SRP is not implemented (required for Remote Engine Start / HVAC)

[FRSTR]

Originally this issue was posted to Home Assistant integration, but it is also reproduced via renault-api CLI.

On an attempt to start AC in the NEW DUSTER car, the 403 error is returned. At the same time it works ok via MyRenault android app.
At the same time renault-api CLI provides the car status correctly (mileage, fuel, GPS).

Debug log:

DEBUG:renault_api.kamereon:Received Kamereon response 403 on POST to https://api-wired-prod-1-euw1.wrd-aws.com/commerce/v1/accounts/.../kamereon/kca/car-adapter/v1/cars/..../actions/hvac-start?country=RU: {"type":"FUNCTIONAL","messages":[{"code":"err.func.403","message":"{\"errors\":[{\"status\":\"403\",\"code\":\"security.access\",\"detail\":\"Access is denied for this resource\"}]}"}],"errors":[{"errorCode":"err.func.403","errorMessage":"{\"errors\":[{\"status\":\"403\",\"code\":\"security.access\",\"detail\":\"Access is denied for this resource\"}]}"}],"error_reference":"FUNCTIONAL"}
Error: ('err.func.403', 'Access is denied for this resource')

Note: MyRenault app requires a PIN code set in the app to start AC, could it be required in the API and thus not working there?

[FRSTR]

After numerous fails I've finally sniffed the traffic from the official MyRenault app on android, and I see that there is POST to ../actions/engine-start endpoint instead of hvac-start, and the payload is also different from hvac-start. It does not have a temperature in it (in my car the temp is always defaulted to 21, that's probably the reason it is not passed to this endpoint) but has some srp hash or smth like that.

There is also POST to ../actions/srp-sets before that, and a number of GET requests, mostly for notifications around that time.

If I got it right from the source code fragments of the app, the SRP also somehow includes the pin code set during pairing of the app/account to the car.

[epenet]

The joys of the Renault API
It's going to be very difficult for me to replicate and test, but I will accept a PR

May I suggest that you first look at #48 to add some fixtures for the Duster?
If you have a chance, please post also the result of the carGateway (see #157 - I need to create a fixture folder for these) as I am pretty sure that carGateway will be needed to differentiate between Renault and Dacia.

[FRSTR]

Here is the carGateway response for the new duster car with certain felds obfuscated:

{
  "data": {
    "type": "Car",
    "id": "db5c1177-1c3d-46ec-8717-31746d0b3266",
    "attributes": {
      "vin": "VF1AAAA1234567876",
      "vehicleId": 12345,
      "batteryCode": "SANBAT",
      "bin": null,
      "brand": "RENAULT",
      "canGeneration": "C1A",
      "carGateway": "AVN",
      "color": null,
      "dealerId": null,
      "deliveryCountry": "RU ",
      "deliveryDate": null,
      "deviceSerialNumber": null,
      "electricityUnitCost": null,
      "energy": "gasoline",
      "engineType": "H5H",
      "familyCode": "XJD",
      "firstRegistrationDate": null,
      "fuelUnitCost": null,
      "gearbox": "MANUAL",
      "modelCode": "HJD",
      "modelCodeDetail": "XJD1SU",
      "modelName": "NEW DUSTER",
      "modelYear": null,
      "navigAssistCode": null,
      "nickname": null,
      "packId": null,
      "packManufacturingDate": null,
      "packNominalCapacity": null,
      "packType": null,
      "pictureUrl": null,
      "radioType": "RA41A",
      "region": "RU",
      "registrationCountry": "RU ",
      "registrationNumber": "",
      "sourceReferenceId": null,
      "tcuCode": "AIVCT",
      "temperatureUnit": null,
      "upholstery": null,
      "vehicleSourceReference": null,
      "vehicleSourceType": null,
      "vehicleType": null,
      "versionCode": "B2 4 M3M 5C",
      "versionName": null,
      "privacyMode": "off",
      "privacyModeUpdateDate": null,
      "svtFlag": false,
      "svtLastUpdateTime": null,
      "svtBlockFlag": false,
      "svtBlockLastUpdateTime": null
    }
  }
}

