Reverse Engineering BMW Connected Apps Protocol
However, as is normal with Bluetooth, the experience was not very smooth. Sometimes the additional Bluetooth Apps protocol wouldn't connect, and sometimes the individual apps themselves wouldn't be responsive. Cries for help on the Spotify forums were ignored, and the BMW Connected app has terrible reviews with no signs of fixing anything.
The Etch objects are stubbed out with NotImplementedExceptions, so it was very easy for me to watch which calls the official apps make. After filling out as much Fake Car as I needed to make the official app happy, the app (running inside an emulator) used the provided VIN number to download an image of the car it has never been physically connected to:
Turns out that Android encourages music apps to implement a protocol called MediaBrowserService. By implementing this single API, the app automatically becomes available through Android Auto, Android Wear, and supposedly the Bluetooth stack. I could just act as another client to this interface, and implement the car as a frontend on top of this API.
The protocol is deprecated and going away. BMW's new Live Cockpit system does not support any of this remote app protocol, instead finally adding Android Auto support to their existing Apple Carplay support. There will be some apps baked into the car, but apps from the phone won't be able to integrate in the same way.
To further reduce mischief, BMW should use their sandboxing experience and start a developer program like GM has done, for users to express their creativity and build their own apps to contribute to an app store. This entire reverse engineering project started because I wanted to add new functionality to my car, using the marvelous technology that BMW provided. The entire car modding scene shows the devotion people have for tinkering with their cars, and with cars being increasingly software-driven, this is simply the next phase of that same idea.
Even without direct manuals for the VCM or Tegra SoC, development boards often contain schematics and pin-outs for supplied modules, and spares for destructive tests. This would be really helpful in reverse engineering VCMs in the Tesla. Unfortunately, the Jetson Pro Development Kit does not provide any public documentation. Although we tried to obtain a development kit from eBay, there were none available when this report was prepared.
The CID has to be taken apart to access a 4GB normal SD card. It is connected to the gateway and used for staging files during the firmware update. Both were extended outside the CID during the reverse engineering so that they could be accessed with ease when the car was running.
The radio I chose is the BMW Business RDS, also known as the Philips PH7850. This head unit can be connected to the BMW 6 CD Changer A, and I managed to find a set with the two for a good price. Now that I have selected the right head unit, there are two main parts to this project. First of all I need to reverse engineer the CD changer interface, and secondly I need to connect this to a Bluetooth audio module.
The magic is happening in the four connections on the right, which make up the data interface. Luckily, the reverse engineering proved less complicated than expected. After hooking up the logic analyzer I quickly found that the interface resembled some form of SPI communication albeit with a single data line. Typically SPI has two data lines, one for each direction. But as it turns out this bi-directional approach also exists and is known as 3-wire SPI.
I implemented this communication protocol on an Arduino Pro Mini, and used a breadboard-compatible Bluetooth module with a CSR8635 chip. With this I do not need to get involved on the Bluetooth side. The module I picked has some pins for play/pause controls and next/previous track. I connected these to the Arduino to link them to the actual head unit buttons. Finally I used an isolated DC/DC converter to give the Bluetooth module its own ground in an attempt to improve the audio quality.
As part of reverse engineering your car data, you may want to test whether a specific CAN frame can be used to trigger certain behavior in your vehicle. For example, you may want to unlock your door, blow your horn, turn on the wipers, toggle the radio or manipulate your car dashboard.
Originally, the CLX000 only integrated with Wireshark, for which we developed a set of useful features for CAN reverse engineering. Since then, we have added SavvyCAN to our list of integrations - and we generally believe it is superior for most CAN bus reverse engineering use cases. However, if you e.g. have prior experience using Wireshark, you can of course still use that tool. Below is an example of how to achieve similar steps as shown for SavvyCAN above.
Depending on what your intentions are, you may not be able to use the diagnostics port to access the CAN network in your vehicle. In this project, a custom dashboard cluster is going to be built to use the data created during the reverse engineering process, but the diagnostics port does not output all the information needed for a dashboard cluster, nor is it in the location of the cluster. To tap into the wires, you may have to pierce the plastic covers; remember to tape the holes over after you have finished with the wires.
