Anyone thought of building a connected drive server?

BLACKHAT

Lurker
Mar 4, 2017
17
9
0
Ride
335
Has anyone managed to find the Software Development IDE? QNX are making me jump through hoops to get the eval version. (Scratch that) http://fusion.qnx.com/8/21188/qnxsd...4647&ending=qnxsdp-6.5.0-201007091524-dvd.iso

Alsoooo, we need to figure out which architecture the CIC uses. Google says that NBT is using x86, which also uses QNX.

@BLACKHAT
Would you mind checking out these files in IDA pro?

/etc/system/bmw_l6.ard
/etc/system/bmw_l6.brd
/etc/system/bmw_l6_sse_vr.bsd
/etc/lbt

I had a look at this before, it's definitely an application made for the BMW; the company that made it does speech recognition etc. I'd say this is the main app. I'm trying to get this running. IDA didn't show too much, but then again, I didn't spend too much time on it.
 

rhodesman

Corporal
Mar 21, 2017
186
78
0
44
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Have you looked into the QT OS? https://www.qt.io/qt-automotive-suite/ I can't remember how I found myself on their site, but it was through a couple of files on the HDD that referenced "QT", and doing some Google searching I found that website. It looks like they are some kind of partner with QNX, or at least in bed with them to some extent. I couldn't get a copy of their OS yet and it looks like it's going to cost some $$$ to get it. I downloaded the QT-unified-x64 development suite for free claiming I was a student. I'm wondering if maybe that's running on a flash drive inside the CIC system? I need to plug my car back in and do some more testing, been too busy the past week to even think about my car. :(

On another note: I activated the service menu on my iDrive on my way to work and grabbed this image from the BMW Assist/Connected Drive Service Status screen:


Interesting notes here are that my CIC still shows itself as "registered" with BMW (I can confirm that I did pay for BMW Assist back when it was active and had the iOS app connected to my car, both of which no longer work for my car as of now). Furthermore, the signal strength NEVER went above 30/100. I have a personal T-Mobile account, so when cross-checking that signal with my iPhone's I saw my iPhone at 5 bars of LTE and the BMW never getting above 30/100 on EDGE. So maybe there is some validity to BMW cutting off the 2G modems. But that doesn't mean we can't hack in our own serial->LTE modem; all we need to know is the serial pin configuration and what type of communication/driver the CIC is using. ;)
 

Xer0449

Corporal
Jan 30, 2017
174
59
0
Yeah, there's a filesystem we're not getting even with the full 80g disk image. It seems like the OS is running elsewhere and it just mounted the HDD shortly after boot.
 

rhodesman

Hold tight, I found the OS and am pulling it down to my USB in the car. Looking through a bunch of files via the QT development app I was able to read files I couldn't before, and it clued me into the missing files. I may be able to replicate the iDrive in a VM... not 100% sure, but I understand the OS structure better than before.

I'm not giving up hope, not yet!!! :p
 

Xer0449

awwyeah! I want to see this thing boot. Let me know what you've come across!

Also, I think I saw a few .xml files that specified IMEIs - could it be that easy?
Were you able to isolate your home network and see if the car was able to ping out?
 

rhodesman

I'm fairly certain /dev/eeprom/ is to some extent the code/build for the CIC. I'm having a hell of a time copying it off the CIC drive, but the way things are named just looks like the structure of a built application.

check out these files:
 

Attachment: eeprom.txt (27.6 KB)

rhodesman

@Xer0449 & @BLACKHAT, do you guys have any cp magic that can grab the eeprom folder or any other folder that normal cp can't grab?
I have been using
Code:
cp -rvpt
but it's not helping in grabbing the eeprom folder contents. Some googling has alluded to possible differences in the partition file structure (QNX drive vs. FAT32 USB stick), but I'm still at a loss as to how to get the files off. Would it make sense to format the USB stick in a QNX format or maybe EXT? I might try those, but I'm open to other suggestions.

Also, I found in the /usr/bin folder a function called "sync"; would this be something similar to "rsync"?
 

rhodesman

Morning update: This is where I'm stuck:

SCP does not work inside the BMW CIC QNX/QT system (it's in the /usr/bin/ folder, but calling it up just returns a "not found" error) and rsync just flat out doesn't exist inside the CIC. cp is pretty much the ONLY option for copying anything. I was trying to set up a network drive from the QNX VM (which does have those functions installed and working) to the BMW CIC system via telnet, but I've only ever done that via SSH, and telnet is kind of before my time, so I can't get it to work (and I don't think it's actually possible for telnet).

I know there are a TON of symlinks and a LOT of the OS is loaded into RAM. There actually is this idea in QNX called the RAM disk which, unlike other conventional OSs, mounts an actual disk that is a partitioned section of the RAM and loads a lot of the OS functions up in there as symlinks for the OS to use (it's in the /mnt dir).

So I'm stuck: I can see the OS and I can copy BITS of the OS to my USB drive in the glove box, but trying to copy the OS system as a whole via telnet or FTP has eluded me thus far. I know that BMW can update the CIC software and can do it via this eNet-OBD combox connection which apparently connects to the CIC via network + fiber!? The unit costs ~$500 and I'm considering buying it, but that's a lot of money to throw at a hunch, especially if it requires a certain computer setup and coding software/build code that I do not possess.
 

Xer0449

I was digging through some stuff, and I think this is how the BMW-specific application is loaded into memory and run.

Code:
./mnt/EFS_RO/startl6sss.sh
#!/bin/ksh

cp /etc/bmw_l6_sse_vr.bsd /dev/shmem/bmw_l6_sse_vr.bsd
qkcp /etc/bmw_l6.ard /dev/shmem
qkcp /etc/bmw_l6.brd /dev/shmem

if [[ -e /dev/shmem/lang.txt ]]; then
   cat /etc/default.cfg /dev/shmem/lang.txt > /dev/shmem/default.cfg
   /usr/bin/scp -f /dev/shmem/default.cfg -s sss_config -c HostAgent AliveService MonitorService SpellmatcherService SCFService AudioMatrixService RecognitionService PrompterService SAIPService SAOPService RmssService TNService -k VerboseLevel=2 >/dev/null &
else
   /usr/bin/scp -f /etc/default.cfg -s sss_config -c HostAgent AliveService MonitorService SpellmatcherService SCFService AudioMatrixService RecognitionService PrompterService SAIPService SAOPService RmssService TNService -k VerboseLevel=2 >/dev/null &
fi
exit 0

Googling around the 'qkcp' command only landed me to this interesting hit:


Looks like someone else had the same idea as us, or at least is interested in ripping it apart. It's an invite-only board, and I've reached out asking for an invitation.

Side note: A bunch of the files that were unable to be copied are actually hardware devices.
For instance, if I had to guess - these would be speakers:

Code:
./dev/snd/pcmC0D0c
./dev/snd/pcmC0D0p
./dev/snd/pcmC0D1p
./dev/snd/pcmC0D2p
./dev/snd/pcmC0D3p
./dev/snd/pcmC0D4p

I bet you could get your speakers to squeal if you cat some_arbitrary_file > /dev/snd/pcmC0D0c (or one of the others?)

I agree with the idea of formatting your USB stick to the QNX FS.
 

Xer0449

Oops. I was wrong :)

"sss" = Speech Service System

/etc/default.cfg
Code:
#CFG V1.0 UTF-8;
# -----------------------------------------------------------------------------
#
# COMPANY            : Harman/Becker Automotive Systems GmbH Ulm
# SYSTEM             : Speech Service System (SSS)
# PROJECT            : BMW L6
# PLATFORM           : SH4/QNX
cont...
 

rhodesman

Okay, I will try this tonight, BUT I think this is the problem I've been having. You need to run one of these commands to edit/copy the CIC OS:
Code:
mount -uw /mnt/EFS_RO

mount -o remount rw /mnt/EFS_RO

;)
 

rhodesman

---- EDITED ----

I removed the document for concerns of proprietary & confidential company documentation.

PM me if you are interested in getting a copy.
 

rhodesman

This is what happens when I try to run tcpdump in the CIC:
Code:
target:/mnt/hbuser/tmp> /mnt/hbuser/tmp/tcpdump -s 0 -w /mnt/umass20100t12/bmw.pcap
/mnt/hbuser/tmp/tcpdump[1]: ELFh4?2: not found
/mnt/hbuser/tmp/tcpdump[2]: syntax error: `(' unexpected
target:/mnt/hbuser/tmp>
 

BLACKHAT

Sorry guys, quite a hectic week.

I'm back on deck and I also have the 6.3.2 VM and Development IDE. Let me get up to speed, seems like I've missed out on heaps...

I'd say tcpdump errors because it's not compiled for the version of QNX that BMW are running.
 
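As an added example (not code from the thread or from BMW/QNX), here is a quick ELF-header check to run on a binary before copying it onto the unit. It assumes the "PLATFORM: SH4/QNX" line in the default.cfg posted above describes the CIC's CPU; the "ELFh4?2: not found" output is what a shell prints when the kernel refuses to exec a binary built for another CPU and the shell then tries to run the file as a script.

```python
"""Check an executable's ELF target CPU before copying it to the QNX head unit.
Added example; the sample headers below are constructed, not taken from the CIC."""
import struct

# e_machine values from the ELF specification (subset).
EM_NAMES = {3: "x86", 20: "PowerPC", 40: "ARM", 42: "SuperH (SH4)", 62: "x86-64"}

def elf_arch(data: bytes) -> dict:
    """Return class/endianness/machine of an ELF image, or why it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return {"is_elf": False, "reason": "no ELF magic; a shell would treat it as a script"}
    ei_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
    endian = {1: "<", 2: ">"}.get(data[5])  # EI_DATA selects byte order of later fields
    if endian is None:
        return {"is_elf": False, "reason": "bad EI_DATA byte"}
    (e_machine,) = struct.unpack(endian + "H", data[18:20])  # e_machine sits at offset 18
    return {"is_elf": True, "class": ei_class,
            "endian": "little" if endian == "<" else "big",
            "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})")}

def runs_on_sh4_qnx(data: bytes) -> bool:
    """True only for a 32-bit SuperH ELF, the assumed CIC target."""
    info = elf_arch(data)
    return info["is_elf"] and info["class"] == "ELF32" and info["machine"] == "SuperH (SH4)"

def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed sample: a minimal ELF header prefix holding only the fields we read."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9  # 16-byte e_ident
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, e_machine

# Constructed inputs: a desktop x86 build, an SH4 build, and a ksh script.
X86_BIN = make_header(1, 1, 3)
SH4_BIN = make_header(1, 1, 42)
SCRIPT = b"#!/bin/ksh\ncp /etc/bmw_l6_sse_vr.bsd /dev/shmem/\n"

if __name__ == "__main__":
    for name, blob in [("tcpdump-x86", X86_BIN), ("tcpdump-sh4", SH4_BIN), ("startl6sss.sh", SCRIPT)]:
        print(name, elf_arch(blob), "ok for CIC" if runs_on_sh4_qnx(blob) else "will not load")
```

On a real file, pass `open(path, "rb").read(20)` to `elf_arch`; a binary that reports x86 or x86-64 will produce exactly the "not found" / "syntax error" pair seen in the post above.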

rhodesman

NICE FIND!!!!

Also, for you and @Xer0449: I have successfully imaged the flash storage off the CIC. It took a bit of sleuthing and a TON of reading over at bmwcoding, but:
Code:
cp -V /dev/fs0 /mnt/umass20100t12/fs0_dump.img
So for you guys, if you want to head on back onto my FTP server, you will find coding/cic-dump/cp-net/10.0.10.210/mnt/umass20100t12/ a very interesting folder.
;)

Also, reading through the BMWC forum I found where someone explained that using an FTP client like FileZilla will not produce good copies, BUT using the command line from a Linux distro you can wget -r ftp://root:pass@yourcar//whatever folder you want fairly easily. :D
 

rhodesman

Just an FYI, I just checked BMW-connecteddrive.com and my car shows up as "activated", but there are no services listed that it can use. Not sure if this gets us anywhere, but at least I'll keep it "active" until we find a way to divert those communications.