Progress!!


rhodesman

Corporal
Mar 21, 2017
181
Maryland
So I've made some interesting headway that I think is part of the key to unlocking this communication lock. To back up a little, I purchased a BMW iCOM +A2 device off ebay (not a knockoff but one of the legit ones that BMW itself uses). It's awesome, and I highly recommend purchasing one. The main reason for this was to get MOST programming abilities so I can directly communicate with the TCU and MULF2 devices (both only accessible via the MOST bus). I loaded up the FSW_PSW from ncsexpert into NCS Dummy and I found quite a few interesting settings I could turn on and off!
MOST2 ([X] marks the value currently set):
  BT_EIN_AUS (BLUETOOTH ON/OFF)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  DUN_EIN_AUS (DIAL-UP NETWORK ON/OFF)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  A2DP_EIN_AUS (BLUETOOTH ADVANCED AUDIO DISTRIBUTION PROFILE (A2DP) ON/OFF)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  BT_OBJECT_PUSH (BLUETOOTH OBJECT PUSH PROFILE (OPP))
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  SMS_EIN_AUS_C12 (SMS MESSAGING ON/OFF)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
TCU ([X] marks the value currently set):
  BT_ENABLE (BLUETOOTH ENABLED)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  C14_SIM_IN_TELEMATIK_READ (TELEMATICS PRE-INSTALLED SIM)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  C14_TELEMATIK_SIM_ENABLED (TELEMATICS PRE-INSTALLED SIM ENABLED)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  C14_TELEMATIK_ENABLED (TELEMATICS ENABLED)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  IN_BAND_MODEM
    aktiv - enabled [X]        condition: (US+!TCUM_CI_15,TCUM_CI_15+TEL_PROF_US)+!TELEMATIC_DIS
    nicht_aktiv - not enabled  condition: !((US+!TCUM_CI_15,TCUM_CI_15+TEL_PROF_US)+!TELEMATIC_DIS)
  RINGTONE (INCOMING CALL RINGTONE)
    ringtone_1 - ringtone 1 (standard)
    ringtone_2 - ringtone 2 [X]
    ringtone_3 - ringtone 3
  SMS_TCU_C15 (SMS MESSAGING)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  A2DP_AUDIO_STREAMING (BLUETOOTH ADVANCED AUDIO DISTRIBUTION PROFILE (A2DP) AUDIO STREAMING)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
  AVRCP_VERSION
    version_1_0 - version 1.0
    version_1_3 - version 1.3
    version_1_4 - version 1.4 [X]  <-- should be this.
  MAX_GPRS_TIMER
    no_timer - no timer [X]
    05_min - 5 minutes
    10_min - 10 minutes
    30_min - 30 minutes
  PAY_TMC_CONTROL (PAY TRAFFIC MESSAGE CHANNEL (TMC) CONTROL)
    aktiv - enabled [X]
    nicht_aktiv - not enabled
You might also recall, I found a PPP folder which contained XML files to connect to various BMW proxy servers and had settings to communicate with cellular providers for GPRS connections. Well, also in the TCU settings are these:
  GATS_SMSC_DEFAULT (GLOBAL AUTOMOTIVE TELEMATICS STANDARD (GATS) DEFAULT SMS NUMBER [DATA = 20-BYTE ASCII LEFT-ALIGNED, USE 0 FOR UNUSED CHARACTER])
    empty - empty             condition: !VORB_TEL_BUSINE+!(US+!TCUM_CI_15,TEL_PROF_US+TCUM_CI_15)
    atxeu_prod_d1             value: +491710760150
    atxeu_prod_prefit_sim_d1  condition: VORB_TEL_BUSINE+!PROVIDERZUORD   value: +491710760591
    wireless_car_prod         condition: VORB_TEL_BUSINE+PROVIDERZUORD    value: +491710760000
    atxeu_preprod_d1          value: +491710760000
    atxeu_tvs_d1              value: +491710760595
    atxus_att                 condition: US+!TCUM_CI_15,TEL_PROF_US+TCUM_CI_15   value: +13123149810
There are three more settings that match this with various options to select. Now, I'm wondering, if I was to ADD a parameter to those with a value of a number that will connect to my server, would that allow it to call my home server vs. BMW!???

I won't be able to test my theory until next week as I'm about to head out of town, but I would like to think this is the missing key and we are over the "hacking the CIC" portion of this journey.... let's at least hope. :)

Some more promising data settings:
(attached screenshot: Screen Shot 2017-06-15 at 2.50.27 PM.jpg)

rhodesman

Corporal
Mar 21, 2017
181
Maryland
Last night I plugged my car's network into my laptop via the eNet cable and booted up the car. I was running Wireshark and recorded all the calls made from my car out into the world (or its attempt to, my internet was down). I'm not 100% sure much came of it outside of some calls for DHCP lease, but I know very little about network TCP dumps and calls, so here is the Wireshark file for anyone here to look into. My laptop's address was 192.168.135.1 and the car/iDrive eNet was 192.168.135.10.

Rename wireshark.zip to wireshark.pcapng, it's not actually zipped!
Attachments
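For anyone who wants a first look at a capture like the one above without reading every packet by hand, here is a small added example (mine, not the original poster's, and not tied to his actual pcapng): a dependency-free Python script that walks a pcapng file, decodes Ethernet/IPv4/UDP, and tallies who the car tried to talk to and for what (DHCP, DNS lookups by name, other UDP). The IP addresses come from the post; the sample capture is constructed inline by `build_sample_pcapng()` so the script runs offline, and the name `example.com` in it is a placeholder, not something the car queried.

```python
import struct

CAR_IP = "192.168.135.10"  # eNet address of the car, as given in the post


def pcapng_packets(data: bytes):
    """Yield captured frames from a little-endian pcapng file (Enhanced Packet Blocks only)."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or off + blen > len(data):
            break  # truncated or corrupt block: stop rather than misparse the rest
        if btype == 0x00000006:  # Enhanced Packet Block: iface, ts_hi, ts_lo, cap_len, orig_len, data
            cap_len = struct.unpack_from("<I", data, off + 20)[0]
            yield data[off + 28: off + 28 + cap_len]
        off += blen


def dns_qname(q: bytes) -> str:
    """Decode the first question name of a DNS message (questions are never compressed)."""
    labels, i = [], 0
    while i < len(q) and q[i] != 0:
        n = q[i]
        labels.append(q[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def classify(frame: bytes):
    """Return (src, dst, kind) for an IPv4 frame, or None for non-IPv4 traffic."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if proto != 17:                        # only UDP is decoded further here
        return (src, dst, "ip-proto-%d" % proto)
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if {sport, dport} & {67, 68}:
        return (src, dst, "dhcp")
    if dport == 53:                        # 8 bytes UDP header + 12 bytes DNS header
        return (src, dst, "dns:" + dns_qname(frame[l4 + 8 + 12:]))
    return (src, dst, "udp/%d" % dport)


def summarize(data: bytes) -> dict:
    """Map (src, dst, kind) -> packet count. Before it has a lease the car sends DHCP from 0.0.0.0."""
    counts = {}
    for frame in pcapng_packets(data):
        c = classify(frame)
        if c is not None:
            counts[c] = counts.get(c, 0) + 1
    return counts


# --- constructed sample capture (not the poster's file) --------------------

def _frame(src, dst, sport, dport, payload):
    ip_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)  # checksum left 0
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp + payload


def _block(btype, body):
    body += b"\0" * (-len(body) % 4)        # pcapng bodies are padded to 32 bits
    blen = 12 + len(body)
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)


def build_sample_pcapng() -> bytes:
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(1, struct.pack("<HHI", 1, 0, 65535))              # linktype 1 = Ethernet
    dns_q = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x07example\x03com\x00\x00\x01\x00\x01")       # placeholder query name
    frames = [
        _frame("0.0.0.0", "255.255.255.255", 68, 67, b"\x01" * 240),  # DHCP Discover
        _frame("0.0.0.0", "255.255.255.255", 68, 67, b"\x01" * 240),  # retry, no server answered
        _frame(CAR_IP, "192.168.135.1", 40000, 53, dns_q),            # DNS query to the laptop
    ]
    epbs = b"".join(_block(6, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f) for f in frames)
    return shb + idb + epbs


if __name__ == "__main__":
    for (src, dst, kind), n in sorted(summarize(build_sample_pcapng()).items()):
        print("%-16s -> %-16s %-20s %d" % (src, dst, kind, n))
```

To run it on a real file, replace `build_sample_pcapng()` with `open("wireshark.pcapng", "rb").read()`. The DNS names are the interesting part for this thread: they show which hostnames the head unit resolves when it thinks it has a network, which is exactly what you would need to know before pointing it anywhere else.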

doublespaces

Administrator
Oct 18, 2016
7,944
AZ
Last night I plugged my car's network into my laptop via the eNet cable and booted up the car. I was running Wireshark and recorded all the calls made from my car out into the world (or its attempt to, my internet was down). I'm not 100% sure much came of it outside of some calls for DHCP lease, but I know very little about network TCP dumps and calls, so here is the Wireshark file for anyone here to look into. My laptop's address was 192.168.135.1 and the car/iDrive eNet was 192.168.135.10.

Rename wireshark.zip to wireshark.pcapng, it's not actually zipped!
I've allowed pcapng extension attachments.

rhodesman

Corporal
Mar 21, 2017
181
Maryland
A small leap last night! I made an edit to GATS_SMSC_DEFAULT & GATS_SMSC_BACKUP adding my own custom field with the help of NCS Dummy and editing via NETTODAT. I was able to add my own cellphone number to my TCU!!! Upon rebooting I did get an SOS error in iDrive and the Dash but I would just need to turn those features off since I can't be my own concierge LOL.

I'm getting super close here. If I can get my car's cell connection back up and running, I should be able to receive SMS messages from my car. If I then point my car to something like a google voice number, I can then have google forward the message to my server. Once that's done, it's just a matter of getting my server to understand the data properly and then, bingo!!! (I think)

toxx

Lurker
Sep 17, 2017
12
Dubai
Any luck with this? I believe it's a bit hard to enable the TCU to use the mobile network again, as it has inside a SIM which is kind of soldered inside, and the TCU has its own IMEI number (just like any mobile phone). So unless some operator will activate the SIM and IMEI of your TCU, you need to create your own mobile network :D

Basically how this works (I work at the biggest telecom phone operator in the Middle East):

- One company requests a private network for their internal use based on a normal mobile network. They will get a number of SIMs with their respective serials. These SIMs are the ones in TCUs. These SIMs will use the operator's network for signal and registration, but they will end up in a different APN which is, in this case, BMW's private mobile operator network. So how this is translated in short: "Mobile operator as a service". With this kind of setup, all these private SIMs can end up connected in BMW's IT environment where they can enable/disable/restrict access.

It may be possible to work on CIC + Combox setup, as ConnectedDrive and Internet stuff is based on VIN number, once VIN is checked and allowed for these services you can connect to Internet.

doublespaces

Administrator
Oct 18, 2016
7,944
AZ
I've considered setting up my own MVNO once. Waste of money though unless you have a huge marketing budget. Even then you've got a ton of restrictions.

rhodesman

Corporal
Mar 21, 2017
181
Maryland
There are ways to allow the iDrive to access data without going through the TCU. You can attach a USB=>Ethernet adaptor in the glovebox and then attach that to some kind of mobile network. I have not gone down that road yet, mainly because I have too much other crap on my plate right now, but according to the iDrive schematics that would essentially be an active network port through which it can communicate. I believe it was set up this way as a development "backdoor" for testing, similar to the OBD=>Eth adaptor I use to telnet and FTP to the iDrive. When I connect my car to my home network via that OBD=>Eth cable, it does send communications out via my home network. So it is possible, but I would assume it probably will require some changes to the QNX software.

doublespaces

Administrator
Oct 18, 2016
7,944
AZ
I wonder what USB-Network adapters are compatible, but that makes sense considering that USB port is the same way you load music into the car. It is certainly being used for data transfer of some kind. I'm finishing my combox installation despite having an AVIN android head unit, solely in hopes this turns into something.

toxx

Lurker
Sep 17, 2017
12
Dubai
There are some specific USB chipsets supported. I was hunting down eBay and Amazon for a D-Link DUB-E100 B1 revision adapter, the silver case one (it's a kinda old version). I tried several others; although the link is active, no communication can be done (no ping, nothing). It's a file inside the CIC, in folder /etc, which specifies the PCI numbers of supported chipsets.

See attached screenshot. This is the only one popular enough which is known to work. There are some others based on the same chipsets but I haven't tried. With this one it works 100%.

Attachments

rhodesman

Corporal
Mar 21, 2017
181
Maryland
...See attached screenshot. This is the only one popular enough which is known to work. There are some others based on the same chipsets but i haven't tried. With this one it works 100%.
Aww damn! I had one of those like a decade ago or something! Crap, now I need to go rummage through my 20+ boxes of random computer parts to find it while my wife reminds me that I don't need all of that "junk" sitting in our basement! (point of contention between us because all my random computer parts, 3 decades worth mind you, take up the space she wants to use to expand the basement bathroom. However on the flip side, all those parts come in handy for my DIY projects like this and don't require me to buy them again!)

Xer0449

Corporal
Jan 30, 2017
174
I wonder what USB-Network adapters are compatible, but that makes sense considering that USB port is the same way you load music into the car. It is certainly being used for data transfer of some kind. I'm finishing my combox installation despite having an AVIN android head unit, solely in hopes this turns into something.
I thought I pulled the list of supported chipsets from the CiC and posted it somewhere in here? I'll look again.