edent / BMW-i-Remote

A reverse engineered interface for the BMW i3 Electric Car
MIT License
389 stars 60 forks source link

Server selection API. #3

Open ronaldmannak opened 8 years ago

ronaldmannak commented 8 years ago

I noticed it's possible to log in to all servers and all servers return the vehicle list, but in order to retrieve the vehicle details and send commands it seems you'll have to log in to the server your car is connected to (error: "Ressource [sic] not found. No status available for VIN ...")

Cars do have a "hub" key, which in my case is set to "HUB_US", which could point to the server where the car "lives on." What are other values people are seeing in Europe and Asia? If "hub" indeed points to the right server, it would be a great way to automatically log in to the right server.

edent commented 8 years ago

Which API call are you using to get the hub data?

ronaldmannak commented 8 years ago

/webapi/v1/user/vehicles/ which returns an array of vehicles connected to the account. Each vehicle includes dealer address, color code, and the "hub" key.

edent commented 8 years ago

My UK registered one is HUB_ECE

ronaldmannak commented 8 years ago

Now we need someone in Mainland China to chime in for the last code.

jfautley commented 8 years ago

Isn't GitHub blocked in mainland China? You might be waiting a while!

rickpoisson commented 7 years ago

Are the BMW apps now updated to use SSL Pinning - meaning the Charles Proxy approach to get the key and secret won't work?

ronaldmannak commented 7 years ago

My MacOS app stopped working today, Pinning might be the issue. I haven't looked at it, but assume it's possible to copy the SSL certificate from the app bundle, isn't it?

rickpoisson commented 7 years ago

I think I'd have to jailbreak my iPhone though for that. I'm going to get an android device and decompile that :-/

artem-zinnatullin commented 7 years ago

You don't need an Android device to decompile an APK

On Wed, Nov 23, 2016 at 10:52 AM, Rick Fish notifications@github.com wrote:

> I think I'd have to jailbreak my iPhone though for that. I'm going to get an android device and decompile that :-/


ronaldmannak commented 7 years ago

You don't need to jailbreak your iPhone either. You can do everything on a Mac (or Windows for that matter). Download the i-Remote app from within iTunes on your Mac, then right click -> Show in Finder -> rename the .IPA to .ZIP -> Unzip -> Show Package Content.

rickpoisson commented 7 years ago

So I've done all this. There are 2 certs in the package - unfortunately Charles proxy won't use them properly to impersonate. Are there instructions on how to complete this last step?

ronaldmannak commented 7 years ago

If you are trying to decrypt the messages from the I-remote app, that shouldn't work without the server certificate. You should be able to use the two certificates in your own app though, similar to how API keys work. (I haven't tried that myself yet)

rickpoisson commented 7 years ago

Hmm - was trying to use in a chat bot framework vs an app. I just really need the api key and secret to get my auth token and then pull back data. Tesla make this really easy, seems BMW lock it down way more...... :-(

ronaldmannak commented 7 years ago

FYI: I've successfully connected to the BMW US server using the SHA256 certificate from the app bundle. If people are interested, I can clean up the code and post a gist. Code is Swift 3, tested on MacOS.

rickpoisson commented 7 years ago

That would be awesome.... I just want to use my chatbot framework to connect to the car and pull back event data and post some journey uploads.... I've done this for Tesla, but would like to also show BMW connectivity (as the private API seems much richer)

ronaldmannak commented 7 years ago

Gist is here. Not the most pretty code, but it works: https://gist.github.com/ronaldmannak/4563d3bf1987d6fbc1981257292eb769

ronaldmannak commented 7 years ago

So it turns out the certificate bundled with the app only works with the European server, not the US server. Since the US server has a different top level domain, I assume the app needs a different certificate that isn't included in the app. Now it also makes sense why North American drivers haven't been able to use the app ever since BMW upgraded to SSL pinning.

rickpoisson commented 7 years ago

Thanks ronald, but I still seem to be chasing my tail here :-(. I can't find the apikey and secret from the android apk anywhere.... As I can't use CharlesProxy to intercept the traffic I can't get the Bearer token that way either so I'm a bit stuck. I've been able to connect to the connected drive server with the SHA256 cert from the app and get an 'unauthorised' reply from BMW when using the random encoded secret, but without the proper key:secret combo I can't authorise to get a real Bearer token back.
I'm just using a simple curl command structured against the oauth endpoint. Is it possible to send me a private email / direct twitter message to @rickpoisson with a hint where it is? Would be much appreciated!!

Tesla make this really simple - see https://github.com/hjespers/teslams/blob/master/teslams.js. the client and secret are embedded in the file!

ronaldmannak commented 7 years ago

@rickpoisson I don't know where to look for the API key in the Android app. If you would download the iOS app, you'll find the keys in the info.plist

dgsmith commented 7 years ago

@rickpoisson If Ronald's method doesn't work for you, I was able to find the API key and secret in the decompiled android app....it was just buried very deep ;) I could perhaps point you in the right direction?

Edit for below: Never mind, I figured out I was accessing the wrong url for US...

Also, quick question @ronaldmannak, so if I don't have the SSL cert I won't be able to make API calls? I've just got my Bearer authorization on my local computer, but when I go to get the status of my car I get:

{"error":
    {
        "code":500,
        "description":"(SmartPhoneUtil-A-2012) Ressource not found. No status available for VIN WBY...."
    }
}

although I am able to get a list of vehicles?

{
"vehicle": {
    "vin":"WBY...",
    "model":"i3 94REX",
    "bodytype":"I01",
    "driveTrain":"BEV_REX",
    "colorCode":"C2W",
    "brand":"BMW_I",
    "yearOfConstruction":2016,
    "statisticsCommunityEnabled":false,
    "statisticsAvailable":true,
    "hub":"HUB_US",
    "hasAlarmSystem":true,
    "dealer": {
        "name":"XX",
        "street":"XX",
        "postalCode":"XX",
        "city":"XX",
        "country":"US" 
    },
    "countryCode":"V2-US",
    "steering":"LH",
    "hmiVersion":"ID4",
    "a4a":"USB_ONLY",
    "vehicleFinder":"ACTIVATED",
    "remote360":"NOT_SUPPORTED",
    "hornBlow":"ACTIVATED",
    "lightFlash":"ACTIVATED",
    "doorLock":"ACTIVATED",
    "doorUnlock":"SECRET_KNOWLEDGE",
    "climateControl":"NOT_SUPPORTED",
    "climateNow":"ACTIVATED",
    "chargingControl":"WEEKLY_PLANNER",
    "chargeNow":"NOT_SUPPORTED",
    "sendPoi":"ACTIVATED",
    "rangeMap":"RANGE_POLYGON",
    "lastDestinations":"SUPPORTED",
    "intermodalRouting":"AVAILABLE",
    "climateFunction":"AIRCONDITIONING",
    "onlineSearchMode":"MAP",
    "smartSolution":"NOT_SUPPORTED",
    "supportedChargingModes": ["AC_LOW","AC_HIGH","DC"],
    "lscType":"I_LSC_IMM"
    }
}

Thanks!
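Added example, not part of the original thread or the project's code: one way to pick the server from the "hub" key in the vehicle list and to recognise the "No status available for VIN" error as a sign that the request went to the wrong hub. The base URLs are placeholders, the sample VIN is constructed, and the `{"vehicles": [...]}` wrapper is an assumption alongside the `{"vehicle": {...}}` shape quoted above.

```python
import json

# Placeholder base URLs: the thread does not list the real hostname per hub.
SERVERS = {
    "HUB_US": "https://us.example.invalid",
    "HUB_ECE": "https://ece.example.invalid",
}

# Constructed samples in the shapes quoted in the thread (the VIN is made up).
SAMPLE_LIST = {"vehicle": {"vin": "WBY00000000000000", "hub": "HUB_US"}}
SAMPLE_ERROR = json.dumps({"error": {"code": 500, "description":
    "(SmartPhoneUtil-A-2012) Ressource not found. "
    "No status available for VIN WBY00000000000000"}})


def vehicles_in(payload):
    """Return the vehicle dicts from a vehicle-list response.

    Accepts {"vehicle": {...}}, a bare list, or {"vehicles": [...]} (assumed).
    """
    if isinstance(payload, list):
        return [v for v in payload if isinstance(v, dict)]
    if isinstance(payload, dict):
        found = payload.get("vehicles", payload.get("vehicle", []))
        return [found] if isinstance(found, dict) else vehicles_in(found)
    return []


def server_for(vin, payload, servers=SERVERS):
    """Map a VIN to the base URL of the hub it is registered on."""
    for vehicle in vehicles_in(payload):
        if vehicle.get("vin") == vin:
            hub = vehicle.get("hub")
            if hub not in servers:
                # Unknown hub code: fail loudly instead of guessing a server.
                raise LookupError(f"no server configured for hub {hub!r}")
            return servers[hub]
    raise LookupError(f"VIN {vin} not in vehicle list")


def is_wrong_hub_error(body):
    """True for the 'No status available for VIN' error quoted in the thread."""
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return False
    return (isinstance(err, dict)
            and "No status available for VIN" in str(err.get("description", "")))
```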

smar000 commented 7 years ago

@dgsmith Could you point me where to look in the decompiled android files? I thought I may have found them in the ae.java file, but these don't seem to work.

Thanks!

dgsmith commented 7 years ago

@smar000 I'm not sure how much I can give away haha, but I used grep to search for relevant places in the code. e.g. grep -R Basic . (note the period). Best of luck!!

smar000 commented 7 years ago

Yes, I had done something similar earlier and had in fact even looked at that very file but somehow missed the relevant line. Got it now though, so thanks!

ronaldmannak commented 7 years ago

@dgsmith You're right, the European server seems to accept requests without certificate. Not sure if I spoke too soon or if something changed on BMW's end. The US server doesn't seem to work even with the certificate. The good news: if no certificate is necessary, then Charles should work (again). I wonder if BMW is routing the US car info through the European server now.

dgsmith commented 7 years ago

@ronaldmannak, I've been able to make requests to the US server after actually using the .us domain haha. I'm not quite sure exactly what is going on though. Inside the BMW connected drive app they mention they're using certificate pinning (and the certs are there -- for Charles?).

Another wrench is that BMW is discontinuing the iRemote app -- which is where I got my basic authentication stuff, but looking through the new connected drive app, it does seem like they're only using the .com domain like you say. But then trying the basic authentication from that app, I get an error about undefined scope for the oauth request. The scope they use is something about journey, but I couldn't make any requests with that scope...

ronaldmannak commented 7 years ago

@dgsmith I noticed an error in my App Transport Security settings and am now able to connect to the US server as well (without SSL pinning). Curl now also works. I might be mistaken, but I am pretty sure curl did not work when nobody was able to login to the US server a month ago. Another interesting thing is that my compiled app stopped working that same day the US issues began and still crashes on start. It's odd.

Charles Proxy is still unable to intercept traffic to and from the original BMW apps. I am able to successfully intercept curl requests to BMW. I'm not an expert in SSL pinning, could it be that SSL pinning is optional and used in the original apps but not when our apps without SSL pinning make the requests? I do see the data from other apps that use https like Plugshare.

I also noticed that the new Connected app uses a different server: myc-profile.bmwusa.com. Since i Remote is being phased out, according to a recent email from BMW, I assume we better figure out the new endpoints of myc-profile.bmwusa.com soon if we want to keep our own apps, though I don't know how to do that without Charles Proxy. The old login path does not appear to work on the new server.
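Added example, not part of the original thread and not code from BMW's apps: certificate pinning is a check the client performs on the certificate it receives, so a client that skips the check still completes a normal CA-validated handshake. The sketch pins the SHA-256 fingerprint of the leaf certificate (one common form of pinning); the two certificate byte strings and the function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
APP_CERT = b"constructed DER bytes standing in for the bundled certificate"
PROXY_CERT = b"constructed DER bytes standing in for a proxy-issued certificate"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# The pin set a client would ship with: fingerprints it is willing to accept.
PINS = {fingerprint(APP_CERT)}


def pin_matches(der_cert, pinned):
    """True if the certificate's fingerprint equals any pinned value.

    Pins may be written as plain hex or as colon-separated upper-case hex.
    """
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower().replace(":", ""))
               for p in pinned)


def fetch_leaf_pinned(host, pinned, port=443, timeout=10):
    """Connect with normal CA and hostname validation, then enforce the pin.

    Returns the server's leaf certificate (DER) or raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()  # CA chain + hostname checks stay on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned):
                # Chain validated, but it is not the certificate we expect.
                raise ssl.SSLError("certificate does not match any pinned fingerprint")
            return der
```

A client without the `pin_matches` step accepts any certificate that chains to a root in its trust store, which is the only difference between the two kinds of client.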

mnikitas commented 7 years ago

Hi guys, any update on this? Can anyone provide more info regarding myc-profile.bmwusa.com?