Token retrieval and expiration

[nilleiz]

So I came back to this project now, since tidal announced that mqa will be dropped completely from the platform.

Giving that some time has passed, what's the easiest way now to retrieve the token needed by the application?

What about the expiration? Is it still at 24h?

[ebb-earl-co]

@nilleiz thank you for having asked. There technically is no need to retrieve a token, as, by default, tidal-wave uses a spoofed Amazon Fire TV client to retrieve: Dolby Atmos, Lossless, MQA, High, and low quality. The only time that an external token is need is for the retrieval of HiRes FLAC. These tokens do reset after 24 hours because, from TIDAL's perspective, this is security.

Background

One of the precursor projects to this that I have built off of indirectly is OrpheusDL, especially it's tidal submodule. You can see here in the source code that it has a way of spoofing a mobile client so that HiRes can be accessed without the need to find an Android phone lying around, say, but I tried to duplicate the code and couldn't get it to work. There might still be hope that I re-created Orpheus-DL's logic incorrectly, though, so integrating that approach is on the backburner.

Or, there is the tidalapi project that is used as a dependence for a few other projects, but look at the unbelievable seventy lines of obfuscated logic that is used to hide the credentials: here. Then, in order to get a token that will access HiRes content, there is a manual login then copy-and-paste rigmarole that must be done: here.

Explanation of Methodology

So, until I can figure out how to emulate or improve others' methods, then still the easiest manner of getting a token for HiRes FLAC is via an Android device, just a normal Android advice with the normal TIDAL app installed from Google Play Store.

• There is a great project called Waydroid that I use which gives you an Android virtual machine on your desktop machine or wherever, meaning you don't need an extra tablet or phone lying around!

The location of application data on Android is consistent, so the TIDAL data is probably in /sdcard/Android/data/com.aspiro.tidal/. In particular, the files we're looking for are in /sdcard/Android/data/com.aspiro.tidal/cache/okhttp/: this directory has dozens of files with .0 and .1 as extensions. Certain actions done in the Android app generate a .0 file that has the Bearer token in it.

Example

For instance, the following is an example of a file with a Bearer token in it (expired, so the token itself is worthless)

$ cat /sdcard/Android/data/com.aspiro.tidal/cache/okhttp/988f293093c6b255e2c655d55379203d.0

https://api.tidal.com/v1/tracks/363579758/lyrics?deviceType=TABLET&locale=en_US&platform=ANDROID&countryCode=US
GET
1
Authorization: Bearer eyJraWQiOiJ2OU1GbFhqWSIsImFsZyI6IkVTMjU2In0.eyJ0eXBlIjoibzJfYWNjZXNzIiwidWlkIjoxOTUyODk0MzIsInNjb3BlIjoid191c3Igd19zdWIgcl91c3IiLCJnVmVyIjowLCJzVmVyIjowLCJjaWQiOjgwMTgsImN1ayI6ImYxOTRhNGE3NjYyYTg3OGQiLCJleHAiOjE3MTg2Njg3ODYsInNpZCI6Ijk1N2RhYjJmLTE1YmMtNDZkNC05ZWU1LWVhNzc3NmI4ZmM2YyIsImlzcyI6Imh0dHBzOi8vYXV0aC50aWRhbC5jb20vdjEifQ.SjEB9TBHMo1QFY7XJyzu9IoI0cZkJ9_eoTAYxt-UXDB_3C95V8xGFqEDuAv9R4IhrlxxU14GWIn0Rxxpam3CZA
HTTP/1.1 200 
17
content-type: application/json
date: Mon, 17 Jun 2024 00:00:40 GMT
x-ratelimit-remaining: 49
x-ratelimit-requested-tokens: 1
x-ratelimit-burst-capacity: 50
x-ratelimit-replenish-rate: 1
cache-control: max-age=3600, s-maxage=3600
x-envoy-upstream-service-time: 1
server: envoy
content-encoding: gzip
vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers,authorization
x-cache: Miss from cloudfront
via: 1.1 8c0ea0856b53ef3ac1cc1b0cac7c9fd4.cloudfront.net (CloudFront)
x-amz-cf-pop: DFW57-P6
x-amz-cf-id: Hq4cgZCYV4e9okwwQk9bBIByQFgonHuV9R9Hd70YENaYQ2rMcMlDOQ==
OkHttp-Sent-Millis: 1718582440221
OkHttp-Received-Millis: 1718582440308

TLS_AES_128_GCM_SHA256
3
MIIGCjCCBPKgAwIBAgIQAz+M+M0VDyqbUohOubBE0jANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24gUlNBIDIwNDggTTAzMB4XDTI0MDYwOTAwMDAwMFoXDTI1MDcwODIzNTk1OVowFDESMBAGA1UEAxMJdGlkYWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqzSjmBozo59WfYIh2UohfvqLV0KIZfs3SDR5SpLzt1fDF10zZJge3ea2jTtpHuO3CfEmnt2Af++rG0Jmrzg9EzM1DiPFYBy/jyqyoqTIIFyFjpGIxuKI3X/zunUs20xpMiNUiYkErwHsNBj7k9sGqaczvrKodUFzMJpplZjkCqiz+Wmu5sKeVbJ96xGQm+gc2idpmGfWFjIfbPcp3S+3JZ6IQHbHq2fW+dR5o/H4+HDrS0o5ANn02k0WfPQtKztC4zzCI9iqzwH5Xl1MB1CPMVm+TzdPr8rik2tdVr0/QEGkNlRq9U/+3cM0P15FGwErHCec5FvnhtG8uClw3dZ/LwIDAQABo4IDLjCCAyowHwYDVR0jBBgwFoAUVdkYX9IczAHhWLS+q9lVQgHXLgIwHQYDVR0OBBYEFLGYDiY0e7K20+7/ofrftSwSRXlbMGEGA1UdEQRaMFiCCXRpZGFsLmNvbYIPKi53aW1wbXVzaWMuY29tgg13aW1wbXVzaWMuY29tgg10aWRhbGhpZmkuY29tggsqLnRpZGFsLmNvbYIPKi50aWRhbGhpZmkuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5yMm0wMy5hbWF6b250cnVzdC5jb20vcjJtMDMuY3JsMHUGCCsGAQUFBwEBBGkwZzAtBggrBgEFBQcwAYYhaHR0cDovL29jc3AucjJtMDMuYW1hem9udHJ1c3QuY29tMDYGCCsGAQUFBzAChipodHRwOi8vY3J0LnIybTAzLmFtYXpvbnRydXN0LmNvbS9yMm0wMy5jZXIwDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYAEvFONL1TckyEBhnDjz96E/jntWKHiJxtMAWE6+WGJjoAAAGP+1F8gQAABAMARzBFAiAAxp10S/EmmpR8gS8Q7bCeR5nvudQqP8tAMC/rIC5NiAIhAMMhf2qubXvmK+rwAY2n2WoTQWHGoJHAMQYu1l0VTeNvAHUA5tIxY0B3jMEQQQbXcbnOwdJA9paEhvu6hzId/R43jlAAAAGP+1F8WQAABAMARjBEAiAWzejC8OV+PPHgnpZo15JUp1sTnLpAPmHZKTHiX9q9/AIgVPWKYgEIkYA/4six6ayTA5RtfT3HJiXmHWSuR6Jc+wcAdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAY/7UYCHAAAEAwBHMEUCIHcIeZaIJ23f9Hjwjbg7ckDSc9Jj27tTb9Gh26BTLPk/AiEAvMT0SP5ahSOvGDwiwsh0s7RC//k7geY2vk7mzvNpIOYwDQYJKoZIhvcNAQELBQADggEBAISw11iUOjdX/aCs1UJ2zRYfW6aMPYa7k0as7nvHG3scXH5Jb5kN1ANG6QTKpFWPGtQlAzfd6jxHqASDDeNvj3m8uh5xpFBE99aNJlQ3yZ6j7lv53McmMJ/EyQKCgYpPWfw+oxTJOaPNV0Wm7s9b5NcZBhuz9ou/+py7gJ9k7MlWbFpTpGrTVC7CZ5SoaylTqYv2fQyFOeYKSrqd9F+E4dzfSYcPZ9Q0lo3uIii3kJbz7hQEVN4fPaA2RICm422KQeoHt75g99a2WiyJbX1YHMquYopuKhOMy39pQ5JEuLZCuw+pynEyQLYgSrrXotJq3hBLZ8m57SYVQgaiB5EVeTM=
MIIEXjCCA0agAwIBAgITB3MSTNQG0mfAmRzdKZqfODF5hTANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTIyMDgyMzIyMjYwNFoXDTMwMDgyMzIyMjYwNFowPDELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEcMBoGA1UEAxMTQW1hem9uIFJTQSAyMDQ4IE0wMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALd/pVko8vuM475Tf45HV3BbCl/B9Jy89G1CRkFjcPY06WA9lS+7dWbUA7GtWUKoksr69hKMwcMsNpxlw7b3jeXFgxB09/nmalcAWtnLzF+LaDKEA5DQmvKzuh1nfIfqEiKCQSmXXh09Xs+dO7cm5qbaL2hhNJCSAejciwcvOFgFNgEMR42wm6KIFHsQW28jhA+1u/M0p6fVwReuEgZfLfdx82Px0LJck3lST3EB/JfbdsdOzzzg5YkY1dfuqf8y5fUeZ7CzWXbTjujwX/TovmeWKA36VLCz75azW6tDNuDn66FOpADZZ9omVaF6BqNJiLMVl6P3/c0OiUMC6Z5OfKcCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUVdkYX9IczAHhWLS+q9lVQgHXLgIwHwYDVR0jBBgwFoAUhBjMhTTsvAyUlC4IWZzHshBOCggwewYIKwYBBQUHAQEEbzBtMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbTA6BggrBgEFBQcwAoYuaHR0cDovL2NydC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbS9yb290Y2ExLmNlcjA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLnJvb3RjYTEuYW1hem9udHJ1c3QuY29tL3Jvb3RjYTEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqGSIb3DQEBCwUAA4IBAQAGjeWm2cC+3z2MzSCnte46/7JZvj3iQZDY7EvODNdZF41n71Lrk9kbfNwerK0dVNzW36Wefr7j7ZSwBVg50W5ay65jNSN74TTQV1yt4WnSbVvN6KlMs1hiyOZdoHKsKDV2UGNxbdoBYCQNa2GYF8FQIWLugNp35aSOpMy6cFlymFQomIrnOQHwK1nvVY4qxDSJMU/gNJz17D8ArPN3ngnyZ2TwepJ0uBINz3G5te2rdFUF4i4Y3Bb7FUlHDYm4u8aIRGpk2ZpfXmxaoxnbIBZRvGLPSUuPwnwoUOMsJ8jirI5vs2dvchPb7MtI1rlei02f2ivH2vxkjDLltSpe2fiC
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5
0
TLSv1.3

This file's contents are a record of the HTTP request sent to the TIDAL API: the gibberish after TLS_AES_128_GCM_SHA256 is the actual encrypted response from the API, but the top part after GET is a record of the TIDAL Android app's parameters sent to the API: the Authorization: Bearer _____ is the key that convinces TIDAL's servers, where the music and videos live, that any request with that key is authorized. This project, tidal-wave, uses that key to pretend that it's the Android app, and get the audio data for the user.

TL; DR

Until a pull request comes in, or I get some time to try to implement a semi-automated approach to spoofing a mobile Android client, then having access to an Android phone or tablet is the easiest way to get a Bearer token for tidal-wave to use: this is because of the tools for working with Android over USB available for Windows, Linux, and macOS.

There are a few helper commands that I can share to make it a bit faster to clear old okhttp/ .0 and .1 files, but until something fundamental changes from TIDAL's end, their security means that there will be manual intervention with some official TIDAL client required.

[jade-doggerel]

Howdy - I cobbled together a hideous PowerShell script to automate the gross part of the Android token retrieval process. It's not pretty but it Works On My Machine so I thought I'd leave it here just in case it is useful to someone.

I'm (clearly) a filthy Windows user and I haven't tested it elsewhere, but in theory I think it should work in other environments, assuming adb is in the same directory or $PATH (and also assuming that you've sullied your operating system with PowerShell for some reason).

I did have a script that wrapped login_android logic to validate/save it, but I seem to have misplaced it...

If you're interested in a PR I'm more than happy to try writing this in Python, but I'm very far from an expert (though I have to say going through the tidal-wave source has been a masterclass in how to write clean, readable and structured Python!!). I wouldn't have any idea how to handle bundling adb... maybe with adb_shell?

edit: I just re-read the TL;DR and you were talking about spoofing a client, not connecting a real device - sorry!! Handling adb is probably the least efficient way to accomplish this...

[ebb-earl-co]

@jade-doggerel thank you for having chimed in! I've just perused the PowerShell script, and it looks just fine. Did you find a way to retrieve many bearer tokens and put them into a CSV? If you automated that part of the process, I'd be very curious!

I haven't updated this project properly for a while because I write Python for my day job, so the willpower to write more Python when I get done with work is low. However, I've got a branch that will overhaul most of tidal-wave authentication logic, doing away with needing manual tokens altogether!

The progenitor project to this one used AndroidAuto and Amazon Fire TV spoofed client credentials, and lo and behold they still work! So the vision is to use those, which are set once and forget, instead of faffing about with the extra phone or tablet lying around...

In any case, please put in a pull request if you like! No one has done so yet, but pull requests are lightweight, so no harm done

[jade-doggerel]

Hahah, I know that feeling all too well! I'm a webdev by day, recently I have been hiding in Python at night 😅

I'm happy to put in a PR! I'm very new to Python, especially build/compile, so not sure how to manage the adb stuff. For the sake of proof of concept I'll subprocess it and work it out later later.

Re: that CSV variable - oops! I forgot about that. Before I started messing with regex automation I just dumped them all in a CSV and sorted them by date. In Windows at least, I've found the modified date on the files sometimes gets out of whack when they've been pulled via adb and obviously it's a lot quicker to process them locally rather than over MTP. I'll check if I still have that version and do a test; this was initally supposed to be a quick and dirty script so I don't think I ever committed it to VCS...

Re: new branch - that sounds very interesting! Let me know if you'd like me to test it out. Since posting that I've been messing around a with tidalapi - they have an implementation of the entire oauth flow, including token generation and refreshes. I haven't looked too far into how it actually works because this library has a dramatic level of abstraction, but I took the access token from it and fed it to tidal_wave (run from the binary) and it worked fine - so I have been working on a half-baked implementation of that. Here's an unfinished prototype. Note it's totally untested at the moment - the token from tidalapi has a much longer expiry (seems to be a week) so I haven't needed it yet. But I did notice that windows-tidal.token created by tidal_wave has:

"client_name": "185286877_185286877_Android Automotive",

I wonder if they use a similar approach to what you're doing?