Carwings API?

All my apps including the official one stopped working about a day and a half ago. The only thing I can get to work is the full web site. :?
 
flagrantfowl said:
Hi all,

I suddenly started getting HTTP 500 "Internal Server Error" responses from both my scripted Carwings API calls and from "unofficial" apps on my phone, yet the official apps and the Nissan web site seemed to be updating fine. Odd.

So, I set up a proxy to look at the traffic, and saw that the official iOS app ("NissanConnect EV") is connecting to a different URL endpoint and speaking JSON rather than XML. The new endpoint I see is: https://gdcportalgw.its-mo.com All API calls seem to be HTTP GET requests, and all parameters are on the query string.

Is anyone else familiar with this 'new' API? I see no mention of it anywhere on the web. I'm wondering if I need to try to figure it out and modify my scripts to use it rather than the old one that speaks XML.

Thanks!

I believe you have identified the issue with my Leaf Link app connection. Two days ago I noticed the error message in Leaf Link "Unknown error communicating with CARWINGS". I changed my password, logged in to the new Nissan site. Everything works on the website. Nissan EV app works fine with the new password. Tried to open Leaf Link app again and get an authentication error. New password is accepted but returns the same "Unknown error communicating with CARWINGS". Suspect Leaf Link needs to be updated. iOS 9.2.1, iPhone 6 Plus, Leaf Link 1.2.0
 
I've been working on a Leaf app and started seeing this as well. Argh. I guess they deprecated and then decommissioned the old XML API; these are the risks of running rogue. Though having a JSON API will be easier for me. (I haven't gotten my proxy set up yet, but I hope that state change mods aren't done as GET requests. That'd be ripe for CSRF attacks.)

I'd love to collaborate if you have any captures or info you've gathered so far.

Josh

flagrantfowl said:
Hi all,

I suddenly started getting HTTP 500 "Internal Server Error" responses from both my scripted Carwings API calls and from "unofficial" apps on my phone, yet the official apps and the Nissan web site seemed to be updating fine. Odd.

So, I set up a proxy to look at the traffic, and saw that the official iOS app ("NissanConnect EV") is connecting to a different URL endpoint and speaking JSON rather than XML. The new endpoint I see is: https://gdcportalgw.its-mo.com All API calls seem to be HTTP GET requests, and all parameters are on the query string.

Is anyone else familiar with this 'new' API? I see no mention of it anywhere on the web. I'm wondering if I need to try to figure it out and modify my scripts to use it rather than the old one that speaks XML.

Thanks!
 
Ha... Yeah


Code:
// Thanks for putting my credentials in the URL so they can be logged by servers and proxies.
GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/UserLoginRequest.php?RegionCode=NNA&lg=en-US&DCMID=&VIN=&tz=&UserId=josh%40example.com&Password=supers3kr3t

// Yes, if you paste this URL in your browser you will get JSON data about your car's state dumped to you
// assuming DCMID (found in the Login response) and VIN parameters are specified. No other authentication necessary!
GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NNA&lg=en-US&DCMID=574610958375&VIN=1N4YZ1ZP7EC377749&tz=America/Denver&TimeFrom=2014-07-04T20:42:40

On the plus side it's much easier to dev against!!
 
Think I'm going to flesh out all the operations and their response bodies in some docs. But yes, even state mutation is done via get requests:

Code:
GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/ACRemoteRequest.php?RegionCode=NNA&lg=en-US&DCMID=<dcmid>&VIN=<vin>&tz=America/Denver

I don't think this is a big deal for CSRF since they're not using cookies to track auth sessions anymore. Though putting secrets in URIs and using GETs for state mutation are not great for a number of other security and perf reasons.

BluesBro said:
How about start/stop AC?
 
joshperry said:
Think I'm going to flesh out all the operations and their response bodies in some docs. But yes, even state mutation is done via get requests:

Code:
GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/ACRemoteRequest.php?RegionCode=NNA&lg=en-US&DCMID=<dcmid>&VIN=<vin>&tz=America/Denver

I don't think this is a big deal for CSRF since they're not using cookies to track auth sessions anymore. Though putting secrets in URIs and using GETs for state mutation are not great for a number of other security and perf reasons.

BluesBro said:
How about start/stop AC?

This is actually kind of exciting, the existing XML based service is a PITA to work with, this will make things much easier for sure. I'm not overly worried about passwords in the URL as long as it's HTTPS... It's not like anyone can really do anything with the Nissan password... (right?) (Assuming you don't use the same password for other things also, but that's just a bad practice in general, you never know if websites properly encrypt/salt stored passwords).

Anyway, thanks for digging into this and I look forward to hacking away at this new endpoint. Should make my scripts for automating my charging cycles and such much simpler.

-Jeremy
 
I've got a minimal but working Python API here:

https://github.com/jdhorne/pycarwings2

I don't think it will work outside of North America, given the "region" parameter, but I don't know any other values.
 
joshperry said:
For those with any interest: https://github.com/joshperry/carwings/blob/master/protocol.markdown

This is awesome, thanks!

Quick question: DCMID: Does that expire after a set amount of time? If so, any idea how long?

-Jeremy
 
irwinr said:
joshperry said:
For those with any interest: https://github.com/joshperry/carwings/blob/master/protocol.markdown

This is awesome, thanks!

Quick question: DCMID: Does that expire after a set amount of time? If so, any idea how long?

-Jeremy

Not sure actually. I think this is actually an ID number from the DCM in the car (I'm still trying to figure out what the DCM is (one of the car's computers)). So I think it may be static, or maybe only static until the car is registered with another owner. It's going to take some more testing to figure out some of the more esoteric stuff.

For my particular use case I'm going to just cache the DCMID for now and assume that it won't ever expire.

Josh
 
joshperry said:
irwinr said:
joshperry said:
For those with any interest: https://github.com/joshperry/carwings/blob/master/protocol.markdown

This is awesome, thanks!

Quick question: DCMID: Does that expire after a set amount of time? If so, any idea how long?

-Jeremy

Not sure actually. I think this is actually an ID number from the DCM in the car (I'm still trying to figure out what the DCM is (one of the car's computers)). So I think it may be static, or maybe only static until the car is registered with another owner. It's going to take some more testing to figure out some of the more esoteric stuff.

For my particular use case I'm going to just cache the DCMID for now and assume that it won't ever expire.

Josh

Interesting. It seems to be used essentially as a session ID. If anyone ever figured out your DCMID it's basically as good as your password (And can't be changed like a password if it's discovered).

That seems like a pretty large security hole there, especially since it's also passed in the URL.

That aside: Have you looked at any of the endpoints for the driving history stats? That was going to be my next project, pulling that data down into a local database where I can do more interesting analysis on it.

-Jeremy
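
Added example, not part of any post in this thread and not code from pycarwings2 or the protocol document: a log scrubber for the two concerns raised above, credentials in the login URL and DCMID/VIN acting as a bearer identifier on the query string. Parameter and endpoint names come from the captures quoted in the thread; the function names are hypothetical, treating VIN as sensitive is an assumption, and all sample values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters from the thread's captures that act as credentials or
# bearer identifiers. Treating VIN as sensitive is an assumption of this example.
SENSITIVE = {"password", "userid", "dcmid", "vin"}
# Endpoints the thread names as changing vehicle state.
STATE_CHANGING = {"ACRemoteRequest.php", "ACRemoteOffRequest.php"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def redact_url(url):
    """Return (redacted_url, sorted names of sensitive params that carried a value)."""
    parts = urlsplit(url)
    exposed, pairs = set(), []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE and value:
            exposed.add(key)
            value = "REDACTED"
        pairs.append((key, value))
    query = urlencode(pairs, safe="/:")
    return urlunsplit(parts._replace(query=query)), sorted(exposed)

def audit_line(line):
    """Redact every URL in a log line; report exposed params and GET state changes."""
    findings = {"exposed": set(), "state_change_via_get": False}
    def _sub(match):
        url = match.group(0)
        redacted, exposed = redact_url(url)
        findings["exposed"].update(exposed)
        endpoint = urlsplit(url).path.rsplit("/", 1)[-1]
        if line.lstrip().startswith("GET") and endpoint in STATE_CHANGING:
            findings["state_change_via_get"] = True
        return redacted
    clean = URL_RE.sub(_sub, line)
    findings["exposed"] = sorted(findings["exposed"])
    return clean, findings

# Constructed sample lines modelled on the request shapes quoted in the thread;
# every value is a placeholder.
SAMPLE_LOG = [
    "GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/UserLoginRequest.php"
    "?RegionCode=NNA&lg=en-US&DCMID=&VIN=&tz=&UserId=user%40example.com&Password=placeholder-pw",
    "GET https://gdcportalgw.its-mo.com/orchestration_1111/gdc/ACRemoteRequest.php"
    "?RegionCode=NNA&lg=en-US&DCMID=000000000000&VIN=PLACEHOLDERVIN000&tz=America/Denver",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(audit_line(entry))
```

Run it over proxy captures or debug logs before sharing them; a DCMID that cannot be rotated should be treated like a leaked password once it appears in an unredacted log.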
 
Region code for Europe is "NE" and language seems to follow normal "keyboard standards"
Example: Norway is: no-NO

Can't get your Python example to work though..?

Edit:

And the username for me was the old one that I used with Carwings and not my e-mail address...
 
Blues: can you give me more information as to how it's not working? It could be that the URL for the EU server is different, as it was for the XML API. You said your 'old' ID worked, though, so maybe you were able to log in.

If you can send me some output I'll take a look. It might help to turn logging up:

Code:
import logging
logging.getLogger("pycarwings2").setLevel(logging.DEBUG)
 
joshperry said:
For those with any interest: https://github.com/joshperry/carwings/blob/master/protocol.markdown


Thanks for the documentation! I now have something better than the Leaf Link (or Nissan) app to activate the climate control. Obtain DCMID and VIN. Enter that info in the URL string and turn on the climate control from a web browser.

Using a Flic button, the URL command can be automated to a simple hardware button.
https://flic.io
 
One more question:

I noticed your doc refers to this:

"long-poll operation Use the HVAC Remote Activate Result operation to poll for results."

But I don't see a URL operation for the HVAC Remote Activate Result?

-Jeremy
 
joshperry said:
For those with any interest: https://github.com/joshperry/carwings/blob/master/protocol.markdown
flagrantfowl said:
I've got a minimal but working Python API here:

https://github.com/jdhorne/pycarwings2

I don't think it will work outside of North America, given the "region" parameter, but I don't know any other values.
Great work, guys! Very very cool! Thanks for sharing.

I think I'll stand up something on my home server so I can turn the climate control on/off with just one click instead of doing it via several clicks in the ConnectEV app... Or maybe I'll do it in JavaScript in the browser so anybody else interested can have the same functionality as well...
 
irwinr: the final portion of the endpoint for the remote "start HVAC" result is ACRemoteResult.php. Note that there are separate endpoints for stopping the HVAC; those are at ACRemoteOffRequest.php and ACRemoteOffResult.php.

There are more details in my Python implementation: https://github.com/jdhorne/pycarwings2/blob/master/pycarwings2/pycarwings2.py
(It's obviously in Python, but I think it's pretty readable even if you're not a Python person.)
 
aqn: In case you happen to be a user of the Indigo home automation software, I've written a plugin that lets you do exactly this kind of thing: https://github.com/jdhorne/indigo-leaf-plugin/tree/feature/rest_api

I created a control page in Indigo with a big button that says "start climate control". Works great.
 