Wednesday, February 13, 2013

Volvo On Call (VOC) API

Hi!

This subject is something that really interests me; it's an awesome technology that has many prospects for the future. So, of course, I would like to know how it works.

Before you continue reading, I would like you to know that the information written below is for educational purposes only. Using the things explained below (for whatever reason) might (most likely) be breaking Swedish law (since the Volvo On Call server is located in Göteborg (Gothenburg)). Contacting and using data from the Volvo On Call API might be seen as data trespassing, which Sweden has a law against (described as “Dataintrång”, defined as a crime in 4 chapter 9 § of the crime code (brottsbalken)).

So, here we go.

Next week I am going to get my V60 MY12 and I already downloaded the Volvo On Call app. I thought, if possible I’ll write my own app where I can not only set a timer, but also set a schedule and maybe export journal information. So, I went to work.

It took me a few hours last night to figure everything out, but I think I got it now. Since I have no Volvo on call account yet, I can’t give any full details just yet.

So, how does it work?

The VOC service

I am not going through any details on how the VOC service works, but from what I understand, it's run using a cellular connection to post data to the vehicle from a centralized server/service (based upon Wirelesscar.com services, I believe). You as a user use the service by sending commands to an API, which in turn contacts the service, which connects to the car.

So, I installed Wireshark and tried to figure some stuff out. I shared the network on my MacBook and connected my iPhone to this network. Then I started listening for packets as I tried to register for an account in the app.

Decrypting

Unfortunately for me, the fine people at Volvo (and maybe some at Mobiento as well(?)) thought of that and took the natural way of setting up the server with a Rapid SSL certificate, thereby encrypting the connection between the client and server… impossible for me to decrypt unless I have the private key (which I’ll never have!). So, I couldn’t find out much more than that the API is located at https://vocapi.wirelesscar.net (wirelesscar.net is owned by Volvo in Göteborg, and hosted at an IP address in the same city; hence the legal note above!). But visiting that URL only gives me a forbidden page from an Apache 2.2.3 web server on a Red Hat server. Damned! Stuck!

Fortunately for me, the client (VOC app) doesn’t do any certificate verification and trusts that if the certificate is “trusted” by the system, it must be OK. So, after searching a bit I found the OS X app called “Charles”. Charles is a web-debugging proxy. This means that you can make a proxy for debugging purposes etc. Also, Charles lets me set up an SSL proxy, which is just what I needed. Charles shares the private certificate it uses, so I could import it on my iPhone so my phone would trust it.

Now I set up my proxy, removed the internet sharing and changed the wireless settings on my phone to connect to the internet using a proxy… my MBP using Charles. Suddenly, when trying to register in the app I actually could figure out where the API is located, which is https://vocapi.wirelesscar.net/customerapi/rest/v2.0/. Since I now possess the private key, Charles automatically decrypts the connection and I could read the data in clear text. Awesome! So I tried it out in the browser….
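The gap described above (the app accepts any certificate the system trusts, including one issued by a user-installed proxy CA) is what certificate pinning closes. The sketch below is an added example, not code from the VOC app or from the original post; the two byte strings are constructed stand-ins for DER certificates, and `pin_ok` and `open_pinned` are hypothetical names.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
GENUINE_DER = b"constructed-der-bytes:genuine-api-leaf"
PROXY_DER = b"constructed-der-bytes:leaf-minted-by-debugging-proxy-ca"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Pins shipped inside the client (assumption: the genuine leaf is known at build time).
PINNED = frozenset({fingerprint(GENUINE_DER)})


def pin_ok(der, pins=PINNED) -> bool:
    """True only if the presented leaf certificate is one the client shipped with."""
    return bool(der) and fingerprint(der) in pins


def open_pinned(host: str, port: int = 443, pins=PINNED, timeout: float = 10.0):
    """Open a TLS connection that must pass chain validation AND the pin check.

    Raises ssl.SSLCertVerificationError if the chain or hostname is invalid,
    and ssl.SSLError if the chain is trusted by the system but the leaf is
    not pinned (the debugging-proxy case from the text).
    """
    ctx = ssl.create_default_context()  # system trust store + hostname check
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # leaf certificate as DER bytes
    if not pin_ok(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} is system-trusted but not pinned")
    return tls
```

Pinning the whole leaf certificate breaks on every renewal; pinning a hash of the public key or shipping a backup pin avoids locking clients out.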

Damned! HTTP-Authentication!

Here I got stuck for quite a while… whatever I did, I could not figure out the login. None of the logs, neither in Wireshark nor Charles, ever displayed any HTTP-Auth. If they had, it would be a piece of cake, since HTTP-Basic auth is nothing more than a Base64 encoding of the login string (username@password).

I sat with it for an hour yesterday evening and it suddenly hit me… how the hell can the app get data back, when it doesn’t have to login? Well, that’s because the register page doesn’t require any login. So I tried the register account page. So I looked a bit closer, and as you do in a RESTful API, when setting data you either POST it (new data) or PUT it (update data). The app was POSTing.

So I installed the Firefox add-on HTTP Resource Test and voilà… it worked! I could re-create the request on my Mac.

So now I could figure out why I couldn’t access the other pages. Since I made the request manually now, I could see in Charles that the basic auth was actually the login I would create when creating a real account.

Stuck, till next week

So, for now I am stuck here, since I do not have my VOC pin code yet, which I guess I’ll set with the dealer next week. I will then try to figure out the API and see if it is of any use for what I want to do.

Why do I want to know all this?

Well, even though Mobiento AB made a fine app, I believe some things are missing.
Do not misunderstand me, I do like Mobiento. They are (just as every other App company in Stockholm), the best App agency (even though they don’t want to call themselves that). I met with them some time last year about an iOS Developer role… but what they really wanted was not someone who is awesome at iOS, but someone that was willing to develop for Android as well… which actually is kind of stupid if you ask me. Better to have two professionals in their area than have one person being half good (Hence the SSL Cert verification miss!). I am not a temp so I kindly declined at that time.

Anyways… what I am missing is the possibility to set a schedule for the heating timer. I would like the app to automagically send the command to the car that the timer must be set for X o’clock tomorrow morning. It doesn’t seem that the app has this support.

There are (at least) two ways of doing this:

1) By an external server, having the values and sending them to the API when appropriate

2) By setting a local push notification and informing the user that they have to set the timer (which opens the app, shows a button and sets the timer).

Also, I would like to export the journal data to e.g. a CSV file so I can use it in e.g. Excel.

Last but not least, I am a little bothered that Mobiento didn’t add iPhone 5 support AND that they chose to divert just a little bit from the traditional iOS GUI. Somehow, something feels wrong in the app. For instance (in demo mode), the tabs. They give an illusion that the wrong tab is chosen… the colors should be the other way around (active/inactive tab). I think I actually can make a better looking app… if I only get the time.

Updates

So, when I’ll get my car… will I update this page with the API information?

Well, I don’t know just yet. I gave you in broad strokes the recipe above on how to figure it out yourself, so you could do it yourself. However, given that you actually need an account in order to test your application or to find out how the API looks… I think it's best not to share the API information. Maybe I’ll just share some method to prove that I actually figured it out.

Summary

The Volvo On Call (VOC) API is located here: https://vocapi.wirelesscar.net/customerapi/rest/v2.0/
It uses HTTP Basic Authentication for login, based upon the user's credentials.
It uses a Rapid-SSL signed certificate for encryption.
Request and Response data are in JSON format, UTF-8 encoded.
The VOC server is located in Göteborg, hence Swedish law applies (regardless of where you connect from).
The VOC server runs on Apache 2.2.3 on a Red Hat server.
The official app is developed by Mobiento in Stockholm

Hope you have some use for it. Remember, for educational purposes only!

Cheers,
Paul


Source : paulpeelen[dot]com
