Ah: looking at the X3 WDS we see:

Cream = X14092 = Telephone aerial II
Purple = X13385 = Bluetooth antenna
Black = X4293 = not used

NOTE: The WDS has known to be wrong...

From that I think the part marked "Diversity switch" [which I thought could be for the convertibles with the two bumber monuted antenna] is actually for a loop through for the eject box. When Assist needs to, it takes the antenna connection to make an Assist call.

Yes there is a T Mobile.de SIM in the module, but it is PIN locked, and the PIN is not 1234 or 0000. The sim must be roaming enabled and BMW is picking up the bills.

If NavCocder had access to the AT interface on the module, it could do a brute force attack on the [unlocked] SIM to find the PIN Number, or use another SIM to set up calls. The GSM radio in the TCU is not a 5W vehicle radio, so there is not a great deal of improved reception to be had using it. It could save your phone battery though. If the Bluetooth supported SAP it could be a way to save battery on your mobile phone without renting another SIM. When I get it wired in I'll do a profile discovery, but I don't hold out much hope. I know Mercedes of the same period had SAP.

I guess the best way to be sure is to strip down the rear seat, rear shelf and passenger seat and find out. Unfortunately time and daylight is in short supply but I'm going to give it a shot.

Hi,

> From that I think the part marked "Diversity switch" [which I thought could be for the convertibles with the two bumber monuted antenna] is actually for a loop through for the eject box. When Assist needs to, it takes the antenna connection to make an Assist call.

I think you are right

> If NavCocder had access to the AT interface on the module, it could do a brute force attack on the [unlocked] SIM to find the PIN Number,

We can do that. Get in touch via email for the ways and means...
But isn't it so that after 3 failled tries, it requires the PUK?

> or use another SIM to set up calls.

Is it possible to fit another SIM car and use that?

> The GSM radio in the TCU is not a 5W vehicle radio, so there is not a great deal of improved reception to be had using it.

OK. The TCU GSM radio is their primarily for Assist functions and emergency calls

> If the Bluetooth supported SAP it could be a way to save battery on your mobile phone without renting another SIM. When I get it wired in I'll do a profile discovery, but I don't hold out much hope. I know Mercedes of the same period had SAP.

I am pretty sure the TCU supports handsfree / headset profiles only.
However, it does also view SMS and show phonebook - is that a SAP function?

Remove the rear seat bottom and rear seat squab on the side, quick and easy, gives access to the cable channels

Then you can remove the sill trims and remove those foreign non BMW cables

Doing so is good for the environment, as you will gain better fuel economy...

(I challenge you to calculate the improvement!)

The SIM would need to be PIN unlocked when the TCU powers on to camp on to the network and be ready for an Assist call. If it is continuously PIN unlocked when the TCU is powered on, then you would not get a PUK lock from the brute force attack.



Yes absolutely. The command is something like ATD:5551234 etc [D for dial]. You can also set up data calls, although it will be GPRS by dialing ATD:*99#. You may need to configure the gateway usping commands like AT+CGDCONT=1,"IP","three.co.uk" Might be useful if someone finds a way to track the car via it's GPS.

Sadly no, that's SYNC over OBEX (primarily for sending business cards and syncing with Outlook). SAP gives you full remote SIM cloning over BT.

OK, let's try it!

PS: just power up the TCU on the workbench, we can interrogate it there.

PPS: maybe it is SIM locked and the card gets unlocked by the TCU at powerup. The TCU would then have the PIN stored in its config memory

We can read out the config memory, it's fun

Why bother changing the sim card then? Why not stay with the BMW card?

OK, then I'm 99% sure no SAP.

OK Computer had a brainfart while I was uploading. I found a battery backed up Motorola GPS Tracker, a Trimble GPS antenna and a no-label GSM patch antenna. These are connected to the violet and blue FAKRA. I guess they are retrofit since they are not fixed in to OEM cable tiebacks, and are a bit too long.

I think I identified all the cables going through the firewall. I am going to remove the passenger seat, carpet and centre console when I have the new looms ready to lay at the same time.

OK, need to build a little debug loom first.

Becuase the SIM card may be restiricted to certain phone numbers, and also they might notice big phone bills to non Assist numbers


A Nokia 616 bluetooth car phone kit also has SAP plus a SIM slot, but it can't have a SIM and SAP active at the same time, since there is only one radio to connect to the network. The TCU might detect the SIM and disable SAP in a similar way. Still all to play for.