[GUIDE] How to gain root shell on 2016 Honda Pilot (and now install apps!!!)

[ericlus15]

i asked anekin about this on the piloteer forum and here is the info - he bought the blackbox from HondaPartsNetwork.com and he will receive it on Tuesday. a bunch of us are waiting on his post about this blackbox swap.

Thanks for the info. I just found the part number and will order one when anekin confirms it works. Does anyone know how do we program the vin into the new black box. I know the radio checks for the correct vin when turned on.

 

[bornwilder]

Hi guys, i too have been searching high and low for a solution to this player lock issue. I am too quite a avid rom flasher for my mobile but i know peanuts about programming. After reading threads after threads i think maybe we can unlock the player if somebody can create a kernel with root access preloaded. Again sorry if i said anything silly.

 

[purespin]

I think this is the breakthrough that everyone is waiting for:

I will post all the info tonight after work

 

[enyce9]

You sir, are the man!???

Sent from my Nexus 6P using Tapatalk

 

[TWINTRBO]

Wow! This is amazing news! I'm assuming Waze is using a tether to a phone for data connection?

 

[jersacct]

I think this is the breakthrough that everyone is waiting for:

I will post all the info tonight after work

I've been spamming refresh for hours.......duuuuuuuuuuude. Give us your secrets .

 

[enyce9]

I've been spamming refresh for hours.......duuuuuuuuuuude. Give us your secrets .

Second this

Sent from my Nexus 6P using Tapatalk

 

[purespin]

Sorry for the delay as I have something to attend after works

First thing first: this totally depends on the root method provided by jersacct in this thread. All the credit to him and others who has helped during the adventure.

Technical details about how to make installation works:

As we all know that ApplistUpdate.apk contains whitelist zip and will install the whitelist.xml in /data/system/ folder. But changing that file didn't seem have any impact, as several of us tried it before. I have searched the whole file system trying to find the files that might be used to control the installation but to no avail.

So I decided to decompile some of the apks and frameworks. The process is quite tedious as the decompilation was not always working, especially for the frameworks. I have tried a few tools but still not 100% working. But luckily I just got enough decompiled code to analyze the logic of whitelisting. After studying the code, here are some findings:

• The "whitelist" system service (in /system/framework/framework.jar/odex) provides the service for other apps to check "whitelist" functionality. It doesn't do much itself except forwarding the call to WhiteListManager.
• The WhiteListManager provides the core functions related to apps installation/permissions and is in /system/framework/services.jar/odex. It loads /system/data/whitelist.xml file during system boot-up. It has the following functions:
  • checkInstallPermission()
  • checkAddinApplication()
  • getRegulationMode()
  • checkAudioFlag()
  • getAudioStreamType()
  • checkRevertFlag()

[highlight]The function checkInstallPermission() is called when app is installed. For 3rd party apps, it will compare the apk signatures to the keyStore values loaded from whitelist.xml.[/highlight]
After lots of tries, I finally managed to create the correct signatures for my test app and I was able to get the "Install" button enabled for my test app!!!
Here are the lines added to whitelist.xml for my test app:

        <application>
            <property>
                <name>TestApp</name>
                <package>com.purespin.testapp</package>
                <versionCode>1-999999999</versionCode>
                <keyStoreLists>
                    <keyStore>308201e53082014ea003020102020454d05fc1300d06092a864886f70d01010505003037310b30090603550406130255533110300e060355040a1307416e64726f6964311630140603550403130d416e64726f6964204465627567301e170d3135303230333035343232355a170d3435303132363035343232355a3037310b30090603550406130255533110300e060355040a1307416e64726f6964311630140603550403130d416e64726f696420446562756730819f300d06092a864886f70d010101050003818d00308189028181009c29ce69a49970e1c26f36c5cbd4051f384b07701e481bcd5563aa5f9952f9ac26aecdee8807de4202ea7cd94a6088d96ef6133d927375759d983777a6f655d08a1e055ce44413dd751a04a407b4773f904abf268faea3ba3de6ae8714c71620dd641d5cbd2deff2e8826aab1f62e3a62e7838a988548d2f76b5e59a35bc9d7d0203010001300d06092a864886f70d0101050500038181004822e80b27a715cd17ee08fa13592e7c18dde93443c1a26d04c80dcbd908e69f2d846a37e397246a64430d858b602a7e7befd77451e7e159de07225d5585e470680acbea0791970bc85f537f7034a5b37ef8fa9f555938d79748fe479c535c9a21cabe3979df15a6ac4428055ae1ad309f5106770223514f2c434447d62c37ca</keyStore>
                </keyStoreLists>
            </property>
            <controlData>
                <withAudio>without</withAudio>
                <audioStreamType>null</audioStreamType>
                <regulation>null</regulation>
                <revert>no</revert>
            </controlData>
        </application>

