[GUIDE] How to gain root shell on 2016 Honda Pilot (and now install apps!!!)

Search This thread

nugzo

Senior Member
Apr 20, 2010
3,308
673
51
Fayetteville, NC.
www.capefearcomputer.com
I have a 2017 accord ex-l everything worked great except at the end once the app is uploaded it would fail to install. But the app was added to the whitelist successfully. So I just downloaded the app from the browser on the head unit then it installs just fine. I'm running Waze 3.9.9 runs great. Thinking of installing google play music this week to see how that runs at the same time with waze.

If you have Android Auto, which you should, Google play music should already be working through AA. It and Spotify work fine as long as they're installed on your phone. Havent tried Waze on my 17 Accord because i'm completely happy with Google maps through Android Auto. Cant ask for a better Navigation IMO. I also installed Kodi with the Fire TV (light) build and that works great as well. On the 17 Accord we have a little more room for installs, 1.6GB i believe according to ES file explorer. Having my Security Cameras for home and work on my HU is pretty pimp!! Next i need to install Google Calendar and see how the widgets work out!
 

KYBourbonBoy

New member
Jan 18, 2017
3
1
Android ROM Image

Either this is a really genius thought or dumb one, but here goes....

For computers, you can simply create an image of a hard drive of one computer and put the image on another computer with the exact same specs and the new hard drive works perfectly and seamlessly. IT depts do the all the time at companies.

I do not have the expertise to do so, but is it possible for someone with a 2017 Pilot or Ridgeline to COPY or create an "image" of their entire android OS of their head unit, so that us 2016 Pilot owners could take the image, install/copy onto our head units so that we can get Carplay or Android Auto working? I mean, from what I've read and kept up with on this thread over the past few several months, the hardware of the two years are IDENTICAL. It only makes logical sense that if identical, then programming functions of all of the automobile related electronics (ie. right turn camera, reverse camera, etc) would be the exact same (exception of VIN number and such) and we could copy the "new" 2017 OS to the "old" hardware since HONDA isn't offering us 2016 owners any support or upgrades.

Thoughts from those nerdier/smarter than I? This seems almost too simply.
 
Last edited:
  • Like
Reactions: beingsachinalam

bmilla

New member
Jan 27, 2017
3
0
If you have Android Auto, which you should, Google play music should already be working through AA. It and Spotify work fine as long as they're installed on your phone. Havent tried Waze on my 17 Accord because i'm completely happy with Google maps through Android Auto. Cant ask for a better Navigation IMO. I also installed Kodi with the Fire TV (light) build and that works great as well. On the 17 Accord we have a little more room for installs, 1.6GB i believe according to ES file explorer. Having my Security Cameras for home and work on my HU is pretty pimp!! Next i need to install Google Calendar and see how the widgets work out!

I have an iPhone so no google play music with CarPlay. i have all my music uploaded to Google music. and apple maps is horrible. i have waze, plex, spoitfy and Pandora installed on head unit working well.

---------- Post added at 03:28 PM ---------- Previous post was at 03:26 PM ----------

I have been installing apps for a few weeks now without issue. now all of a sudden every app fails and it looks like the issue is the upload of the new whitelist. here is my error
Backing up whitelist to /data/local/tmp/whitelist-15-02-2017--15-23-21.xml
Uploading whitelist
.\OneClickInstall.sh: [: missing `]'
Rebooting head unit
Press enter when head unit has rebooted and is connected to WiFi

i never saw the missing part show up before so i think that is were the issue is. anyone know how to fix this?
 

Travito

Senior Member
Nov 3, 2007
496
4
32
Owensboro, KY
I've had some success getting apps to install. Sygic unfortunately (my biggest want) seems to be stuck at "Detecting Country" Anyone know a fix for this?

