Show HN: Honda Civic Infotainment Reverse-Engineering
3 years ago (github.com)
I own a 2021 Honda Civic and have been annoyed by the lack of public documentation/hacking tools for the Android-based headunit. I hope to address this by publishing my research into the headunit and encouraging discussion and community contribution
> initial commit pls dont sue
This feels like when people post content and include "no copyright infringement intended" in the description.
Cool project! How much time have you spent sitting in your car with a laptop, or did you excise the headunit from the car?
Thanks :) My friends and I have made a few jokes about hacking my literal "daily driver". TLDR; didn't excise, mostly sat in my car.
I originally rooted the car using Honda Hack via http://www.autohack.org/. A paid service that afaik uses a webkit exploit and probably an old Android kernel exploit to gain root. Part of the motivation for this project was to encourage others to release open-source rooting tools so they don't have to shell out the $25 for the "pro" version that I did.
Once I had root, I installed a few apps via a USB drive, including a file manager and a third-party app for ADB over TCP (I don't think 4.2.2 had built-in support for networked ADB). Then I connected my car to a Wi-Fi hotspot on my phone (at one point editing Android's wpa_supplicant.conf file directly because it got corrupted). Once I made sure that the headunit would autostart ADB over TCP and always try to connect to a certain Wi-Fi network, I had a decent safety net.
So I spent a good amount of time sitting in my car with a laptop after that though I was able to pull partitions via dd and do a lot of research sitting at my desk, especially static analysis of APKs, native libs, and binaries, stopping back at my car on occasion to grep gpio pins or sysfs values.
I didn't want to risk pulling the headunit from the car; that was (and is) an emergency fallback in case I ever wipe flash or something and need to reflash to the physical board. Fortunately I never had the need. I'd be great to get detailed pictures of the unit though. A quick eBay search shows headunits going for ~$1,000, which imo is ridiculous given that they're glorified Android tablets c. 2012. But if anyone has an extra they're looking to donate, definitely get in touch
> Part of the motivation for this project was to encourage others to release open-source rooting tools so they don't have to shell out the $25 for the "pro" version that I did.
I took a quick look at it, someone could easily remove the license check, unlock the pro features and set up an easy to use site for it
I also paid for Honda Hack. I'm curious if you have the same issue as I where once I rooted with Honda Hack, Carplay seems to be extremely buggy where it often doesn't work without several reboots and/or stopping/starting the car. Haven't been able to pinpoint why this is other than the extra features are just bogging down the ancient hardware to a point that it's destabilizing.
This is the issue I always have with car interface hacking - its uncomfortable and batteries suffer!
Yea if I get more into the hardware hacking side of things, it'd be great if I could add a wire harness to be able to connect external power to the headunit/disconnect it from the car battery. I never had to fully disconnect battery terminals or anything but I had some scares with slow reboot times. I also want to look into LoRa or similar wireless tech to be able to send terminal commands to the car from my desk
Nothing like sitting in my lx with my laptop and techstream running while my steering wheel tries to reset its position and crush my laptop.
It's actually probably running Android Automotive 4.2.2 (as opposed to straight android auto). I encountered this in my journey in to the Pioneer AVH-W4500nex after the internal SDcard failed (here's my post http://avic411.com/index.php?/topic/90861-fix-sdcard-failed-...)
You should have no problem using one of the available rootkits for 4.2.2. That's how I got root on my pioneer. You can find out a lot of interesting stuff binwalking the firmware. Stuff like diag menus and such, at least in the Pioneer stuff.
Yes, you can run your own launcher and apps on it. Probably stable once you figure out what customizations they made.
I have a Toyota RAV4, about 2016, with the built-in system. It's silly amounts of awful when it comes to bad UX. Enough so that I am considering buying a head unit.
Bafflingly, I can't find head units that recognize and obey MP3 playlists. I would have thought that functionality would be a given.
> units that recognize and obey MP3 playlists
My limited experience says it's mostly about lengths of filenames, non alphabetic characters in filenames, and nested directories. Try flat directory structure and maybe random filenames of 6-8 characters. Simply one more obfuscation step before feeding it into a car system. If lucky, the system might read correctly the ID3 tags.
Oh, no, I tried with very simple setups. Believe me. Down to a playlist of a single song consisting of a single word. No love.
In a rather similar fashion, I managed to reverse engineer the Roku's very, uh, idiosyncratic interpretation of the, well, was it ever a standard? In any case, Roku's Media Player app had, charmingly, decided to simply ignore the order of the songs in the playlist and -- this was fun to figure out -- grab the metadata of the songs and do it by a regular sort of the track number. It's brilliantly stupid, because it'd work just fine if you had a playlist of a single album. There, it makes perfect sense. Nowhere else.
