BMW API now requires location, no bypass available

Earlier this year, we got a new car, a BMW 3 series. It came subscribed to the BMW ConnectedDrive service, and that comes with an iPhone or Android app. So, of course, I immediately set about deconstructing the traffic to figure out what was going on, inspired by the work of Terence Eden. Unfortunately, BMW appears to have implemented certificate pinning in the time since Terence wrote his paper, so my favourite tool, Charles Proxy, was useless – the BMW app simply dropped the connection.

So – I decided to reverse-engineer the iPhone app itself. I finally managed to get an OAuth appID and app secret from the code base – only to discover that the /webapi/v1/user/vehicles/:VIN/status method now requires a location:

{
  "error": {
    "code": 500,
    "description": "(SmartPhoneUtil-A-101) Mandatory parameter(s) missed or blank: dlat and dlon are required for BMW vehicles!"
  }
}

If I add the latitude and longitude of my home as query-string parameters (/?dlat=x&dlon=y) it works, but I don’t get a lot of other data (e.g. door status), although I guess that’s down to the options fitted to my car:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "lat": "5x.xxxxx",
      "lon": "-y.yyyyy",
      "status": "OK"
    }
  }
}

Here’s the problem – if the car is more than half a km from home, I get:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "status": "TOO_FAR_AWAY"
    }
  }
}

(Not sure what the updateTime value means, as that’s clearly a long time ago.)

Bummer.

Twitter API without libraries – for posting as yourself (e.g. a bot)

I have to say that the Twitter API documentation is absolutely abysmal. It’s impossible to navigate – calls make reference to other calls, but the major problem is that there are almost no examples – they almost all recommend that you use a library. So how on earth are you supposed to learn how the API works? How do you write a bot which tweets as itself (such as my https://twitter.com/EnfieldTownBot)?

Anyway – I found a StackExchange article outlining how to use Twitter’s API from Postman, which handles the signing for you.

Once I got a good grip on the API itself – which isn’t too bad – I now have to figure out how to create an Azure Function App to create and send the tweets, as OAuth 1.0 requires every request to be signed (an HMAC-SHA1 hash over the request, keyed with the consumer and token secrets). Twitter has a pretty good set of instructions on how to create the signature: https://dev.twitter.com/oauth/overview/creating-signatures

But – oh my gosh. This is a very complicated process. Here are some samples of libraries or code which I’m looking through to try to implement it…

http://developer.pearson.com/learningstudio/oauth-1-sample-code

https://code.msdn.microsoft.com/windowsapps/LinkedIn-OAuth-Example-c06d64f5

https://github.com/bittercoder/DevDefined.OAuth-Examples

https://github.com/bittercoder/DevDefined.OAuth

https://www.devexpress.com/Support/Center/CodeCentral/ViewExample.aspx?exampleId=E20020

Anyway, I didn’t want to lose these links. I’ll come back to this later.
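As an added example (not the author’s code, and not from any of the libraries linked above), here is the signing procedure from Twitter’s creating-signatures guide in Python, using the sample request, consumer key, token and secrets that the guide itself walks through, so the output can be compared against the header the guide prints. The fixed nonce and timestamp are the guide’s sample values; a real client must generate a fresh nonce and current timestamp for every request.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Sample values from Twitter's creating-signatures guide (not live credentials).
METHOD = "POST"
URL = "https://api.twitter.com/1.1/statuses/update.json"
OAUTH = {  # a real client generates a fresh oauth_nonce and oauth_timestamp per request
    "oauth_consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "oauth_nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
    "oauth_token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "oauth_version": "1.0",
}
BODY = {"status": "Hello Ladies + Gentlemen, a signed OAuth request!", "include_entities": "true"}
CONSUMER_SECRET = "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw"
TOKEN_SECRET = "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"

def pct(s):
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(s), safe="")

def parameter_string(params):
    """Step 1: encode every key and value, sort by encoded key, join as k=v with '&'."""
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))

def signature_base_string(method, base_url, params):
    """Step 2: METHOD & encoded(base URL) & encoded(parameter string); params get encoded twice."""
    return "&".join([method.upper(), pct(base_url), pct(parameter_string(params))])

def signing_key(consumer_secret, token_secret):
    """Step 3: encoded consumer secret & encoded token secret (token secret may be empty)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, base_url, params, consumer_secret, token_secret):
    """Step 4: HMAC-SHA1 of the base string under the signing key, base64-encoded."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def authorization_header(oauth_params, signature):
    """Build the 'Authorization: OAuth ...' value; body/query params are signed but not listed here."""
    items = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(items.items()))

if __name__ == "__main__":
    # All oauth_* fields plus the body fields go into the signature; only oauth_* go in the header.
    sig = sign(METHOD, URL, {**OAUTH, **BODY}, CONSUMER_SECRET, TOKEN_SECRET)
    print(authorization_header(OAUTH, sig))
```

The most common mistake is encoding: the status text must be percent-encoded once in the parameter string and then again when the whole parameter string is folded into the base string, so the space in the guide’s status ends up as %2520.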

How to: Manage Honeywell Evohome with Azure Logic Apps

When we bought our house a few years ago, we totally gutted it, and one of the things we installed was an evohome heating system. Honeywell has an iPhone app for the evohome, so recently I decided to explore the API. Unfortunately, Honeywell doesn’t seem to offer a public API, so I spent a bit of time deconstructing the app with the help of the excellent Charles Proxy.

I’ve published my logic app here on GitHub: https://github.com/mnbf9rca/AzureEvoHome

I also included some logic app recipes for connecting to thethings.io, thingspeak.com and ubidots.com.

Enjoy!