I've been grepping around for a while now and can't seem to find the OAuth2 key/secret. Not in the plist from what I can tell either. Any pointers on where I should look? Or is it gone?

Hello,

I just dump my current findings here since not sure when I find more time to push this forward... although I'm pretty sure that it is more or less solved now...

Request:

curl -i \
  -X POST \
  -H "Authorization: Bearer *REDACTED*" \
  -H "Content-Type: application/x-www-form-urlencode" \
  -d 'serviceType=CHARGING_CONTROL&data=%7B%22weeklyPlanner%22%3A%7B%7D%7D' \
  https://b2vapi.bmwgroup.com/webapi/v1/user/vehicles/*REDCATED*/executeService

Response:

HTTP/1.1 200 OK
Date: Thu, 12 Jan 2017 19:14:03 GMT
Max-Forwards: 20
Via: 1.0 lpb2vcn01 (BMW Group API Gateway)
X-CorrelationID: Id-7bd577587eb70f0000000000070e98df 0
X-NodeID: 01
X-Powered-By: JOY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked

{"executionStatus":{"serviceType":"CHARGING_CONTROL","status":"INITIATED","eventId":"[email protected]"}}

One needs to send the proper data as argument data. It's JSON (just URI encoded in my sample above: {"weeklyPlanner":{}}). I'm very confident that the data is the same as returned by chargingprofile API call!

HTH

Kind regards,
Dietmar

PS: Will update w/ new findings... but as said, I'm pretty confident. :)

Update: As expected, it works as written...

Snippet of working sample:

...
  -H "Content-Type: application/x-www-form-urlencode" \
  --data-urlencode 'serviceType=CHARGING_CONTROL' \
  --data-urlencode 'data={"weeklyPlanner":{"climatizationEnabled":true,"chargingMode":"IMMEDIATE_CHARGING","chargingPreferences":"CHARGING_WINDOW","timer1":{"departureTime":"12:30","timerEnabled":true,"weekdays":[]},"timer2":{"weekdays":[]},"timer3":{"departureTime":"19:30","timerEnabled":false,"weekdays":[]},"overrideTimer":{"weekdays":[]},"preferredChargingWindow":{"enabled":false,"startTime":"00:00","endTime":"00:00"}}}'
...

Helpful change in python/bmw.py:

  def executeService(self, vin, serviceType, data=""):
          """
          Post a request for the specified service. e.g.
 
              print c.executeService(vin, 'DOOR_LOCK')
 
          """
          return self.call("/user/vehicles/{}/executeService".format(vin),
              {'serviceType': serviceType, 'data': data})

BMW ConnectedDrive App now uses certificate pinning, making impossible? to capture traffic using an external proxy (e.g. fiddler, charles etc) in order to read key/value and authenticate with API.
Any ideas on how to overcome? (I am using iOS)

I noticed it's possible to log in to all servers and all servers return the vehicle list, but in order to retrieve the vehicle details and send commands it seems you'll have to log in to the server you're car is connected to (error: "Ressource [sic] not found. No status available for VIN ...")

Cars do have a "hub" key, which in my case is set to "HUB_US", which could point to the server where the car "lives on." What are other values people are seeing in Europe and Asia? If "hub" indeed points to the right server, it would be a great way to automatically log in to the right server.

Hi Terence -

I've made quite a few changes to your original - it's sufficiently different that you may want to completely ignore it, but I can do a pull request if wanted!

Basically, I've pulled your original tweeting code out into bmwtweet.py and made a more generic 'bmw' module.

You can do things like:

import bmw
c = bmw.ConnectedDrive()
print c.call('/user/vehicles/')

It uses the 'requests' module, so you need to pip install that if you don't already have it.

Anyway, it's at https://github.com/quentinsf/BMW-i-Remote if you're interested. More to come soon.

Thanks again!
Quentin

Any thoughts on why this isn't working? It has the VIN in vehicle info, but can't pull status info. I see the status info within Charles Proxy when I use the app.