Also does anyone know if it's possible to have these sideloaded apps connect to the net through the hondalink app? I know that the internal browser and hondalink weather and stuff can access the net without WiFi, as long as my phone with the hondalink app is connected via BT. This doesn't work for the added-in apps though.
 
  • Like
Reactions: nugzo

nugzo

Senior Member
Apr 20, 2010
3,308
673
51
Fayetteville, NC.
www.capefearcomputer.com
This thread is a big deal. Fairly new technology. Can't wait for some serious development. Google play services would be nice. Imagine exposed with viper 4 android and some serious sound quality upgrades.recovery with Custom roms..Can't wait for a successful storage option to install all the apps you want. Nova launcher...we're in there! wish @jcase had a new Honda lol.
 

jcase

Retired Forum Moderator / Senior Recognized Develo
Feb 20, 2010
6,331
15,768
Sequim WA
This thread is a big deal. Fairly new technology. Can't wait for some serious development. Google play services would be nice. Imagine exposed with viper 4 android and some serious sound quality upgrades.recovery with Custom roms..Can't wait for a successful storage option to install all the apps you want. Nova launcher...we're in there! wish @jcase had a new Honda lol.

donate one for the cause!, ive got a 16yr old that i owe a car to lol
 

mcgee235

New member
Feb 21, 2017
2
0
Thanks jersacct and purespin for this awesome hack. I was able to install Waze on my 16 Pilot last night without any issue.

During this morning commute, Waze was working great. I have both music and Waze audio alert working.

Actually, I noticed an issue with Wifi right after I have my headunit rooted. It kept connecting and disconnecting to my Wifi network (with my router at home as well as my phone wifi hotspot). When I tried to connect/reconnect, the options for available networks and wifi information on my headunit were greyed out. Is anyone facing the same issue?

Other than that, everything is great for me. I used to keep a tablet on my car for Waze, now it no longer needed.

For the next step, I'm thinking about install Tasker so that it can launch Waze automatically.
 

mcgee235

New member
Feb 21, 2017
2
0
I tried that, it was me. The swiftkey keyboard works only right after installation. It lets you select it as the default keyboard and works, but when you restart the headunit it reverts back to the original android keyboard and the swiftkey keyboard does not work. In order for the keyboard to work again you have to reinstall it and reselect it as the default keyboard. Its very annoying. If we could only set the driving distraction to off permanently then we can bypass all the restrictions.

I got the same issue. Have you figured it out yet?
 

haxy

Member
Jan 24, 2011
21
1
I enabled USB device and still can't connect with adb via USB; nmap shows the following port.

Any suggestion on how to connect adb?
Code:
nmap -sT 169.254.89.237

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-10 16:12 EST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 169.254.89.237
Host is up (0.00033s latency).
Not shown: 960 closed ports, 30 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
548/tcp   open  afp
993/tcp   open  imaps
1021/tcp  open  exp1
2049/tcp  open  nfs
8081/tcp  open  blackice-icecap
49153/tcp open  unknown
Any more progress on the civic?
 

Richiiee

Member
Dec 11, 2016
21
4
@jersacct
What are the directions to revert this exploit? Is it as simple as replacing the factory_reset script?
Only reason I'm asking is because the HU runs too darn slow for multiple apps to be running and audio issues, so this is pretty much pointless to me for now.
 

enyce9

Senior Member
Jun 26, 2008
251
39
@jersacct
What are the directions to revert this exploit? Is it as simple as replacing the factory_reset script?
Only reason I'm asking is because the HU runs too darn slow for multiple apps to be running and audio issues, so this is pretty much pointless to me for now.
Wondering the same thing....

