We are in the process of cleaning up the threads and making them public in the BMW Development subsection to attract new contributors, however I've also granted you access.
Anyone thought of building a connected drive server?
- Thread starter rhodesman
- Start date
-
- Tags
- combox connected drive data hack
Hey! I just found this forum while looking for that copie_scr.sh code execution method, and you guys are doing a great job with the CIC!
I retrofitted a CIC in my car quite a while ago. I investigated a little bit, but I didn't do much more appart from dumping the flash and extracting the contents.
I'm probably late to the party, as the previous posts here regarding the flash filesystem are from almost a year ago. Anyways, I didn't find here how to mount a CIC flash dump and, as it might be helpful for someone, I find it fair to post it here.
Edit: I pressed the wrong button and posted this before writing how to actually mount the flash dump. You'll just need a QNX VM (or a computer with QNX). It's pretty trivial.
I think I'm going to hang around this forum so I can learn from you, and maybe even help
I retrofitted a CIC in my car quite a while ago. I investigated a little bit, but I didn't do much more appart from dumping the flash and extracting the contents.
I'm probably late to the party, as the previous posts here regarding the flash filesystem are from almost a year ago. Anyways, I didn't find here how to mount a CIC flash dump and, as it might be helpful for someone, I find it fair to post it here.
Edit: I pressed the wrong button and posted this before writing how to actually mount the flash dump. You'll just need a QNX VM (or a computer with QNX). It's pretty trivial.
Code:
First of all, we create a virtual flash device
#devf-ram -vvv -s0,128M,,,256k
And format it (Not sure if this is mandatory)
#flashctl -p /dev/fs0 -ev
We copy our dump over the newly created virtual fs (in this case, fs0)
#cp -V <flash_dump_file> /dev/fs0
Only thing left to do is mount our virtual device and start exploring its partitions and contents.
#mountI think I'm going to hang around this forum so I can learn from you, and maybe even help
Last edited:
I think I'm going to hang around this forum so I can learn from you, and maybe even help
Welcome! The more the merrier!
Done.
I'm about to just open up everything in that thread because development has stalled.
Whoa, looks like I'm late to the party. Two days ago, I had this crazy idea to run my own ConnectedDrive server. I'm glad I'm not the only one.
In case it wasn't already mentioned (I'm still processing this thread in its entirety, I'm really excited!) the Combox update (UPD01008.bin) contains compressed SQL scripts which need to be deflated via QNX's deflate binary. You can tell by the first few characters in the file: iwlyfmbp
I've been monitoring the IP traffic between the Combox and my Nexus 6P to see where BMW ConnectedDrive routes through for authorization when tethered through Bluetooth. After running bluetooth_hci.log through Wireshark, I've nailed it down to a curl request:
I might need to update my Combox though as I suspect it's running an older version (C03 instead of C05) so the above servers might be invalid, but I do receive a simple "1.1 Service Unavailable" response. These values are from an 2008 E60 with a retrofitted CIC (C1A) and Combox (from a US 335d E90 that had an active subscription) with all services activated via patched SWTs thanks to intel123's solution on CT. I'll bust out the ICOM tonight and verify that I'm up to date.
My next step is to MITM and attempt to sslstrip the traffic in hopes of decoding the encrypted data. I've setup my older Nexus 10 with Nethunter for this purpose. One of my ideas was to replace the CD API server URLs and certificates with my own and basically return a "Authorization OK" response. Afterwards, implementing the API is the fun part. I'm going to take a look at the /net/front/etc/ppp/ on my CIC tonight.
Oh, there's also decompiling the classic Android APK... but I digress.
Is the Github repo still available by any chance? Please add me in! (@sarog) And what about that "other" thread?
In case it wasn't already mentioned (I'm still processing this thread in its entirety, I'm really excited!) the Combox update (UPD01008.bin) contains compressed SQL scripts which need to be deflated via QNX's deflate binary. You can tell by the first few characters in the file: iwlyfmbp
I've been monitoring the IP traffic between the Combox and my Nexus 6P to see where BMW ConnectedDrive routes through for authorization when tethered through Bluetooth. After running bluetooth_hci.log through Wireshark, I've nailed it down to a curl request:
Code:
curl -X CONNECT --proxy-user b2v_standard:b2v_standard --proxy 160.46.255.1:8080 \
--proxy-header 'Host: b2v.bmwgroup.de' \
--proxy-header 'Accept-Encoding: gzip' \
--proxy-header 'Accept: */*' \
--proxy-header 'BMW-OTA-ID: 20150327-104300' \
--proxy-header 'BMW-Vin: AB12345' \
--proxy-header 'Content-Range: bytes 0-10240/*' \
--proxy-header 'Proxy-Connection: Keep-Alive' \
--proxy-header 'User-Agent: Aetsch3/104040c/02' \
https://b2v.bmwgroup.de:443 --insecureI might need to update my Combox though as I suspect it's running an older version (C03 instead of C05) so the above servers might be invalid, but I do receive a simple "1.1 Service Unavailable" response. These values are from an 2008 E60 with a retrofitted CIC (C1A) and Combox (from a US 335d E90 that had an active subscription) with all services activated via patched SWTs thanks to intel123's solution on CT. I'll bust out the ICOM tonight and verify that I'm up to date.
