nexus 5x 刷機指北

內容整理自肉絲姐的安卓入門課
nexus 5x 刷機指北，其它手機類似

環境搭建

首先下載肉絲姐提供的kali系統
https://github.com/r0ysue/AndroidSecurityStudy/blob/master/FART/kali-linux-2019-4-vmware-amd64-zip.torrent

賬號：root
密碼：toor

修改時區

dpkg-reconfigure tzdata

選擇Asia→Shanghai

安裝軟件

apt install xfonts-intl-chinese
apt install ttf-wqy-microhei
apt install tmux jnettop

下載Android Studio

wget https://redirector.gvt1.com/edgedl/android/studio/ide-zips/4.0.1.0/android-studio-ide-193.6626763-linux.tar.gz

解壓並運行，一路默認即可，不要設置代理，最后會下載一些依賴sdk等
要是下載的慢，可以用手機流量開熱點下載

添加adb

vim ~/.bashrc

PATH=$PATH:/root/Android/Sdk/platform-tools

source ~/.bashrc

安卓鏡像

wget https://dl.google.com/dl/android/aosp/bullhead-opm1.171019.011-factory-3be6fd1c.zip

7z x bullhead-opm1.171019.011-factory-3be6fd1c.zip

開始刷機

關機狀態同時按住“音量減”和“電源”直到手機開機，進入 bootloader
確保 adb 和 fastboot 存在, 將手機連接到虛擬機內，把那個不在詢問勾上，確保手機連接的是虛擬機而不是物理機，否則虛擬機可能會卡死

確保手機已解鎖，未解鎖輸入 fastboot oem unlock 解鎖,

root@kali:~/Downloads# cd bullhead-opm1.171019.011/
root@kali:~/Downloads/bullhead-opm1.171019.011# ls
bootloader-bullhead-bhz31a.img  flash-all.sh   image-bullhead-opm1.171019.011.zip
flash-all.bat                   flash-base.sh  radio-bullhead-m8994f-2.6.40.4.04.img
root@kali:~/Downloads/bullhead-opm1.171019.011# ./flash-all.sh 
Sending 'bootloader' (4620 KB)                     OKAY [  0.625s]
Writing 'bootloader'                               OKAY [  0.182s]
Finished. Total time: 0.849s
Rebooting into bootloader                          OKAY [  0.010s]
Finished. Total time: 0.061s
Sending 'radio' (56630 KB)                         OKAY [  6.872s]
Writing 'radio'                                    OKAY [  0.974s]
Finished. Total time: 7.889s
Rebooting into bootloader                          OKAY [  0.013s]
Finished. Total time: 0.068s
--------------------------------------------
Bootloader Version...: BHZ31a
Baseband Version.....: M8994F-2.6.40.4.04
Serial Number........: 0215f2aa23abaee8
--------------------------------------------
extracting android-info.txt (0 MB) to RAM...
Checking 'product'                                 OKAY [  0.018s]
Checking 'version-bootloader'                      OKAY [  0.020s]
Checking 'version-baseband'                        OKAY [  0.020s]
extracting boot.img (11 MB) to disk... took 0.029s
archive does not contain 'boot.sig'
Sending 'boot' (11785 KB)                          OKAY [  1.439s]
Writing 'boot'                                     OKAY [  0.204s]
archive does not contain 'dtbo.img'
archive does not contain 'dt.img'
extracting recovery.img (17 MB) to disk... took 0.036s
archive does not contain 'recovery.sig'
Sending 'recovery' (17429 KB)                      OKAY [  2.083s]
Writing 'recovery'                                 OKAY [  0.323s]
archive does not contain 'vbmeta.img'
archive does not contain 'vbmeta_system.img'
archive does not contain 'vendor_boot.img'
archive does not contain 'super_empty.img'
archive does not contain 'odm.img'
archive does not contain 'product.img'
extracting system.img (1909 MB) to disk... took 15.022s
archive does not contain 'system.sig'
Sending sparse 'system' 1/4 (512608 KB)            OKAY [ 63.256s]
Writing 'system'                                   OKAY [  9.505s]
Sending sparse 'system' 2/4 (523962 KB)            OKAY [ 62.638s]
Writing 'system'                                   OKAY [  9.653s]
Sending sparse 'system' 3/4 (494953 KB)            OKAY [ 60.435s]
Writing 'system'                                   OKAY [  9.762s]
Sending sparse 'system' 4/4 (423449 KB)            OKAY [ 50.828s]
Writing 'system'                                   OKAY [  7.702s]
archive does not contain 'system_ext.img'
extracting vendor.img (185 MB) to disk... took 1.232s
archive does not contain 'vendor.sig'
Sending 'vendor' (190300 KB)                       OKAY [ 22.550s]
Writing 'vendor'                                   OKAY [  3.885s]
archive does not contain 'vendor_dlkm.img'
Erasing 'userdata'                                 OKAY [  0.522s]
mke2fs 1.45.4 (23-Sep-2019)
Creating filesystem with 2874363 4k blocks and 719488 inodes
Filesystem UUID: 7ee79fef-b58e-48fb-95d0-2b7e5f13fa9c
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done 