The rest are pretty straightforward, just get the signatures for any app you want install and add it to the whitelist.xml, upload it to HU, reboot and it can be installed.
​

What have been tested?
I tried some apps and they all can be installed and launched:

• Waze (3.9.9) is running perfectly within 5km test drive without data. I have launched it for a few minutes before going out. So it probably downloaded some maps to cache while still connecting to home wifi.
• HERE/Sygic can be installed and launched but having some problems. The settings page is blank in HERE so I can't choose external USB as the storage. Sygic asked to download maps after launch. So I just uninstalled these 2.
• Spotify is running fine too. But there is no setting to choose external USB as the offline storage (the same version on my phone does have the setting option).
• Kodi is working great. I can even playback video while driving. I know this is illegal but hey! I just want to have some fun . I think this can be disabled by the restrictions settings in the whitelist.xml.

Now the biggest challenge is the storage space. Part of the internal storage is mounted as /sdcard and all the USB ports are mounted as /mnt/usb?. So far all the apps cannot use the USB drives (ES File Explorer can read/write to USB but all the other apps can't recognize the USB as a valid external storage). After installing a few apps, I got warning saying "not enough storage". That's why I had to uninstall HERE/Sygic and didn't play with it much.
I think the whole process to get the signature from apk, update whitelist.xml and upload it to HU can be automated by writing a simple app, just like what S_Mike did for the EU versions. But given the limited internal storage space, it is low priority now.

Note that all the apps are installed under /data/app/ folder, not under /system/app/ folder. But to my surprise, the installed apps have all the "root" privilege. For example, ES File Explorer can open /data/system/whitelist.xml, which is only rw by the root user. It can even edit and write to the file!!! [highlight](I guess one has to be very careful when someone just play around! They can easily brick the HU!!!)[/highlight]

Quick Test
Sorry for the long story. For someone just need a quick test, you can download the attached whitelist.xml and follow these steps (You should compare the content of it with the original one in your HU to see the differences):
Steps:

1. Root your HU by following the instruction in the original post in this thread.
2. adb push whitelist.xml /data/local/tmp/
3. adb shell
4. su
5. cd /data/system
6. cp whitelist.xml whitelist.xml.original
7. cp /data/local/tmp/whitelist.xml .
8. reboot

After reboot, insert a USB with the following apks and try the "USB install" app to install:

• com.purespin.testapp
• com.waze
• com.spotify.music
• org.xbmc.kodi
• com.estrongs.android.pop
• com.sygic.aura
• com.here.app.maps
• com.tinusapps.gpsspeedo
• oops.ledspeedometer
• com.eclipsim.gpsstatus2
• com.rechild.advancedtaskkiller

For other apps
Download the attached GetAndroidSig.jar file and run it against the apk you want to install:

java -jar GetAndroidSig.jar abc.apk

it will print out the signatures for the apk. Add them to the whitelist.xml together with app name and package name. See the attached whitelist.xml for examples. If there are more then 1 signatures, you need to add them all. Check the HERE WeGo example in the xml file.

That's all the info I have now. Let me know if you run into any issue or have any question.

Warnings: I'm not responsible for any damage of your head unit. Use it for your own risk.

 

[purespin]

I've been spamming refresh for hours.......duuuuuuuuuuude. Give us your secrets .

Sorry Jersacct! Just posted it

 

[jersacct]

Sorry Jersacct! Just posted it

So fantastic. I was going to go in another direction when I got more time over the Xmas break. Glad you figured out the signature check!

I'll look into ways to use USB storage to expand APK installation space - likely some custom scripts can be used to bind mount extra storage in the system partition.

Great work, many thanks!!!

 

[moralesd66]

Awesome work gents. No need for Carplay/AA now if I can stream Kodi[emoji12] . This is sick!

 

[bornwilder]

Wow.... really great news. But seems like really complicated. Hopefully soon there will be a much more simple way to get it done. Fingers crossed

 

[jersacct]

Wow.... really great news. But seems like really complicated. Hopefully soon there will be a much more simple way to get it done. Fingers crossed

To you and others concerned about complexity:

Would it be beneficial to have a script (Linux script or Windows batch file) that takes an input of APK to be installed, and the script makes the whitelist modifications accordingly and installs the desired APK? I anticipate this to be a straightforward process.

