Anyone thought of building a connected drive server?

doublespaces

Administrator
Oct 18, 2016
9,303
4,331
0
AZ
Ride
2009 E93 335i
Well my option 2 in my previous post would be that sub $200 mark. My deal is to do the R&D, then post a DIY How-To and link any code to GitHub with free access to anyone who wants it. I'm not in it for the money, I just want my car to connect the way it was intended. ;)

I contacted a couple ComBox Retrofit "vendors" and I just cannot fathom why I would want to spend more than $200 (let alone a few THOUSAND!) just to have my car talk to the internet again. Also considering I have SiriusXM for life, swapping out my ComBox would take away that option without paying even more to get it back. So all in all, I'm looking for the most low-cost option here that would allow me to continue to have my car as it is now with the added option to ping it for status, location, and remotely control some features like I used to have.

At least, that's my goal.

Well I might add, that people want to eat their cake too, it would need to be a fairly plug and play ordeal, else wise this is a fairly niche modification. If it was easy then I could see a lot of people using a global server of some kind. There is nothing wrong with that, but the more people the better :)

So, for clarity, the "ComBox" is just some communication box which enables newer media features, right? I think I've seen some people retrofit that before. Too bad my car is an 09 and not a 10.... Is this the only way to get sat radio also?
 

rhodesman

Corporal
Mar 21, 2017
186
78
0
44
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Well I might add, that people want to eat their cake too, it would need to be a fairly plug and play ordeal, else wise this is a fairly niche modification. If it was easy then I could see a lot of people using a global server of some kind. There is nothing wrong with that, but the more people the better :)
...

Well I mean this is meant for someone to stand up their own "BMW Assists" server and connect their car to that so I mean, the effort at hand already assumes a certain level of DIY know-how to even go this route. If you want a true plug and play option, you can always buy one of the aftermarket retrofit kits. This project is intended to circumvent that by "retrofitting" your current combox setup with 3rd party hardware and customizing a communications avenue that would suit you.

I get your point and if I was going to set up a business to sell some sort of "kit" then I would totally make it as user friendly as possible. However, as of now I'm just seeking to try and get something to work for me personally because I like challenges and cool projects (along with a totally connected car) and maybe as a byproduct of that others will be able to build on what I start to suit their needs.
 

doublespaces

Well I mean this is meant for someone to stand up their own "BMW Assists" server and connect their car to that so I mean, the effort at hand already assumes a certain level of DIY know-how to even go this route. If you want a true plug and play option, you can always buy one of the aftermarket retrofit kits. This project is intended to circumvent that by "retrofitting" your current combox setup with 3rd party hardware and customizing a communications avenue that would suit you.

I get your point and if I was going to set up a business to sell some sort of "kit" then I would totally make it as user friendly as possible. However, as of now I'm just seeking to try and get something to work for me personally because I like challenges and cool projects (along with a totally connected car) and maybe as a byproduct of that others will be able to build on what I start to suit their needs.

Makes complete sense, I can't help but embrace my big picture thinking, it gets the best of me sometimes.

On another note, I noticed that the combox with telematics are stupid cheap. Will the media only comboxes do this connected drive stuff also?
 

Xer0449

Corporal
Jan 30, 2017
174
59
0
Looking at some images of combox circuit boards online and I'm wondering if it's possible to just swap out the GSM modem card for something else or even have a Raspberry Pi intercept the serial data going to the card and direct it over its own 3G/LTE data connection.

My two directions of penetration/takeover (in my mind) consist of two approaches:
1: have the RaspPi act as a mini-cell-tower/MITM hack that routes the Combox's Edge cell connection through itself and out to a 3G/LTE connection of your choice. This option HAS all the hardware easily accessible online to do this but it comes at a price. The hardware (that I found) to act as the "cell tower" goes for about $400-$450 (US) online plus you would need a RaspPi3 and then attach another cell card of the 3G/LTE flavor to send the data back out routed to your system. This is the simplest as 99.9% of this would just involve some very easy to set up server routing software but comes at a high price.

This is how I was thinking of going about it, but LTE/3G/EDGE isn't something I usually dabble in when it comes to hardware. Do you have anything readily available? I don't even need it to actually connect once it starts talking to the rPi - I just want to see a tcpdump :)
 

rhodesman

... On another note, I noticed that the combox with telematics are stupid cheap. Will the media only comboxes do this connected drive stuff also?

Funny you mention that, that's the step I'm trying to figure out. I have a CIC iDrive system (pre-NBT) and I'm trying to figure out what the proper device is that you would need to crack open. I would assume if you had or have connected drive already set up then I guess it doesn't matter. However now knowing that GPS, SiriusXM, Bluetooth and a bunch of other things are all tied to the damn thing, I don't want to get the wrong "test" unit and F-up my whole car.

My Option 1 route might be the best way to at least "test" the data being communicated, it just sucks that the hardware for that is so much more than I wanted to pay for. Then again, it's test equipment, and I mean who wouldn't want a mini-cell tower in their car. .___.
 

Xer0449

From the whitepaper:

"CASE STUDY

In terms of USB updates, we were able to download the binary that they provide. Surprisingly, this is a TAR file containing several files. Given that only a valid VIN is required to obtain this update (searching videos on YouTube there is no problem finding one), it would not be difficult for an attacker to obtain the file. We found several signed RPM files within the update that contained the Combox software update. Analysing these files showed they were for Linux 32. In these files we quickly found the binaries that will be copied to the Combox. They are not encrypted, so they provide a lot of internal information about the system and open the door to reverse engineering them in order to install what we want in the vehicle. Examples of code found inside the update:

select * from (select sfid from library as l inner join (select * from w_dblAlbumTracksView as a order by a._rowid_ desc) as atv on atv.sFid=fid group by l.album_id order by atv._rowid_ desc) EXCEPT select sfid from mdi_image_cache as mic inner join library as l on mic.fid = l.fid and profile_index != -1 inner join w_dblAlbumTracksView as atv on atv.sFid = l.fid

There are also the configuration files, including comments from the developers:"

Once we're sure, this leads me to believe that we'll be able to change the destination address(es) with a modified updater, removing the need for an in-car DNS server or something of the sort.
 

Xer0449

I had a few minutes so I popped my VIN into the update portal and pulled down the update bin. It came as a single "UPD01008.bin", however they're just .tar's. Attached original + exploded dirs.

Lots of fun stuff in here :)

Code:
@~/Downloads/UPD01008 $ find .
.
./SWIP_00000B97_003_005_008.xml
./SWUP_00000B98_002_006_006
./SWUP_00000B98_002_006_006/.DS_Store
./SWUP_00000B98_002_006_006/beschreibungstabelle.sgbm
./SWUP_00000B98_002_006_006/Phone-2.6.6
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe/libbssservice.so
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe/libdmlservice.so
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe/libdsiservice.so
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe/libmediaservice.so
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe/libphoneservice.so
./SWUP_00000B98_002_006_006/Phone-2.6.6/HBPhone/exe/libpimservice.so
./SWUP_00000B98_002_006_006/Phone-2.6.6/MANIFEST
./SWUP_00000B98_002_006_006/Phone-2.6.6.tar
./SWUP_00000B98_002_006_006.bin
./SWUP_00000B98_003_005_008
./SWUP_00000B98_003_005_008/.DS_Store
./SWUP_00000B98_003_005_008/beschreibungstabelle.sgbm
./SWUP_00000B98_003_005_008/Phone-3.5.8
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libbssservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libdataservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libdmlservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libmediaservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libpdiparser.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libphoneservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libpimservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/HBPhone/exe/libsimservice.so
./SWUP_00000B98_003_005_008/Phone-3.5.8/MANIFEST
./SWUP_00000B98_003_005_008/Phone-3.5.8.tar
./SWUP_00000B98_003_005_008.bin
./SWUP_00000B99_001_012_000
./SWUP_00000B99_001_012_000/.DS_Store
./SWUP_00000B99_001_012_000/beschreibungstabelle.sgbm
./SWUP_00000B99_001_012_000/MME-1.12.0
./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia
./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/db
./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/db/mme_combined.sql
./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/qnx
./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/qnx/etc
./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/qnx/etc/post_starting_qdb.sh
./SWUP_00000B99_001_012_000/MME-1.12.0/MANIFEST
./SWUP_00000B99_001_012_000/MME-1.12.0.tar
./SWUP_00000B99_001_012_000/post_deinst.scr
./SWUP_00000B99_001_012_000/post_inst.scr
./SWUP_00000B99_001_012_000.bin
./SWUP_00000B99_003_005_004
./SWUP_00000B99_003_005_004/.DS_Store
./SWUP_00000B99_003_005_004/beschreibungstabelle.sgbm
./SWUP_00000B99_003_005_004/MME-3.5.4
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/bin
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/bin/io-media-generic
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/cipher-aes.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-hbextdrive.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-i2c-ipod.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-ipod.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-msdrm10.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-pfs.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-ser-ipod.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/iofs-usb-ipod.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mme-imgprc-gf.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/aac_parser.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/audio_streamer.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/audio_writer.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/fildes_streamer.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/media_streamer.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/mp4_parser.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/mpega_parser.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/queue_filter.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/ren_raac_decoder.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/stream_reader.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/tmpfile_streamer.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/wav_parser.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/wma9_decoder.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/wma9_parser.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/wms_control.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/wms_streamer.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/dll/mmedia/xing_mpega_decoder.so
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/libaoi.so.1
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/libmmedia.so.1
./SWUP_00000B99_003_005_004/MME-3.5.4/HBMedia/qnx/lib/libmmfilter.so.1
./SWUP_00000B99_003_005_004/MME-3.5.4/MANIFEST
./SWUP_00000B99_003_005_004/MME-3.5.4.tar
./SWUP_00000B99_003_005_004.bin
 

Attachments

  • UPD01008.bin_original.zip (7.8 MB)
  • UPD01008_exploded.zip (23.4 MB)

doublespaces

Oh wow, if the DNS server can be avoided, then this simply comes down to connectivity.
 

doublespaces

The libdataservice.so seems interesting, but I can't disassemble it without knowing what architecture the combox uses.
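
Added example, not code from this thread or from anyone in it: the target architecture of a shared object such as libdataservice.so is recorded in its ELF header, so it can be read before picking a disassembler. The function names are hypothetical and the headers are constructed sample bytes, not taken from the update package.

```python
import struct

# Subset of e_machine / e_type values from the ELF specification.
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM",
            42: "SuperH", 62: "x86-64", 183: "AArch64"}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def elf_info(data: bytes) -> dict:
    """Decode word size, byte order, file type and CPU from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt ELF identification bytes")
    # e_type and e_machine are stored in the file's own byte order,
    # so EI_DATA has to be honoured or a big-endian file decodes wrongly.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endianness": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown ({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown ({e_machine})"),
    }


def elf_info_from_file(path: str) -> dict:
    """Read only the first 20 bytes of a file on disk and decode them."""
    with open(path, "rb") as fh:
        return elf_info(fh.read(20))


def sample_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a constructed 24-byte ELF header prefix for demonstration."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


if __name__ == "__main__":
    # Constructed samples: a 32-bit little-endian ARM library and a
    # 32-bit big-endian PowerPC library.
    for hdr in (sample_header(1, 1, 3, 40), sample_header(1, 2, 3, 20)):
        print(elf_info(hdr))
```

On an extracted update, `elf_info_from_file()` can be pointed at each `.so` in turn; a file that raises `ValueError` is not ELF and needs a different kind of triage.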
 

Xer0449

@rhodesman, without giving it much thought, I'm wondering if we can invoke one of those .scr (which are clearly just bash) and either have it output values (subshell) to a menu item/title, or even try some bash-fu to dump some data back on the usb device.

i.e: we name the device (USB0)
Code:
./SWUP_00000B99_001_012_000/post_inst.scr
#!/bin/sh
rm -rf /HBPersistence/mme/*
##
USB0=$(mount -l | grep -i usb0 | awk '{ print $3 }' | head -n1)
dmesg > $USB0/dump.txt
cat /etc/release* >> $USB0/dump.txt
ls -l /usr/bin >> $USB0/dump.txt
etc...

Just curious as to what invokes these scripts. It's going to take some guessing. Maybe at first we can try to crash the iDrive to confirm it's running what we want, and go from there?

Were you able to look at ./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/db/mme_combined.sql ? I can't seem to open it/looks compiled.

Charset, perhaps?

Also, I really don't want to trash my iDrive in my commuter and only car :(
 

rhodesman

@rhodesman, without giving it much thought, I'm wondering if we can invoke one of those .scr (which are clearly just bash) and either have it output values (subshell) to a menu item/title, or even try some bash-fu to dump some data back on the usb device.

i.e: we name the device (USB0)

./SWUP_00000B99_001_012_000/post_inst.scr
#!/bin/sh
rm -rf /HBPersistence/mme/*
##
USB0=$(mount -l | grep -i usb0 | awk '{ print $3 }' | head -n1)
dmesg > $USB0/dump.txt
cat /etc/release* >> $USB0/dump.txt
ls -l /usr/bin >> $USB0/dump.txt
etc...

I was looking at that also, maybe setting up a Linux VM for starters to just see what the output is?

Just curious as to what invokes these scripts. It's going to take some guessing. Maybe at first we can try to crash the iDrive to confirm it's running what we want, and go from there?
How could one crash iDrive?

Were you able to look at ./SWUP_00000B99_001_012_000/MME-1.12.0/HBMedia/db/mme_combined.sql ? I can't seem to open it/looks compiled.

Charset, perhaps?
I'm trying to figure that out now via Xcode. Nothing is working yet, but my other code editor claimed it was not UTF-8 so... that's a start :/

Also, I really don't want to trash my iDrive in my commuter and only car :(

100% in the same boat... I might spring for a bench test unit or find some bits from totaled cars at local junk yards maybe?
 

Xer0449

Responses in-line.

I was looking at that also, maybe setting up a Linux VM for starters to just see what the output is?
Sure thing. I'll spin one up this evening.
How could one crash iDrive?
Fork bomb! In particular, this one:
Code:
:(){ :|: & };:
Should lock the iDrive up instantly.
I'll just have to power-cycle the car after, but we'll know we've invoked it at least, and that's just one more hurdle crossed.

More info on the forkbomb here: https://explainshell.com/explain?cmd=:(){ :|:& };:
I'm trying to figure that out now via Xcode. Nothing is working yet, but my other code editor claimed it was not UTF-8 so... that's a start :/
I tried sqlpro, it complained that it couldn't load the Thai(?) characters.

100% in the same boat... I might spring for a bench test unit or find some bits from totaled cars at local junk yards maybe?
I'm not sure where to go for this, either. We'd need an iDrive screen, combox unit, harness for power and USB connectivity.
Maybe one of the retrofit gurus is willing to chime in or help?

Some assumptions thus far:

iDrive is running *nix, although we're not sure of originating distro/fork (yet).
There is a database running somewhere on the unit, most likely only listening locally (I'd be amazed if it was exposed on the cellular network!)
There seem to be lots of custom libraries and kernel modules.
 

doublespaces

@doublespaces can we get a code block format option in the WYSIWYG/txt editor?
@rhodesman can you allow me access to create a branch on your github?
Screenshot_20170404-150935.png
 