[GUIDE] How to gain root shell on 2016 Honda Pilot (and now install apps!!!)

Search This thread

Ludeape

Senior Member
Jul 2, 2015
517
124
fyi.. HereWego maps is way better that Sygic.. we just need codeage to support the voice volume, and direction notification on the cluster.
If everyone offered a donation to him, maybe he would be so kind to work on it :)
 

manu_b

Member
Jul 9, 2009
7
2
Hello all, I am trying to install sygic via autohack. It seem to not detect downloaded maps. I can see the maps downloaded successfully.
Also has someone been able to extract garmin app from navigation unit? I am just looking for the compass in the imid screen.
 

21Questions

New member
Oct 26, 2012
2
0
dumb question, any possible way to root in the newer firmware in a 2020 honda pilot to a 2016 honda pilot head unit? is there a way to copy a stock rom or anything like that?
 
Hi, I was reading the script and i saw in nefarious.sh the line :
Code:
cp /data/local/tmp/rootme/eu.chainfire.supersu_v2.78-278_Android-2.1.apk /system/app/ >> /data/local/tmp/rootme/root-log.txt 2>&1
I didn't get where the supersu file comes from :D
Do i have to download it separately?
thanks in advance, @jersacct and everyone who will answer me.
PS. I'll write a guide for 2012-2016 pilots rooting since i was a little confused in the beginning :D, you can repost it to be clearer or add it in the Github Project.
 

stacypoulin

New member
Jan 17, 2009
3
0
Hello developers,

I seem to screwed up my radio (Head unit) while trying to install the apk files and or while trying to install Honda hack. My head unit is blank, only the reverse camera and right turn screen works. It won’t restart. I have the impression I might need to go to the dealer and have them re-program the radio/head unit. Any suggestions of does anyone has the OEM software and reinstall procedures by any chance?

Thanks,

An old fart trying hard to stay in the game
 

manu_b

Member
Jul 9, 2009
7
2
Hello developers,

I seem to screwed up my radio (Head unit) while trying to install the apk files and or while trying to install Honda hack. My head unit is blank, only the reverse camera and right turn screen works. It won’t restart. I have the impression I might need to go to the dealer and have them re-program the radio/head unit. Any suggestions of does anyone has the OEM software and reinstall procedures by any chance?

Thanks,

An old fart trying hard to stay in the game
Nothing worked when I ended up with same situation( blank after boot Honda logo). In my case it happened when I was installing busy box. The problem is that your unit is stuck even before the USB gets power, so nothing will work. Your best solution is Ebay and get a used stereo. Save some dollars if you can find one with scratches as your original faceplate with LCD can be transferred on the ebay unit. Honda wanted $3300 CAD for the unit but I got one from eBay for $400. T
If you find a solution then let me know as well, I will fix the broken unit.
 

stacypoulin

New member
Jan 17, 2009
3
0
Nothing worked when I ended up with same situation( blank after boot Honda logo). In my case it happened when I was installing busy box. The problem is that your unit is stuck even before the USB gets power, so nothing will work. Your best solution is Ebay and get a used stereo. Save some dollars if you can find one with scratches as your original faceplate with LCD can be transferred on the ebay unit. Honda wanted $3300 CAD for the unit but I got one from eBay for $400. T
If you find a solution then let me know as well, I will fix the broken unit.
 

ThaNatrix

Member
Apr 9, 2010
5
0
Nashville
How is it there hasn't been any response about a way to acquire the Rom File from the 2017 or 2018 Pilot Infotainment units to hard load onto the 2016 systems? I've looked and looked for files to do it but can't find them, but I"m sure someone with some more know how than myself can hunt them down. If this were possible it would make about 246 pages on piloteers.org irrelevant and make 1000s of people (including myself) ridiculously joyful.
 

horse23

New member
Mar 20, 2021
2
0
Nothing worked when I ended up with same situation( blank after boot Honda logo). In my case it happened when I was installing busy box. The problem is that your unit is stuck even before the USB gets power, so nothing will work. Your best solution is Ebay and get a used stereo. Save some dollars if you can find one with scratches as your original faceplate with LCD can be transferred on the ebay unit. Honda wanted $3300 CAD for the unit but I got one from eBay for $400. T
If you find a solution then let me know as well, I will fix the broken unit.
Does it still hold true that there is no way to fix this through the dealer?
 

cebailey

New member
Sep 12, 2006
2
0
I'm trying to get this working on a 2020 Ridgeline. I wrote up an explanation in the Civic thread:


TLDR: Has anyone gotten a 2019 or 2020 Ridgeline into USB Device Mode somehow?
 

