I own a 2021 Honda Civic and have been annoyed by the lack of public documentation/hacking tools for the Android-based headunit. I hope to address this by publishing my research into the headunit and encouraging discussion and community contribution
Thanks :) My friends and I have made a few jokes about hacking my literal "daily driver". TLDR; didn't excise, mostly sat in my car.
I originally rooted the car using Honda Hack via http://www.autohack.org/. A paid service that afaik uses a webkit exploit and probably an old Android kernel exploit to gain root. Part of the motivation for this project was to encourage others to release open-source rooting tools so they don't have to shell out the $25 for the "pro" version that I did.
Once I had root, I installed a few apps via a USB drive, including a file manager and a third-party app for ADB over TCP (I don't think 4.2.2 had built-in support for networked ADB). Then I connected my car to a Wi-Fi hotspot on my phone (at one point editing Android's wpa_supplicant.conf file directly because it got corrupted). Once I made sure that the headunit would autostart ADB over TCP and always try to connect to a certain Wi-Fi network, I had a decent safety net.
So I spent a good amount of time sitting in my car with a laptop after that though I was able to pull partitions via dd and do a lot of research sitting at my desk, especially static analysis of APKs, native libs, and binaries, stopping back at my car on occasion to grep gpio pins or sysfs values.
I didn't want to risk pulling the headunit from the car; that was (and is) an emergency fallback in case I ever wipe flash or something and need to reflash to the physical board. Fortunately I never had the need. I'd be great to get detailed pictures of the unit though. A quick eBay search shows headunits going for ~$1,000, which imo is ridiculous given that they're glorified Android tablets c. 2012. But if anyone has an extra they're looking to donate, definitely get in touch
> Part of the motivation for this project was to encourage others to release open-source rooting tools so they don't have to shell out the $25 for the "pro" version that I did.
I took a quick look at it, someone could easily remove the license check, unlock the pro features and set up an easy to use site for it
I also paid for Honda Hack. I'm curious if you have the same issue as I where once I rooted with Honda Hack, Carplay seems to be extremely buggy where it often doesn't work without several reboots and/or stopping/starting the car. Haven't been able to pinpoint why this is other than the extra features are just bogging down the ancient hardware to a point that it's destabilizing.
Yea if I get more into the hardware hacking side of things, it'd be great if I could add a wire harness to be able to connect external power to the headunit/disconnect it from the car battery. I never had to fully disconnect battery terminals or anything but I had some scares with slow reboot times. I also want to look into LoRa or similar wireless tech to be able to send terminal commands to the car from my desk
It's actually probably running Android Automotive 4.2.2 (as opposed to straight android auto). I encountered this in my journey in to the Pioneer AVH-W4500nex after the internal SDcard failed (here's my post http://avic411.com/index.php?/topic/90861-fix-sdcard-failed-...)
You should have no problem using one of the available rootkits for 4.2.2. That's how I got root on my pioneer. You can find out a lot of interesting stuff binwalking the firmware. Stuff like diag menus and such, at least in the Pioneer stuff.
Yes, you can run your own launcher and apps on it. Probably stable once you figure out what customizations they made.
I have a Toyota RAV4, about 2016, with the built-in system. It's silly amounts of awful when it comes to bad UX. Enough so that I am considering buying a head unit.
Bafflingly, I can't find head units that recognize and obey MP3 playlists. I would have thought that functionality would be a given.
My limited experience says it's mostly about lengths of filenames, non alphabetic characters in filenames, and nested directories. Try flat directory structure and maybe random filenames of 6-8 characters. Simply one more obfuscation step before feeding it into a car system. If lucky, the system might read correctly the ID3 tags.
Oh, no, I tried with very simple setups. Believe me. Down to a playlist of a single song consisting of a single word. No love.
In a rather similar fashion, I managed to reverse engineer the Roku's very, uh, idiosyncratic interpretation of the, well, was it ever a standard? In any case, Roku's Media Player app had, charmingly, decided to simply ignore the order of the songs in the playlist and -- this was fun to figure out -- grab the metadata of the songs and do it by a regular sort of the track number. It's brilliantly stupid, because it'd work just fine if you had a playlist of a single album. There, it makes perfect sense. Nowhere else.
