Anyone thought of building a connected drive server?

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
This may be a frivolous question/topic but I'm always looking for a fun new project to occupy my mind and considering BMW has discontinued the Connected Drive service to all us E-series chaps, I was wondering how possible it would be to stand up a server to continue the service outside of BMW.

I found a website from a guy who has an i3 who reverse engineered the connected drive data API to grab the content and redirect it to his own personal system. Now, according to him this requires an already connected car with access to the connected drive service since he was packet sniffing the connection to find out what data hooks he could tap into. Obviously this makes it harder for anyone who can no longer access the connected drive service because there would be no data to sniff.

With that said, I was wondering if it's possible to break into the com-box that's in our cars to somehow rig up a new cell connection (via cell provider hotspot, sim-card, etc.) and/or grab the data link that sends and receives the car's data in the com-box to send it out via bluetooth (direct, in range, cellphone connectivity?) or run an older Android device as a hacked "com-box" piggyback to send data.

If anyone has or had any thoughts about doing this, we should talk. I'm totally open to programming an app/web service to host the data; all I would need is help getting connected to the car's raw data and figuring out how I could interact with the car through another device or connection.
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
First, I wasn't even aware of the Connected Drive service until you just mentioned it. I do remember something about newer models having newer media features however with a 2009 I'm not sure I would be able to retrofit or add those things.

Secondly, have you seen this: http://www.e90post.com/forums/showthread.php?t=1203536

Regarding the subject, anything is possible. I presume that the car's module speaks to your mobile device over bluetooth and then uses the device's cellular or wifi connection to transmit the requests to and from the BMW servers. If the car has a cellular connection itself, this is likely going to be much more difficult. A MITM attack can be used to catch those unencrypted packets to decipher the API protocol. A lot of this is relatively standard stuff. The programming of the server itself isn't really that challenging either; I've got a decent bit of experience in windows sockets.

I spent a good chunk of time in the early 2000s making private servers for games which no longer had supported online services. What you want done, in theory, isn't very hard. The only real challenge you face is dealing with the encryption. If something like SSL is used, or another common encryption method, then this shouldn't be too much effort to implement. If the encryption algorithm is a custom flavor, most likely some sort of RC4 based streaming cipher, or RSA encapsulated combination, then you may have actual reverse engineering to do. Learning the proper handshake/salt and what not may require getting into the ROM on this combox module or whatever it is. If that is the case, then this is probably a lost cause unless some real skilled people get involved. If the encryption used to communicate between the app and BMW is SSL/TLS or something public along these lines, then this should be doable, particularly with the API splayed out in the open.

In fact, a patch could likely be applied to the BMW app to change the hostname it attempts to contact, and this service could run and handle queries for anyone. Very interesting concept indeed...

You could test it using an android emulator and then change your host files on your computer to point to localhost and run your server. If I get bored one day, perhaps I'll investigate it more. The issue is I don't have connected drive on my car.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
^^^ great info! Very cool stuff. I think I would default to an SSL/RSA trusted key handshake similar to what I use on my servers to connect via SSH without dealing with inputting credentials.

I might try to play around with the android emulator; however, I am more of an iOS guy, so having an iOS variant would be ideal (for me).
 

Xer0449

Corporal
Jan 30, 2017
Just a thought...

A jailbroken iPhone could be the perfect MITM attack vector for packet capture. You may not be able to sniff the BT traffic, but you'll sure as shit see all the API calls start flowing :)
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
The reason I mention Android is because I know you can do MITM attacks with it using a self signed certificate. I haven't had an iPhone since iPhone 4, so I'm not sure on that end. The packet capture is only useful for people who have a working connected drive and also only useful for mapping out the protocol, which apparently has already been done. What needs to be done is determining the encryption method and patching the apk/ipa to reach a different hostname. You don't need to do a MITM attack when you already have the network protocol and it's attempting to reach you already.
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
Identifying the encryption method would take all of ten seconds of hooking up wireshark, assuming the combox is communicating through the mobile device. I read somewhere that it has some sort of cellular capability, which is potentially the reason for shutting down the service for older cars: they have the wrong cellular bands, and a lot of carriers are switching off 2G bands and repurposing them. If the module is communicating over its own cellular connection, then I think this is a dead end unless someone gets real serious with it.
 
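As an added example (not code from this thread), here is the kind of ten-second check doublespaces describes, done on the bytes instead of in wireshark: a small Python classifier that looks at the leading bytes of a captured TCP payload and labels it as a TLS ClientHello, plaintext HTTP, or opaque high-entropy data (what a custom stream cipher would look like). The sample payloads are constructed for the example.

```python
# Added example: classify the first bytes of a captured TCP payload so you can tell
# "standard TLS" from "plaintext HTTP" from "opaque, probably custom-encrypted" data.
import math
import struct
from collections import Counter

# Constructed sample payloads (not real captures).
TLS_CLIENT_HELLO = bytes.fromhex("160301004b010000470303") + b"\x00" * 40
PLAIN_HTTP = b"GET /api/vehicle/status HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# A fixed permutation of all 256 byte values: deterministic, but 8 bits/byte of entropy,
# which is what a ciphertext or compressed stream looks like.
OPAQUE = bytes((i * 167 + 13) % 256 for i in range(256))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> str:
    """Return 'tls', 'http', 'opaque' or 'unknown' for the start of a TCP stream.

    A TLS record starts with content type 0x16 (handshake), a 2-byte protocol
    version 0x0300..0x0304, and a 2-byte record length; the first handshake byte
    after that header is 0x01 for a ClientHello.
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        (rec_len,) = struct.unpack("!H", data[3:5])
        if rec_len > 0 and data[5] == 0x01:
            return "tls"
    if data.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/")):
        return "http"
    # Entropy is only meaningful over a reasonable sample; 6 bits/byte is far above
    # what text-based protocols reach, so treat it as encrypted or compressed.
    if len(data) >= 64 and shannon_entropy(data) > 6.0:
        return "opaque"
    return "unknown"
```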

Xer0449

Corporal
Jan 30, 2017
Interesting.

The best part is, whatever method they're using for encryption is more than likely old. I'm glad I came across this thread... I think I'll start digging this evening.
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
Android = Linux & iOS = FreeBSD fork. They all check /etc/hosts for name resolution before looking at the name servers listed in /etc/resolv.conf

Also, it seems like these things are actually on the EDGE network...which I'm surprised was still running at the time of the article.
http://www.techradar.com/news/car-tech/bmw-idrive-the-ultimate-guide-1085113

Ah, I thought you were referring specifically to the windows hosts file. My linux knowledge is limited to ubuntu 12/14.04 lts and centos 6.x and only for certain things. I'm a linux nub

If the module is connecting over EDGE, that isn't good, as it is likely that the data partnership with whichever carrier has expired and any requests from each vehicle's IMEI would be rejected no matter which hostname is being queried. So at this point, I have no idea what to do.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Here's a thought: if you set up a Raspberry Pi that can communicate with the combox (as in MITM) to intercept its outdated 2G cellular data, then have the RaspPi act as a DNS rerouting that signal over a newer LTE band with a SIM card from a carrier of your choice, it could very easily send that data to any server you desire and require little to zero fiddling with the combox electronics at all.

Check this out: http://nimbelink.com/raspberry-pi/

I built a Gameboy RaspPi and the 2800mAh battery I had used gave the GamePi enough juice to play for 24 hours and that was with it powering a screen and running the CPU at near full tilt with some of the emulated games. To run a DNS MITM piggy-back would have very little power cost and could be tied into the car's battery with minimal draw or even run the pi on a LiPo battery that is only charged when the car is on. Either way, this looks like the easiest, cheapest, and quickest way to regain Connected Drive functionality.

What do you guys think?
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
That is definitely an option! But that is assuming the existing EDGE network is not responsive at all, rather than just sending close connection responses.

I'm a little more interested if we can get something going and would be willing to allocate some server resources for a server if need be. I suppose, I'd need to figure out how to get this on my 2009.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
I too have server space & resources to spare. I just need to be able to get the data from the car then (in theory) I should be able to parse it into JSON, store it to a DB and then display and do with as I want. First step is that connection though.

Also, I found this: https://www.pianywhere.com/

For the Rasp-Pi "hotspot" option, do we know what frequency the older comboxes used? I have the CIC iDrive system in my 2010 135 but I'm not sure if that combox uses the same frequency as my older 2007 CCC iDrive car. Is there any info about that online somewhere?

More good data about the combox here: http://f10.5post.com/forums/showpost.php?p=14027088&postcount=19
 

Xer0449

Corporal
Jan 30, 2017

Does that look like a SIM card cradle directly to the left of the GSM antenna?

Also, good article here: http://jalopnik.com/millions-of-connected-bmws-were-using-unencrypted-data-1682795531

and more info on exploiting ConnectedDrive here: https://www.theregister.co.uk/2016/07/08/bmw_vulns/

PoC here: https://www.vulnerability-lab.com/get_content.php?id=1736
(After reading through this more, it was a vuln for the app portal, not the ConnectedDrive itself, but still cool)

This may be useful to grab some information. https://opensource.srlabs.de/projects/snoopsnitch

It looks like one way or another, a cell tower simulator will be required for at least one of us :)
 

R.G.

Lieutenant
Nov 17, 2016
Henderson, NV
Ride
E92 335, F10 M5
Love this, even tho I do not understand it.
So what is the purpose?
I have live traffic on my CIC and don't even have a combox...? Or at least that I know of. What's an easy way to check? I remember checking years ago and determined I did not.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
I've been looking at some images of combox circuit boards online, and I'm wondering if it's possible to just swap out the GSM modem card for something else, or even have a Raspberry Pi intercept the serial data going to the card and direct it over its own 3G/LTE data connection.

My two directions of penetration/takeover (in my mind) consist of two approaches:
1: Have the RaspPi act as a mini-cell-tower/MITM hack that routes the combox's EDGE cell connection through itself and out to a 3G/LTE connection of your choice. This option HAS all the hardware easily accessible online to do this, but it comes at a price. The hardware (that I found) to act as the "cell tower" goes for about $400-$450 (US) online, plus you would need a RaspPi 3 and then attach another cell card of the 3G/LTE flavor to send the data back out routed to your system. This is the simplest, as 99.9% of this would just involve some very easy to set up server routing software, but it comes at a high price.

2: Slightly cheaper but much more "involved" would be to "intercept" the data going to the GSM card via its serial connection to the main board. A RaspPi can listen to that serial connection via its GPIO pins, then send that data out via a USB network dongle (again from your carrier of choice). This would cost much, much less but would require a lot more programming and "investigation" into what that data looks like and how that serial communication is handled between the mainboard and GSM card.

I can easily do #1 without any problems on my own however I would need someone with more device-to-device/driver communication knowledge to help me out with #2. Also, ideally, I wouldn't want to pull the combox out of my car to test #2. So I/we would need to source a GSM combox from somewhere to bench test and try to get working.
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
I'd like to help, but it would need to cost less than $200 to be widely adopted, in my opinion. Additionally, I'd need to figure out how to retrofit that into my 2009.
 

rhodesman

Corporal
Mar 21, 2017
Maryland
rhodesman.com
Ride
2010 BMW E88 N54 135i
Well, my option 2 in my previous post would be under that $200 mark. My deal is to do the R&D, then post a DIY How-To and link any code on GitHub with free access to anyone who wants it. I'm not in it for the money, I just want my car to connect the way it was intended. ;)

I contacted a couple ComBox Retrofit "vendors" and I just cannot fathom why I would want to spend more than $200 (let alone a few THOUSAND!) just to have my car talk to the internet again. Also considering I have SiriusXM for life, swapping out my ComBox would take away that option without paying even more to get it back. So all in all, I'm looking for the most low-cost option here that would allow me to continue to have my car as it is now with the added option to ping it for status, location, and remotely control some features like I used to have.

At least, that's my goal.