Orsmo

New member
Mar 24, 2022
1
0
So, I recognize this thread is quite old, but not so old that the life of my Pilot has come to an end. With luck some of the knowledgable folks from this thread's early days will see this and respond.

Several years back I found this thread and eventually used HondaHack as a convenient way to get the features it offered and install apps rather than having to go through the gyrations required manually. I knew enough that I'd rooted my head unit manually, but it seemed an easier way to go at the time. I purchased a CarlinKit unit so I could get wireless CarPlay and I was reasonably happy, but it wasn't particularly stable, so eventually I just gave up and went back to wired.

Recently I revived my interest in trying to get wireless CarPlay working and came to the conclusion that updating autokit.apk would need to be the first step toward stability, along with updating the firmware on the dongle itself. AutoKit has a built-in facility for checking its own version and the firmware of the dongle against the latest available and then updating either or both. Unfortunately, the new version of the APK requires additional permissions and I discovered that the "Install" button was greyed-out during the upgrade of the APK. The firmware on the dongle itself updated easily enough however.

I knew that HondaHack had a list of downloadable apps and that AutoKit was on it though. Sure enough, the version available to be downloaded through HondaHack was newer than the one I had, so I gave it a go. It installed just fine, but didn't bring the hoped-for stability. It was not even close to the latest available from the manufacturer though. So I set out on a mission to get the lastest version installed.

To that end, I tracked down this thread again, reread it all and downloaded the OneClickInstall package. It took a little effort to get my environment set up for both adb and aapt to be available (since they moved where aapt gets installed on my Mac) and in my path so the script could run semi-successfully. I did still get some errors along the way, but when I ran the commands in the script manually I was able to successfully pull the whitelist, update it with the signature and package name of the APK and push it back to the device (including copying it into place and using su to make the required changes actually work). I even verified that post-reboot the version of the whitelist in the system folder had the changes required.

But then I tried to use adb to install the APK. It slowly transferred the application and then tried to install it only to bomb out with an error of INSTALL_FAILED_INTERNAL_ERROR. So I tried putting the file on a USB stick and then installing it with the USB Installer... No dice, that wants permissions approval. OK, how about installing it with HondaHack from USB? Nope. The forced install tries to work but then fails with the same INSTALL_FAILED_INTERNAL_ERROR.

I'm at a bit of a loss as to what to try next. My understanding is that the original HondaHack developer hasn't really been answering folks based on comments in this thread. It seems unlikely that he's going to update the APK available for download through HondaHack, but maybe that's worth pursuing. I'm perfectly happy to just fix it myself manually, but I don't understand the failure here. Any advice on what to try next?
 

tribuno80

New member
May 28, 2022
1
0
So, I recognize this thread is quite old, but not so old that the life of my Pilot has come to an end. With luck some of the knowledgable folks from this thread's early days will see this and respond.

Several years back I found this thread and eventually used HondaHack as a convenient way to get the features it offered and install apps rather than having to go through the gyrations required manually. I knew enough that I'd rooted my head unit manually, but it seemed an easier way to go at the time. I purchased a CarlinKit unit so I could get wireless CarPlay and I was reasonably happy, but it wasn't particularly stable, so eventually I just gave up and went back to wired.

Recently I revived my interest in trying to get wireless CarPlay working and came to the conclusion that updating autokit.apk would need to be the first step toward stability, along with updating the firmware on the dongle itself. AutoKit has a built-in facility for checking its own version and the firmware of the dongle against the latest available and then updating either or both. Unfortunately, the new version of the APK requires additional permissions and I discovered that the "Install" button was greyed-out during the upgrade of the APK. The firmware on the dongle itself updated easily enough however.

