. Everything works on the website. The Nissan EV app works fine with the new password. Tried to open the Leaf Link app again and got an authentication error. The new password is accepted but it returns the same "Unknown error communicating with CARWINGS". I suspect Leaf Link needs to be updated. iOS 9.2.1, iPhone 6 Plus, Leaf Link 1.2.0

joshperry
Posts: 9
Joined: Fri Aug 28, 2015 10:33 am
Delivery Date: 28 Aug 2015
Leaf Number: 335349

Re: Carwings API?

Sun Feb 07, 2016 1:51 pm

I've been working on a Leaf app and started seeing this as well. Argh. I guess they deprecated and then decommissioned the old XML API; these are the risks of running rogue. Though having a JSON API will be easier for me. (I haven't gotten my proxy set up yet, but I hope that state change mods aren't done as GET requests. That'd be ripe for CSRF attacks.)

I'd love to collaborate if you have any captures or info you've gathered so far.

Josh

joshperry
Posts: 9
Joined: Fri Aug 28, 2015 10:33 am
Delivery Date: 28 Aug 2015
Leaf Number: 335349

Re: Carwings API?

Sun Feb 07, 2016 2:23 pm

Ha... Yeah


Code:

// Thanks for putting my credentials in the URL so they can be logged by servers and proxies.
GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/UserLoginRequest.php?RegionCode=NNA&lg=en-US&DCMID=&VIN=&tz=&UserId=josh%40example.com&Password=supers3kr3t

// Yes, if you paste this URL in your browser you will get JSON data about your car's state dumped to you
// assuming DCMID (found in the Login response) and VIN parameters are specified. No other authentication necessary!
GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NNA&lg=en-US&DCMID=574610958375&VIN=1N4YZ1ZP7EC377749&tz=America/Denver&TimeFrom=2014-07-04T20:42:40


On the plus side it's much easier to dev against!!
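
Added example (not part of the original posts and not code from any of the projects mentioned): a scrubber that finds and redacts the query-string parameters named in the post above before proxy or server log lines are stored or shared. The log format, host name and sample values are constructed, and treating DCMID and VIN as sensitive is an assumption based on the post's remark that they are the only thing needed to read vehicle data.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters treated as sensitive (assumption): Password and UserId are
# credentials; DCMID and VIN are what the post says unlocks vehicle data.
SENSITIVE = {"password", "userid", "dcmid", "vin"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def redact_url(url):
    """Return (redacted_url, sorted names of sensitive parameters that had a value)."""
    parts = urlsplit(url)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            found.add(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="/:"))), sorted(found)

def scrub_log(lines):
    """Redact every URL in each log line; return (clean_lines, findings)."""
    clean, findings = [], []
    for lineno, line in enumerate(lines, 1):
        hits = []
        def _sub(match):
            redacted, names = redact_url(match.group(0))
            hits.extend(names)
            return redacted
        clean.append(URL_RE.sub(_sub, line))
        if hits:
            findings.append((lineno, hits))  # which line leaked which parameters
    return clean, findings

# Constructed proxy-log lines; host, addresses and values are made up.
SAMPLE_LOG = [
    '10.0.0.5 "GET https://api.example.test/gdc/UserLoginRequest.php?RegionCode=NNA&lg=en-US&DCMID=&VIN=&UserId=user%40example.com&Password=hunter2" 200',
    '10.0.0.5 "GET https://api.example.test/gdc/BatteryStatusRecordsRequest.php?RegionCode=NNA&DCMID=000000000000&VIN=TESTVIN0000000000&tz=America/Denver" 200',
    '10.0.0.5 "GET https://api.example.test/static/logo.png" 200',
]

if __name__ == "__main__":
    cleaned, leaks = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(leaks)
```

The findings list doubles as a detection signal: any line it reports is a place where a credential or vehicle identifier has already been written to disk.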

BluesBro
Posts: 6
Joined: Thu Sep 17, 2015 12:58 am
Delivery Date: 12 Aug 2015

Re: Carwings API?

Sun Feb 07, 2016 2:38 pm

How about start/stop AC?

joshperry
Posts: 9
Joined: Fri Aug 28, 2015 10:33 am
Delivery Date: 28 Aug 2015
Leaf Number: 335349

Re: Carwings API?

Sun Feb 07, 2016 2:43 pm

Think I'm going to flesh out all the operations and their response bodies in some docs. But yes, even state mutation is done via GET requests:

Code:

GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/ACRemoteRequest.php?RegionCode=NNA&lg=en-US&DCMID=<dcmid>&VIN=<vin>&tz=America/Denver


I don't think this is a big deal for CSRF since they're not using cookies to track auth sessions anymore. Though putting secrets in URIs and using GETs for state mutation are not great for a number of other security and perf reasons.

BluesBro wrote: How about start/stop AC?
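
Added example (not part of the original posts, and not Nissan's code): a server-side request check in the weak form the posts above describe, where identifiers in a GET query string are enough, next to a corrected form that takes a secret from a header, binds it to one VIN and accepts state changes only over POST. The function names, the session store and the status codes chosen are assumptions for illustration.

```python
import hashlib
import secrets

# Hypothetical server-side model; every name here is an assumption.
STATE_CHANGING = {"ACRemoteRequest"}   # operations that alter vehicle state
SESSIONS = {}                          # sha256(token) -> VIN the token was issued for

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(vin):
    """Called after a successful login; returns an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = vin     # store only the hash of the token
    return token

def weak_check(method, operation, query):
    """Weak form, as the posts describe it: knowing DCMID and VIN is enough."""
    return 200 if query.get("DCMID") and query.get("VIN") else 401

def hardened_check(method, operation, headers, body):
    """Corrected form: secret in a header, VIN bound to it, POST for mutations."""
    if operation in STATE_CHANGING and method != "POST":
        return 405                     # mutations are never accepted over GET
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401                     # identifiers alone do not authenticate
    bound_vin = SESSIONS.get(_digest(token))
    if bound_vin is None:
        return 401                     # unknown or revoked token
    if body.get("VIN") != bound_vin:
        return 403                     # valid token, but for another vehicle
    return 200

if __name__ == "__main__":
    vin = "TESTVIN0000000000"          # constructed value
    tok = issue_token(vin)
    print(weak_check("GET", "ACRemoteRequest", {"DCMID": "000000000000", "VIN": vin}))
    print(hardened_check("GET", "ACRemoteRequest", {"Authorization": "Bearer " + tok}, {"VIN": vin}))
    print(hardened_check("POST", "ACRemoteRequest", {"Authorization": "Bearer " + tok}, {"VIN": vin}))
```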

irwinr
Posts: 20
Joined: Thu Mar 26, 2015 8:20 am
Delivery Date: 26 Mar 2015

Re: Carwings API?

Sun Feb 07, 2016 4:13 pm

This is actually kind of exciting. The existing XML-based service is a PITA to work with; this will make things much easier for sure. I'm not overly worried about passwords in the URL as long as it's HTTPS... It's not like anyone can really do anything with the Nissan password... (right?) (Assuming you don't use the same password for other things also, but that's just a bad practice in general; you never know if websites properly encrypt/salt stored passwords.)

Anyway, thanks for digging into this and I look forward to hacking away at this new endpoint. Should make my scripts for automating my charging cycles and such much simpler.

-Jeremy

joshperry
Posts: 9
Joined: Fri Aug 28, 2015 10:33 am
Delivery Date: 28 Aug 2015
Leaf Number: 335349

Re: Carwings API?

Sun Feb 07, 2016 5:27 pm


flagrantfowl
Posts: 8
Joined: Mon Feb 01, 2016 8:58 pm
Delivery Date: 16 Nov 2015

Re: Carwings API?

Sun Feb 07, 2016 5:44 pm

I've got a minimal but working Python API here:

https://github.com/jdhorne/pycarwings2

I don't think it will work outside of North America, given the "region" parameter, but I don't know any other values.

irwinr
Posts: 20
Joined: Thu Mar 26, 2015 8:20 am
Delivery Date: 26 Mar 2015

Re: Carwings API?

Sun Feb 07, 2016 6:31 pm

joshperry wrote: For those with any interest: https://github.com/joshperry/carwings/b ... l.markdown


This is awesome, thanks!

Quick question: DCMID: Does that expire after a set amount of time? If so, any idea how long?

-Jeremy
