
JLR API update broke jlrpy again

Open ardevd opened this issue 1 year ago • 67 comments

JLR has updated their API again, breaking third party apps in the process.

ardevd avatar May 17 '24 21:05 ardevd

@ardevd Out of curiosity, do most of the API changes you've had to fix look like they were intentionally to stop third-party apps, or are they adding new functionality?

pmharris77 avatar May 17 '24 21:05 pmharris77

> @ardevd Out of curiosity, do most of the API changes you've had to fix look like they were intentionally to stop third-party apps, or are they adding new functionality?

Solely to stop third party apps.

ardevd avatar May 18 '24 06:05 ardevd

Looks like they've added a new layer of API authentication.

ardevd avatar May 18 '24 10:05 ardevd

The x-App-Secret is now dynamic and seemingly changes frequently. Re-using previously used values doesn't seem to work either.

ardevd avatar May 18 '24 18:05 ardevd

> The x-App-Secret is now dynamic and seemingly changes frequently. Re-using previously used values doesn't seem to work either.

@ardevd That sounds hard to work around? Is it possible they have implemented it as some sort of shared time-based pseudo-random sequence baked into the app code, similar to a 2FA code?

pmharris77 avatar May 18 '24 18:05 pmharris77

Not necessarily. Either the secret is provided by the InControl API, or it might be calculated locally on the device (and reproduced on the server side). Either way, it should be possible to re-implement the same behaviour.

ardevd avatar May 18 '24 18:05 ardevd

@ardevd Wish I could help, rather than just ask questions, but reverse engineering APIs is not really in my skillset. Thanks v much for trying to sort this for the community!

pmharris77 avatar May 18 '24 18:05 pmharris77

I think I’ll try to find a contact at JLR unless anyone already has one?

If their intent is to stop third party apps, it seems like they will keep iterating until a jlrpy workaround cannot be made. I’d like to make the case for them offering open API access - I think there are benefits to JLR and it is what forward looking companies are doing.

My attempt probably won’t change anything but I will try. It might sound petty, but removal of API access would factor into my next vehicle purchase decision and somebody in JLR should want to know that if there are others like me.

dconlon avatar May 19 '24 06:05 dconlon

I'd really appreciate that! This cat and mouse game has been going on for a while now and while I enjoy the challenge, it's getting tedious.

JLR alienating their most enthusiastic customers in a misguided attempt to improve security is unfortunate. I've been reaching out to JLR repeatedly but never heard back.

When I first developed jlrpy and WattCat they did reach out and we concluded that they actually appreciated that someone would develop community apps for such a niche car manufacturer. I guess times have changed.

ardevd avatar May 19 '24 06:05 ardevd

@ardevd I've tried to decompile the app using a couple of Android Java decompilers and they're all failing to decompile for me. Have you had any luck?

pmharris77 avatar May 19 '24 09:05 pmharris77

apktool or JADX (which used apktool) works fine.

ardevd avatar May 19 '24 09:05 ardevd

> apktool or JADX (which used apktool) works fine.

Weird, I used JADX; it must be the app that calls it that's the issue.

Found another and interestingly, there are a few developer names throughout the code base who are on LinkedIn or have their own blogs:

Chris Banes
Dan Lew

pmharris77 avatar May 19 '24 09:05 pmharris77

As a customer, the reaction will have to be not buying JLR going forward, unless they start offering and supporting official APIs if they're not happy with people hacking around the unofficial ones... Let's see what the EU Data Governance Act will accomplish in the future...

andig avatar May 19 '24 14:05 andig

(Venting a bit at JLR) If JLR just switched to using API keys then none of this would be an issue and we could all move forwards with our lives. Devs wouldn't need to ask for usernames/passwords for their apps/integrations and the customer could pick which permissions to grant the API key(s) they create. Then, whenever they want to, the customer can just revoke their API key as they please. Evidently JLR is incapable of coming to this solution though.

On a brighter note, I'd be happy to get involved with helping to reverse engineer the API if needed. 🙂

CadeusTheGreat avatar May 19 '24 15:05 CadeusTheGreat
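The comment above describes the access model it wishes JLR offered: per-customer API keys, each carrying only the permissions the customer chose to grant, revocable at any time. The following is an added illustration of that model, written for this thread and not code from jlrpy, WattCat or JLR. It assumes hypothetical scope names (`vehicle:read`, `charge:control`, and so on) and keeps the service side entirely in memory; a real deployment would persist the key records and rate-limit lookups.

```python
"""Scoped, revocable API keys: a minimal server-side reference model (example, not jlrpy code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical permission scopes a customer could grant to a key. Names are assumed for this example.
ALLOWED_SCOPES = frozenset({"vehicle:read", "charge:read", "charge:control", "lock:control"})


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str          # SHA-256 of the secret half; the plaintext secret is never stored
    scopes: frozenset
    revoked: bool = False


class ApiKeyStore:
    """Issues keys of the form '<key_id>.<secret>', checks them, and lets the owner revoke them."""

    def __init__(self):
        self._keys = {}

    def issue(self, scopes):
        unknown = set(scopes) - ALLOWED_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(8)          # public identifier, safe to log
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy, shown to the customer once
        # A fast hash is adequate here because the secret is random and high-entropy,
        # unlike a user-chosen password, which would need a slow KDF.
        self._keys[key_id] = ApiKeyRecord(
            key_id=key_id,
            key_hash=hashlib.sha256(secret.encode()).hexdigest(),
            scopes=frozenset(scopes),
        )
        return f"{key_id}.{secret}"

    def revoke(self, key_id):
        """Customer-initiated revocation: the key stops working immediately, no password change needed."""
        record = self._keys.get(key_id)
        if record is None:
            return False
        record.revoked = True
        return True

    def authorize(self, presented_key, required_scope):
        """Return True only if the key is known, not revoked, matches its hash, and carries the scope."""
        try:
            key_id, secret = presented_key.split(".", 1)
        except ValueError:
            return False
        record = self._keys.get(key_id)
        if record is None or record.revoked:
            return False
        digest = hashlib.sha256(secret.encode()).hexdigest()
        # Constant-time comparison so timing does not leak how much of the hash matched.
        if not hmac.compare_digest(digest, record.key_hash):
            return False
        return required_scope in record.scopes


def walkthrough():
    """Issue a read-only key, exercise it, revoke it, and report each decision."""
    store = ApiKeyStore()
    key = store.issue(["vehicle:read", "charge:read"])
    key_id = key.split(".", 1)[0]
    results = {
        "read_allowed": store.authorize(key, "vehicle:read"),
        "lock_denied": store.authorize(key, "lock:control"),
        "wrong_secret_denied": store.authorize(f"{key_id}.not-the-secret", "vehicle:read"),
    }
    store.revoke(key_id)
    results["revoked_denied"] = store.authorize(key, "vehicle:read")
    return results


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name}: {decision}")
```

The point the example makes is the one the comment makes: an integration holding such a key can read charge state without ever being able to unlock the car, and the customer ends the relationship by revoking one key rather than changing the account password that every other integration also holds.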

Yeah. Third party API access has been a thing for the last 15 years now. About time JLR caught up.

I'm happy for all the help I can get. Reach out to me on Discord (ardevd) and I'll bring you up to speed.

ardevd avatar May 19 '24 15:05 ardevd

@ardevd Thank you so much for continuing to support us here - really appreciated!

@dconlon I received a JLR ‘customer care’ email at the end of March - I assumed it was just a broadcast but now think that I might be on their list of ‘non-authorised’ third-party API users!

Recently, in the past couple of weeks, I have noticed that the JLR Remote app has stopped allowing me to lock / unlock the car remotely. No reason / explanation given.

Now, JLR have also just contacted me today to get the car in for an important ‘security update’.

I will try to find someone to speak to find out if all this is related to the API lockdown and my usage of it, or just coincidental.

Would be interested to know if anyone else has actually engaged with JLR about all this?

kkennedyuk avatar May 20 '24 19:05 kkennedyuk

The security upgrade has been rolling out across the JLR fleet recently. No idea what it involves.

ardevd avatar May 20 '24 19:05 ardevd

> @ardevd Thank you so much for continuing to support us here - really appreciated!
>
> @dconlon I received a JLR ‘customer care’ email at the end of March - I assumed it was just a broadcast but now think that I might be on their list of ‘non-authorised’ third-party API users!
>
> Recently, in the past couple of weeks, I have noticed that the JLR Remote app has stopped allowing me to lock / unlock the car remotely. No reason / explanation given.
>
> Now, JLR have also just contacted me today to get the car in for an important ‘security update’.
>
> I will try to find someone to speak to find out if all this is related to the API lockdown and my usage of it, or just coincidental.
>
> Would be interested to know if anyone else has actually engaged with JLR about all this?

This is coincidental, I had the security update applied to my car months ago, and the HA integration has been working brilliantly up until a few days ago. I'd definitely recommend getting this applied to your car though! There were some gaping security holes in the keyless unlocking they've finally fixed.

cstosgale avatar May 20 '24 19:05 cstosgale

It is a shame that nowadays they still restrict the api to prevent 3rd party apps. ☹️ Not all customers would ever use it, but why not allow those who want to get their data. Didn't we pay already with providing our data to them for free? Can't imagine that the handful of 3rd party users would break their servers

wawibu avatar May 21 '24 08:05 wawibu

I’ve spent a few hours trying to contact someone in product management but have unfortunately failed. They have their email set up to reject external senders and the contact I had no longer works at JLR. I’ve left messages with various switchboards so there’s still a possibility of a call back, but in the meantime I’ll complain to customer care and perhaps everyone with an interest could do the same as some already have.

dconlon avatar May 22 '24 06:05 dconlon

> This is coincidental, I had the security update applied to my car months ago, and the HA integration has been working brilliantly up until a few days ago. I'd definitely recommend getting this applied to your car though! There were some gaping security holes in the keyless unlocking they've finally fixed.

Just to add - from what I gather from my dealer - that is the urgent security update they've been rolling out - fixes for the keyless entry security issues (many insurance companies were refusing to insure JLR products because of it, another great way to get rid of customers!)

scotttag avatar May 22 '24 23:05 scotttag

this may help ? https://github.com/evcc-io/evcc/pull/13960/files

MZorzy avatar May 23 '24 08:05 MZorzy

> this may help ? https://github.com/evcc-io/evcc/pull/13960/files

Thanks! I can't seem to get it to work though, and it's not using a dynamic app secret. Can anyone confirm that it actually works using evcc?

ardevd avatar May 23 '24 09:05 ardevd

No. It's broken once more now 😰

andig avatar May 23 '24 09:05 andig

> this may help ? https://github.com/evcc-io/evcc/pull/13960/files
>
> Thanks! I can't seem to get it to work though, and it's not using a dynamic app secret. Can anyone confirm that it actually works using evcc?

Just tried to get it work with the evcc approach but failed so far.

rzumbuehl avatar May 23 '24 11:05 rzumbuehl

ouch :-(

MZorzy avatar May 23 '24 12:05 MZorzy

Just tried to connect my tibber account with landrover incontrol and that doesn't work anymore. Tibber has the issue opened on May 20th. I believe that Tibber has an official allowance to use the api but landrover broke it for them as well as it seems

wawibu avatar May 23 '24 12:05 wawibu

Does there seem to be any use of third-party services or proxies to avoid storing the API key in the app?

garrettcook avatar May 26 '24 03:05 garrettcook

I opened a ticket at JLR to understand the possibilities of getting access to my data via API

wawibu avatar Jun 14 '24 07:06 wawibu

It's a shame it doesn't work again I have to renew my Remote subscription in 15 days. I don't think I'm going to renew it. With the enthusiasm that I put into learning to make my programs for my Jaguar. Bad company policy. He did not predict a good ending.

anggar-programacion avatar Jun 16 '24 10:06 anggar-programacion