Sent from my Nexus 6P using Tapatalk
 

TWINTRBO

Senior Member
Sep 29, 2016
82
5
@jersacct
What are the directions to revert this exploit? Is it as simple as replacing the factory_reset script?
Only reason I'm asking is because the HU runs too darn slow for multiple apps to be running and audio issues, so this is pretty much pointless to me for now.
As far as I know, it hasn't been reversed yet. I thought it was spelled out from the onset that the head unit was not a tablet, it will only run a couple of small apps and that's all. I think your hopes were a bit high for it's real world usage.
 

stilger

Senior Member
Jul 29, 2007
163
43
@jersacct
What are the directions to revert this exploit? Is it as simple as replacing the factory_reset script?
Only reason I'm asking is because the HU runs too darn slow for multiple apps to be running and audio issues, so this is pretty much pointless to me for now.

I just realized the scripts did not make a backup copy of /system/etc/factory_reset.sh. Did anyone happen to save a copy? I have a 2017 Accord. I am not sure if the script is different between cars.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 27
    Disclaimer - this is your vehicle you are messing with. If you are not comfortable with potentially permanently damaging the head unit, stop here.

    Now for the good stuff.

    Credit where credit is due: this method relies on the recent "dirtycow" exploit. I used the POC Android exploit code located here:
    https://github.com/timwr/CVE-2016-5195

    This exploit in simple terms takes advantage of a Linux kernel bug that allows a (small) file to be "overwritten", when a user only has read access to that file. It doesn't actually modify filesystem contents, but any application that reads the file after the exploit is used will read the "new", post-exploit contents instead of the original.

    The scripts attached use the dirtycow binary to overwrite the "/system/etc/factory_reset.sh" shell script with a nefarious version. This script is executed when you perform a factory reset operation through the settings menu, and gets executed as the root user :).

    The nefarious script is quite simple - it just calls another script that is uploaded and performs a reboot. The second script mounts the /system partition as R/W, then copies over an su binary and sets appropriate permissions, then syncs and mounts read only again.

    Please note that the attached "rootme.sh" script is intended to be run from a Linux machine - if I get the time (or enough donations), or if someone else cares to, it can be ported over to a Windows batch file easily enough.
    Updated the attached zip to include a Windows batch file.

    Steps:
    1. Download the attached zip file
    2. Extract to a machine capable of connecting to your Pilot over ADB
    3. Modify "rootme.sh" (*nix) or "rootme.bat" (Windows) to use the correct IP
      - Change the "172.16.1.217" lines to reflect the correct IP for your Pilot
    4. Execute "rootme.sh" (*nix) or "rootme.bat"
      - ./rootme.sh should do it for *nix
      - for Windows, open a command prompt, navigate to "rootme.bat" location and type "rootme.bat"
      - Watch output for completion
    5. Perform factory reset operation
      - Note - should the exploit function correctly, this step should NOT perform any factory reset operations. However, you should fully expect everything to be reset if the exploit failed or some other problem occurred when attempting to use a nefarious factory_reset.sh script.

    After the Pilot reboots, you should be able to get a shell over ADB as normal, except now issuing an "su" command will drop you to root!

    Update - thanks to purespin figuring out the signature mechanisms, we can now install apps! I've attached OneClick.zip, which contains a series of scripts to automate the rooting & app installation process.

    That said, be careful, use these at your own risk, etc.

    Extract zip file to some folder then open up a command prompt in that folder. Also drop the APKs you wish to install to that folder.

    Type OnceClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]

    The script will root your device if it's not already, then go ahead and perform steps necessary to install the APK (one reboot required if already rooted).

    This basically performs the steps described in purespin's post to get a signature of the APK, download and modify the whitelist XML file, upload it back, reboot, then install the APK.

    There's one prompt in the script that asks you too look things over - pay attention here, if any issues crop up at this point damage can be avoided, continuing in a bad state will have undefined results.

    Updated the scripts to back up the white list on each run to /data/local/tmp/whitelist-(timestamp).xml.
    Updated to handle APKs with more than one signature.

