Anyone thought of building a connected drive server?

sunz

New Member
Dec 3, 2020
Hello,
I'm new to the forum, but I have already read everything on this topic.
Congratulations to everyone. It's interesting to read all the things discovered.

@doublespaces can you please add me to closed thread?

bosolanu

Lurker
Dec 7, 2020
Hi guys, very new here. I'm very interested in this topic as well. I have started a project to create something similar to a CIC but on ARM; however, I recently retrofitted a CIC and discovered all these possibilities, so I've changed my mind now and I'd like to dive in on this. Can I have access to the private topics as well please? @doublespaces
I have experience working with computers and the usual BMW tools.

Woogley

New Member
Jan 4, 2021
Hi, I am new to this forum but have a background in embedded Linux software development, so I am very interested in this topic.
I also have a BMW car with CIC and Combox devices, so I would like to see if I can contribute somehow.

@doublespaces can you please add me to the hidden thread?
Thank you.

pRoxxx

New Member
Feb 9, 2021
Hi guys, I am a lead programmer in a gamedev firm. I know a lot of programming languages like C++/C/C#/Objective-C/Java etc., I also have good knowledge of OpenGL, and some skill in reversing I think. Could you guys add me? I think I can help you.

volaltd

New Member
Feb 21, 2019
Ride
E60 LCI
pRoxxx said:
    Hi guys, I am a lead programmer in a gamedev firm. I know a lot of programming languages like C++/C/C#/Objective-C/Java etc., I also have good knowledge of OpenGL, and some skill in reversing I think. Could you guys add me? I think I can help you.
Hello! Attached is the sh4 console QNX executable from the ComBox which allows entering a password and getting bash shell access. Could you please investigate whether the password depends on the serial number or other ECU data? Use '/HBHK/Access.DAT', '/HBPersistence/hk/Access.DAT', 'Show Passwords' as reference points.

*** ComBox Console ***

Commands
-?- for Help
-x- Exit Menu

Menu List
1 - Login Default
2 - Login Developer
3 - Login Root
4 - Save Access persistently
5 - Clear persistent Access
7 - Show Current Setting
 

Attachments

  • TestMenu.bin
    60.8 KB

volaltd

New Member
Feb 21, 2019
Ride
E60 LCI
Progress is very slow since I have very few resources; I hope to start a free public weather service for CIC via ComBox over Bluetooth in a month or two.
 

Attachments

  • cic_combox_weather.jpg
    150.7 KB

volaltd

New Member
Feb 21, 2019
Ride
E60 LCI
One more very informative datasheet
 

Attachments

  • us-19-Cai-0-Days-And-Mitigations-Roadways-To-Exploit-And-Secure-Connected-BMW-Cars-wp.pdf
    4.4 MB

pRoxxx

New Member
Feb 9, 2021
volaltd said: (post with the ComBox console executable, quoted in full above)
Hello, how did you extract this executable from a combox?
Also, found the instruction set http://www.shared-ptr.com/sh_insns.html.
 

pRoxxx

New Member
Feb 9, 2021
Ok, I got the default login password; it's static. When you request the current password, it gives you the password in the same manner as for dev/root.
(two screenshots attached)

I'm currently "decrypting" password for dev/root:

But I have a problem with the combox: I've connected to it at 57600 baud, the terminal is flooding, and after a minute it shuts down. I've connected the "CAS wakeup pin" but it doesn't help. I need to test the dev/root password, and it will be hard with "trash" in the terminal and a reboot every single minute. @volaltd could you help me with it?

P.S. The password is always 10 letters for all levels.

volaltd

New Member
Feb 21, 2019
Ride
E60 LCI
There is one small problem: each module has its own password set. Almost all MOST ECUs are activated by activity on the optic. Are you using Hex-Rays to decompile?
 

pRoxxx

New Member
Feb 9, 2021
volaltd said:
    There is one small problem: each module has its own password set. Almost all MOST ECUs are activated by activity on the optic. Are you using Hex-Rays to decompile?
Yes, the password depends on the module VIN, BT address, and serial number. Yes, Hex-Rays is used too. You can send me your VIN/BT/serial and I will give you passwords. About MOST, did I understand right that you connect ICOM or another MOST master and work with the combox console?
 

volaltd

New Member
Feb 21, 2019
Ride
E60 LCI
Thanks, I know the passwords for all my modules. ComBox is useless on a bench; I just made it work outside the car with 3 wires :)
 

Omas

New Member
Mar 20, 2021
Hi guys, another newbie here. I was just tinkering with my CIC, trying to make internet work. Nothing fancy like BMW Live, I would just like to display my homepage where I have all the information I need in one place. I have VO coded out the BMW Assist, as I read somewhere that by doing so, Combox would use my phone for internet instead of integrated 2G SIM card. My phone now shows the active bluetooth tethering icon, but the internet still does not show on iDrive. By diagnosing btsnoop_hci.log, I discovered that the car is trying to connect to 160.46.255.1:8080. By googling this IP I found this forum and joined. This is my snoop log:

Code:
Frame 15802: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
Bluetooth
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Bluetooth BNEP Protocol
Internet Protocol Version 4, Src: 192.168.44.206, Dst: 160.46.255.1
Transmission Control Protocol, Src Port: 65534, Dst Port: 8080, Seq: 0, Len: 0
    Source Port: 65534
    Destination Port: 8080
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 444430177
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1011 .... = Header Length: 44 bytes (11)
    Flags: 0x002 (SYN)
    Window: 65535
    [Calculated window size: 65535]
    Checksum: 0xf7eb [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (24 bytes), Maximum segment size, No-Operation (NOP), Window scale, SACK permitted, No-Operation (NOP), No-Operation (NOP), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]

The connection failed after some retransmissions, so I decided to dst-nat it to my server. When the TCP connection was established, the request was as follows (I have mangled the IDs since this is a public forum):

Code:
CONNECT b2v.bmwgroup.de:443 HTTP/1.1
Host: b2v.bmwgroup.de:443
Proxy-Authorization: Basic YjJ2X3N0YW5kYXJkOmIydl9zdGFuZgFyZA==
Proxy-Connection: Keep-Alive
User-Agent: Aetsch3/1043703/02
BMW-Vin: XX71009
BMW-OTA-ID: 20130409-123456
BMW-DAS-ID: 20101102-123456
Accept-Encoding: gzip
Content-Range: bytes 0-10240/*

Looks like 160.46.255.1 is some kind of a proxy, still registered to BMW group, but not operational. It is strange to me that connecting to b2v.bmwgroup.de:443 from my computer is also not possible. At this point I am hoping to receive some clues in this forum and I hope to give something back.
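As an added illustration (not code from Omas's post, BMW, or anyone in this thread), a small parser for a CONNECT request of the shape captured above that reports what an on-path observer, such as the tethering phone or the NATed server, sees before any TLS tunnel exists: the tunnel target, the Proxy-Authorization scheme (Basic is reversible base64, not a secret), and the identifying BMW headers. The sample request and its credential are constructed placeholders, not the values from the capture.

```python
import base64
import binascii

# Constructed sample modelled on the CONNECT request in the post above; the
# Basic credential is a placeholder, not the value from the capture.
PLACEHOLDER_CRED = base64.b64encode(b"example_user:example_pass").decode()
SAMPLE_REQUEST = (
    "CONNECT b2v.bmwgroup.de:443 HTTP/1.1\r\n"
    "Host: b2v.bmwgroup.de:443\r\n"
    f"Proxy-Authorization: Basic {PLACEHOLDER_CRED}\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "User-Agent: Aetsch3/1043703/02\r\n"
    "BMW-Vin: XX71009\r\n"
    "BMW-OTA-ID: 20130409-123456\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

# Headers that identify the car; everything sent before the CONNECT tunnel is
# established travels in the clear over the Bluetooth PAN link and the proxy hop.
IDENTIFYING_HEADERS = ("bmw-vin", "bmw-ota-id", "bmw-das-id", "user-agent")


def parse_connect_request(raw: str) -> dict:
    """Split an HTTP/1.1 CONNECT request into method, target, version and a header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def assess_exposure(req: dict) -> dict:
    """Report what an on-path observer learns from the request before TLS is negotiated."""
    result = {"tunnel_target": req["target"], "auth_scheme": None,
              "username": None, "identifying_headers": []}
    scheme, _, param = req["headers"].get("proxy-authorization", "").partition(" ")
    result["auth_scheme"] = scheme or None
    if scheme.lower() == "basic":
        # Basic is only base64 of "user:password": reversible, so it offers no confidentiality.
        try:
            creds = base64.b64decode(param, validate=True).decode("utf-8")
            result["username"] = creds.partition(":")[0]
        except (binascii.Error, UnicodeDecodeError):
            result["username"] = None  # malformed credential: still visible, just not decodable
    result["identifying_headers"] = [h for h in IDENTIFYING_HEADERS if h in req["headers"]]
    return result
```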

volaltd

New Member
Feb 21, 2019
Ride
E60 LCI
Omas said: (post with the btsnoop log and CONNECT request, quoted in full above)
BMW Live is down; nothing works outside the private cellular network with access via their active eSIM. Also, internet will not work since the whole internet's web servers are already on TLS 1.2 at minimum, but the CIC browser doesn't have that protocol implemented.