OEM CarPuter - Data Logging and Pi: conceptual discussion

[malfuncion]

One thing I can say about hacking Sync, in my 2011 I found it uses a standard 44-pin IDE 2.5" Laptop hard drive. It's made by Hitachi and it is hardware locked. Looking into it some, I might be able to pop in another drive like it, have it lock the drive, then run software to bruteforce the password. From there, you should be able to unlock the original drive( as well as re-lock it) and snoop around. Since I am looking at replacing my headunit with an aftermarket one anyways, I don't care if I mess mine up. I will post any results I have though for anyone else wanted to follow along!

I'd love to assist. Would you mind doing a clonezilla of the drive and uploading the ISO somewhere? How hard is the drive to get to? I may attempt to clone mine off and see if I can do some low level exploring. Do you know if the hardware lock is just a boot stopper or is it fully encrypted?

[J-Will]

maybe it'd be worth you giving it a shot? I'd be more than willing to work with you on a project if you have some time to devote and an "in" to get the Ford Sync software. We can do some VM's and get to hacking minus the up font cost of hardware. Flashing it to the system can probably be done with a tuner or packing the "update" in to a  package and sideloading using USB.

I would genuinely love to assist, but I do not have the time nor the lab equipment at my disposal anymore (incident response/ forensics).  Hopefully, the switch away from Microsoft will open up Sync some. 

I think this project has the appeal of many, certainly myself.  I'd like to see it get off the ground.  Keep us updated with your progress!

[nickstewartroc]

The drive is hardware locked, much like the original Xbox was. If I can get into the drive and be able to unlock/lock it, I'll make an image of it and upload it. As far as getting to the drive, you have to remove everything you would to get the radio surround off and it is in the back of the control unit/dvd/cd player. For me with the nav screen, you have to remove the nav screen(4 screws) then you can remove the 4 screws to the control unit, then from there its just two small Phillip heads and out it come

[nickstewartroc]

In addition, there is two ways I am looking at on how to unlock the drive. The first is like my previous post with drive swapping and brute forcing the password or hexing the password. The problem with this, is that I don't think current "tools" work on the hitachi drive that comes in the headunit, or the extra hitachi drive I have from an old laptop, if I had a western digital, it'd be easy. The other problem with this method is that the headunit may not even lock the secondary drive, it might just throw a code. The secondary method, which I will call the Xbox method, entails the same method used to unlock the original Xbox drives. In this case, you would need to have two separate cables, one for power and one for data. You would also need an adapter to be able to read the drive once unlocked. You would start out with have the data and power plugged into the headunit, once the headunit was one, do some activity on it (on the Xbox it was to rip and play some music) in this case, you could probably get away with just playing music from it if you already have it ripped, if not, rip a song or two. From here, the drive should be unlocked, now you unplug the data only, leaving the power plugged in, and plug the data into the adapter for the PC. Now you should be able to see and read the drive. I will try to get together a parts list needed for doing the Xbox method and update my post
EDIT:
So for the Xbox method, you would need 2x http://www.ebay.com/itm/2-5-inch-44-Pin-Male-to-Female-IDE-Converter-Cable-/290965686445?pt=LH_DefaultDomain_0&hash=item43bee808ad and then an adapter such as http://www.amazon.com/gp/product/B002OV1VJW?psc=1&redirect=true&ref_=oh_aui_detailpage_o03_s00
Basically,you would plug in the one cable to where the harddrive goes into the headunit, then at the other end, cut the connector to where the last 4 pins in a square can be plugged/unplugged separate of the other 40 pins. With the other cable, you should be able to plug in the cable over by a square of 4 pins (the same 4 that you separated from the other cable). I bought the cables and already have the adapter. When they come in, I will do a write up about it.
The one thing about doing it like this compared to trying to get the actual password is having to be connected to the car to unlock the drive. Once the power shuts off to the drive, it will relock.

[65fastback2+2]

http://forum.xda-developers.com/showthread.php?t=2750863

[65fastback2+2]

http://www.focusfanatics.com/forum/car-audio-sync-myford-touch-electronics/261981-hacking-mytouch.html

[malfuncion]

Some pretty interesting links. There's also some good information in there that gives a nice head start. Thanks for the info! So far it appears they are still trying to achieve a shell and haven't got it yet. It does show that it is possible to hijack the sideload updates which is good news. This is getting fun and really intriguing.

[nickstewartroc]

Thanks for those links! Unfortunately for me, its all on MyFordTouch :/ (I have the older Sync) Although the PDF about Windows 7 Automotive embedded may be of help!

[J-Will]

My excitement level is growing.  I want this to happen!! 

Using stock hardware, with minimal replacement (I think it's understood/ expected that a larger HDD will be required aside from firmware locking reasons).  I think the XBox route is a good initial path to take, hopefully that proves fruitful.

Ideally we can get a workable image of the HDD to create a VM and dive in.  I foresee touch screen climate control functionality being fairly difficult to replicate.  This could be an issue as some of these are only accessible on screen.  If we are able to pull drivers from the base image, this would be tremendous help here specifically. 

I'm reaching out to a contact that may have conducted some forensics on Sync when it first came out as a side project when he was in between projects at work.  If he has anything, chances are it'll be company IP, but its worth asking.

[65fastback2+2]

f150 setup

[malfuncion]

f150 setup

Looks good but not OEM. That's an IPAD custom fabbed in to the housing. Kind of what we are going for but not really since that removes the OEM screen

[65fastback2+2]

f150 setup

Looks good but not OEM. That's an IPAD custom fabbed in to the housing. Kind of what we are going for but not really since that removes the OEM screen

if i didnt give up any control and everything worked as OEM, Id do it...better resolution screen ftw

[65fastback2+2]

http://maestro.idatalink.com/product/product/product_id/102

http://www.crutchfield.com/p_794ADSMRR/iDatalink-Maestro-ADS-MRR-Interface-Module.html?tp=3486

[65fastback2+2]

looks like a kenwood ddx9902S (with KCA-WL100) plus the idatalink rr-for01-ds3 is the way to go.

http://www.kenwood.com/usa/car/excelon/ddx9902s/

supports everything the factory system does, and also supports android auto and android mirroring

[ShoBoat]

looks like a kenwood ddx9902S (with KCA-WL100) plus the idatalink rr-for01-ds3 is the way to go.

http://www.kenwood.com/usa/car/excelon/ddx9902s/

supports everything the factory system does, and also supports android auto and android mirroring

Looks like an option for the 10-12, 13+ is not available.


Sent from my iPhone using Tapatalk