    Edit: As suggested by wpg_moe, a Git Hub project has been set up here:
    https://github.com/jersacct/2016PilotOneClick.git
    Changes & suggestions are encouraged and welcomed, but this is a part time hobby project for me, so expect movement to be "lumpy", as I'm mostly only able to work on this during the weekends.
    23
    I'm a huge tech fan, but no formal training. I read through the thread start to finish so I could attempt to execute this hack on my 2016 Pilot EX-L. With plenty of re-reading along with lots of googling, I was able to gain root access on my Pilot, along with adding the Waze App. Much thanks to all contributors, especially jersacct and purespin who really got this thing going.

    To reciprocate, I decided to create an incredibly dumbed down tutorial on how to get this going. Hopefully this can eliminate some of the burden on fellow forum members to answering the same questions over and over. Since this tutorial is done by a hobbyist and not a professional, it may resonate a bit more with some less tech-savvy people. All of the ADB, JRE, APK lingo can get a bit confusing. But once you understand the basics of what’s going on, the all-in-one script has made this a piece of cake. After creating and reading through the tutorial, I realize I probably went overboard with how much I broke things down, especially considering we're on the xda-developers forums. Either way, maybe it can help a few forum members, along with possibly guiding less tech savvy in future google searches in the future.

    ---------- Post added at 07:39 AM ---------- Previous post was at 07:34 AM ----------

    Super Comprehensive Guide to Hacking your Honda

    (Pilot 2016 EX-L for me)​

    Download OneClick .zip file from page one of this thread. Here is a direct link. We’ll get to this later.
    https://forum.xda-developers.com/attachment.php?attachmentid=3950352&d=1480262045

    Download ADB Installer v1.4.3. Here is a download link. We'll also get to this later:
    http://www.mediafire.com/file/mjjyw6a27m2l1ma/15-Second-ADB-Installer-v1.4.3.zip

    In my case, I already had Java SE Runtime environment installed, so I did not have to do this step. But I assume it's straight forward. Here is a link to Oracle’s page. Choose your OS, download, and install.
    http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

    Your two previous downloads from steps 1 & 2 should be sitting in your downloads folder. We’ll start with the ADB installer. Extract the files to a new folder:

    3d9f2c8b848042ffafcd80d6f51bfc49.png


    After extracting, click through the folders until you get to the application. Install the application by right clicking and running as administrator:

    b2ac6dd5ce624a8a82fd7203447c883a.png


    I can't say with certainty that selecting yes is necessary for all questions, but it will certainly do no harm. Type y for all 3 questions. Allow the driver to be installed and you should be good to go:

    059c226879734e6db9474ca149e574c6.png


    Next, for simplicity purposes, create a folder in your root directory called "hondahack". For people that tend to not pay attention to detail, while it might seem silly to do everything exactly as presented here, it will likely help prevent a minor oversight that could derail the entire project later. Right mouse click and select "new folder". Type in "hondahack". The folder's location will be C:\hondahack

    9678af5e15754e029da59d58e0145d2b.png


    I don't know if this next step is necessary, especially after selecting "y" for "Install ADB system-wide". Either way, stay at root directory. This is where adb was installed. My location for adb is C:\adb as seen below:

    4bc79fc32997499a8ec31a0175b57814.png


    Copy the top two files. adb and AdbWinApi.dll and move them to your new hondahack folder. Also, copy the zip from step #1. This is the One Click script located in your downloads directory. Place it into the hondahack folder. Then, right mouse click on the zip file and select, extract here. You should be left with your hondahack folder looking like this:

    d38eaecd2a4e496e9e61b90c482a4d2c.png


    Cut the two files from before, adb and AdbWinApi.dll and move them into the OneClick folder. Your folder should look like below. In a Windows instance with drive letter C, your working path for this project would be C:\hondahack\OneClick

    2a573513225d4e3a8119e2ec90ed337b.png


    Next, we're going to download an APK to use in the script. I simply googled "Waze 3.9.9.0 APK" since that was the version I wanted. Many options came up. This one below works fine:
    https://www.apk20.com/apk/100989/vstart