I knew that HondaHack had a list of downloadable apps and that AutoKit was on it though. Sure enough, the version available to be downloaded through HondaHack was newer than the one I had, so I gave it a go. It installed just fine, but didn't bring the hoped-for stability. It was not even close to the latest available from the manufacturer though. So I set out on a mission to get the lastest version installed.

To that end, I tracked down this thread again, reread it all and downloaded the OneClickInstall package. It took a little effort to get my environment set up for both adb and aapt to be available (since they moved where aapt gets installed on my Mac) and in my path so the script could run semi-successfully. I did still get some errors along the way, but when I ran the commands in the script manually I was able to successfully pull the whitelist, update it with the signature and package name of the APK and push it back to the device (including copying it into place and using su to make the required changes actually work). I even verified that post-reboot the version of the whitelist in the system folder had the changes required.

But then I tried to use adb to install the APK. It slowly transferred the application and then tried to install it only to bomb out with an error of INSTALL_FAILED_INTERNAL_ERROR. So I tried putting the file on a USB stick and then installing it with the USB Installer... No dice, that wants permissions approval. OK, how about installing it with HondaHack from USB? Nope. The forced install tries to work but then fails with the same INSTALL_FAILED_INTERNAL_ERROR.

I'm at a bit of a loss as to what to try next. My understanding is that the original HondaHack developer hasn't really been answering folks based on comments in this thread. It seems unlikely that he's going to update the APK available for download through HondaHack, but maybe that's worth pursuing. I'm perfectly happy to just fix it myself manually, but I don't understand the failure here. Any advice on what to try next?
Any news with the root?
 

zaooza

Member
Mar 27, 2011
9
0
Does anybody know how to enter "USB role settings" on 2018 Pilot HU? I hold "Home" button being in dev menu (serial, fan settings, etc), but nothing happens. Other buttons and their combinations don't work either. I want to change usb role from Host to device to be able to run HondaHack tool or enter adb.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 27
    Disclaimer - this is your vehicle you are messing with. If you are not comfortable with potentially permanently damaging the head unit, stop here.

    Now for the good stuff.

    Credit where credit is due: this method relies on the recent "dirtycow" exploit. I used the POC Android exploit code located here:
    https://github.com/timwr/CVE-2016-5195

    This exploit in simple terms takes advantage of a Linux kernel bug that allows a (small) file to be "overwritten", when a user only has read access to that file. It doesn't actually modify filesystem contents, but any application that reads the file after the exploit is used will read the "new", post-exploit contents instead of the original.

    The scripts attached use the dirtycow binary to overwrite the "/system/etc/factory_reset.sh" shell script with a nefarious version. This script is executed when you perform a factory reset operation through the settings menu, and gets executed as the root user :).

    The nefarious script is quite simple - it just calls another script that is uploaded and performs a reboot. The second script mounts the /system partition as R/W, then copies over an su binary and sets appropriate permissions, then syncs and mounts read only again.

    Please note that the attached "rootme.sh" script is intended to be run from a Linux machine - if I get the time (or enough donations), or if someone else cares to, it can be ported over to a Windows batch file easily enough.
    Updated the attached zip to include a Windows batch file.

    Steps:
    1. Download the attached zip file
    2. Extract to a machine capable of connecting to your Pilot over ADB
    3. Modify "rootme.sh" (*nix) or "rootme.bat" (Windows) to use the correct IP
      - Change the "172.16.1.217" lines to reflect the correct IP for your Pilot
    4. Execute "rootme.sh" (*nix) or "rootme.bat"
      - ./rootme.sh should do it for *nix
      - for Windows, open a command prompt, navigate to "rootme.bat" location and type "rootme.bat"
      - Watch output for completion
    5. Perform factory reset operation
      - Note - should the exploit function correctly, this step should NOT perform any factory reset operations. However, you should fully expect everything to be reset if the exploit failed or some other problem occurred when attempting to use a nefarious factory_reset.sh script.

    After the Pilot reboots, you should be able to get a shell over ADB as normal, except now issuing an "su" command will drop you to root!