Would love if this ported to the 2021 Honda Accord as well. I would love a custom button to turn on the rear camera for easier parking, longer dwell time after shifting into drive, etc. Keep up the good work!
As far as I currently understand it, most of the code on my headunit is probably 99% identical to the code on 2021 Accord units. Same goes for Acura cars; I can't publish the APK files themselves but there are Acura versions of Honda logos in most of the APKs. Also check out some of the APK filenames: https://github.com/librick/ic1101/blob/main/docs/apk-hashes.....
I welcome PRs/contributions from the community; things like Honda-internal model numbers represent a non-technical obstacle for me as a lone developer. It'd be great to see boot/recovery images for similar vehicles, Accords included.
One of my goals is right-to-repair adjacent. I bought a Honda in the first place because they have a reputation for having an active modding scene and I see value in that positive feedback loop. Hopefully having the repo as a resource helps other people do more hardware mods or manufacture cheaper/consumer-friendly replacement parts.
I've considered trying to make an open source replacement of the /sbin/earlyrvc binary for rear camera hacking specifically. I caught a lucky break because the binary includes logging messages left in by the Honda devs and the messages include method names.
Thanks for the kind words and encouragement :)
What would be really nice is to use the rear camera as a dash cam when driving.
The apparent jankiness of the rear camera was one of the first reasons I started hacking on the car tbh. It was weird to me that the yellow guidelines/overlay don't appear on the camera feed until a little while after the camera feed first shows up. I've confirmed that it's a two stage process controlled in part by the /sbin/earlyrvc binary and later accessed via an Android service. But I'm not sure why the Honda devs didn't include rear camera dash cam functionality. Especially because you can use the side camera while driving, but not the rear camera. My working theory is that there's some sort of limitation with frame buffers or processing power but . I definitely encourage other devs to look into this too
2 replies →
>2021 Honda Civic
>2012 software and hardware
Oy vey.
The 10th gen Civic ran from 2016-2022 with the same infotainment setup. So it's a 2016 car with 2012 software. That's very reasonable.
And the benefit to that is that it's easy to hack since there's an RCE in the old browser. So you can jailbreak your own car. (It doesn't have a cellular data connection so it's not a security risk)
Addressing "(It doesn't have a cellular data connection so it's not a security risk)" - I wouldn't say it's not a security risk. Check out the Bluetooth docs in the repo for example. Cellular data is only one interface out of many others (Bluetooth, Wi-Fi, CAN, XM radio, HD radio). Jailbreaking anything isn't without its risks.
Further, I agree that it's reasonable to ship a 2016 car with 2012 software. But I've seen no evidence that these headunits have gotten security updates within that timeframe. Think of it like a smartphone. I can make do with a phone that's a few years old, but I have an expectation that it will receive timely security updates. In the case of the Honda headunits, they run Android. They should receive Android security patches (I'll admit there's certainly complexity there, Google has long struggled with the tradeoff between device security and AOSP ubiquity). There's nothing wrong with using an older version of Android or an LTS kernel, but it should still receive security patches.
Last year, some Mazda cars were accidentally bricked by a radio station broadcast omitting file extensions: https://arstechnica.com/cars/2022/02/radio-station-snafu-in-.... That was an accident, not the work of a malicious actor.
Consider Stagefright bugs. As I understand it, although it was published in 2015, it affected several earlier Android versions, including 4.2.2. See: https://en.wikipedia.org/wiki/Stagefright_(bug). As far as I know, my car was never patched against Stagefright bugs. All it takes is a bug in one library (such as for HD radio image processing) and a well-published Android for something like this to be a big problem.
It's complicated; I like jailbreaking. I also think Honda should ship higher-quality software with better security policies and update guarantees
I wonder the year of its touchscreen. 5 years old car? Almost brand new. 5 years old touchscreen and software? It's going to be painful.
I have a 2017 Civic, and based on the info in the OP, it's the same as the 2021 models, and yes, it's severely dated.
Though it's Android 4.4, which gives me some nostalgia from my Nexus 4 and the Holo era of Android
8 replies →
Probably a resistive type like on really old tablets running Android 4!
4 replies →
Par for the course in automotive. Once something works, it is not getting modified unless bugs appear.
Being hackable considered a "bug": if someone founds a way to tweak the infotainment, they will "update" it in no time to block such tweaks. They all pretend to have their own apps, yet they never do. Just in case, block users from creating their own and sharing them. E.g. https://mazdatweaks.com/
Or, as for the Subaru Starlink head-unit, even if it is so buggy and crashes all the time, once the car is out the dealer's door, there is nothing the consumer can do.
Even class actions don't mean they would be recalled or even fixed. They did offer a discount on a new car.
2 replies →
that's automotive engineering for you lol. aviation is similar
[flagged]
i would love something like that for the newest Piaggio MP3 unit... it's really bad