Technical specifications and manuals

superwofy

Corporal
Jan 18, 2021
109
151
0
This is what I was able to collect regarding architecture and components. It's all public.

The main X86 (hu-intel) CPU is a Tunnel Creek with 1GB RAM. Most likely: https://www.intel.com/content/www/u...e660t-512k-cache-1-30-ghz/specifications.html

A QNX driver "dev-speedstep" varies the CPU clock from 600-1300 MHz.

Total Cores: 1
Total Threads: 2
Processor Base Frequency: 1.30 GHz
Cache: 512 KB L2 Cache
Bus Speed: 2500 MHz
TDP: 3.6 W


The Gateway side is a TI DRA446 (Jacinto). ARMv9 324MHz, 64MB RAM, 64MB flash.

HW <= 08 have an internal gyroscope (like CIC). HW 21 and 31 do not. This means that for accurate GPS positioning, messages 0x199, 0x19A and 0x19F, which would normally be sent by the ICM, need to be "emulated".

Units with connector A42*3B above Quadlock have 4 FBAS inputs - 2 in A42*3B, 2 in QuadLock.
 

Attachments

  • Headunit High.pdf
  • Manual-para-referencia-NBT.pdf
  • fcc all internal photos.pdf
  • wlan-bt chip.png

Xantor

Private
Jan 3, 2023
37
4
0
I won't ask where you got that from lmao but the headunit high pdf was a good read. The step from CIC to NBT seems smaller than CCC to CIC in that regard. Let's see what one could do with this. While I have read your other posts regarding your CIC Portal the NBT might profit from this. Using something newer than HTML4 must be awesome. As a freshly baked "web dev" this also piqued my interest in what one could probably do with a privately hosted server.

oh and wtf was that guy on that told you your project was poop but was yet to contribute anything useful to it xD
 

superwofy

It's all mostly public. The BMW one I believe is from TIS somewhere.
The more architecture specific one is from Anatel. Brazil's FCC equivalent - public.

Yes indeed, much smaller jump. The addition of an actual GPU makes the menus so sleek. The SSD I added makes the navigation almost instant. It's incremental.

The browser is indeed newer but to be honest the CIC portal I had was pretty quick for what it was. Even with this extra horsepower I don't really have any extra functionality I will add. It's an old WebKit engine still. Vastly newer than the NetFront browser in the CIC but still a dinosaur.

No comment on the last part :tearsofjoy:
 

superwofy

> @superwofy, why not EVO? Why you chose NBT? :D Out of curiosity.

Mostly coincidental. I got this head unit for very cheap and happened to have a smashed F30 APIX1 screen lying about.

I did think it would be more suitable to E series cars since its design is much closer to CIC than the new EVOs.
I also wanted to run my ConnectedDrive "portal" on it through bluetooth tethering. Is this possible in ID4/5/6?
Security is more lax on NBT too, no component protection.

Hey, who knows, if I find an ID4 for a steal I might work on that too.
 

Xantor

Did they change the IDs and TLC for navigating in those headunits drastically? If so the whole logic for your module would need to be reworked, right?
Can't find the right way to express it lmao. But the NBT and Evo probably don't work with the KWP2000 protocol, right? That's a pretty old standard.

Oh and do you plan to make use of the touch ZBE?

Open to hear your thoughts.
 

walkernight88

New Member
Oct 30, 2019
8
7
0
Ride
F10 520d pre-lci
superwofy said:
> Mostly coincidental. I got this head unit for very cheap and happened to have a smashed F30 APIX1 screen lying about.
>
> I did think it would be more suitable to E series cars since its design is much closer to CIC than the new EVOs.
> I also wanted to run my ConnectedDrive "portal" on it through bluetooth tethering. Is this possible in ID4/5/6?
> Security is more lax on NBT too, no component protection.
>
> Hey, who knows, if I find an ID4 for a steal I might work on that too.

Yes, ConnectedDrive can be hacked on ID5/6 too, but it's totally different than what you've done for CIC. On EVO you've got "apps", which run JS in background and the interface is done via XMLs and rendered by RHMI. There are several milestones to be achieved: provisioning is signed so you need to either replace certs or remove signature, apps are signed with an "AppDevelopmentCert", you need to replace or remove... I've made those things, so when you get your EVO, contact me :D

I still work on the ATM part. The Telematic is f**ed up hard time. Running android on Qualcomm SoC with almost 0 documentation. No usb port, no UART open, ethernet is over someip which sucks... Anyway, I'd recommend an ID4 and upgrade it to 4GB of RAM. (HW 2.x or above)
 

Xantor

ID4 with HW 2.3? Which would remain on ID4 or using it to update to Id5/6?

I know barely anything about those units as of now. Never even had the chance to experience anything newer than cic in real life.
 

Xantor

> Flash to ID5/6... why would you keep the EVO on ID4? It's NBT on steroids :D

There surely must be some things that wouldn't work in the E9x platform with an NBT/EVO, right? Or vice versa -> E9x stuff that doesn't work in the NBT. Or are they? Like oil level readings? Do they use the same info from the dme or has that changed in the F series. Or other minor things
 

walkernight88

About the CAN messages mapping between BN2000-BN2020 I have no idea. I only had F01 and EVO works fine. It's true that F01 came with NBT from factory so...
NBT / NBT EVO need 500kbps CAN. I don't think E9x has this bus available. Probably only on powertrain, which is useless for HU. Most certainly you need an emulator which will translate CAN frames from E9x buses to HU bus. Not only the speed of transmission, but the data packets too.
 

pRoxxx

Private
Feb 9, 2021
29
5
0
Very useful document for reversing.
 

Attachments

  • us-19-Cai-0-Days-And-Mitigations-Roadways-To-Exploit-And-Secure-Connected-BMW-Cars.pdf

superwofy

walkernight88 said:
> About the CAN messages mapping between BN2000-BN2020 I have no idea. I only had F01 and EVO works fine. It's true that F01 came with NBT from factory so...
> NBT / NBT EVO need 500kbps CAN. I don't think E9x has this bus available. Probably only on powertrain, which is useless for HU. Most certainly you need an emulator which will translate CAN frames from E9x buses to HU bus. Not only the speed of transmission, but the data packets too.

Don't need BN2020, 2010 (PL6) is sufficient.
Yes they need 500kbps CAN. I actually did manage to change the bit timing on Jacinto to make it run at 100. But there's no point because you have to give up on ZBE4 and TBX. Also can't isolate the HU from the rest of the buses. See the pdf that pRoxxx posted for why you should.

In my limited testing so far, there's no overlap in BN2000 -> BN2010. Only additional messages. Per what I'm implementing in my module's "emulator" code these are the messages I implemented:
Code:
0x3C:  Vehicle status.
0xA1:  Faceplate power/eject.
0xA2:  Faceplate memory buttons.
0xA3:  Faceplate seek buttons.
0xA5:  Torque 1.
0xF1:  Faceplate volume.
0x12F: Terminal status.
0x199: Longitudinal acceleration.
0x19A: Lateral acceleration.
0x19F: Yaw rate (gyro). Needed on NBT HW >= 10.
0x1A1: Vehicle speed.
0x1C4, 0x1C5: Distance.
0x2C1: PDC status.
0x301, 0x302: Steering angle, steering angle effective.
0x380: Patched VIN to activate built-in FSCs.
0x393: Kombi LCD brightness. Used by NBT/CID.
0x3A0: Vehicle energy condition.
0x3A7: Driving dynamics switch. Used for mode popup.
0x3F9: Powertrain data 2.
0x510: ZGW Network Management.
0x560: Kombi Network Management.
0x6F1: Clear errors KWP job translated to UDS for NBT_HU and ZBE.

Pretty sure this is enough as a baseline for EVO too.
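
Added example (not code from superwofy's module or from anyone in this thread): a default-deny filter that an emulator module sitting between the vehicle bus and the head unit could apply, using the message IDs listed in the post above. The frame struct, the function names and the policy of relaying nothing that the head unit transmits are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IDs from the list in the post above, sorted; all other names are assumed. */
static const uint16_t HU_ALLOW[] = {
    0x03C, 0x0A1, 0x0A2, 0x0A3, 0x0A5, 0x0F1, 0x12F, 0x199, 0x19A, 0x19F,
    0x1A1, 0x1C4, 0x1C5, 0x2C1, 0x301, 0x302, 0x380, 0x393, 0x3A0, 0x3A7,
    0x3F9, 0x510, 0x560, 0x6F1 };
#define HU_ALLOW_N (sizeof HU_ALLOW / sizeof HU_ALLOW[0])

typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;
typedef enum { TO_HU = 0, FROM_HU = 1 } gw_dir_t;
typedef struct { uint32_t passed[2], dropped[2], last_dropped_id; } gw_stats_t;

/* Binary search over the sorted allowlist. */
static bool id_allowed(uint32_t id) {
    size_t lo = 0, hi = HU_ALLOW_N;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (HU_ALLOW[mid] == id) return true;
        if (HU_ALLOW[mid] < id) lo = mid + 1; else hi = mid;
    }
    return false;
}

/* Default deny: only well-formed, allowlisted frames reach the head unit.
 * Assumed policy: nothing the head unit transmits is relayed back. */
bool gw_should_forward(gw_dir_t dir, const can_frame_t *f, gw_stats_t *st) {
    bool ok = f->id <= 0x7FF && f->dlc <= 8      /* 11-bit ID, classic CAN */
              && dir == TO_HU && id_allowed(f->id);
    if (ok) {
        st->passed[dir]++;
    } else {                     /* keep counters so drops can be reviewed */
        st->dropped[dir]++;
        st->last_dropped_id = f->id;
    }
    return ok;
}

int main(void) {
    gw_stats_t st = {0};
    /* Constructed sample frames: 0x1A1 is on the list, 0x2F8 is not. */
    can_frame_t speed = { .id = 0x1A1, .dlc = 8 }, other = { .id = 0x2F8, .dlc = 8 };
    printf("0x1A1 to HU: %d\n", gw_should_forward(TO_HU, &speed, &st));
    printf("0x2F8 to HU: %d\n", gw_should_forward(TO_HU, &other, &st));
    printf("0x1A1 from HU: %d\n", gw_should_forward(FROM_HU, &speed, &st));
    return 0;
}
```

The drop counters give a cheap signal when unexpected traffic appears on either side of the module.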
 

walkernight88


Yes. It's pretty accurate. I'm very interested in A5 - Torque1. Can you share some details about this CAN frame?
 

Xantor

walkernight88 said:
> I still work on the ATM part. The Telematic is f**ed up hard time. Running android on Qualcomm SoC with almost 0 documentation. No usb port, no UART open, ethernet is over someip which sucks... Anyway, I'd recommend an ID4 and upgrade it to 4GB of RAM. (HW 2.x or above)

Can you explain this a bit further? Is it possible to physically upgrade the RAM from 2gb to 4gb like in a PC? Or is this a bit more evolving?
 

walkernight88

Not really. You need to solder the ram chips and enable the second ram controller.
 