I own a 2021 Honda Civic and have been annoyed by the lack of public documentation/hacking tools for the Android-based headunit. I hope to address this by publishing my research into the headunit and encouraging discussion and community contribution.
This feels like when people post content and include "no copyright infringement intended" in the description.
I originally rooted the car using Honda Hack via http://www.autohack.org/, a paid service that afaik uses a WebKit exploit and probably an old Android kernel exploit to gain root. Part of the motivation for this project was to encourage others to release open-source rooting tools so they don't have to shell out the $25 for the "pro" version that I did.
Once I had root, I installed a few apps via a USB drive, including a file manager and a third-party app for ADB over TCP (I don't think 4.2.2 had built-in support for networked ADB). Then I connected my car to a Wi-Fi hotspot on my phone (at one point editing Android's wpa_supplicant.conf file directly because it got corrupted). Once I made sure that the headunit would autostart ADB over TCP and always try to connect to a certain Wi-Fi network, I had a decent safety net.
So I spent a good amount of time sitting in my car with a laptop after that, though I was able to pull partitions via dd and do a lot of research sitting at my desk, especially static analysis of APKs, native libs, and binaries, stopping back at my car on occasion to grep GPIO pins or sysfs values.
I didn't want to risk pulling the headunit from the car; that was (and is) an emergency fallback in case I ever wipe flash or something and need to reflash to the physical board. Fortunately I never had the need. It'd be great to get detailed pictures of the unit though. A quick eBay search shows headunits going for ~$1,000, which imo is ridiculous given that they're glorified Android tablets c. 2012. But if anyone has an extra they're looking to donate, definitely get in touch.
I took a quick look at it, someone could easily remove the license check, unlock the pro features and set up an easy to use site for it
You should have no problem using one of the available rootkits for 4.2.2. That's how I got root on my Pioneer. You can find out a lot of interesting stuff binwalking the firmware. Stuff like diag menus and such, at least in the Pioneer stuff.
Yes, you can run your own launcher and apps on it. Probably stable once you figure out what customizations they made.
Bafflingly, I can't find head units that recognize and obey MP3 playlists. I would have thought that functionality would be a given.
My limited experience says it's mostly about lengths of filenames, non-alphabetic characters in filenames, and nested directories. Try flat directory structure and maybe random filenames of 6-8 characters. Simply one more obfuscation step before feeding it into a car system. If lucky, the system might correctly read the ID3 tags.
In a rather similar fashion, I managed to reverse engineer the Roku's very, uh, idiosyncratic interpretation of the, well, was it ever a standard? In any case, Roku's Media Player app had, charmingly, decided to simply ignore the order of the songs in the playlist and -- this was fun to figure out -- grab the metadata of the songs and do it by a regular sort of the track number. It's brilliantly stupid, because it'd work just fine if you had a playlist of a single album. There, it makes perfect sense. Nowhere else.
I welcome PRs/contributions from the community; things like Honda-internal model numbers represent a non-technical obstacle for me as a lone developer. It'd be great to see boot/recovery images for similar vehicles, Accords included.
One of my goals is right-to-repair adjacent. I bought a Honda in the first place because they have a reputation for having an active modding scene and I see value in that positive feedback loop. Hopefully having the repo as a resource helps other people do more hardware mods or manufacture cheaper/consumer-friendly replacement parts.
I've considered trying to make an open source replacement of the /sbin/earlyrvc binary for rear camera hacking specifically. I caught a lucky break because the binary includes logging messages left in by the Honda devs and the messages include method names.
Thanks for the kind words and encouragement :)
>2012 software and hardware
Oy vey.
And the benefit to that is that it's easy to hack since there's an RCE in the old browser. So you can jailbreak your own car. (It doesn't have a cellular data connection so it's not a security risk)
Further, I agree that it's reasonable to ship a 2016 car with 2012 software. But I've seen no evidence that these headunits have gotten security updates within that timeframe. Think of it like a smartphone. I can make do with a phone that's a few years old, but I have an expectation that it will receive timely security updates. In the case of the Honda headunits, they run Android. They should receive Android security patches (I'll admit there's certainly complexity there, Google has long struggled with the tradeoff between device security and AOSP ubiquity). There's nothing wrong with using an older version of Android or an LTS kernel, but it should still receive security patches.
Last year, some Mazda cars were accidentally bricked by a radio station broadcast omitting file extensions: https://arstechnica.com/cars/2022/02/radio-station-snafu-in-.... That was an accident, not the work of a malicious actor.
Consider Stagefright bugs. As I understand it, although it was published in 2015, it affected several earlier Android versions, including 4.2.2. See: https://en.wikipedia.org/wiki/Stagefright_(bug). As far as I know, my car was never patched against Stagefright bugs. All it takes is a bug in one library (such as for HD radio image processing) and a well-published Android for something like this to be a big problem.
It's complicated; I like jailbreaking. I also think Honda should ship higher-quality software with better security policies and update guarantees.
Though it's Android 4.4, which gives me some nostalgia from my Nexus 4 and the Holo era of Android
Even class actions don't mean they would be recalled or even fixed. They did offer a discount on a new car.
I wonder if I could write a little binary that would continuously record the rear camera, at least the last minute or so, and then hook it up to some button in the UI to store the last recording.
How tough is it to root the head unit and work with it?
I want to look more into rear camera viewing/recording too. The binary /sbin/earlyrvc in the repo (in the boot recovery image directory) is what displays the camera on boot. After that there's a few Honda-specific APKs that handle backup camera access for the rest of Android. I had some luck using Ghidra for static analysis of /sbin/earlyrvc. But the biggest hurdle I ran into is a lack of documentation on NVIDIA kernel drivers and the graphics pipeline.
As for rooting, I used a paid ($25) service. You sign up on this sketchy site, pay the $25 to get a unique code (a UUID), and then visit a specific website from the headunit's web browser. AFAIK, whoever runs that service is basically just using a WebKit exploit chained to some other Android exploit(s) to achieve root. It worked for me. I've added some more info on this to the README. But one of my goals is to make rooting easier/free/open source to lower the barrier-to-entry for headunit hacking. It'd be great to see a PR for that
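The comments above on /sbin/earlyrvc note that its leftover log messages include method names. As an added example (not part of the thread and not code from the repo), this Python script pulls printable strings out of a binary and recovers function names from log-style prefixes. The three prefix conventions and the sample bytes are assumptions constructed for illustration, not contents of the real binary.

```python
import re

# Printable-ASCII runs of at least MIN_LEN bytes, the heuristic strings(1) uses.
MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Assumed log-prefix conventions (hypothetical, adjust to what the binary shows):
#   "Class::method: text", "func_name(): text", "[func_name] text"
NAME_PATTERNS = [
    re.compile(r"^([A-Za-z_]\w*(?:::~?[A-Za-z_]\w*)+)"),
    re.compile(r"^([A-Za-z_]\w*)\(\)"),
    re.compile(r"^\[([A-Za-z_]\w*)\]"),
]

def extract_strings(blob):
    """Return (offset, text) for every printable run in the blob."""
    return [(m.start(), m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(blob)]

def method_names_from_logs(blob):
    """Map each recovered name to the offsets of the log strings naming it.

    The offsets can be looked up in a disassembler to find the code that
    references each string, which is where the name belongs.
    """
    found = {}
    for offset, text in extract_strings(blob):
        for pattern in NAME_PATTERNS:
            m = pattern.match(text)
            if m:
                found.setdefault(m.group(1), []).append(offset)
                break
    return found

# Constructed sample: a fake header followed by NUL-terminated log strings.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"DemoCamera::openDevice: open failed (%d)\x00"
    + b"\x03\x00\x10\xe5"
    + b"DemoCamera::openDevice: retry %d\x00"
    + b"init_display(): fb mapped at %p\x00"
    + b"[draw_guidelines] steering angle %d\x00"
    + b"/dev/video0\x00"
)

if __name__ == "__main__":
    for name, offsets in sorted(method_names_from_logs(SAMPLE).items()):
        print(name, [hex(o) for o in offsets])
```

On a real image, read the file with `open(path, "rb").read()` and pass the bytes to `method_names_from_logs`.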
Fully agree. The reason is, it's easier (and fits into more popular narratives) to blame Tiktok and Youtube than to hold large corporations accountable.
I bet on today's web it would feel quite slow though, because everything is terrible.
Still works okay, a little slow, and the battery only lasts a couple hours. A great phone back in its day.