Frida scripts used for pentesting the GM Chevrolet app (android)
MathewYaldo/GM-pentest-android
GM pentest (Android)

Welcome! This repository contains some of my Frida scripts for pentesting General Motors' Android applications.

SSL Pinning

Connections to certain endpoints, such as api.gm.com and gmmobileservices.gm.com, are protected by SSL pinning. The app uses okhttp3 both for its web requests and for the pinning itself. Getting around this is trivial and simply requires overwriting some of okhttp3's SSL-pinning functions to return true.

OAuth

During the authentication process, the application creates a base64-encoded JWT and sends it in a request to https://api.gm.com/api/v1/oauth/token; the response returns a separate token used for interacting with their APIs, among other things. The key used to sign the JWT is sought after by many, since it would allow users to perform functions such as starting their car or locking/unlocking the doors from custom applications.

An example token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJPTUJfQ1ZZX0FORF81QTEiLCJkZXZpY2VfaWQiOiI1NGNjYmUzMC1mNTYxLTRkNTYtYjJmNi1iN2QyZDM5YWYxZDMiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJub25jZSI6Imh0dm00dmRncmg2c21vdmk2NWJvaG00Y2VuIiwicGFzc3dvcmQiOiIxMjM0NTY3ODkwIiwic2NvcGUiOiJvbnN0YXIgZ21vYyBjb21tZXJjZSB1c2VyX3RyYWlsZXIgbXNzbyIsInRpbWVzdGFtcCI6IjIwMjEtMDUtMTJUMDQ6NTY6MzYuMzU4WiIsInVzZXJuYW1lIjoicmFuZG9tQHRlc3QuY29tIn0.wDOD4lh8-5QEmDJZWfWdXfkQ4lscUaYMRdMkkIyWZZ8

Base64-decoded header and payload:

{"alg":"HS256","typ":"JWT"}
{"client_id":"OMB_CVY_AND_5A1","device_id":"54ccbe30-f561-4d56-b2f6-b7d2d39af1d3","grant_type":"password","nonce":"htvm4vdgrh6smovi65bohm4cen","password":"1234567890","scope":"onstar gmoc commerce user_trailer msso","timestamp":"2021-05-12T04:56:36.358Z","username":"random@test.com"}

Below are the current Client ID and HMAC key:

Client ID: OMB_CVY_AND_5A1
Key: UGzw6PB8wpKANvnYewmSREXpxtbBkjjmGP6s

The Client ID can easily be obtained by base64-decoding the JWT payload in the api.gm.com request headers once SSL pinning is bypassed. I have decided not to post the Frida code for intercepting the HMAC key, though I can say it isn't difficult to come up with a solution to get it. Take a look at the JWTBuilder.cs file for a C# implementation that generates a proper JWT token.
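The token format above, as an added Python example (not code from this repository; a counterpart to what JWTBuilder.cs does, with the server-side verification and a check for credentials left in the plaintext payload). The function names and the constructed key are my own; the only page value used is the example token.

```python
import base64
import hashlib
import hmac
import json

# The example token from the README above (its payload holds test credentials only).
EXAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJPTUJfQ1ZZX0FORF81QTEiLCJkZXZpY2VfaWQiOiI1NGNjYmUzMC1mNTYxLTRkNTYtYjJmNi1iN2QyZDM5YWYxZDMiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJub25jZSI6Imh0dm00dmRncmg2c21vdmk2NWJvaG00Y2VuIiwicGFzc3dvcmQiOiIxMjM0NTY3ODkwIiwic2NvcGUiOiJvbnN0YXIgZ21vYyBjb21tZXJjZSB1c2VyX3RyYWlsZXIgbXNzbyIsInRpbWVzdGFtcCI6IjIwMjEtMDUtMTJUMDQ6NTY6MzYuMzU4WiIsInVzZXJuYW1lIjoicmFuZG9tQHRlc3QuY29tIn0.wDOD4lh8-5QEmDJZWfWdXfkQ4lscUaYMRdMkkIyWZZ8"

# Claims that should never ride inside a JWT payload, which is only base64url-encoded, not encrypted.
SENSITIVE_CLAIMS = ("password",)

def b64url_decode(data: str) -> bytes:
    # JWT compact serialization drops base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token: str):
    """Split a compact JWT into (header dict, payload dict, raw signature bytes)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))

def build_hs256(payload: dict, key: str) -> str:
    """Mint an HS256 token using the same compact JSON encoding the app's header shows."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, key: str) -> bool:
    """Server-side check: pin the algorithm, recompute the MAC, compare in constant time."""
    header, _, sig = decode_jwt(token)
    if header.get("alg") != "HS256":  # reject "none" and algorithm-confusion tokens
        return False
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def leaked_claims(token: str) -> list:
    """Sensitive claim names exposed in the plaintext payload (the password, in the example)."""
    _, payload, _ = decode_jwt(token)
    return [name for name in SENSITIVE_CLAIMS if name in payload]
```

Re-encoding the decoded example payload reproduces the token's first two segments exactly, so anyone holding the token can read (and, without the key, only read) the claims inside it.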

Defpackage

Some classes are not part of any package and live in defpackage.*. To intercept a method of such a class, call Java.use() with just the class name. For example, to intercept defpackage.ow2, use the following: Java.use("ow2");
