
SSH Access Guide - Supra NBTEvo Headunit

nanaisu

Well-Known Member
First Name
Ronnie
Joined
Jul 2, 2024
Threads
1
Messages
231
Reaction score
278
Location
United States
Website
bananaisu.com
Car(s)
2022 Supra 3.0 Premium
Okay - so I did a bit more digging today on the whole "can we replace things" (i.e. pictures) like @a90.faz wants to since it was a simple and easy test, and the answer is... no.
The filesystem is mounted as read-only, which shouldn't be that big of an issue. Just remount the filesystem as RW and we should (probably) be good. I didn't spend too much time on trying to re-mount it. The mount command does exist, though /dev/sda0 isn't mounted.
hu-jacinto:/dev/shmem> mount
/dev/fs0p4 on /var type flash
/dev/fs0p3 on /mnt/wavedata type flash
/dev/fs0p1 on /mnt/application type flash
So that's cool. Lack of automotive/embedded systems is showing here, lol.

Though, the amount of utilities on the system are fairly stripped down, which sucks.
hu-jacinto:/dev/shmem> cd /bin/
hu-jacinto:/bin> ls
AudioProcess flashctl pidin
Logistic flashit pipe
LogisticHUJacintoStage fs-cifs random
NBTPathology fs-http rm
NbtEvoJacintoDiagHUHighApp grep route
SwdlMaster hwidx.sh sh
SwdlMaster.hbtc if-bolo slay
SwdlSlave if-test sleep
SwdlSlave.hbtc if_up sloginfo
TraceDSPApp_Root ifconfig sloginterceptor
apixconfig inetd sshd
autoarpd io-ipc start_swdl.sh
bootinfo io-pkt-v4 starterEmergencyRecovery.sh
cat ipc-version-check starterPackageCtrl
config_eth_patches.sh ipl-version-check switchconf_bcm8950x
copy_pidin.sh ksh switchconf_j5
cp ktb_dumper switchconf_ksz8864
dev-ioamp-router login switchconf_sja1105
dev-spi-dra6xx ls sysctl
dev-tuner-amfm mkdir sysetadjread
dev_signalpath_configurator mount telnetd
devc-pty multicored uname
devc-seromap mv v850commander
devf-generic on v850commander.sh
dhcp.client out32 waitfor
dumper pci watchdog5-jacinto
false pfctl

One of my next goals is to get cURL on the system and see if I can interact with some of the internal BMW resources, like the APIs to retrieve news data and all that. If I can do that, I'll be happy.

The only issue I'm running into is the chip - it looks like it's running a Texas Instruments DRA72x. OS-wise we're looking at QNX 6.5.0. So, for dropping binaries onto the system they need to be....
telnetd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /usr/lib/ldqnx.so.2, stripped
Great! Time to learn how to statically compile ARMv7 binaries so we can get some more tools on the machine :,)
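
The `file` output in the post above pins down what a binary has to look like for this head unit: 32-bit, little-endian, ARM, EABI5, and either the QNX interpreter or no interpreter at all. The Python check below is an added example, not part of the original post; `describe_elf`, `mismatches` and `make_sample` are hypothetical names, and the sample images are constructed inside the script.

```python
import struct

EM_ARM, PT_INTERP = 40, 3           # ELF constants: ARM machine id, interpreter segment type
QNX_INTERP = "/usr/lib/ldqnx.so.2"  # interpreter path reported by `file` in the post

def describe_elf(data: bytes) -> dict:
    """Extract the ELF32 header fields that `file` summarised for telnetd."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:                       # EI_CLASS: 1 = 32-bit
        raise ValueError("not a 32-bit ELF")
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = LSB
    _type, machine, _v, _entry, phoff, _shoff, flags, _ehsz, phentsz, phnum = \
        struct.unpack_from(end + "HHIIIIIHHH", data, 16)
    interp = None
    for i in range(phnum):                 # walk program headers looking for PT_INTERP
        off = phoff + i * phentsz
        if off + 32 > len(data):
            raise ValueError("truncated program header table")
        p_type, p_off, _va, _pa, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        if p_type == PT_INTERP:
            interp = data[p_off:p_off + p_filesz].rstrip(b"\0").decode("ascii", "replace")
    return {"lsb": end == "<", "machine": machine, "eabi": flags >> 24, "interp": interp}

def mismatches(info: dict) -> list:
    """List the ways a binary differs from the target described in the post."""
    problems = []
    if not info["lsb"]:
        problems.append("big-endian")
    if info["machine"] != EM_ARM:
        problems.append(f"e_machine={info['machine']}, expected ARM ({EM_ARM})")
    if info["eabi"] != 5:
        problems.append(f"EABI version {info['eabi']}, expected 5")
    if info["interp"] not in (None, QNX_INTERP):   # None = statically linked
        problems.append(f"interpreter {info['interp']!r} is not {QNX_INTERP}")
    return problems

def make_sample(machine, flags, interp):
    """Constructed minimal ELF32 LSB image (header plus optional PT_INTERP), for demonstration."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    path = (interp.encode() + b"\0") if interp else b""
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0, 52, 0, flags, 52, 32,
                      1 if interp else 0, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1) if interp else b""
    return ident + hdr + phdr + path

if __name__ == "__main__":
    for interp in (QNX_INTERP, None, "/lib/ld-linux-armhf.so.3"):
        print(interp, mismatches(describe_elf(make_sample(EM_ARM, 0x05000000, interp))))
```

The check covers only what the ELF header records. A statically linked ARM binary built for another operating system passes it while still targeting a different kernel, so the toolchain has to be a QNX one as well.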

OP
a90.faz

Well-Known Member
First Name
Faraz
Joined
Mar 20, 2024
Threads
10
Messages
170
Reaction score
313
Location
Dubai
Car(s)
24’ 3.0 Premium | Matte Avalanche White Metallic
@nanaisu how are you downloading those images? I keep getting errors in WinSCP no matter if I try connecting with SFTP or SCP.

PS: My car is back, happy to try anything you'd find useful
 

nanaisu

Good ol' sneakernet.
Plug a flash drive in, copy 'em over.
It's unfortunately stripped down and doesn't have SCP from what I can tell.
 

nanaisu

I also forgot to mention - I'm trying to acquire a lab headunit before doing any sort of firmware dumps. Unsurprisingly, there's call, texting, contact, and location logs on the headunit, lol.
Just wanted to throw that out there; if you do post anything, thoroughly review it first.
 

a90.faz

Thanks for the heads up! Getting code running is quite exciting. Do you have graphical access? i.e., can you get things to display on the screen? If so, custom apps/gauges would be a very cool idea.

I'd be super(a) interested to know the process/toolchain to compile for NBT. If you can throw together a guide, that'd be great!
 

hufman

Member
First Name
Walter
Joined
Aug 4, 2024
Threads
0
Messages
15
Reaction score
24
Location
California
Car(s)
2021 Mini Cooper SE
This is so cool! I'm going to have to root my car and dig around too, see what I can find!
 

iambak

Well-Known Member
First Name
Bak
Joined
Dec 28, 2022
Threads
4
Messages
58
Reaction score
74
Location
Australia
Car(s)
Supra
Hey guys, great thread, and thanks to everyone who’s shared their work so far.
FYI I came across an in-depth system dump analysis that looks like it overlaps a lot with what you’re doing: https://davidpetric.com/2025/06/23/bmw-nbt-evo-id6-system-dump-analysis/ . It walks through filesystem layout, init scripts, and the USB dump tooling — might help confirm which artifacts are safe to collect and which are risky to touch.

I’m trying to get SSH/shell access to my head unit without paying the amount. Has anyone managed to figure out how to enable it, or is that the only way? 😂
 

nanaisu

Good share - it's been a while since I poked around with things, but if you're looking to try a replay attack, I uploaded the pcap here:
https://github.com/Sq00ky/Supra-Headunit-RE/blob/main/headunit-flash-traffic.pcapng
Maybe there's a way with ISTA or eSys?