A hands-on guide to building NetHunter from scratch for an officially supported device


Kali's official NetHunter phone recommendations

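Category              Phone model          Device ID   OS              Based on Android version
Preferred high-end    OnePlus 7/7T                     OOS             Android 10 stable
Preferred mid-range   Xiaomi Mi 9T         DAVINCI     MIUI 11         Android 10 stable
Preferred low-end     NEXUS6P              ANGLER      Stock Android   Android Oreo stable
Preferred tablet      GALAXY TAB S4 LTE    GTS4LLTE                    Android Oreo stable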

   This chapter follows the official Kali documentation tutorial: https://www.cnblogs.com/GKLBB/p/13585710.html

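  Building from scratch means taking the kernel source released for the device, applying the patches, and compiling it into a NetHunter system that supports external devices and special features.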

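  An officially supported device is one that Kali has already included in the official build scripts. Building for a device that is not included is covered in the next chapter.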

  The device ID is the development codename that corresponds to a phone model. Each model has exactly one.

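   Let me stress this again: Kali NetHunter is not a ROM. It is a subsystem that sits on top of a ROM, or a lightweight virtual machine. You have to supply the ROM yourself, and it must match the system used for the official build. This is usually stock Android or a third-party open-source ROM such as LineageOS (LOS).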

 

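  This time we build for the Nexus 6P. The overall flow is: environment, download, install, configure, compile, flash. A reminder: the Kali sources on GitLab sit behind the firewall, so plan for that when downloading.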

1. Download, configure, compile

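 Build environment: a Kali Linux virtual machine (other Linux distributions also work, but they need a Python 2 development environment and git installed; Kali ships both, which is more convenient), a fast network connection that gets past the firewall system-wide, and about 10 GB of disk space.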

  Download two things: the build scripts (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project), about 70 MB, and the device patches (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-devices), about 2 GB. How to download:

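root@kali:~# git clone https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project.git
root@kali:~# cd kali-nethunter-project/nethunter-installer
# Configure
root@kali:~# ./bootstrap.sh
# This step asks a few questions; ignore them and keep pressing Enter. It then downloads the device patch source https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-devices and, once the download finishes, places it in the current directory as the devices directory. Check that you have this directory.
root@kali:~# python build.py -h
# Important: in the output of python build.py -h, find the ID of the device you want to build and the Android version that goes with it. How do you know which? Look at the device.cfg file in the devices directory generated by the previous step; it lists each device ID and its Android version. Remember them. If your ID has no matching Android version, the command below will not work.
# Compile
root@kali:~# python build.py -d angler -su -o --rootfs full
# Change the command above to the device you want to build. -d angler is the device ID of the Nexus 6P, -o selects the matching Android version (Oreo), and --rootfs full selects the full Kali chroot system.
# More files are downloaded at this point; mind the firewall.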
A zip archive is generated in the current directory, named something like update-nethunter-20200902_012622-angler-oreo-kalifs-full.zip. This is the flashable file we want. Flash it directly.

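2. Flashing
  There are already many tutorials online for this step: flash the zip in TWRP. Search Baidu for the details. That concludes the main part of this chapter.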


3. Analysis
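What follows is a brief analysis of the zip contents and of how the installation works; skip it if you are not interested.
I compared my build with the pre-built file from Offensive Security's official NetHunter, and the contents are identical.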
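An added example (not from the original post or the NetHunter project): one way to repeat the comparison described above is to hash every member of both zips, because a whole-file hash changes with member timestamps and compression even when the contents match. The sample archives and the names member_digests, diff_installers and make_zip are constructed for illustration.

```python
import hashlib
import io
import zipfile

UPDATE_BINARY = "META-INF/com/google/android/update-binary"

def member_digests(source):
    """SHA-256 of each file member's uncompressed data; source is a path or bytes."""
    src = io.BytesIO(source) if isinstance(source, bytes) else source
    digests = {}
    with zipfile.ZipFile(src) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            h = hashlib.sha256()
            with zf.open(info) as fh:  # stream: the kalifs member can be very large
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests

def diff_installers(built, reference):
    """Compare two installer zips by content, ignoring timestamps and compression."""
    a, b = member_digests(built), member_digests(reference)
    return {
        "only_in_built": sorted(a.keys() - b.keys()),
        "only_in_reference": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_zip(members, date_time):
    """Build a small constructed zip in memory (stand-in for a real installer)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

# Constructed sample data, not real NetHunter files.
SAMPLE = {UPDATE_BINARY: b"#!/sbin/sh\n# Kali NetHunter installer\n",
          "data/app/NetHunter.apk": b"placeholder apk bytes",
          "tools/installchroot.sh": b"#!/sbin/sh\n"}
mine = make_zip(SAMPLE, (2020, 9, 2, 1, 26, 22))
official = make_zip(SAMPLE, (2020, 8, 30, 12, 0, 0))
modified = make_zip({**SAMPLE, UPDATE_BINARY: b"#!/sbin/sh\n# changed\n",
                     "system/xbin/extra": b"x"}, (2020, 9, 2, 1, 26, 22))

if __name__ == "__main__":
    print("mine vs official:", diff_installers(mine, official))
    print("modified vs official:", diff_installers(modified, official))
```

For real archives, pass the two zip paths to diff_installers instead of bytes; any entry under "changed" or "only_in_built" deserves a look before the zip is flashed from recovery.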
Below I analyse the directory structure.

After unpacking, we analyse the core installation script. Its path inside the archive is META-INF\com\google\android\update-binary
#!/sbin/sh
# Kali NetHunter installer

## start build generated variables
supersu=
## end build generated variables

if [ "$3" ]; then
    zip=$3
    console=/proc/$$/fd/$2
    # Write the location of the console buffer to /tmp/console for other scripts to use
    echo "$console" > /tmp/console
else
    console=$(cat /tmp/console)
    [ "$console" ] || console=/proc/$$/fd/1
fi

# tmp is the Android temporary directory
tmp=/tmp/nethunter
# patchtmp is the path of the patch files
patchtmp=$tmp/boot-patcher
export home=$patchtmp
sutmp=/tmp/supersu

# Define the progress command
progress() {
    echo "set_progress $1" > "$console"
}

# Define the print command
print() {
    echo "ui_print ${1:- }" > "$console"
    echo
}

# Define the abort-on-error command
abort() {
    [ "$1" ] && {
        print "Error: $1"
        print "Aborting..."
    }
    cleanup
    print "Failed to install Kali NetHunter!"
    exit 1
}

# Define the cleanup command
cleanup() {
    print "Cleaning up..."
    rm ${SYSTEM}/.rw
    rm /data/.rw
    /sbin/umount -f /system 2>/dev/null
    /sbin/umount -f /system_root 2>/dev/null
    [ "$zip" ] && rm /tmp/console
}

# Define the install command
install() {
    setperm "$2" "$3" "$tmp$1"
    if [ "$4" ]; then
        cp -r "$tmp$1" "$(dirname "$4")/"
        return
    fi
    cp -r "$tmp$1" "$(dirname "$1")/"
}

# installapp "App Name" "appfile.apk" "play.store.package.name"
# Define the app install command: argument 1 is the app name, argument 2 the app file,
# argument 3 the package name. If the app is already in the Play Store database it is not installed again.
installapp() {
    installto=/data/app/
    if [ "$3" ]; then
        for appdir in "/data/app/$3-"*; do
            [ -d "$appdir" ] || continue
            echo "Found app directory: $appdir"
            if [ ! -f /data/data/com.android.vending/databases/localappstate.db ]; then
                echo "Could not find Play Store app database!"
            # this should also catch paid/alternative versions if they are suffixed
            elif strings /data/data/com.android.vending/databases/localappstate.db | grep -q "^$3"; then
                rm -f "/data/app/$2"
                print "- Found Play Store installed $1"
                return 0
            fi
            rm -f "/data/app/$2"
            installto=$appdir/base.apk
            break
        done
    fi
    echo "Installing $1 to $installto"
    print "- Installing $1"
    cp -f "$tmp/data/app/$2" "$installto" && return 0
    print "- Failed to install $1!" && return 1
}

# Define the extract command
extract() {
    rm -rf "$2"
    mkdir -p "$2"
    unzip -o "$1" -d "$2" -x "$3" ||
        abort "Unable to extract! The zip may be corrupt or your device may not have enough RAM to proceed. Consider using a smaller installer if it is available."
}

# Define the set-permissions command
setperm() {
    find "$3" -type d -exec chmod "$1" {} \;
    find "$3" -type f -exec chmod "$2" {} \;
}

# Define the symlink command
symlink() {
    rm "$2"
    ln -s "$1" "$2"
}

# Define the mount command
mount() {
    mountpoint -q "$1" || /sbin/busybox mount -o rw "$1" || abort "Unable to mount $1 as rw!"
    >> "$1/.rw" && return || /sbin/busybox mount -o remount,rw "$1"
    >> "$1/.rw" && return || abort "Unable to write to $1!"
}

print "##################################################"
print "## ##"
print "## 88 a8P db 88 88 ##"
print "## 88 .88' d88b 88 88 ##"
print "## 88 88' d8''8b 88 88 ##"
print "## 88 d88 d8' '8b 88 88 ##"
print "## 8888'88. d8YaaaaY8b 88 88 ##"
print "## 88P Y8b d8''''''''8b 88 88 ##"
print "## 88 '88. d8' '8b 88 88 ##"
print "## 88 Y8b d8' '8b 888888888 88 ##"
print "## ##"
print "#### ############# NetHunter ####################"

# Unpack the zip
[ "$zip" ] && {
    print "Unpacking the installer..."
    extract "$zip" "$tmp" "kalifs-*"
}
cd "$tmp"

. ./env.sh

progress 0.0
print "Starting the install process"

# Mount the system partitions
mount /data

SYSTEM="/system"

# Modern devices use ${SYSTEM} as root ("/")
# Newer Android devices use the system partition as the / filesystem; see
# https://source.android.google.cn/devices/bootloader/system-as-root?hl=zh-tw
system_as_root=`getprop ro.build.system_root_image`
if [ "$system_as_root" == "true" ]; then
    print "[system as root] = $system_as_root"
    [ -L /system_root ] && rm -f /system_root
    mkdir /system_root 2>/dev/null
    /sbin/umount -f /system 2>/dev/null
    /sbin/mount /system
    if [ $? -eq 0 ]; then
        ## system is in fstab
        print "[/system] is in fstab, mounting"
        /sbin/mount --move /system /system_root
        /sbin/mount -o bind /system_root/system /system
    else
        ## system is not in fstab, let's mount it manually
        print "[/system] is not in fstab, mounting manually"
        /sbin/umount -f /system_root
        test -e /dev/block/bootdevice/by-name/system || local slot=$(getprop ro.boot.slot_suffix 2>/dev/null)
        /sbin/mount -o rw -t auto /dev/block/bootdevice/by-name/system$slot /system_root
        /sbin/mount -o bind /system_root/system /system
    fi
    [ ! -w /system_root ] && {
        # Message: the system partition could not be mounted read/write; unmount "/system" manually and retry
        abort "无法挂载系统分区读/写。 请手动卸载“ / system”,然后重试"
    }
elif [ "$ANDROID_ROOT" == "/system_root" ]; then
    print "[ANDROID_ROOT] = $ANDROID_ROOT"
    /sbin/mount -o remount,rw /system_root
    /sbin/mount -o bind /system_root/system /system
else
    mount /system
fi

progress 0.1

# Check the data partition
[ -d /data/data ] || {
    # Message: the data partition appears to be empty; complete the Android setup wizard before installing Kali NetHunter
    abort "您的数据分区似乎为空。 在安装Kali NetHunter之前,请先完成Android安装向导!"
}

setperm 0755 0755 tools

# Install busybox to /sbin in case some command-line tools are missing during installation
print "Installing busybox applets to /sbin"
cp tools/busybox /sbin/busybox_nh
/sbin/busybox_nh --install /sbin

# Check for a previous NetHunter version
print "Checking for previous versions of NetHunter"
sh tools/previnstall.sh

progress 0.2

# Install root
[ -f supersu.zip ] && {
    print "Extracting SuperSU zip..."
    extract supersu.zip "$sutmp"
    progress 0.3
    sh tools/installsu.sh "$sutmp" "$supersu"
}

progress 0.4

SDK="$(grep 'ro.build.version.sdk' ${SYSTEM}/build.prop | cut -d'=' -f2)"
print "SDK Version: $SDK"

# Install the 5 APKs
print "Installing apps:"
if [ $SDK -ge 26 ]; then
    # Starting with SDK 26 (Oreo) we can no longer install user apps,
    # so NetHunter.apk is installed as a system app
    # Install the main NetHunter APK
    print "- Installing NetHunter.apk"
    mkdir -p ${SYSTEM}/app/NetHunter
    # Copy the file from the unpacked temporary directory into the system partition
    cp $tmp/data/app/NetHunter.apk ${SYSTEM}/app/NetHunter/

    # Also install NetHunterTerminal.apk, because NetHunter.apk depends on it
    # Install the NetHunter terminal APK
    print "- Installing NetHunterTerminal.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-Terminal
    cp $tmp/data/app/NetHunterTerminal.apk ${SYSTEM}/app/NetHunter-Terminal/
    # Extract the lib directory of the APK into this APK's directory
    unzip -qo ${SYSTEM}/app/NetHunter-Terminal/NetHunterTerminal.apk "lib/*" -d ${SYSTEM}/app/NetHunter-Terminal/
    ## Some newer TWRP versions ship an unzip that cannot extract selected files
    ## from the archive as in the line above, so we may need plan B
    # Plan B: extract the whole APK into a temporary directory, then move its lib directory into the system partition
    [ -d ${SYSTEM}/app/NetHunter-Terminal/lib ] || {
        mkdir -p /tmp/NetHunter-Terminal/
        unzip -qo ${SYSTEM}/app/NetHunter-Terminal/NetHunterTerminal.apk -d /tmp/NetHunter-Terminal/
        mv /tmp/NetHunter-Terminal/lib ${SYSTEM}/app/NetHunter-Terminal/
    }
    # Rename the library directories extracted above
    mv ${SYSTEM}/app/NetHunter-Terminal/lib/armeabi-v7a ${SYSTEM}/app/NetHunter-Terminal/lib/arm
    mv ${SYSTEM}/app/NetHunter-Terminal/lib/arm64-v8a ${SYSTEM}/app/NetHunter-Terminal/lib/arm64

    # Install the NetHunter remote client (KeX) APK, because NetHunter.apk depends on it
    print "- Installing NetHunter-KeX.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-KeX
    cp $tmp/data/app/NetHunterKeX.apk ${SYSTEM}/app/NetHunter-KeX/
    unzip -qo ${SYSTEM}/app/NetHunter-KeX/NetHunterKeX.apk "lib/*" -d ${SYSTEM}/app/NetHunter-KeX/
    ## Some newer TWRP versions ship an unzip that does not support the above line so we might need plan B
    [ -d ${SYSTEM}/app/NetHunter-KeX/lib ] || {
        mkdir -p /tmp/NetHunter-KeX/
        unzip -qo ${SYSTEM}/app/NetHunter-KeX/NetHunterKeX.apk -d /tmp/NetHunter-KeX/
        mv /tmp/NetHunter-KeX/lib ${SYSTEM}/app/NetHunter-KeX/
    }
    mv ${SYSTEM}/app/NetHunter-KeX/lib/armeabi-v7a ${SYSTEM}/app/NetHunter-KeX/lib/arm
    mv ${SYSTEM}/app/NetHunter-KeX/lib/arm64-v8a ${SYSTEM}/app/NetHunter-KeX/lib/arm64

    # Install the NetHunter store APK
    print "- Installing NetHunter-Store.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-Store
    cp $tmp/data/app/NetHunterStore.apk ${SYSTEM}/app/NetHunter-Store/
else
    # Older than Oreo: install as user apps
    installapp "NetHunter App" "NetHunter.apk" "com.offsec.nethunter"
    installapp "NetHunter Terminal" "NetHunterTerminal.apk" "com.offsec.nhterm"
    installapp "NetHunter KeX" "NetHunterKeX.apk" "com.offsec.nethunter.kex"
    installapp "NetHunter Store" "NetHunterStore.apk" "com.offsec.nethunter.store"
fi

## Install the privileged extension APK
print "- Installing NetHunterStorePrivilegedExtension.apk"
mkdir -p ${SYSTEM}/priv-app/NetHunterStorePrivilegedExtension
cp $tmp/data/app/NetHunterStorePrivilegedExtension.apk ${SYSTEM}/priv-app/NetHunterStorePrivilegedExtension/
if [ $SDK -ge 26 ]
then
    mkdir ${SYSTEM}/etc/permissions
    chmod 755 ${SYSTEM}/etc/permissions
    [ -f system/etc/permissions/com.offsec.nethunter.store.privileged.xml ] && {
        install "/system/etc/permissions/com.offsec.nethunter.store.privileged.xml" 0755 0644 "${SYSTEM}/etc/permissions/com.offsec.nethunter.store.privileged.xml"
    }
fi

print "Done installing apps"

progress 0.5

# Check free space on the Android system partition
[ -f tools/freespace.sh ] && {
    # This actually runs twice when the NetHunter kernel zip is included
    print "Freeing up some space on ${SYSTEM}"
    sh tools/freespace.sh ||
        abort "Not enough free space on ${SYSTEM} to continue!"
}

# Install the busybox toolbox
print "Running busybox installer..."
sh tools/installbusybox.sh

progress 0.6

# Install the desktop wallpaper
[ -d wallpaper ] && {
    print "Installing NetHunter wallpaper"
    sh wallpaper/setwallpaper.sh
}

# Copy the boot animation
[ -f system/media/bootanimation.zip ] && {
    print "Installing NetHunter boot animation"
    install "/system/media/bootanimation.zip" 0755 0644 "${SYSTEM}/media/bootanimation.zip"
}

progress 0.7

# Copy the nano syntax highlighting files to ${SYSTEM}
[ -d system/etc/nano ] && {
    print "Copying nano highlights to ${SYSTEM}/etc/nano"
    install "/system/etc/nano" 0755 0644 "${SYSTEM}/etc/nano"
}

# Copy the terminal colour scheme (terminfo) files to Android
[ -d system/etc/terminfo ] && {
    print "Copying terminfo files to ${SYSTEM}/etc/terminfo"
    install "/system/etc/terminfo" 0755 0644 "${SYSTEM}/etc/terminfo"
}

# Copy the 32-bit shared libraries to Android
[ -d system/lib ] && {
    print "Copying 32-bit shared libraries to ${SYSTEM}/lib"
    install "/system/lib" 0755 0644 "${SYSTEM}/lib"
}

# Copy the 64-bit shared libraries to Android
[ -d system/lib64 ] && {
    print "Copying 64-bit shared libraries to ${SYSTEM}/lib64"
    install "/system/lib64" 0755 0644 "${SYSTEM}/lib64"
}

# Copy the executables to Android
[ -d system/bin ] && {
    print "Installing ${SYSTEM}/bin binaries"
    install "/system/bin" 0755 0755 "${SYSTEM}/bin"
}

# Copy the xbin executables to Android
[ -d system/xbin ] && {
    print "Installing ${SYSTEM}/xbin binaries"
    install "/system/xbin" 0755 0755 "${SYSTEM}/xbin"
}

[ -d data/local ] && {
    print "Copying additional files to /data/local"
    install "/data/local" 0755 0644
}

[ -d system/etc/init.d ] && {
    print "Installing init.d scripts"
    install "/system/etc/init.d" 0755 0755 "${SYSTEM}/etc/init.d"
    # Create userinit.d and userinit.sh if they don't already exist
    mkdir -p "/data/local/userinit.d"
    setperm 0755 0755 "/data/local/userinit.d"
    [ -f "/data/local/userinit.sh" ] || echo "#!/system/bin/sh" > "/data/local/userinit.sh"
    chmod 0755 "/data/local/userinit.sh"
}

[ -d system/addon.d/80-nethunter.sh ] && {
    print "Installing ${SYSTEM}/addon.d backup scripts"
    install "/system/80-nethunter.sh" 0755 0755 "${SYSTEM}/80-nethunter.sh"
}

# Link the scripts shipped in the NetHunter APK into the Android system so they are easy to call;
# symlink is the helper function defined above
print "Symlinking Kali boot scripts"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali" "${SYSTEM}/bin/bootkali"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_init" "${SYSTEM}/bin/bootkali_init"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_login" "${SYSTEM}/bin/bootkali_login"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_bash" "${SYSTEM}/bin/bootkali_bash"
symlink "/data/data/com.offsec.nethunter/files/scripts/killkali" "${SYSTEM}/bin/killkali"

progress 0.8

# Install the kernel patch by running the update-binary at its default script path
[ -d "$patchtmp" ] && {
    print "Running kernel installer..."
    sh "$patchtmp/META-INF/com/google/android/update-binary"
    mount /data
}

# Progress bar at 90%
progress 0.9

# Install the Kali system by running installchroot.sh; $zip may contain the chroot
print "Running Kali chroot installer..."
sh tools/installchroot.sh "$zip"

cleanup
print "************************************************"
print "* Kali NetHunter is now installed! *"
print "* Don't forget to start the NetHunter app *"
print "* to finish setting everything up! *"
print "************************************************"

progress 1.0

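 Having walked through the flow, you may have noticed that the NetHunter install script really just unpacks the kernel patch files we downloaded and the very large Kali system files into specific Android directories. Both of these important files were already built; the script only puts them to use. In the next chapter we explain how to actually build the kernel patch files and the Kali system files.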





