
BMW Connected Apps Protocol - zdw
https://hufman.github.io/stories/bmwconnectedapps
======
scoutt
> asked if I could get access to the BMW Ready SDK ... They declined.

Sometimes this is all the motivation a person needs. Now it's (almost?)
reverse-engineered and it could be a big headache for BMW in the future if an
exploit/bug/fun-stuff is found by the right people.

Companies: share your SDKs. The guy/girl doing a RE is not your regular
"coding demo SDK apps" engineer and will go deeper.

~~~
selpop
This happened to me with GM

I tried to get developer access via a form and never got a response, so I
tried sending a message to the head of infotainment on LinkedIn

Thankfully he was able to get my application to the dev site moving... but
unfortunately, they required a business use case to get an API key once you
had access to the site.

So I tried to pick the API key out of the app.

They had the most novel obfuscation I've ever seen for an app's API key

_The key was inside the image data for the launcher icon_

There was a weird transformation applied to it too, so instead of trying to
reverse engineer it I just fired up Charles and intercepted it from there

With the API key and the documentation for the API from the dev site I was
able to write a program that started preconditioning my Volt when I left my
apartment (the car was in an attached underground garage, so it'd be at the
right temperature by the time I got down)

~~~
theflyinghorse
I am thoroughly impressed! How did you find that the key was obfuscated inside
the image though?

~~~
selpop
Similar to what netsharc describes

Found the call that added the header for the API key to each request (even
with Proguard's obfuscation, string literals are preserved, so searching for
"x-api-key" worked)

From there I followed the call chain to their transformer, then looked at the
input for the transformer and it was loading a subset of bytes read from the
same resource as the launcher icon (and sure enough, opening it in a hex
editor there was some weird "garbage" that I'm honestly surprised Android
doesn't choke on)
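
A defender-side check for the situation selpop describes, added here as an example (it is not code from the thread, from GM's app, or from the linked article): most PNG decoders, Android's included, stop reading at the IEND chunk and skip chunk types they do not know, so bytes stuffed into an icon file render fine and stay invisible until someone opens the file in a hex editor. The audit below walks the chunk list of a PNG and reports trailing bytes, non-standard chunks and CRC mismatches, which is the kind of build-time check that catches a secret hidden in a resource before it ships. The sample image is constructed in the block.

```python
"""Check that a PNG resource carries nothing a decoder would silently ignore.

Added example: a build-time audit for image resources. The 1x1 sample PNG
and the appended "key" are constructed here for the demonstration.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else gets reported.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one chunk: 4-byte length, type, body, CRC32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png() -> bytes:
    """Constructed 1x1 RGB image used as the clean sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + one red pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def audit_png(data: bytes) -> dict:
    """Walk the chunk list; return trailing bytes, non-standard chunks and CRC failures."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    unknown, bad_crc = [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            bad_crc.append(ctype)
        if ctype not in STANDARD_CHUNKS:
            unknown.append(ctype)
        pos = end
        if ctype == b"IEND":
            # Everything after IEND is ignored by decoders, so report it verbatim.
            return {"trailing": data[pos:], "unknown_chunks": unknown, "bad_crc": bad_crc}
    raise ValueError("truncated PNG: no IEND chunk")


def is_clean(data: bytes) -> bool:
    """True when the file is nothing but a well-formed image."""
    report = audit_png(data)
    return not (report["trailing"] or report["unknown_chunks"] or report["bad_crc"])


if __name__ == "__main__":
    clean = make_png()
    stuffed = clean + b"CONSTRUCTED-API-KEY"   # constructed: bytes appended after IEND
    print(is_clean(clean), audit_png(stuffed)["trailing"])
```

Run it over every image under `res/` as part of the build and fail on a non-empty report; a private chunk (lowercase second letter) or trailing bytes in an icon has no legitimate reason to be there in a shipping app.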

------
1234_9999_46
I bought a mid-tier BMW last year. Regardless of how you look at it, it's a
big, expensive luxury car. And being a big, expensive luxury car it's big and
carefully made and feels like driving around in a well appointed living room
or a first class cabin.

And the UX is pretty good. The computer controls can almost be used by memory,
they're very close to hand and well laid out. The nav is so-so but the in-dash
lane view makes it sane for big cities.

But the software is _awful_. It's not poorly designed, necessarily, but it's
buggy as hell.

Half the time I enter the vehicle the car thinks I'm my wife. She's a foot
shorter than I am which means I can crawl into the seat for about 30 seconds
before my legs start to cramp. In that time, the following invariably happens:

1. I painfully get a foot on the brake and hit the ignition.

2. The computer prompts me to confirm that I'm my wife.

3. While I'm trying to select my profile CarPlay kicks in and opens the media
screen.

4. I navigate through several menu levels to set the correct driver profile,
swearing the whole time.

Now, I can move the seat back before I enter, but it's slow and clumsy. Then I
still have to go through the same process, just minus the leg cramp.

~~~
arrty88
It sounds like all of these problems have to do with the driver profile. My
grandpa's 1999 Buick Park Ave had 2 key fobs. Each fob was paired with a
different driver profile. Depending on which fob unlocked the car, the seat
and preferences were adjusted instantly. Surely BMW can do something similar
here. My only advice is to talk to your salesman / dealer and see if they can
set you straight.

~~~
jakoblorz
I have a completely new Audi A4 2019. Unfortunately I have the same problem.
Additionally, it takes ages to switch profile. When I select my profile, it
loads 2-5min until an error pops up, prompting me to select again. Then it
takes like 5 secs. What is wrong with IT culture at German car manufacturers?

~~~
forgingahead
It's latency, as the key fob has to communicate with the German servers, and
that round-trip takes a while.

.......

I'm only kind of joking, I don't know the real reason, but I dislike the fact
I can't just get a simple mechanical car. It worked for decades, why did we
need to add janky software to everything?

~~~
_pmf_
Hey, it's not easy REST-ing in German:

{"AnfrageArt": "Personenerkennungsschlüsselanforderungsanfrage",
 "ParameterListe": [{"HerstellerSpezifischePersonenkraftfahrzeugidentifikationsnummer": "1NXBR12E31Z463785"}]}

~~~
franga2000
This is giving me flashbacks to reverse-engineering some German-made code with
only a veeery basic understanding of German and no technical dictionary.
Google Translate usually had a seizure with technical terms and by the end I
was just going by the "shape" of the code, despite having full function names.
What a language!

------
speedgoose
It's a very interesting article. I'm also impressed by such dedication.
Hashing the strings from the decompiled APK to easily debug the protocol in
Wireshark is inspiring.

On the topic of using a BMW with your phone without being frustrated, some
people put a third-party box between the screen and the car infotainment
computer to get Android Auto. I heard the experience isn't perfect.

Personally I use Google Assistant and I think it works relatively well. I can
use it to get directions, make the sound of random animals, change radio, play
music on Spotify... To trigger it, you can long press the voice command button
on the steering wheel.

~~~
bmo-at
Yeah, I 'inherited' a 2015 BMW 1-series with very basic equipment from my
grandma. Plenty of car for a cs student, but I really wanted Apple Carplay and
Android Auto in my car.

You're right though, it is not perfect. But I was surprised how well it's
integrated. It definitely connects faster and more reliably than the default
Bluetooth connection in the car and it can be removed without a trace
afterwards, since it's just a piggyback box.

I do experience a crash though sometimes, and then I have to stop, turn off
and lock the car for ~30 seconds just to restart the box.

I have a binary firmware file from the manufacturer, was thinking I might try
to decompile it and make my own version, but I don't have the experience or
the time atm.

~~~
tW4r
There is a slow movement to Reverse Engineer carplay (mostly the problem lies
with apple MFi encryption) but it'd be great if more people joined in to make
a truly open-source carplay implementation

The most advanced RE effort I've found:
[https://www.youtube.com/watch?v=VnS_TP18VBk](https://www.youtube.com/watch?v=VnS_TP18VBk)
(comments)
[https://gist.github.com/Wh1terat/f06c8b4a41f93f482bf5892095b...](https://gist.github.com/Wh1terat/f06c8b4a41f93f482bf5892095bbd40b)

~~~
opsroller
What's there to reverse? CarPlay is extremely basic, you send a surface
geometry to the iPhone and you tell it what it can be used for, a lot like
Apple Watch complications, and then CarPlay can decide what to send to the
buffer.

Example: In a Mini, with wireless CarPlay I get a Main View for CarPlay's
springboard, and configurable split screen for other car functions, however
one of the functions is a media view for currently playing media. This allows
me to use any car functions in the main view and still see what media is
playing from any source including CarPlay, and it shows the Album View from
CarPlay.

[https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=12&ved=2ahUKEwj-wIOr95LnAhUnFjQIHYUSCYkQFjALegQIBRAB&url=https%3A%2F%2Fdevstreaming-cdn.apple.com%2Fvideos%2Fwwdc%2F2016%2F722x2eefo3u2rp8k8qs%2F722%2F722_developing_carplay_systems_part_1.pdf%3Fdl%3D1&usg=AOvVaw1hlezk8GKtUDeGcCFj1-Gh)

~~~
tW4r
The (MFi?) authentication prevents you from making your own carpc compatible
with carplay because of encryption, there are efforts to break it (extract
key) but AFAIK none of the public ones have succeeded so far

------
ac_20200120
IPs removed and anonymous because it's a little intrusive

Someone at BMW added me accidentally as a nexus repo. I get loads of BMW
traffic now, and it's really annoying.

Leaks a bunch of fun stuff.

[BMW'S IP] - - [20/Jan/2020:08:52:11 +0100] "GET .... com/bmw/cc/b2vngtp/statusAPI/20200120.074026-feature_2020-T1.5-CDNGTP-3818-improve-stability-of-integration-tests/statusAPI-20200120.074026-feature_2020-T1.5-CDNGTP-3818-improve-stability-of-integration-tests.war HTTP/1.1" 403 1364 [MYSITE] "-" "Nexus/3.15.1-01 (OSS; Linux; 3.0.101-108.87-xen; amd64; 1.8.0_92)" "-"
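
The log line above is what a misconfigured repository manager looks like from the receiving end: a Nexus User-Agent fetching a Maven-layout path, and the path itself carrying the internal artifact, branch and ticket names. The parser below, added here as an example (not code from the thread or from any BMW or Nexus tooling), reads combined-format access logs, flags requests that come from build tooling or that follow the Maven repository layout, and pulls out the artifact and version names so the operator can see what is leaking and whom to notify. The sample lines are constructed for the example, modelled on the quoted one; 203.0.113.5 and 198.51.100.7 are documentation addresses, not anyone's real IP.

```python
"""Spot repository-manager clients that have been pointed at the wrong host.

Added example: a detector for build tooling hitting a web server that is not
a repository. The log lines below are constructed for the demonstration.
"""
import re

SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2020:08:52:11 +0100] "GET /com/bmw/cc/b2vngtp/statusAPI/20200120.074026-feature_2020-T1.5-CDNGTP-3818-improve-stability-of-integration-tests/statusAPI-20200120.074026-feature_2020-T1.5-CDNGTP-3818-improve-stability-of-integration-tests.war HTTP/1.1" 403 1364 "-" "Nexus/3.15.1-01 (OSS; Linux; 3.0.101-108.87-xen; amd64; 1.8.0_92)"
198.51.100.7 - - [20/Jan/2020:08:52:12 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2020:08:53:40 +0100] "GET /org/example/lib/1.2.3/lib-1.2.3.pom HTTP/1.1" 404 153 "-" "Apache-Maven/3.6.3 (Java 1.8.0_92; Linux 4.19)"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Maven repository layout: /<group path>/<artifact>/<version>/<artifact>-<version>[-classifier].<ext>
MAVEN_PATH_RE = re.compile(
    r'^/(?:[^/]+/)+(?P<artifact>[^/]+)/(?P<version>[^/]+)/'
    r'(?P=artifact)-(?P=version)(?:-[^/.]+)?\.(?:jar|war|pom|aar|zip|sha1|md5)$'
)

# User-Agent prefixes of common repository managers and build tools.
REPO_CLIENT_PREFIXES = ("Nexus/", "Apache-Maven/", "Gradle/", "Artifactory/", "m2e/")


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def find_misdirected_repo_traffic(log_text: str) -> list:
    """Flag requests that look like artifact fetches from build tooling."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        is_repo_client = rec["ua"].startswith(REPO_CLIENT_PREFIXES)
        layout = MAVEN_PATH_RE.match(rec["path"])
        if not (is_repo_client or layout):
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": rec["status"],
            "user_agent": rec["ua"],
            # The artifact and version segments are the names that leak.
            "artifact": layout.group("artifact") if layout else None,
            "version": layout.group("version") if layout else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_misdirected_repo_traffic(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['user_agent'].split()[0]} -> {f['artifact']} {f['version']}")
```

A 403 or 404 already means nothing was served, so the remaining work is operational: group the findings by source address, and use the leaked group and artifact names to identify the organisation whose repository configuration points at your host.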

~~~
punnerud
Dang, there is something odd with the (unusually high) number of newly
registered comments on this post. Good comments, but could all be from the
same person?

From zwb’s bio: “(..) Hacker News is an online game you can play where your
score is up in the top right corner and there's a leaderboard, and you get
points by posting stuff and making comments people like. (..)”

~~~
Tomte
E-mail exists. Please use it.

~~~
0x00000000
Should you though? So some drone in the legal department can accuse you of
“hacking” or “stealing proprietary information”?

With a tech company, maybe you could but it’s still a risk. With a big, ‘old
school’ company? No. Hell no. Unsolicited advice on anything security related
is a bad idea.

~~~
Tomte
He is supposed to mail hn@ycombinator.com. That way dang actually sees it. And
the guidelines specifically ask for doing such meta communication off
HackerNews.

------
gorkish
I can't help but feel for this guy having done my own reverse engineering of
BMW's i-bus back in the day. You get to the point where you see such
possibility if the carmaker would just open up a little damn bit. It's a real
shame that automakers feel that every software or hardware integration with
their vehicle should be something to monetize. Even the forward thinkers like
Tesla are no better on this front.

~~~
hippich
Another possible explanation (other than keeping everything in case it can be
monetized) is being concerned with the myriad of ways it can bring liability to
the company. Perhaps it is not a practical way to keep such risk away, but I
can see how it can be the most rational decision by a big company.

------
shoes_for_thee
These comments are reminding me why I like analog cars.

I do wish I had adaptive cruise control, though.

~~~
UI_at_80x24
Yes completely!

I want an electric car. I don't want any screens though. Analogue dials,
switches, buttons.

I don't expect to own a vehicle for 20 years, but what is the real life
expectancy of those LCD screens and back-lights? I'm driving a 9-year-old car
right now and half of the 'tech' on it doesn't work worth shit. It drives ok,
but it's nearing its serviceable EOL.

------
mkhpalm
I'm confused why just 1 car company doesn't allow end-user developed apps. A
model lineup like that seems like it'd be easy to turn dealer inventory. You
have the historical success of both PC and mobile to understand how nobody can
compete with proprietary systems.

------
S0und
"<java something-something> bytecode is really easy to decompile"

by the 3rd time I was laughing at this...

"not a problem, barely an inconvenience"

------
whois
> Cries for help on the Spotify forums were ignored

Yea sounds about right :(

