[Partial] Hacking MyFord Touch, we're getting closer!!!

Status
Not open for further replies.

boozinbuzz

Member
Nov 3, 2012
13
0
I don't blame the few guys that have figured out the MFT Nav hack for not putting a tutorial onto a blog, but I am still curious as to how they did it. I am sure it took them lots of time and effort. From what I can surmise (as someone who has never even touched an OBD-II adapter), they have figured out a way to flash the ABD and to unlock the navigation license in the APIM. Here's an ss from one of the guys shortly before he started to offer his service on the various forums.

j8mxk3.jpg
 

Prack

Senior Member
Dec 6, 2010
920
239
Lino Lakes, MN
I don't blame him for wanting to make a buck. But at the same time I'm willing to pay. I just want the ability to enable it again in case the dealer flashes my car during troubleshooting etc. I can't afford to pay 600 bucks for a setting that I can re-enable on my own. My wife would murder me.
 

jmr061

Member
Jun 4, 2015
6
4
I enjoy reading how people feel the need to put me out of business.

There is a lot of research and money invested in what I have accomplished and not accomplished. One of my latest finds is in motion override without a lock pick. Lose some stupid features like VHR but oh well.

You guys seem hung up on the price of an upgrade. How much would you charge if you have over 5k invested in hardware etc.? That doesn't count the endless hours of research and ***** slapping my own ride with testing. Still running the original APIM with no issues, by the way.

You tell me what a fair price would be?

---------- Post added at 06:09 AM ---------- Previous post was at 05:48 AM ----------

I don't blame him for wanting to make a buck. But at the same time I'm willing to pay. I just want the ability to enable it again in case the dealer flashes my car during troubleshooting etc. I can't afford to pay 600 bucks for a setting that I can re-enable on my own. My wife would murder me.

BTW I don't charge $600 to re-enable it if the dealer does a reflash and kills it. I will only do that if it's apparent someone was trying to figure out what I did or was trying to hack it.

I have learned a lot about MFT and it is apparent that dealers are very uneducated about troubleshooting and programming. I just had a person contact me asking about NAV as they had their APIM replaced and lost NAV (it was previously hacked by someone else and the APIM went bad, supposedly - I think the dealer replaced it needlessly), and I checked how the dealer programmed it and it is missing all the APPs that were supposed to be installed. So many dealers are clueless about stuff, it is terrible.

BTW if a person gets an upgrade from me and they have APIM issues that they have their dealer look into, I always tell them to have the dealer contact me before reprogramming it.

I have talked to many dealers throughout my dealings regarding things such as keyless entry and remote start for the PI models and Explorers.

What is unfortunate is that there are too many dealers out there that are close minded and won't believe anything that doesn't come down the wire from Ford while others welcome an "outside the box" approach.
 

kthejoker20

Senior Member
Jun 18, 2008
835
229
Kenosha
Well, this is a community. I am not greedy.

But if you choose not to be part of the community, then you are wasting your time grandstanding here.

I'm closing in on the fix myself. And your BS about investing 5k is comical, as I am positive you're not in more than $300 for the laptop.

To show how close I am, here is the hint. Data star.....

So if you choose to help great, we would appreciate it. If not, go away and I'll post the fix.

You can cut your losses and take a bounty for posting the fix or make nothing when I do.
 

uscav82

Member
Aug 19, 2015
5
2
Respectfully, the keyless options and remote start on the Explorers are child's play with a VCMII though, no hacking involved.

I still have yet to see him do anything with the system that is not a factory option, so I doubt he has cracked the system in the manner you are attempting. I heavily suspect he's a Ford tech. You call me or anybody I know at a dealer level and you're just Joe Blow from the street... I'm going to tell you to politely go **** yourself. Call me as a tech that previously serviced the system and you might have my attention.
 

jmr061

Member
Jun 4, 2015
6
4
I am not a Ford tech and I don't go around calling dealers unsolicited. Remote start on the Explorer (and other like vehicle) is a native function of IDS. Do you know how many dealers/techs have to be educated on that? I don't profit off of things that can be done as direct menu functions of IDS (unless I do it in person). If a dealer has a question about a process or how to do something they are not familiar with I have no issue talking to them about it and providing an answer for it. They contact me, I don't contact them.
 

uscav82

Member
Aug 19, 2015
5
2
I still struggle with part of this concept, but either way it's not helping the cause here. You get hit by a truck tomorrow and there is no longer any support for what you have done. I have nav, so it's not about that for me. I would like to see the unit cracked and the possibility of loading other apps.
 

kthejoker20

Senior Member
Jun 18, 2008
835
229
Kenosha
I'm glad he posted the additional information.

He just lost all credibility.

What he is referring to is a bypass module that you wire into the CAN bus. While he "claims" IDS, I call BS, unless he can provide dealer authentication. Even then, he is kinda right about the techs' lack of knowledge there, though.

He is just wiring the bypass module to the car and then programming the remote start and door unlock. NOTHING to do with the apim. By programming (or should I say uploading someone else's rom) to the module, he is claiming motion unlock. Not even possible with the can, separate systems.

People have to keep in mind that this CAN-bus area is VERY shady and attracts the usual low lifes which need it for nefarious purposes. Typically, these guys work in car stereo repair shops or the like... What we are doing here is exactly the opposite, and in fact, would make their brain hurt.... No scripts for the kiddies to upload.

I am sure those guys are SWARMING this thread waiting for the release, so that they can install and profit.

Well.... I have a surprise for them if they think they will get their hands on the fix....lol, AIN'T HAPPENING. Only legit genuine community members will be eligible when the time comes, for free.

I appreciate the post though, cause that was my original motivation for taking on this project, you just ignited my fire again.
 

uscav82

Member
Aug 19, 2015
5
2
I wasn't saying the remote start/keyless had anything to do with the APIM. Those features are unlocked in the Body Control Module. However, all the modules do speak over the CAN bus.

If you want to program like a dealer, all it takes is a little $$.
 

PennStateMtnMan

New member
Aug 29, 2015
1
2
You guys are a lot further than I ever will be with this. I keep reading and just hoping I can provide some insight somewhere to help out, but so far, you are all blowing me away. I truly believe in open source, especially when it comes to your vehicle.
 

suleimankhan

Member
Aug 13, 2012
10
2
I'm subscribed to this thread and anxiously awaiting updates. Sharing knowledge to empower end users like me to do more with what we already have....that's what XDA is all about.
 

jmr061

Member
Jun 4, 2015
6
4
Just so everyone knows after the OP initially falsely accused me of spewing BS on what I had said about my venture into this I sent him a PM and invited him to come visit me and view my setup and what I do as he really isn't that far away. I made the offer to share with him but he never responded back.
 

Prack

Senior Member
Dec 6, 2010
920
239
Lino Lakes, MN

Why don't you go check out his setup? Even if it doesn't answer all the questions, it may help lead towards opening up the system, and isn't that the real goal here? I know you want to put him out of business and all, but isn't the real purpose to put some use back into MFT? I still want navigation, bad enough that when I can afford it I'll probably buy a spare APIM from him. Believe me, I would love to know how to reapply it myself, but it is what it is.
 

Top Liked Posts
Ok Devs-
(ALSO sync owners, don't update your sync systems anymore by Ford, we are getting close to unlock it, and they will put out updates to bork our hack).

I need some help please. I need to modify this POS sync. You can't do anything with it. I want to get navigation running or BlueStacks to run Android.

I got the official Ford USB reboot file, I have attached it here. It has the signed files that we need.

I was able to trigger the install event with those files. And I believe this is our key to jailbreak the system.

The best part is that you can run stacked commands on those install scripts :p. https://www.coalfire.com/The-Coalfire-Blog/October-2014-(1)/Reverse-Shells-and-Your-Car?feed=blogs

I have been struggling to get it to execute, presumably because I don't know anything about Win CE.

I have the Win CE cmd.exe on my USB. Place it into the system, it recognizes and initiates upload. What the code below is trying to do is piggyback on the copy via stacked code to upload cmd.exe to the system then execute it. Unless there is another way to get a shell, once we get the shell, WE OWN THEM. :D

This is what my path is listed on my autoinstall.1st file -
Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe

The cab is required as it is signed by Microsoft and bypasses the lock to load additional code.

Changing the semicolon to & makes it error out, so the semicolon is correct, just dunno if I have the paths right. Normally, it would be something like /fs/usb0/etc...... for Linux, but I am not sure how CE lists the USB device path... again I am Win CE retarded. Unless there is a way to % to the paths, but I dunno much about Win.

Sync recognizes and executes with no errors. If I change my code a little, it will not work and says error.

SO what am I missing to get the cmd to run? Or is it already? I was expecting a shell to pop up?

If someone can point me in the right direction, or point to what file I can call to execute the onboard navigation, that would be awesome as well.

Even if we can't get a shell, I'd like to be able to execute a file, then I can run MIOpocket on this thing and ditch sync for Android apps.

I have also attached the sync app developer guide link, with programming commands for apps.
https://developer.ford.com/uploads/DevConf%20-%20Track%205%20-%20Best%20Practices.pdf

Here is a link to the Windows 7 Automotive guide on how the system operates, kernel info, driver info, and stuff.
http://download.microsoft.com/download/0/A/1/0A1E07D6-7562-4566-AACF-E04DF4FF8879/A%20Technical%20Companion%20to%20Windows%20Embedded%20Automotive%207%20(final).pdf

UPDATE: 04/19/2015 -

While it is not a software hack, IT IS possible to unlock the navigation-only portion of the MFT 8", if you have it without nav.

IF YOU DO THIS, YOUR CAR WARRANTY IS VOID. You've been warned.

It will cost a little money, but not set you back $1000 like NAV-TV and Lockpick are charging. Maybe $100 or so.

Here is what you need to do, if you can't wait for us to unlock the bootloader.....

1. Get a used APIM-only part with the numbers DS7T in it. (aluminum-only part with the fins, you DO NOT need the screen)
2. Get the VIN# of the car it came out of and check the VIN to see if it was enabled with factory NAV. There are internet sites that will check the VIN for you. Must be a unit with NAV enabled.
http://researchmaniacs.com/VIN-Number-Lookup/WindowSticker/Ford.html
3. Install the APIM only to the back of your LCD.
4. The system will reboot and reset.
5. The system will then ask you to insert the NAV SD card, do that. (obviously, you have to buy a nav card from eBay as well, but those are $10)
6. Enjoy factory NAV for about $100

This is the only workaround for now. THE APIM is separate from the sync system and only interfaces with it. So, you will retain all your OEM VIN#-locked stuff and it will survive reboots and updates. The nav actually just unlocks on that APIM portion, believe it or not. This method doesn't tie into the file system software, it merely accesses it.

Now.... if someone would be so kind as to just rip the NAND chip from one of those units and post it, so that we can just flash over our existing equipment, we can do this for FREE!!!!!!

Still working on the video bypass.... It would be nice if our Russian friends can start chiming in for that one please.....

DON'T FALL FOR THE EBAY GUY CHARGING $600 to $700 for this. Let's put him out of business.... Your help is needed.

PROPS TO rahrena8690 for the find.

WORKING FILE LINKS - FOR DEVELOPERS ONLY
Delayed Reboot project
https://mega.co.nz/#!m0BEWSrA!qrdgIRYTvccH52794ktdpRfrulI_pSdY3g-iiCyhaFs
For some reason, the Coalfire site took down its information regarding the reverse shell of the infotainment system.

Here is what I am talking about with the command on the delayed reboot file. I have conveniently located the stacked command image and attached it for your viewing pleasure. :D

If we can patch the files, this is how we push them to the chip. Otherwise, I may have to PHYSICALLY pull the system files through a JTAG tap... sigh... not really wanting to do that though...

If we can push them, we would have to unlock the bootloader to bypass the sigs... This is where my brain is starting to hurt....

Obviously, these commands do not apply to what we are doing, as that is QNX. Plus, I don't want any noobs spunking their system with our fashizzle yet... until we test it.

Just a final thought, as a plan B, we could reverse shell with the USB exploit as well... just saying... might be easier.

An integer overflow might work as well, but I have never experimented on an embedded chip. A stacked command invoking an integer overflow might give us write access to the system.