# Getting network access to HU_NBT

## cronek (Dec 22, 2012)

With the wifi hardware removed, I looked into another way of getting network connectivity to the NBT system. I connected my ENET cable and sniffed traffic, and saw some DHCP DISCOVER packets coming from 2 different MAC addresses, and one of these addresses had the Harman/Becker (who produces the NBT) OUI (first bytes of the MAC address identifying the manufacturer of the NIC).

I set up a DHCP server on my PC (using tftpd64) and after a while had two DHCP leases assigned:

The 192.168.222.1 is whatever it is that ESYS connects to. I'll investigate this, as well as the traffic generated by ESYS later.

The 192.168.222.2 is the NBT. I nmapped it:

And as you can see the SSH and telnet ports are unfortunately closed.
Port 80 is listening, and has the lighttpd running on it that I discovered previously through the wifi connection.

The main page gives you a 404 error.

The same subdirs are still present (/core and /trace).
However, the trace dir doesn't contain logs this time (on my previous car this contained full debug logs of everything the NBT did, as well as boot logs etc.).

The other two ports didn't give me much; they disconnect immediately after connecting. I'll look into these some more in the future, but my laptop battery was getting low.
The fact that ports 22 and 23 are unfiltered (not blocked by NBT's firewall, unlike most other ports) is interesting; there should be a way to enable ssh/telnet...

Anyone else feel like jumping into this?
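The DHCP DISCOVER sniffing step described in the post above, as an added example that is not part of the thread: a small parser that pulls the client MAC out of a raw DHCP payload and classifies it by OUI, which is how the two requesting devices were told apart. The Harman/Becker OUI value is not given in the thread, so the lookup table uses a constructed placeholder prefix, and `build_discover` only constructs sample input for offline use.

```python
import struct

# Constructed OUI table: the real Harman/Becker prefix is not given in
# the thread, so this entry is a placeholder, not a real assignment.
OUI_VENDORS = {"00:11:22": "Harman/Becker (placeholder OUI)"}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse one UDP payload as BOOTP/DHCP and return the client MAC,
    the DHCP message type and a vendor guess based on the MAC's OUI."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    chaddr = payload[28:28 + hlen]          # client hardware address
    mac = ":".join(f"{b:02x}" for b in chaddr)
    msg_type = None
    i = 240                                 # options start after the cookie
    while i < len(payload):
        tag = payload[i]
        if tag == 255:                      # end-of-options marker
            break
        if tag == 0:                        # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:       # option 53 = DHCP message type
            msg_type = MSG_TYPES.get(value[0], f"type {value[0]}")
        i += 2 + length
    vendor = OUI_VENDORS.get(mac[:8], "unknown OUI")
    return {"op": op, "htype": htype, "mac": mac,
            "msg_type": msg_type, "vendor": vendor}


def build_discover(mac: bytes) -> bytes:
    """Constructed sample DHCP DISCOVER for the given 6-byte client MAC."""
    hdr = struct.pack("!BBBB", 1, 1, 6, 0)             # BOOTREQUEST, Ethernet
    hdr += struct.pack("!IHH", 0x12345678, 0, 0x8000)  # xid, secs, broadcast
    hdr += b"\x00" * 16                                # ciaddr..giaddr
    hdr += mac + b"\x00" * 10                          # chaddr (16 bytes)
    hdr += b"\x00" * 192                               # sname + file
    return hdr + DHCP_MAGIC + bytes([53, 1, 1, 255])   # type=DISCOVER, end


if __name__ == "__main__":
    for sample in (b"\x00\x11\x22\xaa\xbb\xcc", b"\xde\xad\xbe\xef\x00\x01"):
        print(parse_dhcp(build_discover(sample)))
```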


----------



## cronek (Dec 22, 2012)

By the way, the IPCE_WEBSERVER value in the HU_NBT FDL is still set to nicht_aktiv here, so it needn't be changed to get this.


----------



## remko (Jun 18, 2014)

Responding to old thread but gaining root access would be really nice.

To get access to NBT, either find a lighttpd exploit such as CVE-2013-4559 or, if we're lucky, NBT will run debug services such as pdebug or qcon (perhaps on port 6811?).


----------



## cronek (Dec 22, 2012)

Whoops, I'd completely forgotten about this.

Yeah, I looked into exploiting that vuln, but successfully exploiting it seems infeasible, due to having no way to trigger a lighttpd service restart without the whole system restarting. And even then the process would just be running as root, requiring another form of remote code execution exploit for the httpd.

I wonder if there are hardware ways of reading the flash image, maybe the thing even has a JTAG header...


----------



## PhreakShow (Apr 10, 2014)

Any updates here?


----------



## cronek (Dec 22, 2012)

Completely forgot about all this. I've (finally) got some spare time in the next days so I might look into it further.


----------



## rock_wang (Aug 28, 2013)

Can you ping to NBT's IP address?


----------



## bmwc0der (Apr 23, 2015)

rock_wang said:


> Can you ping to NBT's IP address?


Yes it responds to ICMP.

Has anyone tried to find serial pins on the NBT? If you take it apart there are a lot of pads on the board with the Atom processor.


----------



## lssong (Jan 23, 2016)

Now it's 2016~ Any update on this? Really interested in this...


----------



## bzzjh (May 30, 2013)

Any updates here?


----------

