I am new here so i don't know if this has been asked before...

I have used FORscan and see that we can change the screen animation to a Raptor and some others. Im curious to know if its possible to put a custom animation here? Has anyone looked deeper into this or has done it?

 

Interested in any replies here as well.

 

Good question. I'm curious too.

 

After a little googling, it looks like the stock animations are mp4 files. I couldn't find any discussions where someone stated success, but it has been suggested that you may be able to open up one of the sync 3 updates (which include the stock animations) and replace one ore more of the mp4 files with a custom animation. If the sync3 update script does something like md5 checksum verification, this may not be possible.

 

Its not easily done right now. The Sync system uses QNX as its OS, which is *NIX based. The update files have .IFS files and .IMG files. I've been able to unpack the IFS files using QNX dumpifs tool, but there's not much there of any use. The .IMG files on the other hand are where most of the payload is, but I haven't been able to successfully access them. I've mounted the files, they report an x86 boot sector, but they are using a QNX file system that I don't have access to. (e.g. mount -t qnx6 ./file.img -o loop/dev/loop1,blocksize=512 /media/qnx fails with a file system error).

I found a virtual machine of QNX 6.5 and got it up and running on my Windows machine, but I had issues getting the network stack to initialize and couldn't easily get the files over to the VM so I could mount them. That's where I left off about a year ago....I might take a crack at it again. This is all for naught if the update has a checksum function, but that would have to be in the update file itself, since they can't know what the checksum is until they package the update, so I guess theoretically that would be easy enough to bypass.

 

I tried this same exercise with my 2009 F150 sync updates. They had an HMAC MD5. It's a symmetric algorithm, so the needed key will be somewhere in the sync unit's firmware. While I could likely crack it, it wasn't worth the effort to me. You'd need to get the lower level firmware and reverse it. While I didn't "accept" a EULA prohibiting reverse engineering, the legality of this seems questionable.

 

Great info Tricon, thanks!

 

The HMAC function combines the hash with a "secret" key. The key is shared between the OEM's programming system and the embedded systems (Sync computer). The information needed to calculate the hash is in the package, but the information needed for the HMAC, unfortunately won't be.

 

Ahhh, I was thinking more along the lines of a simple MD5 checksum, rather than a certificate type system.

 

It looks like they actually have MD5 sums for the individual files that are loaded in their .der certificate files. But....this just seems to easy to circumvent? 2009kr, how did you come to the conclusion on the HMAC system, did you alter something and try to install it?

Here's a snippet from one of the image certificates:

Type = Utility
Post-Script = GB5T-14G386-AB.sh
File1 = GB5T-14G386-AB.sh
File1 Hash Value = 01bced7dc9f78d69a35ce5c3f0712b8516330e827c1a97b658 3ab1d2fbb01dbf
File1 Size = 2231
File2 = utloggingutility
File2 Hash Value = d2a94381cdda68004ee55bd0c437f3f0148cd489733f8c4469 ad63b52df675e1
File2 Size = 85628
File3 = Decoded_ODL.xml
File3 Hash Value = 9d23e743e31f7075f06d88f198297122e82a2f851fac53adab f761a5c6dd731c
File3 Size = 9478
Save Location = /tmp/

 

I mean, of course, that all makes sense.....

Way above my pay-grade! So you're sayin' there's a chance?!?!

 

It's a little easier to deal with than a cert. With the cert, the private key needed to make the signature isn't on the system. With the HMAC, you need only to find the key stored on your system and then you can make images that will work on all systems. With cert based authentication, you can replace the public cert with your own to make your images verify. This involves writing, not just reading the low level firmware. It also only works on only the one computer that you replaced the cert on.

 

If what 2009kr is saying is correct, then no, not really. We're hosed at not knowing the internal key. Any update we would push would fail as it wouldn't have the key to our trucks chastity belts

 

Then I could see them using the MD5's just for file integrity, and the HMAC to stop idiots like us from borking the whole thing. I got my QNX VM up and running, and the network stack is working this time, but I don't see a easy/legal way forward anyways.

 

It's ok to skirt the lines of legal....better to ask for forgiveness than permission is what I say!