·
Registered
Joined
·
3 Posts
Discussion Starter #1
Hey there,

I've been trying to hack the on-board computer with some success thus far. I've managed to extract system parameters, including a full-blown process & kernel stack list from Windows Automobile 4.0, the OS it's running.

I now need to access the hardware. Does anybody know where it is, and how I'd get there? I have the MFT/Sony dash.

Alternatively, I'd follow the USB/AV/SD card cables from the mid-console storage to wherever they lead, but I'd still need help on how to take the dashboard apart.

Any hints?

Thank you!
 

·
Registered
Joined
·
130 Posts
Wow that's awesome. I don't know how to get to the modules yet but hope to as soon as the repair manuals become available. How did you get as far as you did? Can you run queries against the database?

 

·
Registered
Joined
·
104 Posts
I've wondered how long before someone starts making home brew applications for it.
 

·
Registered
Joined
·
218 Posts
> Hey there,
>
> I've been trying to hack the on-board computer with some success thus far. I've managed to extract system parameters, including a full-blown process & kernel stack list from Windows Automobile 4.0, the OS it's running.
>
> I now need to access the hardware. Does anybody know where it is, and how I'd get there? I have the MFT/Sony dash.
>
> Alternatively, I'd follow the USB/AV/SD card cables from the mid-console storage to wherever they lead, but I'd still need help on how to take the dashboard apart.
>
> Any hints?
>
> Thank you!

Here is a link to a nice article written by MS on how Windows Auto works and the security used to prevent piracy.

http://download.microsoft.com/download/6/5/0/6505FA0E-1F39-4A34-BDC9-A655A5D3D2DB/MicrosoftAuto4.0TechnicalCompanion.pdf
 

·
Registered
Joined
·
104 Posts
According to that document they base it on Windows CE 6 and not 7.
I'm guessing 7 wasn't mature when they started developing Touch?

Microsoft Auto 4.0 is built on Windows Embedded CE 6.0 R2
Wonder what kind of limitations or future proofing the system has in regards to future software upgrade to the base OS.
 

·
Registered
Joined
·
218 Posts
He's apparently had no problem bypassing the "security" lol.

I would ask Insect Queen via PM where/how to find the APIM Module.
There is never a problem extracting the files, the problem comes when you attempt to "write" back to the system with changed files......
The best way is to find a bug in the boot loader that will allow you to then choose what device to boot from bypassing the security and then allowing you to format the partitions so that the security keys are no longer there....
 

·
Registered
Joined
·
104 Posts
fla2smoker,
That document sheds a lot of light on the system that I had been curious about.

Thank you!
 

·
Registered
Joined
·
671 Posts
> There is never a problem extracting the files, the problem comes when you attempt to "write" back to the system with changed files......
> The best way is to find a bug in the boot loader that will allow you to then choose what device to boot from bypassing the security and then allowing you to format the partitions so that the security keys are no longer there....

Ah thanks for the bit of info... as you can tell I'm not much of a wiz when it comes to this stuff but thankfully I know enough to understand your explanation lol
 

·
Registered
Joined
·
218 Posts
> According to that document they base it on Windows CE 6 and not 7.
> I'm guessing 7 wasn't mature when they started developing Touch?
>
> Wonder what kind of limitations or future proofing the system has in regards to future software upgrade to the base OS.

Looking at the requirements for Windows Automotive 7 with Silverlight support, it uses the same exact hardware. Here is a link to a developer kit that you can own for a little under $7k...

http://www.qualnetics.com/WE-ADK/

Depends on if Ford wants to keep using the same hardware in future vehicles. It also depends on the interfaces to the CANBUS and other things to hook into the vehicle's systems, whether or not we would ever see a version 7 update. My gut says no.....
 

·
Registered
Joined
·
3 Posts
Discussion Starter #12
Bigbot: My current injection vector is the "update reporting" utility. It's essentially a ".exe" file that runs on the car computer. It's cryptographically signed, and hard to modify, but it can be used to deduce information about what's going on in the module. What database are you referring to?

fla2smoker: Very nice find! Thank you!

cappa: thanks!

The computer is pretty well secure networking-wise, even when it's in "Access Point" mode, sharing an internet connection. The only injection vector I've found is the "update & update report process" via the USB. All information, both from the car and to the car, is cryptographically signed.

I want to access the APIM module—basically I expect to find a mini-ATX board, or something looking like the insides of the WE-ADK from http://www.qualnetics.com/WE-ADK/ . The next step would depend exactly on what I find. Depending on the difficulty, I'd even attempt to unsolder any memory modules and read their contents.

Bypassing the boot-loader would indeed be tricky, depending on the kind of validation that happens. Reading the "hard drive" of the APIM module would be a first step. Managing to replace that with an ARM version of Linux, and explore the system would be the second step.
 

·
Registered
Joined
·
3 Posts
Discussion Starter #13 (Edited)
This looks very interesting.
From https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Cohen :

Look At What My Car Can Do
TYLER COHEN DEPARTMENT OF DEFENSE

This presentation is an introduction to the new world of automobile communication, data and entertainment systems, highlighting the Ford Sync System.

The Ford Sync System is a remarkable technological advance that has changed the automobile industry. While hard drives have been used in automobile entertainment applications for some time now, the Ford Sync System is different. It allows the user to interact with the car's communication system in a brand new way. If a vehicle with the Ford Sync system is used to commit a crime or to hide data, how would examiners be able to determine what data might be contained in the Ford Sync System? How does it get there? What forensic process or type of exploitation can be used to determine what traces are left behind on the car's hard drive? This presentation will take the audience through the process of various methods of infilling, hiding, acquiring data, and conducting a forensic exam on the Ford Sync System.

No actual presentation yet, just an abstract, but working on getting the presentation...
 

·
Registered
Joined
·
524 Posts
> This looks very interesting.
> From https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Cohen :
>
> Look At What My Car Can Do
> TYLER COHEN DEPARTMENT OF DEFENSE
>
> This presentation is an introduction to the new world of automobile communication, data and entertainment systems, highlighting the Ford Sync System.
>
> The Ford Sync System is a remarkable technological advance that has changed the automobile industry. While hard drives have been used in automobile entertainment applications for some time now, the Ford Sync System is different. It allows the user to interact with the car's communication system in a brand new way. If a vehicle with the Ford Sync system is used to commit a crime or to hide data, how would examiners be able to determine what data might be contained in the Ford Sync System? How does it get there? What forensic process or type of exploitation can be used to determine what traces are left behind on the car's hard drive? This presentation will take the audience through the process of various methods of infilling, hiding, acquiring data, and conducting a forensic exam on the Ford Sync System.

So is this just a description of a speaker's topic at a hacker convention? Would have been nice to see the presentation but there are no links to go any further.
 

·
Registered
Joined
·
647 Posts
Wow. This stuff is beyond me! [pray] At any rate, Ian asked me about accessing the area behind the stereo. Here's what I did:

The plastic trim piece (yellow arrows) can be pulled/pried straight down, revealing a couple of screws that need to be removed. The entire face of the stereo can then be pulled away from the dash. I carefully pried the face from the dash where the red arrows are, and then pulled the unit up and towards me (where I previously removed the screws) at the same time guiding and pulling the upper portion as well (by the red arrows). It's really quite simple, and your method of pulling/prying may differ. There are a few connectors from behind that need to be disconnected before you can completely remove it from the dash. One in particular is VERY short and is an absolute PITA to remove. I had to be very patient with it.

Note - It's been awhile since I've done this. It's quite possible that you don't even need to pry where the red arrows are and it can be simply lifted/pulled away from the dash. Go slow. Once the two screws are removed, it should be quite evident to you what needs to be done. It's much simpler than it looks.

Once that's been removed, it should also be evident that the screen is held in place by a few (can't remember how many) screws and can be easily removed from the dash as well, if that is something that needs to be done. I didn't remove the actual stereo itself, but if memory serves it's just a matter of a few more screws.

 

·
Registered
Joined
·
239 Posts
Damn that looks like a lot of work. (The hacking part)

I wish you the best of luck. People have broken into more secure things than this (see iPhone, PS3) but there are tens of millions of those devices running around and relatively few of these. So obscurity may hurt the effort in the end.

If only geohot didn't have a full time job now. ;)
 

·
Registered
Joined
·
50 Posts
> Wow. This stuff is beyond me! [pray] At any rate, Ian asked me about accessing the area behind the stereo. Here's what I did:
>
> The plastic trim piece (yellow arrows) can be pulled/pried straight down, revealing a couple of screws that need to be removed. The entire face of the stereo can then be pulled away from the dash. I carefully pried the face from the dash where the red arrows are, and then pulled the unit up and towards me (where I previously removed the screws) at the same time guiding and pulling the upper portion as well (by the red arrows). It's really quite simple, and your method of pulling/prying may differ. There are a few connectors from behind that need to be disconnected before you can completely remove it from the dash. One in particular is VERY short and is an absolute PITA to remove. I had to be very patient with it.
>
> Note - It's been awhile since I've done this. It's quite possible that you don't even need to pry where the red arrows are and it can be simply lifted/pulled away from the dash. Go slow. Once the two screws are removed, it should be quite evident to you what needs to be done. It's much simpler than it looks.
>
> Once that's been removed, it should also be evident that the screen is held in place by a few (can't remember how many) screws and can be easily removed from the dash as well, if that is something that needs to be done. I didn't remove the actual stereo itself, but if memory serves it's just a matter of a few more screws.

EXACTLY. The touchscreen and the APIM are held together as one unit with 2-4 screws. You take the hardware from the back of the touchscreen... any hacker would have the proper tools to actually remove the aluminum casing....

have fun. when you get further than that? and you REALLY start having fun? PM me. we'll compare notes.... ;)
 

·
Registered
Joined
·
329 Posts
I was wondering when someone was gonna get brave and do this.. and for the record.. Ford really skimped on wire length and used the least amount they could get by with when building this car.. they give it just enough to reach...and that's about all you get...
 

·
Registered
Joined
·
2,654 Posts
Very cool. Hopefully good things will come of this, but hopefully fully reversible too, for the day Ford finally catches up with its promises, lol
 