    Download this file to your working path. Again, in our case, this is the C:\hondahack\OneClick folder. Give it the simple title of waze and save as a .apk file. Don't forget, if it's already showing file type as .apk, do not type in "waze.apk". This will create waze.apk.apk as the filename. If you had "Save as type" set to "All Files", then you would call it "waze.apk". Otherwise, as in the image shown here, call it "waze":

    683fe749810f420ea1630ab0a8f843ae.png


    ---------- Post added at 07:46 AM ---------- Previous post was at 07:39 AM ----------

    Time to head to your vehicle. Here is a screencap of a random youtube video so you can see the screen where you'll be modifying your connection from the Settings > Bluetooth/Wi-Fi tabs section:

    983cf1c576154a9989d831d8e7ebd9e5.png


    First, make sure Wi-Fi On/Off Status is set to on. Then, go to the Wi-Fi network list, and get your vehicle online. Make sure it's on the same local network as your PC. Once connected, check the IP address of your Pilot by going to Settings > Bluetooth/Wi-Fi Settings > Wi-Fi Information. Write this address down and head back to your PC. For our case, we'll say it's 192.168.1.200.

    It is important that you make sure that the IP address of the computer which you're executing the script from is on the same subnet as your vehicle. For instance, if your computer's local IP address is 192.168.1.172, then your vehicle must start the same way, with 192.168.1.#. The simplest way to ensure this is to have them both connected to the same router.

    To verify, you'll go to the command prompt and type in ipconfig. Click the windows icon and type cmd. Then type, ipconfig and hit enter. You'll be looking at the information on whichever adapter is currently in use. In my case, I'm hardwired so it's the ethernet adapter. I've highlighted my IP address in red.

    5df2371a39aa4be0ac897a693bb62c2e.png


    In this case, the vehicle and the computer are on the same subnet. They both start with 192.168.1. We're good to go, and now over 90% done! From here, it's mostly crossing fingers and hoping things go according to plan.

    Head back to the command prompt and bring yourself to the C:\hondahack\OneClick directory. To do this, type
    Code:
    cd c:\hondahack\OneClick
    Now, you'll be executing the script. This specific script is broken down into three parts. Batch File Name > IP Address to pass to script > APK to pass to script. For additional applications, all you'll need to do is download the proper APK file, locate it to your C:\hondahack\OneClick directory. In our case, we're going to type
    Code:
    OneClickInstall.bat 192.168.1.200 waze.apk

    20eb6e3a960941b994ef3249479817e7.png


    Since I have already done this, the below will show something similar to what the output of that command will be:

    Code:
    Usage: ./OneClickInstall.sh ipaddress My.apk
    Example: ./OneClickInstall.sh 192.168.1.200 waze.apk
    Disconnecting other adb devices\n
    
