Awesome Android eXtreme Hacking. Part IV. GNU/Linux on your Pocket

Awesome Android eXtreme Hacking Part I Header


NOTE
This article has already been moved to the our new blog. Please update any link to this post as it will be removed in the future. This post is available clicking the link below:

http://papermint-designs.com/dmo-blog/2016-04-awesome-android-extreme-hacking--part-iv--gnu-linux-on-your-pocket


Google

Facebook

Twitter
 

We had done quite some stuff without playing nasty with our phone. There are still a couple of things we can do but, in order to keep the awesomeness level we really have to go and root our device. You may have had read many horror histories about rooting. You might be frightened... You are right. I have heard histories of devices coming back from the Smart Cemetery and claim for revenge on those users that profaned their firmwares.....heresy!!!.

Well, actually, for me, rooting my phone is something I always do immediately after unboxing the device. Being able to root the phone is one of the requirements to chose it. It use to be a safe process but it is true that there is a chance of bricking the phone, specially if you are blindly following instructions.

We will not explain how to root your device. It is often a device dependent process and there are too many different cases to be covered there. Just search the Internet and look for the instructions for your model. Read everything you can and try to understand the process so you can react if something goes wrong. Yes, this is basically a disclaimer... root your device at your own risk.

SAFE ROOTING

Before continuing two more words on rooting Android devices. There are actually two safe ways to get root on Android.

The first one is to buy a Google Device. Google devices allows unlocking the bootloader (that is something you need to do in order to use fastboot and flash new firmware) and Google provides factory images for all their devices. In other words, even when they do not officially support the process there is a good support to go ahead in a safe way. They maybe other companies providing this kind of support. If you are aware of any, please add a comment.

The second one is to use the Android SDK emulator. Yep, the emulator you use for developing your Android Java apps emulates a whole (almost) rooted device. So for those of you who do not want to risk its "precious", let's go for the emulator.

First thing to do is to create a device to run your Android system. Setup your PATH environmental variable to point to your Android SDK tools folder and type

~aaxh $ android avd
AVD stands for Android Virtual Device. Basically it is a tool to define tour "virtual hardware". OK, do not worry, you will get a nice user interface to work with AVD. Android Virtual Device ManagerAVD. Android Virtual Device Manager You can play later with the different option. Right now just press the "Device Definitions" tab and chose a device... for example Nexus 5. Press "Create AVD", select one skin and then press OK. If you feel brave enough you can try to change some parameters.... At least the AVD Name. AVD. Android Virtual Device Manager. Device DefinitionsAVD. Android Virtual Device Manager. Device Definitions Once created, your test device should look like this (more or less) AVD Virtual Device for AAXH testingAVD Virtual Device for AAXH testing The new created Virtual Device is now available and a "Start..." button is now enabled.... you do know what to do, don't you? Booting your emulated Android will take a while, but you can login in your just created virtual machine, before the Android screen is shown.
~aaxh $ adb shell
root@generic:/ #
And Voila!... you are root Now, you should install buildroot... we will need it a bit later. (http://papermint-designs.com/community/node/422)