Modern vehicles resemble four-wheeled computers connected to the Internet via their In-Vehicle Infotainment (IVI) systems. As with PCs in the past, cars, being connected to the Internet, can be potentially vulnerable. The IVI system of a car is part of the intra-vehicle network and can be the entry point of offensive cybersecurity attacks. The intra-vehicle network, based on the CAN protocol, is vulnerable by design: messages are exchanged in clear. Thus, uncontrolled access to the CAN bus may have serious impact on the vehicle itself and its passengers. In this paper, we present a vulnerability assessment, through a reverse engineering process, of the Kia vehicles' IVI system. In particular, we focused on reverse engineering the Kia IVI system to discover vulnerabilities that may allow an attacker to compromise the IVI functionalities and inject CAN frames into the CAN bus to alter the behaviour of (part of) the vehicle. By reverse engineering the IVI, we identified four important vulnerabilities that affect all Kia vehicles that embed the studied IVI. Finally, we show how an attacker can easily control the IVI and inject CAN bus frames by means of a Metasploit module that we wrote.
As a node of the in-vehicle network, an IVI system communicates with other ECUs by using the CAN protocol. It aims to improve the driver's user experience by providing apps for navigation and for controlling vehicle functionalities, such as the HVAC. IVI systems are often based on well-known Operating Systems, such as Android or Linux-based ones [6]. Even though Linux provides several advantages, Android OS is going to impose its supremacy also in the automotive market [7]. This is mainly caused by the advantages that such an OS provides in terms of features in the connected-car scenario. Several car manufacturers (OEMs) already mount IVIs with Android OS on their cars, and others are going to do so soon; e.g., General Motors will embed Android Automotive OS starting in 2021 [8].
To contribute to answering the research questions listed above, we targeted our test vehicle, a Kia CEED. In particular, we reverse engineered its IVI system, hereafter also referred to as the Head Unit (HU), which is also installed in all Kia vehicles that support the 8-inch IVI system version. In our study, we considered it as the entry point for cyberattacks, especially when the vehicle is connected to the Internet.
The remainder of this paper is structured as follows: the next section reports some cyber-security attacks performed in the automotive domain in the last decade. Section 3 presents the target of our reverse engineering activity, described in Section 4. Section 5 describes the KOFFEE Module we developed to exploit the discovered vulnerabilities to inject CAN frames into the M-CAN bus of the vehicle. Section 6 presents an example of how the KOFFEE Module can be exploited to remotely perform an end-to-end attack. Section 7 discusses the lessons learned, providing an answer for each research question at the basis of our work. Section 8 concludes this paper.
The Framework contains the Android software libraries that allow the HU to work properly. It is located under the folder /system/framework, and we needed it to reverse engineer system apps and to develop an app that uses system libraries to work. So, to download the Framework files and the system apps from the HU, we leveraged the Meterpreter commands:
By digging into the reversed apps, we came across the file named AutoTestService.java. This Java class contains more than 3000 lines of code and, in particular, we focused on the method doCmdMuteToggle(). The method has an interesting line of code that we found (Listing 3).
First, we tried to figure out if the pins corresponding to CANH and CANL were at least connected (and, thankfully, they were, or else this article would have stopped here and be quite disappointing!). The connected pins were the ones corresponding to the CAN bus, J1850 bus and ISO 9141-2 protocols:
So, the OBD connector has two protocols on it. There's the DCAN bus, and Ethernet. The K+DCAN cable allows access to DCAN and K-Line buses (K-Line isn't connected on the i3 I think). The ENET cables allow you to talk TCP-IP. Most things I see about coding the car talk about using the ENET cable, but Bimmercode just seems to use DCAN I think.
Matasano Security (now part of NCC Group) and Square teamed up to create Microcorruption: an awesome Capture the Flag game that involves reverse engineering MSP430 assembly to unlock a virtual lock. Each level gets progressively harder as the fictitious lock vendor patches security holes and introduces new ones.