MyFord Touch system hack. Enable features, navigation, rear view camera, etc.

mdl054

Senior Member
Nov 20, 2013
143
70
0
Düsseldorf
UPDATE: Hey folks, navigation has been figured out. Thank you to everyone who helped and an especially big thank you to the folks in Russia who made it mostly possible!
https://forum.xda-developers.com/windows-mobile/general/myford-touch-navigation-activation-t3368080

There was a thread on this topic a while back and has since been closed. Pending certain developments it has become prudent to open a new thread to discuss these new directions.

The last thread can be found here: http://forum.xda-developers.com/windows-mobile/general/hacking-myford-touch-getting-closer-t2938321

First of all, I want to start this thread by saying this is NOT intended to start fights! One user, jmr061, has figured it all out and currently charges money through his own private website and business in the Wisconsin area. I don't want to hear anything about putting anyone out of business. His business is his own. Its fine if you feel that way but this thread isn't the place to discuss it. He is also the only one thus far who has successfully plumbed the workings of MFT entirely and I have nothing but respect for him. He also happens to be a very helpful poster on many Ford enthusiast websites across the net and doesn't deserve any chastising of any kind. Keep it clean!


Current option for adding Navigation to MFT in a non-Nav equipped vehicle:

Replacing the APIM with a Nav enabled one. The part numbers are different and a few versions exist. To successfully add the new APIM you must match the correct options. By not getting the proper APIM you will very likely lose features such as the backup camera, etc.. To properly check which car came with what options you will need to use Ford Etis. Ford Etis can be found Here. Options that are not enabled by the factory show as "Less XXX" where XXX represents the option. For example, a car without Nav will read "Less Navigation". Similarly, a car with Nav will read "With Navigation". You must match all options.

There are a few downsides to this procedure. First of all, the obvious is finding an APIM that is correctly configured for your car. Secondly you will need to rip the dash apart. It isn't particularly difficult depending on your model but it can lead to a few setbacks. A software update from Ford installed on a USB drive can also remove the nav. I'll get into this later down below. The expense is also a factor as you can rarely get the units for less than a few hundred. Certain sites online sell Nav enabled APIMs for over a thousand or more.

You will also need to purchase a navigation SD card separately. At the time of writing (Feb 2016) the A7 card is newest for North America.

I can independently confirm this method does work. This is my 2013 Ford Fusion SE that was equipped with MFT and no Nav.


What I believe we need to do to unlock Navigation in our MFT systems

The secret to enabling features is going to be in the As Built Data. ABD. It seems as though all MFT cars get the same APIM and what differentiates the features is the ABD. The ABD tells the car which features were purchased and which to be enabled. ABD is not plain text, it exists as bits. Comparing the ABD of cars with Nav vs cars without Nav should teach us what modifications we need to make. The ABD is NOT easy to access or change and will likely involve using proprietary or expensive software to do so. Ford VCM2 and IDS are a guarantee. ABD is not unique to the APIM, in fact its used in many modules on the car. We are unable to manually change values on the APIM ABD.

We should be able to accomplish this without opening the dash up as the solution is within the software, not the hardware.

I found a tool for the Ford Focus that will retrieve ABD and edit it. http://ford.xtlt.ru/

Things to keep in mind:
- Updates for MFT from Ford.com will remove Nav from even a Nav enabled APIM. As happened to me. Probably has to do with the ABD (as stated above).
-It seems as though the update files given to a car with Nav are identical to the update files given to a car without Nav. I could be wrong but my testing of this is very limited. I used the VIN from my car to create an account and download the latest version of the software then I used the VIN from a Nav enabled car and created a separate account and downloaded the latest software. The file name, size, and hash are the same. It is unknown (at least by me) at this time if this is the same across the board. Its possible (and likely) the file for the Fusion will differ from the file for say an Escape.
- A downstream USB port exists on the rear of the APIM. Connectivity achieved by use of a Ford Rotunda OTC Sync Generation 2 Programming Cable.
- Interestingly enough it seems that all Nav enabled APIMs use the same Navigation license.
- Many (possibly most) APIMs are all loaded with the Navigation apps already and simply lack the license. Some users on other forums have sucessfully added the license (again the same on all) but it won't magically run. Probably ABD related as well.
- Modifying the Zip files for the update install will break the signature and verification used by the MFT and will NOT install.
- The MFT system is custom designed from the ground up. No standard file structure exists in other systems.
- In the old thread a user jsalzman took his APIM apart. He took highly detailed pictures. They can be found Here. Thank you!
- Ford IDS cannot be used to change ABD on APIM for MFT.
- It seems jmr061 figured it all out around March 2015. Some of his post history on other forums gives us many clues. Please don't flame him.
 
Last edited:

rioachim

Senior Member
Jul 4, 2011
266
93
48
Just more proof we can figure it out. :highfive:
I highly doubt it. You need 2 cars with same configuration, one having navigation. Then dump the ABD data, and find the byte that enables nav, change it together with the checksum. Afterwards, you will need Ford IDS and Oasis to do a reinstall on the module, and swap the ABD file. Well, this is just my guess, but for sure additional equipment and paid access to Ford tools is required.
 

mdl054

Senior Member
Nov 20, 2013
143
70
0
Düsseldorf
I've actually found today a few sites in Russian with people who have figured it out. The problem is the translations.

From google translate I got this (I know it sounds funny but I promise I didn't change any of it lol)
Comrades! The revolution, the necessity of which for so long asserted Bolsheviks accomplished!)))

And now in order. The procedure consists of the following stages:
- Take the internal configuration APIM car navigation or read the current, turn it NAVIGATION Application and fill back.
- Make the substitution on the VIN that navigation from the factory
- Connect IDS + FORDTECHSERVICE + OASIS and reinstalling the module as a new SYNC - voila ... a huge thank you to Nicholas Trainer_F for what IDS-tion of the event was made ​​possible ...

Well, just so long as: firmware English, displaying maps in Russian, menus and voice guidance in English. Restayl with the advent of the ITF and the Russian navigation think maybe it will be possible to do in Russian.
 

seadiel

Senior Member
Dec 30, 2008
51
20
0
Crazy you posted this as I been working on this for the last few weeks after that last forum died out.

You stated everything I figured out as well. I have thoroughly disassembled all the update files and found some interesting clues/ideas on a way in through the software side.

For the hardware side I have a good idea how it all works. You can use this to edit as built data w w w ucdsys.ru
The APIM as built data is programmed to the hardware and will tell the software what is enabled and what is not (Nav, backup cam) If you know the Hex values for the as built data and use a third party programming tool you can enable Nav/backup camera through the CAN. There is some more steps for the Nav going this route. You can get the ABD from ford here w w w motorcraftservice.com/AsBuilt and compare a similar year/model car with NAV/backup camera and one without to figure out the hex values.

What I have found out on the software side of things:

myfordtouch runs Windows CE/EDB databases via some sqllite commands then what we all see on the screen is flash (.swf). The update towards the end when it puts the .swf files in does a integrityfilescheck() which verifies the SHA256 hash on these .swf I suspect only. Nothing we can do on the SHA256 check.
But based on what I was able to dissemble from the update files on SYNCGen2_4.32.14122 file versions. The first thing it runs is the 14D546-EE.cab which saves an XML file on the thumb drive this will list your vin #, part #'s, processes running, space on TFAT,RAM,ROM. ect ect. This one is interesting to note the running .exe’s

Before the target images are applied, it appears to save “Registry settings” 14D546-AKB talks about gathering current language and then

“SOFTWARE\Ford\DataManager\gns\system”
“POPUP” NavUnlocked regkey = ‘%d’”
NavUnlocked
SOFTWARE\Ford\DataManager\gns\ApplicationSettings

Near the end of the update for the image files 14D546-AGB it has:

“SOFTWARE\Ford\DataManager\gns\system”
NavUnlocked
SOFTWARE\Ford\DataManager\gns\ApplicationSettings
“%S() Success restoring Nav unlock registry values.
LicenseCount
DPS indicates Navigation has not been unlocked! Exit.

