Honda Hack / Root: 11th Gen - Work In Progress Discoveries

[Jamieden]

You think we could use the system reboot option in one of the hidden menus to force the HU to boot into recovery/bootloader/fastboot upon bootup?

Maybe there is even a button combination to access the normal Android recovery environments. After all, there has to be a reason the system reboot option is hidden so deep in the hidden settings, and there is NO way they sacrificed the little amount of comfort they had with their tools for security, no matter how secure they want it to be. Anything that is 100% secure has little to no comfort, and to many people, that is bad design. There has to be something we can find.

Sponsored

 

[iLLNESS]

You think we could use the system reboot option in one of the hidden menus to force the HU to boot into recovery/bootloader/fastboot upon bootup?

There is an option to enable rebooting into bootloader inside the dev options as I recall. From there it’s a matter of making a compatible USB stick and having the right startup.sh to accomplish the tasks you want.
I believe the 10th gen civic thread for Honda hack has some info about this process (related to the Chinese firmware) on XDA forums.

 

[Jamieden]

There is an option to enable rebooting into bootloader inside the dev options as I recall. From there it’s a matter of making a compatible USB stick and having the right startup.sh to accomplish the tasks you want.
I believe the 10th gen civic thread for Honda hack has some info about this process (related to the Chinese firmware) on XDA forums.

You wouldn’t happen to have the link, would you? Also, the only option I saw was OEM Bootloader Unlocking. I couldn’t find a way to boot straight into the bootloader. Will the HU run a startup.sh file on a USB automatically on reboot?

 

[Jamieden]

Also, side note, I googled what came up on the device manager when in ADB mode, and it seems this system is running a Qualcomm Snapdragon 820.

 

[Jamieden]

Shot in the dark, I'm going to try to use the Dirtyc0w exploit to gain escalated privileges.

 

[iLLNESS]

You wouldn’t happen to have the link, would you? Also, the only option I saw was OEM Bootloader Unlocking. I couldn’t find a way to boot straight into the bootloader. Will the HU run a startup.sh file on a USB automatically on reboot?

I misremembered. The .sh bootloader script was something else, but related to the Civic (but I can't seem to remember where I saw it).

This was the Chinese method to get a browser installed on the Civic. I highly suggest you do not do this as the Android versions are not similar and you could potentially mess your HU up.

 

[Jamieden]

I misremembered. The .sh bootloader script was something else, but related to the Civic (but I can't seem to remember where I saw it).

This was the Chinese method to get a browser installed on the Civic. I highly suggest you do not do this as the Android versions are not similar and you could potentially mess your HU up.

Might be the old CLI version of HondaHack. But what we can try to do is use cheeky workarounds, like using a steganography attack to force the system to execute code out of a photo, since we can upload images to use as wallpaper.

 

[Jamieden]

Does anyone have any experience with exploiting vulnerabilities for Android? The version on the HU is 8.1.0. If we can find a vulnerability, we can exploit it to either execute code, or to bypass certain things, or to escalate privileges.

 

[psyborg]

Watching, this is awesome keep up the good work guys! Maybe we could get some help from the XDA community?
https://forum.xda-developers.com/f/android-head-units.4267/

 

[Jamieden]

Watching, this is awesome keep up the good work guys! Maybe we could get some help from the XDA community?
https://forum.xda-developers.com/f/android-head-units.4267/

I haven’t ruled out the idea, but most threads are not up to date with the new security methods that Honda and Panasonic have put in place. Since the Android version is 8.1.0, I think we exploit some vulnerabilities out there.

 

[Jamieden]

1. Just a thought… is the head unit separate from the info cluster?
2. I haven’t tried any of the exploits I found yet, but I’m planning on it
3. Is there a way to modify the info cluster?

 

[mapletonPD]

So that 7" screen is not Android What can we do with it!? Here is its source code:

http://www.embedded-carmultimedia.jp/iRT-ITR-Thr/oss/download/H_SA_00001

This isn't the full source code, just the open source libraries they have used.

 

[mapletonPD]

Took delivery on my 2022 Sport Hatchback (Canada). I love this car, but disappointed the 7in. display doesn't even seem to be android (I'm 70% sure; the software version reported isn't an Android one)

I've found two hidden menus in addition to the one in post #11. The process is much the same but uses additional buttons:

"Developer Diagnostic" Menu:
1. Power off the radio
2. While holding down Phone and Connect, and Menu, Press the power button 5 times and DO NOT release Phone, Connect, and Menu.
3. Keep holding Phone, Connect, and Menu for ~5 sec.

The Developer Diagnostics menu comes up with the following items:
DD VSP Error (defaulted to "on")
- Steer angle adjustment result
- Steer angle setting
- Bluetooth information
- Touch panel check
- Display check
- Gamma adjustment
- BMP display

I have not reviewed anything inside these menus yet.

The other hidden menu is called "Authentication Diag" and contains settings for changing the USB to Host/Device mode (among other things). I am hoping this would be a starting point for head unit mods.

Similar to the above, hold down three keys for ~5 seconds after hitting the power button 5 times. I've added a sample screenshot for clarity.

"Authentication Diag" menu:
1. Power off the radio
2. While holding down Phone and Connect, and Back, Press the power button 5 times and DO NOT release Phone, Connect, and Back.
3. Keep holding Phone, Connect, and Back for ~5 sec.

The "Authentication Diag" menu comes up with the following items:
- USB mode change
- Apple CarPlay performance test
- USB hub mode (defaulted to off)
- Bluetooth test

The USB mode lets you toggle between Host & Device mode. Changing the setting seems a bit "flaky" and usually won't allow to select one or the other unless I leave the menu and come back in a few times. It often, but not always, allows me to change to "device" by holding down the button for around 5 seconds and then repeatedly tapping it to get the setting to "stick".

I haven't yet successfully been able to get any farther with this; in Device mode the head unit doesn't recognize either my phone or my computer attached to USB. As I mentioned, the software doesn't even seem to be Android. None of the info provided earlier in this thread seems to apply to the 7in screen (at least, not for Canada) except for the video clip in post #8 and the settings for the EQ in post #11.

I'd love to hear if anyone is able to do anything further with this info & make progress on getting a USB connection to PC.

** Edit** I've also found that either of these two menus can be accessed simply by holding down either the "Back" button or the "Menu" button for 5 sec once you're inside the main "Detailed Information & Setting", which is accessed with just holding Phone and Connect & Pressing the power button 5 times (Posts 8/ 11).

I have a new 2023 HRV Sport which has the exact same stereo. I'd love to figure out how to save some of the options in the settings - specifically the gamma adjust - trying to brighten up my screen. Any idea how to save changes?

 

[Jamieden]

I am back! I have done some research, and I think in order to actually exploit a vulnerability on the device, either an ADB tcpip needs to be opened (which can only be done with the vendor keys), being on the same wifi network as the device (which might be able to be done with the software update module, or something), or finding a tool to send these exploits over USB.

 

[Jamieden]

Okay, I think I have something that may work. Using the System Update option and connecting to your own Wi-Fi, you can change the DNS for the software update server to go to a local server hosting a Linux Server for an exploit regarding the WebView browser. If we can force the head unit to go to that Linux Server, we may be in the clear

Sponsored