1. Introduction
This post presents an in-depth technical analysis of a full system dump from a BMW NBT EVO ID6 infotainment unit. Originally built on NBT ID4 hardware, the unit was upgraded via software flash to NBT EVO ID6 and runs firmware version 18-03. The data was acquired through a full partition-level dump of the internal storage, including the root filesystem, configuration files, binaries, and the boot directory.
The goal of this analysis is to understand the internal architecture, initialization sequence, graphical interface logic, data flows, and embedded tooling used during development and diagnostics. This study offers insights into the system’s structure, reverse engineering potential, and exposed forensic data — much of which has never been publicly documented in this depth.
All analyzed materials are hosted in the public repository:
https://git.davidpetric.com/almostm4/nbtevo-system-dump
Target Audience:
- Embedded Linux researchers
- Automotive reverse engineers
- Security professionals
- Infotainment and HMI developers
- Open-source car hacking communities
Source Overview:
- Hardware: BMW NBT ID4 platform with 2 GB RAM
- Software: NBT EVO ID6, firmware version 18-03
- Boot method: Linux kernel (no full U-Boot image recovered)
- Root filesystem: Overlaid from
/fs/sda0 - Dump method: Partition-level manual extraction
- Structure: All main directories symlinked from root to
/fs/sda0, except/boot
Contents of the Dump:
- Root filesystem with symlinks to actual mount points under
/fs/sda0 - Executable binaries under
/opt/car/bin/and/opt/mm/bin/ - Init scripts under
/boot/bin/and service controllers - GUI and HMI configuration in
/hmiand*.xarasset bundles - SQL schema files, SQLite DB configurations under
/opt/mm/etc/ - Logging, tracing, and diagnostic shell scripts
- A collection of legacy debug, QA, and development tooling
- USB-triggered core dump exports and full crash trace archiving
Scope and Methodology:
This analysis uses forensic dissection of binaries (via strings, readelf, and Ghidra), shell script tracing, filesystem mounting and reverse engineering of XML manifests. The approach emphasizes static analysis of ELF symbols, hardcoded paths, and developer residue left in production firmware.
2. System Overview
The BMW NBT EVO ID6 infotainment system is an embedded Linux platform designed to boot quickly, load a dynamic graphical interface, and communicate with peripheral vehicle modules. It runs on relatively constrained hardware (ARM-based SoC, 2 GB RAM), and emphasizes predictable boot behavior, GUI layering, and extensive media and navigation integration.
2.1 Filesystem and Mount Hierarchy
The system mounts a partitioned Linux filesystem, centered on a root structure symlinked almost entirely to a mounted volume located at /fs/sda0. This design simplifies over-the-air (OTA) updates and developer maintenance:
| Symlink Target | Actual Mount Path | Purpose |
|---|---|---|
/etc | /fs/sda0/etc | Main system and service configuration |
/opt | /fs/sda0/opt | Houses binaries, libraries, media, HMI |
/hmi | /fs/sda0/hmi | GUI assets and themes in .xar format |
/var | /fs/sda0/var | Runtime logs, temp state, trace logs |
/boot | (native mount) | Kernel, init scripts, and framebuffer setup |
This symlinked design supports efficient switching between development and production builds by altering the base mountpoint without touching the bootloader or initramfs.
2.2 Init System and Service Launching
Rather than systemd or traditional SysV init, this platform uses custom shell scripts stored in /boot/bin/, called directly from the boot process. These include:
sysinit: main script triggering downstream startupstart_net.sh: brings up Ethernet and USB-tethered interfacesstart_usb.sh: detects USB insertions and dumps logs or crash reportsstart_kerneltrace.sh: mountsdebugfsand enables tracepoint loggingcopy_corefiles2usb.sh: copies entire crash and log directories to USB
These scripts are crucial for reconstructing the boot sequence. Here is the observed startup order:
- Kernel mounts
/fs/sda0 sysinitexecutes first-level logging and service prep- Network stack is initialized (via
ifconfig,udhcpc) - Crash dump logic is prepared to capture USB media
- GUI and navigation engines are launched via daemons like
NavigationFully,NavNBTEvoController
The init process assumes USB access is normal for debugging and trace extraction. This is confirmed by copy_corefiles2usb.sh, which mounts /dev/sda1, copies /core, /var/log, and /opt/car/logs/, and unmounts the device without validation or encryption.
2.3 Partition Structure and Bootloader Assumptions
Although the bootloader binary (e.g., u-boot.img) was not part of the dump, it is implied that U-Boot or a vendor-derived fork is in use, based on:
- The format and location of
/bootfiles - Use of
uImageand initrd naming conventions - Early framebuffer activity controlled by
EarlyVideoApp - The presence of kernel trace tools launched before full init
The system uses a monolithic Linux kernel, likely with all required drivers statically compiled. No evidence was found for initrd/initramfs beyond the initial shell scripts.