    Update - thanks to purespin figuring out the signature mechanisms, we can now install apps! I've attached OneClick.zip, which contains a series of scripts to automate the rooting & app installation process.

    That said, be careful, use these at your own risk, etc.

    Extract zip file to some folder then open up a command prompt in that folder. Also drop the APKs you wish to install to that folder.

    Type OnceClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]

    The script will root your device if it's not already, then go ahead and perform steps necessary to install the APK (one reboot required if already rooted).

    This basically performs the steps described in purespin's post to get a signature of the APK, download and modify the whitelist XML file, upload it back, reboot, then install the APK.

    There's one prompt in the script that asks you too look things over - pay attention here, if any issues crop up at this point damage can be avoided, continuing in a bad state will have undefined results.

    Updated the scripts to back up the white list on each run to /data/local/tmp/whitelist-(timestamp).xml.
    Updated to handle APKs with more than one signature.

    Edit: As suggested by wpg_moe, a Git Hub project has been set up here:
    https://github.com/jersacct/2016PilotOneClick.git
    Changes & suggestions are encouraged and welcomed, but this is a part time hobby project for me, so expect movement to be "lumpy", as I'm mostly only able to work on this during the weekends.
    23
    I'm a huge tech fan, but no formal training. I read through the thread start to finish so I could attempt to execute this hack on my 2016 Pilot EX-L. With plenty of re-reading along with lots of googling, I was able to gain root access on my Pilot, along with adding the Waze App. Much thanks to all contributors, especially jersacct and purespin who really got this thing going.

    To reciprocate, I decided to create an incredibly dumbed down tutorial on how to get this going. Hopefully this can eliminate some of the burden on fellow forum members to answering the same questions over and over. Since this tutorial is done by a hobbyist and not a professional, it may resonate a bit more with some less tech-savvy people. All of the ADB, JRE, APK lingo can get a bit confusing. But once you understand the basics of what’s going on, the all-in-one script has made this a piece of cake. After creating and reading through the tutorial, I realize I probably went overboard with how much I broke things down, especially considering we're on the xda-developers forums. Either way, maybe it can help a few forum members, along with possibly guiding less tech savvy in future google searches in the future.

    ---------- Post added at 07:39 AM ---------- Previous post was at 07:34 AM ----------

    Super Comprehensive Guide to Hacking your Honda

    (Pilot 2016 EX-L for me)​

    Download OneClick .zip file from page one of this thread. Here is a direct link. We’ll get to this later.
    https://forum.xda-developers.com/attachment.php?attachmentid=3950352&d=1480262045

    Download ADB Installer v1.4.3. Here is a download link. We'll also get to this later:
    http://www.mediafire.com/file/mjjyw6a27m2l1ma/15-Second-ADB-Installer-v1.4.3.zip

    In my case, I already had Java SE Runtime environment installed, so I did not have to do this step. But I assume it's straight forward. Here is a link to Oracle’s page. Choose your OS, download, and install.
    http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

    Your two previous downloads from steps 1 & 2 should be sitting in your downloads folder. We’ll start with the ADB installer. Extract the files to a new folder:

    3d9f2c8b848042ffafcd80d6f51bfc49.png


    After extracting, click through the folders until you get to the application. Install the application by right clicking and running as administrator:

    b2ac6dd5ce624a8a82fd7203447c883a.png


    I can't say with certainty that selecting yes is necessary for all questions, but it will certainly do no harm. Type y for all 3 questions. Allow the driver to be installed and you should be good to go:

    059c226879734e6db9474ca149e574c6.png


    Next, for simplicity purposes, create a folder in your root directory called "hondahack". For people that tend to not pay attention to detail, while it might seem silly to do everything exactly as presented here, it will likely help prevent a minor oversight that could derail the entire project later. Right mouse click and select "new folder". Type in "hondahack". The folder's location will be C:\hondahack

    9678af5e15754e029da59d58e0145d2b.png


    I don't know if this next step is necessary, especially after selecting "y" for "Install ADB system-wide". Either way, stay at root directory. This is where adb was installed. My location for adb is C:\adb as seen below:

