[GUIDE] How to gain root shell on 2016 Honda Pilot (and now install apps!!!)

By jersacct, Member on 25th October 2016, 10:39 PM
Disclaimer - this is your vehicle you are messing with. If you are not comfortable with potentially permanently damaging the head unit, stop here.

Now for the good stuff.

Credit where credit is due: this method relies on the recent "dirtycow" exploit. I used the POC Android exploit code located here:
https://github.com/timwr/CVE-2016-5195

This exploit in simple terms takes advantage of a Linux kernel bug that allows a (small) file to be "overwritten", when a user only has read access to that file. It doesn't actually modify filesystem contents, but any application that reads the file after the exploit is used will read the "new", post-exploit contents instead of the original.

The attached scripts use the dirtycow binary to overwrite the "/system/etc/factory_reset.sh" shell script with a nefarious version. This script is executed when you perform a factory reset operation through the settings menu, and it runs as the root user.

The nefarious script is quite simple - it just calls another script that is uploaded and performs a reboot. The second script mounts the /system partition as R/W, then copies over an su binary and sets appropriate permissions, then syncs and mounts read only again.

Please note that the attached "rootme.sh" script is intended to be run from a Linux machine - if I get the time (or enough donations), or if someone else cares to, it can be ported over to a Windows batch file easily enough.
Updated the attached zip to include a Windows batch file.

Steps:
  1. Download the attached zip file
  2. Extract to a machine capable of connecting to your Pilot over ADB
  3. Modify "rootme.sh" (*nix) or "rootme.bat" (Windows) to use the correct IP
    - Change the "172.16.1.217" lines to reflect the correct IP for your Pilot
  4. Execute "rootme.sh" (*nix) or "rootme.bat"
    - ./rootme.sh should do it for *nix
    - for Windows, open a command prompt, navigate to "rootme.bat" location and type "rootme.bat"
    - Watch output for completion
  5. Perform factory reset operation
    - Note - should the exploit function correctly, this step should NOT perform any factory reset operations. However, you should fully expect everything to be reset if the exploit failed or some other problem occurred when attempting to use a nefarious factory_reset.sh script.

After the Pilot reboots, you should be able to get a shell over ADB as normal, except now issuing an "su" command will drop you to root!

Update - thanks to purespin figuring out the signature mechanisms, we can now install apps! I've attached OneClick.zip, which contains a series of scripts to automate the rooting & app installation process.

That said, be careful, use these at your own risk, etc.

Extract the zip file to some folder, then open a command prompt in that folder. Also drop the APKs you wish to install into that folder.

Type OneClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]

The script will root your device if it's not already, then go ahead and perform steps necessary to install the APK (one reboot required if already rooted).

This basically performs the steps described in purespin's post to get a signature of the APK, download and modify the whitelist XML file, upload it back, reboot, then install the APK.

There's one prompt in the script that asks you to look things over. Pay attention here: if any issues crop up at this point, damage can be avoided; continuing in a bad state will have undefined results.

Updated the scripts to back up the white list on each run to /data/local/tmp/whitelist-(timestamp).xml.
Updated to handle APKs with more than one signature.

Edit: As suggested by wpg_moe, a Git Hub project has been set up here:
https://github.com/jersacct/2016PilotOneClick.git
Changes & suggestions are encouraged and welcomed, but this is a part time hobby project for me, so expect movement to be "lumpy", as I'm mostly only able to work on this during the weekends.
Attached Files
  2016-Pilot-Root.zip (81.3 KB)
  OneClick - 11-27-2016.zip (6.00 MB)
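As an added example (not the OP's attached rootme.sh or OneClick scripts), the following POSIX shell script builds the two scripts described above and checks them before anything is pushed from the Linux machine in step 2. It assumes the dirtycow binary built from the PoC repository linked above, an su binary, and the paths /data/local/tmp/stage2.sh, /data/local/tmp/su and /system/xbin/su; none of those paths, nor the root:root/6755 ownership and mode, are taken from the post. The check it adds is the one constraint the post's "(small) file" remark hints at: dirtycow can only overwrite bytes that already exist in the target, so the replacement factory_reset.sh must be no larger than the original, and it should end with an explicit exit so the original's leftover tail is never executed.

```shell
#!/bin/sh
# Added example, not the OP's rootme.sh: builds the two scripts the post
# describes and checks the one constraint dirtycow imposes before anything
# is pushed. All paths except /system/etc/factory_reset.sh are assumptions.
set -eu

TARGET=/system/etc/factory_reset.sh   # the file the post overwrites (runs as root on factory reset)
STAGE2=/data/local/tmp/stage2.sh      # assumed location of the uploaded second script
SU_SRC=/data/local/tmp/su             # assumed location of the pushed su binary
SU_DST=/system/xbin/su                # assumed install path for su

# dirtycow writes into the page cache of the target's existing pages: it
# cannot make the file longer, and any original bytes after what it writes
# are still there. So the replacement must be no bigger than the original,
# and it must end in a way that stops the leftover tail from running.
check_payload_fits() {   # $1 = payload file, $2 = byte size of the original target
    [ "$(wc -c < "$1" | tr -d ' ')" -le "$2" ]
}

# Stage 1 (the factory_reset.sh replacement): run stage 2 as root, reboot,
# and "exit 0" so the shell never reads the rest of the original file.
# The remainder is padded with '#' so the output is exactly the target's size.
build_stage1() {   # $1 = byte size of the original factory_reset.sh; prints the script
    target_size=$1
    body=$(printf '#!/system/bin/sh\nsh %s\nreboot\nexit 0\n' "$STAGE2")
    body_size=$(( ${#body} + 1 ))   # $(...) dropped the final newline; count it
    if [ "$body_size" -gt "$target_size" ]; then
        echo "stage 1 is $body_size bytes, target is only $target_size" >&2
        return 1
    fi
    printf '%s\n' "$body"
    pad=$(( target_size - body_size ))
    while [ "$pad" -gt 0 ]; do printf '#'; pad=$(( pad - 1 )); done
}

# Stage 2: the post's sequence of remount rw, copy su, set permissions,
# sync, remount ro. Ownership 0:0 and mode 6755 are assumptions.
build_stage2() {
    cat <<EOF
#!/system/bin/sh
mount -o remount,rw /system
cp $SU_SRC $SU_DST
chown 0:0 $SU_DST
chmod 6755 $SU_DST
sync
mount -o remount,ro /system
EOF
}

# Driver mirroring the post's steps 3 and 4 over adb. Needs a real head
# unit, the dirtycow binary built from the PoC repository and an su binary;
# nothing in this file calls it.
deploy() {   # $1 = head-unit IP, $2 = dirtycow binary, $3 = su binary
    ip=$1; dirtycow=$2; su=$3
    adb connect "$ip:5555"
    target_size=$(adb shell "wc -c < $TARGET" | tr -d '\r ')
    build_stage2 > stage2.sh
    build_stage1 "$target_size" > stage1.sh
    check_payload_fits stage1.sh "$target_size"
    adb push "$dirtycow" /data/local/tmp/dirtycow
    adb push "$su" "$SU_SRC"
    adb push stage2.sh "$STAGE2"
    adb push stage1.sh /data/local/tmp/stage1.sh
    adb shell chmod 755 /data/local/tmp/dirtycow
    # PoC usage is "dirtycow <target> <source>". From here until the next
    # reboot, anything reading $TARGET sees stage1.sh; on disk it is unchanged,
    # so the factory reset must be triggered before the unit reboots.
    adb shell /data/local/tmp/dirtycow "$TARGET" /data/local/tmp/stage1.sh
    echo "Now start Factory Reset from the head unit's settings menu."
}
```

`deploy 172.16.1.217 ./dirtycow ./su` reproduces steps 3 and 4; step 5 is still done on the head unit itself. Because the overwrite lives only in the page cache it does not survive a reboot, which is also why a failed attempt leaves the real factory_reset.sh in place and really does reset the unit, exactly as the post warns.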
26th October 2016, 07:16 PM |#2 (sheryip)
would this work on a 2016 civic android headunit? should be the same concept for it?
26th October 2016, 10:15 PM |#3
This is GREAT news!!! We will start to test it on a 2016 Civic Touring. It reminds me of hacking a Linksys firmware via TFTP.
26th October 2016, 10:19 PM |#4 (jersacct, OP)
Quote:
Originally Posted by sheryip

would this work on a 2016 civic android headunit? should be the same concept for it?

I don't have a Civic to test with, but I would imagine Honda uses the same factory reset mechanism on both models.

The included scripts are pretty straightforward - if you care to crack them open you'll see the operations they perform pretty plainly. I think the absolute worst you could suffer if you attempt this is that you factory reset your head unit. Remember your favorite radio stations if you decide to give it a shot.
27th October 2016, 05:34 AM |#5 (purespin)
Yes, I am able to root the 2016 Pilot using the method provided by jersacct. It is super easy and straightforward!

Now the question is: what is next? I have been working as a programmer for the last 20 years, but I don't have much knowledge of Android hacking. What's the starting point?
27th October 2016, 02:27 PM |#6
I'd say step 2 is to get the system info from a Ridgeline or a '17 pilot when they come out so we can try to put Android Auto or Car Play on the 16 models. Navigation would be nice but with AA/CP, you wouldn't need it.
27th October 2016, 02:28 PM |#7 (jersacct, OP)
Yep, this is just a first step. We still have to work around the white list service Honda put in place that's preventing installation of other APKs. I have not been successful in replacing the ApplistUpdate.apk with a modified version or replacing /data/system/whitelist.xml with a modified version. In either case the service is still preventing installation of new APKs.

I have a couple of workaround theories I'm working on - tracking down and modifying the service's source to always allow APK installation (effectively disabling the white list check), using the service's own interface to add APKs to the white list (much like S_Mike has done for the EU versions), stripping out or disabling the service entirely.
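The OneClick update in the first post and the whitelist work discussed here both start from the same two operations: finding out which certificate(s) an APK is signed with, and backing up /data/system/whitelist.xml before touching it. The script below is an added example, not OneClick's or purespin's code. The whitelist path is the one named in this post and the backup name follows the first post's whitelist-(timestamp).xml convention; everything else (adb over TCP on port 5555, an su that accepts -c, SHA-256 certificate fingerprints as the identifier, v1 META-INF signature blocks) is an assumption. The edit to the whitelist itself is deliberately left out, because its XML layout is not described anywhere in this thread.

```shell
#!/bin/sh
# Added example, not OneClick's or purespin's code: list every signing
# certificate in an APK (there may be more than one signature block) and
# take the timestamped whitelist backup the first post describes. The edit
# to whitelist.xml itself is left out because its layout is not given in
# this thread. SHA-256 certificate fingerprints are an assumed identifier.
set -eu

WHITELIST=/data/system/whitelist.xml   # path named in this thread

# $1 = directory holding META-INF/ as extracted from the APK.
# v1 (JAR-style) signature blocks are META-INF/*.RSA, *.DSA or *.EC, each
# a DER PKCS#7 container carrying that signer's certificate. One fingerprint
# per block (first certificate in the block), duplicates folded. APKs that
# carry only the newer APK Signing Block scheme have no such files and
# yield nothing here.
signer_fingerprints_from_dir() {
    dir=$1
    for blk in "$dir"/META-INF/*.RSA "$dir"/META-INF/*.DSA "$dir"/META-INF/*.EC; do
        [ -f "$blk" ] || continue
        openssl pkcs7 -inform DER -in "$blk" -print_certs \
            | openssl x509 -noout -fingerprint -sha256 \
            | sed 's/^.*=//; s/://g' \
            | tr 'A-F' 'a-f'
    done | sort -u
}

# $1 = path to the APK. Only META-INF/ is unpacked.
apk_signer_fingerprints() {
    work=$(mktemp -d)
    unzip -q -o "$1" 'META-INF/*' -d "$work" >/dev/null 2>&1 || true
    signer_fingerprints_from_dir "$work"
    rm -rf "$work"
}

# $1 = head-unit IP. Copies the whitelist on the unit to
# /data/local/tmp/whitelist-<timestamp>.xml (the first post's naming) and
# pulls that copy locally; prints the local file name. Assumes adb over
# TCP on 5555 and an su that accepts -c. Nothing in this file calls it.
backup_whitelist() {
    stamp=$(date +%Y%m%d-%H%M%S)
    copy=/data/local/tmp/whitelist-$stamp.xml
    adb -s "$1:5555" shell "su -c 'cp $WHITELIST $copy'"
    adb -s "$1:5555" pull "$copy" "whitelist-$stamp.xml"
    echo "whitelist-$stamp.xml"
}
```

`apk_signer_fingerprints app.apk` prints one lowercase fingerprint per signer, so an APK with two signature blocks gives two lines and neither is silently dropped, which is the case the first post's "more than one signature" update handles. Run `backup_whitelist 172.16.1.217` before any whitelist edit; if the edited file turns out to be rejected, the timestamped copy on the unit is what gets pushed back.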
27th October 2016, 05:18 PM |#8 (purespin)
I think it would be much easier to get APKs installed than to port Android Auto or CarPlay over. I would be much happier if we could achieve what they have done on the EU versions.
Quote:
Originally Posted by jersacct

Yep, this is just a first step. We still have to work around the white list service Honda put in place that's preventing installation of other APKs. I have not been successful in replacing the ApplistUpdate.apk with a modified version or replacing /data/system/whitelist.xml with a modified version. In either case the service is still preventing installation of new APKs.

Any summary on how S_Mike did that (using the service's own interface to add APKs to the white list)? If not, I might spend some time looping through the 139-page thread after work.
Quote:
Originally Posted by jersacct

I have a couple of workaround theories I'm working on - tracking down and modifying the service's source to always allow APK installation (effectively disabling the white list check), using the service's own interface to add APKs to the white list (much like S_Mike has done for the EU versions), stripping out or disabling the service entirely.

27th October 2016, 07:19 PM |#9 (ammarbukhari)
I have a 2016 Pilot, but I don't have a Linux machine, so how can I use this? Even if I use this, if I won't have access to install APKs, then what is the use? I am a bit confused. I am also a developer and have been rooting my phones to install custom ROMs, but that was all with guides I found on the internet. I didn't try anything fancy.
28th October 2016, 01:40 AM |#10 (jersacct, OP)
Quote:
Originally Posted by ammarbukhari

I have a 2016 Pilot, but I don't have a Linux machine, so how can I use this?

I've updated the attachment to include a Windows batch file, and updated the instructions.

Rooting the device with this method doesn't mean you can unlock all the Android goodies we're hoping for. It will, however, help a person so inclined to defeat the Honda installation restrictions.
28th October 2016, 09:22 PM |#11
There is no zip file
Tags
honda, pilot, root