Skip to content

Instantly share code, notes, and snippets.

@bigunclemax
Last active May 20, 2024 18:22
Show Gist options
  • Save bigunclemax/c566ecfc2f6d92e76e68446e46bdd944 to your computer and use it in GitHub Desktop.
Save bigunclemax/c566ecfc2f6d92e76e68446e46bdd944 to your computer and use it in GitHub Desktop.

How to flash reformat on FordSync3 through USB cable

Intro

This method allows to flash Ford Sync 3 multimedia module(APIM) through USB cable even if it was bricked 🧱. You don't need to solder either the eMMC card reader or any other wires. The only thing you need is to disassemble the Sync module and short circuit of two pads.

TL;DR ➡️

Hardware

Ford Sync 3 module consists of two boards:

  • Main board - IPC/CCPU with TI Omap5432 SoC as main CPU, RAM, eMMC flash.
  • Second board - VMCU. CPLD and microcontroller placed on it. This part is responsible for the CAN interface (since Omap5432 doesn't have it) and this board also acts as an external watchdog for the main CPU.

IPC and VMCU communicates through UART interface (speed 500kbps, for packets exchange uses COBS encoding). More on this maybe some other time 🙃

OMAP5432 boot mode

According to public datasheet OMAP5432 Multimedia Device we can get info about ways and order of Omap5432 booting (paragraph 2.6 SYSBOOT configuration).

Boot table. sysboot

Look at sys_boot3. Exact this pin corresponding to boot priority from USB. If pull down sys_boot3 pin to GND, then Omap SoC will be booting from USB at first.

But how to find sys_boot3 ? 🤔

Answer on this question we could find on another datasheet OMAP5432Multimedia Device Engineering Samples 2.0. This paper contains terminal description and ball locations(Figure 2-1. OMAP5432 AAN S-PBGA-N754 Package (Bottom View)).

Looking for sys_boot3 and see that it's located at V31 place. sysboot

But how to get access to V31 ball? 🧐

Since this ball is located under Soc. we can't get to it without a special tools.

Fortunately mate Cusco came to the rescue. He ring out Omap Soc pads and many test points which located at board.
And he found V31!

sysboot

USB boot MY18.5 (Thanks to IgorStr. for this find)

MY18 5_usbboot_short

So, now we ready to boot Sync 3 module from USB.

USBboot

Time to connect Sync to PC with Linux through miniUSB cable. Next we need to wake up Sync by CAN packages. Short two pads circled in red and then enable power 12V.
Look at dmesg log:

kernel: [431083.350475] usb 1-3: new high-speed USB device number 114 using xhci_hcd
kernel: [431083.499541] usb 1-3: New USB device found, idVendor=0451, idProduct=d011, bcdDevice= 0.00
kernel: [431083.499555] usb 1-3: New USB device strings: Mfr=33, Product=37, SerialNumber=0
kernel: [431083.499561] usb 1-3: Product: OMAP5430
kernel: [431083.499566] usb 1-3: Manufacturer: Texas Instruments

Perfect, TI SoC is enumerated on USB bus and awaiting to code download...

But what code we should load to SoC? 🤓

A small remark should be made here. TI Omap5432 USB boot is not actually boot from USB flash drive. Instead we must transfer our executable code (bootloader) to Soc via USB. Then in this bootloader we have to implement the functions to access the Sync eMMC.

After several days of googling, I managed to find links to articles about the TI OMAP5 5432 uEVM ES2.0 (Panda5) debug board refers to http://omapedia.org. Trying to open that links and ... it's redirected to www.ti.com. The site was removed. Fuck! 🤬

However, web.archive.org remember everything, or at least a lot 😌

Most of the links to the source code repositories are still alive. The most interesting tool is UsbBoot(Omapboot). Getting sources git clone git://git.omapzoom.org/repo/omapboot.git usbboot && git checkout 33af7cb409b603cf7988306ab2ea70f052a9a02b and try to compile them.

To build UsbBoot for Omap SoC, we need a toolchain for ARMv7. First option is to get it from Android repository which is linked in the Omap wiki article. Second and easier option is to get assembled toolchain from here.

Compile UsbBoot

export CROSS_COMPILE=/path/to/toolchain/bin/arm-linux-gnueabihf-
make MACH=omap5 BOARD=omap5uevm

And run...

user@pc:~/$ sudo ./out/omap5uevm/usbboot -f
reading ASIC ID
CHIP: 5430
rom minor version: 02
IDEN: 0000000000000000000000000000000000000000
MPKH: 0000000000000000000000000000000000000000000000000000000000000000
CRC0: 071a9a31
CRC1: 00000000
device is GP
using built-in GP iboot of size 23-KB
sending 2ndstage to target...
waiting for 2ndstage response...
received 2ndstage response...

After loading 2ndstage bootloader to Omap and receiving response from it we can try to attach to SoC with fastboot (yes, it's Android tool) and attempt to execute some commands.

fastboot

RE_format

The reformat package is intended for a factory (clean) installation of the Sync 3 OS. It consists of 2 parts:

  1. MLO - bootloader
  2. QNX-IFS-REFORMAT - OS image which performing a factory installation of Sync 3 system.

These are exactly the files that we want to flash on the Sync eMMC.
It remains to understand where exactly in eMMC they should be located.

To do this, let's see at the original reformat installation script. It contains the following line: update_boot -t -i /tmp/QNX-IFS-REFORMAT -m /tmp/MLO

So, there is some utility called update_boot that flashes the bootloader and OS firmware. Let's look under the hood...

First of all do strings update_boot:

Usage: %s [-i] [-m] raw partition

	-i   Path of IFS image file
	-m   Path of MLO image file
	-t   Toggle active IFS partition
	-r   replace current IFS with new one
	raw partition   Path of raw partition to write IFS and MLO image files, default value is /dev/hd0.

Great, we found a help strings, and now we know which params are accepted by this utility.

Well, let's find out what exactly this software does.

Take Ghidra🐉 and import update_boot to it. Deсompilation process will not be described in this article. If someone interesting here is link to shittypseudocode obtained by decompilation.

As a result, we get following layout of Sync 3 eMMC.

Sync3 eMMC layout

block offset name
0x0000 MBR
0x0002 0x0000400 (1024) boot bank info
0x0100 0x0020000 (131072) MLO
0x0184 0x0030800 (198656) IFS first bank
0x7cd2 0x0F9A400 (16360448) IFS second bank

Well, it's time to learn how to flash eMMC Sync with custom images transferred via USB from a PC.

Sync3flash

Omap usbboot which we previously compile already has fuctions for eMMC read\write. Let's modify it a bit by adding ability to flash custom images into MLO and QNX-IFS-REFORMAT offsets.

👉 sync3flash.

Flashing eMMC Sync3

Requirements:

  • PC with Linux (virtual machine may not work1, but you can use a livecd Linux on a flash drive, for example puppy linux)
  • sync3flash tool
  • MLO and QNX-IFS-REFORMAT files from REFORMAT package (you can get patched reformat package here)
  • miniUSB cable

So, now we have everything we needed for flashing Sync 3. Let's start:

  1. Disassembly Sync 3 module to get physical access to main board with Omap SoC.
  2. Connect Sync directly to PC through USB cable. (Don't try to connect through Sync 3 USB hub. This will not work)
  3. Start waking up Sync by sending CAN packages.
  4. Run sync3flash tool sudo ./sync3flash -i QNX-IFS-REFORMAT -m MLO
  5. Short contacts circled in red
  6. Enable 12V power supply to Sync module.

If everything goes smooth, you should see output like that:

user@user-PC:/tmp$ sudo ./sync3flash -m MLO -i QNX-IFS-REFORMAT 
waiting for device...
reading ASIC ID
CHIP: 5430
rom minor version: 02
IDEN: 0000000000000000000000000000000000000000
MPKH: 0000000000000000000000000000000000000000000000000000000000000000
CRC0: 071a9a31
CRC1: 00000000
device is GP
sending 2ndstage to target...
waiting for 2ndstage response...
sending image to target...size (22696-B/22-KB/0-MB)
sending image to target...size (9279956-B/9062-KB/8-MB)

After 30 seconds Sync 3 will reboot and reformat will start. That's it 😎

PS:

This article is for entertainment and educational purposes only. All characters are fictional and coincidences are accidental.

PPS:

Many thanks to Cusco for the hardware help, Sanek2033 and Au{R}oN for inspiration and Lynx for the idea. 🙏


NOTE:
You can use virtualized Linux on Windows to make it work. Below is example for VirtualBox:
Settings -> USB -> Add Empty Filter
Name: OMAP5 sEVM
Vendor Id: 0451
Product Id: d011

Then sudo ./usbboot -f and do as usual with your board:
* first time should fail as drivers will be installed
* next time will work OK.

Note: We don't support this, so if you have any issues please direct it to the omap5 mailing list. 

Footnotes

  1. How to flash using Virtual Box (from OmapWiki)

@m0nkeyc0de
Copy link

m0nkeyc0de commented Sep 8, 2022

You made my day ! There is hope for my Sync3 I just bricked. Thanks !

@ydupas1
Copy link

ydupas1 commented May 20, 2024

So I'm stuck in "waiting for device" screen even after shorting the pins. What about that 12v power supply? Do I have to add external power to it?

@m0nkeyc0de
Copy link

m0nkeyc0de commented May 20, 2024

So I'm stuck in "waiting for device" screen even after shorting the pins. What about that 12v power supply? Do I have to add external power to it?

The board has to be powered on in order to have this working as shorting the pins changes the boot mode. I did this directly in my car, with a switch soldered to the pins, and long wires. When it works a new USB device must appear. The watch -d lsusb command may help you to see if you did it correctly.

Note that you'll probably need to do a key cycle to turn power on/off on the infotainment system.

Once REFORMAT is booting, you'll need to find a full installation package. The update package you can download from Ford website will very likely not work. I heard that it may eventually be possible that modders forums could have a solution to propose but this is only a theory.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment