```bash
# Ubuntu build dependencies for CyanogenMod (the package list referred to in section 0x01)
sudo apt-get install bison build-essential curl flex git gnupg gperf libesd0-dev \
  liblz4-tool libncurses5-dev libsdl1.2-dev libwxgtk2.8-dev libxml2 libxml2-utils lzop \
  openjdk-7-jdk openjdk-7-jre pngcrush schedtool squashfs-tools xsltproc zip zlib1g-dev
```
Kali Nethunter is a mobile firmware package for security research. It adds hardware-level capabilities such as “wireless cracking,” “HID attacks,” and “optical drive emulation” to Android devices, along with software tools like Metasploit. Official support currently covers only a few Android phones, but because the Nethunter source code is available it can be rebuilt for other models. This article walks through the porting process using the Oneplus One as the example; the same procedure was also tested successfully on a Samsung i9100g.
0x00 Analysis of Kali Nethunter Architecture
Kali Nethunter can be divided into three main components:
- Customized phone kernel: Modifying the phone kernel is necessary to add the required drivers for using OTG USB network adapters, simulating HID devices, and emulating CD-ROM drives. Without these modifications, Kali Nethunter won’t be able to utilize hardware-related functionalities.
- Chroot environment file system: All of Kali’s ARM-architecture software is packed into a single file system (the rootfs). Using the Linux chroot facility, Android can switch into this Kali file system and mount the kernel-related components (such as /dev, /proc and /sys) into it, so that the corresponding commands can be executed inside the chrooted Kali environment.
- APK mobile app providing the interface: The APK serves as the UI for the available functions; in reality it calls commands inside the chrooted Kali environment to implement them. The app also provides one-click mounting and enabling of the Kali chroot.
Modifying the kernel requires the phone kernel code to be open source. Although the kernel code should be open source according to the GPL license, some domestic phones in China still do not disclose their kernel source code. This is why Kali Nethunter only supports Oneplus, Samsung, and Google Nexus phones.
0x01 Preparing CM 12.1 Source Code and Related Environment
To simplify the process of modifying the kernel, you can directly compile the CyanogenMod 12.1 code, which includes the kernel code for the corresponding models (Oneplus One and Samsung i9100g). Since Kali Nethunter itself uses CM 12.1 ROM, it is recommended to choose a phone supported by CyanogenMod for porting.
You can refer to the official CyanogenMod wiki for compiling instructions for the corresponding models. Here, we will demonstrate the compilation process on Ubuntu using Oneplus and i9100g as examples.
Please note that the build needs at least 100GB of free disk space and at least 4GB of RAM in the virtual machine. Before configuring the environment, it is worth mentioning that there is a simplified way of setting it up (see section 0x02), but following the “official” configuration method is still recommended: CM will release new versions in the future, and the official method gives you access to the latest code.
For example, the official demonstration for Oneplus One is as follows:
Additionally, for a 64-bit system, you will need:
If you encounter missing software packages, you can use “apt-cache search” to check if the package name has changed. After that, add ~/bin to the PATH:
Add it to ~/.profile. Then configure repo. There are two ways to obtain the specific device (Oneplus One) code files. One is to follow the steps mentioned in the CyanogenMod Wiki, and the other is to search on Baidu (from the OnePlus community’s “CyanogenMod12 compilation tutorial”). Please search for the method to obtain the code for your own device.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Local repo manifest: Oneplus One (bacon) device, kernel and vendor trees -->
<manifest>
  <project name="CyanogenMod/android_device_oneplus_bacon" path="device/oneplus/bacon" remote="github" />
  <project name="CyanogenMod/android_device_qcom_common" path="device/qcom/common" remote="github" />
  <project name="CyanogenMod/android_device_oppo_msm8974-common" path="device/oppo/msm8974-common" remote="github" />
  <project name="CyanogenMod/android_device_oppo_common" path="device/oppo/common" remote="github" revision="cm-12.0" />
  <project name="CyanogenMod/android_kernel_oneplus_msm8974" path="kernel/oneplus/msm8974" remote="github" />
  <project name="TheMuppets/proprietary_vendor_oppo" path="vendor/oppo" remote="github" />
  <project name="TheMuppets/proprietary_vendor_oneplus" path="vendor/oneplus" remote="github" />
  <project name="CyanogenMod/android_frameworks_opt_connectivity" path="frameworks/opt/connectivity" remote="github" revision="cm-11.0" />
</manifest>
```
After that, you can start syncing the Android code. Note that the get-prebuilts step is not needed here because we are using CM 12.1; only older versions of CM require it. Then compile (without modifying the kernel yet) from the android/system folder:

```bash
export USE_CCACHE=1
prebuilts/misc/linux-x86/ccache/ccache -M 50G
```
Using CCACHE can speed up the compilation process, but it consumes disk space. For faster speed, it is recommended to set it between 50GB and 100GB, but it is not mandatory. After that, you can start the compilation. “bacon” is the device name. Once the compilation is successful, it will generate cm-12.1-20151127-UNOFFICIAL-bacon.zip, which is the ROM flashable package.
0x02 Simplified CM 12.1 Compilation Environment and Code
All environment configuration issues can be resolved using the Woobuntu system, which already includes the Android compilation environment (including adb). I have packaged the code for you, which is 27GB in size. Simply extract it. The compilation command in Woobuntu is as follows:
```bash
export ARCH=arm
```

To explain briefly: since the owner of the files in the archive is me and not you, some files may have permission problems, so it is recommended to compile with root privileges (a more elegant fix would be chown -R, but changing the ownership of 27GB of code is quite slow). sudo will prompt you for your password. I used only 20GB of CCACHE because my hard drive is small. I tested this myself from a fresh installation of Woobuntu and confirmed that it compiles successfully.
In short, this simplified version only requires you to handle the device-specific code. For the i9100g, for example, you only need to run breakfast i9100g and extract-files as described in the wiki (if you find a simpler method online, so much the better), and then brunch i9100g.
0x03 Modifying the Android Kernel
When modifying the Android kernel, we cross-compile the ARM architecture code. Change into the kernel directory of the device; for the Oneplus One this is ~/android/system/kernel/oneplus/msm8974.

```bash
make cyanogenmod_bacon_defconfig
```
In the arch/arm/configs folder, find the defconfig used by CM and modify it as shown below:
After that, you can run make menuconfig. Follow the instructions on the Nethunter GitHub Wiki to select the required drivers. In my case I only needed the ATH9K chip driver, so I selected Atheros Wireless Cards under Device drivers -> Network device support -> Wireless LAN. If you are using a wireless card with a different chipset, select the corresponding driver.
In the networking support -> Wireless section, select Generic IEEE 802.11 Networking Stack (mac80211).
Since Oneplus already has the OTG driver enabled by default, if you are compiling for a different device, please check if the OTG option under device driver -> USB is selected.
After setting up, save and exit.
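The menuconfig selections above can also be applied and verified from a script, which is handy when rebuilding the kernel for a second device. The following is an added example, not code from the article or the Nethunter project: the CONFIG_* symbols are the kernel's Kconfig names for the menuconfig entries the article selects (mac80211 stack, Atheros ATH9K, USB OTG), the defconfig path comes from the article, and the list of options is this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the Nethunter project): enable the
# options the article picks in menuconfig directly in the CM defconfig, then
# verify they are built in. The option list below is this example's own.
set -eu

# menuconfig choices from the article, as Kconfig symbols
NETHUNTER_OPTS="MAC80211 ATH9K USB_OTG"

# Set CONFIG_<opt>=y in a config file: rewrite a "# CONFIG_X is not set" or
# "CONFIG_X=m" line in place, otherwise append the option at the end.
enable_option() {
    cfg=$1 opt=$2
    if grep -Eq "^(# )?CONFIG_${opt}( is not set|=.*)$" "$cfg"; then
        sed -E -i "s/^(# )?CONFIG_${opt}( is not set|=.*)$/CONFIG_${opt}=y/" "$cfg"
    else
        printf 'CONFIG_%s=y\n' "$opt" >> "$cfg"
    fi
}

# Return 0 only if every required option is built in (=y); list any that are
# not. Works on a defconfig and on the generated .config alike.
check_options() {
    cfg=$1 missing=""
    for opt in $NETHUNTER_OPTS; do
        grep -q "^CONFIG_${opt}=y$" "$cfg" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "not enabled:$missing" >&2
        return 1
    fi
}

# Enable everything in one go and confirm the result.
enable_all() {
    for opt in $NETHUNTER_OPTS; do
        enable_option "$1" "$opt"
    done
    check_options "$1"
}

# Typical use on the article's tree (as an example; not run here):
#   enable_all arch/arm/configs/cyanogenmod_bacon_defconfig
```

Run check_options against the generated .config after make cyanogenmod_bacon_defconfig as well: Kconfig silently drops a symbol whose dependencies are unmet, so an option that is =y in the defconfig can still be missing from the kernel you actually build.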
```bash
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
```
If you are trying this for the first time, you can recompile CM to check for any errors. Then we can start patching the kernel.
Find the patch for your kernel version inside that folder; in this case it is the one for the 3.4 kernel. Expect this patch to fail to apply cleanly, because the kernel code has moved on since the patch was written. This is not a problem: the rejected hunks can be applied by hand.

```bash
mkdir ~/arm-stuff
cd ~/arm-stuff
git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7
# note: this PATH assumes you are running as root, so that ~ is /root
export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin
git clone https://github.com/offensive-security/kali-nethunter
cd ~/arm-stuff/kali-nethunter
./build-deps.sh
./androidmenu.sh
```

As you can see, the patch fails at the third and fourth hunks in android.c, so we apply those by hand. In the screenshot, the left side shows the patch and the right side the current android.c. The hunk adds &hidfunction below &uaspfunction; locate the position of the fourth hunk and add the code in the same way.
After that, recompile CM, and the generated flashable package will be the CM 12.1 with the highly customized kernel for Nethunter.
For the i9100g the build succeeds, but for the Oneplus it fails with an error in the USB driver. Looking at the reported location in the code, a structure and a function are used without being defined. In this case I simply deleted the code that calls the function; after testing, this did not affect the normal operation of the phone or the stability of the Nethunter functions.
0x04 Compiling Kali Nethunter Rootfs
Detailed instructions for compiling Kali Nethunter can be found on the Kali Nethunter GitHub page. It is strongly recommended to compile Nethunter within Kali.
During compilation, choose to compile only the rootfs (since we will handle the kernel ourselves).
0x05 Flashing and Testing
If you are not familiar with flashing, please search for how to flash a ROM, such as unlocking the bootloader and installing TWRP.
The flashing sequence is as follows: flash CyanogenMod first, then flash Kali Nethunter rootfs.
The image below shows the HID attack test on i9100g.
Check the functionalities:
- Check if DriveDroid can emulate a USB optical drive.
- Check if UsbKeyboard can simulate mouse and keyboard devices.
- Connect an OTG and USB wireless network adapter to see if Wifite can crack wireless passwords.
0x06 Possible Issues
When porting to the Samsung i9100g phone, the flashing process failed repeatedly due to insufficient storage space on the phone (Kali Nethunter requires at least 2GB of available space). After identifying the issue, an alternative method was used to load the Kali Nethunter rootfs. First, compile the Kali Nethunter rootfs, then create an img disk image file and place it on the SD card. Mount it dynamically to /data/local/kali-armhf. This resolves the issue of insufficient storage space.
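The SD-card image approach described above, as an added example that is not part of the original article or the Nethunter project. It builds a loop-mountable ext4 image from the compiled rootfs on the build host and mounts it on the phone at /data/local/kali-armhf; the rootfs tarball name and the SD-card path are placeholders, the 2GB minimum is the article's figure, the 20% headroom is this example's choice, and the phone-side mount assumes a busybox binary, as a Nethunter install provides.

```shell
#!/bin/sh
# Added example (not from the article or the Nethunter project): keep the
# Nethunter rootfs in an ext4 image on the SD card and loop-mount it at
# /data/local/kali-armhf, so a phone with little internal storage (the
# i9100g case) can still run the chroot. Paths below are placeholders.
set -eu

MIN_IMAGE_MB=2048   # article: Nethunter needs at least 2GB of free space

# Image size in MB for an unpacked rootfs of rootfs_mb megabytes: add 20%
# headroom for apt caches and logs, but never go below the 2GB minimum.
image_size_mb() {
    rootfs_mb=$1
    with_headroom=$(( rootfs_mb + rootfs_mb / 5 ))
    if [ "$with_headroom" -lt "$MIN_IMAGE_MB" ]; then
        echo "$MIN_IMAGE_MB"
    else
        echo "$with_headroom"
    fi
}

# On the build host (as root): create a sparse ext4 image and unpack the
# rootfs tarball into it, preserving ownership and permissions (-p).
make_rootfs_image() {
    tarball=$1 image=$2 size_mb=$3
    dd if=/dev/zero of="$image" bs=1M count=0 seek="$size_mb"
    mkfs.ext4 -F -L kali-armhf "$image"
    mnt=$(mktemp -d)
    mount -o loop "$image" "$mnt"
    tar -xpf "$tarball" -C "$mnt"
    umount "$mnt"
    rmdir "$mnt"
}

# On the phone (root shell via adb): loop-mount the image from the SD card at
# the path the Nethunter app expects, then confirm the chroot is usable.
mount_on_phone() {
    image=${1:-/sdcard/kali-armhf.img}   # assumed location of the image
    mkdir -p /data/local/kali-armhf
    busybox mount -o loop -t ext4 "$image" /data/local/kali-armhf
    [ -x /data/local/kali-armhf/bin/bash ]   # the chroot must have a shell
}

# Example (not run here): make_rootfs_image kalifs.tar.xz kali-armhf.img "$(image_size_mb 1500)"
```

Because the image lives on the SD card, it must be mounted again after every reboot before the app's chroot is started.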
If there are errors during kernel compilation, build only the kernel while debugging. The toolchains are available in the prebuilts folder, and you can set the CROSS_COMPILE variable yourself (removing unnecessary drivers usually resolves most of the errors).
0x07 Conclusion
Now, you can start exploring Nethunter, such as porting the entire WooyunWifi to your phone and implementing offline phishing functionalities. However, these are tasks to be done after compiling Nethunter.
End image: WooyunWifi on a phone, with a hotspot enabled for phishing.