[GH-ISSUE #1501] oauth2 token -> stored credentials #677

New issue

Open

opened 2026-02-27 19:31:54 +03:00 by kerem · 3 comments

kerem commented 2026-02-27 19:31:54 +03:00

Owner

Copy link

Originally created by @salvatorebattiato on GitHub (May 26, 2025).
Original GitHub issue: https://github.com/librespot-org/librespot/issues/1501

As you probably have noticed, spotify introduced the ability to login from desktop clients via the qr code you usually get in car/tv apps. The fun thing is that it's able to login5 after the oauth flow somehow, being able to store a fully qualified session with saved credentials. That would be awesome to have for alternative clients as it's a 1-click way to login through the mobile app.

Unfortunately, there's no http[2] api endpoint that manages this exchange, and everything is done under the hood by (probably) the TrIPE protocol running on access points at :4070
This is what i've found by digging app traffic with wireshark

-> client token request
-> oauth2 request
-> polling login spotify with all scopes
<- access_token (Bearer) and refresh_token get received
<-> encrypted stuff going on with ap-gew4.spotify.com:4070
-> login5 request with username and stored_password (protobuf entry 100)
     note that username was never to be found in http requests before this point
     so probably was decrypted somewhere in the :4070 tcp session
<- login5 response with a full-qualified Bearer and the same stored_password sent
     (able to do sessiontransfer and everything possible on spotify public api)

I'll post all the files needed in case someone wants to have fun reverse-engineering the TrIPE messages with the access point, below there's a dump of the encrypted conversation, the ssl keylog to decrypt the pcap with all http requests for reference (packets in it are almost all spotify-related, since I routed all traffic through a sock5 proxy and tcp-dumped it, as this was the only way to "see" the raw tcp traffic to the ap server)
There's also the output username and stored password that should show up in the decrypted conversation and the automotive apk bundle in case there are some symmetric keys waiting to be dumped

peers:
  - peer: 0
    host: 192.168.64.2
    port: 44414
  - peer: 1
    host: 34.158.1.133
    port: 4070
packets:
  - packet: 1195
    peer: 0
    index: 0
    timestamp: 1748250835.181074000
    data: !!binary |
      AAQAAAGcUg5QAKABAPABK8ACmO+iPKABAPABAMACAJIDZ1JlUmDoxy/aQhhh81vZ1ar83spPtJ/8
      7da/gkbmzsTMl7eRqR12JCDKpkJlwRB5vWMsAKDcFXSiuu5ehiAUpZt+HaBRrsdkqWwLnECf2Zro
      pjD4APeSUNH8FswTFWq0VL4Fag2gAQHiAxDRnJre/d9TMzzJoDSNtbHCsgTxAVnoNTGaV5Vuw7Za
      OMl4hUI3alWTpV/14ku5jmTgHsZvh4VYI56yC92um/OibpbYrsnakfvhAgSwMUHwOak0HjXxkf6y
      TNfAbQ3q2sOLY9cV7nPHdPzM0cY1FzBCoMo2FONRQ6Yzri6G63wMqplalQQB7xQpxgWkySryL8Z6
      pMqSKCVtfxg1Utxmr+Glwxzz6k30hyFFcasWrsLFkWO5pVyoRv3s+0O5gwv8AB4uIgqn1pFgFaY6
      +QRSpRaOci/Du3Jsnw39r2BoS9E4wlGGYl5ZxK3FF3FLjJscImNoVfz4RsLEFZ7iMzx/X8o1Htqv
      gFKCBQgIARoAKgIIAA==
  - packet: 1199
    peer: 1
    index: 0
    timestamp: 1748250835.260447000
    data: !!binary |
      AAACrFKlBVLsAlLpAlJg6XpsaS5hoiIaeMyXRTnkNjENUrIr5fxfdnHlKvHeNMJqfFqtEBDtHnw9
      NgJPOijH7JtjTd/FiTlktQ4BZkqsNdIHd4tza1GNA4fK7zVosJzQYKnv3ZMJ11IvFFDcxx63oAEA
      8gGAAlS/uXcAxMsCOkLNSs7GNrpXK96FjbtDerMVXl+LmqvadMl7cj0GlzYkRbc+3HCzU6y5h0pv
      wEprZ55toSmsk/NUUVcSe+sov1QqGSsObHXTdnxOavm50Yp1hrLdLoYgVEbWTNZuLQyI7OdWyuwb
      oBi5Qm9BhzUBSvXNUB+902HhtMEtUjKlCDaYKjcgHPv3ocvWsPiJyTq+c+C55sI37/NfCOs69XRJ
      L8Aw/9TBkeRCnFdaXHsSY4R/YWdK5tioaNcgaOZBosfjSnvIKyadnDQHTcNZ1E2owS3toW907h2C
      cwlAxSJXKd4cJONgHhgkFZyZECACB4owhubT/wr+78GiARRSElIQmI3FN/KkqX2mqzI08qQ47fIB
      HFIaUhByA/vd50Mwsox1q2lPO2WfoAEO8AHxhwHCAgJSAJIDEHID+93nQzCyjHWraU87ZZ/iA+QB
      HzGy0b0nfCZ3uIwWqc+vN5TmKTmPpt872BQtfUwb/2tMsTwJ2bkvUHG7ZhqKFVEf/HtYiyE3xvpL
      9HeXD3YCWyc/ZAD4k1BpT7eD2czV+MhQUFRxiBpr0w7iax1YbXiArNyApHDRDb+IkZhUZpEdtuFx
      J2mLkz2adai3zhUwTsIMzmZ8n3Q7JwXUfGtlmSFGCkiwldvtL1GV5x+qF21sIzvToNtH2wJMr363
      FBfYWyEgC7f8+OZNjc1sN+TZpAgUd6jvvoPyCjNwwUeImaKpua1gtaVHAjIUbmr5Rw4BXIWpS0Ms
  - packet: 1205
    peer: 0
    index: 1
    timestamp: 1748250835.274571000
    data: !!binary |
      AAAAOlIYUhZSFMpuwlkt5ozVLSeGWsc+OwCLD2XKogEUUhJSEEsCFzPLeYj/AAAAAAAAceDyAQJS
      APpNZxT7lvn1l7nnaHmNjBy62aKL1lK8LP25CUgEL2MxBOZeNKHykpbO14cwnsqBqHRWa6AX9mK1
      AfkrApkAEz0I+V5eM4vFjBsAnbZL8bUKk+72zMTm+P/XQ1LtwfPCdoZZETrqCX/7YWAAQMbBVOkk
      i1EzplEyBBvMJtiGXRE/9SCYk8QeTcD7imQP7Q2/BAYoTky8bYUA4DHwfdQBkd+73iWQr83L+NEs
      LYscDUkFzKZA9Rv89xQB9sdmRCsqmeqRaa8rXVPtX1dNou7+1iZzXfSQUTapnooyUXYU2b6ZakyP
      hlDVPPhZSSmTfGfA2VByznaNUm2tN89lKmH8Z2nhVUwY97xG1fLQRgrrO/9gbbvBjdLg0bUV2yyG
      oRF5cIDS6uSKc2eLCgW9//QG5JjEvqVzTOvB6utsrfl9wOrAFkBpLPf78HtLZ8OBTIaMuJibphI4
      YgWlavYl4ML85SrpHFnN7DgiS6a7FD+0jcMIcXy0VxYKr/ANDIooi+mKmikKNli2yLyqijbukqj6
      c5s+VnWrZqZrJ7vYieyBym/goceeP1hhG0LrRL7sh3havIJX6NooovXf6zsXRTxf4N+UbY1fB5cQ
      6o3+stYeG9bs3vXD7Qmrs184fpvsvl5lY5Em1CMrNbzLepyZJqHhEtcdezMGOxIvCqTBQ0/VwrWy
      0TCY4PvG//q8p/gnktF7S9IbJSH2VYe2Yja1OsPAfka5o+lV/KQ/8NB3/QxdIKwyI1LWDR5cBG+K
      37lVzk+HnlWpp8VEoOwyEsiz+A9jCmn99GKIfpmQJ+zCn3MkzCg0CyC5IVmw7FV/5jZmmj2jTnjg
      42ePct7xzVbAbTJveKx0mNnKrFWSd6N+bz7rfNUe
  - packet: 1207
    peer: 1
    index: 1
    timestamp: 1748250835.367753000
    data: !!binary |
      wkxBmHTvuimCh6n/suUJ2HdMaTEmBCviU7YJi7QECvhi4BEt5SsFbaDpX0tRPjRfXPgqyXHhmJW1
      wLEo6ecItwG9sTf1wnfVIqS5IlhbiEaw48gLSZw6ox8Huh8WJ43/ST8tlZu5vKktZfBCmpVcqGlG
      6t88dt607mAaEJZg5vu41L76J+aWSwDlGcpuXSPBKsXzRqpdqwPHvoYJrp/HnedP+yh0+dPjD6gl
      0wPwmGAzPo9CB7JD1ed4/3ml54YChasSzmfIKZE6jn95VI169meH1zVY6O2Tv3oyqiLO8nt3zMyd
      8E/PE8CbQK6G+ixuoNq+uHuwAh8h1wwpfwEMvQiTvXhUO9GWNNRATBtkAOc65B2quUW/6SHx3mED
      PSJM1LudzWQakWQG2uuROkMLFzT074YYD/LmVHu2MkNRJjIhAK/jPJkb4kzz2/3E1vBMVauIHvK8
      kmaPgDkHEnHUqBLTHA26d4C4E6Pjf3xXLSjSvxqLKyVF3wtnD3zv9GjiDGGKEYRqq1BF3OXlT2o9
      DqdXPmwMaMNqQ7wlsG97boPDmM80uzzCEFj379W9mWH/0eWT2YqlajbdEHEsKxgiTxnYmStDzNq9
      yYuv5iqrDeZyKOtb3V3mUChRCuVMVjpU7GMcY4ottVyNQYl5JU31dXG/hlbmvAKgYq/qBLOHXEW4
      jea6ua3rukmY1UufzRNGPgvVNJT8N/HPpsYmqByE06D0Q65JTxvAcG6BEasDsa3V0dywUASSjUQJ
      k6hC/q0CS8xd6TqIj8rlv4mspp9m3Cu5wyr9ky/87Q57ecPDMtCgW6ta/p3oUCt0eu7w/qGgTUEq
      zMkpXDaaL+19dWr2WFcrEXupMM2f/oLKNWP6PB16q/uz8eUApYEpiXxGaKOzv4laT2klKZuzfewb
      jAQaAHB27nSEVTvIsDjKBwDvo2ADyJQ8LpvLTadu8JGwcB3DEAZVeLmgzCwssvwQaTK1W5ThyxSA
      I4IYV8x7FVxJ+7/JzIakpXnSrBjkH+ex5KDep9gGPZvwE/zQmLoa9UWngprB1NO6c1oC3FWic1Tz
      bhMAxD8ErrxvyX+QF5khk2b6LqObjL2bWJIjG7NfWKrmiozMSBxK5dxsDjfnphQPPBcRyO6lV/rF
      DWhZqHPgXlJrMqBfyyxeHdZfdB08OWEfJFA0mIwrFXrSKpCFf1EWKL8dRjdZt+r0kw+h/OdUc1/c
      Aaq9WJ0veNHkxhSAk5OOWBT+EEXiabvZDMaEAxwPoH/Nf6NJjLDcqNCnpDB3OQ8VEyDc1TN/cAyU
      S7JVyQvNNmRK26LZ8HtRP8EF7zL3ETS50rkqyGClLvmY2N4kTehrcywAUHHxDjbSLCEyKtRfmAtK
      BQ9lkeCPUaDeDH/rHF/YFezDg7P79xnnsWtdrwAdomc2s2H7w65kFy973WStaaKDnBFDa5PkbcDd
      lkJ3WEfQUKQZAJvThVg7FF+GE5Dng0XBqvNbYm6+YcT9/3OtppPCMJYi77XBqxHarJC7Otz1kEFu
      ib12l0E11ciNsjIpRVsWD7itpC4GPsnfxIoH2XM2OILM+E7nsbTH/MVWLgJZssAwlQuAMOwVdxyU
      3TLKiOHHfeGDentd8xEAP2IgY4ZhHpEgmZ4y2HjQN7ImdhkGMxoH/3c7g/3Ru90aBDL5SVyVUrPc
      Y4FdZX6jw8eh9lfsuS04EkjXs9zovGU5yOce6XLyaLgB1b2jJg+LxD5TUXiZ+LPuaYqv04pe9Gph
      qxZrpaFZD0wI+TdpqbQSW84WDOaAsdUQ6l3QLGWtkLqPzbkVfyBA0T7hHSX3B9wL1grMiBDXAd2k
