
Installing Kali Nethunter on a Oneplus 6T

June 12, 2024

Background

I've wanted to get into the world of Android penetration testing for a while now. Having a OnePlus 6T lying around collecting dust, all the pieces finally aligned. Going into this I had moderate knowledge of rooting Android devices and the tools that go with it, such as TWRP and ADB. I thought the installation would be long but straightforward; a mountain of hurdles was waiting just around the corner.

Disabling Encryption

Running NetHunter requires an unencrypted /data partition, so the first step is to disable Android's forced encryption. My device was previously rooted, so the bootloader was already unlocked. However, I did not have TWRP, a custom recovery, installed.

To fix this, I enabled USB debugging in Developer Options (unlocked by tapping the build number in Settings > About phone seven times), and rebooted into the bootloader (fastboot mode, not recovery) by running adb -d reboot bootloader with the phone connected. After downloading the latest TWRP image, I ran fastboot boot twrp.img, which boots the image once without flashing it, and...

Image Credit: gadgetstouse.com

A lovely crash screen. After scouring the web it turned out that the official TWRP build did not work with the OnePlus 6T on OxygenOS 11. I miraculously found a modified build that did, thanks to a Reddit thread from two years ago. The command worked this time and the device booted into TWRP, where I flashed the latest permanent installer zip, which strangely works even though the temporary boot image does not.

I then flashed the disable dm-verity / force-encrypt zip. Despite the name people give it, dm-verity itself is Android's verified-boot integrity check; it is the force-encrypt half of the zip that patches the fstab so /data is no longer encrypted automatically. But as you might expect with my luck, the installer lets you select options with the volume keys. Turns out my volume up key is broken, and the disable disk encryption option requires it! This led to a quick interlude in which I opened the zip and edited utils_functions.sh to remove that sneaky prompt. Finally, after a quick wipe of /data (existing encrypted data cannot be converted in place; formatting the partition is what actually removes the encryption), the device was unencrypted.

Are we done yet?

Installing Nethunter

Another detour to recovery and a flashed Magisk zip later, we had a rooted device. This was a refreshing change from all the debugging. I installed the NetHunter zip as a module inside the Magisk app, rebooted, and was greeted with a shiny new wallpaper.

Image

To access all of NetHunter's functionality you also need a custom kernel built with the drivers and options it relies on (the USB HID gadget used for keyboard-emulation attacks, wireless drivers with monitor mode and packet injection, and so on). You can compile your own with the tools in this GitHub repository, but having run into issues with it, I went with a pre-compiled kernel built for my specific device. You can find it here. I flashed it like all the previous modules. Flashing someone else's kernel means trusting that builder with everything on the phone, so check the source repository and build date before relying on it.

The final step takes place inside the NetHunter app, where the Kali chroot (the kalifs tarball) must be installed before you can actually do anything. For some reason it was not extracting the tar.xz file for me automatically, so I did it manually inside Termux as root by running:

su                                      # Termux needs root to write under /data
mv /sdcard/kalifs-arm64-full.tar.xz /data/local/nhsystem/
cd /data/local/nhsystem/
xz -d kalifs-arm64-full.tar.xz          # leaves kalifs-arm64-full.tar
tar xvf kalifs-arm64-full.tar           # unpack the Kali root filesystem

And voilà, a working Nethunter install!
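The steps above change three things on the phone (bootloader state, /data encryption, root) and it is easy to lose track of which ones actually took. The script below is an added example, not from the original post: it reads a getprop dump (constructed samples are embedded so it runs offline), reports whether the device is in the state the procedure expects, and has a small wrapper that runs the same checks against a real phone over adb. It assumes adb is on PATH with one device attached and that Magisk's su is installed; the property names are standard Android keys.

```shell
#!/bin/sh
# nh_postcheck.sh: post-install sanity check for a NetHunter phone.
# Added example, not from the original post. Assumes `adb` on PATH with a
# single attached device and Magisk `su` for the live root check.

# Pull one value out of a getprop dump ("[key]: [value]" per line).
prop_value() {
    dump="$1"; key="$2"
    printf '%s\n' "$dump" | sed -n "s/^\[$key\]: \[\(.*\)\]$/\1/p" | head -n 1
}

# Check the states the install procedure depends on. Prints one line per
# finding and returns 0 only when every expectation holds.
check_props() {
    dump="$1"; rc=0
    crypto=$(prop_value "$dump" ro.crypto.state)
    locked=$(prop_value "$dump" ro.boot.flash.locked)
    vb=$(prop_value "$dump" ro.boot.verifiedbootstate)

    case "$crypto" in
        unencrypted) echo "ok   /data is unencrypted (ro.crypto.state=$crypto)" ;;
        encrypted)   echo "FAIL /data still encrypted: redo the force-encrypt zip and format /data"; rc=1 ;;
        *)           echo "FAIL ro.crypto.state unknown: '$crypto'"; rc=1 ;;
    esac
    case "$locked" in
        0) echo "ok   bootloader unlocked (ro.boot.flash.locked=0)" ;;
        *) echo "FAIL bootloader reports locked: '$locked'"; rc=1 ;;
    esac
    # orange = unlocked bootloader; green = locked and stock-verified.
    case "$vb" in
        orange) echo "ok   verified boot state orange (unlocked, custom images allowed)" ;;
        green)  echo "FAIL verifiedbootstate=green: stock verified boot still enforced"; rc=1 ;;
        *)      echo "warn verifiedbootstate='$vb'" ;;
    esac
    return $rc
}

# Same checks against the attached phone, plus a root check through su.
# Compare the kernel string with `uname -r` taken before flashing to confirm
# the custom kernel is the one actually running.
live_check() {
    check_props "$(adb shell getprop)" || return 1
    adb shell 'su -c id' | grep -q 'uid=0' || { echo "FAIL su did not yield uid=0"; return 1; }
    echo "kernel: $(adb shell uname -r)"
}

# Constructed sample dumps (not captured from a real device).
SAMPLE_OK="[ro.crypto.state]: [unencrypted]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]"
SAMPLE_BAD="[ro.crypto.state]: [encrypted]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]"

if [ "${1:-}" = live ]; then
    live_check
else
    echo "== constructed good dump =="; check_props "$SAMPLE_OK"
    echo "== constructed bad dump ==";  check_props "$SAMPLE_BAD" || echo "(expected: bad dump fails)"
fi
```

Run it with no arguments to see the two constructed cases, or with `live` to check the phone; a non-zero exit from the live run means one of the earlier steps needs redoing before the chroot is worth installing.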

Image

What's next?

I'm excited about the possibilities Nethunter offers and particularly interested in HID attacks. Ducky script is the next stop on the list.

Thank you for reading!