Custom Screen Animation
Thread Starter
|
Mountain Pass
Joined: Dec 2018
Posts: 160
Likes: 5
From: Bay Area, CA
Custom Screen Animation
I am new here so i don't know if this has been asked before...
I have used FORscan and see that we can change the screen animation to a Raptor and some others. Im curious to know if its possible to put a custom animation here? Has anyone looked deeper into this or has done it?
I have used FORscan and see that we can change the screen animation to a Raptor and some others. Im curious to know if its possible to put a custom animation here? Has anyone looked deeper into this or has done it?
More Turbo
Joined: May 2018
Posts: 590
Likes: 32
After a little googling, it looks like the stock animations are mp4 files. I couldn't find any discussions where someone stated success, but it has been suggested that you may be able to open up one of the sync 3 updates (which include the stock animations) and replace one ore more of the mp4 files with a custom animation. If the sync3 update script does something like md5 checksum verification, this may not be possible.
Logistics Pro
Joined: Apr 2017
Posts: 3,674
Likes: 51
From: SoCal
Its not easily done right now. The Sync system uses QNX as its OS, which is *NIX based. The update files have .IFS files and .IMG files. I've been able to unpack the IFS files using QNX dumpifs tool, but there's not much there of any use. The .IMG files on the other hand are where most of the payload is, but I haven't been able to successfully access them. I've mounted the files, they report an x86 boot sector, but they are using a QNX file system that I don't have access to. (e.g. mount -t qnx6 ./file.img -o loop/dev/loop1,blocksize=512 /media/qnx fails with a file system error).
I found a virtual machine of QNX 6.5 and got it up and running on my Windows machine, but I had issues getting the network stack to initialize and couldn't easily get the files over to the VM so I could mount them. That's where I left off about a year ago....I might take a crack at it again. This is all for naught if the update has a checksum function, but that would have to be in the update file itself, since they can't know what the checksum is until they package the update, so I guess theoretically that would be easy enough to bypass.
I found a virtual machine of QNX 6.5 and got it up and running on my Windows machine, but I had issues getting the network stack to initialize and couldn't easily get the files over to the VM so I could mount them. That's where I left off about a year ago....I might take a crack at it again. This is all for naught if the update has a checksum function, but that would have to be in the update file itself, since they can't know what the checksum is until they package the update, so I guess theoretically that would be easy enough to bypass.
Cargo Master
Joined: Aug 2015
Posts: 2,400
Likes: 15
I tried this same exercise with my 2009 F150 sync updates. They had an HMAC MD5. It's a symmetric algorithm, so the needed key will be somewhere in the sync unit's firmware. While I could likely crack it, it wasn't worth the effort to me. You'd need to get the lower level firmware and reverse it. While I didn't "accept" a EULA prohibiting reverse engineering, the legality of this seems questionable.
Posting Guru
Joined: Mar 2018
Posts: 1,962
Likes: 11
From: Fairbanks, AK
Trending Topics
Cargo Master
Joined: Aug 2015
Posts: 2,400
Likes: 15
The HMAC function combines the hash with a "secret" key. The key is shared between the OEM's programming system and the embedded systems (Sync computer). The information needed to calculate the hash is in the package, but the information needed for the HMAC, unfortunately won't be.
FTE Stories
Ford Trucks for Ford Truck Enthusiasts
Top 10 Fords at 2026 Carlisle Ford Nationals
Joe Kucinski
3 Best / 3 Worst Parts of Modern Ford Ownership
Brett Foote
10 Amazing Upgrades That Solve Common Ford Truck Owner Headaches
Pouria Savadkouei
Every 2026 Ford Engine Explained
Brett Foote
10 Ugly Ford Trucks That We Still Kinda Love
Joe Kucinski
10 Things Every Truck Owner NEEDS (2026 Edition)
Michael S. Palmer
Rezvani's Latest Post-Apocalyptic Monster Is a Ford F-150 Raptor Underneath
Verdad Gallardo
Top 10 Most Expensive Ford Trucks Ever Sold on Bring a Trailer
Joe Kucinski
2027 Ford Super Duty Buyer's Guide (Every Model, Engine, & Package)
Brett Foote
Logistics Pro
Joined: Apr 2017
Posts: 3,674
Likes: 51
From: SoCal
The HMAC function combines the hash with a "secret" key. The key is shared between the OEM's programming system and the embedded systems (Sync computer). The information needed to calculate the hash is in the package, but the information needed for the HMAC, unfortunately won't be.
Logistics Pro
Joined: Apr 2017
Posts: 3,674
Likes: 51
From: SoCal
It looks like they actually have MD5 sums for the individual files that are loaded in their .der certificate files. But....this just seems to easy to circumvent? 2009kr, how did you come to the conclusion on the HMAC system, did you alter something and try to install it?
Here's a snippet from one of the image certificates:
Type = Utility
Post-Script = GB5T-14G386-AB.sh
File1 = GB5T-14G386-AB.sh
File1 Hash Value = 01bced7dc9f78d69a35ce5c3f0712b8516330e827c1a97b658 3ab1d2fbb01dbf
File1 Size = 2231
File2 = utloggingutility
File2 Hash Value = d2a94381cdda68004ee55bd0c437f3f0148cd489733f8c4469 ad63b52df675e1
File2 Size = 85628
File3 = Decoded_ODL.xml
File3 Hash Value = 9d23e743e31f7075f06d88f198297122e82a2f851fac53adab f761a5c6dd731c
File3 Size = 9478
Save Location = /tmp/
Here's a snippet from one of the image certificates:
Type = Utility
Post-Script = GB5T-14G386-AB.sh
File1 = GB5T-14G386-AB.sh
File1 Hash Value = 01bced7dc9f78d69a35ce5c3f0712b8516330e827c1a97b658 3ab1d2fbb01dbf
File1 Size = 2231
File2 = utloggingutility
File2 Hash Value = d2a94381cdda68004ee55bd0c437f3f0148cd489733f8c4469 ad63b52df675e1
File2 Size = 85628
File3 = Decoded_ODL.xml
File3 Hash Value = 9d23e743e31f7075f06d88f198297122e82a2f851fac53adab f761a5c6dd731c
File3 Size = 9478
Save Location = /tmp/
Thread Starter
|
Mountain Pass
Joined: Dec 2018
Posts: 160
Likes: 5
From: Bay Area, CA
Its not easily done right now. The Sync system uses QNX as its OS, which is *NIX based. The update files have .IFS files and .IMG files. I've been able to unpack the IFS files using QNX dumpifs tool, but there's not much there of any use. The .IMG files on the other hand are where most of the payload is, but I haven't been able to successfully access them. I've mounted the files, they report an x86 boot sector, but they are using a QNX file system that I don't have access to. (e.g. mount -t qnx6 ./file.img -o loop/dev/loop1,blocksize=512 /media/qnx fails with a file system error).
I found a virtual machine of QNX 6.5 and got it up and running on my Windows machine, but I had issues getting the network stack to initialize and couldn't easily get the files over to the VM so I could mount them. That's where I left off about a year ago....I might take a crack at it again. This is all for naught if the update has a checksum function, but that would have to be in the update file itself, since they can't know what the checksum is until they package the update, so I guess theoretically that would be easy enough to bypass.
I found a virtual machine of QNX 6.5 and got it up and running on my Windows machine, but I had issues getting the network stack to initialize and couldn't easily get the files over to the VM so I could mount them. That's where I left off about a year ago....I might take a crack at it again. This is all for naught if the update has a checksum function, but that would have to be in the update file itself, since they can't know what the checksum is until they package the update, so I guess theoretically that would be easy enough to bypass.
I tried this same exercise with my 2009 F150 sync updates. They had an HMAC MD5. It's a symmetric algorithm, so the needed key will be somewhere in the sync unit's firmware. While I could likely crack it, it wasn't worth the effort to me. You'd need to get the lower level firmware and reverse it. While I didn't "accept" a EULA prohibiting reverse engineering, the legality of this seems questionable.
The HMAC function combines the hash with a "secret" key. The key is shared between the OEM's programming system and the embedded systems (Sync computer). The information needed to calculate the hash is in the package, but the information needed for the HMAC, unfortunately won't be.
Way above my pay-grade! So you're sayin' there's a chance?!?!
Cargo Master
Joined: Aug 2015
Posts: 2,400
Likes: 15
It's a little easier to deal with than a cert. With the cert, the private key needed to make the signature isn't on the system. With the HMAC, you need only to find the key stored on your system and then you can make images that will work on all systems. With cert based authentication, you can replace the public cert with your own to make your images verify. This involves writing, not just reading the low level firmware. It also only works on only the one computer that you replaced the cert on.
Logistics Pro
Joined: Apr 2017
Posts: 3,674
Likes: 51
From: SoCal
If what 2009kr is saying is correct, then no, not really. We're hosed at not knowing the internal key. Any update we would push would fail as it wouldn't have the key to our trucks chastity belts 
Logistics Pro
Joined: Apr 2017
Posts: 3,674
Likes: 51
From: SoCal
It's a little easier to deal with than a cert. With the cert, the private key needed to make the signature isn't on the system. With the HMAC, you need only to find the key stored on your system and then you can make images that will work on all systems. With cert based authentication, you can replace the public cert with your own to make your images verify. This involves writing, not just reading the low level firmware. It also only works on only the one computer that you replaced the cert on.
Thread Starter
|
Mountain Pass
Joined: Dec 2018
Posts: 160
Likes: 5
From: Bay Area, CA
It's ok to skirt the lines of legal....better to ask for forgiveness than permission is what I say!