I have created a program for Windows CE to retrieve the registry info to a text file on the USB drive. I was able to create the CAB and run the CAB, but after about 10 seconds it errors out with “Invalid or Unsigned File” my cab is unsigned I figured it wasn’t going to be this easy. Looking at the update files the cab is signed by “Ford Motor Company Internal SYNCGEN2 Issuing CA” and issued to: “Sync Dynamic Code Signing Gen2 A4” inside the cab the .999 file that does all the work is signed by “Microsoft Test Software Publish Certificate” The SYNCGGEN2 is a SHA1 signature hash algorithm. The Microsoft one uses a MD5 hash algorithm and appears to be some random certificate built into the platform builder that says do not use for publishing. I am working on a few methods to get around the signed file. I may try loading the code into a random .jpg or image file and upload it to the background area and in theory once uploaded and clicked on should run the code. Simple Trojan horse.

Code in the Appconsole.swf as noted in the prior thread that determines if NAV should be displayed in the right corner of the screen or if Information should be.

SyncUtilLin797staticfunctionIsNavSystemInstalled()
staticfunctionIsNavSystemInstalled()
{
var_loc1_=false;
if(SyncConst.UseNavOverride)
{
SyncBaseClass.swarning(SyncUtil.sCN,"GetNavSystemStatus:eek:verriding\'IsNavInstalled\'flagtotrue,sinceSyncConst.UseNavOverrideisset.");
_loc1_=true;
}
elseif(Plugins.DataManager)
{
var_loc4_=SyncUtil.GetDMNumber("InboundDiag.NavAppEnabled",1);
var_loc2_=SyncUtil.GetDMNumber("ApplicationSettings.NavUnlocked",0);
var_loc3_=SyncUtil.GetDMNumber("Provisioning.NavInstalled",0);
_loc1_=Boolean(_loc4_==1&&_loc2_==1&&_loc3_==1);
}
else
{
_loc1_=false;
}
SyncConst.IsNavInstalled=_loc1_;
return_loc1_;
}
 

mdl054

Senior Member
Nov 20, 2013
143
70
0
Düsseldorf
Definitely on the right track. I got a second Nav enabled APIM today because I wrecked my last one. I carelessly loaded the wrong update file when I was playing around and used the official ford update (not mine which I never expected to work anyways) which disabled Nav. I've yet to get around the signature issues.

Let me know if you need anything off this APIM.
 
  • Like
Reactions: Panamon

seadiel

Senior Member
Dec 30, 2008
51
20
0
I bought a used NAV enabled APIM as well from w w w.lkqonline.com was only $125+ $12 shipping. It works for my 2013 Fusion, but I have the Fusion Energi and it threw an error (Check engine DTC). I didn't see any reports of other people posting DTC errors when they swapped out non-nav APIM's with nav APIM's from other vehicles. Could be a Hybrid/Energi only problem since there is an additional menu on those cars in myfordtouch.

I am trying a few idea's on the signature issue still. I also thought about taking the NAND flash off the circuit board, but I don't know if I want to spend the money to buy another APIM just to take it apart.
 

seadiel

Senior Member
Dec 30, 2008
51
20
0
Hey all I just bought a 2013 Ford Fusion w/ MFT. Is it safe to update MFT or will that decrease the chance of this project working when it comes to be?
Super Jay,
I am currently on version 3.7.11 (SYNCGen2_4.32.14122) the newest is one up 3.8 (SYNCGen2 V38 15128 updatepackage NA Rev1). I have not looked at the newest version 3.8 yet but I can confirm the update 3.7.11 released 2014 is still vulnerable to the Microsoft Security Vulnerability (MS13-098) Even though this security update was in 12/2013. / 7/2014
“The security update addresses the vulnerability by modifying how the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable files.”

