Comments URL: https://news.ycombinator.com/item?id=48523080

Points: 381

# Comments: 92

I want to look more into rear camera viewing/recording too. The binary /sbin/earlyrvc in the repo (in the boot recovery image directory) is what displays the camera on boot. After that there's a few Honda-specific APKs that handle backup camera access for the rest of Android. I had some luck using Ghidra for static analysis of /sbin/earlyrvc. But the biggest hurdle I ran into is a lack of documentation on NVIDIA kernel drivers and the graphics pipeline.

As for rooting, I used a paid ($25) service. You sign up on this sketchy site, pay the $25 to get a unique code (a UUID), and then visit a specific website from the headunit's web browser. AFAIK, whoever runs that service is basically just using a WebKit exploit chained to some other Android exploit(s) to achieve root. It worked for me. I've added some more info on this to the README. But one of my goals is to make rooting easier/free/open source to lower the barrier-to-entry for headunit hacking. It'd be great to see a PR for that

Further, I agree that it's reasonable to ship a 2016 car with 2012 software. But I've seen no evidence that these headunits have gotten security updates within that timeframe. Think of it like a smartphone. I can make do with a phone that's a few years old, but I have an expectation that it will receive timely security updates. In the case of the Honda headunits, they run Android. They should receive Android security patches (I'll admit there's certainly complexity there, Google has long struggled with the tradeoff between device security and AOSP ubiquity). There's nothing wrong with using an older version of Android or an LTS kernel, but it should still receive security patches.

Last year, some Mazda cars were accidentally bricked by a radio station broadcast omitting file extensions: https://arstechnica.com/cars/2022/02/radio-station-snafu-in-.... That was an accident, not the work of a malicious actor.

Consider Stagefright bugs. As I understand it, although it was published in 2015, it affected several earlier Android versions, including 4.2.2. See: https://en.wikipedia.org/wiki/Stagefright_(bug). As far as I know, my car was never patched against Stagefright bugs. All it takes is a bug in one library (such as for HD radio image processing) and a well-published Android for something like this to be a big problem.

It's complicated; I like jailbreaking. I also think Honda should ship higher-quality software with better security policies and update guarantees

I originally rooted the car using Honda Hack via http://www.autohack.org/. A paid service that afaik uses a webkit exploit and probably an old Android kernel exploit to gain root. Part of the motivation for this project was to encourage others to release open-source rooting tools so they don't have to shell out the $25 for the "pro" version that I did.

Once I had root, I installed a few apps via a USB drive, including a file manager and a third-party app for ADB over TCP (I don't think 4.2.2 had built-in support for networked ADB). Then I connected my car to a Wi-Fi hotspot on my phone (at one point editing Android's wpa_supplicant.conf file directly because it got corrupted). Once I made sure that the headunit would autostart ADB over TCP and always try to connect to a certain Wi-Fi network, I had a decent safety net.

So I spent a good amount of time sitting in my car with a laptop after that though I was able to pull partitions via dd and do a lot of research sitting at my desk, especially static analysis of APKs, native libs, and binaries, stopping back at my car on occasion to grep gpio pins or sysfs values.

I didn't want to risk pulling the headunit from the car; that was (and is) an emergency fallback in case I ever wipe flash or something and need to reflash to the physical board. Fortunately I never had the need. I'd be great to get detailed pictures of the unit though. A quick eBay search shows headunits going for ~$1,000, which imo is ridiculous given that they're glorified Android tablets c. 2012. But if anyone has an extra they're looking to donate, definitely get in touch

I welcome PRs/contributions from the community; things like Honda-internal model numbers represent a non-technical obstacle for me as a lone developer. It'd be great to see boot/recovery images for similar vehicles, Accords included.

One of my goals is right-to-repair adjacent. I bought a Honda in the first place because they have a reputation for having an active modding scene and I see value in that positive feedback loop. Hopefully having the repo as a resource helps other people do more hardware mods or manufacture cheaper/consumer-friendly replacement parts.

I've considered trying to make an open source replacement of the /sbin/earlyrvc binary for rear camera hacking specifically. I caught a lucky break because the binary includes logging messages left in by the Honda devs and the messages include method names.

Thanks for the kind words and encouragement :)

Comments URL: https://news.ycombinator.com/item?id=36052753

Points: 94

# Comments: 43