Sending 'userdata' (124 KB)                        OKAY [  0.111s]
Writing 'userdata'                                 OKAY [  0.018s]
Erasing 'cache'                                    OKAY [  0.082s]
mke2fs 1.45.4 (23-Sep-2019)
Creating filesystem with 24576 4k blocks and 24576 inodes

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

Sending 'cache' (44 KB)                            OKAY [  0.082s]
Writing 'cache'                                    OKAY [  0.014s]
Rebooting                                          OKAY [  0.020s]
Finished. Total time: 323.028s
root@kali:~/Downloads/bullhead-opm1.171019.011# 

刷完了之后手機會自動重啟, 刷機已經完成

TWRP

在物理機上下載，然后拖到虛擬機里面
https://eu.dl.twrp.me/bullhead/twrp-3.3.1-0-bullhead.img

手機再次進入 bootloader 模式

root@kali:~/Downloads# ls -al
total 1937804
drwxr-xr-x  4 root root       4096 Aug 30 16:11 .
drwxr-xr-x 20 root root       4096 Aug 30 15:31 ..
drwxrwxr-x  7 root root       4096 Jun 29 18:40 android-studio
-rw-r--r--  1 root root  907569312 Jul 15 01:00 android-studio-ide-193.6626763-linux.tar.gz
drwxr-x---  2 root root       4096 Nov 28  2017 bullhead-opm1.171019.011
-rw-r--r--  1 root root 1059996441 Feb 19  2020 bullhead-opm1.171019.011-factory-3be6fd1c.zip
-rwxrw-rw-  1 root root   16713004 Aug 30 16:10 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb reboot bootloader
root@kali:~/Downloads# fastboot flash recovery twrp-3.3.1-0-bullhead.img 
Sending 'recovery' (16321 KB)                      OKAY [  2.222s]
Writing 'recovery'                                 OKAY [  0.291s]
Finished. Total time: 2.559s
root@kali:~/Downloads# 

按兩下音量減進入 recovery 模式
下面的划動條划到最右邊顯示所有的選項

Magisk

root@kali:~/Downloads# wget https://github.com/topjohnwu/Magisk/releases/download/v20.4/Magisk-v20.4.zip

root@kali:~/Downloads# ls
android-studio                               bullhead-opm1.171019.011-factory-3be6fd1c.zip
android-studio-ide-193.6626763-linux.tar.gz  Magisk-v20.4.zip
bullhead-opm1.171019.011                     twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb push Magisk-v20.4.zip /sdcard/
adb: error: failed to get feature set: no devices/emulators found
root@kali:~/Downloads# adb push Magisk-v20.4.zip /sdcard/
Magisk-v20.4.zip: 1 file pushed, 0 skipped. 1.2 MB/s (5942417 bytes in 4.825s)

