BMW Connected Apps Protocol

zdw | 359 points

> asked if I could get access to the BMW Ready SDK ... They declined.

Sometimes this is all the motivation a person needs. Now it's (almost?) reverse-engineered and it could be a big headache for BMW in the future if a exploit/bug/fun-stuff is found by the right people.

Companies: share your SDKs. The guy/girl doing a RE is not your regular "coding demo SDK apps" engineer and will go deeper.

scoutt | 4 years ago

I bought a mid-tier BMW last year. Regardless of how you look at it, it's a big, expensive luxury car. And being a big, expensive luxury car it's big and carefully made and feels like driving around in a well appointed living room or a first class cabin.

And the UX is pretty good. The computer controls can almost be used by memory, they're very close to hand and well laid out. The nav is so-so but the in-dash lane view makes it sane for big cities.

But the software is awful. It's not poorly designed, necessarily, but it's buggy as hell.

Half the time I enter the vehicle the car thinks I'm my wife. She's a foot shorter than I am which means I can crawl into the seat for about 30 seconds before my legs start to cramp. In that time, the following invariably happens:

1. I painfully get a foot on the break and hit the ignition.

2. The computer prompts me to confirm that I'm my wife.

3. While I'm trying to select my profile CarPlay kicks in and opens the media screen.

4. I navigate through several menu levels to set the correct driver profile, swearing the whole time.

Now, I can move the seat back before I enter, but it's slow and clumsy. Then I still have to go through the same process, just minus the leg cramp.

1234_9999_46 | 4 years ago

It's a very interesting article. I'm also impressed by such dedication. Hashing the strings from the decompiled APK to easily debug the protocol in Wireshark is inspiring.

On the topic of using a BMW with you phone without being frustrated, some people put a third-party box between the screen and the car infotainment computer to get Android Auto. I heard the experience isn't perfect.

Personnally I use Google Assistant and I think it works relatively well. I can use it to get directions, make the sound of random animals, change radio, play music on Spotify... To trigger it, you can long press the voice command button on the steering wheel.

speedgoose | 4 years ago

IPs removed and anonymous because it's a little intrusive

Someone at BMW added me accidentally as a nexus repo. I get loads of BMW traffic now, and it's really annoying.

Leaks a bunch of fun stuff.

[BMW'S IP] - - [20/Jan/2020:08:52:11 +0100] "GET .... com/bmw/cc/b2vngtp/statusAPI/20200120.074026-feature_2020-T1.5-CDNGTP-3818-improve-stability-of-integration-tests/statusAPI-20200120.074026-feature_2020-T1.5-CDNGTP-3818-improve-stability-of-integration-tests.war HTTP/1.1" 403 1364 [MYSITE] "-" "Nexus/3.15.1-01 (OSS; Linux; 3.0.101-108.87-xen; amd64; 1.8.0_92)" "-"

ac_20200120 | 4 years ago

I can't help but feel for this guy having done my own reverse engineering of BMW's i-bus back in the day. You get to the point where you see such possibility if the carmaker would just open up a little damn bit. It's a real shame that automakers feel that every software or hardware integration with their vehichle should be something to monetize. Even the forward thinkers like Tesla are no better on this front.

gorkish | 4 years ago

These comments are reminding me why I like analog cars.

I do wish I had adaptive cruise control, though.

shoes_for_thee | 4 years ago

I'm confused why just 1 car company doesn't allow end-user developed apps. A model lineup like that seems like it'd be easy to turn dealer inventory. You have the historical success of both PC and mobile to understand how nobody can compete with a proprietary systems.

mkhpalm | 4 years ago

"<java something-something> bytecode is really easy to decompile"

by the 3rd time i was laughing at this...

"not a problem, barely an inconvenience"

S0und | 4 years ago

> Cries for help on the Spotify forums were ignored

Yea sounds about right :(

whois | 4 years ago