Redmi Note 10 Pro – Nethunter

Intro

It was time to upgrade my old Redmi Note 7 to a new Redmi Note 10 Pro. As on the old phone, I installed my favorite ROM, Pixel Experience, because I love the clean and intuitive appearance without the bloatware from Xiaomi. Kali Nethunter is installed on top for mobile pentesting purposes.

Pixel Experience

Download my ROM

You can build it yourself using the guide below or just download my pre-built ROM. This ROM has all the features that Kali Nethunter suggests enabled, and has module support for a lot of WiFi, Bluetooth and SDR devices.

INFO

A PixelOS 13 ROM is now also available

Included:
▪ VantomKernel
▪ AOSP-Playground device and vendor tree
▪ MIUI Camera
▪ Google Photo backup in original quality
▪ Many wireless, SDR, Bluetooth and USB (gadget) modules

Skip to chapter Install the ROM if you just want to install the Kali Nethunter ROM without building it yourself.

Please keep in mind that I’m NOT responsible for bricking your phone. This procedure is done entirely at your own risk.

Build the ROM yourself

Platform Tools

Download adb and fastboot from Google and unzip

wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip
unzip platform-tools-latest-linux.zip -d ~

Add the following to ~/.profile

# add Android SDK platform tools to path
if [ -d "$HOME/platform-tools" ] ; then
    PATH="$HOME/platform-tools:$PATH"
fi

Install Git

sudo apt install git

Clone the following repository and run its setup script

cd ~/
git clone https://github.com/akhilnarang/scripts
cd scripts
./setup/android_build_env.sh

Repo

Create these directories

mkdir -p ~/bin
mkdir -p ~/android/pe

Install Repo

curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo

Add ~/bin to Path

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

Reload ~/.profile

source ~/.profile

Configure Git

git config --global user.email "you@example.com"
git config --global user.name "Your Name"

Initialize the Pixel Experience repository

cd ~/android/pe
repo init -u https://github.com/PixelExperience/manifest -b eleven-plus

Download the source. This could take a long time depending on your internet connection.

repo sync -c -j$(nproc --all) --force-sync --no-clone-bundle --no-tags

Download the device specific sources like kernel and device tree

source build/envsetup.sh
lunch aosp_sweet-userdebug

Edit kernel config

Add kernel features and modules. In a new terminal browse to the kernel source

cd kernel/xiaomi/sm6150

Edit the kernel configuration

export ARCH=arm64
make sweet_user_defconfig
make menuconfig

For Kali Nethunter to function optimally, we need to enable a few kernel features and add some modules. Enable them by following the guide below or download my config. Unzip the config and place it in the configuration directory of the kernel (kernel/xiaomi/sm6150/arch/arm64/configs/).

General Setup

In General Setup

  • clear “Local version”
  • select “System V IPC” (CONFIG_SYSVIPC=y)

Loadable Module Support

In Enable loadable module support

  • Enable “loadable module support” (CONFIG_MODULES=y)
  • select “Module unloading” (CONFIG_MODULE_UNLOAD=y)
  • select “Module versioning support” (CONFIG_MODVERSIONS=y)
  • select “Forced module unloading” (CONFIG_MODULE_FORCE_UNLOAD=y)

Bluetooth

In Networking support -> Bluetooth subsystem support -> Bluetooth device drivers

  • select “HCI USB driver” (CONFIG_BT_HCIBTUSB=m)
  • select “Broadcom protocol support” (CONFIG_BT_HCIBTUSB_BCM=y)
  • select “Realtek protocol support” (CONFIG_BT_HCIBTUSB_RTL=y)
  • select “HCI UART driver” (CONFIG_BT_HCIUART=m)
  • select “HCI BCM203x USB driver” (CONFIG_BT_HCIBCM203X=m)
  • select “HCI BPA10x USB driver” (CONFIG_BT_HCIBPA10X=m)
  • select “HCI BlueFRITZ! USB driver” (CONFIG_BT_HCIBFUSB=m)

MAC80211

In Networking support -> Wireless

  • select “cfg80211 wireless extensions compatibility” (CONFIG_CFG80211_WEXT=y)
  • select “Generic IEEE 802.11 Networking Stack (mac80211)” (CONFIG_MAC80211=m)
  • select “Enable mac80211 mesh networking (pre-802.11s) support” (CONFIG_MAC80211_MESH=y)

Ethernet

In Device Drivers -> Network Device Support -> USB Network Adapters

  • select “USB RTL8150 based ethernet device support” (CONFIG_USB_RTL8150=m)
  • select “Realtek RTL8152/RTL8153 Based USB Ethernet Adapters” (CONFIG_USB_RTL8152=m)

SDR

In Device Drivers -> Multimedia support

  • select “Digital TV support” (CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y)
  • select “Software defined radio support” (CONFIG_MEDIA_SDR_SUPPORT=y)

Deselect at the bottom of the page

  • Autoselect ancillary drivers (tuners, sensors, i2c, spi, frontends) (CONFIG_MEDIA_SUBDRV_AUTOSELECT=n)

In Device Drivers -> Multimedia support -> Customize TV tuners

Deselect all, except these

  • select “Realtek RTL2830 DVB-T” (CONFIG_DVB_RTL2830=m)
  • select “Realtek RTL2832 DVB-T” (CONFIG_DVB_RTL2832=m)
  • select “Realtek RTL2832 SDR” (CONFIG_DVB_RTL2832_SDR=m)
  • select “Silicon Labs Si2168” (CONFIG_DVB_SI2168=m)
  • select “ZyDAS ZD1301” (CONFIG_DVB_ZD1301_DEMOD=m)

In Device Drivers -> Multimedia -> DVB/ATSC adapters -> Customize DVB Frontends

  • select “AirSpy” (CONFIG_USB_AIRSPY=m)
  • select “HackRF” (CONFIG_USB_HACKRF=m)
  • select “Mirics MSi2500” (CONFIG_USB_MSI2500=m)

USB Modem

In Device Drivers -> USB support

  • select “USB Modem (CDC ACM) support” (CONFIG_USB_ACM=y)

USB Gadget

In Device Drivers -> USB support -> USB Gadget Support 

  • select “Generic serial bulk in/out” (CONFIG_USB_CONFIGFS_SERIAL=y)
  • select “Abstract Control Model (CDC ACM)” (CONFIG_USB_CONFIGFS_ACM=y)
  • select “Object Exchange Model (CDC OBEX)” (CONFIG_USB_CONFIGFS_OBEX=y)
  • select “Network Control Model (CDC NCM)” (CONFIG_USB_CONFIGFS_NCM=y)
  • select “Ethernet Control Model (CDC ECM)” (CONFIG_USB_CONFIGFS_ECM=y)
  • select “Ethernet Control Model (CDC ECM) subset” (CONFIG_USB_CONFIGFS_ECM_SUBSET=y)
  • select “RNDIS” (CONFIG_USB_CONFIGFS_RNDIS=y)
  • select “Ethernet Emulation Model (EEM)” (CONFIG_USB_CONFIGFS_EEM=y)
  • select “Mass Storage” (CONFIG_USB_CONFIGFS_MASS_STORAGE=y)

Wireless LAN

In Device Drivers -> Network Device Support -> Wireless LAN 

Atheros
  • select “Atheros/Qualcomm devices” (CONFIG_WLAN_VENDOR_ATH=y)
  • select “Atheros HTC based wireless cards support” (CONFIG_ATH9K_HTC=m)
  • select “Linux Community AR9170 802.11n USB support” (CONFIG_CARL9170=m)
  • select “Atheros mobile chipsets support” (CONFIG_ATH6KL=m)
  • select “Atheros ath6kl USB support” (CONFIG_ATH6KL_USB=m)

MediaTek
  • select “MediaTek devices” (CONFIG_WLAN_VENDOR_MEDIATEK=y)
  • select “MediaTek MT7601U (USB) support” (CONFIG_MT7601U=y)
  • select “Ralink devices” (CONFIG_WLAN_VENDOR_RALINK=y)
  • select “Ralink driver support” (CONFIG_RT2X00=m)

In Ralink driver support enable

  • select “Ralink rt2500 (USB) support” (CONFIG_RT2500USB=m)
  • select “Ralink rt2501/rt73 (USB)” (CONFIG_RT73USB=m)
  • select “Ralink rt27xx/rt28xx/rt30xx (USB)” (CONFIG_RT2800USB=y)
  • select “rt2800usb – Include support for rt33xx devices” (CONFIG_RT2800USB_RT33XX=y)
  • select “rt2800usb – Include support for rt35xx devices” (CONFIG_RT2800USB_RT35XX=y)
  • select “rt2800usb – Include support for rt3573 devices” (CONFIG_RT2800USB_RT3573=y)
  • select “rt2800usb – Include support for rt53xx devices” (CONFIG_RT2800USB_RT53XX=y)
  • select “rt2800usb – Include support for rt55xx devices” (CONFIG_RT2800USB_RT55XX=y)
  • select “rt2800usb – Include support for unknown (USB)” (CONFIG_RT2800USB_UNKNOWN=y)

Realtek
  • select “Realtek devices” (CONFIG_WLAN_VENDOR_REALTEK=y)
  • select “Realtek 8187 and 8187B USB support” (CONFIG_RTL8187=m)
  • select “Realtek rtlwifi family of devices” (CONFIG_RTL_CARDS=m)
  • select “RTL8723AU/RTL8188[CR]U/RTL819[12]CU (mac80211) support” (CONFIG_RTL8192CU=m)
  • select “Include support for untested Realtek 8xxx USB devices” (CONFIG_RTL8XXXU_UNTESTED=y)

Others
  • select “ZyDAS devices” (CONFIG_WLAN_VENDOR_ZYDAS=y)
  • select “USB ZD1201 based Wireless device support” (CONFIG_USB_ZD1201=m)
  • select “ZyDAS ZD1211/ZD1211B USB-wireless support” (CONFIG_ZD1211RW=y)
  • select “Wireless RNDIS USB support” (CONFIG_USB_NET_RNDIS_WLAN=m)

Save and exit out of menuconfig and copy the new configuration to the kernel config

cp .config arch/arm64/configs/sweet_user_defconfig
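
A quick check of the saved configuration, as an added example that is not part of the original post: the script compares a config file against a subset of the options listed above (extend REQUIRED with the rest) and reports every value that differs. The function names and the embedded sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check a kernel config file
# against options chosen in the guide. Values must match exactly as listed.
REQUIRED="CONFIG_SYSVIPC=y CONFIG_MODULES=y CONFIG_MAC80211=m
CONFIG_BT_HCIBTUSB=m CONFIG_USB_CONFIGFS_RNDIS=y CONFIG_MT7601U=y
CONFIG_ATH9K_HTC=m CONFIG_RT2800USB=y CONFIG_MEDIA_SUBDRV_AUTOSELECT=n"

# Print one line per option whose value differs; return 1 if any differ.
check_config() {
    cfg=$1
    bad=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for want in $REQUIRED; do
        sym=${want%%=*}
        val=${want#*=}
        # Disabled symbols appear as "# CONFIG_X is not set" or not at all,
        # so a symbol without a "CONFIG_X=" line counts as "n".
        have=$(sed -n "s/^$sym=//p" "$cfg" | head -n 1)
        [ -n "$have" ] || have=n
        if [ "$have" != "$val" ]; then
            echo "$sym: want $val, have $have"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: MAC80211 disabled, MT7601U built as a module instead
# of built in, ATH9K_HTC missing, driver autoselect still switched on.
sample_config() {
    cat <<'EOF'
CONFIG_SYSVIPC=y
CONFIG_MODULES=y
# CONFIG_MAC80211 is not set
CONFIG_BT_HCIBTUSB=m
CONFIG_USB_CONFIGFS_RNDIS=y
CONFIG_MT7601U=m
CONFIG_RT2800USB=y
CONFIG_MEDIA_SUBDRV_AUTOSELECT=y
EOF
}

if [ -n "${1:-}" ]; then
    check_config "$1"            # config path given on the command line
else
    tmp=$(mktemp) && sample_config > "$tmp"
    check_config "$tmp" || echo "sample: the options above need fixing"
    rm -f "$tmp"
fi
```

Run it with the path to the config as its only argument; without an argument it checks the embedded sample.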

For good practice do a make mrproper in the root of the kernel directory

make mrproper

Build the ROM

Turn cache on

export USE_CCACHE=1
export CCACHE_EXEC=/usr/bin/ccache
ccache -M 50G

Start the build process

mka bacon -j$(nproc --all)

Install the ROM

Before flashing anything onto the phone, we first need to unlock the bootloader. Xiaomi applies a ‘delay’ period of 168 hours (7 days) between applying for the unlock and actually being able to unlock the bootloader, so you will have to wait one week before unlocking.

  • Place a SIM card in the phone and disable WiFi
  • Go to Settings → About Phone → Tap MIUI version 5 times to enable Developer Options.
  • Next go to Settings → Additional settings → Developer Options.
  • In Developer Options, turn on the OEM Unlocking and USB debugging toggles.
  • Turn on your mobile data. You have to turn on mobile data from the same SIM with which you created your Mi account.
  • Tap on Mi Unlock status, then hit the Agree button.
  • After that, tap on “Add Account and Device”.
  • Make sure that you have a balance on your SIM, and avoid any warning message on your screen.
  • Then power off your phone.
  • Once done, boot your phone into Fastboot mode: press Volume Down and the Power button simultaneously for a couple of seconds.

OrangeFox Recovery

Download OrangeFox or TWRP. Boot the phone into fastboot mode by holding down the volume down button and simultaneously pressing the power button. Connect the phone to the computer using a USB cable and run

fastboot flash recovery recovery.img

Boot into recovery mode by powering off the phone and holding down the volume up key together with the power button. Or use the fastboot method

fastboot reboot recovery

Pixel Experience

In OrangeFox first wipe the phone clean by going to the Wipe tab and tapping on Advanced Wipe. Type “yes” to start the wiping process. After that go to Files and search for the Pixel Experience zip file we’ve previously created or downloaded and select “Swipe to install”

Magisk

Navigate to Magisk, download the latest flashable zip and copy it onto the phone.

Boot up the phone and install the Magisk Manager app.

After flashing Magisk, reboot the phone and head over to Magisk Manager.

Install Wireless Firmware for Nethunter

For the wireless modules to be used by Nethunter we need something called wireless firmware. This Magisk module will install the firmware for the following devices:

  • Ralink – RT2501, RT2501USB, RT2561, RT2561S, RT2571W, RT2600, RT2661, RT2671, RT2760, RT2790, RT2860, RT2870, RT2890, RT3070, RT3071, RT3090, RT3290, RT5201, RT5600
  • Realtek – RTL8188* (EU/FTV), RTL8192* (CU/EU/DE/SE), RTL8821/12* (AE/AU/BU), RTL8822BU
  • Atheros – AR9170, AR7010
  • Mediatek – MT7601u
  • Broadcom – bcm43xx (not tested), BRCM4335, BRCM4339, BRCM4354

Go to Magisk and in the modules tab search for “Wireless Firmware for Nethunter” and hit install.

Magisk doesn’t have its own (searchable) module repository any more. Please use Fox’s Magisk Module Manager instead.

Kali Nethunter

After installing the wireless firmware we can proceed to install Kali Nethunter.

Navigate to Kali and download the latest Generic ARM64 Nethunter zip file. Open Magisk Manager and select the Modules tab. From there click on install from storage and select the Kali Nethunter zip file you’ve previously downloaded.

This install could take a while since the full Kali chroot is going to be installed. After the install finishes hit Reboot.

Use the ROM

By selecting this ROM I’m guessing you know what you’re doing. But here are some pointers anyway.

HID

HID support is enabled in the kernel, but you have to set the USB mode when connected in order to get it working. Launch the Nethunter app and head over to USB Arsenal.

Here you can set the USB function. Select the Target (OS) and USB Function and hit SET USB FUNCTION. You’ve got a couple of options to set for USB Function.

  • reset – reset usb
  • hid – set usb to hid (Keyboard / Rubber Ducky attack etc)
  • mass_storage – set usb to mass storage
  • rndis – set usb to be used as a (4G/5G) tether
  • hid,mass_storage
  • rndis,hid
  • rndis,mass_storage
  • rndis,hid,mass_storage

Wifi

I’m using Custom Commands for loading modules I frequently use. Launch the Nethunter app and head over to Custom Commands. There we’ll create a command that will load the wireless modules we need (in this example: mt7601u, ath9k_htc and rt2800usb). Just create a new custom command and edit it like so

Bluetooth

Do the same for loading the Bluetooth module

Any other modules you’d like to add can be loaded the same way if you intend to use them often. Otherwise loading a module from the Android terminal will work just as well. (su -c modprobe -d /vendor/lib/modules <module name>)

SDR

Other SDR modules you could load for example

  • SDR
    • airspy
    • hackrf
    • rtl2830
    • rtl2832
    • zd1301_demod
    • si2168

Optional

Keychain

From AliExpress I’ve bought a USB type C OTG adapter together with a Ralink mt7601u. Bonded them together with a bit of shrink wrap. And voila, a key-chain wireless adapter for Nethunter.

GPU Acceleration

So you’re using Wifite to crack WPA hashes and your phone isn’t cutting it. Then take a look at this post if you want the power of a (Nvidia) GPU in the field.

Finished

Happy hunting!
