diff --git a/README.md b/README.md index 46898a49..a35d8814 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,18 @@ # BMW NBT EVO ID6 (SW 18-03) System Dump -This repository contains a full filesystem and binary dump from a BMW NBT EVO ID6 infotainment unit running software version **18-03**. Originaly it is the ID4 unit with 2GB RAM that was flashed to ID6 software. The dump was created for reverse engineering and research purposes, with potential applications in embedded systems analysis, car hacking, and infotainment platform security. +This repository contains a full filesystem and binary dump from a BMW NBT EVO ID6 infotainment unit running software version **18-03**. The unit was originally a BMW NBT EVO **ID4 with 2GB RAM**, later **flashed and upgraded to ID6 software**. + +The dump includes extracted system files, startup scripts, native binaries, and configuration artifacts. It was created for reverse engineering and research purposes, with applications in embedded systems analysis, automotive forensics, infotainment reverse engineering, and car hacking. + +--- + +## 📁 Filesystem Layout Notes + +- The root filesystem (`/`) is composed **entirely of symlinks to `/fs/sda0`**, except for the `/boot` folder +- The `/boot` directory is a standalone structure (included) and represents early-boot kernel and init components +- System runs a hybrid stack based on **QNX** and **Linux-style init/service structure** + +This is useful for studying boot sequences, partition roles, and filesystem overlays in embedded automotive environments. --- @@ -13,7 +25,7 @@ This dataset has been **manually reviewed** to exclude any user-identifiable dat - Bluetooth or WiFi credentials - Voice input data -System-level configuration files (e.g. `/etc/passwd`, `/etc/shadow`) are preserved for research. +System-level configuration files (e.g. `/etc/passwd`, `/etc/shadow`) are preserved for research and auditing purposes. --- @@ -25,4 +37,4 @@ This repository is shared for: - Embedded Linux/QNX system studies - Analysis of BMW's NBT software architecture -All content is provided strictly for non-commercial, research, and educational purposes. +All content is provided strictly for non-commercial, research, and educational purposes. \ No newline at end of file diff --git a/boot/bin/bootinfo b/boot/bin/bootinfo new file mode 100644 index 00000000..17a11f19 Binary files /dev/null and b/boot/bin/bootinfo differ diff --git a/boot/bin/devb-sdmmc-omap5evm b/boot/bin/devb-sdmmc-omap5evm new file mode 100644 index 00000000..305c5eed Binary files /dev/null and b/boot/bin/devb-sdmmc-omap5evm differ diff --git a/boot/bin/devc-seromap b/boot/bin/devc-seromap new file mode 100644 index 00000000..c68aa676 Binary files /dev/null and b/boot/bin/devc-seromap differ diff --git a/boot/bin/dumper b/boot/bin/dumper new file mode 100644 index 00000000..c83dd994 Binary files /dev/null and b/boot/bin/dumper differ diff --git a/boot/bin/gs b/boot/bin/gs new file mode 100644 index 00000000..68a7d6a6 Binary files /dev/null and b/boot/bin/gs differ diff --git a/boot/bin/if-bolo b/boot/bin/if-bolo new file mode 100644 index 00000000..5785e559 Binary files /dev/null and b/boot/bin/if-bolo differ diff --git a/boot/bin/ksh b/boot/bin/ksh new file mode 100644 index 00000000..2fea85ba Binary files /dev/null and b/boot/bin/ksh differ diff --git a/boot/bin/ktb_alloc b/boot/bin/ktb_alloc new file mode 100644 index 00000000..b2462ad7 Binary files /dev/null and b/boot/bin/ktb_alloc differ diff --git a/boot/bin/memcpy_utility.out b/boot/bin/memcpy_utility.out new file mode 100644 index 00000000..81f319e8 Binary files /dev/null and b/boot/bin/memcpy_utility.out differ diff --git a/boot/bin/out32 b/boot/bin/out32 new file mode 100644 index 00000000..d458f38a Binary files /dev/null and b/boot/bin/out32 differ diff --git a/boot/bin/slogger b/boot/bin/slogger new file mode 100644 index 00000000..86a6353f Binary files /dev/null and b/boot/bin/slogger differ diff --git a/boot/bin/sloginterceptor b/boot/bin/sloginterceptor new file mode 100644 index 00000000..dcc016d3 Binary files /dev/null and b/boot/bin/sloginterceptor differ diff --git a/boot/bin/sysinit b/boot/bin/sysinit new file mode 100644 index 00000000..bc7822c0 Binary files /dev/null and b/boot/bin/sysinit differ diff --git a/boot/bin/tracelogger b/boot/bin/tracelogger new file mode 100644 index 00000000..1678fc55 Binary files /dev/null and b/boot/bin/tracelogger differ diff --git a/boot/bin/v850commander b/boot/bin/v850commander new file mode 100644 index 00000000..6ca53c99 Binary files /dev/null and b/boot/bin/v850commander differ diff --git a/boot/bin/v850commander.sh b/boot/bin/v850commander.sh new file mode 100644 index 00000000..55a150fa --- /dev/null +++ b/boot/bin/v850commander.sh @@ -0,0 +1,80 @@ +#!/bin/sh + +ONOFF_IPC_CHANNEL=/dev/ipc/ipc2 + +log_msg() +{ + echo "$0: $1" + echo "$0: $1" > /dev/console +} + +if [[ $HOSTNAME == "hu-omap" ]]; then + OMAP=1 + JACINTO_NODE=hu-jacinto +elif [[ $HOSTNAME == "rse-omap" ]]; then + OMAP=1 + JACINTO_NODE=rse-jacinto +else + OMAP=0 +fi + +if [[ $OMAP -eq 1 ]]; then + ONOFF_IPC_CHANNEL=/net/${JACINTO_NODE}$ONOFF_IPC_CHANNEL +fi + +# Make sure that OnOff IPC channel is open... +if [[ ! -e $ONOFF_IPC_CHANNEL ]]; then + + log_msg "OnOff IPC channel $ONOFF_IPC_CHANNEL not available!" + log_msg "Starting OnOff IPC channel first..." + + # Start appropriate resource manager. Concrete choice depends on IPC Protocol Version used by V850. + whence ipc-version-check > /dev/null + if [[ $? -ne 0 ]]; then + log_msg "Failed to locate ipc-version-check!" + exit 1 + fi + + ipc-version-check + IPC_VERSION=$? + + case "$IPC_VERSION" in + 0) # Initial IPC + START_ONOFF_IPC_CHANNEL="dev-spi-dra6xx -v -c /etc/spi3.cfg" + ;; + 1) # IPC V1 - Block IPC on Jacinto + START_ONOFF_IPC_CHANNEL="io-ipc -c /etc/io-ipc-j5.cfg" + ;; + 2) # IPC V2 - Block IPC on Jacinto and OMAP + START_ONOFF_IPC_CHANNEL="io-ipc -c /etc/io-ipc-v2-j5.cfg" + ;; + *) log_msg "Unknown IPC Version $IPC_VERSION - unable to start OnOff IPC channel!" + exit 2 + ;; + esac + + if [[ $OMAP -eq 1 ]]; then + log_msg "Starting IPC resource manager on $JACINTO_NODE ..." + log_msg "$START_ONOFF_IPC_CHANNEL" + on -f /net/$JACINTO_NODE $START_ONOFF_IPC_CHANNEL + else + log_msg "Starting IPC resource manager ..." + log_msg "$START_ONOFF_IPC_CHANNEL" + $START_ONOFF_IPC_CHANNEL + fi + + waitfor $ONOFF_IPC_CHANNEL 10 + if [[ ! -e $ONOFF_IPC_CHANNEL ]]; then + log_msg "Failed to start IPC resource manager!" + exit 3 + fi + +fi + +# ... then execute v850commander (may run on any node) +log_msg "Executing v850commander $* ..." +exec v850commander $* + +log_msg "Failed to execute v850commander!" + +exit 4 diff --git a/boot/etc/nbt_version.txt b/boot/etc/nbt_version.txt new file mode 100644 index 00000000..5470d916 --- /dev/null +++ b/boot/etc/nbt_version.txt @@ -0,0 +1 @@ +NBTevo_N18092I diff --git a/boot/lib/cam-disk.so b/boot/lib/cam-disk.so new file mode 100644 index 00000000..d1547f5b Binary files /dev/null and b/boot/lib/cam-disk.so differ diff --git a/boot/lib/charset.so b/boot/lib/charset.so new file mode 100644 index 00000000..e106652d Binary files /dev/null and b/boot/lib/charset.so differ diff --git a/boot/lib/fs-dos.so b/boot/lib/fs-dos.so new file mode 100644 index 00000000..a4fda244 Binary files /dev/null and b/boot/lib/fs-dos.so differ diff --git a/boot/lib/fs-qnx6.so b/boot/lib/fs-qnx6.so new file mode 100644 index 00000000..7946e1ac Binary files /dev/null and b/boot/lib/fs-qnx6.so differ diff --git a/boot/lib/io-blk.so b/boot/lib/io-blk.so new file mode 100644 index 00000000..c667b134 Binary files /dev/null and b/boot/lib/io-blk.so differ diff --git a/boot/lib/libc.so.3 b/boot/lib/libc.so.3 new file mode 100644 index 00000000..9ef0a514 Binary files /dev/null and b/boot/lib/libc.so.3 differ diff --git a/boot/lib/libcam.so.2 b/boot/lib/libcam.so.2 new file mode 100644 index 00000000..787b4100 Binary files /dev/null and b/boot/lib/libcam.so.2 differ diff --git a/boot/lib/libnbt_starter_plugin-omap.so b/boot/lib/libnbt_starter_plugin-omap.so new file mode 100644 index 00000000..d827907d Binary files /dev/null and b/boot/lib/libnbt_starter_plugin-omap.so differ