My next step is to MITM and attempt to sslstrip the traffic in hopes of decoding the encrypted data. I've setup my older Nexus 10 with Nethunter for this purpose.
One of my ideas was to replace the CD API server URLs and certificates with my own and basically return a "Authorization OK" response. Afterwards, implementing the API is the fun part. I'm going to take a look at the /net/front/etc/ppp/ on my CIC tonight.Oh, there's also decompiling the classic Android APK... but I digress.
Is the Github repo still available by any chance? Please add me in! (@sarog) And what about that "other" thread?
Whoa, looks like I'm late to the party. Two days ago, I had this crazy idea to run my own ConnectedDrive server. I'm glad I'm not the only one.
In case it wasn't already mentioned (I'm still processing this thread in its entirety, I'm really excited!) the Combox update (UPD01008.bin) contains compressed SQL scripts which need to be deflated via QNX's deflate binary. You can tell by the first few characters in the file: iwlyfmbp
I've been monitoring the IP traffic between the Combox and my Nexus 6P to see where BMW ConnectedDrive routes through for authorization when tethered through Bluetooth. After running bluetooth_hci.log through Wireshark, I've nailed it down to a curl request:
Code:curl -X CONNECT --proxy-user b2v_standard:b2v_standard --proxy 160.46.255.1:8080 \ --proxy-header 'Host: b2v.bmwgroup.de' \ --proxy-header 'Accept-Encoding: gzip' \ --proxy-header 'Accept: */*' \ --proxy-header 'BMW-OTA-ID: 20150327-104300' \ --proxy-header 'BMW-Vin: AB12345' \ --proxy-header 'Content-Range: bytes 0-10240/*' \ --proxy-header 'Proxy-Connection: Keep-Alive' \ --proxy-header 'User-Agent: Aetsch3/104040c/02' \ https://b2v.bmwgroup.de:443 --insecure
I might need to update my Combox though as I suspect it's running an older version (C03 instead of C05) so the above servers might be invalid, but I do receive a simple "1.1 Service Unavailable" response. These values are from an 2008 E60 with a retrofitted CIC (C1A) and Combox (from a US 335d E90 that had an active subscription) with all services activated via patched SWTs thanks to intel123's solution on CT. I'll bust out the ICOM tonight and verify that I'm up to date.
My next step is to MITM and attempt to sslstrip the traffic in hopes of decoding the encrypted data. I've setup my older Nexus 10 with Nethunter for this purpose.
Oh, there's also decompiling the classic Android APK... but I digress.
Is the Github repo still available by any chance? Please add me in! (@sarog) And what about that "other" thread?
I've added you to view the private section.
The Server is still valid.
You just have to dig some folders "deeper"
The URL for CIC is: https://b2v.bmwgroup.de/com/cdplive/cdp/release/vehicle/servlet/start
The URL for NBT is: https://b2v.bmwgroup.de/com/cdpnbtlive/vehicle/nbt/servlet/start
Using another User-Agent even gives you some "more" informations.
As here seems to be the most advanced discussions about this stuff, i would love to join and contribute the private section
.
Done, but most of it is public now.
DoneThe Server is still valid.
You just have to dig some folders "deeper"
The URL for CIC is: https://b2v.bmwgroup.de/com/cdplive/cdp/release/vehicle/servlet/start
The URL for NBT is: https://b2v.bmwgroup.de/com/cdpnbtlive/vehicle/nbt/servlet/start
Using another User-Agent even gives you some "more" informations.
As here seems to be the most advanced discussions about this stuff, i would love to join and contribute the private section
The Server is still valid.
You just have to dig some folders "deeper"
The URL for CIC is: https://b2v.bmwgroup.de/com/cdplive/cdp/release/vehicle/servlet/start
The URL for NBT is: https://b2v.bmwgroup.de/com/cdpnbtlive/vehicle/nbt/servlet/start
Using another User-Agent even gives you some "more" informations.
As here seems to be the most advanced discussions about this stuff, i would love to join and contribute the private section
If you can find packets or rest api, writing server is the easy part. Please share your findings.
Blackarrow335i
Specialist
I'm going to bring this back to life! With the recent release of Ghidra from the NSA, I downloaded it and started to plug it into the code I had extracted from my CIC. So far it has been able to decompile the taco.hbtc file. I will keep working through the others and decompile as I can. I'll start a new Github repo with the outputs I get.
Similar threads