Would love if this ported to the 2021 Honda Accord as well. I would love a custom button to turn on the rear camera for easier parking, longer dwell time after shifting into drive, etc. Keep up the good work!
As far as I currently understand it, most of the code on my headunit is probably 99% identical to the code on 2021 Accord units. Same goes for Acura cars; I can't publish the APK files themselves but there are Acura versions of Honda logos in most of the APKs. Also check out some of the APK filenames: https://github.com/librick/ic1101/blob/main/docs/apk-hashes.....
I welcome PRs/contributions from the community; things like Honda-internal model numbers represent a non-technical obstacle for me as a lone developer. It'd be great to see boot/recovery images for similar vehicles, Accords included.
One of my goals is right-to-repair adjacent. I bought a Honda in the first place because they have a reputation for having an active modding scene and I see value in that positive feedback loop. Hopefully having the repo as a resource helps other people do more hardware mods or manufacture cheaper/consumer-friendly replacement parts.
I've considered trying to make an open source replacement of the /sbin/earlyrvc binary for rear camera hacking specifically. I caught a lucky break because the binary includes logging messages left in by the Honda devs and the messages include method names.
The apparent jankiness of the rear camera was one of the first reasons I started hacking on the car tbh. It was weird to me that the yellow guidelines/overlay don't appear on the camera feed until a little while after the camera feed first shows up. I've confirmed that it's a two stage process controlled in part by the /sbin/earlyrvc binary and later accessed via an Android service. But I'm not sure why the Honda devs didn't include rear camera dash cam functionality. Especially because you can use the side camera while driving, but not the rear camera. My working theory is that there's some sort of limitation with frame buffers or processing power but . I definitely encourage other devs to look into this too
Ahh, didn't realise some Civics have side cameras. My 2020 Civic only has a rear camera. FWIW I haven't noticed much jerkiness from it so far.
I wonder if I could write a little binary that would continuously record the rear camera, at least the last minute or so, and then hook it up to some button in the UI to store the last recording.
How tough is it to root the head unit and work with it?
*Jankiness, not jerkiness. I could have clarified that better; what I mean is that it was strange to me that the backup camera had two stages. The camera video feed comes up first, then the yellow overlay lines are rendered on top later. Which makes sense, that way the user doesn't have to wait for Android to boot up completely before they can view the backup camera.
I want to look more into rear camera viewing/recording too. The binary /sbin/earlyrvc in the repo (in the boot recovery image directory) is what displays the camera on boot. After that there's a few Honda-specific APKs that handle backup camera access for the rest of Android. I had some luck using Ghidra for static analysis of /sbin/earlyrvc. But the biggest hurdle I ran into is a lack of documentation on NVIDIA kernel drivers and the graphics pipeline.
As for rooting, I used a paid ($25) service. You sign up on this sketchy site, pay the $25 to get a unique code (a UUID), and then visit a specific website from the headunit's web browser. AFAIK, whoever runs that service is basically just using a WebKit exploit chained to some other Android exploit(s) to achieve root. It worked for me. I've added some more info on this to the README. But one of my goals is to make rooting easier/free/open source to lower the barrier-to-entry for headunit hacking. It'd be great to see a PR for that
The 10th gen Civic ran from 2016-2022 with the same infotainment setup. So it's a 2016 car with 2012 software. That's very reasonable.
And the benefit to that is that it's easy to hack since there's an RCE in the old browser. So you can jailbreak your own car. (It doesn't have a cellular data connection so it's not a security risk)
Addressing "(It doesn't have a cellular data connection so it's not a security risk)" - I wouldn't say it's not a security risk. Check out the Bluetooth docs in the repo for example. Cellular data is only one interface out of many others (Bluetooth, Wi-Fi, CAN, XM radio, HD radio). Jailbreaking anything isn't without its risks.
Further, I agree that it's reasonable to ship a 2016 car with 2012 software. But I've seen no evidence that these headunits have gotten security updates within that timeframe. Think of it like a smartphone. I can make do with a phone that's a few years old, but I have an expectation that it will receive timely security updates. In the case of the Honda headunits, they run Android. They should receive Android security patches (I'll admit there's certainly complexity there, Google has long struggled with the tradeoff between device security and AOSP ubiquity). There's nothing wrong with using an older version of Android or an LTS kernel, but it should still receive security patches.