frida-server

root@kali:~/Downloads# wget https://github.com/frida/frida/releases/download/12.11.11/frida-server-12.11.11-android-arm64.xz
root@kali:~/Downloads# 7z x frida-server-12.11.11-android-arm64.xz 
root@kali:~/Downloads# ls -al
total 1996216
drwxr-xr-x  4 root root       4096 Aug 30 16:43 .
drwxr-xr-x 20 root root       4096 Aug 30 16:41 ..
drwxrwxr-x  7 root root       4096 Jun 29 18:40 android-studio
-rw-r--r--  1 root root  907569312 Jul 15 01:00 android-studio-ide-193.6626763-linux.tar.gz
drwxr-x---  2 root root       4096 Nov 28  2017 bullhead-opm1.171019.011
-rw-r--r--  1 root root 1059996441 Feb 19  2020 bullhead-opm1.171019.011-factory-3be6fd1c.zip
-rw-r--r--  1 root root   41023080 Aug 26 02:29 frida-server-12.11.11-android-arm64
-rw-r--r--  1 root root   12843976 Aug 26 02:29 frida-server-12.11.11-android-arm64.xz
-rwxrw-rw-  1 root root    5942417 Aug 30 16:24 Magisk-v20.4.zip
-rwxrw-rw-  1 root root   16713004 Aug 30 16:10 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb root
adbd is already running as root
root@kali:~/Downloads# adb push frida-server-12.11.11-android-arm64 /data/local/tmp/
frida-server-12.11.11-android-arm64: 1 file pu... skipped. 0.7 MB/s (41023080 bytes in 58.544s)
root@kali:~/Downloads# 

install

進入 bootloader, 進入 recovery 模式，
手機上點擊 install， 找到 Magisk-v20.4.zip，
點擊該文件，划到最右邊安裝，安裝完成之后重啟手機即可

完成

---

第二套

刷 Kali NetHunter

下載

wget https://images.kali.org/nethunter/nethunter-2020.3-bullhead-oreo-kalifs-full.zip
wget https://download.chainfire.eu/1220/SuperSU/SR5-SuperSU-v2.82-SR5-20171001224502.zip?retrieve_file=1

root@kali:~/Downloads# adb reboot bootloader
root@kali:~/Downloads# fastboot flash recovery twrp-3.3.1-0-bullhead.img
Sending 'recovery' (16321 KB)                      OKAY [  2.139s]
Writing 'recovery'                                 OKAY [  0.283s]
Finished. Total time: 2.465s
root@kali:~/Downloads# ls -al
total 3290304
drwxr-xr-x  4 root root       4096 Aug 30 17:51 .
drwxr-xr-x 20 root root       4096 Aug 30 16:41 ..
drwxrwxr-x  7 root root       4096 Jun 29 18:40 android-studio
-rw-r--r--  1 root root  907569312 Jul 15 01:00 android-studio-ide-193.6626763-linux.tar.gz
drwxr-x---  2 root root       4096 Nov 28  2017 bullhead-opm1.171019.011
-rw-r--r--  1 root root 1059996441 Feb 19  2020 bullhead-opm1.171019.011-factory-3be6fd1c.zip
-rw-r--r--  1 root root   41023080 Aug 26 02:29 frida-server-12.11.11-android-arm64
-rw-r--r--  1 root root   12843976 Aug 26 02:29 frida-server-12.11.11-android-arm64.xz
-rwxrw-rw-  1 root root    5942417 Aug 30 16:24 Magisk-v20.4.zip
-rwxrw-rw-  1 root root 1318256428 Aug 30 17:43 nethunter-2020.3-bullhead-oreo-kalifs-full.zip
-rw-r--r--  1 root root    6882992 Oct  2  2017 SR5-SuperSU-v2.82-SR5-20171001224502.zip
-rwxrw-rw-  1 root root   16713004 Aug 30 16:10 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard/SR5-SuperSU-v2.82-SR5-20171001224502.zip: 1 fil..., 0 skipped. 1.0 MB/s (6882992 bytes in 6.279s)
root@kali:~/Downloads# adb push nethunter-2020.3-bullhead-oreo-kalifs-full.zip /sdcard/
nethunter-2020.3-bullhead-oreo-kalifs-full.zip:...ipped. 0.7 MB/s (1318256428 bytes in 1883.874s)
root@kali:~/Downloads# 

install

進入 bootloader, 進入 recovery 模式，
手機上點擊 install， 找到 需要安裝的模塊，
點擊該文件，划到最右邊安裝，安裝完成之后重啟手機即可

完成