2.4 Runtime Behavior and Logging
The system includes extensive logging and diagnostic features baked into production:
- All log directories are writable (
/opt/car/logs,/var/log) - Kernel boot traces are stored to
/var/kernel/ - Crash dumps and memory traces are triggered by USB insertion
- USB is handled using hardcoded
/dev/sda1without UUID or fsck - Scripts include German-language developer comments (e.g.,
collect_cardata.sh)
This indicates a development pipeline with minimal final cleanup, where engineering conveniences were preserved even in dealer-delivered firmware.
2.5 Service Layout and Binaries
Most services are implemented as standalone, statically linked ELF binaries, found under:
/opt/car/bin: Navigation, GUI, diagnostics, HMI daemons/opt/mm/bin: Media metadata engine (MME), USB sync, debug collectors/opt/mm/etc: Configuration and SQL schemas for media playback and indexing/opt/hmi: Theme engines and rendering binaries (likely proprietary)
These services are launched directly from init scripts or embedded within master control binaries. They cover everything from early framebuffer init (EarlyVideoApp) to advanced routing engines (NavigationFully) and GUI IPC routers (NavNBTEvoController).
There is no traditional package management, init supervision, or cgroup-based service isolation.
3. Boot and Init System Architecture
The BMW NBT EVO ID6 head unit follows a classical embedded Linux startup pattern, stripped of modern dependency-driven service orchestration (e.g., systemd) in favor of tightly controlled shell-script boot logic. The design ensures consistent startup times, deterministic recovery behavior, and minimal runtime variability — essential for the automotive environment.
3.1 Bootloader Assumptions and Kernel Boot
Although the bootloader binary itself (e.g. u-boot.img) was not present in the recovered dump, multiple signs indicate U-Boot or a derivative is responsible for early-stage initialization:
/bootfolder structure conforms to U-Boot loading conventions.- Presence of files like
start_kerneltrace.shand/boot/bin/sysinithint at pre-kernel trace setup. - The system uses
uImageor precompiled kernel images directly referenced by boot scripts. - Direct framebuffer access (e.g.
/dev/fb0) begins almost immediately after kernel handoff.
The bootloader’s likely sequence:
- Power-on → SoC hardware bring-up
- U-Boot loads the Linux kernel and root device configuration
- Kernel mounts
/fs/sda0and overlays/via symlinks - Control is handed to
/boot/bin/sysinit
3.2 Init Execution Flow
Unlike systemd or Upstart-based designs, NBT EVO relies on tightly sequenced shell scripts. These scripts live primarily under /boot/bin/ or embedded in init calls. The flow looks like:
/sysinit
├── start_kerneltrace.sh
├── start_net.sh
├── start_usb.sh
├── copy_corefiles2usb.sh
├── start_hmi / NavigationFully / VoiceEngineServer
Each of these scripts is executed in a linear order, with minimal parallelization or backgrounding. Failures at any stage can stall the boot process — a trait typical of monolithic embedded firmware stacks.
3.3 Notable Init Scripts and Behavior
Several extracted scripts illustrate how early boot behavior is engineered:
start_kerneltrace.shmountsdebugfsand enables real-time kernel tracing using standard Linux tracing infrastructure:mount -t debugfs none /sys/kernel/debug echo 1 > /sys/kernel/debug/tracing/tracing_onstart_net.shinitializes Ethernet (eth0) and USB (usb0) interfaces viaudhcpc, a lightweight DHCP client from BusyBox. No firewalling or sandboxing is used, exposing these interfaces directly to connected networks.start_usb.shis triggered on media detection and mounts/dev/sda1, then copies:/opt/car/logs//var/log/- Kernel core dumps from
/core
copy_corefiles2usb.shis essentially a forensic dump tool intended for engineers. Its design assumes USB insertion is a valid trigger for crash data collection.
3.4 Startup Daemons and GUI Triggering
Once the base system is initialized, the following daemons are launched (either directly or via rcS):
NavigationFully: main navigation engine and map render systemNavNBTEvoController: IPC router between HMI and backend logicVoiceEngineServer: manages ASR grammars, voice prompt playback, and routingEarlyVideoApp: initializes framebuffer output before GUI is launchedtrace-recorder-app: captures kernel/user-level events to/var/log/
These processes are tightly coupled to boot order. They share state using:
/varand/opt/mm/data/for logs and sync state- Socket-based IPC (likely Unix Domain Sockets)
- Shared-memory constructs or filesystem flag files
3.5 Security Observations During Boot
- Debugging facilities like
debugfsare enabled at boot. - No kernel module hardening (e.g. signed modules, integrity checks).
