How To Gain Root Shell On 2016 Honda Pilot


We all know how easy and appealing it is to download and install applications with one click, whether on a smartphone, iPad, laptop or PC. But have you ever thought about doing the same with your vehicle, such as installing apps on a Honda Civic? It is straightforward if you follow the instructions exactly. Alternatively, skip this if you are not comfortable tampering with your vehicle.

What to do?

This method relies on the ‘dirtycow’ exploit (CVE-2016-5195). The code I used is the proof-of-concept Android exploit at https://github.com/timwr/CVE-2016-5195

In short, the bug lets a user on Linux overwrite the contents of a file that they can only read. After the exploit has run, any application that reads that file sees the new, post-exploit contents instead of the original.

The scripts that I used rely on the dirtycow binary to overwrite a shell script on the head unit. That script is then executed when you perform a factory reset through the settings menu of your Honda Civic head unit. The back-end process is simple: one script calls another script and performs a reboot. The second script mounts the system partition read-write, copies over an SU binary, sets the appropriate permissions, syncs, and remounts the partition read-only.
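As an added example from the defender's side (not part of the original post or the linked project), the following Python integrity check compares a baseline of the head unit's system partition against a later snapshot and flags exactly the changes the procedure above leaves behind: a modified factory_reset.sh and a new setuid su binary. The snapshot format, the paths and all file contents are constructed for illustration.

```python
import hashlib
import stat

# Hypothetical snapshot format: path -> (mode bits, raw file contents).
Snapshot = dict[str, tuple[int, bytes]]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(snapshot: Snapshot) -> dict[str, str]:
    """Record the hash of every file in a known-good snapshot."""
    return {path: sha256(content) for path, (_, content) in snapshot.items()}


def audit(baseline: dict[str, str], current: Snapshot) -> list[tuple[str, str]]:
    """Report files that were modified, added, removed, or are setuid executables."""
    findings = []
    for path, (mode, content) in current.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append(("unexpected_file", path))
        elif sha256(content) != expected:
            findings.append(("modified", path))
        # A setuid bit on an executable under /system is what a dropped su binary looks like.
        if mode & stat.S_ISUID and mode & stat.S_IXUSR:
            findings.append(("setuid_executable", path))
    for path in baseline:
        if path not in current:
            findings.append(("missing", path))
    return sorted(findings)


# Constructed known-good state of the system partition.
CLEAN: Snapshot = {
    "/system/bin/factory_reset.sh": (0o755, b"#!/system/bin/sh\n# constructed stand-in for the OEM reset script\n"),
    "/system/bin/sh": (0o755, b"\x7fELF constructed shell binary\n"),
}

# Constructed state after the rooting procedure: reset script replaced, su added.
TAMPERED: Snapshot = {
    "/system/bin/factory_reset.sh": (0o755, b"#!/system/bin/sh\n# constructed: contents no longer match the baseline\n"),
    "/system/bin/sh": (0o755, b"\x7fELF constructed shell binary\n"),
    "/system/xbin/su": (0o6755, b"\x7fELF constructed su binary\n"),
}

if __name__ == "__main__":
    for kind, path in audit(build_baseline(CLEAN), TAMPERED):
        print(f"{kind}: {path}")
```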

Steps to follow:

  1. Download the zip file (attached in the link).
  2. Extract it on a machine capable of connecting to your Pilot over ADB.
  3. Edit “rootme.sh” (*nix) or “rootme.bat” (Windows) to use the correct IP.
    – Change the “172.16.1.217” lines to the correct IP of your Pilot.
  4. Execute “rootme.sh” (*nix) or “rootme.bat” (Windows).
    – ./rootme.sh should do it on *nix.
    – On Windows, open a command prompt, navigate to the location of “rootme.bat” and type “rootme.bat”.
    – Wait for the output to complete.
  5. Perform a factory reset.
    – Remember: if the exploit functioned correctly, this step should NOT perform any actual factory reset. However, you should fully expect everything to be reset if the exploit failed or some other problem occurred when the replaced factory_reset.sh script was invoked.

After the above process the Pilot reboots. You can then reach a root shell over ADB: open an ADB shell and run ‘su’, which takes you to root. Once you are in this developer mode on your Honda Civic, which behaves like a rooted Android shell, make sure all functions still work properly before you begin installing applications.

Be very careful when executing every step. Extract the zip file into a folder, open that folder in a command prompt and type: OnceClickInstall.bat [YourHeadUnitIP] [APKToInstall.apk]

The script will root your device if it is not already rooted, then perform the steps required to install the APK that is included in the zip from the link above (one reboot is required if the device is already rooted).

Remember: if any issue appears at this stage, stop. It is far easier to avoid damage now than to recover from a bigger failure in a later step.

Update: the scripts now back up the whitelist on each run to /data/local/tmp/whitelist-(timestamp).xml.
Update: the scripts now handle APKs with more than one signature.

Conclusion

Lastly, if you are a beginner, have a look at the GitHub project to get an idea of how the entire process is handled and executed.
