Skip to content
Notes from the field

Notes from the field

BMW API now requires location, no bypass available

BMW API now requires location, no bypass available

2016-10-18

Earlier this year, we got a new car, a BMW 3 series. It came subscribed to the BMW ConnectedDrive service, and that comes with an iPhone or Android app. So, of course, I immediately set about deconstructing the traffic to figure out what was going on, inspired by the work of Terence Eden. Unfortunately, BMW appears to have implemented certificate pinning in the time since Terrence wrote his paper, so my favourite tool, Charles Proxy, was useless – the BMW app simply dropped the connection.

So – I decided to reverse engineer the iphone app itself. I finally managed to get an OAuth appID and app secret from the code base – only to discover that the /webapi/v1/user/vehicles/:VIN/status method now requires location:

{
  "error": {
    "code": 500,
    "description": "(SmartPhoneUtil-A-101) Mandatory
parameter(s) missed or blank: dlat and dlon are required for BMW
vehicles!"
  }
}

if i add the lat + long of my home as querystring paramaters (/?dlat=x&dlon=y) it works but i don’t get a lot of other data (e.g. door status) although i guess that’s to do with the options available on my car:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "lat": "5x.xxxxx",
      "lon": "-y.yyyyy",
      "status": "OK"
    }
  }
}

Here’s the problem – if the car is more than half a KM from home, when i get:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "status": "TOO_FAR_AWAY"
    }
  }
}

(not sure what the updateTime value is as that’s clearly a long time ago).

Bummer.

Share this:

  • Click to email a link to a friend (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Twitter (Opens in new window)
  • Click to share on WhatsApp (Opens in new window)

fix

Post navigation

PREVIOUS
Twitter API without libraries – for posting as yourself (e.g. a bot)
NEXT
Quick and easy way to tweet from a function app
Comments are closed.

Archives

The standard disclaimer…

The views, thoughts, and opinions expressed in the text belong solely to the me, and not necessarily to the my employer, organization, committee or other group that I belong to or am associated with.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
© 2023 Rob Aleck, licensed under CC BY-NC 4.0
Go to mobile version