    Connecting to 192.168.1.200\n
    connected to 192.168.1.200:5555
    Checking for root...
    Rooted successfully!
    Already rooted!
    Okay, getting signature of Waze.apk
    Signature: 30820314308202d2a003020102020449806de1300b06072a86 48ce3804030500306c310f300d060355040613064973726165 6c310f300d0603550408130649737261656c3110300e060355 040713075261616e616e61310d300b060355040a130457617a 65310d300b060355040b130457617a65311830160603550403 130f416c657820416772616e6f766963683020170d30393031 32383134333832355a180f3230363331313031313433383235 5a306c310f300d0603550406130649737261656c310f300d06 03550408130649737261656c3110300e060355040713075261 616e616e61310d300b060355040a130457617a65310d300b06 0355040b130457617a65311830160603550403130f416c6578 20416772616e6f76696368308201b83082012c06072a8648ce 3804013082011f02818100fd7f53811d75122952df4a9c2eec e4e7f611b7523cef4400c31e3f80b6512669455d402251fb59 3d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b7 6b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7 c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae 2b61d72aeff22203199dd14801c70215009760508f15230bcc b292b982a2eb840bf0581cf502818100f7e1a085d69b3ddecb bcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159 578ebad4594fe67107108180b449167123e84c281613b7cf09 328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f 0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15a e59f06928b665e807b552564014c3bfecf492a038185000281 8100ce11f6d402adf4a6aceaf6fe81219ed28299e37ffdca84 6241e7d21e5bf35c8938ee20ce6ade9907c38f12556d574135 ebb36a567c7cb001d75d3952bcca616f4ad232563e407706c9 5bc47f2ed115052d5389eb84799956e5aa4481be2312d347c6 20029b2b8903b5553849111da92372cd50e2f9a7c156d5d10f 3d83bbaf03300b06072a8648ce3804030500032f00302c0214 46d982e8f1ea835d06f44934bf60241e5f8be5c402147d372a f681491f354f34c4ab1a6f30475e69767e
    Getting package information
    Package name: com.waze
    Retrieving current whitelist...
    Preparing replacement whitelist
    Okay - all set to replace the whitelist. Below are the final steps:
    1. Backup existing whitelist to /data/local/tmp/
    2. Upload whitelist to head unit
    3. Reboot head unit
    4. Install APK normally
    
    Please review the below items carefully - if anything doesn't look right, ABORT NOW!\n
    Root status: rooted
    APK signature obtained
    Have package name: com.waze
    Original whitelist.xml size seems okay
    Package name is present in new whitelist
    
    Would you like to proceed? (y/n):


    ---------- Post added at 07:52 AM ---------- Previous post was at 07:51 AM ----------

    At this point, review the above carefully. If it says you're rooted, the APK signature has been obtained, the whitelist.xml file is okay, and the package name is present in the new whitelist xml file, then you're good to proceed. If these results are not the same as above, select n and head to the forums with your question. If you've followed these directions exactly as presented, more than likely you won't face any issues.

    If you select "y" you will see the following:

    Code:
    Backing up whitelist to /data/local/tmp/whitelist-13-12-2016--21-03-02.xml
    Uploading whitelist
    106 KB/s (35666 bytes in 0.328s)
    Rebooting head unit
    Press enter when head unit has rebooted and is connected to WiFi

    Head to your vehicle. Make sure it restarted and is connceted to Wi-Fi. If so, head back to the computer and hit enter This part may take a few minutes depending on the APK size and your connection speed. You will see the following:

    Code:
    Issuing APK installation command - this may take a while depending on APK size
    connected to 192.168.1.208:5555
    252 KB/s (49700115 bytes in 191.852s)
    pkg: /data/local/tmp/Waze.apk
    Success!
    All done - hope you enjoy!

    If you see "Success!", you're good! On your vehicle head unit, go to the home screen, hit the 6 dots at the bottom right, and you should see the little Waze icon. Tap and you're off! Don't forget, you will need to use your phone as a mobile hotspot to provide data while on the go.

    If you see a failure, head back to the forums to see if you can figure where you may have went wrong.

    *****
    Here is TLDR version of this tutorial:

    1. Download the script, an ADB installer, JRE, and whatever APKs you want to add to your Honda.
    2. Have a single folder with the all in one script, ADB files, and APKs.
    3. Run the .bat file from the script at the terminal with the IP of your Honda & the APK of choice as the two parameters. C:\ [.bat file][ip address][apk]
    4. Cross your fingers :)
    *****


    This tutorial goes into great detail for the installation process, but I will leave any tweaks to the pros. I have yet to encounter (likely to limited use) any of these issues, but many have reported some audio issues with Waze, whether it be too quiet, or improper transitioning from music to notifications. This tutorial does not address these issues. From my understanding, there does not seem to be a consensus on why these problem exist or how to replicate these problems. Until there is a solution, they won't be addressed in this tutorial.

