Anyone thought of building a connected drive server?

manels_dnb

New Member
Feb 14, 2018
1
1
0
Catalonia
Ride
2009 E90 LCI 320d
Hey! I just found this forum while looking for that copie_scr.sh code execution method, and you guys are doing a great job with the CIC!

I retrofitted a CIC in my car quite a while ago. I investigated a little bit, but I didn't do much more apart from dumping the flash and extracting the contents.

I'm probably late to the party, as the previous posts here regarding the flash filesystem are from almost a year ago. Anyways, I didn't find here how to mount a CIC flash dump and, as it might be helpful for someone, I find it fair to post it here.

Edit: I pressed the wrong button and posted this before writing how to actually mount the flash dump. You'll just need a QNX VM (or a computer with QNX). It's pretty trivial.

Code:
First of all, we create a virtual flash device
#devf-ram -vvv -s0,128M,,,256k

And format it (Not sure if this is mandatory)
#flashctl -p /dev/fs0 -ev

We copy our dump over the newly created virtual fs (in this case, fs0)
#cp -V <flash_dump_file> /dev/fs0

Only thing left to do is mount our virtual device and start exploring its partitions and contents.
#mount

I think I'm going to hang around this forum so I can learn from you, and maybe even help :)
 

mmx

New Member
Sep 1, 2018
2
3
0
Montreal, QC
Ride
08 535xi
Whoa, looks like I'm late to the party. Two days ago, I had this crazy idea to run my own ConnectedDrive server. I'm glad I'm not the only one. :)

In case it wasn't already mentioned (I'm still processing this thread in its entirety, I'm really excited!) the Combox update (UPD01008.bin) contains compressed SQL scripts which need to be deflated via QNX's deflate binary. You can tell by the first few characters in the file: iwlyfmbp

I've been monitoring the IP traffic between the Combox and my Nexus 6P to see where BMW ConnectedDrive routes through for authorization when tethered through Bluetooth. After running bluetooth_hci.log through Wireshark, I've nailed it down to a curl request:

Code:
 curl -X CONNECT --proxy-user b2v_standard:b2v_standard --proxy 160.46.255.1:8080 \
 --proxy-header 'Host: b2v.bmwgroup.de' \
 --proxy-header 'Accept-Encoding: gzip' \
 --proxy-header 'Accept: */*' \
 --proxy-header 'BMW-OTA-ID: 20150327-104300' \
 --proxy-header 'BMW-Vin: AB12345' \
 --proxy-header 'Content-Range: bytes 0-10240/*' \
 --proxy-header 'Proxy-Connection: Keep-Alive' \
 --proxy-header 'User-Agent: Aetsch3/104040c/02' \
 https://b2v.bmwgroup.de:443 --insecure

I might need to update my Combox though as I suspect it's running an older version (C03 instead of C05) so the above servers might be invalid, but I do receive a simple "1.1 Service Unavailable" response. These values are from a 2008 E60 with a retrofitted CIC (C1A) and Combox (from a US 335d E90 that had an active subscription) with all services activated via patched SWTs thanks to intel123's solution on CT. I'll bust out the ICOM tonight and verify that I'm up to date.

My next step is to MITM and attempt to sslstrip the traffic in hopes of decoding the encrypted data. I've set up my older Nexus 10 with Nethunter for this purpose. :) One of my ideas was to replace the CD API server URLs and certificates with my own and basically return an "Authorization OK" response. Afterwards, implementing the API is the fun part. I'm going to take a look at the /net/front/etc/ppp/ on my CIC tonight.

Oh, there's also decompiling the classic Android APK... but I digress.

Is the GitHub repo still available by any chance? Please add me in! (@sarog) And what about that "other" thread?
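The curl line above is a reconstruction of what the Combox sends to the proxy; on the wire that is a plaintext HTTP CONNECT request, and everything in it (the `--proxy-user` credentials as a Basic token, the VIN, the OTA id, the User-Agent) is readable by the proxy and by anyone on the Bluetooth/IP path before the TLS tunnel exists. The following Python is an added example, not code from this post or from any BMW tool: it parses a CONNECT request constructed from the headers in that curl command and reports what the client hands over in the clear. The request text, the function names and the list of "metadata" headers are assumptions for illustration.

```python
"""Audit a captured HTTP CONNECT request for what it reveals to the proxy.

Added example (not from the original post). The sample request below is
constructed from the headers in the curl command in the post; the
Proxy-Authorization line is what curl's --proxy-user option emits
(HTTP Basic: base64 of "user:password").
"""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample: the CONNECT request as it appears on the wire between
# the Combox and the proxy, i.e. plaintext, before any TLS handshake starts.
_PROXY_CREDS = base64.b64encode(b"b2v_standard:b2v_standard").decode("ascii")
SAMPLE_CONNECT = (
    "CONNECT b2v.bmwgroup.de:443 HTTP/1.1\r\n"
    "Host: b2v.bmwgroup.de\r\n"
    f"Proxy-Authorization: Basic {_PROXY_CREDS}\r\n"
    "Accept-Encoding: gzip\r\n"
    "Accept: */*\r\n"
    "BMW-OTA-ID: 20150327-104300\r\n"
    "BMW-Vin: AB12345\r\n"
    "Content-Range: bytes 0-10240/*\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "User-Agent: Aetsch3/104040c/02\r\n"
    "\r\n"
)

# Headers that identify the vehicle or its software; assumed list for this example.
METADATA_HEADERS = ("bmw-vin", "bmw-ota-id", "user-agent")


def parse_connect_request(raw: str) -> Dict[str, object]:
    """Split a CONNECT request into target host/port and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError(f"not a CONNECT request: {method}")
    host, _, port = target.rpartition(":")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"host": host, "port": int(port), "version": version, "headers": headers}


def decode_basic_proxy_auth(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Proxy-Authorization header, if present."""
    value = headers.get("proxy-authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_tunnel_request(raw: str) -> List[str]:
    """List everything the client discloses to the proxy before the tunnel is up."""
    req = parse_connect_request(raw)
    headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
    findings: List[str] = []
    creds = decode_basic_proxy_auth(headers)
    if creds:
        findings.append(f"proxy credentials sent in cleartext: user={creds[0]!r}")
    for name in METADATA_HEADERS:
        if name in headers:
            findings.append(f"{name} visible to proxy before TLS: {headers[name]}")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel_request(SAMPLE_CONNECT):
        print(finding)
```

Two things worth noticing from the output: the proxy authentication is shared, static and base64-only, so it is not a secret in any useful sense, and the VIN travels outside the TLS tunnel, so a passive observer on the tethered link learns which car is talking without breaking any crypto. The `--insecure` flag in the captured curl line is a separate issue on the inner TLS session (certificate checking off); the CONNECT request alone cannot tell you whether the real client verifies the server certificate, which is exactly the thing to establish before trusting any "Authorization OK" replacement server idea.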
 

doublespaces

Administrator
Oct 18, 2016
9,310
4,342
0
AZ
Ride
2009 E93 335i

I've added you to view the private section.
 

rly

New Member
Oct 3, 2018
1
1
0
Ride
E60 - 530xi
I might need to update my Combox though as I suspect it's running an older version (C03 instead of C05) so the above servers might be invalid, but I do receive a simple "1.1 Service Unavailable" response. These values are from a 2008 E60 with a retrofitted CIC (C1A) and Combox (from a US 335d E90 that had an active subscription) with all services activated via patched SWTs thanks to intel123's solution on CT. I'll bust out the ICOM tonight and verify that I'm up to date.
The Server is still valid.
You just have to dig some folders "deeper" :D

The URL for CIC is: https://b2v.bmwgroup.de/com/cdplive/cdp/release/vehicle/servlet/start
The URL for NBT is: https://b2v.bmwgroup.de/com/cdpnbtlive/vehicle/nbt/servlet/start

Using another User-Agent even gives you some "more" information.

As this seems to be where the most advanced discussions about this stuff are, I would love to join and contribute to the private section :).
 

doublespaces

Administrator
Oct 18, 2016
9,310
4,342
0
AZ
Ride
2009 E93 335i
Hello, I would like to have access to the private section as I continue? Thank you!

Done, but most of it is public now.

As this seems to be where the most advanced discussions about this stuff are, I would love to join and contribute to the private section :).
Done
 

Deadknight

Lurker
Jul 29, 2017
24
14
0

If you can find the packets or the REST API, writing the server is the easy part. Please share your findings.
 

e90reborn

Lurker
Nov 5, 2018
13
2
0
Ride
BMW 335i E90 2010
Under the BMW General section there is now a new section at the top called BMW Technical. I've given the active users of this thread privileges to view that section, it is not visible to anyone else without explicit permission and is excluded from the sitemap and indexing.

Can you please add me as well?
 

rhodesman

Corporal
Mar 21, 2017
199
120
0
45
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
I'm going to bring this back to life! With the recent release of Ghidra from the NSA, I downloaded it and started to plug it into the code I had extracted from my CIC. So far it has been able to decompile the taco.hbtc file. I will keep working through the others and decompile as I can. I'll start a new GitHub repo with the outputs I get.
 