    4bc79fc32997499a8ec31a0175b57814.png


    Copy the top two files. adb and AdbWinApi.dll and move them to your new hondahack folder. Also, copy the zip from step #1. This is the One Click script located in your downloads directory. Place it into the hondahack folder. Then, right mouse click on the zip file and select, extract here. You should be left with your hondahack folder looking like this:

    d38eaecd2a4e496e9e61b90c482a4d2c.png


    Cut the two files from before, adb and AdbWinApi.dll and move them into the OneClick folder. Your folder should look like below. In a Windows instance with drive letter C, your working path for this project would be C:\hondahack\OneClick

    2a573513225d4e3a8119e2ec90ed337b.png


    Next, we're going to download an APK to use in the script. I simply googled "Waze 3.9.9.0 APK" since that was the version I wanted. Many options came up. This one below works fine:
    https://www.apk20.com/apk/100989/vstart

    Download this file to your working path. Again, in our case, this is the C:\hondahack\OneClick folder. Give it the simple title of waze and save as a .apk file. Don't forget, if it's already showing file type as .apk, do not type in "waze.apk". This will create waze.apk.apk as the filename. If you had "Save as type" set to "All Files", then you would call it "waze.apk". Otherwise, as in the image shown here, call it "waze":

    683fe749810f420ea1630ab0a8f843ae.png


    ---------- Post added at 07:46 AM ---------- Previous post was at 07:39 AM ----------

    Time to head to your vehicle. Here is a screencap of a random youtube video so you can see the screen where you'll be modifying your connection from the Settings > Bluetooth/Wi-Fi tabs section:

    983cf1c576154a9989d831d8e7ebd9e5.png


    First, make sure Wi-Fi On/Off Status is set to on. Then, go to the Wi-Fi network list, and get your vehicle online. Make sure it's on the same local network as your PC. Once connected, check the IP address of your Pilot by going to Settings > Bluetooth/Wi-Fi Settings > Wi-Fi Information. Write this address down and head back to your PC. For our case, we'll say it's 192.168.1.200.

    It is important that you make sure that the IP address of the computer which you're executing the script from is on the same subnet as your vehicle. For instance, if your computer's local IP address is 192.168.1.172, then your vehicle must start the same way, with 192.168.1.#. The simplest way to ensure this is to have them both connected to the same router.

    To verify, you'll go to the command prompt and type in ipconfig. Click the windows icon and type cmd. Then type, ipconfig and hit enter. You'll be looking at the information on whichever adapter is currently in use. In my case, I'm hardwired so it's the ethernet adapter. I've highlighted my IP address in red.

    5df2371a39aa4be0ac897a693bb62c2e.png


    In this case, the vehicle and the computer are on the same subnet. They both start with 192.168.1. We're good to go, and now over 90% done! From here, it's mostly crossing fingers and hoping things go according to plan.

    Head back to the command prompt and bring yourself to the C:\hondahack\OneClick directory. To do this, type
    Code:
    cd c:\hondahack\OneClick
    Now, you'll be executing the script. This specific script is broken down into three parts. Batch File Name > IP Address to pass to script > APK to pass to script. For additional applications, all you'll need to do is download the proper APK file, locate it to your C:\hondahack\OneClick directory. In our case, we're going to type
    Code:
    OneClickInstall.bat 192.168.1.200 waze.apk

    20eb6e3a960941b994ef3249479817e7.png


    Since I have already done this, the below will show something similar to what the output of that command will be:

    Code:
    Usage: ./OneClickInstall.sh ipaddress My.apk
    Example: ./OneClickInstall.sh 192.168.1.200 waze.apk
    Disconnecting other adb devices\n
    