[FRSTR]

Here is the vehicle fixture:

{
  "accountId": "account-id-7",
  "country": "RU",
  "vehicleLinks": [
    {
      "brand": "RENAULT",
      "vin": "VF1AAAA1234567876",
      "status": "ACTIVE",
      "linkType": "USER",
      "garageBrand": "renault",
      "mileage": 500,
      "mileageUnit": "km",
      "mileageDate": "2021-10-29",
      "startDate": "2021-03-01",
      "createdDate": "2021-04-01T11:00:00.648452Z",
      "lastModifiedDate": "2021-10-29T08:26:03.648452Z",
      "cancellationReason": {},
      "preferredDealer": {
        "dealerId": "51214321_001",
        "brand": "RENAULT",
        "createdDate": "2018-01-01T19:27:14.798452",
        "lastModifiedDate": "8-01-1:27:14.798452"
      },
      "connectedDriver": {
        "role": "MAIN_DRIVER",
        "createdDate": "2021-03-03T00:01:02.648452Z",
        "lastModifiedDate": "2021-03-03T00:01:02.648452Z"
      },
      "vehicleDetails": {
        "vin": "VF1AAAA1234567876",
        "engineType": "H5H",
        "engineRatio": "460",
        "modelSCR": "JD1",
        "deliveryCountry": {
          "code": "RU",
          "label": "RUSSIA"
        },
        "family": {
          "code": "XJD",
          "label": "XJD FAMILY",
          "group": "007"
        },
        "tcu": {
          "code": "AIVCT",
          "label": "WITH AIVC CONNECTION UNIT",
          "group": "E70"
        },
        "navigationAssistanceLevel": {
          "code": "",
          "label": "",
          "group": ""
        },
        "battery": {
          "code": "SANBAT",
          "label": "",
          "group": "968"
        },
        "radioType": {
          "code": "RA41A",
          "label": "ENDAFFM (SCREEN ATTACH), AUDIO 7 (2 BO + 2 BI + 2 TWEETER, DOUBLE-MICRO",
          "group": "425"
        },
        "registrationCountry": {
          "code": "RU"
        },
        "brand": {
          "label": "RENAULT"
        },
        "model": {
          "code": "XJD1SU",
          "label": "NEW DUSTER",
          "group": "971"
        },
        "gearbox": {
          "code": "BVM6",
          "label": "6-SPEED MANUAL GEARBOX",
          "group": "427"
        },
        "version": {
          "code": "B2 4 M3M 5C"
        },
        "energy": {
          "code": "ESS",
          "label": "PETROL",
          "group": "019"
        },
        "registrationNumber": "REG-NUMBER",
