Monday, November 4, 2019

BMW NBT and NBT Evo Firmware Unpacker

It has been five years since I have released the first build of NBT firmware unpacker.

A few years ago I've had to stop the distribution of unpacker because the misuse of unpacker was disrupting the business of BMW retrofit shops. With 2018 public release of NBT and EVO vulnerabilities that have been known to the BMW retrofit scene since at least fall of 2014, and subsequent patching of vulnerabilities by BMW, I no longer consider distribution of the unpacker as harmful.

To commemorate the five years of NBT unpacker, I am releasing an updated and refactored version with the following new features:


  • Search for supported unpackable firmware files within specified folder
  • Searching for specific file within firmware across multiple firmware files in specified folder
  • Better handling of special cases like ASD or EQU files.
Download nbt_unpack release 1.0.0 here: Win32

12 comments:

  1. I didn't understand how to search for files

    ReplyDelete
  2. This searches for i2c.cfg file in all supported firmware files in current folder:
    nbt_unpack.exe -fs i2c.cfg .\

    ReplyDelete
  3. Do You have Firmware Unpacker for CIC Unit?

    ReplyDelete
  4. Hey, when i launch the software nothing happens, it crashes

    ReplyDelete
    Replies
    1. Does it print any error message or stack trace? If not it's likely your OS or Antivirus that's preventing the unpacker from running.

      Delete
    2. No it just launches the CMD window for a split second but doesnt do anything. I tried running it in compatibility mode and no dice

      Delete
    3. It does not have graphical interface, so you need to run it from command line to see any output.

      Delete
  5. Thanks for your help by the way

    ReplyDelete
  6. This comment has been removed by the author.

    ReplyDelete
  7. Hey, a lot of NBT SWFL files crashing your tool here

    panic: runtime error: makeslice: len out of range

    goroutine 1 [running]:
    main.getInputFile(0x11479600, 0x110826e0, 0x492e659, 0x0, 0x492e658, 0x0, 0x0, 0x4, 0x4)
    D:/Coding/Go/src/nbt_unpack/nbt_unpack.go:51 +0x80
    main.unpackFile(0x11010440, 0x3a, 0x10000)
    D:/Coding/Go/src/nbt_unpack/nbt_unpack.go:271 +0x940
    main.ifSupportedUnpack.func1(0x11010440, 0x3a, 0x4e3ba0, 0x1106a180, 0x0, 0x0, 0x0, 0x0)
    D:/Coding/Go/src/nbt_unpack/nbt_unpack.go:479 +0x167
    path/filepath.walk(0x11010440, 0x3a, 0x4e3ba0, 0x1106a180, 0x1100a0b8, 0x0, 0x0)
    C:/Go/src/path/filepath/path.go:358 +0x2de
    path/filepath.walk(0x1100c460, 0x1c, 0x4e3ba0, 0x1106a0c0, 0x1100a0b8, 0x0, 0x1100a0b8)
    C:/Go/src/path/filepath/path.go:382 +0x1fa
    path/filepath.Walk(0x1100c460, 0x1c, 0x1100a0b8, 0x1106a060, 0x0)
    C:/Go/src/path/filepath/path.go:404 +0xdd
    main.main()
    D:/Coding/Go/src/nbt_unpack/nbt_unpack.go:560 +0x18e

    Is there any chance to get the source code so I'll fix it?

    ReplyDelete

Making work with eMMC interposer slightly more convenient

In one of the previous posts I have described eMMC interposer and how it can help with modifications of the device firmware without having t...