Step by step: building the NetHunter system from scratch for an officially supported device


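Phones recommended for NetHunter by Kali

Category                     Model               Device ID   OS              Based on Android version
Preferred high-end device    OnePlus 7/7T                    OOS             Android 10 stable
Preferred mid-range device   Xiaomi 9T           DAVINCI     MIUI 11         Android 10 stable
Preferred low-end device     NEXUS6P             ANGLER      Stock Android   Android Oreo stable
Preferred tablet             GALAXY TAB S4 LTE   GTS4LLTE                    Android Oreo stable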

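This chapter follows the official Kali documentation tutorial: https://www.cnblogs.com/GKLBB/p/13585710.html

Building from scratch means taking the kernel source released for the device, patching it, and compiling a NetHunter system that supports external devices and special features.

An officially supported device is one that Kali has already included in its official build scripts. How to build for a device that is not included is covered in the next chapter.

The device ID is the development codename that corresponds to a phone model; each model has exactly one.

Let me stress this again: Kali NetHunter is not a ROM. It is a subsystem that sits on top of a ROM, or a lightweight virtual machine. You have to supply the ROM yourself, and it must match the system used for the official build. Usually that is stock Android or a third-party open-source ROM such as LOS.

This time we build for the Nexus 6P. The rough build flow is: environment, download, install, configure, compile, flash. A reminder once more: downloading the Kali sources from GitLab runs into the Great Firewall, so plan around it.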

1. Download, configure, compile

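Build environment: a Kali Linux virtual machine (other Linux distributions also work, but they need a Python 2 development environment and git installed; Kali ships with both, which is more convenient), a fast network connection that gets past the firewall for all traffic, and about 10 GB of disk space.

Download two things: the build scripts (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project), about 70 MB, and the device patches (https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-devices), about 2 GB. How to download them: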

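root@kali:~# git clone https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project.git
root@kali:~# cd kali-nethunter-project/nethunter-installer
# Configure
root@kali:~# ./bootstrap.sh
# This step asks a few questions; ignore them and keep pressing Enter. It then starts downloading the patch source https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-devices. Once downloaded, it is placed in the current directory under the name devices. Check that you have this directory.
root@kali:~# python build.py -h
# Important: after running python build.py -h, find the ID of the device you want to build and the Android version that goes with it. How do you know which ones go together? Look at the device.cfg file in the devices directory created by the previous step; it lists each device ID and its Android version. Remember them. If your ID has no matching Android version, the command below will not work.
# Compile
root@kali:~# python build.py -d angler -su -o --rootfs full
# Change the command above to the device you want to build: -d angler is the Nexus 6P device ID, -o selects the matching Android version (Oreo), and --rootfs full selects the full Kali chroot system.
# This downloads more data, so mind the firewall.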
A zip archive is generated in the current directory, with a name like update-nethunter-20200902_012622-angler-oreo-kalifs-full.zip. This is the flashable file we want; it can be flashed as is.

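2. Flashing
There are already many tutorials for this step online: flash the zip directly in TWRP. For details, search Baidu Zhidao. That concludes this chapter's walkthrough.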


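3. Analysis
What follows is a brief analysis of the zip contents and the install process; skip it if you are not interested.
I compared the result with the file compiled by the official Offensive Security NetHunter project, and the contents are exactly the same.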
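Two builds with the same content still differ as raw files because the zip headers carry build timestamps, so the comparison has to be done entry by entry. The following is an added example, not code from the original post or from the NetHunter project; the archives and their contents are constructed stand-ins for the real installer zips.

```python
import hashlib
import io
import zipfile

UPDATE_BINARY = "META-INF/com/google/android/update-binary"

def entry_digests(src):
    """Map each file entry of a zip to the SHA-256 of its uncompressed content."""
    src = io.BytesIO(src) if isinstance(src, bytes) else src  # bytes, path or file object
    digests = {}
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:  # stream, the kalifs entry can be very large
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests

def compare_zips(local, reference):
    """Report entries present in only one archive and entries whose content differs."""
    a, b = entry_digests(local), entry_digests(reference)
    return {
        "only_local": sorted(set(a) - set(b)),
        "only_reference": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def make_zip(entries, date_time):
    """Build a small constructed archive in memory, stamped with the given build time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

# Constructed sample data standing in for real installer zips.
BASE = {UPDATE_BINARY: b"#!/sbin/sh\n# Kali NetHunter installer\n",
        "tools/installchroot.sh": b"#!/sbin/sh\n",
        "data/app/NetHunter.apk": b"constructed-apk-bytes"}
local_zip = make_zip(BASE, (2020, 9, 2, 1, 26, 22))
official_zip = make_zip(BASE, (2020, 8, 30, 12, 0, 0))
tampered_zip = make_zip({**BASE, UPDATE_BINARY: b"#!/sbin/sh\necho extra\n"}, (2020, 9, 2, 1, 26, 22))

if __name__ == "__main__":
    print("local vs official:", compare_zips(local_zip, official_zip))
    print("tampered vs official:", compare_zips(tampered_zip, official_zip))
```

For real files, pass the two zip paths to compare_zips instead of the in-memory bytes.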
Next I will analyze the directory structure.

After extracting the zip, we analyze the core install script. Its path inside the archive is META-INF\com\google\android\update-binary
#!/sbin/sh
# Kali NetHunter installer

## start build generated variables
supersu=
## end build generated variables

if [ "$3" ]; then
    zip=$3
    console=/proc/$$/fd/$2
    # Write the location of the console buffer to /tmp/console for other scripts to use
    echo "$console" > /tmp/console
else
    console=$(cat /tmp/console)
    [ "$console" ] || console=/proc/$$/fd/1
fi

# /tmp is Android's temporary directory
tmp=/tmp/nethunter
# patchtmp is the path of the patch files
patchtmp=$tmp/boot-patcher
export home=$patchtmp
sutmp=/tmp/supersu

# Define the progress command
progress() {
    echo "set_progress $1" > "$console"
}

# Define the print command
print() {
    echo "ui_print ${1:- }" > "$console"
    echo
}

# Define the abort-on-error command
abort() {
    [ "$1" ] && {
        print "Error: $1"
        print "Aborting..."
    }
    cleanup
    print "Failed to install Kali NetHunter!"
    exit 1
}

# Define the cleanup command
cleanup() {
    print "Cleaning up..."
    rm ${SYSTEM}/.rw
    rm /data/.rw
    /sbin/umount -f /system 2>/dev/null
    /sbin/umount -f /system_root 2>/dev/null
    [ "$zip" ] && rm /tmp/console
}

# Define the install command
install() {
    setperm "$2" "$3" "$tmp$1"
    if [ "$4" ]; then
        cp -r "$tmp$1" "$(dirname "$4")/"
        return
    fi
    cp -r "$tmp$1" "$(dirname "$1")/"
}

# installapp "App Name" "appfile.apk" "play.store.package.name"
# Define the app install command: argument 1 is the app name, argument 2 the app file, argument 3 the package name.
# If the app is found in the Play Store database it is not installed again.
installapp() {
    installto=/data/app/
    if [ "$3" ]; then
        for appdir in "/data/app/$3-"*; do
            [ -d "$appdir" ] || continue
            echo "Found app directory: $appdir"
            if [ ! -f /data/data/com.android.vending/databases/localappstate.db ]; then
                echo "Could not find Play Store app database!"
            # this should also catch paid/alternative versions if they are suffixed
            elif strings /data/data/com.android.vending/databases/localappstate.db | grep -q "^$3"; then
                rm -f "/data/app/$2"
                print "- Found Play Store installed $1"
                return 0
            fi
            rm -f "/data/app/$2"
            installto=$appdir/base.apk
            break
        done
    fi
    echo "Installing $1 to $installto"
    print "- Installing $1"
    cp -f "$tmp/data/app/$2" "$installto" && return 0
    print "- Failed to install $1!" && return 1
}

# Define the extract command
extract() {
    rm -rf "$2"
    mkdir -p "$2"
    unzip -o "$1" -d "$2" -x "$3" ||
        abort "Unable to extract! The zip may be corrupt or your device may not have enough RAM to proceed. Consider using a smaller installer if it is available."
}

# Define the permission-setting command
setperm() {
    find "$3" -type d -exec chmod "$1" {} \;
    find "$3" -type f -exec chmod "$2" {} \;
}

# Define the symlink command
symlink() {
    rm "$2"
    ln -s "$1" "$2"
}

# Define the mount command
mount() {
    mountpoint -q "$1" || /sbin/busybox mount -o rw "$1" || abort "Unable to mount $1 as rw!"
    >> "$1/.rw" && return || /sbin/busybox mount -o remount,rw "$1"
    >> "$1/.rw" && return || abort "Unable to write to $1!"
}

print "##################################################"
print "##                                              ##"
print "##  88      a8P         db        88        88  ##"
print "##  88    .88'         d88b       88        88  ##"
print "##  88   88'          d8''8b      88        88  ##"
print "##  88 d88           d8'  '8b     88        88  ##"
print "##  8888'88.        d8YaaaaY8b    88        88  ##"
print "##  88P   Y8b      d8''''''''8b   88        88  ##"
print "##  88     '88.   d8'        '8b  88        88  ##"
print "##  88       Y8b d8'          '8b 888888888 88  ##"
print "##                                              ##"
print "####  ############# NetHunter ####################"

# Unpack the zip
[ "$zip" ] && {
    print "Unpacking the installer..."
    extract "$zip" "$tmp" "kalifs-*"
}
cd "$tmp"

. ./env.sh

progress 0.0
print "Starting the install process"

# Mount the system partition
mount /data
SYSTEM="/system"

# Modern devices use ${SYSTEM} as root ("/")
# Newer Android devices use the system partition as the / filesystem; reference:
# https://source.android.google.cn/devices/bootloader/system-as-root?hl=zh-tw
system_as_root=`getprop ro.build.system_root_image`
if [ "$system_as_root" == "true" ]; then
    print "[system as root] = $system_as_root"
    [ -L /system_root ] && rm -f /system_root
    mkdir /system_root 2>/dev/null
    /sbin/umount -f /system 2>/dev/null
    /sbin/mount /system
    if [ $? -eq 0 ]; then
        ## system is in fstab
        print "[/system] is in fstab, mounting"
        /sbin/mount --move /system /system_root
        /sbin/mount -o bind /system_root/system /system
    else
        ## system is not in fstab, let's mount it manually
        print "[/system] is not in fstab, mounting manually"
        /sbin/umount -f /system_root
        test -e /dev/block/bootdevice/by-name/system || local slot=$(getprop ro.boot.slot_suffix 2>/dev/null)
        /sbin/mount -o rw -t auto /dev/block/bootdevice/by-name/system$slot /system_root
        /sbin/mount -o bind /system_root/system /system
    fi
    [ ! -w /system_root ] && {
        # Message: unable to mount the system partition read/write; unmount "/system" manually and try again
        abort "無法掛載系統分區讀/寫。 請手動卸載“ / system”,然后重試"
    }
elif [ "$ANDROID_ROOT" == "/system_root" ]; then
    print "[ANDROID_ROOT] = $ANDROID_ROOT"
    /sbin/mount -o remount,rw /system_root
    /sbin/mount -o bind /system_root/system /system
else
    mount /system
fi

progress 0.1

# Check the data partition
[ -d /data/data ] || {
    # Message: your data partition appears to be empty; complete the Android setup wizard before installing Kali NetHunter
    abort "您的數據分區似乎為空。 在安裝Kali NetHunter之前,請先完成Android安裝向導!"
}

setperm 0755 0755 tools

# Install busybox into /sbin in case some command-line tools are missing during the install
print "Installing busybox applets to /sbin"
cp tools/busybox /sbin/busybox_nh
/sbin/busybox_nh --install /sbin

# Check for a previous NetHunter version
print "Checking for previous versions of NetHunter"
sh tools/previnstall.sh

progress 0.2

# Install root
[ -f supersu.zip ] && {
    print "Extracting SuperSU zip..."
    extract supersu.zip "$sutmp"

    progress 0.3

    sh tools/installsu.sh "$sutmp" "$supersu"
}

progress 0.4

SDK="$(grep 'ro.build.version.sdk' ${SYSTEM}/build.prop | cut -d'=' -f2)"
print "SDK Version: $SDK"

# Install the 5 apks
print "Installing apps:"
if [ $SDK -ge 26 ]; then
    # Starting with SDK 26 (Oreo) we can no longer install user apps, so we install NetHunter.apk as a system app
    # Install the main NetHunter apk
    print "- Installing NetHunter.apk"
    mkdir -p ${SYSTEM}/app/NetHunter
    # Copy the file from the zip's temporary directory into the system partition
    cp $tmp/data/app/NetHunter.apk ${SYSTEM}/app/NetHunter/

    # and install NetHunterTerminal.apk, because NetHunter.apk depends on it
    # Install the NetHunter terminal apk
    print "- Installing NetHunterTerminal.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-Terminal
    cp $tmp/data/app/NetHunterTerminal.apk ${SYSTEM}/app/NetHunter-Terminal/
    # Extract the lib directory from the apk into this apk's directory
    unzip -qo ${SYSTEM}/app/NetHunter-Terminal/NetHunterTerminal.apk "lib/*" -d ${SYSTEM}/app/NetHunter-Terminal/
    ## Some newer TWRP versions ship an unzip that cannot extract selected files from the archive as in the line above, so we might need plan B
    # Plan B: extract the apk to a temporary directory, then move the lib directory from there into the system partition
    [ -d ${SYSTEM}/app/NetHunter-Terminal/lib ] || {
        mkdir -p /tmp/NetHunter-Terminal/
        unzip -qo ${SYSTEM}/app/NetHunter-Terminal/NetHunterTerminal.apk -d /tmp/NetHunter-Terminal/
        mv /tmp/NetHunter-Terminal/lib ${SYSTEM}/app/NetHunter-Terminal/
    }
    # Rename the library directories extracted above
    mv ${SYSTEM}/app/NetHunter-Terminal/lib/armeabi-v7a ${SYSTEM}/app/NetHunter-Terminal/lib/arm
    mv ${SYSTEM}/app/NetHunter-Terminal/lib/arm64-v8a ${SYSTEM}/app/NetHunter-Terminal/lib/arm64

    # Install the NetHunter remote client apk (KeX), because NetHunter.apk depends on it
    print "- Installing NetHunter-KeX.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-KeX
    cp $tmp/data/app/NetHunterKeX.apk ${SYSTEM}/app/NetHunter-KeX/
    unzip -qo ${SYSTEM}/app/NetHunter-KeX/NetHunterKeX.apk "lib/*" -d ${SYSTEM}/app/NetHunter-KeX/
    ## Some newer TWRP versions ship an unzip that does not support the above line so we might need plan B
    [ -d ${SYSTEM}/app/NetHunter-KeX/lib ] || {
        mkdir -p /tmp/NetHunter-KeX/
        unzip -qo ${SYSTEM}/app/NetHunter-KeX/NetHunterKeX.apk -d /tmp/NetHunter-KeX/
        mv /tmp/NetHunter-KeX/lib ${SYSTEM}/app/NetHunter-KeX/
    }
    mv ${SYSTEM}/app/NetHunter-KeX/lib/armeabi-v7a ${SYSTEM}/app/NetHunter-KeX/lib/arm
    mv ${SYSTEM}/app/NetHunter-KeX/lib/arm64-v8a ${SYSTEM}/app/NetHunter-KeX/lib/arm64

    # Install the NetHunter store apk
    print "- Installing NetHunter-Store.apk"
    mkdir -p ${SYSTEM}/app/NetHunter-Store
    cp $tmp/data/app/NetHunterStore.apk ${SYSTEM}/app/NetHunter-Store/
else
    # Older than Oreo
    installapp "NetHunter App" "NetHunter.apk" "com.offsec.nethunter"
    installapp "NetHunter Terminal" "NetHunterTerminal.apk" "com.offsec.nhterm"
    installapp "NetHunter KeX" "NetHunterKeX.apk" "com.offsec.nethunter.kex"
    installapp "NetHunter Store" "NetHunterStore.apk" "com.offsec.nethunter.store"
fi

## Install the privileged extension apk
print "- Installing NetHunterStorePrivilegedExtension.apk"
mkdir -p ${SYSTEM}/priv-app/NetHunterStorePrivilegedExtension
cp $tmp/data/app/NetHunterStorePrivilegedExtension.apk ${SYSTEM}/priv-app/NetHunterStorePrivilegedExtension/
if [ $SDK -ge 26 ]
then
    mkdir ${SYSTEM}/etc/permissions
    chmod 755 ${SYSTEM}/etc/permissions
    [ -f system/etc/permissions/com.offsec.nethunter.store.privileged.xml ] && {
        install "/system/etc/permissions/com.offsec.nethunter.store.privileged.xml" 0755 0644 "${SYSTEM}/etc/permissions/com.offsec.nethunter.store.privileged.xml"
    }
fi

print "Done installing apps"

progress 0.5

# Check free space on Android
[ -f tools/freespace.sh ] && {
    # This actually runs twice when the NetHunter kernel zip is included
    print "Freeing up some space on ${SYSTEM}"
    sh tools/freespace.sh ||
        abort "Not enough free space on ${SYSTEM} to continue!"
}

# Install the busybox toolbox
print "Running busybox installer..."
sh tools/installbusybox.sh

progress 0.6

# Install the desktop wallpaper
[ -d wallpaper ] && {
    print "Installing NetHunter wallpaper"
    sh wallpaper/setwallpaper.sh
}

# Copy the boot animation
[ -f system/media/bootanimation.zip ] && {
    print "Installing NetHunter boot animation"
    install "/system/media/bootanimation.zip" 0755 0644 "${SYSTEM}/media/bootanimation.zip"
}

progress 0.7

# Copy the nano syntax highlighting files to ${SYSTEM} on Android
[ -d system/etc/nano ] && {
    print "Copying nano highlights to ${SYSTEM}/etc/nano"
    install "/system/etc/nano" 0755 0644 "${SYSTEM}/etc/nano"
}

# Copy the terminal color scheme (terminfo) files to Android
[ -d system/etc/terminfo ] && {
    print "Copying terminfo files to ${SYSTEM}/etc/terminfo"
    install "/system/etc/terminfo" 0755 0644 "${SYSTEM}/etc/terminfo"
}

# Copy the 32-bit shared libraries to Android
[ -d system/lib ] && {
    print "Copying 32-bit shared libraries to ${SYSTEM}/lib"
    install "/system/lib" 0755 0644 "${SYSTEM}/lib"
}

# Copy the 64-bit shared libraries to Android
[ -d system/lib64 ] && {
    print "Copying 64-bit shared libraries to ${SYSTEM}/lib64"
    install "/system/lib64" 0755 0644 "${SYSTEM}/lib64"
}

# Copy the bin executables to Android
[ -d system/bin ] && {
    print "Installing ${SYSTEM}/bin binaries"
    install "/system/bin" 0755 0755 "${SYSTEM}/bin"
}

# Copy the xbin executables to Android
[ -d system/xbin ] && {
    print "Installing ${SYSTEM}/xbin binaries"
    install "/system/xbin" 0755 0755 "${SYSTEM}/xbin"
}

[ -d data/local ] && {
    print "Copying additional files to /data/local"
    install "/data/local" 0755 0644
}

[ -d system/etc/init.d ] && {
    print "Installing init.d scripts"
    install "/system/etc/init.d" 0755 0755 "${SYSTEM}/etc/init.d"
    # Create userinit.d and userinit.sh if they don't already exist
    mkdir -p "/data/local/userinit.d"
    setperm 0755 0755 "/data/local/userinit.d"
    [ -f "/data/local/userinit.sh" ] || echo "#!/system/bin/sh" > "/data/local/userinit.sh"
    chmod 0755 "/data/local/userinit.sh"
}

[ -d system/addon.d/80-nethunter.sh ] && {
    print "Installing ${SYSTEM}/addon.d backup scripts"
    install "/system/80-nethunter.sh" 0755 0755 "${SYSTEM}/80-nethunter.sh"
}

# Symlink the scripts shipped in the NetHunter apk into the Android system so they are easy to call;
# symlink is the helper function defined earlier in this script
print "Symlinking Kali boot scripts"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali" "${SYSTEM}/bin/bootkali"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_init" "${SYSTEM}/bin/bootkali_init"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_login" "${SYSTEM}/bin/bootkali_login"
symlink "/data/data/com.offsec.nethunter/files/scripts/bootkali_bash" "${SYSTEM}/bin/bootkali_bash"
symlink "/data/data/com.offsec.nethunter/files/scripts/killkali" "${SYSTEM}/bin/killkali"

progress 0.8

# Install the kernel patch by running the script at the default path
[ -d "$patchtmp" ] && {
    print "Running kernel installer..."
    sh "$patchtmp/META-INF/com/google/android/update-binary"
    mount /data
}

# Progress bar at 90%
progress 0.9

# Install the Kali system by running installchroot.sh; $zip may contain the chroot
print "Running Kali chroot installer..."
sh tools/installchroot.sh "$zip"

cleanup
print "************************************************"
print "*       Kali NetHunter is now installed!       *"
print "*   Don't forget to start the NetHunter app    *"
print "*       to finish setting everything up!       *"
print "************************************************"

progress 1.0

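Having walked through the flow, you can see that the NetHunter install script really just extracts the kernel patch files we downloaded and the very large Kali system files into specific directories on Android. Both of these important files were already built; we only made use of them. In the next chapter we cover how to actually build the kernel patch files and the Kali system files.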