    Connecting to 192.168.1.200\n
    connected to 192.168.1.200:5555
    Checking for root...
    Rooted successfully!
    Already rooted!
    Okay, getting signature of Waze.apk
    Signature: 30820314308202d2a003020102020449806de1300b06072a86 48ce3804030500306c310f300d060355040613064973726165 6c310f300d0603550408130649737261656c3110300e060355 040713075261616e616e61310d300b060355040a130457617a 65310d300b060355040b130457617a65311830160603550403 130f416c657820416772616e6f766963683020170d30393031 32383134333832355a180f3230363331313031313433383235 5a306c310f300d0603550406130649737261656c310f300d06 03550408130649737261656c3110300e060355040713075261 616e616e61310d300b060355040a130457617a65310d300b06 0355040b130457617a65311830160603550403130f416c6578 20416772616e6f76696368308201b83082012c06072a8648ce 3804013082011f02818100fd7f53811d75122952df4a9c2eec e4e7f611b7523cef4400c31e3f80b6512669455d402251fb59 3d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b7 6b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7 c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae 2b61d72aeff22203199dd14801c70215009760508f15230bcc b292b982a2eb840bf0581cf502818100f7e1a085d69b3ddecb bcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159 578ebad4594fe67107108180b449167123e84c281613b7cf09 328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f 0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15a e59f06928b665e807b552564014c3bfecf492a038185000281 8100ce11f6d402adf4a6aceaf6fe81219ed28299e37ffdca84 6241e7d21e5bf35c8938ee20ce6ade9907c38f12556d574135 ebb36a567c7cb001d75d3952bcca616f4ad232563e407706c9 5bc47f2ed115052d5389eb84799956e5aa4481be2312d347c6 20029b2b8903b5553849111da92372cd50e2f9a7c156d5d10f 3d83bbaf03300b06072a8648ce3804030500032f00302c0214 46d982e8f1ea835d06f44934bf60241e5f8be5c402147d372a f681491f354f34c4ab1a6f30475e69767e
    Getting package information
    Package name: com.waze
    Retrieving current whitelist...
    Preparing replacement whitelist
    Okay - all set to replace the whitelist. Below are the final steps:
    1. Backup existing whitelist to /data/local/tmp/
    2. Upload whitelist to head unit
    3. Reboot head unit
    4. Install APK normally
    
    Please review the below items carefully - if anything doesn't look right, ABORT NOW!\n
    Root status: rooted
    APK signature obtained
    Have package name: com.waze
    Original whitelist.xml size seems okay
    Package name is present in new whitelist
    
    Would you like to proceed? (y/n):


    ---------- Post added at 07:52 AM ---------- Previous post was at 07:51 AM ----------

    At this point, review the above carefully. If it says you're rooted, the APK signature has been obtained, the whitelist.xml file is okay, and the package name is present in the new whitelist xml file, then you're good to proceed. If these results are not the same as above, select n and head to the forums with your question. If you've followed these directions exactly as presented, more than likely you won't face any issues.

    If you select "y" you will see the following:

    Code:
    Backing up whitelist to /data/local/tmp/whitelist-13-12-2016--21-03-02.xml
    Uploading whitelist
    106 KB/s (35666 bytes in 0.328s)
    Rebooting head unit
    Press enter when head unit has rebooted and is connected to WiFi

    Head to your vehicle. Make sure it restarted and is connceted to Wi-Fi. If so, head back to the computer and hit enter This part may take a few minutes depending on the APK size and your connection speed. You will see the following:

    Code:
    Issuing APK installation command - this may take a while depending on APK size
    connected to 192.168.1.208:5555
    252 KB/s (49700115 bytes in 191.852s)
    pkg: /data/local/tmp/Waze.apk
    Success!
    All done - hope you enjoy!

    If you see "Success!", you're good! On your vehicle head unit, go to the home screen, hit the 6 dots at the bottom right, and you should see the little Waze icon. Tap and you're off! Don't forget, you will need to use your phone as a mobile hotspot to provide data while on the go.

    If you see a failure, head back to the forums to see if you can figure where you may have went wrong.

    *****
    Here is TLDR version of this tutorial:

    1. Download the script, an ADB installer, JRE, and whatever APKs you want to add to your Honda.
    2. Have a single folder with the all in one script, ADB files, and APKs.
    3. Run the .bat file from the script at the terminal with the IP of your Honda & the APK of choice as the two parameters. C:\ [.bat file][ip address][apk]
    4. Cross your fingers :)
    *****


    This tutorial goes into great detail for the installation process, but I will leave any tweaks to the pros. I have yet to encounter (likely to limited use) any of these issues, but many have reported some audio issues with Waze, whether it be too quiet, or improper transitioning from music to notifications. This tutorial does not address these issues. From my understanding, there does not seem to be a consensus on why these problem exist or how to replicate these problems. Until there is a solution, they won't be addressed in this tutorial.

