hACKING
Car
Featured
Now that we’re fresh into the start of 2026, I thought it would be interesting to take a look back at the state of automotive cybersecurity. To do this, I wanted to answer the question of: What is the state of automotive vulnerability reporting in 2026?
Another day, another teardown - and the first blog post of 2026! Today we’ll be looking at the BMW IDC23H infotainment unit, manufactured by Harman Becker.
The IDC23H is one of the newest infotainment units from BMW, as of January 2026. The design is based on the previous-generation MGU22/MGU22H, and is used in a wide variety of BMW models - this unit in particular was found in one of BMW’s newest X1 U11 SUVs.
For the past 2-or-so years, I’ve been hacking on my car’s infotainment unit - the BMW NBT EVO HU. I figured this would be the perfect opportunity to dive into a new topic: What does the boot process of a modern QNX-based infotainment unit look like?
Today’s teardown is of the BMW NBT EVO HU, an infotainment unit built by Harman Automotive - sound familiar?
When poking at binaries on a QNX-based system, you may run into an interesting ELF header: The so-called QNX_info section!
Today’s teardown is of the BMW NBT HU infotainment unit, built by Harman Automotive. This head unit was used between 2012 and 2019 across a wide array of models in BMW’s lineup, in everything from their sedans to SUVs.
The goal was simple: For the past year or so, I’ve been poking at my car’s head unit in my free time. This has now escalated to the point where I have two or three of the head units…
They use a 1mm-pitch edge connector for debugging and development access, and I didn’t want to solder wires directly to the pins in an irreversible way. As such, I created a breakout board!
It’s not often you look to extract an embedded device’s firmware over the network. Luckily, it’s possible with SSH! We’ll go over a few techniques for dumping raw block device bytes out onto the network to facilitate quick extraction of device firmware for static analysis on a separate host computer.
Here’s your five second tip of the day: Need to install CaringCaribou on a system you don’t have root on? (For example: a CTF VM)
There isn’t a lot of content online discussing how to dump a QNX IFS partition, so I thought I’d write up a few paragraphs here to spread the tips and tricks that I’ve learned.
(If you just want the tl;dr and already know what IFS partitions are, scroll to the bottom!)