      +5f4HRRAO76cCdeH7gwpmbzkvlxlkF+hCNjMuj1uGpiRHbCf0G0LTBWeJTSJdrhDcNljFtaHF+FY
      lbKONW8kpeNkpy355qLFIIeSmb71NeRwPBNfA5sErSnJp3vtUECCFfruD7uqklSrYXYmm1ZqwlyD
      CaCl84K0dm2wqoDi2VnktLhMO9EaqnyV6qMaMp5pA6GgWXXYxWpCEHVpGnCeWCz+QdqTTuRfLxc2
      VTsUEcIW8yTSI34AsP81LEdpMO1ipgsaGfit1SSPYRE8tMoPdS4MjIm807UaE+pGoEaD9uK2JvDV
      kVKjRE3Liyfb59zARPdjZjay6sAgUps+bIuhmNYrSWgwqB1vfZXWkF3U+OoBjMJwiURaaHBEZFjH
      Nw3r1pxmQX8oO2MhgDKRvlwWvvq2aiGBYVhzxnG9aFAuhoppxSJUpGC+YcUn5gBqgHi8zQBsRePx
      ktYFmhGK8xXGWHv1iXrGvFNuMu4Hz3euaGbqzrs2ThulRZEG9cUnNNbCXAj8h1cSBdWEyZSdPdaL
      Vj+8TtvZavc4AHi8aOse7gkgKA6bJFdL4ERYt+FHOZQehrf3c9/OiFkxjYuoRc/Mne66NQSu2zGo
      jtJJ8XGbCmhrsklNL1EuGOts2knomH8YN4iOSMg6oXzhxR+CEmfB8r/y+SNrJDpuqYkrmWRVry+/
      0tA1rr5JrmYWH/K+HBx1OEb5/20IXdWxeEbgmZtZxPRTRc+rT3Y5H3AH/uQLBWdA5iCm7WEMuUEe
      zoMjpcBJt0tg6O7z8ITQibp87NfziFODqG2mnEZoa3mzK3Zj63lXpBVlIlfQ9b10HrhAeZ2L0Q7z
      K5CSED1do+SLLucEd9cXPncZSBpZ6b2PWyIDCF7HqP02c+gef6R9FCldd3GD+t7fGRkxbLYeO+Hh
      LZINgEW+ilmyA5JK2ee9LG41QTWeCWa8KVtCeBiAl4d9QQWxnoS+f3fxXhkznxRgfRZZndXozcxA
      b7Td2YLhhKUCaS3+EBVykrQZL+A1pEZ53vWR3cDe3BPLk76EHN0XtpQ8yE5eERc4AcVNAyNeMnBi
      LSRI3JueqOkpIgnVZ3IPdJy1SDTIHRS9rDCjazzNRN4nok+t9N0xIviKZsgmHBSFPpIoK6yjo4XJ
      3hEb9sq+Vj0ToS+EupRCOd/B6l6uf0WdU6rW3bJjo5bV3zaJv3YKgAKFKQhDJA4epUjY7bh2Vx7U
      cR6fDqiI3trvb0oKR8PO2Mc1TeC2tiVX/ei/q/Sp1oF6YCvPQ8awNCc4ijsQSOqG4FIBS473GzVU
      DwoWIjk4d8mi+JVu+ppr+ISc1obVYwFQNGDzduTNA9i9hpZ8RiSlZPw6osb+F7sg5ns3692iVtL/
      6awRpdhk+zE271FgLF2t2bFqXXNuoGOppLonkcoIq4FsLcFwEIwpnMrywQw+wM/k/qY8SsX2Jk8x
      bZuKfxDtJs/eWThyYHHVRS4+Q5sxYVUmPJIFlohG/SlFPQboYfWZzxEsbn1ecLI2lrrlwT+FNNIe
      wSgn0KwxITjENzzaegSY0NnENakm7ZfeBxJuys+C86M8MOZihM+QPdIJAiLeaBTzATENtQ+ItXh3
      WkGt1+rNEzfP/Fup+zdUaNVujsINgtVfbyx5GyZgCTydbI1qHPSs04NVkIsfIr1dqHlNuMUhK/2X
      SFbqn9jhsBs5fsnsU8gIHjIy/cHypNGCRRIcZ20f1mVFBA==
  - packet: 1208
    peer: 1
    index: 2
    timestamp: 1748250835.367753000
    data: !!binary |
      /jYWtK98AhPFWu/RKHanyjcyeBiESj3BLpcQMGx+WZhJtsG9uOiyJRUsjiOTgjUI8ii289RLPclI
      cZj0AVMalWCFsCyYyn8EFLxxs3VTH34Ek4GkIPIsEQ1+a7Xn10wVzhstgWej+eIpuCQkwaaJ06qM
      MlTlW38Z4tZw4a23hS7O/NDuDyNJPhkQTvmIfBX9DHaW/1l/5BqHI9EjHO4KnCY8mghmMIkLQDds
      FjzK1rzbF5akDb3upLuBmDtM94tCYjxPoMZUxLa+ZgHYgG68lbl0gRhmm4Ls/YjhXej5+efWqVv+
      9hGPwGQ01r5Bd13Ag8cStMXsfX8dLhmrq6Zxnbm9swkh8+ZjN/Ef7zn1lS7Cvlcnqz1ShYJO92+K
      wieeKC72P0L/mCNbsxfzumMwRRiOyi1vHTbaWW7r6ZyG5A3xVpm+79AAF3aBxe66S3yw6ibazz+u
      qojpZnSw04u2c8MKiE6/XBVOQP+rs4jdUsnkEFMYSAaXjqnp2DRFqDSSH2zbm5/dGKxpI73lKLMc
      HYvGGBSnNk4Etq1/NYrJGJ0W+Ib9gnl/ehDmtPDedhwvqWzLbnHmxv+ykPn5RYOLtFw7p0MI/b2R
      aWv3/WkBqttzziRhN1XE588K6TsjMFnD3SZ9w5Jk7XMeQ46tuJVZng/EIpWH0PKM50kOyCEIbZQj
      TFoabR+ESlb8RO+QQ7zeRQvluyME8IxYaW4oaTVl2+ivd0NI3PNkH9d+Hl1YwoNnsfZetrYOo+pF
      hS9yAuDcmEylei/wWMVOLD5UvjVwhV5J/del07mC8dXebAi4nlu1zEfccnrbD1ZsfNbBljZL08Ph
      +6yQ0wHv+5ccHg5EMMrJZIG2Gc4oj7Wj0FzvpjMBHekFvNh9oUDiBBNJFRfeQm5eMHcDsCO67uxI
      sQmiKp91oG1uI296s7fZYkSjACqEBXq/6fkhmGQjmq/6llDHLYDVxnenuMThvYVmrkUJ94geGzLk
      HArckNrnyXdLyfJWgn0/H5qTiFi2+HxjAT8QMS/uwK95whX+O/kuVk1CdZe9k7p5d55e/ifOA8eK
      W85nRkZc7Dl59EPpeHt4Fzq0nxcvdpImOFuz1OeOlHh0SxMWx65VpprjlusC0RYB2J0R46EfdJaS
      HWiw91CVFZT+7Ymq66m7NLX/lRfpAAz5lDw5set/eQROBHB49T9lVdxqZUkzE7pd1dydKRiZrY3q
      RSf3FDoXB7UTu34u0zN7cSC5l1kgD1QhLqww/MSwZ3LaMbusJnmnxrNjCP6piU2tXoR2io3Zp8RE
      xjKWs+lJRMcbE8vBb9SsQNW87zNvpH3EbpbLi6a8GEpUaXE+Z5TwchFw0LldfHc7k1TaHkrdFOaF
      HOS2UzTchZqJPS+r15LOxDApHq+o/BORIeALzBrBw7iwHEngldp/j90kmm3nceGtPbneW1RO8nW8
      JvjbW3UQv11p60eihRDSP6Lee4qh2tW6eEatupsE/PnugjGVn6PWLdg8Qhftwkob1LpB245s9LMg
      GaC2+PMB2crjq40Ss5DbA6LuhFJmngUjem432S4SNmYI8q6bWnez8r197hEqLZ/ZLLHOIY3p9iNd
      GzMN/98zuLIVAtK3HOQf1ic9m82Rcyo4K8XwztaC0BY/as2N9dNnFm+DI6PU03CY1frNiNsM22P3
      nIrN6HjGfRcIRcLf2UhIyp9E1bgHq4GcpEf1h9jhy3G4TnthENiBj45mnSqLRTidILZjh9UfxAk6
      AjsQR4mmXIMnj+bDPo7+/mOIv7D93IBUZPQZzuJ7QgepoidpWtmVp+2gEJgnR0z0DbofgGKLei2D
      9xU6k1Rd7uMW+cPE436yBZ+NXLTemqBP+88P7jt2tAcFxfjicQm3yVsiZQjsG5ZHBRDCohPFg1fv
      bn78hV8RritFyS1n0CnjwstyxsxS69I9YYvdmCXx+IkPjqfAaoYA8zMGQRf1E21+YJzX3JXAAc05
      GqhP6ovqHl1kqz6ntVAET6dHo4IvmPnvGCHspNTRKcBsc8gTfO9A2eaLm1eaowlQ7YpCSn4RE5lY
      NQlRSVEk8lWbP+388NjcBaxGqg0Wg7NaCJ4+j56dpX3n9YjIQWrJBJlFD9Kh8pcQDMB48TxPZf54
      eUyd7h3FJcabUvwcaKPqt/zPLo9VGez4BhKgIf9bZ9incTVp2CMhSVgGaFXPm6i0BI//n/oqSRfK
      nR1CW6bMpenANKJFESH+urphSTopxYfGFvi7YAlL8ZQclNr7sZIdhIMbpw1+Mk1AMV9TRDWzh9ul
      Q2NRq4Vucl3rn1awOKrZNUhC7/kumjUJbz4H2QCSYHtF6wxAVrs4dZxdTtAn/BStF/MRq1+znqRy
      h2nZQ+E/oxKEyCbDyeauJZTVmgIaQATNQJHzHvLzrcmoNz2fcJGaAgRh1W9NX8mL3NvSbXiQ18Jf
      0tvV5wDG5ng/MMvpu9LI7kYXtQiAWpAsowEwDvZYKVibN5UpxGN4L9j9qSwd2OAtoPe7UHAz5JiM
      2RE98kLllyDF+n/fZQEgfXk66VovgMwEtuY9aWGyomR6eXUSfoq5msqHaVtqq5LQHTdjIDC5rflh
      cFKN/EwzxQWnolkzwevfYV9zo+sER5iBwVwUpnwhzuccnjlUjKCOYFfPvqSOK5YD4+mHyn1frnPR
      ZfBDi+QILGVs/8LS6QFPIToPx2GtkJ3gHSHpPygRgANJZG5mJCe3qia09CqE5Qit5/B6u1N8+eg7
      TMT6Ps3aOS5cjff4oQbvKL3IrMxgsvGgRCJljbhLkYBXKRctevQjLASOpBmysnlYJxEco1E9Cvoa
      46ETsiFBwsw647OFU7yXkoqkg2od0MB60GGqtodgCdQEruN5X22qyIeuz83Va/Cg9feepzeecZIq
