Teardown: The BMW / Harman IDC23H Infotainment Unit (B423)
Another day, another teardown - and the first blog post of 2026! Today we’ll be looking at the BMW IDC23H infotainment unit, manufactured by Harman Becker.
The IDC23H is one of the newest infotainment units from BMW, as of January 2026. The design is based on the previous-generation MGU22/MGU22H, and is used in a wide variety of BMW models - this unit in particular was found in one of BMW’s newest X1 U11 SUVs.
Dissecting the BMW NBT EVO HU Boot Process - Part 1: QNX and the IFS
For the past 2-or-so years, I’ve been hacking on my car’s infotainment unit - the BMW NBT EVO HU. I figured this would be the perfect opportunity to dive into a new topic: What does the boot process of a modern QNX-based infotainment unit look like?
Teardown: The BMW / Harman NBT EVO HU Infotainment Unit (B211)
Today’s teardown is of the BMW NBT EVO HU, an infotainment unit built by Harman Automotive - sound familiar?
The QNX_info ELF Section
When poking at binaries on a QNX-based system, you may run into an interesting ELF header: The so-called QNX_info section!
Teardown: The BMW / Harman NBT HU Infotainment Unit
Today’s teardown is of the BMW NBT HU infotainment unit, built by Harman Automotive. This head unit was used between 2012 and 2019 across a wide array of models in BMW’s lineup, in everything from their sedans to SUVs.
Edge Connector Breakout Boards
The goal was simple: For the past year or so, I’ve been poking at my car’s head unit in my free time. This has now escalated to the point where I have two or three of the head units…
They use a 1mm-pitch edge connector for debugging and development access, and I didn’t want to solder wires directly to the pins in an irreversible way. As such, I created a breakout board!
Extracting QNX IFS Partitions
There isn’t a lot of content online discussing how to dump a QNX IFS partition, so I thought I’d write up a few paragraphs here to spread the tips and tricks that I’ve learned.
(If you just want the tl;dr and already know what IFS partitions are, scroll to the bottom!)
Embedded Firmware Exfiltration - The Easy Way
It’s not often you look to extract an embedded device’s firmware over the network. Luckily, it’s possible with SSH! We’ll go over a few techniques for dumping raw block device bytes out onto the network to facilitate quick extraction of device firmware for static analysis on a separate host computer.
Using CaringCaribou Without Root
Here’s your five second tip of the day: Need to install CaringCaribou on a system you don’t have root on? (For example: a CTF VM)