Earlier this year, we got a new car, a BMW 3 series. It came subscribed to the BMW ConnectedDrive service, and that comes with an iPhone or Android app. So, of course, I immediately set about deconstructing the traffic to figure out what was going on, inspired by the work of Terence Eden. Unfortunately, BMW appears to have implemented certificate pinning in the time since Terrence wrote his paper, so my favourite tool, Charles Proxy, was useless – the BMW app simply dropped the connection.

So – I decided to reverse engineer the iphone app itself. I finally managed to get an OAuth appID and app secret from the code base – only to discover that the /webapi/v1/user/vehicles/:VIN/status method now requires location:

{
  "error": {
    "code": 500,
    "description": "(SmartPhoneUtil-A-101) Mandatory
parameter(s) missed or blank: dlat and dlon are required for BMW
vehicles!"
  }
}

if i add the lat + long of my home as querystring paramaters (/?dlat=x&dlon=y) it works but i don’t get a lot of other data (e.g. door status) although i guess that’s to do with the options available on my car:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "lat": "5x.xxxxx",
      "lon": "-y.yyyyy",
      "status": "OK"
    }
  }
}

Here’s the problem – if the car is more than half a KM from home, when i get:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "status": "TOO_FAR_AWAY"
    }
  }
}

(not sure what the updateTime value is as that’s clearly a long time ago).

Bummer.