DroneMobile Component

I’m gonna spend the $30 to add the functionality. For $5/mo, not really a big deal. May still do the donor the API is for at work. Idk. I’ll look at the requests tho. I’m no Zuckerberg, but I’m sure I could at least come up with something…

If you pre-pay for 5 years during your month trial after it’s installed, it’s 2.99 a month. That’s what I’m doing.


Even better.
Is the bearer token and client id static?
Any clue on the expiry for the refresh token? Maybe some clue in the cookies?

As far as I can tell, Client ID is static. I think that ID tells AWS Cognito what app is trying to authenticate. I think it could change at any time, though, depending on if DroneMobile decides they want to change it.

The tokens returned from that first call have an expiration of 3600 in the response, so 1 hour.

The bearer token is the same as the IdToken returned in that first call, so it does expire and does change. After an hour, you can use the refresh token in your call to get a new IdToken.

Oh ok missed that.
Seems simple enough to work with the data. I won’t be able to do much until I get my unit, waiting for the car to be delivered… lol.
I could maybe whip up at least the skeleton, but won’t be able to do a whole lot in the way of testing w/o creds. I should have some free time tomorrow morning before work, I’ll give it a start.
I am not sure what is needed to make it a plug-in, but I can likely get something in the way of working code for someone else to work with, or I can investigate the procedure.
I’ll post results when I get somewhere.

Nice, sounds good. Let me know if I can help at all.


@bjhiltbrand,
I assume if you lock, start, unlock with the FOB, the drone app will update with the status.
Any chance you could sniff that traffic for me?
Might give me an insight on how to handle the webhooks (if there are any) for state updating.

Thanks

I’ve done all my sniffing from the webpage so far. I’ve never sniffed an app before. But, you are correct, there is an update in the app when you use the fob to control the car. I’ll see what I can do and get results back to you.

After playing around with it and starting a capture session, I realized that the app does not automatically update status of a vehicle. You have to refresh the page (which sends a POST request to https://api.dronemobile.com/api/v1/iot/command with the bearer token in the header and a body that has a command of “DEVICE_STATUS” - I hadn’t seen that one before) to get the app to refresh and display up-to-date information. It does not look like there is a push system. I’ll leave the packet sniffer running throughout the night to see if there is a heartbeat in the app.

Any updates on this? I know nothing about coding but I’d be willing to be a test dummy if you get something working, I’ve tried DroneMobile through assistant relay but it’s flaky at best and usually google doesn’t respond to the commands.

Haven’t had the time to get into the code. Sorry about that.
L.S.S. the hardware is here, but due to severe incompetence, my “new” car is not. So I have yet to even boot up the RS module. And I have been futzing about with a few other projects that unfortunately have taken “emergency” precedence… I’ll peek back if/when I have any updates. Not looking great with the holidays coming. /sigh

UPDATE:
Car is here, remote start is in and working. Unfortunately, it is getting dark so I need to finish the buttoning up tomorrow so I don’t have wires laying around everywhere. I also want to tape everything up before I start farting around with the API (no fires here! :upside_down_face:).

I’ll report back when I make some progress. Cheers!

Ok, so I’m a bit of a novice with sniffing.
@bjhiltbrand mind holding my hand a bit here?
I was able to successfully auth and get user and vehicle info, but I haven’t been able to send any of the commands.
I tried wireshark, but I don’t think I am even pulling anything from Drone… I tried filters but I haven’t seen anything that looks remotely important to our goal. :sweat_smile:

edit: nevermind, I’m an idiot… was going about it the whole wrong way… fml… moving forward…

Haha. No worries. I find that Fiddler is way more user friendly, and my go-to tool of choice. On rooted Android, I used httpcanary to watch app traffic. I used Postman to test the endpoints I found and send requests outside of the regular flow.

I abandoned Wireshark completely, I just pulled up the developer console in Firefox… :man_facepalming:
I’ll look into HTTPcanary to see what happens when I send a command and get a push back.
I have a POC (VERY messy, more like notes). Working on cleaning it up. Version 1a will be a raw Python script until I can figure out what I need to do to make it Hassio compliant.

I did test the API with Postman, and I was still having trouble with the commands, until I saw that I was posting with plain text and not application/JSON, instant success.

edit: bad typing

I now have working code, which includes using the refresh token. Being that we are working with cars and not just a light bulb, I considered it a little more secure to not have the password available in plain text. I will implement a notification path to warn the user that the refresh token has expired (unfortunately I could not find an answer on when that is, as AWS documentation says it is programmable from 5 min to 10 years), but it would be evident thru failure. I will leave the ability to leave it in the config if the user doesn’t care.
Still haven’t gotten to the Hassio setup yet, but I still haven’t gotten a releasable script ready. It works and is no longer just notes as my prior implementation was, but it isn’t really user friendly at this point. Might not be until the weekend 'til I have any considerable amount of time to really get anywhere.

edit: today I learned you can use a keyring (not desirable because that makes the core no longer able to autoboot) or thru AWS. Doesn’t change my decision to give the user the option for a “temporary” password
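
The token handling described in the post above, as an added example that is not part of the original thread or the poster's code: only the refresh token is written to disk (owner-only file), the IdToken is renewed shortly before its 3600-second expiry, and commands go out as JSON. Assumptions: `refresh_fn` is a hypothetical callable standing in for the Cognito refresh call, returning `IdToken` and `ExpiresIn` and raising `PermissionError` when the refresh token is rejected; the `{"command": ...}` body key and the `Authorization: Bearer` header are inferred from the thread's description.

```python
import json
import os
import time
import urllib.request

COMMAND_URL = "https://api.dronemobile.com/api/v1/iot/command"  # endpoint quoted in the thread


class ReauthRequired(Exception):
    """Refresh token missing or rejected: the user must log in again."""


class TokenCache:
    """IdToken stays in memory; the refresh token is the only secret on disk."""

    def __init__(self, path, refresh_fn, clock=time.time, skew=60):
        self.path, self.refresh_fn, self.clock, self.skew = path, refresh_fn, clock, skew
        self._id_token, self._expires_at = None, 0.0

    def save_refresh_token(self, token):
        # Create owner-only; chmod also tightens a file that already existed.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"refresh_token": token}, fh)
        os.chmod(self.path, 0o600)

    def id_token(self):
        # Renew `skew` seconds early so a command never carries a stale token.
        if self._id_token is None or self.clock() >= self._expires_at - self.skew:
            try:
                with open(self.path) as fh:
                    refresh_token = json.load(fh)["refresh_token"]
                result = self.refresh_fn(refresh_token)  # hypothetical Cognito call
            except (FileNotFoundError, KeyError, PermissionError) as exc:
                self._id_token = None
                raise ReauthRequired("refresh token unusable; log in again") from exc
            # Outages raise other exceptions and propagate; they are not a re-login case.
            self._id_token = result["IdToken"]
            self._expires_at = self.clock() + result["ExpiresIn"]
        return self._id_token


def build_command(cache, command):
    # Assumed request shape: {"command": ...} body, Authorization: Bearer header.
    body = json.dumps({"command": command}).encode()
    headers = {
        "Authorization": "Bearer " + cache.id_token(),
        "Content-Type": "application/json",  # plain text is what failed in the thread
    }
    return urllib.request.Request(COMMAND_URL, data=body, headers=headers, method="POST")
```

`build_command` only constructs the request; passing it to `urllib.request.urlopen` would send it.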

Nice! I would agree that using the refresh token is the best route to go. Please let me know if you need me to test code. I also have 2 cars on my account. I don’t know if you have more than 1 car, but it would be good to make sure we can handle multiple vehicle scenarios.

The main package is near completion, I am cleaning up the code, and fail testing.
I will be posting to github in the next week or so. Being the holiday season I have several other projects that unfortunately take precedence. I’ve really only been able to work on this during my down time at work in a browser IDE (not particularly ideal).
From there, I need to look into how to get it on PyPI so hassio can import it, as well as building the integration. (Any help here will be appreciated.)
I’ll appreciate anyone who can help with bug reporting once it’s uploaded.
As this will be my first public deployment, please be kind =).

Thanks for your patience.


Sorry folks, been quite busy. I finished my last ‘big’ project for the holidays.
I had my father (system software eng) and uncle (back end dev) peek at my code before going public,
they pointed out a few logical flaws and at least 2 security issues.
Also, in my testing I noticed 2 new issues:

The AWS auth server went down about 2 weeks ago, I didn’t think about that and have to add better error/exception handling.
As @bjhiltbrand pointed out, there is no ‘auto refresh’ of the telemetry (e.g. the interior temperature).
This is not simply a server issue, it is also that the module doesn’t appear to actually update most of the sensors to the server unless the car is actually running, and/or there is an explicit API call to do so. I assume this is in the interest of saving battery life. It does appear to update on any successful command, but I wouldn’t recommend any type of auto polling by hassio to show things like the door locks (mine always shows unlocked for some reason anyway, must have missed a connection) or even the battery level.
I have to address the security holes and some of the unseen errors before I would want to stamp my name on it and post.
I am off for 2 weeks starting Festivus and plan to take a hard look into it.
At this point, I am uncertain if I will be porting to hassio, it appears to be outside my skill level at this moment, and with the impracticality of updating the sensors, it may not even be worth it. I will still be (eventually) releasing the package, and will personally be running it as an external script.
Sorry to disappoint, but once it is released, I would not be opposed to someone else implementing it themselves if they so chose.

Happy Holidays!
cheers.

Not only that, I’m pretty sure the main driver behind not updating until a command is sent is to limit the amount of data used per SIM card. There is a limit in their terms of service for the varying tiers, and it states that they reserve the right to charge you more if you go over those data limits.

From the Terms and Conditions:

  1. General Practices Regarding Use & Storage:
    You acknowledge that Firstech, LLC may establish general practices and limits concerning use of the Service, including without limitation, the maximum number of times (and the maximum duration for which) you may access the Service in a given period of time. Also, customers with the “Basic Plan” of service may be required to upgrade their service to the “Premium Plan” if they are found to use the service in excess of 70KB per month for three consecutive months. Use exceeding 70KB is considered excessive use or for commercial applications and will be subject to an upgrade to a higher usage plan, deemed “Premium Plan”. In the rare event that customers exceed “Premium Plan” usage rates, Firstech, LLC reserves the right to charge the customer for additional usage.

Any kind of heartbeat service would almost assuredly overrun that data allotment.

I was at a loss as to the flow to get any plugin into HASS IO, or to PyPI, as well. I can research it over the course of the next couple weeks, as I am wrapping up at work as well. I will have some time to spend on this. If you would be willing, I would like to get a hold of what you have so far and poke around with it to see if I can QA it any further. Send me a message if you want. Thanks.

Most of my Python is relegated to local functions, and wrapping existing wrappers… This is my first real attempt to wrap an API directly. As I mentioned before, I have it ‘working’. In fact I use it every day at work since they managed to block the drone site (and I have little to no cell svc inside), but not “codeanywhere.com” thru which I can SSH into my home server and send a ‘remote_start’ from my code. But it is messy, I have a new revision building, I’ll try to get on it more tomorrow/the weekend and at least have the class structure re-built. Then I will rebuild the test script into something like an actual app. I’ll post the git link once I have something to show.