VOI Scooters API authentication #250
Comments
|
I'll look into this (later) |
|
Hey, Here's an complete Python script for the auth. I've deleted some accounts on the website above, all in the first row of UK should be fine. (Only use them for development pls I found an account with open debts lol) |
|
Does this fix your issue? If so, please close this issue. |
|
I think I am having the same issue. I have tried several different phone numbers, including both numbers that have active Voi accounts and numbers that do not. The request to |
Have you tried my script with the temp sms site provided? Many temp SMS sites are fake. The app does exactly the same my script does. i've validated this for multiple countrys. Have you tried rechecking your number on the official app? |
|
I have tried your script with the temp sms site provided. I cannot get a token back. The output of the script shows Errors about Too Many Requests or ErrNotParsablePhone. |
For me it works just fine. Are you accessing this from an dc ip? |
|
Yes, I use the Chalmers campus network. I tried several times, however, I can not get the text messages. |
Try from a home IP. |
|
I have tried from my home IP. And I did not get the text messages. |
|
This is interesting. Its not working for me too, now. Ill update the script a little later. |
|
Is this still not working, I've been trying and get the same issue. When i login via the app i get an SMS message from "SinchVerify" which is different to the previous Swedish number that used to be sent. |
|
You could potentially be interested in this official GBFS api rather than trying to use the app API: https://docs.voi.com/maas-light/ (I just found this link, I didn't go into more detail, probably it's only for partners) |
I didnt kney that existed. Im prolly able to redo the doc today. |
|
So I added headers to the script: For me this made it work, however I dont even know if it was broken before... |
|
Sick, thank you. I managed to find a workaround by downloading pcapviewer and enabling TLS Decryption to make a new account and get the tokens I needed. I did have to remove the Certificate Pinning that comes default on the Voi app, but after I could decrypt all requests from the app and successfully access the API. |
Small tip: Use BrowserStack. Open it up in chrome (firefox/ie wont work), sign up for a free trial account, upload your apk. Start in on any google device, and enable "Network Debugging" on the right site. Bonus: devices are real, which allows you to use arm images... You can only use this for 2 minutes for each device, but thats usually enough, and is way easier than removing ssl pinning... |
Ah, okay. Thanks for this tip. I was considering downloading a android emulator, but couldn't be asked tbh. I just used my Pixel phone. Never thought of searching for an emulator online. For the future i should use an emulator though, as i use voi daily. (I own one of their long term hire scooters in the UK as e-scooters are illegal, so i have 24/7 access to one. I started looking at how they work so i could try increase the speed, but it's too risky as the scooter is linked to me.) |
Anyway I don't think you could find anything that would make your scooter go faster, it must be clamped on the scooter side, the app only allows you to unlock it. |
It's all software based, all the voi scooters use brushless motors, which can't be limited with 'speed limiting cables' and such i think. You can actually change the speed from the app, and from looking at the api, it sends the speed name (Standard speed, Reduced Speed) when you request to unlock a scooter. It's 100% possible as i received one from them that went around 16-18mph (Ninebot default in the US i think), but eventually the motor started giving me issue so i had to request a replacement. But i'm not sure if that was because of an mistake when installing the IoT device, or someone who previously hired it flashed the software. Either way, it's possible to increase the speed via software, but not through hardware (i've dismantled it and found jack) Here's the website for these scooters (ltr.voi.com |
|
From what you say, the speed values seem to be predefined by the API so it may be difficult to change that. With a little luck it is possible to actually flash the scooter, I know there are applications on Android, but most of the time these scooters have a slightly modified software version compared to "those of the general public" P.S./ I don't think this is the right place to talk about it, but I'd be happy to talk about it more |
No worries, we can talk about it wherever. Just lmk |
|
You can, very easely increase the speed. All you need is an small arduino, and the right codes, but they are on the web. For via the api, as far as im aware, they just have two tiers, normal and reduced, and the speed for those two gets evaluated depending on the country you are in. You can also flash them, however that will defenetly void your warranty. And by hardware means, you can always make it even faster by applying an extra battery, however that requires not having any software limit in the first place. If you want to talk: BastelPichi#2878 |
|
So it appears Voi has implemented some kind of SHA265 signature for their v2 phone verification endpoint. The v1 doesnt appear to work anymore. As the APK is heavely obfuscated, Id reccomend to just get your token via your phone/an online emulator. |
|
Heres an small video tutorial on how to use Browserstack to obtain a token (im using an sponsored version, however this is just as possible on the free tier.) voi_token.mp4 |
|
@BastelPichi The API Headers have been changed and they are signing the requests , have you tried to reverse engineer that, I'm working on that but currently stuck if you could plz help me out #API for creating new token import requests url = "https://api.voiapp.io/v2/auth/verify/phone" payload = "{"country_code":"DE","phone_number":"15213388863"}" response = requests.request("POST", url, headers=headers, data=payload) print(response) This is the current format in which I think they are using HMAC (SHA-256 with a secret key) |
Nope, Im not spending any more time on this, at least for now. Check the message above, its quite easy to obtain a token manually with browserstack. Is there any reason manual token generation doesnt work for you? |
I am going through the steps of accessing VOI data
To gain a code you submit this body with the URL (The example Body)
{
"country_code": "DE",
"phone_number": "176xxxxxxxx"
}
I am from the UK and I cannot get it to submit, returns that 'parsing phone for given country failed'
{
"country_code": "UK",
"phone_number": "758xxxxxxx"
}
Have tried lots of variations, when I use GB the call goes through but I receive no text.
Have just tested verifying my number on the actual VOI app and it works with UK +44
Thanks
The text was updated successfully, but these errors were encountered: