Sync3UsbBootReformat_EN.md

How to flash reformat on FordSync3 through USB cable

Русская версия ➡️

Intro

This method allows to flash Ford Sync 3 multimedia module(APIM) through USB cable even if it was bricked 🧱. You don't need to solder either the eMMC card reader or any other wires. The only thing you need is to disassemble the Sync module and short circuit of two pads.

TL;DR ➡️

Hardware

Ford Sync 3 module consists of two boards:

• Main board - IPC/CCPU with TI Omap5432 SoC as main CPU, RAM, eMMC flash.
• Second board - VMCU. CPLD and microcontroller placed on it. This part is responsible for the CAN interface (since Omap5432 doesn't have it) and this board also acts as an external watchdog for the main CPU.

IPC and VMCU communicates through UART interface (speed 500kbps, for packets exchange uses COBS encoding). More on this maybe some other time 🙃

OMAP5432 boot mode

According to public datasheet OMAP5432 Multimedia Device we can get info about ways and order of Omap5432 booting (paragraph 2.6 SYSBOOT configuration).

Boot table.

Look at sys_boot3. Exact this pin corresponding to boot priority from USB. If pull down sys_boot3 pin to GND, then Omap SoC will be booting from USB at first.

But how to find sys_boot3 ? 🤔

Answer on this question we could find on another datasheet OMAP5432Multimedia Device Engineering Samples 2.0. This paper contains terminal description and ball locations(Figure 2-1. OMAP5432 AAN S-PBGA-N754 Package (Bottom View)).

Looking for sys_boot3 and see that it's located at V31 place.

But how to get access to V31 ball? 🧐

Since this ball is located under Soc. we can't get to it without a special tools.

Fortunately mate Cusco came to the rescue. He ring out Omap Soc pads and many test points which located at board.
And he found V31!

USB boot MY18.5 (Thanks to IgorStr. for this find)

So, now we ready to boot Sync 3 module from USB.

USBboot

Time to connect Sync to PC with Linux through miniUSB cable. Next we need to wake up Sync by CAN packages. Short two pads circled in red and then enable power 12V.
Look at dmesg log:

kernel: [431083.350475] usb 1-3: new high-speed USB device number 114 using xhci_hcd
kernel: [431083.499541] usb 1-3: New USB device found, idVendor=0451, idProduct=d011, bcdDevice= 0.00
kernel: [431083.499555] usb 1-3: New USB device strings: Mfr=33, Product=37, SerialNumber=0
kernel: [431083.499561] usb 1-3: Product: OMAP5430
kernel: [431083.499566] usb 1-3: Manufacturer: Texas Instruments

Perfect, TI SoC is enumerated on USB bus and awaiting to code download...

But what code we should load to SoC? 🤓

A small remark should be made here. TI Omap5432 USB boot is not actually boot from USB flash drive. Instead we must transfer our executable code (bootloader) to Soc via USB. Then in this bootloader we have to implement the functions to access the Sync eMMC.

After several days of googling, I managed to find links to articles about the TI OMAP5 5432 uEVM ES2.0 (Panda5) debug board refers to http://omapedia.org. Trying to open that links and ... it's redirected to www.ti.com. The site was removed. Fuck! 🤬

However, web.archive.org remember everything, or at least a lot 😌

• General description

• Detailed description of the USB boot process

Most of the links to the source code repositories are still alive. The most interesting tool is UsbBoot(Omapboot). Getting sources git clone git://git.omapzoom.org/repo/omapboot.git usbboot && git checkout 33af7cb409b603cf7988306ab2ea70f052a9a02b and try to compile them.

To build UsbBoot for Omap SoC, we need a toolchain for ARMv7. First option is to get it from Android repository which is linked in the Omap wiki article. Second and easier option is to get assembled toolchain from here.

Compile UsbBoot

export CROSS_COMPILE=/path/to/toolchain/bin/arm-linux-gnueabihf-
make MACH=omap5 BOARD=omap5uevm

And run...

user@pc:~/$ sudo ./out/omap5uevm/usbboot -f
reading ASIC ID
CHIP: 5430
rom minor version: 02
IDEN: 0000000000000000000000000000000000000000
MPKH: 0000000000000000000000000000000000000000000000000000000000000000
CRC0: 071a9a31
CRC1: 00000000
device is GP
using built-in GP iboot of size 23-KB
sending 2ndstage to target...
waiting for 2ndstage response...
received 2ndstage response...

After loading 2ndstage bootloader to Omap and receiving response from it we can try to attach to SoC with fastboot (yes, it's Android tool) and attempt to execute some commands.