        "vcd": "STANDA/XJD/HJD/EA2/M3/ESS/DG/GDFROI/TR4X4/AFURGE/RV/ABS/BARLO2/CA02/PBCH/LAC/VT/CPE/RET03/1RVLG/PROJAB/RALU16/CEAVFX/ADAC/AIRBA2/SERIE/DRA/DRAP07/HARM02/ATAR02/SGAV05/SGAR02/TECNW/BANAL/KM/PTCAV2/TPRM3/AVREPL/SSDECA/ABLAV/ESPDES/ALEVA/SOPC2C/SPRGAZ/STHPLG/KITGRV/VLCUIR/TRGAS/REPNTC/LVCIPE/LVAREL/SASURV/RSEC01/SGACHA/RUS01/APL03/AIRAR/VOLRHP/FSTPO/ALOUCC/CMAR3P/RA41A/BVM6/RDIF03/ISOFIX/ENPB01/HRGM01/SANFLT/CSRBA2/SANACF/SCHSTA/TLRP21/PRODIS/SAN613/SSFAP/AIRBDE/CHC03/E05C/ADFR/SSPTLP/SANCML/SSFLEX/SEXTIN/PE2017/PHAS1/SAN913/THABT1/SSTYAD/SSHYB/SSCABA/SANBAT/VEC654/XJD1SU/SSNBT/H5H/SDLIGM/SOUVCF/RMEGS/KITPOU/KITPGR/DPSEC/SSPREM/FDIU1/SSMAP/RCALL/PROCBO/SDANGM/ECOMOD/AIVCT/AVGSI/ITPK1/PERN02/VOLCHA/R134A/SFSSAC/SSVOLP/TCHA0/SPMIR/RRCAM/TCHC0/HTNZA",
        "assets": [
          {
            "assetType": "PICTURE",
            "renditions": [
              {
                "resolutionType": "ONE_MYRENAULT_LARGE",
                "url": "https://3dv.renault.com/ImageFromBookmark?configuration=HJD%2FEA2%2FDG%2FTR4X4%2FRV%2FABS%2FBARLO2%2FCA02%2FPBCH%2FRET03%2FPROJAB%2FRALU16%2FDRA%2FDRAP07%2FHARM02%2FATAR02%2FSGAV05%2FTECNW%2FKM%2FABLAV%2FESPDES%2FALEVA%2FSOPC2C%2FVLCUIR%2FLVCIPE%2FLVAREL%2FSGACHA%2FAPL03%2FVOLRHP%2FCMAR3P%2FRA41A%2FBVM6%2FRDIF03%2FENPB01%2FCSRBA2%2FSANACF%2FSAN913%2FH5H%2FRCALL%2FSDANGM%2FECOMOD%2FITPK1%2FPERN02%2FVOLCHA%2FRRCAM&databaseId=42b2c477-c47a-40c9-8ed2-a6966c244777&bookmarkSet=RSITE&bookmark=EXT_34_DESSUS&profile=HELIOS_OWNERSERVICES_LARGE"
              },
              {
                "resolutionType": "ONE_MYRENAULT_SMALL",
                "url": "https://3dv.renault.com/ImageFromBookmark?configuration=HJD%2FEA2%2FDG%2FTR4X4%2FRV%2FABS%2FBARLO2%2FCA02%2FPBCH%2FRET03%2FPROJAB%2FRALU16%2FDRA%2FDRAP07%2FHARM02%2FATAR02%2FSGAV05%2FTECNW%2FKM%2FABLAV%2FESPDES%2FALEVA%2FSOPC2C%2FVLCUIR%2FLVCIPE%2FLVAREL%2FSGACHA%2FAPL03%2FVOLRHP%2FCMAR3P%2FRA41A%2FBVM6%2FRDIF03%2FENPB01%2FCSRBA2%2FSANACF%2FSAN913%2FH5H%2FRCALL%2FSDANGM%2FECOMOD%2FITPK1%2FPERN02%2FVOLCHA%2FRRCAM&databaseId=42b2c477-c47a-40c9-8ed2-a6966c244777&bookmarkSet=RSITE&bookmark=EXT_34_DESSUS&profile=HELIOS_OWNERSERVICES_SMALL_V2"
              }
            ]
          }
        ],
        "yearsOfMaintenance": 12,
        "connectivityTechnology": "NONE",
        "easyConnectStore": false,
        "electrical": false,
        "rlinkStore": false,
        "deliveryDate": "2021-03-01",
        "retrievedFromDhs": false,
        "engineEnergyType": "OTHER",
        "radioCode": "1234"
      }
    }
  ]
}

[FRSTR]

Hi @epenet , sorry for late response, but I'm back now. I've shared the carGateway response above, and also the fixture for my car.
You mentioned a PR for fixture, but I'm not sure I can create it via github UI, and it probably requires usage of the git client. I'm not really a developer and I'm not familiar with git, so not really sure how to create a PR without spending a week for it.
I also not sure if those fixtures are for requests or responses, as sometimes there is a valuable info in the request, and then valuable info could be in another endpoint's response.

Also to add details on the communications to start the engine:

1. At first there is a request to /actions/srp-sets where SRP is generated and sent to servers.
2. Then using the notifications endpoint is polled several times, until there is a response with server-generated response to SRP request
3. After that the client sends POST to /actions/engine-start endpoint with its calculated SRP result.

These 3 steps happen every time. I also found that SRP support exists in https://github.com/mitchellrj/kamereon-python/blob/146904802301aa0b0008e2bdb3a88ed10ff50acf/kamereon/kamereon.py though not sure if it is finilized.

[epenet]

Hi @FRSTR did you manage to work out how SRP works?

[FRSTR]

Hi @epenet Yes, kinda. The SRP is a special standard protocol that is used to authenticate when the communication channel is not trusted. There are also several implementations in python, e.g. here a random repo I just found - https://github.com/cocagne/pysrp
Plus as mentioned above the SRP was somehow supported (not sure it is fully supported there) in another Renault python library at https://github.com/mitchellrj/kamereon-python/blob/146904802301aa0b0008e2bdb3a88ed10ff50acf/kamereon/kamereon.py

The overall idea of SRP communication is the following:

1. The client side creates a cryptic SRP payload based on auth (mainly from pin code in our case as far as I understand) and sends it to the server
2. The server responds with its SRP payload calculated from client's payload.
3. The client calculates the new SRP payload based on received data and sends it back to the server as the final step of auth. This happens in /actions/engine-start endpoint

[epenet]

How much effort are you willing to put into this?
We can try to work on it together, and you can send me the full sniff on "dev at zeflip dot com" if you do not wish to publish them here?

[FRSTR]

@epenet yeah, I can sniff the stuff and try to test builds on my side, I'm just not really a developer to write python code (at least I still don't really get the OOP structure of the code in this repo). Indeed there is some personal info in the sniffs so we better communicate somewhere else, e.g. email as you said.

I also opened the Android app code to try figure our how it works, but again a good architecture instead of spaghetti makes it hard for me to get what's going on there. Though I can share pages from there if you'd like.

So as the first step, you'd want the full communication with SRP for the engine start flow, right? The sniffer I used is not friendly so it will take some time to capture full flow, but I'll start work on that today.

[FRSTR]

@epenet I've just sent you an email with the sniff

[jumpjack]

@FRSTR
offtopic: I read that you had an issue with your HVAC and you got "something" replaced in your car; can you please provide some more details by mail? jumpjack at libero dot it
My HVAC preconditioning is faulty since august 2021 and no dealer was yet able to fix it by updates, so I think they will have to replace"something" too.

[epenet]

@jumpjack: as I have already requested, can you please stop spamming?
If you want to share knowledge, then please do so. If not, then please refrain from comments such as "use my tool instead".

You can already run all debug commands within the renault api like this:
GET: renault-api --debug http get /commerce/v1/accounts/{account_id}/kamereon/kca/car-adapter/v1/cars/{vin}/charging-settings
POST: renault-api --debug http post /commerce/v1/accounts/{account_id}/kamereon/kca/car-adapter/v1/cars/{vin}/actions/charge-schedule '{"data": {"type": "ChargeSchedule", "attributes": {"schedules": []}}}'

[FRSTR]

@jumpjack , I don't want to share those traces as they have personal info and it takes quite some time to clear them out. If you have a tool, you can also sniff it with your car as the faulty module in the car does not affect anything in the app communication except for the final result being failure.
Also I don't really know what was that module/control block replaced in my car. This was replaced by writing an email to Renault support email of MyRenault app, they said they forwarded this to their tech team, and after couple months they wrote back that they know how to fix my issue and I should just go to the car dealer. The dealer had already some info from Renault about a fix required for my car and they just replaced what they were told to.

[FRSTR]

Hi @epenet . Just wanted to double check with you if you plan any work there. I have a daily need to at least lock the car via API or app, and I'm thinking if we proceed here or it may be faster for me to invest time into android app automation on my own.

[epenet]

I'll try to have a fresh look before the end of the month - but not sure when.

[FRSTR]

btw, @epenet I found this library for SRP, and it seems that generating SRP requests could as simple as the example on the readme page - https://github.com/cocagne/pysrp

If the SRP part gets implemented, it can also be used to lock the car, from what I remember the process was very similar.
So also I have a related question here: I notices that there is "get_lock_status" method already exists in the current implementation, and before I even found it I also was able to simply construct it via CLI and it returned the correct status. Do you plan to expose this status to Home Assistant? This would be a helpful sensor for a person like me who sometimes fail to lock the car.

[epenet]

Before it can be added to HomeAssistant, it needs to be exposed by the RenaultVehicle class:

renault-api/src/renault_api/renault_vehicle.py

Line 28 in 680cd5a

class RenaultVehicle:

Is that something you feel you could do?

I have been busy these past weeks inside HA, and this week I refactored a few chunks to make way for the Dacia Spring features that @lucviala created PRs for.

[epenet]

Note: adding the lock status should be much easier than implementating adding SRP as the framework is already there...

[FRSTR]

@epenet but it is already there in renault-api/src/renault_api/renault_vehicle.py :
async def get_lock_status(self) -> models.KamereonVehicleLockStatusData:

Or by expose you mean there should be some other structures? I'm sorry, I'm not fully familiar with the way it works. However if there is an example of another function I can use and just do the same - I can try to replicate it for the lock status

[epenet]

Ah... the fixture file is empty, and so is the corresponding model.
https://github.com/hacf-fr/renault-api/blob/main/tests/fixtures/kamereon/vehicle_data/lock-status.json

renault-api/src/renault_api/kamereon/models.py

Lines 379 to 383 in 680cd5a

	@dataclass
	class KamereonVehicleLockStatusData(KamereonVehicleDataAttributes):
	"""Kamereon vehicle data lock-status attributes."""

If you update the fixture file with real data, and adjust the KamereonVehicleLockStatusData data class it should be straightforward to then add to HA.

[FRSTR]

Ok. let me see If I can figure this out.

[epenet]

And one more file to adjust afterwards: the tests to ensure we parse the data correctly.
https://github.com/hacf-fr/renault-api/blob/main/tests/kamereon/test_kamereon_vehicle_data.py

[FRSTR]

@epenet I've created a draft PR at #506 I did not expect that would be that easy with github desktop app,
but at the same time... I did not run it anywhere to test, hopefully those tests cover it.
And of course please let me know if my updates make sense, or not.

[jumpjack]

In my tests with my app I get the usual "403 forbidden" response.

status": "502",
"code": "gateway.processing",
"title": "VNEXT",
"detail": "an internal error occured while processing request : 403 FORBIDDEN"

[FRSTR]

@jumpjack you get this error for which request?

[jumpjack]

for the last one you are talking about, lock-status.

[jumpjack]

')

Note: MyRenault app requires a PIN code set in the app to start AC, 

Where? On android, version 4.26.0 has no pin request for hvac, just a button.

[FRSTR]

Different cars apparently make it different. My car basically starts its gasoline engine to do the job, and I guess it requires some level of security. Presumably for e-cars, hvac is considered less severe thing and thus does not require anything like that. Though if I'm not mistaken, the PIN code was required at the step of pairing the app with the EasyLink media in car.

[jumpjack]

when I brought my plugin captur to the dealer last week, because preconditioning is no more working since 6 months, during the diagnosis he detected a "missing pin" error, but he was surprises and not able to explain it... so he just ignored it.

[epenet]

Out of interest, does the hvac-status endpoint work on the Captur?
It seems to now be available on the other vehicles, so I wonder if these lines can now be removed:

renault-api/src/renault_api/kamereon/models.py

Lines 57 to 59 in 933b200

	"XJB1SU": { # CAPTUR II
	"support-endpoint-hvac-status": False,
	},

[FRSTR]

@epenet on the main topic of this issue ticket: I created a proof of concept for Engine Start wtih SRP, and it goes throught the entire flow using renault-api cli, but...

