New Nissan Connect EV API

LeafAPI.md

Late 2018 Update

I am no longer working on this as the new API is US-only as I'm in the UK, so cannot even use it or the new app. Please don't ask me questions about it as I honestly can't remember anything.

Nissan Connect EV 2018 API

This is a work in progress, just jotting down my findings from the APK decompile so far. As I can only read the decompiled Java and not MITM the app due it not working in the UK, getting the payload info may take a while. There's loads of API calls so this may not be thorough for a while.

Base URL: https://icm.infinitiusa.com/NissanLeafProd/rest

Battery

GET /battery/vehicles/:vin/getChargingStatusRequest

POST /battery/vehicles/:vin/remoteChargingRequest

POST /battery/vehicles/:vin/cancelRemoteChargingRequest

HVAC

POST /hvac/vehicles/:vin/activateHVAC

POST /hvacSchedule/vehicles/:vin/cancelHVACSchedule

POST /hvacSchedule/vehicles/:vin/createHVACSchedule

POST /hvac/vehicles/:vin/deactivateHVAC

GET /hvacSchedule/vehicles/:vin/getHvacSchedule

POST /hvacSchedule/vehicles/:vin/updateHVACSchedule

Find My Car

POST /vehicleLocator/vehicles/:vin/refreshVehicleLocator

POST /vehicleLocator/vehicles/:vin/getNotificationHistory

Security

POST /remote/vehicles/:vin/accounts/:accountId/rdl/createRDL

POST /remote/vehicles/:vin/accounts/:accountId/rdl/createRUDL

Horn and Lights

POST /remote/vehicles/:vin/accounts:accountId/rhl/createRHL

Misc

GET /remote/securityQuestions

PUT /remote/vehicles/:vin/accounts/:accountId/authorizationInformation

Account Stuff

POST /auth/softLoginforAAS

Can take a query string of ?vin=<vinHere>&subscription=<true/false>

POST Body:

{
	"userid": <username>,
    "password": <password>,
    "country": "US", // Others to come?
    "brand-s": "N", // N for Nissan?
    "language-s": "en"
}

It wouldn’t be as bad if they had actually useful offerings as part of their app - Shortcuts and Widgets on iOS for instance.

But they offer the bare minimum and offer it badly, which leads us to needing HASS integration, etc

I haven't been able to get the createRDL, createRDUL, createRHL APIs to work (has anyone?) but I am able to get that functionality with a parallel API that talks to prd.api.telematics.net. I sniffed it from the NissanConnect Services iOS app using mitmproxy, and found that there is a project on GitHub that implements it in Python: https://github.com/KalenXI/NissanConnect. It's a completely separate API that requires its own login process but uses the same username/password as the EV API.

In addition to the basics in that repo, the app works by making a request, getting a service request ID, and polling on that ID. The flow looks roughly like:

Request:

POST https://prd.api.telematics.net/m/remote/accounts/:accountID/vehicles/:vin/remote-door
{
    "command": "UNLOCK",
    "pin": ""
}

Response:

{
    "serviceRequestId": "77D4E140-7603-22EC-B15A-0050578B19DB"
}

Request:

GET https://prd.api.telematics.net/m/remote/accounts/:accountID/vehicles/:vin/remote-door/:serviceRequestID?serviceType=UNLOCK

Response:

{
    "activationDateTime": "2022-01-16T13:35:32-06:00",
    "serviceRequestId": "77D4E140-7603-22EC-B15A-0050578B19DB",
    "serviceType": "REMOTE_DOOR_UNLOCK",
    "status": "INITIATED",
    "statusChangeDateTime": "2022-01-16T13:35:32-06:00"
}

This request/response is repeated until the operation completes. Eventually the status transitions to SENT and finally SUCCESS.

The supported operations appear to be LOCK, UNLOCK, HORN_LIGHT and LIGHT_ONLY. It looks like other Nissan vehicles might support START and STOP for remote engine starts but I don't think the Leaf does.

Hi @joeshaw!

I'm really interested by this new API. I'm in Europe and the header seems to be on "us" URI. Did you see something for EU ?

Thanks

@BreizhCat I’m sorry, I don’t know as I am in the US. What I have noticed, though, is that in the past few years there has been a divergence in mobile apps and APIs between the US and Europe (perhaps GDPR-related?). So I don’t know if this one will work outside the US but I think it’s worth investigating.

@joeshaw
Thanks for your feedback.
I'm aware about the difference between US & EU. My script is working with the old fashion "API". I don't know why Nissan are splitting API's. Maybe GDPR as you said...
I will have a look deeper in your API to see if possible to use it in EU.

Keep in touch :)

Nissan has introduced a new way getting secrets for the API using Google Firebase Cloud storage. This makes it almost impossible to keep supporting North American vehicles as Nissan can update the secrets stored inside Google Firebase on-the-fly so to speak. These secrets cannot be accessed outside the offical app. Because of this Nissan will be able to "disable or break" third part clients. So using the new secret will only temporarily make clients work again until Nissan changes it. They can do this without updating the official app.

So sadly this is basically the last straw for supporting North American vehicles with third party clients and other integrations.

They save the secret to local storage with the key firebase_config_value. This secret config is located in a Firebase Cloud store. The Firebase Cloud config-key is called welcome_message which is base64 encoded and saved on local storage with the key firebase_config_value. This becomes the new User-Agent-Key.

I think there is little we can do about this sadly without a lot of hurdles. Any ideas?

So it's good bye and farewell to all third party clients and integrations for North American NissanConnect users.

@Tobiaswk Thank you for the writeup, and for all the effort you've done over the years.

Is it impractical or impossible for our apps to authenticate against the Firebase API to get the same info by extracting a credential from the mobile apps?

@joeshaw Thanks appreciate it! It has been my pleasure! ;)

Technically I think it is possible. The main problem is that the Firebase keystore used is normally tied to the application ID or bundle ID on Android and iOS if I'm not mistaken. This means you cannot use the same identifier for a signed app on Google Play or App Store. You would have to create a application with the same identifier and have to remove the official app. You would not be able to publish this app on Google Play or App Store as it clashes with the official identifier. I haven't investigated their Firebase integration in detail. So it's all guesswork. My Firebase knowledge is fairly limited.

So it's definitely something that will need to be investigated.

UPDATE;
Had a look. They are using Firebase Remote Config https://firebase.google.com/docs/remote-config/

That looks promising at least in the sense that they have a REST API: https://firebase.google.com/docs/reference/remote-config/rest

I'm pretty sure we must authenticate using OAuth2 which Google is using for their services. Detailed here etc.; https://firebase.google.com/docs/remote-config/automate-rc#python

I did discover some of the Firebase config values (used for authenticating with Firebase) inside the latest app. I won't post them here. I got the Firebase API Key Nissan use from these values.
https://firebase.google.com/docs/reference/android/com/google/firebase/FirebaseOptions contains these values.

How do we authenticate and get a token using the API Key? Is that enough?

Do you have the JSON keyfile? It looks like that's the preferred way to interact with the various OAuth2 libraries when using service accounts.

Some examples:

• Python example
• Go
• Dart.

That JSON file would contain all the necessary OAuth params (except for Scope, which is documented): client ID, client secret, redirect URL, auth URL and token URL) so if they don't have a JSON file I think these OAuth params would be pulled from elsewhere in the app.

Here's a Go fragment that parses the JSON file and fills out the OAuth parameters: https://cs.opensource.google/go/x/oauth2/+/d3ed0bb2:google/google.go;l=38

No I dont have the JSON file. It seems the North American Nissan app does not have this file. I haven't found it. I only have the values from the FirebaseOptions class instance at this stage.

I have found the way with the help of @yp87.

curl -vvv "https://firebaseremoteconfig.googleapis.com/v1/projects/<projectId>/namespaces/firebase:fetch?key=<apiKey>" -H 'content-type:application/json' -d '{"appId": "<appId>","appInstanceId": "dummy"}'

I have access to all the values needed for the request. I won't post them here. I can get the User-Agent-Key by getting the remote config key-values pairs that contains the welcome_message with the curl above.

This has been implemented directly into dartnissanconnectna.

Just to update. Nissan North America has yet again today made a new release. 7.3.4. This release uses Firebase Database instead of the Remote Config they used in last release. All only to break third party libraries and clients yet again.

Needs some investigation.

UPDATE;
An interesting tidbit. Nissan's own North American app is broken currently because of the changes they've made.

Guys, any progress on this? Thanks

@Raiden38 7.3.4 - Introduced use of Firebase Real-Time Database to store their “secrets”. On top of that Google’s SafetyNet is now used to secure against “security threats, including device tampering, bad URLs, potentially harmful apps, and fake users”.

They still use Firebase RealTime Database to store their User-Agent-Key HTTP header. They used it to rotate the User-Agent-Key every hour or so. This rotation of the User-Agent-Key was sent in "real time" to all the devices using the official app. They've reverted back from this behavior and now just stores a static User-Agent-Key which actually still works today. My guess is that all of this created adverse effects for the users of their official app. So all of this effort to "block" third party clients hit themselves like a ton of bricks. It's ironic in every sense.

I encouraged all users of My Leaf to write to Nissan themselves. Maybe that also had an effect.

I made a little write-up about all of this on my blog; https://tobis.dk/blog/the-farce-of-nissanconnect-north-america/

These APIs haven't worked for a while (see Tobias's post above) but it appears that Nissan have moved or removed these endpoints entirely. I now get 404 not found for everything under https://icm.infinitiusa.com/NissanConnectEVProd/rest, although looking at DNS query logs it seems like the iOS app is still hitting that hostname.

Edit: It is now (back to) https://icm.infinitiusa.com/NissanLeafProd/rest

@joeshaw your edit - does it imply something (anything) is working to some degree? Desperately trying to connect to my Ariya (USA).

@amaisano No, I've given up on this. The countermeasures Nissan took have pretty effectively blocked access outside of their app. Tobias's blog post linked above goes into some detail on what those are.

I am working on several workarounds for the NA crew, mostly based off notifications/alerts from the Android MyNissan app and/or spoken responses from the Alexa skill (both which cannot be permanently relied on either).

I’ll post more when I have it working better, but here is a sneak peek: