Mobile Pentesting (Android 11 update)

Intro

Updated to Android 11 for the Xiaomi Redmi Note 7 (lavender), which can be downloaded here. My first attempt to build the ROM myself, which included MAC80211, CFG80211 and several wireless modules, failed due to some linker errors. While trying to resolve that issue I went another route in the meantime to get the wireless modules built and get Bettercap and Wifite running again.

Quick install

All this can be done in four easy-to-follow steps:

  1. Install the latest original ROM from Xiaomi to update firmware and modem partitions to prevent “Error 1” while flashing the latest Pixel Experience ROM.
  2. Download and install Orange Fox recovery instead of TWRP.
  3. Flash the Pixel Experience ROM. And boot it to verify it is working.
  4. Reboot into recovery, download my kernel, flash it, and directly after that flash Magisk.

If you want to build your own kernel and (specific) modules and flash them to your phone, below I describe how to achieve that.

Kernel build process

Go ahead and download the latest Lavender kernel from PixelExperience-Devices on GitHub.

git clone https://github.com/PixelExperience-Devices/kernel_xiaomi_lavender.git

Download the following toolchains

Menuconfig

Then run make clean and mrproper in the root of the kernel and open menuconfig to enable wireless driver support.

export ARCH=arm64

make O=out clean && make O=out mrproper

make O=out ARCH=arm64 lavender-perf_defconfig

make O=out ARCH=arm64 menuconfig

In menuconfig navigate to and enable:

  • Enable loadable module support
    • Forced module loading
    • Module unloading
      • Force module unloading
  • Networking support
    • Wireless
      • cfg80211 – wireless configuration API – (built-in select)
      • Generic IEEE 802.11 Networking Stack (mac80211) – (built-in select)
  • Device Drivers
    • Network device support
      • Wireless LAN
        • Select the wireless drivers you need as a module (not built-in)

I’ve added support for:

  • Atheros HTC (ath9k-htc)
  • Ralink (rt30xx)
  • Mediatek (mt7601u)

Exit menuconfig and save .config. Optionally you can copy the .config over to arch/arm64/configs/lavender-perf_defconfig to avoid going through menuconfig every time you need to rebuild the kernel.

cp out/.config arch/arm64/configs/lavender-perf_defconfig

Update PATH

Then export PATH and LD_LIBRARY_PATH so that make and clang pick up the toolchains (adjust the paths to where you unpacked them).

export PATH="/home/wvthoog/android/toolchains/clang-r399163b/bin:/home/wvthoog/android/toolchains/aarch64-linux-android-4.9/bin:/home/wvthoog/android/toolchains/arm-linux-androideabi-4.9/bin:${PATH}"
export LD_LIBRARY_PATH="/home/wvthoog/android/toolchains/clang-r399163b/lib64:${LD_LIBRARY_PATH}"

Build the kernel

And finally build the kernel

make -j$(nproc --all) O=out \
                      ARCH=arm64 \
                      CC=clang \
                      LD=ld.lld \
                      CLANG_TRIPLE=aarch64-linux-gnu- \
                      CROSS_COMPILE=aarch64-linux-android- \
                      CROSS_COMPILE_ARM32=arm-linux-androideabi-

AnyKernel3

Once the kernel is built successfully we can use AnyKernel3 to flash the kernel and modules onto the phone.

First, download AnyKernel3 pre-configured for the Xiaomi Redmi Note 7 – Lavender into the root of the kernel directory.

git clone https://github.com/lavender-evergarden/AnyKernel3.git

Then copy the kernel and modules to the AnyKernel3 folder.

cp out/arch/arm64/boot/Image AnyKernel3/
cp out/arch/arm64/boot/Image.gz-dtb AnyKernel3/
find out/ -name "*.ko" -exec cp '{}' AnyKernel3/modules/vendor/lib/modules \;
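The find above copies every .ko under out/, including any left over from an earlier build with a different configuration, and insmod on the phone refuses a module whose vermagic does not match the running kernel. The following check, added here as an example and not part of the original post, compares each module's vermagic with out/include/config/kernel.release (the string that becomes uname -r on the phone) before anything is packaged. It assumes a grep that understands -a and -o (GNU grep does).

```shell
#!/bin/sh
# Verify that every .ko in the build tree was built against the kernel
# that is about to be flashed. insmod does no dependency or version
# resolution for us, so a stale module fails on the phone with
# "invalid module format".

# Print the vermagic string embedded in a module's .modinfo section,
# e.g. "4.4.192-perf+ SMP preempt mod_unload aarch64".
module_vermagic() {
    grep -a -o 'vermagic=[^[:cntrl:]]*' "$1" | head -n1 | sed 's/^vermagic=//'
}

# The release is the first word of vermagic; it must equal the release
# Kbuild wrote to include/config/kernel.release. Returns 0 on a match.
vermagic_matches() {
    want="$1"
    have="$(module_vermagic "$2" | cut -d' ' -f1)"
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Walk the build output and report every module that does not match.
# The return value is the number of mismatched (or unreadable) modules,
# so 0 means it is safe to copy the modules into AnyKernel3.
check_modules() {
    outdir="$1"
    release="$(cat "$outdir/include/config/kernel.release")"
    bad=0
    for ko in $(find "$outdir" -name '*.ko'); do
        if vermagic_matches "$release" "$ko"; then
            echo "ok       $ko"
        else
            echo "MISMATCH $ko (kernel $release, module '$(module_vermagic "$ko")')" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage from the kernel root, after the make step:
#   check_modules out && echo "all modules match, safe to package"
```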

And finally create the zip file

cd AnyKernel3
zip -r9 Kernel-Update.zip * -x .git README.md *placeholder

Once finished you have a flashable zip file that updates the kernel and copies over the modules to the phone.

Flash kernel and modules

Use your favorite recovery program (TWRP, Orange Fox, etc.) to install the newly created zip onto your phone, followed by the latest Magisk zip (for root privileges).

Termux

So if everything went according to plan, the phone should boot and the wireless modules should reside in the /vendor/lib/modules directory of the phone. Verify this by executing the following in Termux

pkg update && pkg upgrade -y
pkg install root-repo nano tsudo
sudo ls /vendor/lib/modules

A Magisk popup should appear asking for root privileges. Grant that request ‘forever’.

You should see a directory listing containing the following files

  • ath.ko
  • ath9k_common.ko
  • ath9k_htc.ko
  • ath9k_hw.ko
  • mt7601u.ko
  • rt2800lib.ko
  • rt2800usb.ko
  • rt2x00lib.ko
  • rt2x00usb.ko

Load modules

To load the modules I used insmod this time, since modprobe resulted in errors. To load the Mediatek driver, for example:

sudo insmod /vendor/lib/modules/mt7601u.ko

To verify that the driver picks up the card successfully, run iw info on the new interface

iw wlan2 info

Which should result in

$ iw wlan2 info
Interface wlan2
	ifindex 34
	wdev 0x700000001
	addr 20:e0:17:0e:55:4d
	type managed
	wiphy 7
	txpower 0.00 dBm

Load modules script

As it is not convenient to load the modules one by one every time Termux is started, we create a script that does it for us whenever Termux starts. So create a file (mine is modules.sh)

nano modules.sh

and copy over the following code

#!/bin/bash
# Loads the wireless modules with insmod, which (unlike modprobe) resolves no
# dependencies, so the order below matters: a module must come after every
# module it depends on. If Termux cannot find the interpreter, run:
#   termux-fix-shebang modules.sh
MODDIR=/vendor/lib/modules

# Load one module, skipping it when it is already loaded so the script can be
# run again after a Termux restart without "File exists" errors from insmod.
load() {
    name="${1%.ko}"
    if sudo cat /proc/modules | grep -q "^${name} "; then
        echo "$name already loaded"
    else
        sudo insmod "$MODDIR/$1" || echo "failed to load $1" >&2
    fi
}

# Atheros ATH9K_HTC
load ath.ko
load ath9k_hw.ko
load ath9k_common.ko
load ath9k_htc.ko

# Mediatek MT7601U
load mt7601u.ko

# Ralink RT2800
load rt2x00lib.ko
load rt2x00usb.ko
load rt2800lib.ko
load rt2800usb.ko

Save and exit. Then make it executable

chmod +x modules.sh

And launch it like so

./modules.sh

Bam! A working wireless pentesting phone running the latest Android 11.
