So I've made some interesting headway that I think is part of the key to unlocking this communication lock. To back up a little, I purchased a BMW ICOM A2 device off eBay (not a knockoff but one of the legit ones that BMW itself uses). It's awesome, and I highly recommend purchasing one. The main reason for this was to get MOST programming abilities so I can directly communicate with the TCU and MULF2 devices (both only accessible via the MOST bus). I loaded up the FSW_PSW from NCSExpert into NCS Dummy and I found quite a few interesting settings I could turn on and off!
MOST2:
Parameter | Option | Active | Description / condition |
BT_EIN_AUS | aktiv - enabled | X | BLUETOOTH ON/OFF |
 | nicht_aktiv - not enabled | | |
DUN_EIN_AUS | aktiv - enabled | X | DIAL-UP NETWORK ON/OFF |
 | nicht_aktiv - not enabled | | |
A2DP_EIN_AUS | aktiv - enabled | X | BLUETOOTH ADVANCED AUDIO DISTRIBUTION PROFILE (A2DP) ON/OFF |
 | nicht_aktiv - not enabled | | |
BT_OBJECT_PUSH | aktiv - enabled | X | BLUETOOTH OBJECT PUSH PROFILE (OPP) |
 | nicht_aktiv - not enabled | | |
SMS_EIN_AUS_C12 | aktiv - enabled | X | SMS MESSAGING ON/OFF |
 | nicht_aktiv - not enabled | | |
TCU:
Parameter | Option | Active | Description / condition |
BT_ENABLE | aktiv - enabled | X | BLUETOOTH ENABLED |
 | nicht_aktiv - not enabled | | |
C14_SIM_IN_TELEMATIK_READ | aktiv - enabled | X | TELEMATICS PRE-INSTALLED SIM |
 | nicht_aktiv - not enabled | | |
C14_TELEMATIK_SIM_ENABLED | aktiv - enabled | X | TELEMATICS PRE-INSTALLED SIM ENABLED |
 | nicht_aktiv - not enabled | | |
C14_TELEMATIK_ENABLED | aktiv - enabled | X | TELEMATICS ENABLED |
 | nicht_aktiv - not enabled | | |
IN_BAND_MODEM | aktiv - enabled | X | (US+!TCUM_CI_15,TCUM_CI_15+TEL_PROF_US)+!TELEMATIC_DIS |
 | nicht_aktiv - not enabled | | !((US+!TCUM_CI_15,TCUM_CI_15+TEL_PROF_US)+!TELEMATIC_DIS) |
RINGTONE | | | INCOMING CALL RINGTONE |
 | ringtone_1 - ringtone 1 | | standard |
 | ringtone_2 - ringtone 2 | X | |
 | ringtone_3 - ringtone 3 | | |
SMS_TCU_C15 | aktiv - enabled | X | SMS MESSAGING |
 | nicht_aktiv - not enabled | | |
A2DP_AUDIO_STREAMING | aktiv - enabled | X | BLUETOOTH ADVANCED AUDIO DISTRIBUTION PROFILE (A2DP) AUDIO STREAMING |
 | nicht_aktiv - not enabled | | |
AVRCP_VERSION | | | |
 | version_1_0 - version 1.0 | | |
 | version_1_3 - version 1.3 | | |
 | version_1_4 - version 1.4 | X | <-- should be this. |
MAX_GPRS_TIMER | | | |
 | no_timer - no timer | X | |
 | 05_min - 5 minutes | | |
 | 10_min - 10 minutes | | |
 | 30_min - 30 minutes | | |
PAY_TMC_CONTROL | aktiv - enabled | X | PAY TRAFFIC MESSAGE CHANNEL (TMC) CONTROL |
 | nicht_aktiv - not enabled | | |
You might also recall that I found a PPP folder which contained XML files to connect to various BMW proxy servers and had settings to communicate with cellular providers for GPRS connections. Well, also in the TCU settings are these:
Parameter | Option | Active | Condition / value |
GATS_SMSC_DEFAULT | | | GLOBAL AUTOMOTIVE TELEMATICS STANDARD (GATS) DEFAULT SMS NUMBER [DATA = 20-BYTE ASCII LEFT-ALIGNED, USE 0 FOR UNUSED CHARACTER] |
 | empty - empty | | !VORB_TEL_BUSINE+!(US+!TCUM_CI_15,TEL_PROF_US+TCUM_CI_15) |
 | atxeu_prod_d1 | | value: +491710760150 |
 | atxeu_prod_prefit_sim_d1 | | VORB_TEL_BUSINE+!PROVIDERZUORD value: +491710760591 |
 | wireless_car_prod | | VORB_TEL_BUSINE+PROVIDERZUORD value: +491710760000 |
 | atxeu_preprod_d1 | | value: +491710760000 |
 | atxeu_tvs_d1 | | value: +491710760595 |
 | atxus_att | | US+!TCUM_CI_15,TEL_PROF_US+TCUM_CI_15 value: +13123149810 |
There are three more settings that match this with various options to select. Now I'm wondering: if I were to ADD a parameter to those with a value of a number that will connect to my server, would that allow it to call my home server vs. BMW?
I won't be able to test my theory until next week as I'm about to head out of town, but I would like to think this is the missing key and we are over the "hacking the CIC" portion of this journey... let's at least hope.
Some more promising data settings:
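An added example, not code from the original post: the GATS_SMSC_DEFAULT field layout quoted above (20-byte ASCII, left-aligned, 0 for unused characters) decoded from a raw coding dump and the SMS centre number checked against the values the post lists, so that a malformed field or an undocumented number in a TCU dump stands out. It assumes the "0" filler is the NUL byte (0x00) and treats the post's number list as the allowlist; the function names and the `audit_dump` input format (parameter name to raw 20-byte field) are mine.

```python
# Added example, not code from the original post: decode the GATS_SMSC_DEFAULT
# field ("20-byte ASCII, left-aligned, 0 for unused characters") from a coding
# dump and check the SMS centre number against the values listed in the post.
# Assumptions: the "0" filler is the NUL byte (0x00); the list below, taken from
# the post, is treated as the allowlist of expected numbers.
from typing import Optional

FIELD_LEN = 20
KNOWN_SMSC = {  # number -> option name, as listed for GATS_SMSC_DEFAULT
    "+491710760150": "atxeu_prod_d1",
    "+491710760591": "atxeu_prod_prefit_sim_d1",
    "+491710760000": "wireless_car_prod / atxeu_preprod_d1",
    "+491710760595": "atxeu_tvs_d1",
    "+13123149810": "atxus_att",
}

def _check_number(text: str) -> str:
    # Accept only an empty field or "+" followed by digits.
    if text and not (text.startswith("+") and text[1:].isdigit()):
        raise ValueError(f"not an international number: {text!r}")
    return text

def decode_smsc(field: bytes) -> str:
    """Return the number stored in a raw field, rejecting malformed layouts."""
    if len(field) != FIELD_LEN:
        raise ValueError(f"field must be {FIELD_LEN} bytes, got {len(field)}")
    number, _, rest = field.partition(b"\x00")
    if rest.strip(b"\x00"):
        raise ValueError("bytes after the NUL filler: field is not left-aligned")
    return _check_number(number.decode("ascii"))

def classify_smsc(field: bytes) -> tuple[str, Optional[str]]:
    """(number, option name); option is None when the number is undocumented."""
    number = decode_smsc(field)
    return (number, "empty" if not number else KNOWN_SMSC.get(number))

def audit_dump(fields: dict[str, bytes]) -> list[str]:
    """Flag every SMSC parameter whose value is malformed or not a known number."""
    findings = []
    for name, raw in fields.items():
        try:
            number, option = classify_smsc(raw)
        except (ValueError, UnicodeDecodeError) as exc:
            findings.append(f"{name}: malformed field ({exc})")
            continue
        if option is None:
            findings.append(f"{name}: undocumented SMSC number {number}")
    return findings
```

Feed `audit_dump` the raw 20-byte values read back from the TCU (one entry per SMSC-type parameter) and an empty result means every number is one of the documented ones.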