    Hopefully this was helpful. Feel free to chime in with any corrections or comments.
    8
    Sorry for the delay as I have something to attend after works :)

    First thing first: this totally depends on the root method provided by jersacct in this thread. All the credit to him and others who has helped during the adventure.

    Technical details about how to make installation works:
    As we all know that ApplistUpdate.apk contains whitelist zip and will install the whitelist.xml in /data/system/ folder. But changing that file didn't seem have any impact, as several of us tried it before. I have searched the whole file system trying to find the files that might be used to control the installation but to no avail.

    So I decided to decompile some of the apks and frameworks. The process is quite tedious as the decompilation was not always working, especially for the frameworks. I have tried a few tools but still not 100% working. But luckily I just got enough decompiled code to analyze the logic of whitelisting. After studying the code, here are some findings:

    • The "whitelist" system service (in /system/framework/framework.jar/odex) provides the service for other apps to check "whitelist" functionality. It doesn't do much itself except forwarding the call to WhiteListManager.
    • The WhiteListManager provides the core functions related to apps installation/permissions and is in /system/framework/services.jar/odex. It loads /system/data/whitelist.xml file during system boot-up. It has the following functions:
      • checkInstallPermission()
      • checkAddinApplication()
      • getRegulationMode()
      • checkAudioFlag()
      • getAudioStreamType()
      • checkRevertFlag()
    [highlight]The function checkInstallPermission() is called when app is installed. For 3rd party apps, it will compare the apk signatures to the keyStore values loaded from whitelist.xml.[/highlight]
    After lots of tries, I finally managed to create the correct signatures for my test app and I was able to get the "Install" button enabled for my test app!!!
    Here are the lines added to whitelist.xml for my test app:
    Code:
            <application>
                <property>
                    <name>TestApp</name>
                    <package>com.purespin.testapp</package>
                    <versionCode>1-999999999</versionCode>
                    <keyStoreLists>
                        <keyStore>308201e53082014ea003020102020454d05fc1300d06092a864886f70d01010505003037310b30090603550406130255533110300e060355040a1307416e64726f6964311630140603550403130d416e64726f6964204465627567301e170d3135303230333035343232355a170d3435303132363035343232355a3037310b30090603550406130255533110300e060355040a1307416e64726f6964311630140603550403130d416e64726f696420446562756730819f300d06092a864886f70d010101050003818d00308189028181009c29ce69a49970e1c26f36c5cbd4051f384b07701e481bcd5563aa5f9952f9ac26aecdee8807de4202ea7cd94a6088d96ef6133d927375759d983777a6f655d08a1e055ce44413dd751a04a407b4773f904abf268faea3ba3de6ae8714c71620dd641d5cbd2deff2e8826aab1f62e3a62e7838a988548d2f76b5e59a35bc9d7d0203010001300d06092a864886f70d0101050500038181004822e80b27a715cd17ee08fa13592e7c18dde93443c1a26d04c80dcbd908e69f2d846a37e397246a64430d858b602a7e7befd77451e7e159de07225d5585e470680acbea0791970bc85f537f7034a5b37ef8fa9f555938d79748fe479c535c9a21cabe3979df15a6ac4428055ae1ad309f5106770223514f2c434447d62c37ca</keyStore>
                    </keyStoreLists>
                </property>
                <controlData>
                    <withAudio>without</withAudio>
                    <audioStreamType>null</audioStreamType>
                    <regulation>null</regulation>
                    <revert>no</revert>
                </controlData>
            </application>
    The rest are pretty straightforward, just get the signatures for any app you want install and add it to the whitelist.xml, upload it to HU, reboot and it can be installed.