• the final verification fails. Probably the SRP library I used is not fully compatible with the one used in Renault, because the SRP protocol appears not that strict.
• after the entire evening of test attempts, the API started responding with errors earlier in the flow, or I got simply banned for too many failed srp auth requests. Good thing is that re-pairing the car to the app helped, though it tooke several attempts.
• renault app seems to use some native library to work with SRP, so you don't really see from Android APK how this part is implemented internally. The code is kinda available but it looks obfuscated.

So not even sure what can be done there further :(

[epenet]

It's hard to discuss without seeing the code - maybe you can create a draft PR to show how much you managed to implement.

[FRSTR]

@epenet I've posted #519
I'll add details on how to run it in this PR

[jumpjack]

Out of interest, does the hvac-status endpoint work on the Captur? It seems to now be available on the other vehicles, so I wonder if these lines can now be removed:

renault-api/src/renault_api/kamereon/models.py

Lines 57 to 59 in 933b200

	"XJB1SU": { # CAPTUR II
	"support-endpoint-hvac-status": False,
	},

Remote activation of HVAC on my captur is broken since August 2021; I brought the car to dealer 6 times and I had SW updated and some HW replaced, but it is still not working. :-( (which is why I started studying unofficial apps and methods to remotely activate HVAC).

But I read that several people have broken remote HVAC on their Captur since december 2021, I guess something is going wrong at Renault. I wonder if they messed up and mixed up Dacia/Renault SW, because my dealer recorded a "missing pin" while performing electronic diagnosis on my Captur, but there is no place where to write any pin in app for the Captur!

[jumpjack]

@epenet on the main topic of this issue ticket: I created a proof of concept for Engine Start wtih SRP, and it goes throught the entire flow using renault-api cli, but...

• the final verification fails. Probably the SRP library I used is not fully compatible with the one used in Renault, because the SRP protocol appears not that strict.
• after the entire evening of test attempts, the API started responding with errors earlier in the flow, or I got simply banned for too many failed srp auth requests. Good thing is that re-pairing the car to the app helped, though it tooke several attempts.
• renault app seems to use some native library to work with SRP, so you don't really see from Android APK how this part is implemented internally. The code is kinda available but it looks obfuscated.

So not even sure what can be done there further :(

UserID is presumably gigya_person_id that can be found if execute "renault-api settings". The same ID is sent at the srp-set endpoint by android app, so probably that the right one

No, UserId is different than PersonId and AccountId!
I somewhere in the various login responses I found an "UserId"... but I can't find/remember its path right now, I discarded it in my code.

Anyway I see also:

• data.accounts[0].personId
• data.accounts[0].accountId
• data.accounts[0].externalId
• data.originUserId
• data.partyId
• data.trackingId

[FRSTR]

well, UserId is what I called it. I also thought that it might be the Kamereon ID of the user, which is 5 digits, or smth like that.
It did not work either, and the reason I think (but not 100% of course) that I choose the right one is that in the first srp request we also send gigya_person_id next to encrypted SRP blob.

[jumpjack]

After digging up my old code...

JWT response:

• callId

personId response:

• UID
• UIDSignature
• callId

accountId response:

• idp.idpId
• mdmId
• partyId
• trackingId

VIN response:

• vehiclelinks[0].preferredDealer.dealerId

And don't forget that also VIN is called "id" in the responses:

{
"id": "Vxxxxxxxxxxxxxxxxx",
"timestamp": "2022-02-07T15:18:06Z",
"batteryLevel": 80,
"batteryTemperature": 20,
"batteryAutonomy": 31,
"batteryCapacity": 0,
"batteryAvailableEnergy": 6,
"plugStatus": 0,
"chargingStatus": 0.4,
"chargingRemainingTime": 15,
"chargingInstantaneousPower": 0
}

[jumpjack]

Another clue is that for Dacia users the PIN required to remotely control the HVAC is the one provided by the car at first pairing with the cellphone.

[FRSTR]

I just tried wtih kmrUserId, it produced the same result. The reason I tried it is that in the final response it is provided by the server, plus in some other Renault API implementatin I saw they tried to use there.
And yes, it does not mean I selected the correct one initially, because the issue could be somewhere else, including pysrp implementation (and there is a discussion about it in its repo).

