[Partial] Hacking myford touch, we're getting closer!!!

Status
Not open for further replies.

jsalzman

Member
Apr 22, 2015
20
2
Has anyone tried an "autorun.inf" or "autorun.exe" in the root of an SD card or a USB stick?

Would probably need a custom executable to launch cmd.exe. When autorun.exe is launched on a CE based device, it is passed the command line parameter install. So in effect, if you rename cmd.exe to autorun.exe, the system will launch it as:

autorun.exe install

which will operate like you typed:

cmd.exe install

I'm thinking the command prompt, if it appears, will close when given a non operational parameter.

Still, it's worth a shot!
 

jsalzman

Member
Apr 22, 2015
20
2
Didn't work with the Ford.

I added cmd.exe, AND a copy of cmd.exe renamed as autorun.exe, to the root of a USB drive. I also created the numerical autorun folders used by Windows CE based devices.

The latter involved creating a folder called "2577", which indicated a platform specific folder to store autorun files. A folder called "0" is supposed to be a fallback folder, but a CE based device would look for a specially numbered folder like this. This is the list I know of so far AFTER researching the failure of using 2577 and 0:

Processor       Folder Name
ARM 720         1824
ARM 820         2080
ARM 920         2336
ARM 7TDMI       70001
Hitachi SH3     10003
Hitachi SH3E    10004
Hitachi SH4     10005
Motorola 821    821
SH3             103
SH4             104
Strongarm       2577

Bear in mind that the Automobile form of Windows is custom compiled, so even if an autorun startup folder is implemented, it might have a unique number.

I did not put on an autorun.inf (yet).

One thing that looked different in this attempt, compared to installing other USB drives that have only Sync upgrade files, is that the prompt "device not supported" appeared for a few seconds. Perhaps it's detecting the autorun, but rejecting it.
 
Reactions: Wetzel402
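
A defensive use of the folder list in the post above, added here as an example and not part of the original thread: it triages a mounted removable volume for Windows CE style autorun artifacts before the media goes near an embedded device. The names `scan_volume`, `Finding` and `build_sample_volume`, the rule that every all-digit folder is inspected, and the sample layout are assumptions of this example.

```python
import hashlib
import os
from typing import NamedTuple

# Folder names from the list in the post above, plus the "0" fallback folder.
CE_CPU_FOLDERS = {
    "1824": "ARM 720", "2080": "ARM 820", "2336": "ARM 920",
    "70001": "ARM 7TDMI", "10003": "Hitachi SH3", "10004": "Hitachi SH3E",
    "10005": "Hitachi SH4", "821": "Motorola 821", "103": "SH3",
    "104": "SH4", "2577": "Strongarm", "0": "fallback",
}
AUTORUN_NAMES = {"autorun.exe", "autorun.inf"}


class Finding(NamedTuple):
    path: str    # relative to the volume root
    reason: str


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_volume(root):
    """Flag Windows CE style autorun artifacts in the top two levels of root."""
    findings, autorun_exes, other_exes = [], [], {}
    for name in sorted(os.listdir(root)):
        full, low = os.path.join(root, name), name.lower()
        if os.path.isfile(full):
            if low in AUTORUN_NAMES:
                findings.append(Finding(name, "autorun file in volume root"))
                if low.endswith(".exe"):
                    autorun_exes.append(name)
            elif low.endswith(".exe"):
                other_exes[_sha256(full)] = name
        elif os.path.isdir(full) and low.isascii() and low.isdigit():
            # Custom CE builds may use a number outside the known list, so
            # every all-digit folder is inspected (assumption of this example).
            cpu = CE_CPU_FOLDERS.get(low, "unlisted numeric folder")
            for sub in sorted(os.listdir(full)):
                if sub.lower() in AUTORUN_NAMES:
                    rel = f"{name}/{sub}"
                    findings.append(Finding(rel, f"autorun file in CPU folder ({cpu})"))
                    if sub.lower().endswith(".exe"):
                        autorun_exes.append(rel)
    # An autorun.exe byte-identical to another executable in the root is a
    # renamed copy: the cmd.exe-as-autorun.exe layout described in the post.
    for rel in autorun_exes:
        twin = other_exes.get(_sha256(os.path.join(root, rel)))
        if twin:
            findings.append(Finding(rel, f"renamed copy of {twin}"))
    return findings


def build_sample_volume(root):
    """Constructed sample media mirroring the USB layout in the post."""
    blob = b"MZ constructed placeholder bytes, not a real executable"
    for rel in ("cmd.exe", "autorun.exe", "2577/autorun.exe", "0/autorun.exe",
                "9001/autorun.inf", "docs/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob if rel.endswith(".exe") else b"constructed text")
```

Call `scan_volume()` on the mount point of the media under inspection; an empty list means no autorun files were found in the root or in any numeric folder.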

jsalzman

Member
Apr 22, 2015
20
2
I added copies of all the other folder numbers indicated in my previous post to no avail. The system just says the USB device is "not supported"

Anybody know how to decompile the executables for these Windows systems? Perhaps a clue can be found within the executable files hidden inside the Sync update cabs.
 

chunnannn

New member
Jul 9, 2015
3
1
I added copies of all the other folder numbers indicated in my previous post to no avail. The system just says the USB device is "not supported"

Anybody know how to decompile the executables for these Windows systems? Perhaps a clue can be found within the executable files hidden inside the Sync update cabs.

You can use IDA Pro to decompile the .999 file.
And the .999 file has a signature.
 

jsalzman

Member
Apr 22, 2015
20
2
Ouch!!! $1129 USD for the IDA Pro version?

It looks like it could be a useful program for those who make a gainful living actively disassembling software. But to use it as a means to identify a workaround for the missing navigation on MyFord Touch, the cheaper alternative is to just pay $700 for the service others already provide to activate navigation on MyFord Touch.
 

pigbait

Senior Member
Aug 26, 2011
104
6
winnipeg
Nice to see all you guys still working on this.. I can't wait to see what comes from this as I just got a 2015 Escape and the dealer never said anything about how MFT is dead, which is I guess my fault for not looking into it before buying.
 

azitoshi

Member
Aug 8, 2011
30
1
Same here, I just bought a Focus 2015 in Europe. MFT is called Sync2 but it's the same. I am looking forward to some news about any progress :). I wish to unlock navigation or be able to play video on that 8 inch display :) keeping my fingers crossed !:)
 

jsalzman

Member
Apr 22, 2015
20
2
The trick right now is getting any .EXE injected into the system.

Attempts have been made to launch cmd.exe with no success. Part of the problem may be customized file path in the system to run executables. MFT is a customized Windows Embedded Automotive (7?). It's "Windows", but not Windows. It's more like Windows CE, but not like that either.

It is my understanding that Windows Automotive 7 is custom compiled, kind of like a linux distribution. The designers pick whatever elements of an operating system core repository they desire to include, build it, then release it. This can cause many of the more common user access points to be unavailable.
 

diegoweb

Senior Member
Aug 8, 2011
92
11
Can't someone disassemble MyFord Touch and use a jumper data cable in order to debug startup?
Maybe we can see the lines being loaded in startup and spoof an SDCard to pretend to be in the internal memory.
 

vinkress

New member
Aug 11, 2015
1
2
Found this while looking for any info on progress of hacking Ford Sync Gen 1 (not MFT)

I do not know the relevancy of this to the efforts expended so far and can't verify that this guy really in fact was on the SYNC team but...some interesting background info that may provide a lead...mention of Adobe Actionscript being used for the GUI, for example.

I can't post the URL because I am a new guy so here is a version that should be decipherable....hypertext transport protocol secure :// news_dot_ycombinator_dot_com/item?id=8736056

emcrazyone 243 days ago

I was one of the architects working on Ford SYNC. Internally, Ford has a big problem with open source software from a legal stand point. You have a fortune-5 company here. Translation for you: They are a very large target for lawsuits. The open source software provides no indemnification.
You also have to remember when SYNC was in the planning stages long before the public knew about it. I was part of the original team responsible for taking the whole concept to reality.
I can tell you that internally, it was one of the most well run software architecture teams I was ever a part of. The middle level managers really know how to run software teams which is not something you might expect from a big old automotive company.
But in many ways, our hands were tied. Recall about the time Bill Gates and Bill Ford riding around in a model-T. A lot of us didn't want Windows for automotive and were trying to champion Linux. Also, the iMX3 which was in the first generation SYNC modules was at the time a slow processor.
And to top things off, a fair bit of the software running on the SYNC module is not written by Ford. Ford partnered up with a crappy company called B-Squared.
The Maps are not Ford's either. When I was on the team, Ford had partnered with INRIX for Maps, traffic and direction.
SYNC is just not a simple single board computer with some apps running on it. There is an entire eco-system built around the SYNC module because it's connected to the vehicle networks (CAN Bus). Microsoft & Ford being partners (Windows servers in data center), Microsoft wanted to handle some of the software development but when Ford asked Microsoft to sign off on some legal agreement asking MS to take any and all responsibility for things like inadvertently deploying an air bag, they backed off.
Also, Ford SYNC as I said has an eco system of roughly 20-30 backend applications that support it. Some of these have to do with 911 assist and the TREAD act. The TREAD act is the US Federal Government's oversight on safety claims.
Because via SYNC you can report problems and have your vehicle serviced, there is a lot of internal logic that keeps track of what is called EOL (End of Line) data about a vehicle which needs to funnel into TREAD act reporting.
Think about the not so long ago Toyota problem where they tried to blame floor mats for gas pedals getting stuck.
EDIT: Also, the GUI is not Microsoft CE native. The WindowsCE is just the OS running on the SYNC module. The GUI was Adobe ActionScript. Trust me, many of us yelled very loud about how stupid an idea this was but because B-Squared own the implementation (not the architecture), they were allowed to choose whatever they wanted to meet Ford specs. The results are a history lesson: JD Powers gave SYNC poor ratings and many of us (myself included) got the hell out of dodge.
Middle managers, managing the day to day software architecture and specifications, were caught between a rock and a hard place with senior management (Alan Mulally, Mark Fields, Bill Ford, Marcy Klevorn) pushing these partnership relationships we were forced to work within.

If you search that thread for more from the guy emcrazyone, there is perhaps more useful info....

I haven't any coding skills per se to contribute to this project but I am hopeful it someday produces a FW mod that allows the 8" screen on the Gen 1 ver 4 of Sync with Navigation to eventually mirror the screen of my iPhone or some such...

Apologies if you have already seen this...I read this whole thread and didn't see any info about the Adobe piece.
 

Prack

Senior Member
Dec 6, 2010
920
239
Lino Lakes, MN
So the guy who sells this for 600 says he can do it in person without pulling the dash apart. Is he doing the APIM changes through the aux port or through the car obd port? Maybe it's just through the USB. I honestly don't have a problem paying to have NAV unlocked on my MFT but I don't like the idea that if something happens later that I can't simply flash/activate NAV again. I also don't want to tear my dash apart and I don't want to drive four hours to have him do it either.
 

Prack

Senior Member
Dec 6, 2010
920
239
Lino Lakes, MN
It's crazy he charges $600. Would be nice if our awesome developers here put him out of business.

I agree, sounds like we can't just use one off a different vehicle because we may add/lose features. He wants the VIN to do it so my guess is he goes out to the ford vin site and checks what features you had and toggles them on/off exactly the same as it had plus NAV and whatever other features you want. My guess is once he's inside it's as easy as changing the navigation line from =0 to =1. Kinda bums me out that there is no way for me to get it. I bought the car used with 5k miles on it so never had an option to buy the navigation package.
 

uscav82

Member
Aug 19, 2015
5
2
Reading all of this I didn't think I would have a way to contribute but maybe I can.

There is an adapter cable when flashing the APIM. When it's done at a dealer level the media hub is disconnected and the IDS laptop is connected to the mini b 5pin itself.

watch?v=DUbzPFVerwk

Here's a training vid that was posted online, add it to the end of youtube. I'm new and can't just post it.

Not for nothing the guy charging 600 bucks probably works for Ford or was trained. I had my own VCM ii until it **** out while I was enabling remote start on my 13 explorer. If I wasn't so busy I would go visit a friend where I can use their setup with full dealer access. Never tried using it for this purpose but I'm willing to bet I could enable Nav on a unit that didn't have it. Rather than having OASIS self identify the vehicle I could say enter another VIN that had the options I wanted or do what you're not supposed to do and go into the custom menu.

I'm not a programmer, just a guy trained by Ford pissed at sync lmao. I don't believe this guy cracked anything unless he can do more than add a disabled feature.
 

shockme66

New member
Aug 18, 2015
1
0
Agree, I can't see the video right now but saw this guy who can reprogram the APIM and get nav to work. Can this be done via OASIS or Ford Etis via a usb cable?

Google fordpimods and maybe it will provide some details on how we can do it ourselves.
 

Prack

Senior Member
Dec 6, 2010
920
239
Lino Lakes, MN
Agree, I can't see the video right now but saw this guy who can reprogram the APIM and get nav to work. Can this be done via OASIS or Ford Etis via a usb cable?

Google fordpimods and maybe it will provide some details on how we can do it ourselves.

Google jmr061, his handle on many forums. I've found a lot of details around the time that he figured it out but he never did post many specifics.
 

uscav82

Member
Aug 19, 2015
5
2
Agree, I can't see the video right now but saw this guy who can reprogram the APIM and get nav to work. Can this be done via OASIS or Ford Etis via a usb cable?

Google fordpimods and maybe it will provide some details on how we can do it ourselves.

On that guy's page it's evident he is using the VCMii/IDS with whatever calibration file is needed. I have unfortunately not toyed around with this in a non-OEM approved manner if you will. Even if I drove out to Boston and got access again, I don't have a vehicle to test with. The best I would be able to do is go through the menus and see what is available.

I will be getting another personal VCMii but it's going to cost me a couple grand and I don't see it happening until early 2016.

My personal feeling is the custom menu that is available during APIM programming is to override default settings to the VIN. For example if the customer added anything Ford approved that passes through the APIM (think Ford accessories like ambient lighting) then the technician needs a custom menu to turn features on. That custom menu is more than likely going to provide access to any feature the APIM is capable of.

I could be wrong here because like I said this isn't something I've attempted to do, as I never had the need until now. Actually I just want to see sync opened up, my Explorer has NAV but I'm still bent about the lack of any apps or other promised features.
 

Top Liked Posts

  • 6
    Ok Devs-
    (ALSO sync owners, don't update your sync systems anymore by ford, we are getting close to unlock it, and they will put out updates to bork our hack).

    I need some help please. I need to modify this POS sync. You can't do anything with it. I want to get navigation running or bluestacks to run android.

    I got the official Ford USB reboot file; I have attached it here. It has the signed files that we need.

    I was able to trigger the install event with those files. And I believe this is our key to Jailbreak the system.

    The best part is that you can run stacked commands on those install scripts:p. https://www.coalfire.com/The-Coalfire-Blog/October-2014-(1)/Reverse-Shells-and-Your-Car?feed=blogs

    I have been struggling to get it to execute, presumably, I don't know anything about win CE.

    I have the win CE cmd.exe on my usb. Place it into the system, it recognizes and initiates upload. What the code below is trying to do is piggyback on the copy via stacked code to upload cmd.exe to the system then execute it. Unless there is another way to get a shell, once we get the shell, WE OWN THEM.:D

    This is what my path is listed on my autoinstall.1st file -
    Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe

    the cab is required as it is signed by microsoft and bypasses the lock to load additional code.

    Changing the semicolon to & makes it error out, so the semicolon is correct, just dunno if I have the paths right. Normally, it would be something like for linux /fs/usb0/etc...... but I am not sure about how CE lists the usb device path...again I am win CE retarded. Unless there is a way to % to the paths, but I dunno much about win.

    Sync, recognizes and executes with no errors. If I change my code a little, it will not work and say error.

    SO what am I missing to get the cmd to run? Or is it already? I was expecting a shell to pop up?

    If someone can point me in the right direction, or to point what file I can call to execute the onboard navigation, that would be awesome as well.

    Even if we can't get a shell, I'd like to be able to execute a file, then I can run MIOpocket on this thing and ditch sync for android apps.


    I have also attached the sync app developer guide link. With programming commands for apps.
    https://developer.ford.com/uploads/DevConf%20-%20Track%205%20-%20Best%20Practices.pdf

    Here is a link to the windows 7 automotive guide on how the system operates, kernel info, driver info, and stuff.
    http://download.microsoft.com/download/0/A/1/0A1E07D6-7562-4566-AACF-E04DF4FF8879/A%20Technical%20Companion%20to%20Windows%20Embedded%20Automotive%207%20(final).pdf


    UPDATE: 04/19/2015 -

    While it is not a software hack, IT IS possible to unlock the navigation only portion of the MFT 8", if you have it without nav.

    IF YOU DO THIS, YOUR CAR WARRANTY IS VOID. You've been warned.

    It will cost a little money, but not set you back $1000 like nav tv and lockpick are charging. Maybe $100 or so.

    Here is what you need to do, if you can't wait for us to unlock the bootloader.....

    1 - Get a used APIM only part with the numbers DS7T in it. (aluminum only part with the fins, you DO NOT need the screen)
    2 - Get the VIN# of the car it came out of and check the VIN to see if it was enabled with factory NAV. There are internet sites that will check the VIN for you. Must be a unit with NAV enabled.
    http://researchmaniacs.com/VIN-Number-Lookup/WindowSticker/Ford.html
    3. Install the APIM only to the back of your LCD.
    4. The system will reboot and reset.
    5. The system will then ask you to insert the NAV sd card, do that. (obviously, you have to buy a nav card from ebay as well, but those are $10)
    6. Enjoy factory NAV for about $100

    This is the only workaround for now. THE APIM is separate from the sync system and only interfaces with it. So, you will retain all your OEM VIN# locked stuff and it will survive reboots and updates. The nav actually just unlocks on that APIM portion, believe it or not. This method doesn't tie into the file system software, it merely accesses it.

    Now.... if someone would be so kind as to just rip the NAND chip from one of those units and post it, so that we can just flash over our existing equipment, we can do this for FREE!!!!!!

    Still working on the video bypass.... It would be nice if our Russian friends can start chiming in for that one please.....

    DON'T FALL FOR THE EBAY GUY CHARGING $600 to $700 for this. Let's put him out of business.... Your help is needed.

    PROPS TO rahrena8690 for the find.

    WORKING FILE LINKS - FOR DEVELOPERS ONLY
    Delayed Reboot project
    https://mega.co.nz/#!m0BEWSrA!qrdgIRYTvccH52794ktdpRfrulI_pSdY3g-iiCyhaFs
    4
    I'm glad he posted the additional information.

    He just lost all credibility.

    What he is referring to is a bypass module that you wire into the can-bus. While he "claims" ids, I call bs, unless he can provide dealer authentication, even then, he is kinda right about the techs' lack of knowledge there though.

    He is just wiring the bypass module to the car and then programming the remote start and door unlock. NOTHING to do with the apim. By programming (or should I say uploading someone else's rom) to the module, he is claiming motion unlock. Not even possible with the can, separate systems.

    People have to keep in mind that this can-bus area is VERY shady and attracts the usual lowlifes which need it for nefarious purposes. Typically, these guys work in car stereo repair shops or the like... What we are doing here is exactly the opposite, and in fact, would make their brain hurt.... No scripts for the kiddies to upload.

    I am sure those guys are SWARMING this thread waiting for the release, so that they can install and profit.

    Well.... I have a surprise for them if they think they will get their hands on the fix....lol, AIN'T HAPPENING. Only legit genuine community members will be eligible when the time comes, for free.

    I appreciate the post though, cause that was my original motivation for taking on this project, you just ignited my fire again.
    3
    Well, this is a community. I am not greedy.

    But if you choose not to be part of the community, then you are wasting your time grandstanding here.

    I'm closing in on the fix myself. And your bs about investing 5k is comical, as I am positive you're not in more than $300 for the laptop.

    To show how close I am, here is the hint. Data star.....

    So if you choose to help great, we would appreciate it. If not, go away and I'll post the fix.

    You can cut your losses and take a bounty for posting the fix or make nothing when I do.
    3
    For some reason, the coalfire site took down its information regarding the reverse shell of the infotainment system.

    Here is what I am talking about with the command on the delayed reboot file. I have conveniently located the stacked command image and attached it for your viewing pleasure. :D

    If we can patch the files, this is how we push them to the chip. Otherwise, I may have to PHYSICALLY pull the system files through JTAG tap... sigh... not really wanting to do that though...

    If we can push them, we would have to unlock the bootloader to bypass the sigs... This is where my brain is starting to hurt....

    Obviously, these commands do not apply to what we are doing, as that is QNX. Plus, I don't want any noobs spunking their system with our fashizzle yet...until we test it.

    Just a final thought, as a plan B, we could reverse shell with the USB exploit as well... just saying.. might be easier
    3
    An integer overflow might work as well, but I have never experimented on an embedded chip. Stacked command invoking an integer overflow, might give us write access to the system.