POCKET LINUX

Now that you can feel the power is time to install GNU/Linux on your phone. Actually Linux is already there. In a way, Android is just another Linux distribution, but really stripped down... and we want to have GNU/Linux in there, not just regular Linux. There are different option on how to deploy your preferred application on your phone. We will talk about one, Buildroot (http://buildroot.uclibc.org/download.html). Just go there, download it and uncompress the tar somewhere in your disk. Buildroot follows the same approach that busybox and the Linux kernel so you should already know what to do. But in case you are feeling lazy.
~aaxh $ tar xzvf buildroot-2015.05.tar.gz 
~aaxh $ cd buildroot-2015.05
~aaxh/buildroot-2015.05 $ make menuconfig
There you go. You should see something like this Buildroot make menuconfig. Main ScreenBuildroot make menuconfig. Main Screen Now you have to set a couple of options: Target Options
  • Target Architecture ► ARM Little endian
  • Target Architecture Variant ► cortex-A9
The architecture Variant depends on your device. You will have to find out the architecture. Otherwise you can always select a lower architecture. If you are using the emulator chose cortex-A9, cortex-A15 (or the default floating point selection) doesn't work on the emulator. When you are done you should see something like this: AAXH05. Buildroot menuconfig. Architecture OptionsAAXH05. Buildroot menuconfig. Architecture Options The next thing to select is the toolchain Toolchain
  • ToolChain Type ► External toolchain
You can select the Buildroot toolchain. In that case buildroot will build its own toolchain and it will allow you to fine tune it. Building the toolchain take quite a while so, for the first test it is better if you select the default external toolchain. In general the Linaro toolchains are the most up to date ones. If you want to use those you have to select a cortex-A variant architecture + target ABI (EABIhf) in the target options. EABIhf stands for hard floating point, and in general will produce faster code. AAXH05. Buildroot menuconfig. Toolchain OptionsAAXH05. Buildroot menuconfig. Toolchain Options Finally, you may want to go into the Target packages option and select some application that you want to have in your phone. Note that all the applications you select will be downloaded from Internet and compiled. In other words, if you select a lot of applications, the first compilation will take quite a long time. For the first build we will just select nmap to convert our phone in a basic penetration testing tool :). Go into networking applications and select nmap. Now we are done. Just leave the interface selecting Exit as many times as required until you are asked to save your configuration. Save it and get back to the bash prompt. Now type make and wait. If you have many cores in your box you might want to run make -j N_cores. Buildroot will do its magic. The first time it has to download/build quite some stuff (including the toolchain) so to you better go and grab some coffee or take a walk in the park ... Some coffees later....

STARTING OUR BRAND NEW GNU/LINUX

Now we have to dump our brand new GNU/Linux on the phone. Actually what we have to deploy is the root filesystem that buildroot had created for us. This is quite easy Unless you had chose some fancy option (something you shouldn't had done at least the first time :), your root filesystem should be under output/images. So, let's copy it into our emulator:
~aaxh/buildroot-2015.05 $ adb push output/images/rootfs.tar /data/local/tmp
And now let's get into the phone and prepare for starting our linux:
~aaxh/buildroot-2015.05$ adb shell
root@generic:/ # cd /data/local/                                  
(configure busybox if you have to... we need tar now)
root@generic:/data/local # export PATH=/data/local/bb:$PATH                    
root@generic:/data/local # mkdir linux
root@generic:/data/local # cd linux
root@generic:/data/local/linux # tar xf ../tmp/rootfs.tar
We are almost done. Now we will start a chroot environment under our buildroot filesystem, and for that we have to mount a couple of pseudo filesystems. We actually have to bind those mounts to the real ones on the device. OK, anyhow, this is what you have to do
root@generic:/data/local/linux # mount -o bind /proc/ /data/local/linux/proc/  
root@generic:/data/local/linux # mount -o bind /dev /data/local/linux/dev 
root@generic:/data/local/linux # mount -o bind /sys /data/local/linux/sys
When we chroot into our new filesystem we will still have access to the device proc, dev and sys directories... Let's try
root@generic:/data/local/linux # cd .. 
root@generic:/data/local # chroot /data//local/linux/ /bin/sh     
/ # export PATH=/bin:/sbin:/usr/bin:/usr/sbin
We are just starting a shell without running any initialisation script so nothing is setup. The very minimal thing we have to setup is the PATH variable in order to be able to execute the application in our new Linux. Now we can run nmap from our phone to look for open ports in our device. You should see something like this:
/ # nmap -v localhost

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-21 11:24 UTC
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 11:24
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 5555/tcp on 127.0.0.1
Completed SYN Stealth Scan at 11:24, 19.22s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
5555/tcp open  freeciv

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds
           Raw packets sent: 1289 (56.716KB) | Rcvd: 2579 (108.320KB)
/ # 
That.... Is.... Awesome!!!... isn't it? Now you can rerun menuconfig and start adding your own tools to customise your Linux in your pocket. Not all of them will work, but most of the generic, console based applications will just work. Happy Hacking Awesome Wells