    Hopefully this was helpful. Feel free to chime in with any corrections or comments.
    8
    Sorry for the delay as I have something to attend after works :)

    First thing first: this totally depends on the root method provided by jersacct in this thread. All the credit to him and others who has helped during the adventure.

    Technical details about how to make installation works:
    As we all know that ApplistUpdate.apk contains whitelist zip and will install the whitelist.xml in /data/system/ folder. But changing that file didn't seem have any impact, as several of us tried it before. I have searched the whole file system trying to find the files that might be used to control the installation but to no avail.

    So I decided to decompile some of the apks and frameworks. The process is quite tedious as the decompilation was not always working, especially for the frameworks. I have tried a few tools but still not 100% working. But luckily I just got enough decompiled code to analyze the logic of whitelisting. After studying the code, here are some findings:

    • The "whitelist" system service (in /system/framework/framework.jar/odex) provides the service for other apps to check "whitelist" functionality. It doesn't do much itself except forwarding the call to WhiteListManager.
    • The WhiteListManager provides the core functions related to apps installation/permissions and is in /system/framework/services.jar/odex. It loads /system/data/whitelist.xml file during system boot-up. It has the following functions:
      • checkInstallPermission()
      • checkAddinApplication()
      • getRegulationMode()
      • checkAudioFlag()
      • getAudioStreamType()
      • checkRevertFlag()
    [highlight]The function checkInstallPermission() is called when app is installed. For 3rd party apps, it will compare the apk signatures to the keyStore values loaded from whitelist.xml.[/highlight]
    After lots of tries, I finally managed to create the correct signatures for my test app and I was able to get the "Install" button enabled for my test app!!!
    Here are the lines added to whitelist.xml for my test app:
    Code:
            <application>
                <property>
                    <name>TestApp</name>
                    <package>com.purespin.testapp</package>
                    <versionCode>1-999999999</versionCode>
                    <keyStoreLists>
                        <keyStore>308201e53082014ea003020102020454d05fc1300d06092a864886f70d01010505003037310b30090603550406130255533110300e060355040a1307416e64726f6964311630140603550403130d416e64726f6964204465627567301e170d3135303230333035343232355a170d3435303132363035343232355a3037310b30090603550406130255533110300e060355040a1307416e64726f6964311630140603550403130d416e64726f696420446562756730819f300d06092a864886f70d010101050003818d00308189028181009c29ce69a49970e1c26f36c5cbd4051f384b07701e481bcd5563aa5f9952f9ac26aecdee8807de4202ea7cd94a6088d96ef6133d927375759d983777a6f655d08a1e055ce44413dd751a04a407b4773f904abf268faea3ba3de6ae8714c71620dd641d5cbd2deff2e8826aab1f62e3a62e7838a988548d2f76b5e59a35bc9d7d0203010001300d06092a864886f70d0101050500038181004822e80b27a715cd17ee08fa13592e7c18dde93443c1a26d04c80dcbd908e69f2d846a37e397246a64430d858b602a7e7befd77451e7e159de07225d5585e470680acbea0791970bc85f537f7034a5b37ef8fa9f555938d79748fe479c535c9a21cabe3979df15a6ac4428055ae1ad309f5106770223514f2c434447d62c37ca</keyStore>
                    </keyStoreLists>
                </property>
                <controlData>
                    <withAudio>without</withAudio>
                    <audioStreamType>null</audioStreamType>
                    <regulation>null</regulation>
                    <revert>no</revert>
                </controlData>
            </application>
    The rest are pretty straightforward, just get the signatures for any app you want install and add it to the whitelist.xml, upload it to HU, reboot and it can be installed.

