I was interested in understanding what Honda Telematics does under the hood. It runs a very old version of Android, so rooting it was trivial.

I set up mitmproxy on a small Linux machine in transparent mode.

Something like this:

    SSLKEYLOGFILE="$PWD/.mitmproxy/sslkeylogfile.txt" mitmdump --mode transparent -w mitm.out --ssl-insecure

To connect via ADB, you need to do a dance:

Diagnostic Mode:

  • from default menu, hold
    • brightness
    • phone
    • power

Next secret menu:

  • from above:
    • press bottom button then
    • press and hold phone

Next secret menu:

  • from above:
    • press and hold home - takes about ten seconds
  • set USB to device, connect your laptop.
    • nb: you must use a USB-A (male) <-> USB-A (male) cable. I tried several iterations of USB-C <-> USB-A and no go.
    • adb shell am start -a android.intent.action.VIEW -d http://mitm.it
    • after you inject your cert, you need to reboot. You may also need to power cycle the car.

All of this was in service of trying to understand what my vehicle was sending over the air. I installed the CA cert from mitmproxy as a trusted cert and everything worked. What I found was:

  • Once a minute, there is a PUT to: with the VIN.
    • Looking in the logs, I see one of these every sixty seconds:
      • except.txt:2020-05-17 11:30:31.780 13188 13497 E TelemaApp(Common): [MwsKvsVinRequest doInBackground(13497)] org.apache.http.conn.HttpHostConnectException: Connection to refused
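
To check a "once a minute" pattern like this across a whole logcat capture instead of by eye, the sketch below parses lines in the format shown above and reports the median gap between failures per background task. It is an added example, not code from the original post or from Honda's software; the sample lines are constructed, and the host `host.invalid`, the `Scheduler` line and the thread IDs are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the logcat layout quoted in the post:
#   date time pid tid level tag: [Task method(tid)] message
LINE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.+?): "
    r"\[(?P<task>\w+) \w+\(\d+\)\] (?P<msg>.*)")

def parse(lines):
    """Yield (timestamp, task, exception class) for each error-level line."""
    for line in lines:
        m = LINE.search(line)  # search() tolerates a grep "file:" prefix
        if m and m["level"] in "EF":
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["task"], m["msg"].split(":", 1)[0]

def beacon_report(lines, tolerance=2.0):
    """Group failures by (task, exception) and measure how regular they are."""
    seen = defaultdict(list)
    for ts, task, exc in parse(lines):
        seen[(task, exc)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue  # too few events to judge periodicity
        mid = median(gaps)
        report[key] = {"count": len(stamps), "median_gap_s": round(mid, 1),
                       "periodic": all(abs(g - mid) <= tolerance for g in gaps)}
    return report

# Constructed sample: four failed VIN requests about 60 s apart plus one
# unrelated info line. host.invalid is a placeholder, not the real endpoint.
_FMT = ("except.txt:2020-05-17 11:{:02d}:31.{} 13188 {} E TelemaApp(Common): "
        "[MwsKvsVinRequest doInBackground({})] org.apache.http.conn."
        "HttpHostConnectException: Connection to http://host.invalid refused")
_EVENTS = [("780", 13497), ("802", 13520), ("795", 13541), ("811", 13560)]
SAMPLE = [_FMT.format(30 + i, ms, tid, tid) for i, (ms, tid) in enumerate(_EVENTS)]
SAMPLE.append("2020-05-17 11:31:02.100 13188 13188 I TelemaApp(Common): "
              "[Scheduler run(13188)] tick")

if __name__ == "__main__":
    for key, stats in beacon_report(SAMPLE).items():
        print(key, stats)
```
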

Looking through the decompiled applications, this is private static final MWS_KVS_VIN_URL:Ljava/lang/String; = ""; unlikely to be set anywhere else.

Good times! But what about the telematics? I put a copy here with everything redacted. The “Score:” stanza is populated by Honda’s Eco Mode Challenge, which is part of the Honda Navigation option, which I don’t have.

This was a fun exploration. I started looking into dumping stuff from F-CAN and B-CAN, but I found that is really well-explored ground with no possible interesting applications, so I stopped looking into it.