
Login 401 from Postman client

Open Emixam23 opened this issue 7 years ago • 20 comments

Hey,

I was trying to connect to musical.ly from a Postman client so I tried to understand the PHP code of src/musically.php, however, I am getting a 401 but I ain't sure about why.

Here is my request:

[POST] https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true

Headers (22):

[Screenshot: screen shot 2018-03-19 at 10 47 01]

x-www-form-encoded:

[Screenshot: url form encoded]

And I am getting:

{
    "timestamp": 1521470164701,
    "status": 401,
    "error": "Unauthorized",
    "exception": "net.vickymedia.passport.composite.exception.UnauthorizedException",
    "message": "Unauthorized",
    "path": "/v2/login"
}

Do you have any idea why? The 3 Variables USERNAME, USER_EMAIL, and USER_PASSWORD are replaced by the correct values of course.

Thanks for any update !

Emixam23 avatar Mar 19 '18 14:03 Emixam23

Most likely, your X-Request-Sign5 header value is invalid. The header value is an HMAC-SHA1 hash of the request info, which contains a time stamp; if the time stamp is very old, like when this library was written, then the server will most likely say you are unauthorised. You need to generate your own X-Request-Info5 header value and then your own X-Request-Sign5 header value to get the correct response.

charlie-niekirk avatar Mar 20 '18 01:03 charlie-niekirk

Hey, thanks for your answer !

So I just need to generate a HMAC-SHA1 hash of a current timestamp?

"You need to generate your own X-Request-Info5 header value"

What is it corresponding to?

Thanks !

Emixam23 avatar Mar 20 '18 13:03 Emixam23

Base64 decode your current X-Request-Info5 header value, replace the time stamp with a current one and then encode it with base64 again. Generate an HMAC-SHA1 hash of that new value and that is the new X-Request-Sign5.

charlie-niekirk avatar Mar 21 '18 20:03 charlie-niekirk
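
The comments above describe a signed header pair: a base64 JSON request-info value carrying a timestamp, and an HMAC-SHA1 over that value. As an added example (not code from this repository or from musical.ly), this is how a server can verify such a pair, showing why a replayed old header and a timestamp edited without re-signing are both rejected. The key, the five-minute window, the sample values and all function names are assumptions, and the short suffix mentioned later in the thread is not modelled.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed; not a real application secret
MAX_SKEW_MS = 5 * 60 * 1000  # assumed freshness window


def encode_info(info):
    # Request info as compact JSON, then base64 (the Info header value).
    raw = json.dumps(info, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def sign(info_b64, key=DEMO_KEY):
    # HMAC-SHA1 over the exact base64 string, hex encoded (the Sign header value).
    return hmac.new(key, info_b64.encode(), hashlib.sha1).hexdigest()


def verify(info_b64, signature, now_ms, key=DEMO_KEY):
    # Check the MAC in constant time before parsing the untrusted JSON.
    if not hmac.compare_digest(sign(info_b64, key).encode(), signature.encode()):
        return "bad-signature"
    try:
        info = json.loads(base64.b64decode(info_b64, validate=True))
        ts = int(info["timestamp"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    return "ok" if abs(now_ms - ts) <= MAX_SKEW_MS else "stale"


# Constructed sample, shaped like a decoded request-info header.
SAMPLE = {"method": "POST", "ostype": "ios", "timestamp": "1496086576000",
          "url": "https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}


def demo(now_ms=1528578105000):  # constructed "current" time in milliseconds
    old_b64 = encode_info(SAMPLE)
    old_sig = sign(old_b64)
    new_b64 = encode_info({**SAMPLE, "timestamp": str(now_ms)})
    return {
        "replayed": verify(old_b64, old_sig, now_ms),  # valid MAC, old timestamp
        "edited": verify(new_b64, old_sig, now_ms),  # new timestamp, old MAC
        "resigned": verify(new_b64, sign(new_b64), now_ms),
    }


if __name__ == "__main__":
    print(demo())
```

Because the MAC covers the exact base64 string, any change to the JSON serialisation (key order, whitespace, escaping) produces a different signature even when the decoded fields are identical.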

Okay thank you, last question, do you know by any chance the key to use for the HMAC-SHA1 hash?

Emixam23 avatar Mar 21 '18 21:03 Emixam23

It depends on whether or not you want to emulate the Android app or the iOS app.

charlie-niekirk avatar Mar 22 '18 13:03 charlie-niekirk

Since in the header I am giving the information that I am using an iOS device, let's use the full iOS logic?

Emixam23 avatar Mar 22 '18 15:03 Emixam23

Here's a helpful article I wrote for everyone: https://medium.com/@charliethinks/reverse-engineering-musical-y-live-ly-android-apps-part-1-a910daad2ec2

charlie-niekirk avatar Mar 22 '18 15:03 charlie-niekirk

Hey, nice link, really interesting !

I was just wondering if you could explain to me the "M-TOKEN hash=" logic please? Also, I don't know if the X-Request* signature works since my token is probably wrong :/

But thanks !

Emixam23 avatar Mar 27 '18 22:03 Emixam23

The "M-TOKEN hash=" is given to you as a header after login I believe, or at least a very specific endpoint.

charlie-niekirk avatar Mar 28 '18 11:03 charlie-niekirk

Hey,

Yeah it comes from the login response, thanks.

Max

Emixam23 avatar Mar 28 '18 18:03 Emixam23

Success (y) Thanks for your help

Emixam23 avatar Mar 29 '18 19:03 Emixam23

@charlieAndroidDev Could you make your prescribed changes and send a pull request? Thanks

mangledbottles avatar Mar 29 '18 19:03 mangledbottles

@mangledbottles

If I were you, I would wait just a bit, I am currently writing an updated version. Once I am done, I will send it to @charlieAndroidDev.

After that, he will maybe be able to make more understandable code.

Best,

Emixam23 avatar Mar 29 '18 20:03 Emixam23

Yeah I’m happy to do that. There are gonna be pretty huge changes though...

charlie-niekirk avatar Mar 29 '18 23:03 charlie-niekirk

@charlieAndroidDev has it changed that much? They didn't seem to care too much about checking security precautions when I first looked at it.

mangledbottles avatar Mar 30 '18 19:03 mangledbottles

@mangledbottles Not that much, but it changed

Emixam23 avatar Mar 30 '18 21:03 Emixam23

@charlieAndroidDev Thank you

NullUsers avatar Apr 06 '18 02:04 NullUsers

@charlieAndroidDev Woah, I should have found your Medium write-up earlier. I took a different approach to get the signature.. which works but.. it's not easy to set up for consistent use. See my repository (which also includes a C# musical.ly API): https://github.com/AeonLucid/MusicallyRE

Edit: Implemented the HMAC-SHA1 signature generation.

AeonLucid avatar Apr 07 '18 23:04 AeonLucid

Stuck on this also...

base64_decode for X-Request-Info5 (note that deviceid is the same as "Slider-Show-Session" :??):

{"method":"POST","os":"iOS 9.0.1","X-Request-ID":"D7698DF1-3676-499F-AEAA-9EBE6564E32F","ostype":"ios","deviceid":"i0cd770c6af4d34659ba7211079066de8bb3","version":"5.7.1","timestamp":"1496086576000","-r":"5054","url":"https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}

I replace that timestamp with current time()."000" one:

{"method":"POST","os":"iOS 9.0.1","X-Request-ID":"D7698DF1-3676-499F-AEAA-9EBE6564E32F","ostype":"ios","deviceid":"i0cd770c6af4d34659ba7211079066de8bb3","version":"5.7.1","timestamp":"1528578105000","-r":"5054","url":"https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}

I base64_encode it:

eyJtZXRob2QiOiJQT1NUIiwib3MiOiJpT1MgOS4wLjEiLCJYLVJlcXVlc3QtSUQiOiJENzY5OERGMS0zNjc2LTQ5OUYtQUVBQS05RUJFNjU2NEUzMkYiLCJvc3R5cGUiOiJpb3MiLCJkZXZpY2VpZCI6ImkwY2Q3NzBjNmFmNGQzNDY1OWJhNzIxMTA3OTA2NmRlOGJiMyIsInZlcnNpb24iOiI1LjcuMSIsInRpbWVzdGFtcCI6IjE1Mjg1NzgxMDUwMDAiLCItciI6IjUwNTQiLCJ1cmwiOiJodHRwczpcL1wvYXBpLm11c2ljYWwubHlcL3Jlc3RcL3Bhc3Nwb3J0XC92MlwvbG9naW4/c3VwcG9ydExvZ2luVmVyaWZ5PXRydWUifQ==

I create an HMAC-SHA1 of the above base64 string at https://www.freeformatter.com/hmac-generator.html with the key "016bb7aee66891f9b6ce10f03874eb3889f24546aa&i0cd770c6af4d34659ba7211079066de8bb3":

3cee6e8c032b8aebad9e1e162384776a8c68ce60

I appended the 01a6 (also tried with 01i6) to it to use as X-Request-Sign5 but it gives me a 400 error

dfuse-dev avatar Jun 09 '18 21:06 dfuse-dev

@farrusete The iOS app may well use a different secret key to the one used in the Android app. I have not reverse engineered the iOS app whatsoever and as such cannot comment on whether replicating an iOS request in such a way would work at all.

charlie-niekirk avatar Jun 11 '18 12:06 charlie-niekirk