I am able to successfully add additional code to the .999 file without affecting the digital signature. The problem is in order to add the data to the .999 file you have to unpack the .cab file so even though I can get the code in the .999 file and it remain a valid digital signature, I am struggling on repacking the .cab in order to get a valid signature now for the “Ford Motor Company Internal SYNCGEN2 Issuing CA”.
So I am working on just adding the extra code to the .cab file. I can add the code to the cab file without breaking the signature it is just more difficult to understand the .cab hex layout in terms of the format/headers/compression compared to a PE file.

Even if someone is able to get full access to the sync system doesn’t mean you can just drop an android image in, problem solved. The android image would require a lot of customization to make it all work. I am just looking to see if I can get in and if there is a simple way to activate navigation once in without having to modify the hardware/As built data. If successful then this would open up other possible areas like adding more functions or apps.
 

super jay

Senior Member
Jan 10, 2010
62
15
0
26
Buffalo, NY
Thanks for the reply Seadiel,

I should have some free time tomorrow to work on this. I'll try and see if the latest update is still vulnerable. If there's a more productive way for me to help out please let me know.

Edit: Removed unnecessary quote
 
Last edited:
  • Like
Reactions: akifyilmaz

akifyilmaz

New member
Mar 21, 2016
2
0
0
Following this thread...
I'm willing to buy navigation SD cards but Ford is not even giving me the option to open (purchase) Navi functionality!
 
Last edited:

seadiel

Senior Member
Dec 30, 2008
51
20
0
Just an update, I am still messing around with this on my free time. I have a few projects with this going on. I am still working on the added code to the cab file using the (Microsoft Security Vulnerability (MS13-098)). Takes a while to learn hex/COFF structures. I attached the PE file format structure & how it relates to the Authenticode signature format. Crazy you can still add a ton of extra code to a file without breaking a checksum/digital signature.

I been playing around with “BadUSB” that exploits the USB Phison PS2251-03 (2303) controller. I am still working on the firmware to tailor it towards windows ce/myfordtouch.

I will post the instructions soon on how to enable Navigation/backup camera via the hardware/CAN route, since the software side is more difficult.
 

Attachments

Last edited:
  • Like
Reactions: akifyilmaz

Dr3X

New member
Jan 26, 2011
4
2
0
Definitely on the right track. I got a second Nav enabled APIM today because I wrecked my last one. I carelessly loaded the wrong update file when I was playing around and used the official ford update (not mine which I never expected to work anyways) which disabled Nav. I've yet to get around the signature issues.

Let me know if you need anything off this APIM.

I had the same situation. Bricked the NAV when installed the last SYNC update. I could see the license on the MFT but NAV was no longer functional. After some digging into the update files found a discrepancy and "crafted" one with the missing files. It worked like a champ. Now my NAV is working again. You can download it here:
------------https://onedrive.live.com/redir?resid=134D09ADEFC20FD3!52459&authkey=!AH57Dq9Jl3Fj71c&ithint=file%2czip

If the Full package does not work, PM. I will look for the one I used to load just the renaming NAV pieces. Also, need a master reset after the update.

Now I need to figure out how to enable the backup camera into this APIM. I lost mine when swapped for NAV.

GL
 
  • Like
Reactions: seadiel

MarcinXDA

Senior Member
Oct 24, 2010
232
52
58
Warsaw
I had the same situation. Bricked the NAV when installed the last SYNC update. I could see the license on the MFT but NAV was no longer functional. After some digging into the update files found a discrepancy and "crafted" one with the missing files. It worked like a champ. Now my NAV is working again. You can download it here:
------------https://onedrive.live.com/redir?resid=134D09ADEFC20FD3!52459&authkey=!AH57Dq9Jl3Fj71c&ithint=file%2czip

If the Full package does not work, PM. I will look for the one I used to load just the renaming NAV pieces. Also, need a master reset after the update.

Now I need to figure out how to enable the backup camera into this APIM. I lost mine when swapped for NAV.