 $ PYTHONWARNINGS="ignore:Unverified HTTPS request" ./bmw.py

Vehicle info
   sendPoi  :  ACTIVATED
   lastDestinations  :  SUPPORTED
   countryCode  :  V2-US
   color  :  LAURUSGRAU MET. M.AKZENT
   vin  :  WBY1Z4xxxxxxxxx
   climateControl  :  NOT_SUPPORTED
   climateNow  :  ACTIVATED
   hasAlarmSystem  :  True
   dealer  :  {u'postalCode': u'12345', u'city': u'City', u'street': u'Address', u'name': u'My BMW', u'country': u'US'}
   remote360  :  NOT_SUPPORTED
   smartSolution  :  NOT_SUPPORTED
   vehicleFinder  :  ACTIVATED
   colorCode  :  B79
   lscType  :  I_LSC_IMM
   rangeMap  :  RANGE_POLYGON
   statisticsCommunityEnabled  :  False
   hornBlow  :  ACTIVATED
   doorUnlock  :  NOT_SUPPORTED
   driveTrain  :  BEV_REX
   hub  :  HUB_US
   brand  :  BMW_I
   statisticsAvailable  :  True
   yearOfConstruction  :  2015
   climateFunction  :  AIRCONDITIONING
   supportedChargingModes  :  [u'AC_LOW', u'AC_HIGH', u'DC']
   doorLock  :  ACTIVATED
   bodytype  :  I01
   lightFlash  :  ACTIVATED
   intermodalRouting  :  AVAILABLE
   chargeNow  :  NOT_SUPPORTED
   model  :  I3 +REX
   onlineSearchMode  :  MAP
   chargingControl  :  WEEKLY_PLANNER

Vehicle status
Traceback (most recent call last):
  File "./bmw.py", line 155, in <module>
    main()
  File "./bmw.py", line 149, in main
    status = c.call("/user/vehicles/{}/status".format(car['vin']))['vehicleStatus']
KeyError: 'vehicleStatus'

I am not sure if this is quite new, but this service also contains some explanations of data that is saved on BMW servers:
https://www.bmw-connecteddrive.de/app/de/index.html#/portal/cardata-intern/archive

I tested it and the query takes 24h to complete and they only provide a snapshot of the connecteddrive data and an PDF explaining the values. I got it in german language, so it wont be so much helpful here, I guess.

may be this helps.
it is also available for newer "i-performance" PHEV cars.

Using IOS I am trying to capture the traffic using Charles proxy. Usually this works for me - but the BMW apps all refuse to connect. I get the same sort of error as when a browser is using HSTS I.e. the session terminates before completing handshake. Has anyone got traffic interception working recently?

Just started looking into this API as a new i3 owner. The OAuth token retrieval does not seem to accept "remote_services vehicle_data" as a valid scope:

% curl \
   -H "Authorization: Basic yes-i-fished-it-out-from-the-apk==" \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "grant_type=password&username=me%40my.email&password=verysecret&scope=remote_services+vehicle_data" \
   "https://b2vapi.bmwgroup.com/webapi/oauth/token/"

and I get the result:

{
  "error" : "invalid_scope",
  "error_description" : "The requested scope is invalid, unknown, or malformed."
}

Also tried with other scope values (such as authenticate_user) but no luck. If I leave the scope parameter out, I am granted an access_token with scope=journey_mate but it cannot be used to access the API, resulting in an error:

% curl -H "Authorization: Bearer magic-token-here" "https://b2vapi.bmwgroup.com/webapi/v1/user/vehicles/"
{"error":"invalid_token","error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons."}

Am I doing something wrong here or has the API structure changed? The journey_mate scope is a clear reference to the Mini app..

When calling /v1/user/vehicles to get the information for all i3 vehicles, I was wondering if anyone has found more values for model, drivetrain and color. For example I have:
"model":"I3 +REX",
"bodytype":"I01",
"driveTrain":"BEV_REX",
"color":"IONIC SILVER METALLIC/BM"

I'd like to know what the model name is for a non Rex i3, is it just model=I3 and drivetrain="BEV"?

And I'd like to see if I can gather more car color names that are possible as I can only get Ionic Silver Metallic for mine. I don't know what the /BM means at the end of IONIC SILVER METALLIC/BM.

Thanks,
Rick

I might be stupid, but why does one need to go through the hassle to reverse engineer the apps ( android or ios ) for that APIKey ?
To me it looks like connecting to the website bmw-connecteddrive.com and retrieving the same json data there is cleaner. All keys get generated on the go. Nothing fancy only a few nerds can use. Or are there advantages to using b2vapi.bmwgroup.com server ?

It appears we can no longer connect in the US.

Here is what I could figure out from my digging in the latest version of the android app:

Found this. Hoping it helps someone:
https://pastebin.com/QRHkRNhz
https://pastebin.com/eMema1J9
https://pastebin.com/QU7vZcmV
https://pastebin.com/en0HGBeT

New auth token path is: "/nlp/oauth/token"
New auth_basic token is: "ZGIxMzQzYWMtZWNiYS00MGRhLTk2NzMtNzA5NWEwZjJhNWQyOmQyNmMxYzhiLTI2NGQtNDc5MC05MjM3LTQ5NzQ3OWJiN2I5NQ=="

Change "scope": "remote_services vehicle_data" to "scope": "journey_mate"

This still doesn't fix everything, but you can get authenticated.

