Dissecting the BMW NBT EVO HU Boot Process - Part 1: QNX and the IFS
For the past 2-or-so years, I’ve been hacking on my car’s infotainment unit - the BMW NBT EVO HU. I figured this would be the perfect opportunity to dive into a new topic: What does the boot process of a modern QNX-based infotainment unit look like?
Teardown: The BMW / Harman NBT EVO HU Infotainment Unit (B211)
Today’s teardown is of the BMW NBT EVO HU, an infotainment unit built by Harman Automotive - sound familiar?
The QNX_info ELF Section
When poking at binaries on a QNX-based system, you may run into an interesting ELF header: The so-called QNX_info section!
Teardown: The BMW / Harman NBT HU Infotainment Unit
Today’s teardown is of the BMW NBT HU infotainment unit, built by Harman Automotive. This head unit was used between 2012 and 2019 across a wide array of models in BMW’s lineup, in everything from their sedans to SUVs.
Edge Connector Breakout Boards
The goal was simple: For the past year or so, I’ve been poking at my car’s head unit in my free time. This has now escalated to the point where I have two or three of the head units…
They use a 1mm-pitch edge connector for debugging and development access, and I didn’t want to solder wires directly to the pins in an irreversible way. As such, I created a breakout board!
Extracting QNX IFS Partitions
There isn’t a lot of content online discussing how to dump a QNX IFS partition, so I thought I’d write up a few paragraphs here to spread the tips and tricks that I’ve learned.
(If you just want the tl;dr and already know what IFS partitions are, scroll to the bottom!)
Embedded Firmware Exfiltration - The Easy Way
It’s not often you look to extract an embedded device’s firmware over the network. Luckily, it’s possible with SSH! We’ll go over a few techniques for dumping raw block device bytes out onto the network to facilitate quick extraction of device firmware for static analysis on a separate host computer.
Using CaringCaribou Without Root
Here’s your five-second tip of the day: Need to install CaringCaribou on a system you don’t have root on? (For example: a CTF VM)