# Hello HU-NBT ?!?



## aboulfad (Jun 5, 2015)

Being the last elusive ECU that I haven't "hacked" into, namely HU-NBT, I was always curious whether it is possible, and how, to execute code on HU-NBT from a USB key, akin to the various stuff out there where you insert the USB key and voila, something happens to the HU. Note, I am interested only in the how and not the what; the possibilities are endless once the HU-NBT is "hacked". One of my goals is to enable telnet/ssh (FYI, inetd isn't running on the HU).

Everything I've written here wouldn't have been possible without @2real4u's nbt unpack tool and @mozy's (mbworld) srm research, and guidance from a fellow BMW fan who got all this to work while I am still in kindergarten. This is work in progress, the learning curve is steep, and I'm hoping some others can follow suit so we can make this real for many.

*Tool Requirement*: QNX6.3 or 6.5 SDK and/or Momentics IDE, IDA Pro, binutils, binwalk, text/hex editors,...

Many hours of research led me to two key pieces of information: Mozy's documentation of the srm service and a thread on another forum called "Let's hack NBT!". Equipped with nbt_unpack and the QNX utilities, I was able to study the various scripts related to srm and mozy's findings a bit.

*Part 1:* MCD (Media Content Detector)
The mcd can be used as an automount FS, and the configuration is in /etc/mcd.cfg. Relevant entry for USB are, which in theory is saying if a USB drive is inserted with a FNAME_PATTERN, then a rule has been matched.

```
[/fs/usb*]
Callout         = PATH_MEDIA_PROCMGR
Argument        = /proc/mount
Priority        = 11,12
Start Rule      = INSERTED
Stop Rule       = MMEMediumEjected
and
[USB_SWPC_ROOT]
Callout      = FNAME_PATTERN
Argument     = depth=1,UPD*.bin,UPD*.BIN,upd*.bin,upd*.BIN
```
*Part 2:* srm ???
Thanks to @2real4u's unpacker, here is the list of srm entries in the Intel FS (nothing in Jacinto). The .sh script, on activation, copies /opt/sys/etc/SPOT/srm*cfg to /var/opt/sys/. No clue as to who calls srm_config.sh. That then brings us to srm_startup.cfg, which only has an entry for "/fs/usb0", and the copied srm.cfg is empty!


```
./opt/sys/bin/showmem-srm
./opt/sys/bin/srm
./opt/sys/bin/srm_config.sh
./opt/sys/bin/srm_ctrl
./opt/sys/etc/SPOT/srm.cfg
./opt/sys/etc/SPOT/srm_startup.cfg
./opt/sys/etc/srm.cfg
./opt/sys/lib/libsrm_client.so
./opt/sys/lib/libsrm_client_cmd.so
```
*Part 3:* Mozy's srm research
If srm is part of QNX, then it's the best-kept secret in the world. As mozy says, there is nothing on the internet and/or in the QNX docs. According to mozy there is a way to wrap a library to get it to execute; quoting him:



> - one of the files in the package (to be placed on the SD card) was named srm.cfg!
> - The two interesting ones are the srm.cfg file and a file I'll call c00l_h4x.so.
> - but the important one ("srm.cfg") contains a reference to the library (.so) file also on the SD card


For his MB HU, all he had to do was create a shared library with some code in it and place it alongside the srm.cfg on the SD card, and he was able to execute code on his HU. Luckily, he had what Mercedes calls Emergency Error Logs, while in my experiments I am blind...

*Part 4:* UPD*.bin files
They come in different flavours: the BMW media software update .bin files, and the other ones (VIM, FSC, ...). I was able to fully unpack, untar and decrypt the BMW UPD*.bin, but there is nothing interesting there related to executing some routine from a USB key. As it requires a user action to choose "software update" in iDrive, I don't believe those files contain any *secret* way to execute some routine automatically.

The other category of .bin files: some seem to have a reference to srm.cfg, but the format is a bit of a challenge to deal with.

*Part 5*: My experiments
I have experimented with both methods, mozy's and UPD, and neither led to any success. The code that I was trying to execute is a simple "Hello HU-NBT" to be dumped into a file on /fs/usb0. As there is no means of knowing what is going on, it's becoming a bit frustrating to continue... Without some means to access boot sequences or logs, we (or I) are blind to what is happening; UART access may be needed to watch for srm entries and see what the heck is going on...
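
An added example, not part of aboulfad's post and not BMW's mcd code: a small POSIX shell helper that applies an FNAME_PATTERN `Argument` value such as the one quoted in Part 1 to a USB key mounted on a workstation, so the key layout can be sanity-checked before it goes into the car. The meaning of `depth=N` is not documented anywhere on this page; the helper assumes it is the maximum number of directory levels below the mount root, and that every other comma-separated token is a filename glob (`depth=` tokens take effect for the patterns that follow them). The demo key layout is constructed here.

```sh
#!/bin/sh
# Added example: emulate matching of an mcd FNAME_PATTERN rule such as
#   Argument = depth=1,UPD*.bin,UPD*.BIN,upd*.bin,upd*.BIN
# against the root of a USB key mounted on a workstation.
# Assumption (not documented on the page): "depth=N" limits the search to
# N directory levels below the mount root; other tokens are filename globs.

# mcd_match ROOT ARGUMENT
#   prints every file under ROOT that satisfies the rule, one per line,
#   and returns 0 if at least one file matched, 1 otherwise.
mcd_match() {
    root=$1
    arg=$2
    depth=1
    found=1
    old_ifs=$IFS
    IFS=','
    set -f              # no pathname expansion while we split on commas
    set -- $arg
    set +f
    IFS=$old_ifs
    for tok in "$@"; do
        case $tok in
            depth=*)
                depth=${tok#depth=} ;;
            *)
                # the glob is passed quoted so that find, not the shell, expands it
                hits=$(find "$root" -mindepth 1 -maxdepth "$depth" -type f -name "$tok" 2>/dev/null)
                if [ -n "$hits" ]; then
                    printf '%s\n' "$hits"
                    found=0
                fi ;;
        esac
    done
    return "$found"
}

# make_demo_key DIR: constructed USB key layout with one file that should
# match at the root and one with a matching name that is one level too deep.
make_demo_key() {
    mkdir -p "$1/sub"
    : > "$1/UPD00001.bin"
    : > "$1/sub/upd_too_deep.bin"
    : > "$1/readme.txt"
}

case "${1:-}" in
    --demo)
        key=$(mktemp -d)
        make_demo_key "$key"
        if mcd_match "$key" 'depth=1,UPD*.bin,UPD*.BIN,upd*.bin,upd*.BIN'; then
            echo "rule matched on $key"
        else
            echo "rule did not match on $key"
        fi ;;
esac
```

Run it as `sh mcd_match.sh --demo`, or point `mcd_match` at the mount point of a real key. The second file in the demo layout is there to show the failure mode the rule implies: a correctly named file in a subdirectory does not satisfy `depth=1`, so nothing fires.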


----------



## aboulfad (Jun 5, 2015)

Reserved for update.


----------



## vneno (Mar 28, 2015)

anything new?
It would be nice to start sshd/telnetd, then just remote login.

Look at the mc-upload.sh file; here is a snippet of it:

```
# 2011/05: New feature: Copy /var/dump to an attached USB stick (recursively). A directory "HBCoreUpload" has to be existant in root folder of USB device.
```

Edit: maybe you will need to code TRACE option (val: 1 or 2) in HU_NBT also


----------



## aboulfad (Jun 5, 2015)

No, it's a dead end for me, as I am not willing to remove and take apart my HU to connect via serial. However, another chap on another forum will probably provide some capability and other nice stuff that I am sure will trickle here when he releases it.


----------



## vneno (Mar 28, 2015)

aboulfad said:


> No it's a dead end for me as I am not willing to remove and take apart my HU to connect via serial. However another chap on another forum may probably provide some capability and other nice stuff that I am sure it will trickle here, when he releases it.


What forum are you referring to? Can you post the link? Thanks.

Sent from my SM-G935F using Tapatalk


----------



## aboulfad (Jun 5, 2015)

vneno said:


> What forum are you referring to? Can you post the link? Thanks.


I can PM to you, the script you reference seems to dump core on the USB stick, and then I'll have to figure out how to analyze it to see if it contains any logs that say anything useful... too much work, and why not let someone else do it ;-)


----------



## vneno (Mar 28, 2015)

aboulfad said:


> I can PM to you, the script you reference seems to dump core on the USB stick, and then I'll have to figure out how to analyze it to see if it contains any logs that say anything useful... too much work, and why not let someone else do it ;-)


OK.

Sent from my SM-G935F using Tapatalk


----------



## wiigin (Aug 24, 2017)

-- remove --


----------



## pasko (Oct 5, 2017)

Hi.

I'm all new to this stuff and have a few questions to ask & maybe I could help here.
I haven't tinkered yet with my car (F45 built March 2016), but I also decompressed a few days ago the UPD***.bin file corresponding to the bluetooth update for my car.

So, just as a start a few basic questions:

1.- I read somewhere that CIC (older versions) were based on QNX: any clues as to which OS the NBT units are running? When you uncompress the UPD***.bin files and check the files under the /bin/ folders with the 'file' command under Linux, it says they are compiled for Linux, with kernel version 3.10..... So maybe NBT HUs are now running Linux 
2.- I also found a file that specifically disables the USB port for IDs corresponding to a USB-to-RS232 serial adaptor. OTOH, someone here at bimmerfest.com managed to connect to the NBT unit with a USB-to-LAN adaptor (D-Link, if I remember correctly). Has anyone tried this USB-to-LAN adaptor so far?

I can't provide details of the previous claims now, but will be able to later from home (in case someone is interested).

Best Regards.


----------



## pasko (Oct 5, 2017)

*Hi*

I've also been decompressing the UPD*.bin file corresponding to my car, and I have also seen that the binary files under /bin are compiled for Linux, with kernel 3.1.0.
Also, one of the files in /etc blocks the use of USB-to-serial adaptors on the USB port...
And a couple of questions:

Why use QNX? Wouldn't it be easier to use plain Linux?

And, Has anyone thought about using an USB-to-ETHERNET adaptor?

Thanks in advance.
Regards.


----------



## anees (Feb 7, 2016)

Try plugging in a USB stick with a directory called HBCoreUpload in its root. I'm not sure if the attached script gets called automatically or not at startup.
This is for the NBT EVO.

Rename the file from .pdf to .sh

This is the full script vneno was referring to



aboulfad said:


> Being the last elusive ECU that I haven't "hacked" into,


----------



## aboulfad (Jun 5, 2015)

anees said:


> ...This is the full script vneno was referring to


Thanks, but honestly I can't recall what this is about. Anyway, I have an NBT, and the exploits are different for NBT and NBT EVO.


----------



## yangqi (Aug 8, 2017)

Just took a look at the UPD*.bin file and found the following script, which decrypts the encrypted rpm package using the key in /opt/sys/etc/pf_OBD_sta0.conf.

The script is pre_inst.scr, in one of the extracted .bin files inside the UPD*.bin; it may be possible to play with the script.


```
echo "[kisu] $0"
cd /mnt/share/sys/SWUP_000014B1_002_255_070
chmod +x openssl
# passphrase = hex SHA-256 of a config file that is already present on the unit
p=`./openssl dgst -sha256 /opt/sys/etc/pf_OBD_sta0.conf | sed 's/^.* //'`
# decrypt the rpm with the openssl binary bundled in the update, using that passphrase
./openssl enc -d -aes256 -pass pass:$p -in SWUP_000014B1_002_255_070-1.0-1.i386.rpm.encrypted -out SWUP_000014B1_002_255_070-1.0-1.i386.rpm
chmod -x openssl
```
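
An added example, not the firmware's pre_inst.scr and not from yangqi's post: it reproduces the script's passphrase derivation and AES decryption on a workstation against constructed files, so the mechanism can be checked without a car. The encryption side is an assumption; the page only shows `enc -d`, so the example encrypts with the mirror-image `openssl enc -aes256 -pass pass:<same passphrase>` and then decrypts with exactly the script's command line. The stand-in for `/opt/sys/etc/pf_OBD_sta0.conf` and the payload are constructed. Needs the `openssl` CLI on PATH.

```sh
#!/bin/sh
# Added example: reproduce pre_inst.scr's key derivation and decryption
# offline. Assumption: packages were produced with the inverse command
# (openssl enc -aes256 with the same passphrase), which "enc -d" implies.

# derive_pass CONF: hex SHA-256 of CONF, exactly as the script computes it
# (the sed drops the "SHA256(file)= " prefix that dgst prints).
derive_pass() {
    openssl dgst -sha256 "$1" | sed 's/^.* //'
}

# encrypt_pkg CONF IN OUT: build-side step, assumed (see above).
encrypt_pkg() {
    p=$(derive_pass "$1")
    openssl enc -aes256 -pass "pass:$p" -in "$2" -out "$3"
}

# decrypt_pkg CONF IN OUT: the same openssl invocation as pre_inst.scr.
decrypt_pkg() {
    p=$(derive_pass "$1")
    openssl enc -d -aes256 -pass "pass:$p" -in "$2" -out "$3"
}

# round_trip: encrypt and decrypt a constructed payload with a constructed
# stand-in for pf_OBD_sta0.conf. Returns 0 only if the plaintext comes back
# byte-for-byte AND a different conf file fails to recover it, i.e. the
# content of that conf file is the whole secret.
round_trip() {
    w=$(mktemp -d)
    printf 'constructed stand-in for pf_OBD_sta0.conf\n' > "$w/sta0.conf"
    printf 'constructed stand-in for the rpm payload\n' > "$w/pkg.rpm"
    encrypt_pkg "$w/sta0.conf" "$w/pkg.rpm" "$w/pkg.rpm.encrypted" || return 1
    decrypt_pkg "$w/sta0.conf" "$w/pkg.rpm.encrypted" "$w/pkg.rpm.out" || return 1
    cmp -s "$w/pkg.rpm" "$w/pkg.rpm.out" || return 1
    printf 'a different conf file\n' > "$w/other.conf"
    # wrong key: openssl normally reports "bad decrypt"; either way the
    # output must not equal the plaintext
    decrypt_pkg "$w/other.conf" "$w/pkg.rpm.encrypted" "$w/pkg.rpm.bad" 2>/dev/null || true
    ! cmp -s "$w/pkg.rpm" "$w/pkg.rpm.bad"
}

case "${1:-}" in
    --demo) round_trip && echo "round trip OK" ;;
esac
```

Run it as `sh kisu_decrypt.sh --demo`. Two practical caveats when pointing `decrypt_pkg` at a real `.encrypted` file: the passphrase is only as secret as `/opt/sys/etc/pf_OBD_sta0.conf`, so unless that file differs per car, anyone who can read it from the unit's filesystem can decrypt every package that uses this scheme; and the script runs the openssl binary bundled in the update, whose defaults define the real KDF, while OpenSSL 1.1.0 changed the default digest used by `enc` for password-based key derivation from MD5 to SHA-256, so a modern workstation openssl may need `-md md5` added to the `enc -d` line to decrypt a package produced with an older one.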


----------



## pasko (Oct 5, 2017)

Hi.
Interesting thing you found out.
Regarding the UPD*.bin file: Is it a bluetooth update, a software update or a map update?
I ask because I uncompressed a Bluetooth file and didn't find any rpm packages....

Regards.


----------



## yangqi (Aug 8, 2017)

pasko said:


> Hi.
> Interesting thing you found out.
> Regarding the UPD*.bin file: Is it a bluetooth update, a software update or a map update?
> I ask because I uncompressed a Bluetooth file and didn't find any rpm packages....
> ...


It's a software update; there is a manifest file that lists all the update packages and their hash values. The rpm package is under the *.bin file inside the UPD*.bin file.


----------



## pasko (Oct 5, 2017)

anees said:


> Try plugging in a USB with a directory called HBCoreUpload in the root of the USB. I'm not sure if the attached script gets called automatically or not at start up.
> This is for the NBT EVO
> 
> Rename the file from .pdf to .sh
> ...


Hi.
Thank you for your answer.
So, the idea is to put the .sh script in the HBCoreUpload folder in the root folder, connect it to the car and see if any files are dumped to the usb drive, right?

Best regards.


----------



## pasko (Oct 5, 2017)

yangqi said:


> It's software update, there is a manifest file that lists all the updates package and their hash values. The rpm package is under the *.bin file inside the UPD*.bin file.


Hi.

Thank you for your answer.
I see you found out that some .bin files are compressed files inside another compressed file.

Did you see any .sh files after decompression? These are usually scripts that can provide hints about the system they are run in....

Best regards.


----------



## anees (Feb 7, 2016)

Have a read on the attached document. It really explains so much.



pasko said:


> Hi.
> Thank you for your answer.
> So, the idea is to put the .sh script in the HBCoreUpload folder in the root folder, connect it to the car and see if any files are dumped to the usb drive, right?
> 
> Best regards.


----------



## pasko (Oct 5, 2017)

Hi.
:thumbup:
Best regards.


----------