.

Get misc SoC Data is not working anymore. I guess this has something to do with the link used to get it.

Error i get in from the server is:
The remote server returned an error: (403) Forbidden.'

Does anyone know how to get the SoC data now.

Still get the charge percentage. However not SOCmax and SOC

When I submit a GET method request to Rangemap API, it show the following error message.
{
"error": {
"code": 500,
"description": "(SmartPhoneUtil-A-101) Mandatory parameter(s) missed or blank: Cannot calculate remaining range circle, deviceTime is missing!"
}
}

After I added the (deviceTime=1) queryString it show other error message
{
"error": {
"code": 500,
"description": "(SmartPhoneUtil-A-2012) Ressource not found. Cannot calculate remaining range circle!"
}
}

What should I input at deviceTime queryString?
Thanks.

In order to call the DOOR_UNLOCK command, it seem the api is also looking for a secretKnowledge field.
{"error":{"code":500,"description":"(SmartPhoneUtil-A-2013) Action is forbidden. secretKnowledge is missing but required!"}}

This secret is the answer to the security question on the users account. I can't seem to find where to put it in the request. Ive tried in the body and headers under "secretKnowledge", but no luck.

Has anyone gotten this to work?

I'm able to successfully GET the list of vehicles in the account and POST a few instructions like "DOOR_LOCK" and "CLIMATE_NOW".

When trying to send a GET for Vehicle Status using the following code I receive an error and can't get past it. Hoping you can help. I'm in the US using ROOT_URL = "https://b2vapi.bmwgroup.us/webapi"

CODE:
print "\nStatus" status = c.call("/user/vehicles/{}/status".format(car['vin']))['vehicleStatus'] for k,v in status.items(): print " ", k, " : ", v

ERROR:
Status Traceback (most recent call last): File "./bmw.py", line 153, in <module> main() File "./bmw.py", line 147, in main status = c.call("/user/vehicles/{}/status".format(car['vin']))['vehicleStatus'] KeyError: 'vehicleStatus'

I get an extra value 'batterySizeMax' on /statistics/allTrips

...
"batterySizeMax": 35820,
...

Unit is 'Wh' ?!

Hello,

(OT: Thanks for providing all the information.)

Following API call seems to be missing: /webapi/v1/user/vehicles/:VIN/updatePush (haven't tested it yet).

Kind regards,
Dietmar

Hello,

I think the output shown is from /webapi/v1/user/vehicles/:VIN/status call and not from /webapi/v1/user/vehicles/.

Kind regards,
Dietmar

Hi all, great job on the APIs documentation. I used the Python to start off testing along with cURL but then once I got up to speed I built C# code on Windows to access the BMW service calls. I have been using Charles for URL sniffing which has been very helpful.
I noticed a few things.
In your article where you showed the response JSON from a vehicle status, there are more items that can be retrieved if the car is charging which would be good to include.
I found that the chargingTimeRemaining value added to the current time doesn't often match up with the estimated time to complete charging shown on the i3 dash. I wonder why.

When retrieving the vehicle status I was wondering why once I got status it didn't seem to change unless I restarted my app. I guessed that it was a caching issue and although I later figured out how to fix that through code I adopted the same technique BMW did to force each request to be new by appending the time stamp onto the request like this:
https://b2vapi.bmwgroup.us/webapi/v1/user/vehicles/MYVIN/status?deviceTime=2015-12-30T10%3A06%3A13

I included a polling cycle for command executions to look for DELIVERED, PENDING and then exit the wait if an EXECUTED or TIMED_OUT message is returned.

Something funny about door lock. It works fine but I noticed that it doesn't turn on the car alarm. If you look outside of your car when doing a DOORLOCK using the API, the doors lock but then the light under the rear-view mirror is not flashing. If I then press the lock button on my remote, it takes it a step further and turns on the alarm.

I noticed a status from door lock that was odd. I have seen selective_locked but I can't tell what that means. I have been trying to create alternative human readable messages to translate BMW messages but don't know what that means.

I tried to create a DOOR_UNLOCK command but that failed. I think why that is could be because it is not enabled by the car. In the vehicles information object retrieved it shows this:
"doorUnlock": "NOT_SUPPORTED". I assume that if an action says NOT-SUPPORTED then the API cannot control it. Does that sound right?

Has anyone found a way to generate the app's secret token based on using the user's ID and password? That would be super helpful.

Thanks,
Rick

I know all recent models of BMW cars support ConnectedDrive.
But can I use (a subset of) these APIs to interact with BMW non-electric cars, such as BMW X1, BMW X3?

POSTing to https://b2vapi.bmwgroup.com/webapi/oauth/token/ with secret, key, user + password
returns bad request, since ~10 days.
I'm pretty sure, I did not change anything else.

I'm able to use the script in the US to gather information about my 535ix. However, the POST always times out. I'm interested in the best way you guys think to troubleshoot

Here's the part of the code that times out:

`import bmw
import time

c = bmw.ConnectedDrive()
resp = c.call('/user/vehicles/')
vin = resp['vehicles'][0]['vin']

service = 'LIGHT_FLASH'
print "Sending {} request...".format(service)
resp = c.executeService(vin, service)
status = resp['executionStatus']['status']
while status in ('INITIATED','PENDING'):
print status
time.sleep(2)
check = c.call('/user/vehicles/{}/serviceExecutionStatus?serviceType={}'.format(vin, service))
status = check['executionStatus']['status']

print status`

Hi,

a really minor typo: POST /webapi/v1/user/vehicles/:VIN/snedpoi
should be: POST /webapi/v1/user/vehicles/:VIN/sendpoi

Thanks,
Dietmar

I can't, for the life of me work out how to send a POI.

How do I send this as POST data?

body={
"poi": {
"city": "abc",
"lat": nn.nnn,
"lon": nn.nnn,
"name": "name",
"rating": -1,
"postalCode": "12345",
"street": "Musterstr. 6"
}
}

I have converted the whole class to c# and I have it all working nicely, except the POI. I can't even figure out how to send one from a python command line..

Help, please!

Is it possible to get the image(s) of the remote 3d view? This is not possible with the connecteddrive website but only available in the app.

Hi,
we are experiencing latency time of 25-60s for an API call and the iRemote App using:

• https://b2vapi.bmwgroup.com
• Vodafone 4G with iRemote App on iPhone 6
• Car and Phone located in Stuttgart

Looks like we need about
10s to connect with the BMW server
20-50s to wake up the car

What is your experience?

@stefferber

I have a 3 series. I'm not using the API, but wondered if anyone else had noticed this too. When I make a call to /webapi/v1/user/vehicles/'.$vin.'/status i get:

{
  "error": {
    "code": 500,
    "description": "(SmartPhoneUtil-A-101) Mandatory parameter(s) missed or blank: dlat and dlon are required for BMW vehicles!"
  }
}

if i add the lat + long of my home as querystring paramaters (/?dlat=x&dlon=y) it works but i don't get a lot of other data (e.g. door status) although i guess that's to do with the options available on my car:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "lat": 5x.xxxxx,
      "lon": -y.yyyyy,
      "status": "OK"
    }
  }
}

Here's the problem - if the car is more than half a KM from home, when i get:

{
  "vehicleStatus": {
    "vin": "(my VIN)",
    "updateTime": "2016-08-28T17:52:44+0200",
    "position": {
      "status": "TOO_FAR_AWAY"
    }
  }
}

(not sure what the "updateTime" value is as that's clearly a long time ago).

Hi,
we played with the API and we tried to unlock the trunk ONLY. The remote key has that capability but we could not find the API call. As the vehicle status distinguishes all doors, trunk, and hood:

{
  "vehicleStatus": {
[...]
    "updateReason": "DOOR_STATE_CHANGED",
[...]
    "doorDriverFront": "CLOSED",
    "doorDriverRear": "CLOSED",
    "doorPassengerFront": "CLOSED",
    "doorPassengerRear": "CLOSED",
    "windowDriverFront": "CLOSED",
    "windowDriverRear": "CLOSED",
    "windowPassengerFront": "CLOSED",
    "windowPassengerRear": "CLOSED",
    "trunk": "CLOSED",
    "rearWindow": "INVALID",
    "hood": "CLOSED",
    "doorLockState": "SELECTIVE_LOCKED",
   [...]

why not have an API call for it, too. Any idea?
@stefferber

Hi,

you state

I've no idea what the refresh_token is for. Once the access_token expires, you can simply re-authenticate and gain a new one.

in your readme.md.

Perhaps this helps:

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

Using

POST /oauth/token HTTP/1.1
Host: authorization-server.com
 
grant_type=refresh_token
&refresh_token=xxxxxxxxxxx
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

you get a new token without login credentials:

The response to the refresh token grant is the same as when issuing an access token. You can optionally issue a new refresh token in the response, or if you don’t include a new refresh token, the client assumes the current refresh token will continue to be valid.

