Building NetHunter from scratch for an officially supported device, by hand
阿新 • Published: 2020-09-02

Kali's official NetHunter phone recommendations

Category | Phone model | Device ID | OS | Based on Android version
Preferred high-end device | OnePlus 7/7T | (not given) | OxygenOS | Android 10 stable
Preferred mid-range device | Xiaomi Mi 9T | davinci | MIUI 11 | Android 10 stable
Preferred low-end device | Nexus 6P | angler | stock Android | Android Oreo stable
Preferred tablet | Galaxy Tab S4 LTE | gts4llte | (not given) | Android Oreo stable

This chapter follows the Kali official documentation tutorial: https://www.cnblogs.com/GKLBB/p/13585710.html

"Building from scratch" means taking the kernel source the vendor released for the device, applying the NetHunter patches, and compiling it, so that the resulting NetHunter system supports external devices and the special features.
An "officially supported device" is one that the Kali build scripts already include. Building for a device that is not included is covered in the next chapter.
The "device ID" is the development codename that corresponds to a phone model; every model has exactly one.
Let me stress this once more: Kali NetHunter is not a ROM. It is a subsystem (or lightweight virtual machine) that sits on top of a ROM. You provide the ROM yourself, and it must be the same system the official build targets, normally stock Android or a third-party open-source ROM such as LineageOS.
This time we build for the Nexus 6P. The overall flow is download, configure, compile, flash. One more reminder: the Kali source lives on GitLab, which is behind the Great Firewall, so be prepared to work around that.

1. Download, configure, compile
Download two things: the build scripts (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project), about 70 MB, and the device patches (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-devices), about 2 GB. How to download:

root@kali:~# git clone https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project.git
root@kali:~# cd kali-nethunter-project/nethunter-installer

Configure:

root@kali:~# ./bootstrap.sh

This step asks a few questions; ignore them and keep pressing Enter. It then downloads the device patch repository (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-devices) and places it in the current directory under the name devices. Check that you now have that directory.

root@kali:~# python build.py -h

Important: in the output of python build.py -h, find the ID of the device you want to build and the Android version that goes with it. How do you know which version? Open the device.cfg file inside the devices directory created in the previous step; it lists each device ID together with its Android version. Note it down. If your device ID has no matching Android version, the command below will not work.

Compile:

root@kali:~# python build.py -d angler -su -o --rootfs full

Adjust this command for the device you want to build: -d angler is the device ID of the Nexus 6P, -o selects the matching Android version (Oreo), and --rootfs full selects the full Kali chroot.
This step downloads more files, so mind the firewall again.
When it finishes you will find a zip in the current directory named something like update-nethunter-20200902_012622-angler-oreo-kalifs-full.zip. This is the flashing file we want; flash it as it is.
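Before flashing a freshly generated zip, it is worth confirming that it actually contains the pieces the installer script expects. The check below is an added example and is not part of this post or of the NetHunter project: it reads a zip listing (one entry per line, as printed by unzip -Z1) and reports the required entries that are absent. The required entry names are taken from what the update-binary script analysed in section 3 opens itself (env.sh, the tools/ helpers, the data/app/*.apk files); treating the chroot archive as a root-level kalifs-* entry is an assumption based on the installer's exclude pattern.

```sh
#!/bin/sh
# Pre-flash sanity check for a NetHunter installer zip.
# Added example, not part of the original post or of the NetHunter project.
# The entry list is taken from the paths the update-binary script uses itself;
# placing the kalifs-* chroot archive at the zip root is an assumption.

REQUIRED_ENTRIES='META-INF/com/google/android/update-binary
env.sh
tools/busybox
tools/previnstall.sh
tools/installbusybox.sh
tools/installchroot.sh
data/app/NetHunter.apk
data/app/NetHunterTerminal.apk
data/app/NetHunterKeX.apk
data/app/NetHunterStore.apk
data/app/NetHunterStorePrivilegedExtension.apk'

# missing_entries: reads a zip listing (one entry path per line, e.g. the output
# of `unzip -Z1 file.zip`) on stdin and prints every required entry that is absent.
missing_entries() {
    listing=$(cat)
    for req in $REQUIRED_ENTRIES; do
        # -x: whole-line match, -F: literal string, so "env.sh" does not match "envXsh"
        printf '%s\n' "$listing" | grep -qxF -- "$req" || echo "$req"
    done
    # The chroot archive name varies per build (kalifs-full-arm64.tar.xz etc.),
    # so only the prefix that the installer's own exclude pattern uses is checked.
    printf '%s\n' "$listing" | grep -q '^kalifs-' || echo "kalifs-* (chroot archive)"
}

# check_nethunter_zip: lists a real zip file and returns 0 only when nothing is missing.
check_nethunter_zip() {
    zipfile=$1
    [ -f "$zipfile" ] || { echo "no such file: $zipfile" >&2; return 2; }
    missing=$(unzip -Z1 "$zipfile" | missing_entries)
    if [ -n "$missing" ]; then
        echo "$zipfile is missing required entries:"
        printf '%s\n' "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "$zipfile looks complete"
    return 0
}

# Usage: check_nethunter_zip update-nethunter-20200902_012622-angler-oreo-kalifs-full.zip
```

Run check_nethunter_zip against the zip produced by build.py; a non-zero exit means the archive is incomplete and should not be flashed.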
2. Flashing
There are plenty of tutorials for this online: just flash the zip in TWRP. Search Baidu for the details.

3. Analysis
Below is a brief walk-through of the zip's contents and of its install script; skip it if you are not interested.
I compared it with the installer zip compiled by Offensive Security, and the contents are identical.
Let me go through the directory structure.
After unzipping, the core install script lives at META-INF\com\google\android\update-binary inside the archive:
#!/sbin/sh
# Kali NetHunter installer

## start build generated variables
supersu=
## end build generated variables

if [ "$3" ]; then
    zip=$3
    console=/proc/$$/fd/$2
    # Write the console buffer location to /tmp/console so other scripts can use it
    echo "$console" > /tmp/console
else
    console=$(cat /tmp/console)
    [ "$console" ] || console=/proc/$$/fd/1
fi

# tmp is the Android temporary directory
tmp=/tmp/nethunter
# patchtmp is where the kernel patch files live
patchtmp=$tmp/boot-patcher
export home=$patchtmp
sutmp=/tmp/supersu

# Progress bar helper
progress() {
    echo "set_progress $1" > "$console"
}

# Print helper
print() {
    echo "ui_print ${1:- }" > "$console"
    echo
}

# Abort helper: print the error, clean up and exit
abort() {
    [ "$1" ] && {
        print "Error: $1"
        print "Aborting..."
    }
    cleanup
    print "Failed to install Kali NetHunter!"
    exit 1
}

# Cleanup helper
cleanup() {
    print "Cleaning up..."
    rm ${SYSTEM}/.rw
    rm /data/.rw
    /sbin/umount -f /system 2>/dev/null
    /sbin/umount -f /system_root 2>/dev/null
    [ "$zip" ] && rm /tmp/console
}

# Install helper: $1 path inside the zip, $2 directory mode, $3 file mode, $4 optional destination
install() {
    setperm "$2" "$3" "$tmp$1"
    if [ "$4" ]; then
        cp -r "$tmp$1" "$(dirname "$4")/"
        return
    fi
    cp -r "$tmp$1" "$(dirname "$1")/"
}

# installapp "App Name" "appfile.apk" "play.store.package.name"
# App install helper: $1 app name, $2 apk file, $3 package name.
# If the app already appears in the Play Store database it is not installed again.
installapp() {
    installto=/data/app/
    if [ "$3" ]; then
        for appdir in "/data/app/$3-"*; do
            [ -d "$appdir" ] || continue
            echo "Found app directory: $appdir"
            if [ ! -f /data/data/com.android.vending/databases/localappstate.db ]; then
                echo "Could not find Play Store app database!"
            # this should also catch paid/alternative versions if they are suffixed
            elif strings /data/data/com.android.vending/databases/localappstate.db | grep -q "^$3"; then
                rm -f "/data/app/$2"
                print "- Found Play Store installed $1"
                return 0
            fi
            rm -f "/data/app/$2"
            installto=$appdir/base.apk
            break
        done
    fi
    echo "Installing $1 to $installto"
    print "- Installing $1"
    cp -f "$tmp/data/app/$2" "$installto" && return 0
    print "- Failed to install $1!" && return 1
}

# Extract helper: $1 zip, $2 destination, $3 pattern to exclude
extract() {
    rm -rf "$2"
    mkdir -p "$2"
    unzip -o "$1" -d "$2" -x "$3" ||
        abort "Unable to extract! The zip may be corrupt or your device may not have enough RAM to proceed. Consider using a smaller installer if it is available."
}

# Permission helper: $1 directory mode, $2 file mode, $3 path
setperm() {
    find "$3" -type d -exec chmod "$1" {} \;
    find "$3" -type f -exec chmod "$2" {} \;
}

# Symlink helper
symlink() {
    rm "$2"
    ln -s "$1" "$2"
}

# Mount helper: mount $1 read-write, remounting if the first attempt is read-only
mount() {
    mountpoint -q "$1" || /sbin/busybox mount -o rw "$1" || abort "Unable to mount $1 as rw!"
    >> "$1/.rw" && return || /sbin/busybox mount -o remount,rw "$1"
    >> "$1/.rw" && return || abort "Unable to write to $1!"
}

print "##################################################"
print "## ##"
print "## 88 a8P db 88 88 ##"
print "## 88 .88' d88b 88 88 ##"
print "## 88 88' d8''8b 88 88 ##"
print "## 88 d88 d8' '8b 88 88 ##"
print "## 8888'88. d8YaaaaY8b 88 88 ##"
print "## 88P Y8b d8''''''''8b 88 88 ##"
print "## 88 '88. d8' '8b 88 88 ##"
print "## 88 Y8b d8' '8b 888888888 88 ##"
print "## ##"
print "#### ############# NetHunter ####################"

# Unpack the zip
[ "$zip" ] && {
    print "Unpacking the installer..."
    extract "$zip" "$tmp" "kalifs-*"
}

cd "$tmp"
. ./env.sh

progress 0.0
print "Starting the install process"

# Mount the system partition
mount /data

SYSTEM="/system"
# Modern devices use ${SYSTEM} as root ("/")
# Newer Android devices use the system partition as the / filesystem, see https://source.android.google.cn/devices/bootloader/system-as-root?hl=zh-tw
system_as_root=`getprop ro.build.system_root_image`
if [ "$system_as_root" == "true" ]; then
    print "[system as root] = $system_as_root"
    [ -L /system_root ] && rm -f /system_root
    mkdir /system_root 2>/dev/null
    /sbin/umount -f /system 2>/dev/null
    /sbin/mount /system
    if [ $? -eq 0 ]; then
        ## system is in fstab
        print "[/system] is in fstab, mounting"
        /sbin/mount --move /system /system_root
        /sbin/mount -o bind /system_root/system /system
    else
        ## system is not in fstab, let's mount it manually
        print "[/system] is not in fstab, mounting manually"
        /sbin/umount -f /system_root
        test -e /dev/block/bootdevice/by-name/system || local slot=$(getprop ro.boot.slot_suffix 2>/dev/null)
        /sbin/mount -o rw -t auto /dev/block/bootdevice/by-name/system$slot /system_root
        /sbin/mount -o bind /system_root/system /system
    fi
    [ ! -w /system_root ] && {
        abort "無法掛載系統分割槽讀/寫。 請手動解除安裝“ / system”,然後重試"
    }
elif [ "$ANDROID_ROOT" == "/system_root" ]; then
    print "[ANDROID_ROOT] = $ANDROID_ROOT"
    /sbin/mount -o remount,rw /system_root
    /sbin/mount -o bind /system_root/system /system
else
    mount /system
fi

progress 0.1

# Check the data partition
[ -d /data/data ] || {
    abort "您的資料分割槽似乎為空。 在安裝Kali NetHunter之前,請先完成Android安裝嚮導!"
}

setperm 0755 0755 tools

# In case some command-line tools are missing during the install, install the busybox applets to /sbin
print "Installing busybox applets to /sbin"
cp tools/busybox /sbin/busybox_nh
/sbin/busybox_nh --install /sbin

# Check for previous NetHunter versions
print "Checking for previous versions of NetHunter"
sh tools/previnstall.sh

progress 0.2

# Install root (SuperSU)
[ -f supersu.zip ] && {
    print "Extracting SuperSU zip..."
    extract supersu.zip "$sutmp"
    progress 0.3
    sh tools/installsu.sh "$sutmp" "$supersu"
}

progress 0.4

SDK="$(grep 'ro.build.version.sdk' ${SYSTEM}/build.prop | cut -d'=' -f2)"
print "SDK Version: $SDK"

# Install the five apks
print "Installing apps:"
if [ $SDK -ge 26 ]; then
    # From SDK 26 (Oreo) onwards we can no longer install user apps this way, so NetHunter.apk is installed as a system app
    # Install the main NetHunter apk
    print "- Installing NetHunter.apk"
    mkdir -p ${SYSTEM}/app/NetHunter
    # Copy the file from the zip's temporary directory into the system partition
    cp $tmp/data/app/NetHunter.apk ${SYSTEM}/app/NetHunter/
    # Also install NetHunterTerminal.apk, because NetHunter.apk depends on it
    # Install the NetHunter terminal apk
    print "- Installing NetHunterTerminal.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-Terminal
    cp $tmp/data/app/NetHunterTerminal.apk ${SYSTEM}/app/NetHunter-Terminal/
    # Extract the apk's lib directory next to the apk
    unzip -qo ${SYSTEM}/app/NetHunter-Terminal/NetHunterTerminal.apk "lib/*" -d ${SYSTEM}/app/NetHunter-Terminal/
    ## Some newer TWRP versions ship an unzip that cannot extract selected entries as above, so we may need plan B
    # Plan B: extract the whole apk into a temporary directory, then move its lib directory into the system partition
    [ -d ${SYSTEM}/app/NetHunter-Terminal/lib ] || {
        mkdir -p /tmp/NetHunter-Terminal/
        unzip -qo ${SYSTEM}/app/NetHunter-Terminal/NetHunterTerminal.apk -d /tmp/NetHunter-Terminal/
        mv /tmp/NetHunter-Terminal/lib ${SYSTEM}/app/NetHunter-Terminal/
    }
    # Rename the library directories to the names the system app loader expects
    mv ${SYSTEM}/app/NetHunter-Terminal/lib/armeabi-v7a ${SYSTEM}/app/NetHunter-Terminal/lib/arm
    mv ${SYSTEM}/app/NetHunter-Terminal/lib/arm64-v8a ${SYSTEM}/app/NetHunter-Terminal/lib/arm64
    # Install the NetHunter remote desktop client (KeX) apk, which NetHunter.apk also depends on
    print "- Installing NetHunter-KeX.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-KeX
    cp $tmp/data/app/NetHunterKeX.apk ${SYSTEM}/app/NetHunter-KeX/
    unzip -qo ${SYSTEM}/app/NetHunter-KeX/NetHunterKeX.apk "lib/*" -d ${SYSTEM}/app/NetHunter-KeX/
    ## Some newer TWRP versions ship an unzip that does not support the above line so we might need plan B
    [ -d ${SYSTEM}/app/NetHunter-KeX/lib ] || {
        mkdir -p /tmp/NetHunter-KeX/
        unzip -qo ${SYSTEM}/app/NetHunter-KeX/NetHunterKeX.apk -d /tmp/NetHunter-KeX/
        mv /tmp/NetHunter-KeX/lib ${SYSTEM}/app/NetHunter-KeX/
    }
    mv ${SYSTEM}/app/NetHunter-KeX/lib/armeabi-v7a ${SYSTEM}/app/NetHunter-KeX/lib/arm
    mv ${SYSTEM}/app/NetHunter-KeX/lib/arm64-v8a ${SYSTEM}/app/NetHunter-KeX/lib/arm64
    # Install the NetHunter store apk
    print "- Installing NetHunter-Store.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-Store
    cp $tmp/data/app/NetHunterStore.apk ${SYSTEM}/app/NetHunter-Store/
else
    # Below Oreo, install them as user apps
    installapp "NetHunter App" "NetHunter.apk" "com.offsec.nethunter"
    installapp "NetHunter Terminal" "NetHunterTerminal.apk" "com.offsec.nhterm"
    installapp "NetHunter KeX" "NetHunterKeX.apk" "com.offsec.nethunter.kex"
    installapp "NetHunter Store" "NetHunterStore.apk" "com.offsec.nethunter.store"
fi

## Install the privileged extension apk
print "- Installing NetHunterStorePrivilegedExtension.apk"
mkdir -p ${SYSTEM}/priv-app/NetHunterStorePrivilegedExtension
cp $tmp/data/app/NetHunterStorePrivilegedExtension.apk ${SYSTEM}/priv-app/NetHunterStorePrivilegedExtension/
if [ $SDK -ge 26 ]
then
    mkdir ${SYSTEM}/etc/permissions
    chmod 755 ${SYSTEM}/etc/permissions
    [ -f system/etc/permissions/com.offsec.nethunter.store.privileged.xml ] && {
        install "/system/etc/permissions/com.offsec.nethunter.store.privileged.xml" 0755 0644 "${SYSTEM}/etc/permissions/com.offsec.nethunter.store.privileged.xml"
    }
fi
print "Done installing apps"

progress 0.5

# Check free space on the system partition
[ -f tools/freespace.sh ] && {
    # This actually runs twice when the NetHunter kernel zip is included
    print "Freeing up some space on ${SYSTEM}"
    sh tools/freespace.sh ||
        abort "Not enough free space on ${SYSTEM} to continue!"
}

# Install the busybox toolbox
print "Running busybox installer..."
sh tools/installbusybox.sh

progress 0.6

# Install the desktop wallpaper
[ -d wallpaper ] && {
    print "Installing NetHunter wallpaper"
    sh wallpaper/setwallpaper.sh
}

# Copy the boot animation
[ -f system/media/bootanimation.zip ] && {
    print "Installing NetHunter boot animation"
    install "/system/media/bootanimation.zip" 0755 0644 "${SYSTEM}/media/bootanimation.zip"
}

progress 0.7

# Copy the nano syntax highlighting files into ${SYSTEM}
[ -d system/etc/nano ] && {
    print "Copying nano highlights to ${SYSTEM}/etc/nano"
    install "/system/etc/nano" 0755 0644 "${SYSTEM}/etc/nano"
}

# Copy the terminal terminfo files into Android
[ -d system/etc/terminfo ] && {
    print "Copying terminfo files to ${SYSTEM}/etc/terminfo"
    install "/system/etc/terminfo" 0755 0644 "${SYSTEM}/etc/terminfo"
}

# Copy the 32-bit shared libraries into Android
[ -d system/lib ] && {
    print "Copying 32-bit shared libraries to ${SYSTEM}/lib"
    install "/system/lib" 0755 0644 "${SYSTEM}/lib"
}

# Copy the 64-bit shared libraries into Android
[ -d system/lib64 ] && {
    print "Copying 64-bit shared libraries to ${SYSTEM}/lib64"
    install "/system/lib64" 0755 0644 "${SYSTEM}/lib64"
}

# Copy executables into /system/bin
[ -d system/bin ] && {
    print "Installing ${SYSTEM}/bin binaries"
    install "/system/bin" 0755 0755 "${SYSTEM}/bin"
}

# Copy executables into /system/xbin
[ -d system/xbin ] && {
    print "Installing ${SYSTEM}/xbin binaries"
    install "/system/xbin" 0755 0755 "${SYSTEM}/xbin"
}

[ -d data/local ] && {
    print "Copying additional files to /data/local"
    install "/data/local" 0755 0644
}

[ -d system/etc/init.d ] && {
    print "Installing init.d scripts"
    install "/system/etc/init.d" 0755 0755 "${SYSTEM}/etc/init.d"
    # Create userinit.d and userinit.sh if they don't already exist
    mkdir -p "/data/local/userinit.d"
    setperm 0755 0755 "/data/local/userinit.d"
    [ -f "/data/local/userinit.sh" ] || echo "#!/system/bin/sh" > "/data/local/userinit.sh"
    chmod 0755 "/data/local/userinit.sh"
}

# The backup script is a file under system/addon.d, so test for a file and install it under addon.d
[ -f system/addon.d/80-nethunter.sh ] && {
    print "Installing ${SYSTEM}/addon.d backup scripts"
    install "/system/addon.d/80-nethunter.sh" 0755 0755 "${SYSTEM}/addon.d/80-nethunter.sh"
}

# Symlink the scripts shipped inside the NetHunter apk into the system partition so they can be called directly; symlink is the helper defined above
print "Symlinking Kali boot scripts"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali" "${SYSTEM}/bin/bootkali"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_init" "${SYSTEM}/bin/bootkali_init"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_login" "${SYSTEM}/bin/bootkali_login"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_bash" "${SYSTEM}/bin/bootkali_bash"
symlink "/data/data/com.offsec.nethunter/files/scripts/killkali" "${SYSTEM}/bin/killkali"

progress 0.8

# Install the kernel patch by running its own update-binary script from the default path
[ -d "$patchtmp" ] && {
    print "Running kernel installer..."
    sh "$patchtmp/META-INF/com/google/android/update-binary"
    mount /data
}

# Progress bar to 90%
progress 0.9

# Install the Kali system by running installchroot.sh; $zip carries the chroot archive
print "Running Kali chroot installer..."
sh tools/installchroot.sh "$zip"

cleanup

print "************************************************"
print "* Kali NetHunter is now installed! *"
print "* Don't forget to start the NetHunter app *"
print "* to finish setting everything up! *"
print "************************************************"

progress 1.0
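The installer above writes NetHunter packages into /system/app and /system/priv-app, drops a privileged-permission whitelist, and symlinks scripts that live in an app's private data directory (/data/data/com.offsec.nethunter/files/scripts) into /system/bin, where they run with full privileges. Anyone reviewing a device, or a system image mounted on a workstation, will want to enumerate exactly those changes. The audit below is an added example and is not part of this post or of the NetHunter project; it takes the root of the filesystem to inspect as its argument (assumed to be "/" on the device, or the mount point of a system image on a PC, with the system partition at $1/system) and lists each of those artefacts.

```sh
#!/bin/sh
# Post-install audit of the changes the NetHunter update-binary makes.
# Added example, not part of the original post or of the NetHunter project.
# $1 is the filesystem root to inspect: "/" on the device, or the mount point of
# a system image on a workstation (assumption: the system partition is at $1/system).

# Symlinks under /system/bin whose target lies in /data. The installer creates
# these for bootkali, bootkali_init, bootkali_login, bootkali_bash and killkali;
# any other entry here that points into /data deserves a closer look.
list_data_symlinks() {
    bindir="${1:-/}/system/bin"
    [ -d "$bindir" ] || return 0
    for f in "$bindir"/*; do
        [ -L "$f" ] || continue          # -L is true for dangling symlinks too
        target=$(readlink "$f")
        case "$target" in
            /data/*) echo "symlink $f -> $target" ;;
        esac
    done
}

# NetHunter packages installed as system apps or privileged apps (the SDK >= 26 path).
list_system_apps() {
    root="${1:-/}"
    for d in "$root"/system/app/NetHunter* "$root"/system/priv-app/NetHunter*; do
        if [ -d "$d" ]; then
            echo "system app $d"
        fi
    done
}

# Privileged-permission whitelist the installer drops on Oreo and newer.
list_priv_permissions() {
    xml="${1:-/}/system/etc/permissions/com.offsec.nethunter.store.privileged.xml"
    if [ -f "$xml" ]; then
        echo "priv-app whitelist $xml"
    fi
}

# audit_nethunter: print every finding, one per line.
audit_nethunter() {
    list_data_symlinks "$1"
    list_system_apps "$1"
    list_priv_permissions "$1"
}

# finding_count: number of findings; zero means none of the installer's
# artefacts were found under the given root.
finding_count() {
    audit_nethunter "$1" | wc -l | tr -d ' '
}

# Usage on the device (as root): audit_nethunter /
# Usage on a PC with a system image mounted at /mnt/sysimg: audit_nethunter /mnt/sysimg
```

The symlink check is the most useful of the three on a device that is not supposed to carry NetHunter: a link from /system/bin into /data is not something stock Android creates, so any hit is worth explaining regardless of its name.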
Having walked through the flow, you can see that the NetHunter install script simply unpacks the kernel patch files and the (very large) Kali system files we downloaded into the designated Android directories. Both of these important files are already built; the script only puts them in place. The next chapter explains how to actually build the kernel patch files and the Kali system files.