      /nS6roLSFU3YKfBuJ6WrYlNCddMmKoqXNzFTvE17YD3hsN6SIGMZWY3LkiqEGq+MBxh5wfj8Blfm
      PAb7oEL4FS8SZF9aSxOYy6YNeQe+HrZ+WJPHeGPh3aC79tOM+d352Ni4EPUKEI27Qs0BAYgo+u0g
      uzBHhRiZsTtKFsfyD6rpcMh4yo6aG/hKEmjlYK2kWbe6p0zJMnqbBGC9IVj16VkU8/KavWvSxMiX
      EjfdKxv1EFBhhW1Z1MGAs7TNAIteirIwnIBrAU+Y93l4N42xgua/E3znt5EOaR0QrVj2B8BMgIQK
      FhE/LbXU9X8DzhV0HdXuRIfJxKtF/qPO6R/knDMYYlDmYYBph7w9x+/UeEwqBROHIktQH9dtG9FZ
      sWEvX1Df9T2OtV6kbY/phaDRjZlQ+90HFhcC/en1aeX9q5krnQP/heAeLQq3gyv7Zzn9vwNssu2W
      PH5ur5AOW1xzO/b3EmZX9K0wvZFnydzAPioXGDIGUEv4QudDCQoh7UP+4MOwowp6SjIxTiLw2c8V
      WAUBSryV9a0SCi0bn2tUyHIHV0JIg3pXqhR4HZ2B60GKtZnJtCn2XJrBJfs0hSACSyk6ELYuUfsX
      UsYOdLYL9bRDXFwBVCzDJ4dBaEs45eC8iKsULJvOISd3TQ==
  - packet: 1209
    peer: 1
    index: 3
    timestamp: 1748250835.367753000
    data: !!binary |
      F4gwy2W6CHjis8rUaCx+eG4unU1xdazPsFGsWEOKlfkwxXCW1aiXGVPKS11OfYE51W0GaXg1KBcw
      r8cNeWbD/o1mmFQR3DBXFg4VI7eQJpYabxqwMAK+7t3qUQnEustsDpVoP6J9Cay2u1oKdS/sCbZm
      WZ1m8ohQa1J5iEdMU9LBdPbzIlUqWM0sQRbehmgiDtXQqoU5pJxqlNhNnKlCFlQxS+0ksOVA1zEB
      ltLC8dyA7m8Ew9NjRqM4Y3jWTsyO6S7jxHu+mHhYO2ZGBh3Q0RzoocWWI+cDky/Ubl4DBx9lOuou
      v1gXrJHl2JZ9ZpK+aIUOSJDOFC3MHd5a/vEee5eI23hC6ezvbQaDTETs0vPTZ1whdUKoOeB8zL7L
      K0w26PBqAH1BbwVx1Zb4Hkkm5rBfn6eDEy4r8c3s0GMaxihCAv8KVk0qzRT7AWhctHlOgMGsk1MD
      OlB5A33a+xRWAa6vR3Ve61K7VcUzmFgi8txPOgJD9Ld5DiweMTonxOxx5ywrjlBjC3vk5BuAMI3b
      M9WPANjAS6UrmnMACqugrF0CA92lDV9kv0HC/EAy8oiOsftvItmWOL9uPflQsFCWrv7LcZtdk+wv
      g0Zm+HNgVI7go4o+lyB0ypO+gzVOCpC204pbPONJZFKqs1wge9yWpSdGPHzPzoxO9Pzp2jLl024g
      AK/AaraZ2fFvFik4jZj61/tW0efiJE9ZW4MbuSd4AyUD//pnWpyxlRMsZBCAgjAvTGmfkyPl1GE3
      Y004G7/wCsJm0glSNMMrNM/+Apq5Je2mC2Hh3JsaGLm1i9+0S7pnVVucgQXcXMNzDTjJjvToEdqs
      mTxNDgG0zYQp6A6+ZpByivcvs4boCpYV3Vy9Gnb68DRhCkKJP7U8N1D9XSYaq8ou3mpptjpPwlBM
      N4skNHniCEuN04aZWkUUFiNc9K4VRmBYWMb0dVaX7sryb2qRyW5oAobsElr9/CuLuQgJa2rQjOHl
      h2j8Aazdyxm4aQdbJjzu7rfvOhb32vbga5clSkdCKSZFqZeGltj+Jxb+ic3z6rWYF2KuhbYjuQOp
      NTToduFzRqAguoIaSJcGp/DDhW36h1AyYz+Zjpm9ktQZOA7W4yIHnHsyUMTfqAmXSjzHtk1GNJrz
      /9/7TUipRQFSKsuqrOGmqQnaTRinBq0PRY+5qvybozUKNL8uZUw61mVYKqICIVgX3hC2HvHZhFkV
      KXCQPmMy8hIweGjOMErtV5ecryI+/UaTeOtsWCPKcy3UjRfFTZy6xjLFnrkamaMH83MVrQsnZ4IN
      jGl7gI9Wlar9hn8JElWczTurobnlzkktf7EpushAf/vbMUhegNdh2IQ1FCNaXkmYzbk9lmgup2ny
      BlZHxnB1BsrdU8dwbrkRKb4Kbsl0rELDNT4u/OC49dQkoOyR9QyqM1Q7of6w9vR1RvVB6mcmFqFa
      ccbvfMXF+Dp4PtGIc336SqDSKr7VhEpTAtNYR9PPRiVbKZNZ6UetvEay21k8niW7DAdB9J00w1QD
      P4bUrIXQKtHWvKFjruAeRkMHR3RfgLkLdzb5cr5OlryBnFkfR/5WRB8y9/OXD2gMUa+5RjPBXXzV
      IfFAgBU+eb186TQ+b2r3X9Kt/RE2SNkkCfS0AIVDQJR2KQ6XY6L4STnK+B2K2DjHf65dV4y6x5Xr
      oNxUEupgx7u8fNDLvsqYrV4k1SAmISuEzuBzsahYbT8hvaPtwufDMryiHn+Q0zyHcjHsfE0RuYi5
      50OBbD2OK10ljReiQ4MTTkdmioiG33dPmo4fYRFTvSLHXfSAPh5fa5A/mZvOu/vzJH3eL2WD4lSt
      aMcI5x2xhonEZTPLFVgcDCoE0hmVhklerGBCotQ1V/0N7XFMdCstZao5JbZcPLwID53lT6FaUhFk
      xr8dl+jLWs0Nh0FopUkgAachbq9aQLJ1l6P1v0Um4kOo9DNgOAy72KU0T3JMOyz0hjd7odQLAqMw
      alG2ywJwbBet8cnfrowVJR7oMp04XLfE6dvMG+Liw/BeGHK6MbTn82ZHn7FniR/zpIhbc2mt4xq9
      7i+G4Lkb0nE0o31dBi8BK5wx72S/slV61goyFvQeckQrWaMXs6qGY7vOw5fsf/hbEfNvKMm2MfHA
      sNqhi5gq/jcMgMmtglg4RR7VPU1DTJc4xuieYOqSvnHXAhvYqwXCpdJ1zhOF+tb/JT1/5Vp+m83m
      SH0Y4mR5vaPpjvpJc+PQAaNAng4UH8fVSdps+GnL7TFcxEQ7nekozlocv9PxE4q9
  - packet: 1224
    peer: 0
    index: 2
    timestamp: 1748250835.371758000
    data: !!binary |
      9Ul+j/7/rgAbB8XmOVvia1ZM3TreUHNpwHRJ
  - packet: 1227
    peer: 1
    index: 4
    timestamp: 1748250835.444353000
    data: !!binary |
      XepUHdPjJPg+9Aw+CBIP+H8LgVu2hMI7Q3iDBeHgHkyHzN8547OEvyUXONNx4i9q9VE9rHAUsJgO
      5gmvYaXU4dPQvle1VPHVLb8M0uPUFL5iHRixHOYg54mgsC2NjznNFiUzoC78axvGfwXbK0lO/eGk
      uTGqhlMCNyKsTdilcMkqow8CwkFJRGhNNoVK8+KHnLrlnSHw77fY3c1/J23XjbH6uIdtb5/BbdgC
      vO4tuxHJOJ5qnPhpnOOre76nSU+hu5X72r8xWQFG1LPpuEBf6RbYWU8kc/Kcsp212ayuPnrVSVLC
      FuMIqWwpj2jn5CuCOBzOgCa38fL+zGqImcId4kZkMgu3yLn2pYhvdaNGnOCsoNX63J7TOSKNrp2H
      joCZ1Xvg4ohxqXpyisPQszU5qbj7TDFtyNRcqUhjDOQs3uvGLOBUlg795N7y3295gWSHWF1iWgoz
      2y1Hs5yhddeT9Bxxa125liSFzHlP7pb4x4vktarj+Iguq60IbGIhEfJ6YLrbgEaWoa0q8uYLMI4Y
      KfRoHhC1iRz5bQeibOhzMhuwfkLoc+cpjmZOAbMdWYh3Kmwzw9DcBMeNK/583ZzNAPdVK6jb74jw
      aiaZRpYy0BCHCX+U
  - packet: 1232
    peer: 1
    index: 5
    timestamp: 1748250835.596026000
    data: !!binary |
      f2F1xVwXyNEa3AZ8YsQ6TsBpZ5UQySVcLzZg
  - packet: 1242
    peer: 0
    index: 3
    timestamp: 1748250835.705293000
    data: !!binary |
      4AKDthhh1GgMYv+j9xa2DZQz981CW8cefp2oygb/mxpS+G+cSYbAu+wFM6jEt7bX0jktn5FJLasq
      mZOpa+9WFXpARhGj1sRz5biDoV/ReUx4UtjiHcahTEBcyPWT7q0+LYqHz65oK8JMdKcwLlsXUBeg
      fDS4HU6Lht/PjwBP/U9NpL8AJZcYd2zG8UYXE3+R/szzY9Tb0FLArCbPfyKlhNsTmc4W3SBnVj9a
      VToUb+1qJkCRLKXptUtQMd2tM1VCuy7jeEOCuvMYNRYEG/SrnSiuh0AcbiHC13ktLZ4pjtCyQL8C
      YcNUs34ZfVsl1lOA5RJd7Uy9F6UlwLzANDifb9GlWcq9UosJiH3WpTuydeClBFS8b5q3B4mbXx8B
      KV+ct4fQXrFGlC9ftD92zd/KoV94hnCZ7cjGaw0y0b4hE/bWohsgdqemJoBIrUyXzeu4JuzvjHw2
      KOEv4T332fTqqdSR
  - packet: 1453
    peer: 1
    index: 6
    timestamp: 1748250835.800706000
    data: !!binary |
      oyArikM1z/d5ssA1XcB1NFj+STnBJxnihmiZFmvHlcq9FOTIw/W3MpzDQPagqeGotRW3fCEoFg==

{
  "31mhcrzjvmeczjbu2aeqedb5ge2m": [
    "31mhcrzjvmeczjbu2aeqedb5ge2m",
    "RqBeLzbT2039ybP1e42tUobPKmjroH7GsFzxlLKl2j8FRbh6eDTQwBtv/VfCPEOrPdp8a+vnGI3vf7arxQweRUcMYg9R4GsS64T+TLogn1kT1HzHW+vgBh3mrqcaiYOArAYliijtgUH2R5nZss4S9XDgSvQNPRB4lU+lczBhsdTxT8XgEtPaaFLzvPWDpKA4V+aX4YCEc+QxWxJBrfy5XZvHA+/zGwrGHu8dmtoR4JwJdhUyMbQ7U43IXKnB8BsUd93f/cSpkH962OdwGlHR//XRjJzR7NziE1N1v43dgu6I9cVkErrkVbD7YQt6lzTp"
  ]
}

spotify-automotive-apk-bundle.zip

spotify-traffic.zip

Originally created by @salvatorebattiato on GitHub (May 26, 2025). Original GitHub issue: https://github.com/librespot-org/librespot/issues/1501 As you probably have noticed, spotify introduced the ability to login from desktop clients via the qr code you usually get in car/tv apps. The fun thing is that it's able to login5 after the oauth flow somehow, being able to store a fully qualified session with saved credentials. That would be awesome to have for alternative clients as it's a 1-click way to login through the mobile app. Unfortunately, there's no http[2] api endpoint that manages this exchange, and everything is done under the hood by (probably) the TrIPE protocol running on access points at :4070 This is what i've found by digging app traffic with wireshark ``` -> client token request -> oauth2 request -> polling login spotify with all scopes <- access_token (Bearer) and refresh_token get received <-> encrypted stuff going on with ap-gew4.spotify.com:4070 -> login5 request with username and stored_password (protobuf entry 100) note that username was never to be found in http requests before this point so probably was decrypted somewhere in the :4070 tcp session <- login5 response with a full-qualified Bearer and the same stored_password sent (able to do sessiontransfer and everything possible on spotify public api) ``` I'll post all the files needed in case someone wants to have fun reverse-engineering the TrIPE messages with the access point, below there's a dump of the encrypted conversation, the ssl keylog to decrypt the pcap with all http requests for reference (packets in it are almost all spotify-related, since I routed all traffic through a sock5 proxy and tcp-dumped it, as this was the only way to "see" the raw tcp traffic to the ap server) There's also the output username and stored password that should show up in the decrypted conversation and the automotive apk bundle in case there are some symmetric keys waiting to be dumped ``` peers: - peer: 0 host: 192.168.64.2 port: 44414 - peer: 1 host: 34.158.1.133 port: 4070 packets: - packet: 1195 peer: 0 index: 0 timestamp: 1748250835.181074000 data: !!binary | AAQAAAGcUg5QAKABAPABK8ACmO+iPKABAPABAMACAJIDZ1JlUmDoxy/aQhhh81vZ1ar83spPtJ/8 7da/gkbmzsTMl7eRqR12JCDKpkJlwRB5vWMsAKDcFXSiuu5ehiAUpZt+HaBRrsdkqWwLnECf2Zro pjD4APeSUNH8FswTFWq0VL4Fag2gAQHiAxDRnJre/d9TMzzJoDSNtbHCsgTxAVnoNTGaV5Vuw7Za OMl4hUI3alWTpV/14ku5jmTgHsZvh4VYI56yC92um/OibpbYrsnakfvhAgSwMUHwOak0HjXxkf6y TNfAbQ3q2sOLY9cV7nPHdPzM0cY1FzBCoMo2FONRQ6Yzri6G63wMqplalQQB7xQpxgWkySryL8Z6 pMqSKCVtfxg1Utxmr+Glwxzz6k30hyFFcasWrsLFkWO5pVyoRv3s+0O5gwv8AB4uIgqn1pFgFaY6 +QRSpRaOci/Du3Jsnw39r2BoS9E4wlGGYl5ZxK3FF3FLjJscImNoVfz4RsLEFZ7iMzx/X8o1Htqv gFKCBQgIARoAKgIIAA== - packet: 1199 peer: 1 index: 0 timestamp: 1748250835.260447000 data: !!binary | AAACrFKlBVLsAlLpAlJg6XpsaS5hoiIaeMyXRTnkNjENUrIr5fxfdnHlKvHeNMJqfFqtEBDtHnw9 NgJPOijH7JtjTd/FiTlktQ4BZkqsNdIHd4tza1GNA4fK7zVosJzQYKnv3ZMJ11IvFFDcxx63oAEA 8gGAAlS/uXcAxMsCOkLNSs7GNrpXK96FjbtDerMVXl+LmqvadMl7cj0GlzYkRbc+3HCzU6y5h0pv wEprZ55toSmsk/NUUVcSe+sov1QqGSsObHXTdnxOavm50Yp1hrLdLoYgVEbWTNZuLQyI7OdWyuwb oBi5Qm9BhzUBSvXNUB+902HhtMEtUjKlCDaYKjcgHPv3ocvWsPiJyTq+c+C55sI37/NfCOs69XRJ L8Aw/9TBkeRCnFdaXHsSY4R/YWdK5tioaNcgaOZBosfjSnvIKyadnDQHTcNZ1E2owS3toW907h2C cwlAxSJXKd4cJONgHhgkFZyZECACB4owhubT/wr+78GiARRSElIQmI3FN/KkqX2mqzI08qQ47fIB HFIaUhByA/vd50Mwsox1q2lPO2WfoAEO8AHxhwHCAgJSAJIDEHID+93nQzCyjHWraU87ZZ/iA+QB HzGy0b0nfCZ3uIwWqc+vN5TmKTmPpt872BQtfUwb/2tMsTwJ2bkvUHG7ZhqKFVEf/HtYiyE3xvpL 9HeXD3YCWyc/ZAD4k1BpT7eD2czV+MhQUFRxiBpr0w7iax1YbXiArNyApHDRDb+IkZhUZpEdtuFx J2mLkz2adai3zhUwTsIMzmZ8n3Q7JwXUfGtlmSFGCkiwldvtL1GV5x+qF21sIzvToNtH2wJMr363 FBfYWyEgC7f8+OZNjc1sN+TZpAgUd6jvvoPyCjNwwUeImaKpua1gtaVHAjIUbmr5Rw4BXIWpS0Ms - packet: 1205 peer: 0 index: 1 timestamp: 1748250835.274571000 data: !!binary | AAAAOlIYUhZSFMpuwlkt5ozVLSeGWsc+OwCLD2XKogEUUhJSEEsCFzPLeYj/AAAAAAAAceDyAQJS APpNZxT7lvn1l7nnaHmNjBy62aKL1lK8LP25CUgEL2MxBOZeNKHykpbO14cwnsqBqHRWa6AX9mK1 AfkrApkAEz0I+V5eM4vFjBsAnbZL8bUKk+72zMTm+P/XQ1LtwfPCdoZZETrqCX/7YWAAQMbBVOkk i1EzplEyBBvMJtiGXRE/9SCYk8QeTcD7imQP7Q2/BAYoTky8bYUA4DHwfdQBkd+73iWQr83L+NEs LYscDUkFzKZA9Rv89xQB9sdmRCsqmeqRaa8rXVPtX1dNou7+1iZzXfSQUTapnooyUXYU2b6ZakyP hlDVPPhZSSmTfGfA2VByznaNUm2tN89lKmH8Z2nhVUwY97xG1fLQRgrrO/9gbbvBjdLg0bUV2yyG oRF5cIDS6uSKc2eLCgW9//QG5JjEvqVzTOvB6utsrfl9wOrAFkBpLPf78HtLZ8OBTIaMuJibphI4 YgWlavYl4ML85SrpHFnN7DgiS6a7FD+0jcMIcXy0VxYKr/ANDIooi+mKmikKNli2yLyqijbukqj6 c5s+VnWrZqZrJ7vYieyBym/goceeP1hhG0LrRL7sh3havIJX6NooovXf6zsXRTxf4N+UbY1fB5cQ 6o3+stYeG9bs3vXD7Qmrs184fpvsvl5lY5Em1CMrNbzLepyZJqHhEtcdezMGOxIvCqTBQ0/VwrWy 0TCY4PvG//q8p/gnktF7S9IbJSH2VYe2Yja1OsPAfka5o+lV/KQ/8NB3/QxdIKwyI1LWDR5cBG+K 37lVzk+HnlWpp8VEoOwyEsiz+A9jCmn99GKIfpmQJ+zCn3MkzCg0CyC5IVmw7FV/5jZmmj2jTnjg 42ePct7xzVbAbTJveKx0mNnKrFWSd6N+bz7rfNUe - packet: 1207 peer: 1 index: 1 timestamp: 1748250835.367753000 data: !!binary | wkxBmHTvuimCh6n/suUJ2HdMaTEmBCviU7YJi7QECvhi4BEt5SsFbaDpX0tRPjRfXPgqyXHhmJW1 wLEo6ecItwG9sTf1wnfVIqS5IlhbiEaw48gLSZw6ox8Huh8WJ43/ST8tlZu5vKktZfBCmpVcqGlG 6t88dt607mAaEJZg5vu41L76J+aWSwDlGcpuXSPBKsXzRqpdqwPHvoYJrp/HnedP+yh0+dPjD6gl 0wPwmGAzPo9CB7JD1ed4/3ml54YChasSzmfIKZE6jn95VI169meH1zVY6O2Tv3oyqiLO8nt3zMyd 8E/PE8CbQK6G+ixuoNq+uHuwAh8h1wwpfwEMvQiTvXhUO9GWNNRATBtkAOc65B2quUW/6SHx3mED PSJM1LudzWQakWQG2uuROkMLFzT074YYD/LmVHu2MkNRJjIhAK/jPJkb4kzz2/3E1vBMVauIHvK8 kmaPgDkHEnHUqBLTHA26d4C4E6Pjf3xXLSjSvxqLKyVF3wtnD3zv9GjiDGGKEYRqq1BF3OXlT2o9 DqdXPmwMaMNqQ7wlsG97boPDmM80uzzCEFj379W9mWH/0eWT2YqlajbdEHEsKxgiTxnYmStDzNq9 yYuv5iqrDeZyKOtb3V3mUChRCuVMVjpU7GMcY4ottVyNQYl5JU31dXG/hlbmvAKgYq/qBLOHXEW4 jea6ua3rukmY1UufzRNGPgvVNJT8N/HPpsYmqByE06D0Q65JTxvAcG6BEasDsa3V0dywUASSjUQJ k6hC/q0CS8xd6TqIj8rlv4mspp9m3Cu5wyr9ky/87Q57ecPDMtCgW6ta/p3oUCt0eu7w/qGgTUEq zMkpXDaaL+19dWr2WFcrEXupMM2f/oLKNWP6PB16q/uz8eUApYEpiXxGaKOzv4laT2klKZuzfewb jAQaAHB27nSEVTvIsDjKBwDvo2ADyJQ8LpvLTadu8JGwcB3DEAZVeLmgzCwssvwQaTK1W5ThyxSA I4IYV8x7FVxJ+7/JzIakpXnSrBjkH+ex5KDep9gGPZvwE/zQmLoa9UWngprB1NO6c1oC3FWic1Tz bhMAxD8ErrxvyX+QF5khk2b6LqObjL2bWJIjG7NfWKrmiozMSBxK5dxsDjfnphQPPBcRyO6lV/rF DWhZqHPgXlJrMqBfyyxeHdZfdB08OWEfJFA0mIwrFXrSKpCFf1EWKL8dRjdZt+r0kw+h/OdUc1/c Aaq9WJ0veNHkxhSAk5OOWBT+EEXiabvZDMaEAxwPoH/Nf6NJjLDcqNCnpDB3OQ8VEyDc1TN/cAyU S7JVyQvNNmRK26LZ8HtRP8EF7zL3ETS50rkqyGClLvmY2N4kTehrcywAUHHxDjbSLCEyKtRfmAtK BQ9lkeCPUaDeDH/rHF/YFezDg7P79xnnsWtdrwAdomc2s2H7w65kFy973WStaaKDnBFDa5PkbcDd lkJ3WEfQUKQZAJvThVg7FF+GE5Dng0XBqvNbYm6+YcT9/3OtppPCMJYi77XBqxHarJC7Otz1kEFu ib12l0E11ciNsjIpRVsWD7itpC4GPsnfxIoH2XM2OILM+E7nsbTH/MVWLgJZssAwlQuAMOwVdxyU 3TLKiOHHfeGDentd8xEAP2IgY4ZhHpEgmZ4y2HjQN7ImdhkGMxoH/3c7g/3Ru90aBDL5SVyVUrPc Y4FdZX6jw8eh9lfsuS04EkjXs9zovGU5yOce6XLyaLgB1b2jJg+LxD5TUXiZ+LPuaYqv04pe9Gph qxZrpaFZD0wI+TdpqbQSW84WDOaAsdUQ6l3QLGWtkLqPzbkVfyBA0T7hHSX3B9wL1grMiBDXAd2k +5f4HRRAO76cCdeH7gwpmbzkvlxlkF+hCNjMuj1uGpiRHbCf0G0LTBWeJTSJdrhDcNljFtaHF+FY lbKONW8kpeNkpy355qLFIIeSmb71NeRwPBNfA5sErSnJp3vtUECCFfruD7uqklSrYXYmm1ZqwlyD CaCl84K0dm2wqoDi2VnktLhMO9EaqnyV6qMaMp5pA6GgWXXYxWpCEHVpGnCeWCz+QdqTTuRfLxc2 VTsUEcIW8yTSI34AsP81LEdpMO1ipgsaGfit1SSPYRE8tMoPdS4MjIm807UaE+pGoEaD9uK2JvDV kVKjRE3Liyfb59zARPdjZjay6sAgUps+bIuhmNYrSWgwqB1vfZXWkF3U+OoBjMJwiURaaHBEZFjH Nw3r1pxmQX8oO2MhgDKRvlwWvvq2aiGBYVhzxnG9aFAuhoppxSJUpGC+YcUn5gBqgHi8zQBsRePx ktYFmhGK8xXGWHv1iXrGvFNuMu4Hz3euaGbqzrs2ThulRZEG9cUnNNbCXAj8h1cSBdWEyZSdPdaL Vj+8TtvZavc4AHi8aOse7gkgKA6bJFdL4ERYt+FHOZQehrf3c9/OiFkxjYuoRc/Mne66NQSu2zGo jtJJ8XGbCmhrsklNL1EuGOts2knomH8YN4iOSMg6oXzhxR+CEmfB8r/y+SNrJDpuqYkrmWRVry+/ 0tA1rr5JrmYWH/K+HBx1OEb5/20IXdWxeEbgmZtZxPRTRc+rT3Y5H3AH/uQLBWdA5iCm7WEMuUEe zoMjpcBJt0tg6O7z8ITQibp87NfziFODqG2mnEZoa3mzK3Zj63lXpBVlIlfQ9b10HrhAeZ2L0Q7z K5CSED1do+SLLucEd9cXPncZSBpZ6b2PWyIDCF7HqP02c+gef6R9FCldd3GD+t7fGRkxbLYeO+Hh LZINgEW+ilmyA5JK2ee9LG41QTWeCWa8KVtCeBiAl4d9QQWxnoS+f3fxXhkznxRgfRZZndXozcxA b7Td2YLhhKUCaS3+EBVykrQZL+A1pEZ53vWR3cDe3BPLk76EHN0XtpQ8yE5eERc4AcVNAyNeMnBi LSRI3JueqOkpIgnVZ3IPdJy1SDTIHRS9rDCjazzNRN4nok+t9N0xIviKZsgmHBSFPpIoK6yjo4XJ 3hEb9sq+Vj0ToS+EupRCOd/B6l6uf0WdU6rW3bJjo5bV3zaJv3YKgAKFKQhDJA4epUjY7bh2Vx7U cR6fDqiI3trvb0oKR8PO2Mc1TeC2tiVX/ei/q/Sp1oF6YCvPQ8awNCc4ijsQSOqG4FIBS473GzVU DwoWIjk4d8mi+JVu+ppr+ISc1obVYwFQNGDzduTNA9i9hpZ8RiSlZPw6osb+F7sg5ns3692iVtL/ 6awRpdhk+zE271FgLF2t2bFqXXNuoGOppLonkcoIq4FsLcFwEIwpnMrywQw+wM/k/qY8SsX2Jk8x bZuKfxDtJs/eWThyYHHVRS4+Q5sxYVUmPJIFlohG/SlFPQboYfWZzxEsbn1ecLI2lrrlwT+FNNIe wSgn0KwxITjENzzaegSY0NnENakm7ZfeBxJuys+C86M8MOZihM+QPdIJAiLeaBTzATENtQ+ItXh3 WkGt1+rNEzfP/Fup+zdUaNVujsINgtVfbyx5GyZgCTydbI1qHPSs04NVkIsfIr1dqHlNuMUhK/2X SFbqn9jhsBs5fsnsU8gIHjIy/cHypNGCRRIcZ20f1mVFBA== - packet: 1208 peer: 1 index: 2 timestamp: 1748250835.367753000 data: !!binary | /jYWtK98AhPFWu/RKHanyjcyeBiESj3BLpcQMGx+WZhJtsG9uOiyJRUsjiOTgjUI8ii289RLPclI cZj0AVMalWCFsCyYyn8EFLxxs3VTH34Ek4GkIPIsEQ1+a7Xn10wVzhstgWej+eIpuCQkwaaJ06qM MlTlW38Z4tZw4a23hS7O/NDuDyNJPhkQTvmIfBX9DHaW/1l/5BqHI9EjHO4KnCY8mghmMIkLQDds FjzK1rzbF5akDb3upLuBmDtM94tCYjxPoMZUxLa+ZgHYgG68lbl0gRhmm4Ls/YjhXej5+efWqVv+ 9hGPwGQ01r5Bd13Ag8cStMXsfX8dLhmrq6Zxnbm9swkh8+ZjN/Ef7zn1lS7Cvlcnqz1ShYJO92+K wieeKC72P0L/mCNbsxfzumMwRRiOyi1vHTbaWW7r6ZyG5A3xVpm+79AAF3aBxe66S3yw6ibazz+u qojpZnSw04u2c8MKiE6/XBVOQP+rs4jdUsnkEFMYSAaXjqnp2DRFqDSSH2zbm5/dGKxpI73lKLMc HYvGGBSnNk4Etq1/NYrJGJ0W+Ib9gnl/ehDmtPDedhwvqWzLbnHmxv+ykPn5RYOLtFw7p0MI/b2R aWv3/WkBqttzziRhN1XE588K6TsjMFnD3SZ9w5Jk7XMeQ46tuJVZng/EIpWH0PKM50kOyCEIbZQj TFoabR+ESlb8RO+QQ7zeRQvluyME8IxYaW4oaTVl2+ivd0NI3PNkH9d+Hl1YwoNnsfZetrYOo+pF hS9yAuDcmEylei/wWMVOLD5UvjVwhV5J/del07mC8dXebAi4nlu1zEfccnrbD1ZsfNbBljZL08Ph +6yQ0wHv+5ccHg5EMMrJZIG2Gc4oj7Wj0FzvpjMBHekFvNh9oUDiBBNJFRfeQm5eMHcDsCO67uxI sQmiKp91oG1uI296s7fZYkSjACqEBXq/6fkhmGQjmq/6llDHLYDVxnenuMThvYVmrkUJ94geGzLk HArckNrnyXdLyfJWgn0/H5qTiFi2+HxjAT8QMS/uwK95whX+O/kuVk1CdZe9k7p5d55e/ifOA8eK W85nRkZc7Dl59EPpeHt4Fzq0nxcvdpImOFuz1OeOlHh0SxMWx65VpprjlusC0RYB2J0R46EfdJaS HWiw91CVFZT+7Ymq66m7NLX/lRfpAAz5lDw5set/eQROBHB49T9lVdxqZUkzE7pd1dydKRiZrY3q RSf3FDoXB7UTu34u0zN7cSC5l1kgD1QhLqww/MSwZ3LaMbusJnmnxrNjCP6piU2tXoR2io3Zp8RE xjKWs+lJRMcbE8vBb9SsQNW87zNvpH3EbpbLi6a8GEpUaXE+Z5TwchFw0LldfHc7k1TaHkrdFOaF HOS2UzTchZqJPS+r15LOxDApHq+o/BORIeALzBrBw7iwHEngldp/j90kmm3nceGtPbneW1RO8nW8 JvjbW3UQv11p60eihRDSP6Lee4qh2tW6eEatupsE/PnugjGVn6PWLdg8Qhftwkob1LpB245s9LMg GaC2+PMB2crjq40Ss5DbA6LuhFJmngUjem432S4SNmYI8q6bWnez8r197hEqLZ/ZLLHOIY3p9iNd GzMN/98zuLIVAtK3HOQf1ic9m82Rcyo4K8XwztaC0BY/as2N9dNnFm+DI6PU03CY1frNiNsM22P3 nIrN6HjGfRcIRcLf2UhIyp9E1bgHq4GcpEf1h9jhy3G4TnthENiBj45mnSqLRTidILZjh9UfxAk6 AjsQR4mmXIMnj+bDPo7+/mOIv7D93IBUZPQZzuJ7QgepoidpWtmVp+2gEJgnR0z0DbofgGKLei2D 9xU6k1Rd7uMW+cPE436yBZ+NXLTemqBP+88P7jt2tAcFxfjicQm3yVsiZQjsG5ZHBRDCohPFg1fv bn78hV8RritFyS1n0CnjwstyxsxS69I9YYvdmCXx+IkPjqfAaoYA8zMGQRf1E21+YJzX3JXAAc05 GqhP6ovqHl1kqz6ntVAET6dHo4IvmPnvGCHspNTRKcBsc8gTfO9A2eaLm1eaowlQ7YpCSn4RE5lY NQlRSVEk8lWbP+388NjcBaxGqg0Wg7NaCJ4+j56dpX3n9YjIQWrJBJlFD9Kh8pcQDMB48TxPZf54 eUyd7h3FJcabUvwcaKPqt/zPLo9VGez4BhKgIf9bZ9incTVp2CMhSVgGaFXPm6i0BI//n/oqSRfK nR1CW6bMpenANKJFESH+urphSTopxYfGFvi7YAlL8ZQclNr7sZIdhIMbpw1+Mk1AMV9TRDWzh9ul Q2NRq4Vucl3rn1awOKrZNUhC7/kumjUJbz4H2QCSYHtF6wxAVrs4dZxdTtAn/BStF/MRq1+znqRy h2nZQ+E/oxKEyCbDyeauJZTVmgIaQATNQJHzHvLzrcmoNz2fcJGaAgRh1W9NX8mL3NvSbXiQ18Jf 0tvV5wDG5ng/MMvpu9LI7kYXtQiAWpAsowEwDvZYKVibN5UpxGN4L9j9qSwd2OAtoPe7UHAz5JiM 2RE98kLllyDF+n/fZQEgfXk66VovgMwEtuY9aWGyomR6eXUSfoq5msqHaVtqq5LQHTdjIDC5rflh cFKN/EwzxQWnolkzwevfYV9zo+sER5iBwVwUpnwhzuccnjlUjKCOYFfPvqSOK5YD4+mHyn1frnPR ZfBDi+QILGVs/8LS6QFPIToPx2GtkJ3gHSHpPygRgANJZG5mJCe3qia09CqE5Qit5/B6u1N8+eg7 TMT6Ps3aOS5cjff4oQbvKL3IrMxgsvGgRCJljbhLkYBXKRctevQjLASOpBmysnlYJxEco1E9Cvoa 46ETsiFBwsw647OFU7yXkoqkg2od0MB60GGqtodgCdQEruN5X22qyIeuz83Va/Cg9feepzeecZIq /nS6roLSFU3YKfBuJ6WrYlNCddMmKoqXNzFTvE17YD3hsN6SIGMZWY3LkiqEGq+MBxh5wfj8Blfm PAb7oEL4FS8SZF9aSxOYy6YNeQe+HrZ+WJPHeGPh3aC79tOM+d352Ni4EPUKEI27Qs0BAYgo+u0g uzBHhRiZsTtKFsfyD6rpcMh4yo6aG/hKEmjlYK2kWbe6p0zJMnqbBGC9IVj16VkU8/KavWvSxMiX EjfdKxv1EFBhhW1Z1MGAs7TNAIteirIwnIBrAU+Y93l4N42xgua/E3znt5EOaR0QrVj2B8BMgIQK FhE/LbXU9X8DzhV0HdXuRIfJxKtF/qPO6R/knDMYYlDmYYBph7w9x+/UeEwqBROHIktQH9dtG9FZ sWEvX1Df9T2OtV6kbY/phaDRjZlQ+90HFhcC/en1aeX9q5krnQP/heAeLQq3gyv7Zzn9vwNssu2W PH5ur5AOW1xzO/b3EmZX9K0wvZFnydzAPioXGDIGUEv4QudDCQoh7UP+4MOwowp6SjIxTiLw2c8V WAUBSryV9a0SCi0bn2tUyHIHV0JIg3pXqhR4HZ2B60GKtZnJtCn2XJrBJfs0hSACSyk6ELYuUfsX UsYOdLYL9bRDXFwBVCzDJ4dBaEs45eC8iKsULJvOISd3TQ== - packet: 1209 peer: 1 index: 3 timestamp: 1748250835.367753000 data: !!binary | F4gwy2W6CHjis8rUaCx+eG4unU1xdazPsFGsWEOKlfkwxXCW1aiXGVPKS11OfYE51W0GaXg1KBcw r8cNeWbD/o1mmFQR3DBXFg4VI7eQJpYabxqwMAK+7t3qUQnEustsDpVoP6J9Cay2u1oKdS/sCbZm WZ1m8ohQa1J5iEdMU9LBdPbzIlUqWM0sQRbehmgiDtXQqoU5pJxqlNhNnKlCFlQxS+0ksOVA1zEB ltLC8dyA7m8Ew9NjRqM4Y3jWTsyO6S7jxHu+mHhYO2ZGBh3Q0RzoocWWI+cDky/Ubl4DBx9lOuou v1gXrJHl2JZ9ZpK+aIUOSJDOFC3MHd5a/vEee5eI23hC6ezvbQaDTETs0vPTZ1whdUKoOeB8zL7L K0w26PBqAH1BbwVx1Zb4Hkkm5rBfn6eDEy4r8c3s0GMaxihCAv8KVk0qzRT7AWhctHlOgMGsk1MD OlB5A33a+xRWAa6vR3Ve61K7VcUzmFgi8txPOgJD9Ld5DiweMTonxOxx5ywrjlBjC3vk5BuAMI3b M9WPANjAS6UrmnMACqugrF0CA92lDV9kv0HC/EAy8oiOsftvItmWOL9uPflQsFCWrv7LcZtdk+wv g0Zm+HNgVI7go4o+lyB0ypO+gzVOCpC204pbPONJZFKqs1wge9yWpSdGPHzPzoxO9Pzp2jLl024g AK/AaraZ2fFvFik4jZj61/tW0efiJE9ZW4MbuSd4AyUD//pnWpyxlRMsZBCAgjAvTGmfkyPl1GE3 Y004G7/wCsJm0glSNMMrNM/+Apq5Je2mC2Hh3JsaGLm1i9+0S7pnVVucgQXcXMNzDTjJjvToEdqs mTxNDgG0zYQp6A6+ZpByivcvs4boCpYV3Vy9Gnb68DRhCkKJP7U8N1D9XSYaq8ou3mpptjpPwlBM N4skNHniCEuN04aZWkUUFiNc9K4VRmBYWMb0dVaX7sryb2qRyW5oAobsElr9/CuLuQgJa2rQjOHl h2j8Aazdyxm4aQdbJjzu7rfvOhb32vbga5clSkdCKSZFqZeGltj+Jxb+ic3z6rWYF2KuhbYjuQOp NTToduFzRqAguoIaSJcGp/DDhW36h1AyYz+Zjpm9ktQZOA7W4yIHnHsyUMTfqAmXSjzHtk1GNJrz /9/7TUipRQFSKsuqrOGmqQnaTRinBq0PRY+5qvybozUKNL8uZUw61mVYKqICIVgX3hC2HvHZhFkV KXCQPmMy8hIweGjOMErtV5ecryI+/UaTeOtsWCPKcy3UjRfFTZy6xjLFnrkamaMH83MVrQsnZ4IN jGl7gI9Wlar9hn8JElWczTurobnlzkktf7EpushAf/vbMUhegNdh2IQ1FCNaXkmYzbk9lmgup2ny BlZHxnB1BsrdU8dwbrkRKb4Kbsl0rELDNT4u/OC49dQkoOyR9QyqM1Q7of6w9vR1RvVB6mcmFqFa ccbvfMXF+Dp4PtGIc336SqDSKr7VhEpTAtNYR9PPRiVbKZNZ6UetvEay21k8niW7DAdB9J00w1QD P4bUrIXQKtHWvKFjruAeRkMHR3RfgLkLdzb5cr5OlryBnFkfR/5WRB8y9/OXD2gMUa+5RjPBXXzV IfFAgBU+eb186TQ+b2r3X9Kt/RE2SNkkCfS0AIVDQJR2KQ6XY6L4STnK+B2K2DjHf65dV4y6x5Xr oNxUEupgx7u8fNDLvsqYrV4k1SAmISuEzuBzsahYbT8hvaPtwufDMryiHn+Q0zyHcjHsfE0RuYi5 50OBbD2OK10ljReiQ4MTTkdmioiG33dPmo4fYRFTvSLHXfSAPh5fa5A/mZvOu/vzJH3eL2WD4lSt aMcI5x2xhonEZTPLFVgcDCoE0hmVhklerGBCotQ1V/0N7XFMdCstZao5JbZcPLwID53lT6FaUhFk xr8dl+jLWs0Nh0FopUkgAachbq9aQLJ1l6P1v0Um4kOo9DNgOAy72KU0T3JMOyz0hjd7odQLAqMw alG2ywJwbBet8cnfrowVJR7oMp04XLfE6dvMG+Liw/BeGHK6MbTn82ZHn7FniR/zpIhbc2mt4xq9 7i+G4Lkb0nE0o31dBi8BK5wx72S/slV61goyFvQeckQrWaMXs6qGY7vOw5fsf/hbEfNvKMm2MfHA sNqhi5gq/jcMgMmtglg4RR7VPU1DTJc4xuieYOqSvnHXAhvYqwXCpdJ1zhOF+tb/JT1/5Vp+m83m SH0Y4mR5vaPpjvpJc+PQAaNAng4UH8fVSdps+GnL7TFcxEQ7nekozlocv9PxE4q9 - packet: 1224 peer: 0 index: 2 timestamp: 1748250835.371758000 data: !!binary | 9Ul+j/7/rgAbB8XmOVvia1ZM3TreUHNpwHRJ - packet: 1227 peer: 1 index: 4 timestamp: 1748250835.444353000 data: !!binary | XepUHdPjJPg+9Aw+CBIP+H8LgVu2hMI7Q3iDBeHgHkyHzN8547OEvyUXONNx4i9q9VE9rHAUsJgO 5gmvYaXU4dPQvle1VPHVLb8M0uPUFL5iHRixHOYg54mgsC2NjznNFiUzoC78axvGfwXbK0lO/eGk uTGqhlMCNyKsTdilcMkqow8CwkFJRGhNNoVK8+KHnLrlnSHw77fY3c1/J23XjbH6uIdtb5/BbdgC vO4tuxHJOJ5qnPhpnOOre76nSU+hu5X72r8xWQFG1LPpuEBf6RbYWU8kc/Kcsp212ayuPnrVSVLC FuMIqWwpj2jn5CuCOBzOgCa38fL+zGqImcId4kZkMgu3yLn2pYhvdaNGnOCsoNX63J7TOSKNrp2H joCZ1Xvg4ohxqXpyisPQszU5qbj7TDFtyNRcqUhjDOQs3uvGLOBUlg795N7y3295gWSHWF1iWgoz 2y1Hs5yhddeT9Bxxa125liSFzHlP7pb4x4vktarj+Iguq60IbGIhEfJ6YLrbgEaWoa0q8uYLMI4Y KfRoHhC1iRz5bQeibOhzMhuwfkLoc+cpjmZOAbMdWYh3Kmwzw9DcBMeNK/583ZzNAPdVK6jb74jw aiaZRpYy0BCHCX+U - packet: 1232 peer: 1 index: 5 timestamp: 1748250835.596026000 data: !!binary | f2F1xVwXyNEa3AZ8YsQ6TsBpZ5UQySVcLzZg - packet: 1242 peer: 0 index: 3 timestamp: 1748250835.705293000 data: !!binary | 4AKDthhh1GgMYv+j9xa2DZQz981CW8cefp2oygb/mxpS+G+cSYbAu+wFM6jEt7bX0jktn5FJLasq mZOpa+9WFXpARhGj1sRz5biDoV/ReUx4UtjiHcahTEBcyPWT7q0+LYqHz65oK8JMdKcwLlsXUBeg fDS4HU6Lht/PjwBP/U9NpL8AJZcYd2zG8UYXE3+R/szzY9Tb0FLArCbPfyKlhNsTmc4W3SBnVj9a VToUb+1qJkCRLKXptUtQMd2tM1VCuy7jeEOCuvMYNRYEG/SrnSiuh0AcbiHC13ktLZ4pjtCyQL8C YcNUs34ZfVsl1lOA5RJd7Uy9F6UlwLzANDifb9GlWcq9UosJiH3WpTuydeClBFS8b5q3B4mbXx8B KV+ct4fQXrFGlC9ftD92zd/KoV94hnCZ7cjGaw0y0b4hE/bWohsgdqemJoBIrUyXzeu4JuzvjHw2 KOEv4T332fTqqdSR - packet: 1453 peer: 1 index: 6 timestamp: 1748250835.800706000 data: !!binary | oyArikM1z/d5ssA1XcB1NFj+STnBJxnihmiZFmvHlcq9FOTIw/W3MpzDQPagqeGotRW3fCEoFg== ``` ``` { "31mhcrzjvmeczjbu2aeqedb5ge2m": [ "31mhcrzjvmeczjbu2aeqedb5ge2m", "RqBeLzbT2039ybP1e42tUobPKmjroH7GsFzxlLKl2j8FRbh6eDTQwBtv/VfCPEOrPdp8a+vnGI3vf7arxQweRUcMYg9R4GsS64T+TLogn1kT1HzHW+vgBh3mrqcaiYOArAYliijtgUH2R5nZss4S9XDgSvQNPRB4lU+lczBhsdTxT8XgEtPaaFLzvPWDpKA4V+aX4YCEc+QxWxJBrfy5XZvHA+/zGwrGHu8dmtoR4JwJdhUyMbQ7U43IXKnB8BsUd93f/cSpkH962OdwGlHR//XRjJzR7NziE1N1v43dgu6I9cVkErrkVbD7YQt6lzTp" ] } ``` [spotify-automotive-apk-bundle.zip](https://github.com/user-attachments/files/20440060/spotify-automotive-apk-bundle.zip) [spotify-traffic.zip](https://github.com/user-attachments/files/20440046/spotify-traffic.zip)

kerem added the

enhancement

label 2026-02-27 19:31:54 +03:00

kerem commented 2026-02-27 19:31:55 +03:00

Author

Owner

Copy link

@kingosticks commented on GitHub (May 26, 2025):

I didn't know they now offered that, that's cool. I've never heard of tripe, nor can I find anything when I search for that. I thought this was just known as "device flow", like described at https://community.spotify.com/t5/Spotify-for-Developers/Device-Authorization-Grant-authentication-flow-for-custom/td-p/5485468

Actually, I wonder if just doing what's described there but using Spotify's client ID would just work for us.. I don't think I've ever actually tried!

<!-- gh-comment-id:2910528394 --> @kingosticks commented on GitHub (May 26, 2025): I didn't know they now offered that, that's cool. I've never heard of tripe, nor can I find anything when I search for that. I thought this was just known as "device flow", like described at https://community.spotify.com/t5/Spotify-for-Developers/Device-Authorization-Grant-authentication-flow-for-custom/td-p/5485468 Actually, I wonder if just doing what's described there but using Spotify's client ID would just work for us.. I don't think I've ever actually tried!

kerem commented 2026-02-27 19:31:55 +03:00

Author

Owner

Copy link

@salvatorebattiato commented on GitHub (May 26, 2025):

Yeah, that gives you a bearer token qualified for streaming and other stuff, but not as powerful as one got from login5. For example, with the login5 bearer you can do session transfers and get an sp_dc and xcsrf token. The oauth2 login flow is weaker, you can just put a valid client id scraped from any whitelisted client (car, tv, desktop) and it just works in getting you a weak bearer and the relative refresh token (used to get another bearer after it expired)

I don’t know if you actually need this implemented as a login5 plugin in librespot, but reverse engineering the protocol running on 4070 would be fun. I don’t have the software skills to go that deep in pentesting. I almost reverse engineered all Spotify login related private apis, and I’d love to know what’s going on with access points.

<!-- gh-comment-id:2910554555 --> @salvatorebattiato commented on GitHub (May 26, 2025): Yeah, that gives you a bearer token qualified for streaming and other stuff, but not as powerful as one got from login5. For example, with the login5 bearer you can do session transfers and get an sp_dc and xcsrf token. The oauth2 login flow is weaker, you can just put a valid client id scraped from any whitelisted client (car, tv, desktop) and it just works in getting you a weak bearer and the relative refresh token (used to get another bearer after it expired) I don’t know if you actually need this implemented as a login5 plugin in librespot, but reverse engineering the protocol running on 4070 would be fun. I don’t have the software skills to go that deep in pentesting. I almost reverse engineered all Spotify login related private apis, and I’d love to know what’s going on with access points.

kerem commented 2026-02-27 19:31:55 +03:00

Author

Owner

Copy link

@kingosticks commented on GitHub (May 26, 2025):

Have you seen how our oauth flow works today? We can create a "weak" Access Point session using the resulting oauth access token, and then use that to obtain a "full" reusable credentials session. This is (was?) what their desktop app was doing. I envisioned the same thing but initially using the oauth device flow instead. Would be nice to see if it's possible.

I don't remember if that full session provides the other tokens you mention, but once you're in you have everything required to then create a login5 session also.

<!-- gh-comment-id:2910575436 --> @kingosticks commented on GitHub (May 26, 2025): Have you seen how our oauth flow works today? We can create a "weak" Access Point session using the resulting oauth access token, and then use that to obtain a "full" reusable credentials session. This is (was?) what their desktop app was doing. I envisioned the same thing but initially using the oauth device flow instead. Would be nice to see if it's possible. I don't remember if that full session provides the other tokens you mention, but once you're in you have everything required to then create a login5 session also.

kerem referenced this issue 2026-02-27 20:00:47 +03:00

[PR #665] [MERGED] Tokio migration #1006

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.0

v0.4.2

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.0

v0.1.6

v0.1.5

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

A-Alsa

  

SpotifyAPI

  

Tokio 1.0

  

audio

  

bug

  

can't reproduce

  

compilation

  

dependencies

  

duplicate

  

enhancement

  

good first issue

  

help wanted

  

high priority

  

imported

  

imported

  

invalid

  

new api

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

reverse engineering

  

wiki

  

wontfix

No labels

A-Alsa

SpotifyAPI

Tokio 1.0

audio

bug

can't reproduce

compilation

dependencies

duplicate

enhancement

good first issue

help wanted

high priority

imported

imported

invalid

new api

pull-request

question

reverse engineering

wiki

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/librespot#677

No description provided.