Consider Stagefright bugs. As I understand it, although it was published in 2015, it affected several earlier Android versions, including 4.2.2. See: https://en.wikipedia.org/wiki/Stagefright_(bug). As far as I know, my car was never patched against Stagefright bugs. All it takes is a bug in one library (such as for HD radio image processing) and a well-published Android for something like this to be a big problem.
It's complicated; I like jailbreaking. I also think Honda should ship higher-quality software with better security policies and update guarantees
Awww nostalgia hits... some very very long time ago I was working on software tested on KitKat. It's better not to mention it during interviews otherwise will be dismissed as a dinosaur.
I have it on my 2020 civic and at least it doesn't lag. Problem with newer builds is the inevitable creep of increased CPU and memory usage until eventually perfectly good hardware is no longer able to run anything.
Yea I tend to have pretty high memory usage, including when I was running close to stock (i.e., before installing a bunch of third-party apps). My model didn't come with a built-in GPS app, but I was told that the next trim up/more expensive model did. I think more expensive trims came with headunits with more RAM (I think 4GB?) but I can't confirm. It'd be great to see a PR from someone with better hardware to see the actual headunit differences between trims
I'll check mine. I have the Sport Touring so it's the top trim below the Type R with built in GPS but I never actually use the GPS cause my phone's is better.
yep, I also have a 2020 Civic and the software actually is alright, though perhaps my expectations were set really low by the amount of hate I read about the software online. But hey, it supports CarPlay just fine (although does have some weird graphical artifacts sometimes) and the screen is responsive enough which is all that I really want.
I can't speak to CarPlay but yea I'll say the headunit software is certainly usable. One of the reasons I started this project was because I admire the engineering involved. I wish they would've shipped wireless Android Auto though. My car only works with wired Android Auto. It was only a minor inconvenience until I broke a USB-C cable. I rely on my car, I didn't need a failure point in my navigation. I ended up buying an adapter (the Motorola MA1) that lets me use Android Auto wirelessly (the MA1 worked okay, I had a few issues where it would randomly reboot but one day that stopped and I still don't know why; it's finicky). It just seems absurd to have a whole separate hardware/software stack in the form of an adapter just because Honda couldn't use a newer Wi-Fi/Bluetooth chip
Nexus 4 was a great phone. Honestly I don't remember it being particularly slower than my more recent phones, since most of what I do is browse the web, listen to music, and watch YouTube videos.
I bet on today's web it would feel quite slow though, because everything is terrible.
I have serious doubt there were any tablets shipping with Android 4 that used a resistive screen. At least not any that didn't come from some no-name manufacturer for eighty bucks.
I have the same system in my 2017 Civic. It's definitely a capacitive touchscreen. Essentially just a Android tablet from 2012, and it's responsive enough.
Being hackable considered a "bug": if someone founds a way to tweak the infotainment, they will "update" it in no time to block such tweaks. They all pretend to have their own apps, yet they never do. Just in case, block users from creating their own and sharing them. E.g. https://mazdatweaks.com/
Or, as for the Subaru Starlink head-unit, even if it is so buggy and crashes all the time, once the car is out the dealer's door, there is nothing the consumer can do.
Even class actions don't mean they would be recalled or even fixed. They did offer a discount on a new car.
TLDR; Kia rant: Yea it's bizarre to me how recalls aren't more widespread. The fiasco with Kia cars getting broken into is my favorite recent example. Teenagers break into random stranger's Kias and go on joyrides. Then local news channels and police sensationalize Kia car break-ins or villify bored teenagers. It seems like very few people actually demand recalls by Kia. A car that can be unlocked in the span of a TikTok video is a dangerous car; it's a public safety issue. I'm mostly ignorant of the recall process, but it seems like they should be more widespread than they are
> I'm mostly ignorant of the recall process, but it seems like they should be more widespread than they are
Fully agree. The reason is, it's easier (and fits into more popular narratives) to blame Tiktok and Youtube than to hold large corporations accountable.
This feels like when people post content and include "no copyright infringement intended" in the description.