Anyone thought of building a connected drive server?

[rhodesman]

I'm having a hell of a time trying to mount this image using the QNX VM's. It definitely doesn't want to boot, either. In QNX, I can mount it but the filesystem shows empty and reports "corrupted".

How about you guys?

I got it!!!

1. First off, you need QEMU https://github.com/psema4/pine/wiki/Installing-QEMU-on-OS-X
2. Second you will want to do this on your system to the cic.img file:
   

   qemu-img convert -p -O vmdk cic.img cicHDD.vmdk

3. Add that new vmdk to your QNX VM as a second drive
4. boot up the QNX VM and you should see all the partitions in the dev folder
5. type:

   mount -t qnx6 /dev/hd2t77 /mnt/cic1

6. Profit! That first partition is a QNX6 file format, NOT QNX4! Still working on the others but I can see all that is on that drive now!!!

 

[Xer0449]

Nice!!!

The thought had crossed my mind to try and convert it, but my initial thought was that I'd create more problems than I'd solve, being how proprietary everything seems thus far.

I was wrong

 

[BLACKHAT]

I'm flying home tomorrow, pumped to get it downloaded and have a look, great work

 

[rhodesman]

# mount -t qnx6 /dev/hd2t77.1 /mnt/cic2
# cd /mnt
# ls
cic1    cic2    nas
# cd cic2
# ls
.            ..           .boot        Gracenote
# mount -t qnx6 /dev/hd2t77.2 /mnt/cic3
# mount -t qnx6 /dev/hd2t77.3 /mnt/cic4
# mount -t qnx6 /dev/hd2t77.4 /mnt/cic5
# mount -t qnx6 /dev/hd2t77.5 /mnt/cic6

Well, looks like QNX6 it is!!!

 

[rhodesman]

Thought this might be helpful for you @Xer0449 & @BLACKHAT

 

[rhodesman]

this might take a while....

 

[rhodesman]

Further Findings: I have successfully copied the entire cic drive contents to a QNX4 drive I added to the QNX VM without any errors. I am now in the process of duplicating that drive over to my NAS and so far I have not seen or had any errors with content being unreadable or skipped. I'm very confident I will have a full rip of the entire CIC drive to something other than QNX in an hour or so!

 

[ATL-IS-N54]

That was my reason for going down this road, thwarting a $1400 "upgrade" plus I wanted to see if I could setup my own connected drive server so that I didn't have to pay the $400/yr to have access to that also.

Opening up the CIC code has potential to opening a LOT of very expensive "upgrades" for next to nothing. From both BMW or 3rd party CIC upgrade vendors.

Yeah I get the idea, totally dig it... i do however think setting up a server of your own would not go well with BMW, and or would require some serious hacking on the car (client) side at a minimum... i wonder if we could
Use a newer LTE connected car, and or a tethered 2G car, somehow get a snapshot of the BMW connected drive servers… if only we had someone on the inside that could capture a disk image and a snapshot of all the network info… LOL… I bet if we offered to pay BMW shit tons of money they would work with you, but lol, na....

After all for every car that can get away without using the LTE network that's $1400 out of their pocket gross, and probably net about $1350 ...

Obviously there is the don't ask don't tell policy but I think they would eventually find out as this would probably blow up in a good way at first and then backfire in a bad way when they find out that thousands of people have modified their BMWs, to skate the $1400 and what not I'm just rambling now though...

I totally dig it though,.. maybe we could look into a cheaper way of upgrading the LTE network ourselves without paying $1400 I think that might be more feasible than creating a whole server a client network "underground"

 

[rhodesman]

Honestly I don't think BMW has anything to stand on here in regards to shutting me down. If anything, the most I see that they can do is void my warranty, and well, my warranty is already expired so no dice with that. The courts have already taken the stance that it's illegal for Phone companies to not allow people to root their phones, how is rooting the car any different?

We've already discovered a couple neat things about the CIC system of which it has ethernet drivers to support some kind of ethernet connection to the world as well as the GSM card connects/communicates to the CIC/IDrive system via a serial connection. Just these two things alone means we have options to adding our own custom network link to the car.

In regards to standing up a custom server, I'm not hacking BMW's servers and surly if someone where to send me a copy of their server drives that would be grounds for prosecution but to reverse engineer and stand up my own server to connect to my car using software I wrote is not stepping on their toes in any way. I don't see that as anything more than creating a competitor to facebook and giving people the choice to which they want to access.

All-in-all, I own my car outright, it's mine, and all mine. BMW is not offering me any support on the car and I'm not attempting to thwart a connection they have to my car. They stopped supporting my car's data connection, they no longer support the software on my car and/or the hardware which makes it up. This is of no concern to them IMO.

 

[Xer0449]

Honestly I don't think BMW has anything to stand on here in regards to shutting me down. If anything, the most I see that they can do is void my warranty, and well, my warranty is already expired so no dice with that. The courts have already taken the stance that it's illegal for Phone companies to not allow people to root their phones, how is rooting the car any different?

