Honda Civics and the Evil Valet

Three years ago, I published my initial work to understand and reverse engineer my car, specifically the headunit of my 2021 Honda Civic. The initial response was incredibly encouraging. I’m writing to give a project update.

Keys to the Kingdom

The biggest progress has been made while mapping out the update process. Honda supports updating the headunit via USB. There are a number of Honda-specific checks, but ultimately the USB drive contains a signed AOSP update file that gets staged and applied via Android recovery.

The good news? They left the publicly-known AOSP test key in res/keys, and, even though they modified the recovery binary, the verify_file signature logic matches stock AOSP. So as long as you can properly format a USB drive and sign the update with the publicly-known AOSP test key, you can install whatever you want on the headunit, without conventional root access (no need for a setuid su binary).
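To make the verification step concrete, here is an added example (my own illustration, not code from the original post, from Honda, or from AOSP) that parses an update zip the way stock AOSP recovery's verify_file does: it reads the six-byte footer that SignApk appends to the zip comment, locates the End Of Central Directory record, pulls out the PKCS#7 signature blob, and hashes the region the signature actually covers. It builds its own small constructed zip to run against; the signature bytes are a stand-in, not a real PKCS#7 blob, and the file names inside the sample are assumptions. Checking the extracted signature against the keys in res/keys is the step that follows, and that is exactly where a leftover test key turns a valid-looking signature into no protection at all.

```python
# Added example (not code from the original post or from Honda/AOSP): parse the
# signature trailer that stock AOSP recovery's verify_file() expects on a USB
# update zip, and build a constructed sample package to run it against.
import hashlib
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
EOCD_HEADER_SIZE = 22  # fixed part of the End Of Central Directory record
FOOTER_SIZE = 6        # [sig_start LE16][0xFF 0xFF][comment_size LE16]


def parse_signed_package(data: bytes) -> dict:
    """Locate the signature block the way stock verify_file() does.

    Returns the signed length, the SHA-256 of the signed region and the raw
    PKCS#7 DER blob; raises ValueError on any layout mismatch. Checking the
    PKCS#7 signature itself against the keys in res/keys is the next step and
    is not done here.
    """
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        raise ValueError("package too short to carry a signature trailer")
    signature_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        raise ValueError("missing 0xFFFF marker: package carries no signature")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if eocd_size > len(data):
        raise ValueError("comment size exceeds package size")
    eocd = data[-eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("EOCD record not where the footer says it is")
    # A second EOCD magic inside the record could make the zip reader and the
    # verifier disagree about where the archive ends, so stock recovery rejects it.
    if EOCD_MAGIC in eocd[4:]:
        raise ValueError("second EOCD marker inside the comment")
    if signature_start <= FOOTER_SIZE or signature_start > eocd_size:
        raise ValueError("signature offset out of range")
    # The signature covers everything up to, but not including, the 2-byte
    # comment-length field; the comment (which holds the signature) is unsigned.
    signed_len = len(data) - eocd_size + EOCD_HEADER_SIZE - 2
    signature_der = data[len(data) - signature_start:len(data) - FOOTER_SIZE]
    return {
        "signed_len": signed_len,
        "sha256": hashlib.sha256(data[:signed_len]).hexdigest(),
        "signature_der": signature_der,
    }


def trailer_error(data: bytes):
    """Return the rejection reason for a package, or None if its trailer parses."""
    try:
        parse_signed_package(data)
        return None
    except ValueError as exc:
        return str(exc)


def build_sample_package(signature_der=None) -> bytes:
    """Build a small constructed zip (not a real Honda update) with a
    SignApk-style trailer. signature_der is a stand-in byte string, not a real
    PKCS#7 blob; None yields an unsigned package. Fixed timestamps keep the
    archive bytes deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("META-INF/com/android/metadata", b"post-build=sample\n"),
                              ("payload.bin", b"\x00" * 64)):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0)), payload)
        if signature_der is not None:
            # comment = readable tag + NUL + signature DER + 6-byte footer
            body = b"signed by SignApk\x00" + signature_der
            comment_size = len(body) + FOOTER_SIZE
            signature_start = len(signature_der) + FOOTER_SIZE
            zf.comment = body + struct.pack("<HHH", signature_start, 0xFFFF, comment_size)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package(b"\x30\x82" + b"\x00" * 30)
    info = parse_signed_package(pkg)
    print(f"signed {info['signed_len']} of {len(pkg)} bytes, sha256={info['sha256']}")
    print("unsigned sample:", trailer_error(build_sample_package()))
```

Two things worth noticing when you run it: the hash of the signed region is identical no matter what bytes sit in the signature slot, because the comment is by design outside the covered range, and a zip without the trailer is rejected before any cryptography happens. Everything the trailer check buys you therefore rests on which public keys recovery is willing to accept for the PKCS#7 step.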

This means that, as long as the headunit has power and an attacker has physical access to the front-most USB port, they have arbitrary code execution on the headunit via the update path. This is an evil maid attack. Since it requires physical access to the cabin of the car rather than to a hotel room, I call it an evil valet attack.

Imagine a journalist drives to a hotel and leaves their car with the valet. The valet, who works for a three-letter agency, installs an update via USB. When the car is returned, the journalist doesn’t know the headunit has been modified. Since I want a cool vulnerability name, I’m calling this “EvilValet”.

Building Tools

Beyond the update process, the most useful work has been on apk-rebuilder. It has one very important job: take in a Honda Civic update file from the Internet, and produce a clean tree of output files that automates everything a reverse engineer would otherwise have to do manually, including:

  • Resolving resources
  • Reconstructing .smali code
  • Repacking APK files
  • Extracting the ramdisk
  • And more

This also serves an important role because we can’t publish actual Honda source code. We publish a function that takes in an update file (which we don’t host) and spits out Honda .smali code, image assets, etc. The resulting output follows a clear directory structure that can be referenced in documentation without actually uploading the sensitive files themselves.

Outstanding Work - A Call for Contributors

There are a few outstanding things that would be nice to have:

  • Known Versions: The update process is fragile and relies heavily on version numbers. If you drive a 10th gen Honda Civic and are tech-savvy, I encourage you to contribute to the “Known Versions, Display Audio Software” section of the repo.
  • Toolchain: I have an experimental/work-in-progress toolchain on my local machine. It makes heavy use of Docker. The current iteration is messy and largely specific to my workflow, but I’d like to publish a clean implementation.
  • Custom Themes: Custom themes are likely difficult to ship because they live in Mitsubishi’s fork of the AOSP framework. Any attempt to ship a custom theme would likely involve surgically editing the vendor framework.
  • Improve aidl-rebuilder: I started working on a tool to parse .smali files and generate/map out all AIDL interfaces on the headunit. This opens up the door for custom apps such as virtual speedometers.