Awesome Android eXtreme Hacking. Part IV. GNU/Linux on your Pocket
David "DeMO" Martínez Oliveira

We have done quite some stuff without playing nasty with our phone. There are still a couple of things we can do but, in order to keep the awesomeness level, we really have to go and root our device. You may have read many horror stories about rooting. You might be frightened... You are right. I have heard stories of devices coming back from the Smart Cemetery to claim revenge on those users that profaned their firmwares..... heresy!!!
Well, actually, for me, rooting my phone is something I always do immediately after unboxing the device. Being able to root the phone is one of the requirements I use to choose it. It is usually a safe process, but it is true that there is a chance of bricking the phone, especially if you are blindly following instructions.

We will not explain how to root your device. It is often a device-dependent process and there are too many different cases to cover here. Just search the Internet for the instructions for your model. Read everything you can and try to understand the process so you can react if something goes wrong. Yes, this is basically a disclaimer... root your device at your own risk.


Before continuing, two more words on rooting Android devices. There are actually two safe ways to get root on Android.

The first one is to buy a Google device. Google devices allow unlocking the bootloader (something you need to do in order to use fastboot and flash new firmware) and Google provides factory images for all their devices. In other words, even when they do not officially support the process, there is good support to go ahead in a safe way. There may be other companies providing this kind of support. If you are aware of any, please add a comment.

The second one is to use the Android SDK emulator. Yep, the emulator you use for developing your Android Java apps emulates a whole (almost) rooted device. So for those of you who do not want to risk their "precious", let's go for the emulator.

The first thing to do is to create a device to run your Android system. Set up your PATH environment variable to point to your Android SDK tools folder and type

~aaxh $ android avd

AVD stands for Android Virtual Device. Basically it is a tool to define your "virtual hardware". OK, do not worry, you will get a nice user interface to work with.

AVD. Android Virtual Device

You can play later with the different options. Right now just press the "Device Definitions" tab and choose a device... for example Nexus 5. Press "Create AVD", select one skin and then press OK. If you feel brave enough you can try to change some parameters.... At least the AVD Name.

AVD. Android Virtual Device Manager. Device Definitions

Once created, your test device should look like this (more or less)

AVD Virtual Device for AAXH testing

The newly created Virtual Device is now available and a "Start..." button is now enabled.... you do know what to do, don't you?

Booting your emulated Android will take a while, but you can log into your newly created virtual machine before the Android screen is shown.

~aaxh $ adb shell
root@generic:/ #

And Voila!... you are root

Now you should install Buildroot... we will need it a bit later.


Now that you can feel the power, it is time to install GNU/Linux on your phone. Actually Linux is already there. In a way, Android is just another Linux distribution, but really stripped down... and we want to have GNU/Linux in there, not just regular Linux.

There are different options on how to deploy your preferred applications on your phone. We will talk about one, Buildroot. Just go to the Buildroot website, download it and uncompress the tarball somewhere on your disk.

Buildroot follows the same approach as busybox and the Linux kernel, so you should already know what to do.

But in case you are feeling lazy.

~aaxh $ tar xzvf buildroot-2015.05.tar.gz 
~aaxh $ cd buildroot-2015.05
~aaxh/buildroot-2015.05 $ make menuconfig

There you go. You should see something like this

Buildroot make menuconfig. Main Screen

Now you have to set a couple of options:

Target Options

  • Target Architecture ► ARM Little endian
  • Target Architecture Variant ► cortex-A9

The architecture variant depends on your device; you will have to find out which one it has. Otherwise you can always select a lower architecture. If you are using the emulator, choose cortex-A9; cortex-A15 (or the default floating point selection) doesn't work on the emulator. When you are done you should see something like this:

AAXH05. Buildroot menuconfig. Architecture Options

The next thing to select is the toolchain


  • ToolChain Type ► External toolchain

You can select the Buildroot toolchain. In that case Buildroot will build its own toolchain and it will allow you to fine tune it. Building the toolchain takes quite a while, so for the first test it is better if you select the default external toolchain.

In general the Linaro toolchains are the most up to date ones. If you want to use those you have to select a cortex-A variant architecture + target ABI (EABIhf) in the target options. EABIhf stands for hard floating point, and in general will produce faster code.

AAXH05. Buildroot menuconfig. Toolchain Options

Finally, you may want to go into the Target packages option and select some applications that you want to have on your phone. Note that all the applications you select will be downloaded from the Internet and compiled. In other words, if you select a lot of applications, the first compilation will take quite a long time.

For the first build we will just select nmap to convert our phone into a basic penetration testing tool :).

Go into networking applications and select nmap.

Now we are done. Just leave the interface, selecting Exit as many times as required until you are asked to save your configuration. Save it and get back to the bash prompt.

Now type make and wait. If you have many cores in your box you might want to run make -j N_cores.
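The menuconfig choices above can also be captured as a defconfig fragment, so the same build can be reproduced without clicking through the menus. This is an added example, not part of the original post or the Buildroot project; it assumes a Buildroot 2015.05 tree in the current directory, uses the Kconfig symbol names of that release (BR2_arm, BR2_cortex_a9, BR2_TOOLCHAIN_EXTERNAL, BR2_PACKAGE_NMAP), and the file name aaxh_defconfig is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post or the Buildroot project):
# the post's menuconfig selections as a defconfig fragment plus a build
# helper. Assumed: a Buildroot 2015.05 tree in the current directory.
set -e

CFG="${CFG:-aaxh_defconfig}"   # output file name, our choice

# Write the minimal configuration the post selects: ARM little endian,
# Cortex-A9 (the A15/default FPU choice does not run on the emulator),
# the default external toolchain, and the nmap package.
write_defconfig() {
    out="$1"
    cat > "$out" <<'EOF'
BR2_arm=y
BR2_cortex_a9=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_NMAP=y
EOF
    echo "$out"
}

# Number of parallel make jobs: one per core, falling back to 1 when
# neither nproc (GNU) nor sysctl (BSD/macOS) is available or sane.
ncores() {
    n=$(nproc 2>/dev/null || sysctl -n hw.ncpu 2>/dev/null || echo 1)
    case "$n" in
        ''|*[!0-9]*) n=1 ;;
    esac
    echo "$n"
}

# Turn the fragment into the active .config and build. Only runs when
# explicitly asked for, so sourcing this file does not start a long build.
build() {
    write_defconfig "$CFG" >/dev/null
    make defconfig BR2_DEFCONFIG="$PWD/$CFG"
    make -j"$(ncores)"
}

case "${1:-}" in
    build) build ;;
esac
```

Run it as `sh aaxh_build.sh build` from the Buildroot tree. If you want the hard-float Linaro toolchain the post mentions, add `BR2_ARM_EABIHF=y` to the fragment; keeping the fragment in version control is what makes the pocket Linux rebuildable later, when you add more packages.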

Buildroot will do its magic. The first time it has to download/build quite some stuff (including the toolchain), so you had better go and grab some coffee or take a walk in the park.


Some coffees later....


Now we have to dump our brand new GNU/Linux on the phone. Actually what we have to deploy is the root filesystem that Buildroot has created for us. This is quite easy.

Unless you chose some fancy option (something you shouldn't have done, at least the first time :), your root filesystem should be under output/images. So, let's copy it into our emulator:

~aaxh/buildroot-2015.05 $ adb push output/images/rootfs.tar /data/local/tmp

And now let's get into the phone and prepare to start our Linux:

~aaxh/buildroot-2015.05 $ adb shell
root@generic:/ # cd /data/local/
(configure busybox if you have to... we need tar now)
root@generic:/data/local # export PATH=/data/local/bb:$PATH
root@generic:/data/local # mkdir linux
root@generic:/data/local # cd linux
root@generic:/data/local/linux # tar xf ../tmp/rootfs.tar

We are almost done. Now we will start a chroot environment under our Buildroot filesystem, and for that we have to mount a couple of pseudo filesystems. We actually have to bind those mounts to the real ones on the device. OK, anyhow, this is what you have to do

root@generic:/data/local/linux # mount -o bind /proc/ /data/local/linux/proc/
root@generic:/data/local/linux # mount -o bind /dev /data/local/linux/dev
root@generic:/data/local/linux # mount -o bind /sys /data/local/linux/sys

When we chroot into our new filesystem we will still have access to the device's proc, dev and sys directories... Let's try

root@generic:/data/local/linux # cd ..
root@generic:/data/local # chroot /data/local/linux/ /bin/sh
/ # export PATH=/bin:/sbin:/usr/bin:/usr/sbin

We are just starting a shell without running any initialisation script, so nothing is set up. The very minimal thing we have to set up is the PATH variable in order to be able to execute the applications in our new Linux. Now we can run nmap from our phone to look for open ports on our device. You should see something like this:

/ # nmap -v localhost

Starting Nmap 6.47 ( ) at 2015-07-21 11:24 UTC
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 11:24
Scanning localhost ( [1000 ports]
Discovered open port 5555/tcp on
Completed SYN Stealth Scan at 11:24, 19.22s elapsed (1000 total ports)
Nmap scan report for localhost (
Host is up (0.0011s latency).
Not shown: 999 closed ports
5555/tcp open  freeciv

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds
           Raw packets sent: 1289 (56.716KB) | Rcvd: 2579 (108.320KB)
/ # 

That.... Is.... Awesome!!!... isn't it?
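The push, extract, bind-mount and chroot steps above, collected into one host-side script as an added example (not from the original post). It assumes adb is in your PATH, that `adb shell` lands you in a root shell (true for the emulator), and that busybox is installed on the device under the /data/local/bb path the post uses; that path and the variable names are assumptions. Two things the manual steps do not give you are added: the mount step checks /proc/mounts first so running it twice does not stack a second bind mount on the first, and a cleanup entry point unmounts everything in reverse order.

```shell
#!/bin/sh
# Added example (not from the original post): push / extract / bind-mount /
# chroot as one script, with an idempotent mount step and a teardown.
# Assumed: adb in PATH, a rooted device or emulator (adb shell is root),
# busybox on the device under BB_PATH (hypothetical path, as in the post).

ROOTFS="${ROOTFS:-output/images/rootfs.tar}"   # Buildroot output
DEV_ROOT="${DEV_ROOT:-/data/local/linux}"      # where the rootfs is unpacked on the device
BB_PATH="${BB_PATH:-/data/local/bb}"            # busybox dir on the device: gives us tar and grep
PSEUDO_FS="proc dev sys"                        # bind-mounted into the chroot, in this order

# Print one bind-mount command per pseudo filesystem. Each one is guarded by
# a /proc/mounts check so re-running the script does not stack a second
# mount on top of the first.
mount_cmds() {
    root="$1"
    for fs in $PSEUDO_FS; do
        printf 'grep -q " %s/%s " /proc/mounts || mount -o bind /%s %s/%s\n' \
            "$root" "$fs" "$fs" "$root" "$fs"
    done
}

# Print the matching umount commands in reverse order (sys, dev, proc), so
# any nested mount point you add later comes off before its parent.
umount_cmds() {
    root="$1"
    rev=""
    for fs in $PSEUDO_FS; do rev="$fs $rev"; done
    for fs in $rev; do
        printf 'umount %s/%s\n' "$root" "$fs"
    done
}

# Join printed command lines into one string for a single adb shell call.
join_lines() { tr '\n' ';'; }

deploy() {
    [ -f "$ROOTFS" ] || { echo "rootfs not found: $ROOTFS" >&2; return 1; }
    adb push "$ROOTFS" /data/local/tmp/rootfs.tar
    # Unpack with busybox tar (Android's toolbox has none), then bind-mount.
    adb shell "export PATH=$BB_PATH:\$PATH; mkdir -p $DEV_ROOT && cd $DEV_ROOT && tar xf /data/local/tmp/rootfs.tar"
    adb shell "export PATH=$BB_PATH:\$PATH; $(mount_cmds "$DEV_ROOT" | join_lines)"
    # Enter the chroot with a usable PATH; no init script runs, as the post notes.
    adb shell "chroot $DEV_ROOT /bin/sh -c 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin; exec /bin/sh'"
}

cleanup() {
    adb shell "export PATH=$BB_PATH:\$PATH; $(umount_cmds "$DEV_ROOT" | join_lines)"
}

case "${1:-}" in
    deploy)  deploy ;;
    cleanup) cleanup ;;
esac
```

Run `sh aaxh_chroot.sh deploy` to land in the chroot and `sh aaxh_chroot.sh cleanup` when you are done (with newer adb releases, `adb shell -t` forces a pty if the chroot shell comes up without one). Two details from the nmap run above are worth knowing: the resolv.conf warnings appear because the fresh rootfs has no resolver configuration, so copy a valid /etc/resolv.conf into the chroot if you need DNS; and the open port 5555/tcp is the emulator's adb daemon, which nmap labels "freeciv" only because that is what its services file lists for that port.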

Now you can rerun menuconfig and start adding your own tools to customise your Linux in your pocket. Not all of them will work, but most of the generic, console-based applications will just work.

Happy Hacking
Awesome Wells