We've already discovered a couple neat things about the CIC system of which it has ethernet drivers to support some kind of ethernet connection to the world as well as the GSM card connects/communicates to the CIC/IDrive system via a serial connection. Just these two things alone means we have options to adding our own custom network link to the car.

In regards to standing up a custom server, I'm not hacking BMW's servers and surly if someone where to send me a copy of their server drives that would be grounds for prosecution but to reverse engineer and stand up my own server to connect to my car using software I wrote is not stepping on their toes in any way. I don't see that as anything more than creating a competitor to facebook and giving people the choice to which they want to access.

All-in-all, I own my car outright, it's mine, and all mine. BMW is not offering me any support on the car and I'm not attempting to thwart a connection they have to my car. They stopped supporting my car's data connection, they no longer support the software on my car and/or the hardware which makes it up. This is of no concern to them IMO.

There it is right there. If we provided/sold information to enable a paid service for free, or started going after BMW services/trying to bypass auth or something, then this would be a different conversation. I don't think we're at a high risk of a C&D (famous last words).

 

[doublespaces]

Keep on pushing guys. If those fuckers wanna know who you are, they will have to subpoena the ISP and I'd tell you to delete all your shit before I tell'm

 

[Xer0449]

Keep on pushing guys. If those fuckers wanna know who you are, they will have to subpoena the ISP and I'd tell you to delete all your shit before I tell'm

I don't think we have anything to worry about. Again, there are no laws being broken.

 

[BLACKHAT]

Yeah I get the idea, totally dig it... i do however think setting up a server of your own would not go well with BMW, and or would require some serious hacking on the car (client) side at a minimum... i wonder if we could
Use a newer LTE connected car, and or a tethered 2G car, somehow get a snapshot of the BMW connected drive servers… if only we had someone on the inside that could capture a disk image and a snapshot of all the network info… LOL… I bet if we offered to pay BMW shit tons of money they would work with you, but lol, na....

After all for every car that can get away without using the LTE network that's $1400 out of their pocket gross, and probably net about $1350 ...

Obviously there is the don't ask don't tell policy but I think they would eventually find out as this would probably blow up in a good way at first and then backfire in a bad way when they find out that thousands of people have modified their BMWs, to skate the $1400 and what not I'm just rambling now though...

I totally dig it though,.. maybe we could look into a cheaper way of upgrading the LTE network ourselves without paying $1400 I think that might be more feasible than creating a whole server a client network "underground"

 

[BLACKHAT]

In regards to rolling your own LTE modem, BMW use their own APN on the T-Mobile network, I would assume that there would be security at that layer that filters IMEI devices to their own programmed modems.

Oh and you have companies profiting from cracking the BMW ECU and TCM (MHD/xHP), BMW don't care.

From what I've seen so far i should have no problems getting a third party modem working on the CIC, making it work with the BMW service would be a different story. Someone send me a CIC retrofit!

 

[Xer0449]

This guy seems to sell pretty solid kits: http://www.bimmerretrofit.com/store/

@BLACKHAT do you have previous QNX experience/know-how? Every time I read a doc on it, I realize how far away from *nix it actually is.

 

[BLACKHAT]

This guy seems to sell pretty solid kits: http://www.bimmerretrofit.com/store/

@BLACKHAT do you have previous QNX experience/know-how? Every time I read a doc on it, I realize how far away from *nix it actually is.

A little bit of exposure, I have a few HMI's and a pumping station that run it. Being an RTOS it's majorly different at the kernel level, but that's the fun of it

 

[ATL-IS-N54]

hmmmm

 

[Xer0449]

Something doesn't add up. Wheres /etc, /bin etc... from the disk image?

Could it be stored on flash? Did the CiC try to boot even while the disk was pulled (assuming you tried).

 

[BLACKHAT]

Could it be on a different partition?

 

[Xer0449]

We had the whole disk image, and all 6 partitions...

also, in /etc/mcd.conf looks like like the rules for media scanning/execution. Here's how to automate...whatever

# CD/DVD/USB/HDD Disc Identification rules

############################################
# monitor mount devices

[/dev/cd*]
Callout      = CD_MEDIA_IOBLK
Argument     = 1000,2000
Priority     = 11,10
Start Rule   = MOUNT
Stop Rule    = UNMOUNT

############################################
# monitor pathes

[/mnt/hbmedia/entertainmentserver/]
Callout        = PATH_MEDIA_SCAN
Argument    = 2000
Priority    = 11,10
Start Rule    = INSERTED
Stop Rule    = EJECTED

[/mnt/hbdata/IBA]
Callout        = PATH_MEDIA_SCAN
Argument    = 2000
Priority    = 11,10
Start Rule    = INSERTED
Stop Rule    = EJECTED

[/mnt/hbnavi/update/]
Callout        = PATH_MEDIA_SCAN
Argument    = 2000
Priority    = 11,10
Start Rule    = NAVI_UPDATE_MOUNT
Stop Rule    = NAVI_UPDATE_UNMOUNT

[/fs/cd*]
Callout        = PATH_MEDIA_PROCMGR
Argument    = /proc/mount
Priority    = 11,12
Start Rule    = DVD_OR_CD
Stop Rule    = EJECTED

[/mnt/umass*]
Callout        = PATH_MEDIA_PROCMGR
Argument    = /proc/mount
Priority    = 11,12
Start Rule    = USB_INSERTED
Stop Rule    = EJECTED

[/fs/usb*]
Callout        = PATH_MEDIA_SCAN
Argument    = 2000
Priority    = 11,12
Start Rule    = INSERTED
Stop Rule    = EJECTED

[/fs/ipod*]
Callout     = PATH_MEDIA_PROCMGR
Argument     = /proc/mount
Priority     = 11,12
Start Rule    = INSERTED
Stop Rule    = EJECTED

[/fs/pfs*]
Callout     = PATH_MEDIA_PROCMGR
Argument     = /proc/mount
Priority     = 11,12
Start Rule    = INSERTED
Stop Rule    = EJECTED

[/dev/vdev-mpegts]
Callout             = PATH_MEDIA_SCAN
Argument            = 2000
Priority            = 11,10
Start Rule          = INSERTED
Stop Rule           = EJECTED

############################################
# device mounting rules

[MOUNT]
Callout      = MOUNT_FSYS
Argument     = /etc/fstab
#Match Rule   = DVD_OR_CD

[UNMOUNT]
Callout      = UNMOUNT_FSYS
#Match Rule   = EJECTED

############################################
# USB detection rules
[USB_INSERTED]
Match Rule   =    NAVI_UPDATE_USB_MOUNT

#[USB_EJECTED]
#Match Rule    =    EJECTED

############################################
# DVD/CD detection rules

[DVD_OR_CD]
Callout      =    DVD_OR_CD
Match Rule   =    DVD_AUDIO
Fail Rule    =    CD_AUDIO

[DVD_AUDIO]
Callout      =    FNAME_MATCH
Argument     =    /AUDIO_TS/AUDIO_TS.IFO
Match Rule   =    INSERTED
Fail Rule    =    DVD_VIDEO

[DVD_VIDEO]
Callout      =    FNAME_MATCH
Argument     =    /VIDEO_TS/VIDEO_TS.IFO
Match Rule   =    INSERTED
Fail Rule    =    VIDEO_CD

[CD_AUDIO]
Callout      =    CD_AUDIO
Match Rule   =    INSERTED
Fail Rule    =    VIDEO_CD

[VIDEO_CD]
Callout      =    FNAME_MATCH
Argument     =    /VCD/INFO.VCD,/MPEGAV/AVSEQ01.DAT,/MPEGAV/MUSIC01.DAT
Match Rule   =    INSERTED
Fail Rule    =    SVIDEO_CD

[SVIDEO_CD]
Callout      =    FNAME_MATCH
Argument     =    /SVCD/INFO.SVD,/MPEGAV/AVSEQ01.MPG,/MPEG2/AVSEQ01.MPG
Match Rule   =    INSERTED
Fail Rule    =    SW_UPDATE

############################################
# path/DVD/CD content detection rules
[SW_UPDATE]
Callout      =    FNAME_MATCH
Argument     =    /hbautorun.sh
Fail Rule    =    NAVI_UPDATE

[NAVI_UPDATE]
Callout      =    FNAME_MATCH
Argument     =    /config.nfm
Fail Rule    =    GRACENOTE_DB_UPDATE


[GRACENOTE_DB_UPDATE]
Callout      =    FNAME_MATCH
Argument     =    /Gracenote/ecddb.mdt
Fail Rule    =    MIXED_AV

[MIXED_AV]
#Callout      =    FNAME_PATTERN
#Argument     =    *.MP4,*.mp4,*.MP3,*.mp3,*.WMV,*.wmv,*.WMA,*.wma,*.AAC,*.aac,*.MPG,*.mpg
Match Rule   =    INSERTED

[INSERTED]

[EJECTED]

[AVAILABLE]

[NAVI_UPDATE_MOUNT]
Callout      =    FNAME_MATCH
Argument     =    /config.nfm

[NAVI_UPDATE_UNMOUNT]

[NAVI_UPDATE_USB_MOUNT]
Callout      =    FNAME_MATCH
Argument     =    /config.nfm

[NAVI_UPDATE_USB_UNMOUNT]

Edit: Looks like someone else already figured this out and is trying to make a killing from it: http://dvdinmotion.com/bmw

@BLACKHAT
Would you mind checking out these files in IDA pro?

/etc/system/bmw_l6.ard
/etc/system/bmw_l6.brd
/etc/system/bmw_l6_sse_vr.bsd
/etc/lbt