GL
Backup camera could be enabled by obd2 cable (stn1170) and FoCCCus software.
 

seadiel

Senior Member
Dec 30, 2008
51
20
0
I had the same situation. Bricked the NAV when installed the last SYNC update. I could see the license on the MFT but NAV was no longer functional. After some digging into the update files found a discrepancy and "crafted" one with the missing files. It worked like a champ. Now my NAV is working again. You can download it here:
------------https://onedrive.live.com/redir?resid=134D09ADEFC20FD3!52459&authkey=!AH57Dq9Jl3Fj71c&ithint=file%2czip

If the Full package does not work, PM. I will look for the one I used to load just the renaming NAV pieces. Also, need a master reset after the update.

Now I need to figure out how to enable the backup camera into this APIM. I lost mine when swapped for NAV.

GL
Dr3X,

Thanks for the files. I just noticed EA5T-14D544-AD.zip is not digital signed nor is the .sec file. I am assuming you used this and it worked? I will have to look at that .sec some more, I never really looked at it since it is a 2GB file uncompressed, but if the system will allow that file with no digital signature that is interesting.
 

Dr3X

New member
Jan 26, 2011
4
2
0
Here is the NAV only pieces I used to fix mine. If you already have the same code level and try to install the full package it will stop because is the same level of code. But with a install file with only the missing pieces it will go thru. After the install is finished then do a master reset and you should have that APIM back to nav again.


-----------https://onedrive.live.com/redir?resid=134D09ADEFC20FD3!55786&authkey=!AMRvmLCVKv7eBUs&ithint=file%2czip

---------- Post added at 04:45 PM ---------- Previous post was at 04:39 PM ----------

Backup camera could be enabled by obd2 cable (stn1170) and FoCCCus software.
Can you point me on the right direction to get them?


Thanks
 
  • Like
Reactions: MarcinXDA

ptodic

Member
Jun 15, 2008
13
7
0
Dr3X,

Thanks for the files. I just noticed EA5T-14D544-AD.zip is not digital signed nor is the .sec file. I am assuming you used this and it worked? I will have to look at that .sec some more, I never really looked at it since it is a 2GB file uncompressed, but if the system will allow that file with no digital signature that is interesting.
It seems that ZIP-s are signed too.
 

seadiel

Senior Member
Dec 30, 2008
51
20
0
It seems that ZIP-s are signed too.
When I right click the .zip files I don't see a digital signature tab, I also ran the zip files through sigcheck and it says it is unsigned. There is only one .zip file that does not contain a digital signed .CAB file in it. That is the .sec file found in EA5T-14D544-AD.zip or EA5T-14D544-AC*.zip (Depending on sync upload files/version you have)

Edit: I ran the .sec file through strings.exe looking at the Unicode text in the file and find it interesting as it talks about like there is a windows desktop there with internet explore, FTP, offline mode/this page is secure/you will be redirected ect ect. I attached a screen capture of a portion of the print out. The file is 2gb so I only printed about 10mb in a command console.
 

Attachments

Last edited:

MarcinXDA

Senior Member
Oct 24, 2010
232
52
58
Warsaw
Can you point me on the right direction to get them?


Thanks
What car do you have?

I have ford focus mk3 and Focccus is good for it.
If you have other ford probably Forscan is for you. If you have focus mk3.5 or mondeo mk4 then probably only ucds cable is ok (from russia).

There is also IDS, but it is expensive.

You could find someone with proper cable and knowledge in your area.

I could help with Focccus as I use it.

---------- Post added at 08:59 PM ---------- Previous post was at 08:55 PM ----------

For Focccus you could also read this tread
http://www.focusfanatics.com/forum/showthread.php?p=5863970

---------- Post added at 09:13 PM ---------- Previous post was at 08:59 PM ----------

Enabling rear view camera in ford focus mk3:
Change BCM value
"99" "Park assist camera"
to option "02" With Park Assist Camera.
That's it.
 
Last edited: