Anyone thought of building a connected drive server?

rhodesman

Corporal
Mar 21, 2017
199
120
0
45
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
That's OK, we'll get it. You're trying to pull everything down off the CiC and commit it, or just a more in-depth filesystem map?

Ideally I would like to pull off a total backup. At the very least if I F something up, I'll have a backup to restore with. Also, it would make it easier to look through stuff on my local drive than telnet to my car which requires it to be on and connected to the network.
 
  • Like
Reactions: ATL-IS-N54

Xer0449

Corporal
Jan 30, 2017
174
59
0
I'm trying to find an OVA of QNX so maybe we can see what these executables are doing. Sure as hell can't get them to run on OSX.

@rhodesman , FYI:

Code:
 $~/Downloads/bmw/BMW-combox (hix) $     git push --set-upstream origin hix
Username for 'https://github.com':@gmail.com
Password for 'https://@[email protected]':
remote: Permission to rhodesman/BMW-combox.git denied to.
fatal: unable to access 'https://github.com/rhodesman/BMW-combox.git/': The requested URL returned error: 403
 
Last edited:
  • Informative
Reactions: rhodesman

Xer0449

Corporal
Jan 30, 2017
174
59
0
Can you loop it? It's gross, but at least it's automatic. Even if you write a short expect script, it could work (I think).

Looks like someone compiled a binary of rsync for QNX4 here: http://www.openqnx.com/phpbbforum/viewtopic.php?t=5100

methinks you can push it up using that builtin ftp daemon, chmod +x it, then use telnet to symlink wherever it is to /bin/rsync (or try running it by hand to see if it even works, first). Edit: That won't work.

EDIT: Not responsible for your bricked combox! :).
 
Last edited:

rhodesman

Corporal
Mar 21, 2017
199
120
0
45
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Can you loop it? It's gross, but at least it's automatic. Even if you write a short expect script, it could work (I think).
...
Edit: That won't work.

EDIT: Not responsible for your bricked combox! :).

LOL, I was actually thinking of another approach: since I can FTP & telnet into the cic-qnx system AND I was successful in adding my car to my home network, could I script up a loop using the output from { find / } parsed into something like JSON on a more modern (updated) system and just send one of my servers to town on my car over the network. I can plug my car's battery into a charger thus into the wall so power won't be a problem. If I leave it to it over night, that in theory should grab a 100% copy of the cic system.

Thoughts?
 

rhodesman

Corporal
Mar 21, 2017
199
120
0
45
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
More data pushed to Git, and it's a bit one! about 1.1 GB of data off the HDD! I hope it's not all the map data, I was trying to avoid that because I don't need 14GB of map data backed up when I can get all future maps for free anyways ;)
 

rhodesman

Corporal
Mar 21, 2017
199
120
0
45
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Now I'm getting somewhere. Looking at config files in
Code:
/net/front/etc/
is showing some potential points to edit and "mod" to our liking.

Interesting settings I found in mme.conf:

I think.... I think I have FOUND the files used to connect to BMW connected drive! In the folder
Code:
/net/front/etc/ppp/
are a bunch of XML files starting with "cert.xml". Looking inside cert.xml I see a TON of SSL keys for various vendors and from several SSL authentication authorities. Also, some interesting SSL Cert valid dates, some going to 2032 while others expired back in 2011 (my car is a 2010 model year). But, BUT, looking at the xml files named DAR_#.xml (where # is a number sequence starting at 0) you can see isdn, proxy IP, port used, login info for that proxy, etc. etc.

NOTE: I had these files up on the git repo but removed them because of the sensitive nature of the data. All with the username, passwords and ip addresses of BMW's servers, I felt it was not right to have those up for public view. But now you know where you can find your own xml setting files! ;)
 
Last edited:

Xer0449

Corporal
Jan 30, 2017
174
59
0
Watching your commits...

check out /proc/boot/.script :p
 

Attachments

  • Screen Shot 2017-04-21 at 9.15.47 AM.png
    Screen Shot 2017-04-21 at 9.15.47 AM.png
    204.9 KB · Views: 479

Xer0449

Corporal
Jan 30, 2017
174
59
0
Looking at /net/front/etc/inetd.conf, it looks like you may be able to start sshd.

Also in that file :)

Code:
# Systat and netstat give out user information which man be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#systat    stream    tcp    nowait    root    /bin/ps        ps -auwwx
#netstat    stream    tcp    nowait    root    /usr/bin/netstat    netstat -f inet

hehe
 

ATL-IS-N54

Sergeant
Nov 20, 2016
261
61
0
ATL ga
It's because the older cars run on a 2G network (which I never knew existed i.e. GPRS, 3G, 4G, LTE. Etc., that has been cut off in some places... (coming soon to a car near you!)
there is an option tho, you can buy the 4G upgrade kit for the older BMWs... it's like 1400$ tho
 

rhodesman

Corporal
Mar 21, 2017
199
120
0
45
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
It's because the older cars run on a 2G network (which I never knew existed i.e. GPRS, 3G, 4G, LTE. Etc., that has been cut off in some places... (coming soon to a car near you!)
there is an option tho, you can buy the 4G upgrade kit for the older BMWs... it's like 1400$ tho
That was my reason for going down this road, thwarting a $1400 "upgrade" plus I wanted to see if I could setup my own connected drive server so that I didn't have to pay the $400/yr to have access to that also.

Opening up the CIC code has potential to opening a LOT of very expensive "upgrades" for next to nothing. From both BMW or 3rd party CIC upgrade vendors.
 

BLACKHAT

Lurker
Mar 4, 2017
17
9
0
Ride
335
Hey Guys,

New here (Aussie). Only running CCC but will see how I can help with reversing or coding, Has anyone got a detailed picture of the inside of the actually box? from that we'll be able to figure out the architecture to de-compile some of the binaries. Maybe then i can spin this up in a VM or some dev hardware to poke and prod. Be handy to know the gsm module they are using too.

I think.... I think I have FOUND the files used to connect to BMW connected drive! In the folder
Code:
/net/front/etc/ppp/
are a bunch of XML files starting with "cert.xml". Looking inside cert.xml I see a TON of SSL keys for various vendors and from several SSL authentication authorities. Also, some interesting SSL Cert valid dates, some going to 2032 while others expired back in 2011 (my car is a 2010 model year). But, BUT, looking at the xml files named DAR_#.xml (where # is a number sequence starting at 0) you can see isdn, proxy IP, port used, login info for that proxy, etc. etc.

NOTE: I had these files up on the git repo but removed them because of the sensitive nature of the data. All with the username, passwords and ip addresses of BMW's servers, I felt it was not right to have those up for public view. But now you know where you can find your own xml setting files! ;)

Found another instance of them @ CIC-hdd/EFS_RO/etc/ppp ;) If anyone has the balls to edit these configs, i can open up a TCP Dump on a live server so we can capture the traffic/handshakes etc...
 

BLACKHAT

Lurker
Mar 4, 2017
17
9
0
Ride
335
So there is a VMware demo of QNX RTOS, runs fine in VM Workstations 12. This is helpful for figuring out what commands we have available to us.

Found it includes dd which will be helpful to grab a full block for block image of the storage and attempt to emulate it in VM however we would need a device to write it too, when adding a USB drive to the system, does it appear when running the "df" command? Compare output to running the command without the drive attached, I'm hoping it auto mounts.

Also with the hardware having a USB host, we can possibly install a usb 3g/lte modem and then use that for internet access.

Here's a thought, since this nix based, we have access to the OS and therefore all the I/O devices on the hardware, wouldn't it be easier to write a script that runs in the background and talks to a server? Providing we can get another internet connection method, this would be a walk in the park and wouldn't require touching/reversing the BMW codebase. I would assume we would have access to the CANBUS, ODB etc too.

If the netstat command returns port 8000 you should be able to connect to it with the QNX dev tools for further understanding of how it all ties together.

I'm thinking it's time to bite the bullet on a CIC retrofit to go any further.

Any chance you could run the following commands via telnet please?
df -h
netstat
ifconfig
ls /dev

qnx.PNG

Looking at /net/front/etc/inetd.conf, it looks like you may be able to start sshd.

Also in that file :)

Code:
# Systat and netstat give out user information which man be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#systat    stream    tcp    nowait    root    /bin/ps        ps -auwwx
#netstat    stream    tcp    nowait    root    /usr/bin/netstat    netstat -f inet

hehe

It's documented on how to do this :) This is actually a powerful OS the more i play with it, there is even a VNC wrapper available.