[FRSTR]

@epenet do you happen to know what url we can use for renault to get similar info as in the code below?

    def get_user_id(self):
        resp = self.oauth.get(
            '{}v1/users/current'.format(self.settings['user_adapter_base_url'])
        )
        user_id = resp.json()['userId']

this is from https://github.com/wobniarin/HEMS_API/blob/main/HEMS_API/nissanapi.py
and their user_adapter_base_url = https://alliance-platform-usersadapter-prod.apps.eu.kamereon.io/user-adapter/

I think this user id can be used in srp, and my guess is that it is different from those I tried

[FRSTR]

@jumpjack isn't it just a root hostname? in that php implementation there does not seem to be a user-adapter available. I tried to run renault-app by adding "/users/current" to couple different paths that came to mind, but it did not work

[jumpjack]

Yes, I didn't notice the slightly different url...

• 'car_adapter_base_url': 'https://alliance-platform-caradapter-prod.apps.eu.kamereon.io/**car**-adapter/',
• 'notifications_base_url': 'https://alliance-platform-notifications-prod.apps.eu.kamereon.io/notifications/',
• 'user_adapter_base_url': 'https://alliance-platform-usersadapter-prod.apps.eu.kamereon.io/**user**-adapter/',

We could try some combinations/variants of these:

• const KAMEREON_API_BACKEND_PERSONS_URI = 'commerce/v1/persons/';
• const KAMEREON_API_BACKEND_ACCOUNTS_URI = 'commerce/v1/accounts/';
• const KAMEREON_API_BACKEND_CAR_ADAPTER_V1_URI = '/kamereon/kca/car-adapter/v1/cars/';
• const KAMEREON_API_BACKEND_CAR_ADAPTER_V2_URI = '/kamereon/kca/car-adapter/v2/cars/';

[epenet]

@FRSTR you should use the sniffing tools that you previously used to confirm.
If the Renault app uses the gigya ID as the user ID, then you might not need to worry about searching longer for the UserID.
Otherwise you should see the required url as part of the sniff.

[FRSTR]

Well, I'm not sure this username is even sent to server, because the server already knows who we are when we are logged in. In srp-sets the request body included "i" param which is gigya ID, and maybe it is there for this purpose, but not sure.

[jumpjack]

Maybe sniffing traffic of this Nissan app can help reversing engineering the SRP protocol? But I don't know if it also works for Leaf.
https://play.google.com/store/apps/details?id=com.ideeo.nsnremote

Have you ever dreamed about activating your car accessories remotely from your mobile device?
The Remote EX for NISSAN allows you to activate several accessories from your car remotely. You can turn on the head lights, sound the horn and lock/unlock doors without touching your car keys.

• Turn Lights Flasher
• Parking Locator (*)
• Head Lights (*)
• Low Beam (*)
• High Beam (*)
• Front Fog Lights (*)
• Turn Lights (*)
• Open Trunk (*)
• Lock/Unlock Doors (*)
• Horn (*)
• Wipers (*)

Commands marked with (*) are available through in-app purchases.

[FRSTR]

Sniffing won't help, the SRP protocol was created to stand against MITM attacks in the first place. Except for SRP part, other communications with the server are clear, and it is all about the implementation of SRP plus some of its variables. I've looked into the Android app, and all those things are hidden in native library.

[FRSTR]

Just in case, I looked into the NIssan's app, and they simply use Renault's implementation and library as is.

[jumpjack]

Where you also able to see how it uses endpoints for horns, lights and doors locking?

[FRSTR]

I used HttpCanary (this is one of debug proxy apps), though I had to use rooted Android with certain tricks and make the SSL certificate from HttpCanary trusted in Android. Otherwise HTTPS sniffing did not work for me.

[jumpjack]

and what did you see?

[FRSTR]

I looked into the things related to engine start and door locks. The lock-status endpoint is for doors, and it is already in the source code of this python project. You can take a look into the tests to see its response format. The engine start routine is in the SRP sample I posted to the other PR.