    What have been tested?
    I tried some apps and they all can be installed and launched:
    • Waze (3.9.9) is running perfectly within 5km test drive without data. I have launched it for a few minutes before going out. So it probably downloaded some maps to cache while still connecting to home wifi.
    • HERE/Sygic can be installed and launched but having some problems. The settings page is blank in HERE so I can't choose external USB as the storage. Sygic asked to download maps after launch. So I just uninstalled these 2.
    • Spotify is running fine too. But there is no setting to choose external USB as the offline storage (the same version on my phone does have the setting option).
    • Kodi is working great. I can even playback video while driving. I know this is illegal but hey! I just want to have some fun :). I think this can be disabled by the restrictions settings in the whitelist.xml.
    Now the biggest challenge is the storage space. Part of the internal storage is mounted as /sdcard and all the USB ports are mounted as /mnt/usb?. So far all the apps cannot use the USB drives (ES File Explorer can read/write to USB but all the other apps can't recognize the USB as a valid external storage). After installing a few apps, I got warning saying "not enough storage". That's why I had to uninstall HERE/Sygic and didn't play with it much.
    I think the whole process to get the signature from apk, update whitelist.xml and upload it to HU can be automated by writing a simple app, just like what S_Mike did for the EU versions. But given the limited internal storage space, it is low priority now.

    Note that all the apps are installed under /data/app/ folder, not under /system/app/ folder. But to my surprise, the installed apps have all the "root" privilege. For example, ES File Explorer can open /data/system/whitelist.xml, which is only rw by the root user. It can even edit and write to the file!!! [highlight](I guess one has to be very careful when someone just play around! They can easily brick the HU!!!)[/highlight]

    Quick Test
    Sorry for the long story. For someone just need a quick test, you can download the attached whitelist.xml and follow these steps (You should compare the content of it with the original one in your HU to see the differences):
    Steps:
    1. Root your HU by following the instruction in the original post in this thread.
    2. adb push whitelist.xml /data/local/tmp/
    3. adb shell
    4. su
    5. cd /data/system
    6. cp whitelist.xml whitelist.xml.original
    7. cp /data/local/tmp/whitelist.xml .
    8. reboot
    After reboot, insert a USB with the following apks and try the "USB install" app to install:
    • com.purespin.testapp
    • com.waze
    • com.spotify.music
    • org.xbmc.kodi
    • com.estrongs.android.pop
    • com.sygic.aura
    • com.here.app.maps
    • com.tinusapps.gpsspeedo
    • oops.ledspeedometer
    • com.eclipsim.gpsstatus2
    • com.rechild.advancedtaskkiller

    For other apps
    Download the attached GetAndroidSig.jar file and run it against the apk you want to install:
    Code:
    java -jar GetAndroidSig.jar abc.apk
    it will print out the signatures for the apk. Add them to the whitelist.xml together with app name and package name. See the attached whitelist.xml for examples. If there are more then 1 signatures, you need to add them all. Check the HERE WeGo example in the xml file.

    That's all the info I have now. Let me know if you run into any issue or have any question.

    Warnings: I'm not responsible for any damage of your head unit. Use it for your own risk.
    7
    I think this is the breakthrough that everyone is waiting for:

    I will post all the info tonight after work :)
    7
    Wow.... really great news. But seems like really complicated. Hopefully soon there will be a much more simple way to get it done. Fingers crossed

    To you and others concerned about complexity:

    Would it be beneficial to have a script (Linux script or Windows batch file) that takes an input of APK to be installed, and the script makes the whitelist modifications accordingly and installs the desired APK? I anticipate this to be a straightforward process.

    Script inputs: IP address of device, APK to install

    Steps:
    • Connect to device over ADB
    • Check for root (can install root here if needed)
    • Create backup of current whitelist
    • Download current whitelist
    • Identify signature & permissions of APK to be installed
    • Modify whitelist appropriately
    • Copy new whitelist to device
    • Reboot device
    • Wait for device to reconnect
    • Issue install command to install new APK

    Thoughts? I may be able to work on this over the next few days to make rooting & APK installation a simpler process.

    Thanks again to purespin - really great work here.
    I think this is the breakthrough that everyone is waiting for
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone