
[GUIDE] How to gain root shell on 2016 Honda Pilot (and now install apps!!!)

jersacct

Senior Member
Nov 28, 2010
67
105
Disclaimer - this is your vehicle you are messing with. If you are not comfortable with potentially permanently damaging the head unit, stop here.

Now for the good stuff.

Credit where credit is due: this method relies on the recent "dirtycow" exploit. I used the POC Android exploit code located here:
https://github.com/timwr/CVE-2016-5195

This exploit in simple terms takes advantage of a Linux kernel bug that allows a (small) file to be "overwritten", when a user only has read access to that file. It doesn't actually modify filesystem contents, but any application that reads the file after the exploit is used will read the "new", post-exploit contents instead of the original.

The scripts attached use the dirtycow binary to overwrite the "/system/etc/factory_reset.sh" shell script with a nefarious version. This script is executed when you perform a factory reset operation through the settings menu, and gets executed as the root user :).

The nefarious script is quite simple - it just calls another script that is uploaded and performs a reboot. The second script mounts the /system partition as R/W, then copies over an su binary and sets appropriate permissions, then syncs and mounts read only again.

Please note that the attached "rootme.sh" script is intended to be run from a Linux machine - if I get the time (or enough donations), or if someone else cares to, it can be ported over to a Windows batch file easily enough.
Updated the attached zip to include a Windows batch file.

Steps:
  1. Download the attached zip file
  2. Extract to a machine capable of connecting to your Pilot over ADB
  3. Modify "rootme.sh" (*nix) or "rootme.bat" (Windows) to use the correct IP
    - Change the "172.16.1.217" lines to reflect the correct IP for your Pilot
  4. Execute "rootme.sh" (*nix) or "rootme.bat"
    - ./rootme.sh should do it for *nix
    - for Windows, open a command prompt, navigate to "rootme.bat" location and type "rootme.bat"
    - Watch output for completion
  5. Perform factory reset operation
    - Note - should the exploit function correctly, this step should NOT perform any factory reset operations. However, you should fully expect everything to be reset if the exploit failed or some other problem occurred when attempting to use a nefarious factory_reset.sh script.

After the Pilot reboots, you should be able to get a shell over ADB as normal, except now issuing an "su" command will drop you to root!

Update - thanks to purespin figuring out the signature mechanisms, we can now install apps! I've attached OneClick.zip, which contains a series of scripts to automate the rooting & app installation process.

That said, be careful, use these at your own risk, etc.

Extract zip file to some folder then open up a command prompt in that folder. Also drop the APKs you wish to install to that folder.

Type OneClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]

The script will root your device if it's not already, then go ahead and perform steps necessary to install the APK (one reboot required if already rooted).

This basically performs the steps described in purespin's post to get a signature of the APK, download and modify the whitelist XML file, upload it back, reboot, then install the APK.

There's one prompt in the script that asks you to look things over - pay attention here. If any issues crop up at this point, damage can be avoided; continuing in a bad state will have undefined results.

Updated the scripts to back up the white list on each run to /data/local/tmp/whitelist-(timestamp).xml.
Updated to handle APKs with more than one signature.

Edit: As suggested by wpg_moe, a GitHub project has been set up here:
https://github.com/jersacct/2016PilotOneClick.git
Changes & suggestions are encouraged and welcomed, but this is a part time hobby project for me, so expect movement to be "lumpy", as I'm mostly only able to work on this during the weekends.
 

Attachments

  • 2016-Pilot-Root.zip
    81.3 KB · Views: 5,891
Last edited:

jersacct

Senior Member
Nov 28, 2010
67
105
would this work on a 2016 civic android headunit? should be the same concept for it?

I don't have a Civic to test with, but I would imagine Honda uses the same factory reset mechanism on both models.

The included scripts are pretty straightforward - if you care to crack them open you'll see the operations they perform pretty plainly. I think the absolute worst you could suffer if you attempt this is that you factory reset your head unit. Remember your favorite radio stations if you decide to give it a shot.
 

purespin

Senior Member
Apr 1, 2006
57
28
Yes, I am able to root the 2016 Pilot using the method provided by jersacct. It is super easy and straightforward!

Now the question is what is next :) I have been working as a programmer for the last 20 years but I don't have much knowledge of Android hacking. What's the starting point?
 
  • Like
Reactions: ammarbukhari

TWINTRBO

Senior Member
Sep 29, 2016
82
5
I'd say step 2 is to get the system info from a Ridgeline or a '17 pilot when they come out so we can try to put Android Auto or Car Play on the 16 models. Navigation would be nice but with AA/CP, you wouldn't need it.
 

jersacct

Senior Member
Nov 28, 2010
67
105
Yep, this is just a first step. We still have to work around the white list service Honda put in place that's preventing installation of other APKs. I have not been successful in replacing the ApplistUpdate.apk with a modified version or replacing /data/system/whitelist.xml with a modified version. In either case the service is still preventing installation of new APKs.

I have a couple of workaround theories I'm working on - tracking down and modifying the service's source to always allow APK installation (effectively disabling the white list check), using the service's own interface to add APKs to the white list (much like S_Mike has done for the EU versions), stripping out or disabling the service entirely.
 

purespin

Senior Member
Apr 1, 2006
57
28
I think it would be much easier to get APKs installed than porting Android Auto or Car Play over. I would be very happy if we can achieve what they have done on EU versions.
Yep, this is just a first step. We still have to work around the white list service Honda put in place that's preventing installation of other APKs. I have not been successful in replacing the ApplistUpdate.apk with a modified version or replacing /data/system/whitelist.xml with a modified version. In either case the service is still preventing installation of new APKs.

Any summary on how S_Mike did that (using the service's own interface to add APKs to the white list)? If not, I might spend some time to loop through the 139-page thread after work :(
I have a couple of workaround theories I'm working on - tracking down and modifying the service's source to always allow APK installation (effectively disabling the white list check), using the service's own interface to add APKs to the white list (much like S_Mike has done for the EU versions), stripping out or disabling the service entirely.
 

ammarbukhari

Member
Mar 15, 2011
26
0
I have a Pilot 2016. But I don't have a Linux machine. So how can I use this? Even if I use this, if I will not have access to install APKs then what is the use? I am a bit confused. I am also a developer and have been rooting my phones to install custom ROMs, but that was all with the guides that I found on the internet. Didn't try anything fancy.
 

jersacct

Senior Member
Nov 28, 2010
67
105
I have a Pilot 2016. But I don't have a Linux machine. So how can I use this?

I've updated the attachment to include a Windows batch file, and updated the instructions.

Rooting the device with this method doesn't mean you can unlock all the Android goodies we're hoping for. It will, however, help a person so inclined to defeat the Honda installation restrictions.
 

enyce9

Senior Member
Jun 26, 2008
251
39
I've updated the attachment to include a Windows batch file, and updated the instructions.

Rooting the device with this method doesn't mean you can unlock all the Android goodies we're hoping for. It will, however, help a person so inclined to defeat the Honda installation restrictions.
Thanks, have you had any luck installing an apk? That's what I'm looking to do on my Ridgeline.

Sent from my Nexus 6P using Tapatalk
 

anekin007

Senior Member
May 15, 2013
68
19
The system doesn't just check the white list. It checks the certs as well. If it isn't signed by the developer for Honda, the package installer won't install the APK.
 

maecar

Member
May 16, 2016
33
26
Guys, you probably have to change the signature of the APK in the list from that code to "PREINSTALL", without the "". I have a 2015 Honda HR-V and that's the way we can install apps on our head unit. Some people had problems installing apps after updating Honda applications, because it changed "PREINSTALL" to the app signature. After a factory reset, they got the PREINSTALL again for "HondaAppCenter_A1.apk". So, try removing the signature code to PREINSTALL for some APK and use that APK name to install the app.
 

jersacct

Senior Member
Nov 28, 2010
67
105
Guys, you probably have to change the signature of the APK in the list from that code to "PREINSTALL", without the "". I have a 2015 Honda HR-V and that's the way we can install apps on our head unit. Some people had problems installing apps after updating Honda applications, because it changed "PREINSTALL" to the app signature. After a factory reset, they got the PREINSTALL again for "HondaAppCenter_A1.apk". So, try removing the signature code to PREINSTALL for some APK and use that APK name to install the app.

I think the protection mechanisms in this version are entirely different. There are no "process_controls.list" or "allowed_installations.list" files present in the entire filesystem, nor does a grep across the entire filesystem return any results for "HondaAppCenter". These tell me that the protection mechanisms are not the same as previous or EU versions.

I've attached what I believe to be a component of the replacement mechanisms, an XML file describing full app names, sometimes signatures, and fields describing permissions. Any edits to this file don't seem to be regarded, so I'm still digging in to the core services that make up the white list mechanism.
 

Attachments

  • whitelist.xml
    19.9 KB · Views: 534
Last edited:
  • Like
Reactions: enyce9 and purespin

got2b240

Member
May 24, 2008
42
8
N.E PA
What a coincidence this is, as I heard about the Dirty Cow exploit just the other day and spent time trying to root my 64 bit Samsung smartphone to no avail. I did hear that it works on 32 bit android platforms and how about this for a case in point.

Jersacct, thanks for making this available to the community! I can understand that the first hurdle is getting the system to stop blocking / removing non-whitelisted apps and it sounds like you are just getting to this point now. Keep up the good work and please let us know if there are any minor details that you need worked out that can be delegated to the community, i.e. testing, troubleshooting or research.

Looking forward to having more capabilities with my 2016 Honda Pilot!
 

jersacct

Senior Member
Nov 28, 2010
67
105
Did you update whitelist.xml file directly or update the whitelist.xml file in ApplistUpdate.apk?

I've attempted both approaches, with no luck. It may be that my ApplistUpdate.apk replacement was flawed somehow, so I'm not sure there. Because you modify the zipped whitelist.xml in the APK, you also have to resign the APK before installation, Android won't reinstall an app with different signatures without uninstalling original, and because it's a system app it won't let you uninstall.....blah blah I deleted the original (after backing up) and replaced it with modified version, still no positive result. I attempted to add eu.chainfire.supersu (picked at random, could be anything) to the list of allowed apps in these cases but still couldn't get it installed.

I think my next approach will be to edit the system services (in /system/framework/services.(.jar,.odex)) and see if I can disable all whitelist checks.

Now that root is available, it's only a matter of time before someone gets around Honda's restrictions.
 

Top Liked Posts

    23
    I'm a huge tech fan, but no formal training. I read through the thread start to finish so I could attempt to execute this hack on my 2016 Pilot EX-L. With plenty of re-reading along with lots of googling, I was able to gain root access on my Pilot, along with adding the Waze App. Much thanks to all contributors, especially jersacct and purespin who really got this thing going.

    To reciprocate, I decided to create an incredibly dumbed down tutorial on how to get this going. Hopefully this can eliminate some of the burden on fellow forum members of answering the same questions over and over. Since this tutorial is done by a hobbyist and not a professional, it may resonate a bit more with some less tech-savvy people. All of the ADB, JRE, APK lingo can get a bit confusing. But once you understand the basics of what's going on, the all-in-one script has made this a piece of cake. After creating and reading through the tutorial, I realize I probably went overboard with how much I broke things down, especially considering we're on the xda-developers forums. Either way, maybe it can help a few forum members, along with possibly guiding the less tech-savvy in future Google searches.

    ---------- Post added at 07:39 AM ---------- Previous post was at 07:34 AM ----------

    Super Comprehensive Guide to Hacking your Honda

    (Pilot 2016 EX-L for me)

    Download OneClick .zip file from page one of this thread. Here is a direct link. We’ll get to this later.
    https://forum.xda-developers.com/attachment.php?attachmentid=3950352&d=1480262045

    Download ADB Installer v1.4.3. Here is a download link. We'll also get to this later:
    http://www.mediafire.com/file/mjjyw6a27m2l1ma/15-Second-ADB-Installer-v1.4.3.zip

    In my case, I already had Java SE Runtime environment installed, so I did not have to do this step. But I assume it's straight forward. Here is a link to Oracle’s page. Choose your OS, download, and install.
    http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

    Your two previous downloads from steps 1 & 2 should be sitting in your downloads folder. We’ll start with the ADB installer. Extract the files to a new folder:

    After extracting, click through the folders until you get to the application. Install the application by right clicking and running as administrator:

    I can't say with certainty that selecting yes is necessary for all questions, but it will certainly do no harm. Type y for all 3 questions. Allow the driver to be installed and you should be good to go:

    Next, for simplicity purposes, create a folder in your root directory called "hondahack". For people that tend to not pay attention to detail, while it might seem silly to do everything exactly as presented here, it will likely help prevent a minor oversight that could derail the entire project later. Right mouse click and select "new folder". Type in "hondahack". The folder's location will be C:\hondahack

    I don't know if this next step is necessary, especially after selecting "y" for "Install ADB system-wide". Either way, stay at root directory. This is where adb was installed. My location for adb is C:\adb as seen below:

    Copy the top two files. adb and AdbWinApi.dll and move them to your new hondahack folder. Also, copy the zip from step #1. This is the One Click script located in your downloads directory. Place it into the hondahack folder. Then, right mouse click on the zip file and select, extract here. You should be left with your hondahack folder looking like this:

    Cut the two files from before, adb and AdbWinApi.dll and move them into the OneClick folder. Your folder should look like below. In a Windows instance with drive letter C, your working path for this project would be C:\hondahack\OneClick

    Next, we're going to download an APK to use in the script. I simply googled "Waze 3.9.9.0 APK" since that was the version I wanted. Many options came up. This one below works fine:
    https://www.apk20.com/apk/100989/vstart

    Download this file to your working path. Again, in our case, this is the C:\hondahack\OneClick folder. Give it the simple title of waze and save as a .apk file. Don't forget, if it's already showing file type as .apk, do not type in "waze.apk". This will create waze.apk.apk as the filename. If you had "Save as type" set to "All Files", then you would call it "waze.apk". Otherwise, as in the image shown here, call it "waze":

    ---------- Post added at 07:46 AM ---------- Previous post was at 07:39 AM ----------

    Time to head to your vehicle. Here is a screencap of a random youtube video so you can see the screen where you'll be modifying your connection from the Settings > Bluetooth/Wi-Fi tabs section:

    First, make sure Wi-Fi On/Off Status is set to on. Then, go to the Wi-Fi network list, and get your vehicle online. Make sure it's on the same local network as your PC. Once connected, check the IP address of your Pilot by going to Settings > Bluetooth/Wi-Fi Settings > Wi-Fi Information. Write this address down and head back to your PC. For our case, we'll say it's 192.168.1.200.

    It is important that you make sure that the IP address of the computer which you're executing the script from is on the same subnet as your vehicle. For instance, if your computer's local IP address is 192.168.1.172, then your vehicle must start the same way, with 192.168.1.#. The simplest way to ensure this is to have them both connected to the same router.

    To verify, you'll go to the command prompt and type in ipconfig. Click the windows icon and type cmd. Then type, ipconfig and hit enter. You'll be looking at the information on whichever adapter is currently in use. In my case, I'm hardwired so it's the ethernet adapter. I've highlighted my IP address in red.

    In this case, the vehicle and the computer are on the same subnet. They both start with 192.168.1. We're good to go, and now over 90% done! From here, it's mostly crossing fingers and hoping things go according to plan.

    Head back to the command prompt and bring yourself to the C:\hondahack\OneClick directory. To do this, type
    Code:
    cd c:\hondahack\OneClick
    Now, you'll be executing the script. This specific script is broken down into three parts. Batch File Name > IP Address to pass to script > APK to pass to script. For additional applications, all you'll need to do is download the proper APK file, locate it to your C:\hondahack\OneClick directory. In our case, we're going to type
    Code:
    OneClickInstall.bat 192.168.1.200 waze.apk

    Since I have already done this, the below will show something similar to what the output of that command will be:

    Code:
    Usage: ./OneClickInstall.sh ipaddress My.apk
    Example: ./OneClickInstall.sh 192.168.1.200 waze.apk
    Disconnecting other adb devices\n
    
    Connecting to 192.168.1.200\n
    connected to 192.168.1.200:5555
    Checking for root...
    Rooted successfully!
    Already rooted!
    Okay, getting signature of Waze.apk
    Signature: 30820314308202d2a003020102020449806de1300b06072a86 48ce3804030500306c310f300d060355040613064973726165 6c310f300d0603550408130649737261656c3110300e060355 040713075261616e616e61310d300b060355040a130457617a 65310d300b060355040b130457617a65311830160603550403 130f416c657820416772616e6f766963683020170d30393031 32383134333832355a180f3230363331313031313433383235 5a306c310f300d0603550406130649737261656c310f300d06 03550408130649737261656c3110300e060355040713075261 616e616e61310d300b060355040a130457617a65310d300b06 0355040b130457617a65311830160603550403130f416c6578 20416772616e6f76696368308201b83082012c06072a8648ce 3804013082011f02818100fd7f53811d75122952df4a9c2eec e4e7f611b7523cef4400c31e3f80b6512669455d402251fb59 3d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b7 6b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7 c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae 2b61d72aeff22203199dd14801c70215009760508f15230bcc b292b982a2eb840bf0581cf502818100f7e1a085d69b3ddecb bcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159 578ebad4594fe67107108180b449167123e84c281613b7cf09 328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f 0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15a e59f06928b665e807b552564014c3bfecf492a038185000281 8100ce11f6d402adf4a6aceaf6fe81219ed28299e37ffdca84 6241e7d21e5bf35c8938ee20ce6ade9907c38f12556d574135 ebb36a567c7cb001d75d3952bcca616f4ad232563e407706c9 5bc47f2ed115052d5389eb84799956e5aa4481be2312d347c6 20029b2b8903b5553849111da92372cd50e2f9a7c156d5d10f 3d83bbaf03300b06072a8648ce3804030500032f00302c0214 46d982e8f1ea835d06f44934bf60241e5f8be5c402147d372a f681491f354f34c4ab1a6f30475e69767e
    Getting package information
    Package name: com.waze
    Retrieving current whitelist...
    Preparing replacement whitelist
    Okay - all set to replace the whitelist. Below are the final steps:
    1. Backup existing whitelist to /data/local/tmp/
    2. Upload whitelist to head unit
    3. Reboot head unit
    4. Install APK normally
    
    Please review the below items carefully - if anything doesn't look right, ABORT NOW!\n
    Root status: rooted
    APK signature obtained
    Have package name: com.waze
    Original whitelist.xml size seems okay
    Package name is present in new whitelist
    
    Would you like to proceed? (y/n):


    ---------- Post added at 07:52 AM ---------- Previous post was at 07:51 AM ----------

    At this point, review the above carefully. If it says you're rooted, the APK signature has been obtained, the whitelist.xml file is okay, and the package name is present in the new whitelist xml file, then you're good to proceed. If these results are not the same as above, select n and head to the forums with your question. If you've followed these directions exactly as presented, more than likely you won't face any issues.

    If you select "y" you will see the following:

    Code:
    Backing up whitelist to /data/local/tmp/whitelist-13-12-2016--21-03-02.xml
    Uploading whitelist
    106 KB/s (35666 bytes in 0.328s)
    Rebooting head unit
    Press enter when head unit has rebooted and is connected to WiFi

    Head to your vehicle. Make sure it restarted and is connected to Wi-Fi. If so, head back to the computer and hit enter. This part may take a few minutes depending on the APK size and your connection speed. You will see the following:

    Code:
    Issuing APK installation command - this may take a while depending on APK size
    connected to 192.168.1.208:5555
    252 KB/s (49700115 bytes in 191.852s)
    pkg: /data/local/tmp/Waze.apk
    Success!
    All done - hope you enjoy!

    If you see "Success!", you're good! On your vehicle head unit, go to the home screen, hit the 6 dots at the bottom right, and you should see the little Waze icon. Tap and you're off! Don't forget, you will need to use your phone as a mobile hotspot to provide data while on the go.

    If you see a failure, head back to the forums to see if you can figure out where you may have gone wrong.

    *****
    Here is TLDR version of this tutorial:

    1. Download the script, an ADB installer, JRE, and whatever APKs you want to add to your Honda.
    2. Have a single folder with the all in one script, ADB files, and APKs.
    3. Run the .bat file from the script at the terminal with the IP of your Honda & the APK of choice as the two parameters. C:\ [.bat file][ip address][apk]
    4. Cross your fingers :)
    *****


    This tutorial goes into great detail for the installation process, but I will leave any tweaks to the pros. I have yet to encounter (likely due to limited use) any of these issues, but many have reported some audio issues with Waze, whether it be too quiet, or improper transitioning from music to notifications. This tutorial does not address these issues. From my understanding, there does not seem to be a consensus on why these problems exist or how to replicate them. Until there is a solution, they won't be addressed in this tutorial.

    Hopefully this was helpful. Feel free to chime in with any corrections or comments.
    8
    Sorry for the delay as I had something to attend after work :)

    First things first: this totally depends on the root method provided by jersacct in this thread. All the credit to him and others who have helped during the adventure.

    Technical details about how to make installation work:
    As we all know, ApplistUpdate.apk contains the whitelist zip and will install the whitelist.xml in the /data/system/ folder. But changing that file didn't seem to have any impact, as several of us tried it before. I have searched the whole file system trying to find the files that might be used to control the installation but to no avail.

    So I decided to decompile some of the apks and frameworks. The process is quite tedious as the decompilation was not always working, especially for the frameworks. I have tried a few tools but still not 100% working. But luckily I just got enough decompiled code to analyze the logic of whitelisting. After studying the code, here are some findings:

    • The "whitelist" system service (in /system/framework/framework.jar/odex) provides the service for other apps to check "whitelist" functionality. It doesn't do much itself except forwarding the call to WhiteListManager.
    • The WhiteListManager provides the core functions related to apps installation/permissions and is in /system/framework/services.jar/odex. It loads /system/data/whitelist.xml file during system boot-up. It has the following functions:
      • checkInstallPermission()
      • checkAddinApplication()
      • getRegulationMode()
      • checkAudioFlag()
      • getAudioStreamType()
      • checkRevertFlag()
    The function checkInstallPermission() is called when an app is installed. For 3rd party apps, it will compare the APK signatures to the keyStore values loaded from whitelist.xml.
    After lots of tries, I finally managed to create the correct signatures for my test app and I was able to get the "Install" button enabled for my test app!!!
    Here are the lines added to whitelist.xml for my test app:
    Code:
            <application>
                <property>
                    <name>TestApp</name>
                    <package>com.purespin.testapp</package>
                    <versionCode>1-999999999</versionCode>
                    <keyStoreLists>
                        <keyStore>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</keyStore>
                    </keyStoreLists>
                </property>
                <controlData>
                    <withAudio>without</withAudio>
                    <audioStreamType>null</audioStreamType>
                    <regulation>null</regulation>
                    <revert>no</revert>
                </controlData>
            </application>
    The rest is pretty straightforward: just get the signatures for any app you want to install and add them to the whitelist.xml, upload it to the HU, reboot and it can be installed.

    What has been tested?
    I tried some apps and they all can be installed and launched:
    • Waze (3.9.9) is running perfectly within a 5 km test drive without data. I launched it for a few minutes before going out, so it probably downloaded some maps to cache while still connected to home wifi.
    • HERE/Sygic can be installed and launched but have some problems. The settings page is blank in HERE so I can't choose external USB as the storage. Sygic asked to download maps after launch. So I just uninstalled these 2.
    • Spotify is running fine too. But there is no setting to choose external USB as the offline storage (the same version on my phone does have the setting option).
    • Kodi is working great. I can even play back video while driving. I know this is illegal but hey! I just want to have some fun :). I think this can be disabled by the restrictions settings in the whitelist.xml.
    Now the biggest challenge is the storage space. Part of the internal storage is mounted as /sdcard and all the USB ports are mounted as /mnt/usb?. So far all the apps cannot use the USB drives (ES File Explorer can read/write to USB but all the other apps can't recognize the USB as a valid external storage). After installing a few apps, I got a warning saying "not enough storage". That's why I had to uninstall HERE/Sygic and didn't play with it much.
    I think the whole process to get the signature from apk, update whitelist.xml and upload it to HU can be automated by writing a simple app, just like what S_Mike did for the EU versions. But given the limited internal storage space, it is low priority now.

    Note that all the apps are installed under the /data/app/ folder, not under the /system/app/ folder. But to my surprise, the installed apps have all the "root" privileges. For example, ES File Explorer can open /data/system/whitelist.xml, which is only rw by the root user. It can even edit and write to the file!!! (I guess one has to be very careful when someone just plays around! They can easily brick the HU!!!)

    Quick Test
    Sorry for the long story. For anyone who just needs a quick test, you can download the attached whitelist.xml and follow these steps (you should compare its content with the original one in your HU to see the differences):
    Steps:
    1. Root your HU by following the instructions in the original post in this thread.
    2. adb push whitelist.xml /data/local/tmp/
    3. adb shell
    4. su
    5. cd /data/system
    6. cp whitelist.xml whitelist.xml.original
    7. cp /data/local/tmp/whitelist.xml .
    8. reboot
    After reboot, insert a USB with the following apks and try the "USB install" app to install:
    • com.purespin.testapp
    • com.waze
    • com.spotify.music
    • org.xbmc.kodi
    • com.estrongs.android.pop
    • com.sygic.aura
    • com.here.app.maps
    • com.tinusapps.gpsspeedo
    • oops.ledspeedometer
    • com.eclipsim.gpsstatus2
    • com.rechild.advancedtaskkiller

    For other apps
    Download the attached GetAndroidSig.jar file and run it against the apk you want to install:
    Code:
    java -jar GetAndroidSig.jar abc.apk
    It will print out the signatures for the apk. Add them to the whitelist.xml together with the app name and package name. See the attached whitelist.xml for examples. If there is more than 1 signature, you need to add them all. Check the HERE WeGo example in the xml file.

    That's all the info I have now. Let me know if you run into any issue or have any question.

    Warnings: I'm not responsible for any damage to your head unit. Use it at your own risk.
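Because the Quick Test steps above keep a backup as whitelist.xml.original, the two files can be compared to see exactly which entries a modified whitelist adds, changes or removes. The following is an added example, not code from the post or from the head unit's firmware; the `<whitelist>` root element, the placeholder keyStore strings, the reading of versionCode as a "low-high" range, the `max_span` threshold and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: the <whitelist> root and the keyStore strings are
# placeholders; only the <application> layout comes from the post.
ORIGINAL = """<whitelist>
  <application>
    <property>
      <name>StockApp</name><package>com.example.stock</package>
      <versionCode>1-10</versionCode>
      <keyStoreLists><keyStore>PLACEHOLDER_SIG_A</keyStore></keyStoreLists>
    </property>
  </application>
</whitelist>"""

# The same file with an entry shaped like the post's TestApp appended.
MODIFIED = ORIGINAL.replace("</whitelist>", """  <application>
    <property>
      <name>TestApp</name><package>com.purespin.testapp</package>
      <versionCode>1-999999999</versionCode>
      <keyStoreLists><keyStore>PLACEHOLDER_SIG_B</keyStore></keyStoreLists>
    </property>
  </application>
</whitelist>""")

def load_entries(xml_text):
    """Map package name -> (versionCode string, frozenset of keyStore values)."""
    entries = {}
    for app in ET.fromstring(xml_text).iter("application"):
        prop = app.find("property")
        if prop is None:
            continue
        pkg = (prop.findtext("package") or "").strip()
        sigs = frozenset((k.text or "").strip() for k in prop.iter("keyStore"))
        entries[pkg] = ((prop.findtext("versionCode") or "").strip(), sigs)
    return entries

def audit(original_xml, current_xml, max_span=1_000_000):
    """Return sorted (package, finding) pairs relative to the baseline file."""
    base, cur = load_entries(original_xml), load_entries(current_xml)
    findings = [(pkg, "removed") for pkg in base if pkg not in cur]
    for pkg, (vrange, sigs) in cur.items():
        if pkg not in base:
            findings.append((pkg, "added"))
        elif base[pkg] != (vrange, sigs):
            findings.append((pkg, "changed"))
        # Assumed "low-high" range: flag entries that accept almost any version.
        low, _, high = vrange.partition("-")
        if low.isdigit() and high.isdigit() and int(high) - int(low) > max_span:
            findings.append((pkg, "wide versionCode range"))
    return sorted(findings)
```

Run `audit()` on the text of whitelist.xml.original and of the whitelist.xml pulled from the unit; an empty list means the two files hold the same entries.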
    7
    I think this is the breakthrough that everyone is waiting for:

    I will post all the info tonight after work :)
    7
    Wow.... really great news. But it seems really complicated. Hopefully soon there will be a much simpler way to get it done. Fingers crossed

    To you and others concerned about complexity:

    Would it be beneficial to have a script (Linux script or Windows batch file) that takes an input of APK to be installed, and the script makes the whitelist modifications accordingly and installs the desired APK? I anticipate this to be a straightforward process.

    Script inputs: IP address of device, APK to install

    Steps:
    • Connect to device over ADB
    • Check for root (can install root here if needed)
    • Create backup of current whitelist
    • Download current whitelist
    • Identify signature & permissions of APK to be installed
    • Modify whitelist appropriately
    • Copy new whitelist to device
    • Reboot device
    • Wait for device to reconnect
    • Issue install command to install new APK

    Thoughts? I may be able to work on this over the next few days to make rooting & APK installation a simpler process.

    Thanks again to purespin - really great work here.
    I think this is the breakthrough that everyone is waiting for