Script inputs: IP address of device, APK to install

Steps:

• Connect to device over ADB
• Check for root (can install root here if needed)
• Create backup of current whitelist
• Download current whitelist
• Identify signature & permissions of APK to be installed
• Modify whitelist appropriately
• Copy new whitelist to device
• Reboot device
• Wait for device to reconnect
• Issue install command to install new APK

Thoughts? I may be able to work on this over the next few days to make rooting & APK installation a simpler process.

Thanks again to purespin - really great work here.

I think this is the breakthrough that everyone is waiting for

 

[bornwilder]

I think that would help a lot and would have a higher success rate if everything is compiled into a zip file. Something like chainfire's 1 click root zip. Thanks jersacct

 

[enyce9]

To you and others concerned about complexity:

Would it be beneficial to have a script (Linux script or Windows batch file) that takes an input of APK to be installed, and the script makes the whitelist modifications accordingly and installs the desired APK? I anticipate this to be a straightforward process.

Script inputs: IP address of device, APK to install

Steps:

• Connect to device over ADB
• Check for root (can install root here if needed)
• Create backup of current whitelist
• Download current whitelist
• Identify signature & permissions of APK to be installed
• Modify whitelist appropriately
• Copy new whitelist to device
• Reboot device
• Wait for device to reconnect
• Issue install command to install new APK

Thoughts? I may be able to work on this over the next few days to make rooting & APK installation a simpler process.

Thanks again to purespin - really great work here.

That would be greatly appreciated

Sent from my Nexus 6P using Tapatalk

 

[timaelabu]

less complex a script would be great.
being a iphone user i need to find out how to aquire waze, etc apks.
thank you purespin and Jesseract.

 

[purespin]

...
I'll look into ways to use USB storage to expand APK installation space - likely some custom scripts can be used to bind mount extra storage in the system partition. ...

Hi Jersacct,
All my USB sticks are mounted as these:

d---rwxr-x system   media_rw          1969-12-31 16:00 usb4

looks like it is mounted as rw:

/dev/block/vold/8:1 /mnt/usb4 vfat rw,dirsync,relatime,uid=1000,gid=1023,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

But none of the apps can write to the USB, except the "rooted" ES File Explorer. Any idea how to fix this?

 

[jersacct]

Easy rooter/installer

I'll update the main post as well, but I've attached scripts that I hope will serve to make the entire process a bit easier. That said, be careful, use these at your own risk, etc.

Extract zip file to some folder then open up a command prompt in that folder. Also drop the APKs you wish to install to that folder.

Type OnceClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]

The script will root your device if it's not already, then go ahead and perform steps necessary to install the APK (one reboot required if already rooted).

This basically performs the steps described in purespin's post to get a signature of the APK, download and modify the whitelist XML file, upload it back, reboot, then install the APK.

There's one prompt in the script that asks you too look things over - pay attention here, if any issues crop up at this point damage can be avoided, continuing in a bad state will have undefined results.

I'll look into using some USB storage to expand our room as I find the time.

Cheers!

Edit - removed attachment from this post, see attachment in first post.

 

[jersacct]

Hi Jersacct,
All my USB sticks are mounted as these:

d---rwxr-x system   media_rw          1969-12-31 16:00 usb4

looks like it is mounted as rw:

/dev/block/vold/8:1 /mnt/usb4 vfat rw,dirsync,relatime,uid=1000,gid=1023,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

But none of the apps can write to the USB, except the "rooted" ES File Explorer. Any idea how to fix this?

I might get some time to play with this tonight, but my thought would be to do what's called a bind mount to transparently grow the /data partition onto a USB flash drive. Some reading here:
http://android.stackexchange.com/questions/38263/mount-a-folder-from-external-sd-as-data

I'd plan on looking to do something less permanent than moving all of /data off the internal storage.

 

[purespin]

Type OnceClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]
Cheers!

Wow! That's really quick! Really amazing shell scripting skills!!!

I might get some time to play with this tonight, but my thought would be to do what's called a bind mount to transparently grow the /data partition onto a USB flash drive. Some reading here:
http://android.stackexchange.com/questions/38263/mount-a-folder-from-external-sd-as-data

I'd plan on looking to do something less permanent than moving all of /data off the internal storage.

I will check it out! Thx!