    What have been tested?
    I tried some apps and they all can be installed and launched:
    • Waze (3.9.9) is running perfectly within 5km test drive without data. I have launched it for a few minutes before going out. So it probably downloaded some maps to cache while still connecting to home wifi.
    • HERE/Sygic can be installed and launched but having some problems. The settings page is blank in HERE so I can't choose external USB as the storage. Sygic asked to download maps after launch. So I just uninstalled these 2.
    • Spotify is running fine too. But there is no setting to choose external USB as the offline storage (the same version on my phone does have the setting option).
    • Kodi is working great. I can even playback video while driving. I know this is illegal but hey! I just want to have some fun :). I think this can be disabled by the restrictions settings in the whitelist.xml.
    Now the biggest challenge is the storage space. Part of the internal storage is mounted as /sdcard and all the USB ports are mounted as /mnt/usb?. So far all the apps cannot use the USB drives (ES File Explorer can read/write to USB but all the other apps can't recognize the USB as a valid external storage). After installing a few apps, I got warning saying "not enough storage". That's why I had to uninstall HERE/Sygic and didn't play with it much.
    I think the whole process to get the signature from apk, update whitelist.xml and upload it to HU can be automated by writing a simple app, just like what S_Mike did for the EU versions. But given the limited internal storage space, it is low priority now.

    Note that all the apps are installed under /data/app/ folder, not under /system/app/ folder. But to my surprise, the installed apps have all the "root" privilege. For example, ES File Explorer can open /data/system/whitelist.xml, which is only rw by the root user. It can even edit and write to the file!!! [highlight](I guess one has to be very careful when someone just play around! They can easily brick the HU!!!)[/highlight]

    Quick Test
    Sorry for the long story. For someone just need a quick test, you can download the attached whitelist.xml and follow these steps (You should compare the content of it with the original one in your HU to see the differences):
    Steps:
    1. Root your HU by following the instruction in the original post in this thread.
    2. adb push whitelist.xml /data/local/tmp/
    3. adb shell
    4. su
    5. cd /data/system
    6. cp whitelist.xml whitelist.xml.original
    7. cp /data/local/tmp/whitelist.xml .
    8. reboot
    After reboot, insert a USB with the following apks and try the "USB install" app to install:
    • com.purespin.testapp
    • com.waze
    • com.spotify.music
    • org.xbmc.kodi
    • com.estrongs.android.pop
    • com.sygic.aura
    • com.here.app.maps
    • com.tinusapps.gpsspeedo
    • oops.ledspeedometer
    • com.eclipsim.gpsstatus2
    • com.rechild.advancedtaskkiller

    For other apps
    Download the attached GetAndroidSig.jar file and run it against the apk you want to install:
    Code:
    java -jar GetAndroidSig.jar abc.apk
    it will print out the signatures for the apk. Add them to the whitelist.xml together with app name and package name. See the attached whitelist.xml for examples. If there are more then 1 signatures, you need to add them all. Check the HERE WeGo example in the xml file.

    That's all the info I have now. Let me know if you run into any issue or have any question.

    Warnings: I'm not responsible for any damage of your head unit. Use it for your own risk.
    7
    I think this is the breakthrough that everyone is waiting for:

    I will post all the info tonight after work :)
    7
    Wow.... really great news. But seems like really complicated. Hopefully soon there will be a much more simple way to get it done. Fingers crossed

    To you and others concerned about complexity:

    Would it be beneficial to have a script (Linux script or Windows batch file) that takes an input of APK to be installed, and the script makes the whitelist modifications accordingly and installs the desired APK? I anticipate this to be a straightforward process.

    Script inputs: IP address of device, APK to install

    Steps:
    • Connect to device over ADB
    • Check for root (can install root here if needed)
    • Create backup of current whitelist
    • Download current whitelist
    • Identify signature & permissions of APK to be installed
    • Modify whitelist appropriately
    • Copy new whitelist to device
    • Reboot device
    • Wait for device to reconnect
    • Issue install command to install new APK

    Thoughts? I may be able to work on this over the next few days to make rooting & APK installation a simpler process.

    Thanks again to purespin - really great work here.
    I think this is the breakthrough that everyone is waiting for