RE_format

The reformat package is intended for a factory (clean) installation of the Sync 3 OS. It consists of 2 parts:

1. MLO - bootloader
2. QNX-IFS-REFORMAT - OS image which performing a factory installation of Sync 3 system.

These are exactly the files that we want to flash on the Sync eMMC.
It remains to understand where exactly in eMMC they should be located.

To do this, let's see at the original reformat installation script. It contains the following line: update_boot -t -i /tmp/QNX-IFS-REFORMAT -m /tmp/MLO

So, there is some utility called update_boot that flashes the bootloader and OS firmware. Let's look under the hood...

First of all do strings update_boot:

Usage: %s [-i] [-m] raw partition

	-i   Path of IFS image file
	-m   Path of MLO image file
	-t   Toggle active IFS partition
	-r   replace current IFS with new one
	raw partition   Path of raw partition to write IFS and MLO image files, default value is /dev/hd0.

Great, we found a help strings, and now we know which params are accepted by this utility.

Well, let's find out what exactly this software does.

Take Ghidra🐉 and import update_boot to it. Deсompilation process will not be described in this article. If someone interesting here is link to shittypseudocode obtained by decompilation.

As a result, we get following layout of Sync 3 eMMC.

Sync3 eMMC layout

block	offset	name
0x0000		MBR
0x0002	0x0000400 (1024)	boot bank info
0x0100	0x0020000 (131072)	MLO
0x0184	0x0030800 (198656)	IFS first bank
0x7cd2	0x0F9A400 (16360448)	IFS second bank

Well, it's time to learn how to flash eMMC Sync with custom images transferred via USB from a PC.

Sync3flash

Omap usbboot which we previously compile already has fuctions for eMMC read\write. Let's modify it a bit by adding ability to flash custom images into MLO and QNX-IFS-REFORMAT offsets.

👉 sync3flash.

Flashing eMMC Sync3

Requirements:

• PC with Linux (virtual machine may not work¹, but you can use a livecd Linux on a flash drive, for example puppy linux)
• sync3flash tool
• MLO and QNX-IFS-REFORMAT files from REFORMAT package (you can get patched reformat package here)
• miniUSB cable

So, now we have everything we needed for flashing Sync 3. Let's start:

0. Disassembly Sync 3 module to get physical access to main board with Omap SoC.
1. Connect Sync directly to PC through USB cable. (Don't try to connect through Sync 3 USB hub. This will not work)
2. Start waking up Sync by sending CAN packages.
3. Run sync3flash tool sudo ./sync3flash -i QNX-IFS-REFORMAT -m MLO
4. Short contacts circled in red
5. Enable 12V power supply to Sync module.

If everything goes smooth, you should see output like that:

user@user-PC:/tmp$ sudo ./sync3flash -m MLO -i QNX-IFS-REFORMAT 
waiting for device...
reading ASIC ID
CHIP: 5430
rom minor version: 02
IDEN: 0000000000000000000000000000000000000000
MPKH: 0000000000000000000000000000000000000000000000000000000000000000
CRC0: 071a9a31
CRC1: 00000000
device is GP
sending 2ndstage to target...
waiting for 2ndstage response...
sending image to target...size (22696-B/22-KB/0-MB)
sending image to target...size (9279956-B/9062-KB/8-MB)

After 30 seconds Sync 3 will reboot and reformat will start. That's it 😎

PS:

This article is for entertainment and educational purposes only. All characters are fictional and coincidences are accidental.

PPS:

Many thanks to Cusco for the hardware help, Sanek2033 and Au{R}oN for inspiration and Lynx for the idea. 🙏

---

NOTE:
You can use virtualized Linux on Windows to make it work. Below is example for VirtualBox:
Settings -> USB -> Add Empty Filter
Name: OMAP5 sEVM
Vendor Id: 0451
Product Id: d011

Then sudo ./usbboot -f and do as usual with your board:
* first time should fail as drivers will be installed
* next time will work OK.

Note: We don't support this, so if you have any issues please direct it to the omap5 mailing list. 

Footnotes

1. How to flash using Virtual Box (from OmapWiki) ↩

Hold the short, then turn ignition on, then run script. You don't need to fully crank the vehicle. I booted a windows laptop from a Linux USB drive to avoid VM issues.

Alright, I've got Linux up and running, followed @luckyPipewrench's steps and that has helped me progress a little bit further into the script. I have gotten to the stage of uploading the MLO, however, it still appears that the APIM is turning off the miniUSB port before the script completes! I get to the part where the MLO is being uploaded and this seems to take a while (>30 seconds). Then in a second terminal window I see the Bus 001 Device 046: ID 0451:d011 Texas Instruments, Inc. OMAP5430 disappear and then the script quickly ends.

I ended up using dupont wires between the APIM and the APIM connector and from that I was able to determine that 12V is supplied, even when the miniUSB port goes down. I also unplugged almost every wire, leaving on 12V, GND, I-CAN HIGH, and I-CAN LOW connected (referenced this). I even tried to unplug the CAN lines after I got the OMAP to show up on USB so as to try and prevent some sort of CAN disable message from getting through. It seems to me that there is something on the APIM itself that is preventing the miniUSB from staying on for >30 seconds. Any ideas what it may be?

Are you in your car, and if yes is the engine turned on ? It may be a signal from the car which tells the APIM to go to sleep. This may happen after a little while when you remove your key for example.

Keeping the engine on is the best way I found to ensure power stays there during all the process (sorry planet Earth)

Yeah I have been trying this out in the car and I can measure 12V going into the APIM, even after the miniUSB disconnects. I have also tried to disconnect the CAN lines to the APIM once the file transfer has begun and the miniUSB still disconnects after about 30 seconds.

I was re-reading what bigunclemax wrote above and noticed this line:

Second board - VMCU. CPLD and microcontroller placed on it. This part is responsible for the CAN interface (since Omap5432 doesn't have it) and this board also acts as an external watchdog for the main CPU.

I think "this board also acts as an external watchdog for the main CPU." is likely the culprit that is turning off my main board and subsequently terminating my miniUSB connection mid flash.

So I am thinking I need to figure out one of these:

1. how to disable or feed the watchdog (or fake an alive response from main board to second board) (would require figuring out where the UART lines are)
2. how to continually power the main board bypassing the secondary board (would require figuring out the power layout)
3. how to keep the second board awake for longer
4. how to increase the speed of the MLO/QNX file transfers (although I think this is gated on the OMAP side not the USB port on my computer)

For option 3, I have tested changing the programming (as-built codes) of the APIM with Forscan and discovered that it appears the main board is powered on for 1.5-2 minutes continually. So perhaps I can try to continually change the programming, thus keeping the second board on and then allowing the full image flash of the main board to occur. Or perhaps there is a config in the APIM programming that can change the value of this watchdog timeout.

I'll give it a go this weekend. I'll probably also recompile the syn3flash to enable the USB tracing.

Also thanks for the responses! It is much appreciated!

Alright so I confirmed that the miniUSB is disconnecting using the USB debug tracing. I was unsuccessful in getting the APIM to stay on using Forscan so I think the next step is to get a STM32 blue pill and try out the test bench set up. Perhaps the looping ignition messages will keep the APIM on for long enough. Otherwise it looks like I will just need to buy a new one... sigh.

For reference here is the output with the USB tracing:

sending 2ndstage to target...
usb_write _data = 0x7ffe1f473160 len (4)
usb_write _data = 0x56e9a1e99050 len (4)
usb_write _data = 0x56e9a1e96020 len (12333)
waiting for 2ndstage response...
usb_read _data = 0x7ffe1f473164 len (4)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = 4, fname=/dev/bus/usb/001/024, Retry 0
usb_write _data = 0x7ffe1f473164 len (4)
usb_read _data = 0x7ffe1f473168 len (4)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = 4, fname=/dev/bus/usb/001/024, Retry 0
sending image to target...size (22696-B/22-KB/0-MB)
usb_write _data = 0x56e9a2ab92a0 len (22696)
usb_write _data = 0x7ffe1f473164 len (4)
ERROR: n = -1, errno = 71 (Protocol error)
usb_read _data = 0x7ffe1f473168 len (4)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = -1, fname=/dev/bus/usb/001/024, Retry 0
ERROR: n = -1, errno = 19 (No such device)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = -1, fname=/dev/bus/usb/001/024, Retry 1
ERROR: n = -1, errno = 19 (No such device)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = -1, fname=/dev/bus/usb/001/024, Retry 2
ERROR: n = -1, errno = 19 (No such device)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = -1, fname=/dev/bus/usb/001/024, Retry 3
ERROR: n = -1, errno = 19 (No such device)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = -1, fname=/dev/bus/usb/001/024, Retry 4
ERROR: n = -1, errno = 19 (No such device)
[ usb read 4 fd = 5], fname=/dev/bus/usb/001/024
[ usb read 4 ] = -1, fname=/dev/bus/usb/001/024, Retry 5
ERROR: n = -1, errno = 19 (No such device)
sending image to target...size (9279956-B/9062-KB/8-MB)
usb_write _data = 0x718090400010 len (9279956)
ERROR: n = -1, errno = 19 (No such device)