We are in the process of cleaning up the threads and making them public in the BMW Development subsection to attract new contributors, however I've also granted you access.
@doublespaces, I am also interested in this topic.
Thank you!
First of all, we create a virtual flash device:
# devf-ram -vvv -s0,128M,,,256k
And format it (not sure if this is mandatory):
# flashctl -p /dev/fs0 -ev
We copy our dump over the newly created virtual fs (in this case, fs0):
# cp -V <flash_dump_file> /dev/fs0
Only thing left to do is mount our virtual device and start exploring its partitions and contents.
# mount
I think I'm going to hang around this forum so I can learn from you, and maybe even help.
Done.
Hey, can I get access to the private thread? I'm interested. @doublespaces
Whoa, looks like I'm late to the party. Two days ago, I had this crazy idea to run my own ConnectedDrive server. I'm glad I'm not the only one.
In case it wasn't already mentioned (I'm still processing this thread in its entirety, I'm really excited!) the Combox update (UPD01008.bin) contains compressed SQL scripts which need to be deflated via QNX's deflate binary. You can tell by the first few characters in the file: iwlyfmbp
I've been monitoring the IP traffic between the Combox and my Nexus 6P to see where BMW ConnectedDrive routes through for authorization when tethered through Bluetooth. After running bluetooth_hci.log through Wireshark, I've nailed it down to a curl request:
Code:
curl -X CONNECT --proxy-user b2v_standard:b2v_standard --proxy 160.46.255.1:8080 \
--proxy-header 'Host: b2v.bmwgroup.de' \
--proxy-header 'Accept-Encoding: gzip' \
--proxy-header 'Accept: */*' \
--proxy-header 'BMW-OTA-ID: 20150327-104300' \
--proxy-header 'BMW-Vin: AB12345' \
--proxy-header 'Content-Range: bytes 0-10240/*' \
--proxy-header 'Proxy-Connection: Keep-Alive' \
--proxy-header 'User-Agent: Aetsch3/104040c/02' \
https://b2v.bmwgroup.de:443 --insecure
I might need to update my Combox though as I suspect it's running an older version (C03 instead of C05) so the above servers might be invalid, but I do receive a simple "1.1 Service Unavailable" response. These values are from a 2008 E60 with a retrofitted CIC (C1A) and Combox (from a US 335d E90 that had an active subscription) with all services activated via patched SWTs thanks to intel123's solution on CT. I'll bust out the ICOM tonight and verify that I'm up to date.
My next step is to MITM and attempt to sslstrip the traffic in hopes of decoding the encrypted data. I've set up my older Nexus 10 with Nethunter for this purpose. One of my ideas was to replace the CD API server URLs and certificates with my own and basically return an "Authorization OK" response. Afterwards, implementing the API is the fun part. I'm going to take a look at the /net/front/etc/ppp/ on my CIC tonight.
Oh, there's also decompiling the classic Android APK... but I digress.
Is the Github repo still available by any chance? Please add me in! (@sarog) And what about that "other" thread?
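The signature check mentioned in the post above, as an added example that is not part of the original thread: it lists every offset at which the `iwlyfmbp` marker occurs in an update image, so an analyst knows which regions are QNX-deflated before trying to read them. The function names and the sample bytes are constructed for illustration; only the signature string comes from the post.

```python
import io

# Signature the post reports at the start of QNX-deflated files.
SIGNATURE = b"iwlyfmbp"


def find_signatures(stream, chunk_size=1 << 20):
    """Return every byte offset at which SIGNATURE occurs in a binary stream.

    Reads in chunks so a large image need not fit in memory, and carries the
    last len(SIGNATURE) - 1 bytes forward so a marker that straddles a chunk
    boundary is still found (and never counted twice).
    """
    if chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    offsets = []
    tail = b""
    base = 0  # file offset of the first byte of tail + chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        pos = window.find(SIGNATURE)
        while pos != -1:
            offsets.append(base + pos)
            pos = window.find(SIGNATURE, pos + 1)
        tail = window[-(len(SIGNATURE) - 1):]
        base += len(window) - len(tail)
    return offsets


def classify(offsets):
    """Summarise what the offsets imply for the next analysis step."""
    if not offsets:
        return "no deflated data found"
    if offsets[0] == 0:
        return "file starts with a deflated stream"
    return "deflated data embedded inside a container"


if __name__ == "__main__":
    # Constructed sample: one marker at offset 0, one embedded at offset 40.
    sample = SIGNATURE + b"\x00" * 20 + b"CREATE TABLE" + SIGNATURE + b"\x01" * 5
    hits = find_signatures(io.BytesIO(sample), chunk_size=5)
    print(hits, "->", classify(hits))
```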
Hello, I would like to have access to the private section; how should I proceed? Thank you!
Done
The Server is still valid.
You just have to dig some folders "deeper".
The URL for CIC is: https://b2v.bmwgroup.de/com/cdplive/cdp/release/vehicle/servlet/start
The URL for NBT is: https://b2v.bmwgroup.de/com/cdpnbtlive/vehicle/nbt/servlet/start
Using another User-Agent even gives you some "more" information.
As here seems to be the most advanced discussions about this stuff, I would love to join and contribute to the private section.
Under the BMW General section there is now a new section at the top called BMW Technical. I've given the active users of this thread privileges to view that section, it is not visible to anyone else without explicit permission and is excluded from the sitemap and indexing.
Could you please add me as well?
Done, but most of it is public now.
Done