05-24-2014, 09:28 AM
Join Date: Dec 2012
Mein Auto: 2014 F30 320d msport
Getting network access to HU_NBT
With the wifi hardware removed, I looked into another way of getting network connectivity to the NBT system. I connected my ENET cable and sniffed traffic, a saw some DHCP DISCOVER packets coming from 2 different MAC addresses, and one of these addresses had the Harman/Becker (who produces the NBT) OUI (first bytes of the MAC address identifying the manufacturer of the NIC).
I set up a dhcp server on my PC (using tftpd64) and after a while had two DHCP leases assigned:
The 192.168.222.1 is whatever it is that ESYS connects to. I'll investigate this, as well as the traffic generated by ESYS later.
The 192.168.222.2 is the NBT. I nmapped it:
And as you can see the SSH and telnet ports are unfortunately closed.
port 80 is listening, and has the lighttpd running on it that I discovered previously through the wifi connection.
The main page gives you a 404 error
The same subdirs are still present (/core and /trace).
However the trace dir doesn't contain logs this time (on my previous car this contained full debug logs of everything the NBT did, as well as boot logs etc.)
The other two ports didn't give me much, they disconnect immediately after connecting. I'll look into these some more in the future but my laptop battery was getting low.
The fact that ports 22 and 23 are unfiltered (not blocked by NBT's firewall, unlike most other ports) is interesting, there should be a way to enable ssh/telnet...
Anyone else feel like jumping into this?
Last edited by cronek; 05-24-2014 at 12:32 PM.