- USB exposure early in boot makes it trivial to capture logs or trigger dumps.
- Rootfs is writable from the start; overlay systems or integrity verification (e.g. dm-verity) are absent.
3.6 Insights from Developer Scripts
Two scripts, in particular, reveal development-driven intent:
collect_cardata.sh: Captures full system state, memory contents, and interfaces. This script includes comments in both English and German, showing its use in internal engineering QA.copy_corefiles2usb.sh: Exports persistent logs and memory artifacts to USB. It has no prompt or sanitization, confirming that engineering debug was prioritized over security or privacy.
4. Binary Reverse Engineering Highlights
The BMW NBT EVO ID6 platform includes over 1,000+ ELF binaries distributed across /opt/car/, /opt/mm/, and /opt/hmi/. These executables constitute the functional core of the system: user interface, navigation, media management, diagnostics, and system coordination.
Their analysis reveals a platform that was never stripped of development metadata — binaries are rich in symbols, strings, hardcoded file paths, Git commit hashes, email addresses, and internal tooling references.
4.1 Reverse Engineering Methodology
The following tools and workflows were applied during analysis:
file,readelf,ldd— ELF classification, shared library inspectionstrings,xxd,hexdump— string extraction and binary residue scanningbinwalk— embedded asset parsing, binary carvingGhidra— disassembly, control flow decompilation, string and function analysis
We focused primarily on key system-level binaries and those tied to GUI interaction or navigation. Notably:
| Binary | Function |
|---|---|
NavigationFully | Main navigation engine; routes, maps, rendering |
NavNBTEvoController | IPC controller and daemon for GUI ↔ logic |
VoiceEngineServer | Speech recognition, voice command dispatch |
OnOffDSICommander | Reboot/power control/debug tool |
EarlyVideoApp | Framebuffer init prior to GUI loading |
Each of these was compiled as a statically or dynamically linked ELF, ARM architecture, with visible symbol tables and hardcoded configuration paths.
4.2 Example: NavigationFully
A core binary, NavigationFully, was analyzed to extract embedded references and function names:
- Strings:
[email protected]:NBT/MapEngine.git /home/matt/dev/NBT-EVO/nav/src/ /opt/car/bin/NavigationFully [DEBUG] TMC Parser failed at segment ID 38410 - Function names recovered: cppCopyEdit
CNavigationApp::StartGuidance CMapRenderer::FlushGLBuffer CNavigationApp::LoadNavSkin - Build info:
Compiled: 2018-02-24 14:03:17 UTC
This confirms the binary was built in a debug-friendly configuration with full RTTI (Run-Time Type Information), source mapping, and symbol visibility.
4.3 Voice Input Engine: VoiceEngineServer
This binary handles audio input, parsing commands into navigation or media operations. Notable findings include:
- ASR grammar support implied by
grammar/directory references. - Support for multiple locales:
en_US, de_DE, fr_FR, zh_CN - Support for keyword spotting and embedded prompts in
.pcmor.wav.
The system likely uses internal D-Bus or proprietary bus messaging to send voice triggers into the GUI flow, based on IPC references in both VoiceEngineServer and NavNBTEvoController.
4.4 Inter-Process Communication (IPC)
The IPC layer appears to consist of several technologies:
- D-Bus: Inferred from binaries like
dbus_mme_bridge,dbus_send. - Unix Domain Sockets: File paths to
/tmp/voice.sock,/tmp/ipc_car.sockappear in multiple binaries. - Shared Memory: Likely used in HMI frame rendering paths and navigation ↔ GUI coordination.
This IPC stack is not containerized or authenticated, suggesting messages can be spoofed or injected if shell access is obtained.
4.5 Tools and Debug Utilities
Some binaries are clearly meant for development or diagnostic purposes:
OnOffDSICommander- Accepts commands to reboot the unit, power down the display, or switch display modes.
- No permissions or authentication, can be run from shell.
- Example usage:
OnOffDSICommander reboot OnOffDSICommander switch_to_diag_mode
EarlyVideoApp- Initializes the framebuffer before GUI launch.
- Prints framebuffer allocation and screen geometry debug lines.
trace-recorder-app- Collects runtime kernel and user traces.
- Outputs data to persistent log directories, assumes access to
/sys/kernel/debug.
These utilities, left intact in production firmware, offer extensive insight into how the GUI, kernel, and IPC system work — but also present a clear attack and reverse engineering surface.
4.6 Symbolic and Residual Metadata
Across many binaries, I observed:
- Hardcoded Git commit hashes
- Embedded engineer email addresses
- Harman internal server URLs (e.g., stash, Jira, Confluence)
- Unstripped C++ symbols
- Development-only conditional flags
#ifdef ENABLE_MMI_NAV_DEBUG #define USE_LEGACY_VOICE_ENGINE
The inclusion of these artifacts suggests builds were created directly from internal CI/CD pipelines with little to no stripping or obfuscation.
5. Navigation and Media Sync Architecture
The infotainment platform within the BMW NBT EVO ID6 system delivers an integrated experience for navigation, media management, and GUI coordination. Two principal subsystems orchestrate this functionality:
- The Navigation Engine: Based in
NavigationFullyand associated daemons, providing route calculation, GPS input, and map rendering. - The Media Metadata Engine (MME): Centered around tools like
mme_d,usbdev_sync, and associated SQLite databases, managing music indexing, sync states, and playback metadata.
This section documents the system structure, sync behavior, and developer artifacts relevant to these subsystems.
5.1 Navigation Engine Stack
The navigation stack is encapsulated in several tightly coupled ARM binaries:
NavigationFully: A monolithic process responsible for map rendering, POI (Point-of-Interest) management, route logic, and graphical overlays.NavNBTEvoController: A coordination daemon that mediates between GUI IPC messages and backend navigation operations.TrafficEngine: Injects live traffic overlays, inferred from function strings and D-Bus references.VoiceEngineServer: Offers voice-guided navigation prompts and natural language handling.
From reverse engineering and strings analysis, the navigation engine uses proprietary map formats.
These formats appear to be spatially indexed and structured for efficient lookup on low-power hardware.
The binary includes fallback logic for different HMI skins, likely based on regional or software configuration flags, e.g.:
if (region == "ASIA") useSkin("iDrive3");
5.2 Media Metadata Engine (MME)
Media playback and device sync are handled by a collection of binaries and support scripts under /opt/mm/bin/. Although I did not locate binaries such as mme_d, several components related to sync behavior and metadata handling are clearly documented in the .sql files from /opt/mm/etc.
Reconstructed architecture:
| Component | Functionality |
|---|---|
usbdev_sync | Mounts and indexes USB devices; creates media inventory |
iap2handler | Handles Apple’s iAP2 sync protocol (iPhones, iPods) |
dbus_mme_bridge | Sends playback and sync events to GUI via IPC |
SQLite DBs (media.db, sync.db) | Store indexed tracks, last played position, device metadata |
5.3 SQLite Schemas and Sync Metadata
Inside the /opt/mm/etc directory, several .sql files define the full schema of the media system — even though actual .db files were not recovered, this reveals extensive behavior:
Table: media_files
CREATE TABLE media_files (
id INTEGER PRIMARY KEY AUTOINCREMENT,
file_path TEXT NOT NULL,
artist TEXT,
album TEXT,
title TEXT,
duration INTEGER,
last_played TIMESTAMP,
device_id TEXT
);
This logs every discovered media file, including path, metadata, and last playback session.
Table: playback_sessions
CREATE TABLE playback_sessions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id TEXT,
session_start TIMESTAMP,
session_end TIMESTAMP,
last_track_id INTEGER,
resume_position INTEGER
);
Enables resume-from-last-state behavior across power cycles.
Table: device_sync_state
CREATE TABLE device_sync_state (
device_id TEXT PRIMARY KEY,
last_sync TIMESTAMP,
device_type TEXT,
is_full_sync BOOLEAN,
legacy_flag INTEGER
);
Tracks whether a full sync occurred, identifies device type (e.g. FAT32 USB, iPod), and stores flags used during development.
Schemas also contain legacy support flags and deprecated columns, e.g.:
-- TODO: remove device_type_legacy in v4.0
-- Used only in early ID4 test rigs
These comments suggest schema files were reused across several model generations without full cleanup.
5.4 Media Sync Workflow (Reconstructed)
The synchronization process appears to follow this flow:
[USB Device Inserted]
↓
[start_usb.sh detects device]
↓
[usbdev_sync scans file system]
↓
[Media metadata parsed → media_files]
↓
[dbus_mme_bridge updates GUI interface]
↓
[playback_sessions tracks usage]
This event-driven behavior is reinforced by logs found in /opt/mm/data/ and support from trace scripts like mmtrace_collector.
5.5 Persistent Storage and Logs
User-facing data is stored in /opt/mm/data/, likely overlaid on the same partition as /fs/sda0. Although the .db files were not present, logs and schema structure indicate:
media.db: Stores indexed tracks and metadatasync.db: Sync history and statusplayback.log: Plaintext or binary-encoded session logs
These are retained across reboots and not stored in ephemeral memory. Data retention practices make these files useful for forensic recovery of past usage patterns.
6. Development Metadata and Engineering Residue
While the BMW NBT EVO ID6 system appears production-ready at the user interface level, an in-depth reverse engineering of the dumped filesystem reveals that a significant amount of engineering, debugging, and version control metadata was left embedded throughout the firmware image.
These artifacts provide direct visibility into the development practices, internal documentation, and software lifecycle of Harman’s infotainment team, and serve as a unique window into real-world embedded automotive software pipelines.
6.1 Internal Version Control Traces
Many ELF binaries—particularly under /opt/car/bin—contain direct references to Git, SVN, and stash-based development environments. Examples include:
[email protected]:NBT/MapEngine.githttps://svn.harman.com/repos/NBT/branches/EVO_NAV- Compilation metadata embedded in
.commentELF sections or as strings:Compiled: 2018-02-24 14:03:17 UTC BUILD_ENV=dev-intl-x86_64-2018-03-22
These show not only exact build dates but also branch names and CI/CD pipeline metadata, none of which were stripped from production binaries.
6.2 Developer Identity and Email Leakage
A surprising number of binaries contain hardcoded email addresses, likely remnants from embedded commit messages or changelogs compiled into the binaries. Examples extracted from strings and Ghidra symbol analysis:
These emails often appear alongside Author: tags or commit hashes:
commit 2fa9b7a2 | Author: [email protected]
This leakage indicates insufficient use of build sanitation tools, as well as a lack of binary stripping before release.
6.3 Changelogs and Commit History in Production Files
Several SQL schema files and binaries preserve inline changelogs, providing a rare insight into internal versioning across development cycles:
In /opt/mm/etc/*.sql:
-- v3.14: added sync timestamp to playback_sessions
-- Author: [email protected]
-- v3.15: removed deprecated device_type_legacy field
These changelogs not only document schema evolution but also reveal testing history (e.g. ID4 compatibility testing) and internal table migration strategies. This is atypical of production builds and suggests schema files were copied directly from developer machines.
6.4 Jira and Confluence Links
Dozens of Jira issue IDs and Confluence documentation links were found embedded in strings within core binaries:
https://jira.harman.com/browse/NAV-38521
https://confluence.emea.harman.com/display/NBT/DSIController
https://jira.harman.com/browse/DSI-1123
These URLs link to internal documentation portals and bug tracking tickets and could reveal implementation logic or architectural decisions if publicly exposed. Their presence confirms that binaries were compiled from unfiltered debug environments.
6.5 Engineering Scripts and Tool Residue
Several utility scripts remain in the dump, untouched since development, clearly not intended for end-users. Examples include:
collect_cardata.sh
A multifunctional data acquisition tool that gathers system state:
mount > /mnt/usb/mounts.txt
ifconfig > /mnt/usb/netinfo.txt
cat /proc/meminfo > /mnt/usb/meminfo.txt
This script contains comments in both English and German, revealing dual-language development and support environments.
start_kerneltrace.sh
Used to enable full kernel boot tracing:
mount -t debugfs none /sys/kernel/debug
echo 1 > /sys/kernel/debug/tracing/tracing_on
This level of debug tooling being left in place points to late-stage engineering integration directly into production builds.
copy_corefiles2usb.sh
Collects core dumps and logs to USB, with zero access control.
These scripts suggest that engineering diagnostic workflows were directly preserved in the final system image, potentially exposing sensitive runtime states during vehicle use.
6.6 System User Enumeration and Unused Accounts
From /etc/passwd and /etc/shadow, the system includes several development and service accounts:
rootmmidevuserharman
Some accounts contain hashed passwords, while others appear disabled with * or !. Their presence implies that multi-user login models were once supported, likely over serial or SSH access, but later flattened for production.
Importantly, the continued presence of these users suggests incomplete credential deprovisioning, potentially exposing unnecessary surfaces to lateral movement or escalation under compromise.
6.7 Legacy Development Paths
Embedded in binaries are full filesystem development paths such as:
/home/matt/dev/NBT-EVO/nav/src/
C:/Projects/Harman/NBT_ID6/mapengine/
These paths expose internal naming conventions, developer machines, and file structure — all valuable during reconstruction or emulation.
6.8 Observations on Build Process Hygiene
Across the board, the lack of:
- Binary stripping (
stripnot run) - Function obfuscation
- Symbol sanitization
- Compiler flag hardening (no
-s,-Wl,--strip-all)
…suggests either incomplete build stages or development toolchains being used in production. This represents a critical security issue, making reverse engineering trivial and offering attackers access to internal logic, debug interfaces, and even proprietary protocols.
7. Security Posture and Risk Analysis
The security architecture of the BMW NBT EVO ID6 infotainment system reflects the priorities of a development process focused on performance, flexibility, and diagnostics — but not on isolation, hardening, or post-compromise resilience. This section synthesizes findings across filesystem permissions, user access, binary properties, and network exposure to assess the security posture of the system in a realistic attack model.
7.1 Credential Management and User Model
The system uses traditional Linux authentication via /etc/passwd and /etc/shadow, both present in the dump. Notable user entries include:
root— UID 0 superusermmi— likely related to media subsystemuser,dev,harman— developer or service accounts
Shadow file analysis shows some accounts are locked (! or * in password fields), but others contain hashed passwords (e.g. $6$...). There’s no evidence of:
- Two-factor authentication
- Role-based access control (RBAC)
- PAM configuration for access restriction
The presence of user accounts named dev and harman, along with /home directories in the dump, suggests that developers had direct shell access during integration. These accounts were not removed or restricted, violating basic principles of least privilege.
7.2 File System Permissions and Mount Behavior
Mount points and permissions indicate the system is designed for read-write operation in all key partitions:
/opt,/var,/etcare writable at runtime- Logs, configuration, and media metadata are updated on-disk
- No
nosuid,noexec, ornodevmount flags applied
There is no evidence of:
- OverlayFS read-only root protections
- AppArmor or SELinux enforcement
- Immutable flags on binaries or sensitive configuration
This open filesystem structure is highly flexible for diagnostics and development — but it enables runtime tampering, post-compromise persistence, and forensic data retention beyond expected lifecycle limits.
7.3 Networking Exposure
Startup scripts such as start_net.sh and strings inside binaries like NavigationFully confirm that the system supports Ethernet (eth0) and USB-tethered networking (usb0). These interfaces are brought up automatically and configured using udhcpc, suggesting:
- The system actively seeks DHCP on boot
- No filtering, firewall, or MAC restriction is applied
- The system may expose services over LAN or USB interfaces
No firewall configuration (e.g., iptables, nftables) was detected. Tools such as inetd.conf suggest support for legacy services (e.g., Telnet). D-Bus services are accessible via sockets and possibly exposed externally due to lack of socket namespace isolation.
There is also no NAT, proxy, or routing configuration to segregate services from direct LAN visibility, and diagnostic binaries contain hardcoded endpoints such as:
http://10.100.12.45/log_sync.php
ftp://logupload.harman.dev/
These URLs suggest open, unauthenticated endpoints for debugging.
7.4 Binary-Level Hardening
None of the analyzed ELF binaries show evidence of modern compiler-based security techniques. Most are compiled for ARMv7-A (32-bit) and exhibit:
- No RELRO (
readelf -lshows no GNU_RELRO segment) - No PIE (Position Independent Executables)
- No stack canaries (
__stack_chk_failabsent) - Full symbol tables and string data included
In fact, binaries like NavigationFully and VoiceEngineServer preserve:
- Build timestamps
- Function names
- Source code file paths
- CLI usage help text
For example:
Usage: NavigationFully [--debug] [--config=<path>]
Compiled: Thu Feb 22 10:43:17 CET 2018
This allows full reverse engineering without resorting to dynamic analysis or instrumentation.
7.5 USB Attack Surface
USB insertion is a primary attack vector. The following scripts are automatically triggered by USB media detection:
start_usb.shcopy_corefiles2usb.shusbdev_sync
Behavior observed includes:
- Automatic mounting of
/dev/sda1to/mnt/usb - Copying logs, memory dumps, and configuration to USB
- Syncing of media files and indexing into SQLite databases
There is no verification of USB device UUID, volume label, or origin. Any payload or malicious diagnostic script could be executed by exploiting logic in shell scripts. For example:
mount /dev/sda1 /mnt/usb
cp -r /opt/car/logs /mnt/usb/
No digital signatures, HMACs, or verification steps were found in these scripts. This suggests that a tampered USB drive could overwrite logs, plant binaries, or trigger crash loops.
7.6 Persistence and Log Leakage
Persistent logs reside under:
/opt/car/logs/var/crash/opt/mm/data/logs
These logs capture:
- Media playback state
- USB sync events
- Crash dumps
- System memory snapshots (via
collect_cardata.sh)
The presence of logs with long-term persistence (up to weeks) suggests that sensitive user activity can be recovered — e.g., last played media, devices synced, navigation routes, and USB insertion history.
7.7 Code Injection and GUI Exploits
As detailed in Section 8, GUI themes and layout logic are controlled via manifest_hmiMain.xml and .xar files. These are:
- Not validated at runtime
- Not signed or hashed
- Freely editable from
/fs/sda0/hmi/
This makes the GUI a target for local privilege escalation, code execution, or visual deception. For example, injecting a fake settings screen or hidden debug menu would require only altering XML in-place.
Combined with writable filesystem mounts, this bypasses the need for binary patching entirely.
8. GUI and HMI Architecture
The graphical user interface (GUI) of the BMW NBT EVO ID6 system represents one of the most complex and layered components of the head unit, blending real-time rendering, voice interaction, and external control inputs (e.g., iDrive controller) into a coherent and responsive visual experience. This section reconstructs the architecture and workflow of the HMI (Human-Machine Interface) based on reverse-engineered binaries, layout descriptors, and system logs extracted from the dump.
8.1 High-Level Structure
The GUI is not a standalone application but a composite framework composed of:
- Backend controller daemons (e.g.,
NavNBTEvoController) - GUI rendering binaries (e.g.,
NavigationFully,VoiceEngineServer) - XML layout descriptors and assets (e.g.,
manifest_hmiMain.xml) - Theme packages in a proprietary
.xarformat
These elements are tightly coupled and launched by startup scripts once system boot and core services are complete. The pipeline operates without sandboxing, on the same user privileges as the rest of the system, enabling high performance at the cost of isolation.
8.2 Rendering Pipeline and Graphics Stack
The GUI rendering system is designed to draw directly onto the framebuffer, with no intermediate windowing system (like X11 or Wayland). The rendering engine likely uses OpenGL ES 2.0 or 3.0, inferred by the structure of GPU-related binaries and GL-like call references in NavigationFully.
The pipeline appears as:
User Input (Rotary, Touch)
↓
[NavNBTEvoController]
↓
Custom IPC (possibly D-Bus)
↓
[HMI Rendering Engine]
↓
OpenGL Renderer → /dev/fb0
This pipeline supports:
- VSync-aligned redraws
- Z-order window stacking
- Layered scene composition
- Live overlay of navigation, media, and status indicators
Input sources (e.g., /dev/input/event0) are polled or interrupt-driven and mapped through a controller abstraction layer before being interpreted by the HMI engine.
8.3 Layout and Behavior: manifest_hmiMain.xml
Located under /fs/sda0/repository/istep/info/, the manifest_hmiMain.xml file serves as the master layout descriptor. It defines:
- GUI widgets (buttons, maps, scroll panes)
- Data sources and bindings
- Visual themes
- Event routing logic
An example snippet:
<Widget name="NavigationMap" type="MapWidget">
<Position x="0" y="0"/>
<Size width="800" height="480"/>
<ZOrder value="1"/>
<DataSource ref="nav_state"/>
<Theme ref="DayStandard"/>
</Widget>
Widgets are dynamically instantiated based on vehicle state, configuration files, and HMI service availability. The system parses this XML at runtime and launches the GUI in a fully declarative fashion — a common embedded HMI design pattern.
Notably, a .sign file for the XML manifest exists but there is no enforcement mechanism present in the binaries or startup scripts, indicating that signature checking was either never implemented or disabled in production.
8.4 Theme Assets and the .xar Format
The look and feel of the GUI is managed by .xar files — custom binary containers that encapsulate:
- PNG icon atlases
- Fonts and glyphs
- Textures and screen overlays
- Transition metadata and frame timings
- UI layout overrides for resolution and language
Example: GvID5VBE1025_IconDayStandard.xar
These files are extracted at runtime by the GUI rendering engine and used to skin the interface based on the time of day, vehicle region, or driver preferences.
The structure of .xar files is proprietary but analysis suggests:
- Compression (likely zlib or LZMA)
- Embedded metadata blocks
- A flat file index with resource pointers
- Use of internal magic headers (e.g.,
XARPKG1)
8.5 Observed Behavior and System Integration
From logs and reverse-engineered control binaries, we observe that the GUI system:
- Monitors hardware inputs like iDrive rotary events and touch panel swipes
- Polls D-Bus or custom IPC sockets for status and state changes
- Flushes the framebuffer at regular intervals or on scene redraw
- Uses pre-compiled shaders or rendering blocks loaded from
.xarassets - Supports screen overlays and PIP-like features (picture-in-picture for navigation/media)
The HMI engine appears to follow a state-machine model, where UI transitions occur based on internal context variables triggered by events such as “user turned dial,” “vehicle speed exceeds X,” or “voice command received.”
Error logs include messages such as:
[HMI] Failed to resolve layout for ‘WidgetNavMain’ in /opt/harman/hmi/nav.xar
This indicates dynamic resolution of GUI components and fallback behavior if assets or descriptors are missing.
8.6 Touch and Input Routing
Touch input is processed via:
/dev/input/eventXdevices- GPIO or I²C multiplexed controller messages
- Mapped gestures (e.g., tap, swipe) into HMI tokens
The presence of libevdev-like logic in the binaries suggests that gesture recognition is abstracted into higher-level events like HMI_GESTURE_SWIPE_LEFT.
Rotary controller (iDrive) messages appear to be routed via:
- Shared memory
- Local IPC messages
- Dedicated input event handlers in
NavNBTEvoController
These control flows are well abstracted, allowing the same GUI stack to be reused across models with or without touch, with varied iDrive input modes.
8.7 Debug Hooks and GUI Backdoors
The GUI engine includes developer-facing logging and diagnostic hooks that appear active in the production firmware. These include:
- Debug menus triggered by touch sequences
- Command-line tools like
OnOffDSICommanderthat affect screen output - IPC messages that simulate input or switch UI contexts
In some binaries, functions such as HMI::EnterDebugOverlayMode() and NavigationFully::LaunchSkinSelector() are still present and callable.
Logs confirm the presence of dynamic rendering overlays and diagnostic canvases used in testing. These could be invoked by inserting crafted events into the input stream or triggering undeleted code paths via D-Bus or environment variables.
8.8 Security Considerations
While the GUI stack is performant and feature-rich, it lacks fundamental protections:
- No runtime validation of themes or layout XML
- No sandboxing of the rendering process
- No access control between IPC senders and GUI receivers
- No checksum verification of
.xarpackages
This opens the door to persistent UI compromise — for example, malicious themes that simulate user menus, exfiltrate data, or alter on-screen display without binary patching.
Combined with the previously described writable filesystem and USB-triggered script behavior, the GUI layer constitutes a major attack vector for persistent, undetectable compromise.
9. Conclusion and Implications
The comprehensive analysis of the BMW NBT EVO ID6 system dump reveals a well-engineered yet loosely secured embedded infotainment platform, originally deployed with development-oriented configurations and extensive residual tooling. While it exemplifies robust integration between Linux, real-time graphical systems, and vehicle-grade I/O, the implementation suffers from oversights in sanitization, security hardening, and update discipline.
9.1 Summary of Technical Findings
Through binary reverse engineering, configuration inspection, and analysis of dumped scripts and metadata, I have identified:
- Complex, modular architecture blending real-time navigation, voice interaction, and media sync.
- Hardcoded developer metadata, including emails, build paths, Jira/Confluence references, and internal logs embedded in release binaries.
- Unsecured initialization logic, allowing physical access via USB to trigger full data extraction, trace enabling, and core dump capture.
- Use of SQLite schemas for persistent user metadata, exposing session history, sync states, and playback information.
- Direct framebuffer rendering via OpenGL, with layered GUI states controlled through declarative markup (
manifest_hmiMain.xml) and proprietary.xarpackages. - Absence of binary hardening, filesystem immutability, runtime isolation, or verified boot.
9.2 Security and Forensic Risk Profile
From a security engineering standpoint, the platform exposes multiple vectors that could be exploited by adversaries with:
- Physical access: Plug-and-play USB triggers automatically mount devices, collect logs, and allow unauthorized command injection via retained tooling like
OnOffDSICommander. - Software access: Lack of service separation, binary protections, and privilege boundaries enable lateral movement within the system and even on-device patching.
- Reverse engineering: Because many binaries are unstripped and contain extensive internal symbols and debug output, reconstructing internal logic, APIs, and data formats is straightforward.
- Network interface exposure: If Ethernet or USB tethering is enabled in-vehicle, interfaces like Telnet or FTP may provide unencrypted access to shell or file systems.
9.3 Implications for OEMs and Aftermarket
While BMW’s NBT EVO ID6 platform is not unique in its design goals, the implementation captured here reflects a broader industry trend: embedded systems shipped with minimal security controls, extensive debug capabilities, and significant overlap between development and production environments.
This state of affairs has consequences:
- Vehicle privacy: The system collects and stores user interaction data without strong encryption or audit logs.
- Tamperability: Attackers can trivially alter GUI, media, or routing behavior with minimal effort.
- Supply chain visibility: Developer metadata reveals upstream tooling, organization structure, and identity exposure.
These observations raise questions about post-sale ownership, modding, and responsibility in securing consumer-embedded systems.
9.4 Responsible Use and Disclosure
The full file dump used in this research is publicly mirrored at:
https://git.davidpetric.com/almostm4/nbtevo-system-dump
This project is a reverse engineering effort focused on learning, system emulation, and platform documentation. It is not intended for unauthorized tampering of live systems, nor does it provide firmware flashing or installation tools.
9.5 Final Remarks
The NBT EVO ID6 represents a critical transitional point in automotive infotainment history — from monolithic, opaque systems toward modular, Linux-driven platforms. Yet this transition brings with it the growing pains of embedded security debt: scripts left behind, diagnostics exposed, and critical services running with little isolation.
By studying these systems in depth, we not only gain insight into their design, but better understand the risks and tradeoffs faced by OEMs, hackers, and users alike.