Greetings

So far I made good progress with a nodejs relication, thanks for the very useful documentation. Some information that I cannot find though by using API that are available on the website are detailed battery informations:

The URI here returns it:

https://www.bmw-connecteddrive.de/api/vehicle/navigation/v1/

The resulting json is:
{
"latitude" : ...,
"longitude" : ...,
"isoCountryCode" : "...",
"auxPowerRegular" : ...,
"auxPowerEcoPro" : ...,
"auxPowerEcoProPlus" : ...,
"soc" : ...,
"socMax" : ...,
"pendingUpdate" : false,
"vehicleTracking" : true
}

the values soc and socMax are very interesting because they mean the state of charge in kilowatts and the maximum respectively.

Any idea how I could retrieve these values by using the API?

Thanks!

I have been playing about with this and my new i3 which I got last week. I prefer PHP rather than python so I went with that, I found the curl documentation here was invaluable in helping me to get things working. I have written a script that posts any changes in status to a slack channel rather than twitter.

Everything is working happily and I have a cron job running every 5 minutes to grab the status, if the timestamp has changed (or if the status has changed if it's charging) then it posts a new message to slack. yay!

While I was looking at this last night I noticed that the status doesn't change unless something physically is different with the car.. totally makes sense. What doesn't make sense to me from a technical perspective is that while the vehicle is in motion nothing seems to change. After a drive home from work the updatedReason changed to VEHICLE_MOVING and kept the same timestamp until I got home and parked. I guess the theory behind this is that people aren't going to be using the iRemote on their phones while driving the car.

I did however notice that when charging my i3 the timestamp would change upon every request (I hit refresh a bunch of times and even after a second or two it changed). I'm not sure that up to the second information is necessary and the implications on servers and mobile data would make that a silly thing to me for the car to be doing.. but there ya go. perhaps there is some backend tasks going on where the server calculates what the battery % increase should be based on the charging speed etc and so isn't actually talking to the car directly.

What's my point.. oh yes.. based on the fact that I appear to be able to make new requests every second what do people think is a sensible frequency for requests to be made. I was thinking of going down to 1 every 60 seconds. I'm not sure how easy it would be for BMW to detect/block access for a homemade client.. but I don't want to hammer something and then get myself or everyone blocked.. What does everyone/anyone think?

Also would a PR with the php->slack code be of use to anyone.. would it be better as a separate repo?

Does anyone know the format of the query parameters or post parameters for the "SEND_POI_TO_CAR' function?

I've no idea what the refresh_token is for. Once the access_token expires, you can simply re-authenticate and gain a new one.

The refresh token is used to exchange an expired token for a new one without need for username/ password. Cannot provide more details as I don't have access to the endpoints.

Hi, my lease is up on my 2015 i3 REX and looking at the 2017 REX. Has anyone found out if the same APIs work including the master key and the same JSON response strings?

Thanks!
Rick

needs to be done via
https://customer.bmwgroup.com/gcdm/oauth/authenticate

please see
#23

Has anyone figured out if it is possible to cancel a CLIMATE_NOW or a scheduled pre-condition event? Or to get some indication that a CLIMATE_NOW event is active?

Thanks

you get this XML File when you export your profile on a USB stick (e.g. in a i3):
what does it contain?

<?xml version="1.0" encoding="UTF-8"?>
    -<bmwExportData>
    -<signedContent>
-<header>
<date>2016-03-03T17:53:49</date>
<version>1</version>
<username>(------)</username>
<vin>V608xxx</vin>
<i-step>I001-15-11-504</i-step>
</header>
-<body>
<securityContainer securityLevel="1" type="vehicle"> 9PLCFuIS4uQa7KYKCty+APTHv2Kf9aY5trQ4GGJnOHVc69zlsPr2D1EWSEnqB02bWCy+==
[....ca. 2-3kbyte  encoded string omitted]
</securityContainer>
</body>
</signedContent>
<signature>XDLOP0X53m96jMqb+3gEJxxxxxx=</signature>
</bmwExportData>

When the vehicle is actively charging, there's another data value in vehicleStatus:

chargingTimeRemaining

Unit is minutes.

Hi, can anybody give me a step by step guide... sorry
I´m not so deep into coding... and i have only the iPhone app.
Is there a way to get the password/secret of connected drive without an android phone?

Thanks

I was wondering if there is a way to get the car's battery size? I saw that there is a batterySizeMax parameter in the response of the allTrips request but it seems like a strange place to put the battery size, which is a static value that should be returned with the car information. Is this parameter referring to something else maybe?

Thanks in advance for the response and for the great work documenting these APIs!!