Intro
It was time to upgrade my old Redmi Note 7 with a new Redmi Note 10 Pro. Like the old phone, installed my favorite ROM Pixel Experience on it because i love the clean and intuitive appearance without the bloatware from Xiaomi. Plus Kali Nethunter installed on top for mobile pentesting purposes.
Pixel Experience
Download my ROM
You can build it yourself using the guide below or just download my pre-built ROM. This ROM has all the features enabled Kali Nethunter suggests and has module support for a lot of WiFi, Bluetooth and SDR devices.
Skip to chapter Install the ROM if you just want to install the Kali Nethunter ROM without building it yourself.
Please keep in mind that i’m NOT responsible for bricking your phone. This procedure is done entirely at your own risk.
Build the ROM yourself
Platform Tools
Download adb and fastboot from Google and unzip
wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip
unzip platform-tools-latest-linux.zip -d ~
Add the following to ~/.profile
# add Android SDK platform tools to path
if [ -d "$HOME/platform-tools" ] ; then
PATH="$HOME/platform-tools:$PATH"
fi
Install Git
sudo apt install git
Git clone the following script and execute
cd ~/
git clone https://github.com/akhilnarang/scripts
cd scripts
./setup/android_build_env.sh
Repo
Create these directories
mkdir -p ~/bin
mkdir -p ~/android/pe
Install Repo
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo
Add ~/bin to Path
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
Update ~/.profile
source ~/.profile
Configure Git
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
Initialize the Pixel Experience repository
cd ~/android/pe
repo init -u https://github.com/PixelExperience/manifest -b eleven-plus
Download the source. This could take a long time depending on your internet connection.
repo sync -c -j$(nproc --all) --force-sync --no-clone-bundle --no-tags
Download the device specific sources like kernel and device tree
source build/envsetup.sh
lunch aosp_sweet-userdebug
Edit kernel config
Add kernel features and modules. In a new terminal browse to the kernel source
cd kernel/xiaomi/sm6150
Edit the kernel configuration
export ARCH=arm64
make sweet_user_defconfig
make menuconfig
For Kali Nethunter to optimally function we need to enable a few kernel features and add some modules. Enable them by following the guide below or download my config. Unzip the config and place it in the configuration directory of the kernel (kernel/xiaomi/sm6150/arch/arm64/configs/)
General Setup
In General Setup
- clear “Local version”
- select “System V IPC” (CONFIG_SYSVIPC=y)
Loadable Module Support
In Enable loadable module support
- Enable “loadable module support” (CONFIG_MODULES=y):
- select “Module unloading” (CONFIG_MODULE_UNLOAD=y)
- select “Module versioning support” (CONFIG_MODULE_UNLOAD=y)
- select “Forced module unloading” (CONFIG_MODULE_FORCE_UNLOAD=y)
Bluetooth
In Networking support -> Bluetooth subsystem support -> Bluetooth device drivers
- select “HCI USB driver” (CONFIG_BT_HCIBTUSB=m)
- select “Broadcom protocol support” (CONFIG_BT_HCIBTUSB_BCM=y)
- select “Realtek protocol support” (CONFIG_BT_HCIBTUSB_RTL=y)
- select “HCI UART driver” (CONFIG_BT_HCIUART=m)
- select “HCI BCM203x USB driver” (CONFIG_BT_HCIBCM203X=m)
- select “HCI BPA10x USB driver” (CONFIG_BT_HCIBPA10X=m)
- select “HCI BlueFRITZ! USB driver” CONFIG_BT_HCIBFUSB=m)
MAC80211
In Networking support -> Wireless
- select “cfg80211 wireless extensions compatibility” (CONFIG_CFG80211_WEXT=y)
- select “Generic IEEE 802.11 Networking Stack (mac80211)” (CONFIG_MAC80211=m)
- select “Enable mac80211 mesh networking (pre-802.11s) support” (CONFIG_MAC80211_MESH=y)
Ethernet
In Device Drivers -> Network Device Support -> USB Network Adapters
- select “USB RTL8150 based ethernet device support” (CONFIG_USB_RTL8150=m)
- select “Realtek RTL8152/RTL8153 Based USB Ethernet Adapters” (CONFIG_USB_RTL8152=m)
SDR
In Device Drivers -> Multimedia support
- select “Digital TV support” (CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y)
- select “Software defined radio support” (CONFIG_MEDIA_SDR_SUPPORT=y)
Deselect at the bottom of the page
- Autoselect ancillary drivers (tuners, sensors, i2c, spi, frontends) (CONFIG_MEDIA_SUBDRV_AUTOSELECT=n)
In Device Drivers -> Multimedia support-> Customize TV tuners
Deselect all, except these
- select “Realtek RTL2830 DVB-T” (CONFIG_DVB_RTL2830=m)
- select “Realtek RTL2832 DVB-T” (CONFIG_DVB_RTL2832=m)
- select “Realtek RTL2832 SDR” (CONFIG_DVB_RTL2832_SDR=m)
- select “Silicon Labs Si2168” (CONFIG_DVB_SI2168=m)
- select “ZyDAS ZD1301” (CONFIG_DVB_ZD1301_DEMOD=m)
In Device Drivers -> Multimedia -> DVB/ATSC adapters -> Customize DVB Frontends
- select “AirSpy” (CONFIG_USB_AIRSPY=m)
- select “HackRF” (CONFIG_USB_HACKRF=m)
- select “Mirics MSi2500” (USB_MSI2500=m)
USB Modem
in Device Drivers -> USB support
- select USB Modem (CDC ACM) support (CONFIG_USB_ACM=y)
USB Gadget
In Device Drivers -> USB support -> USB Gadget Support
- select “Generic serial bulk in/out” (CONFIG_USB_CONFIGFS_SERIAL=y)
- select “Abstract Control Model (CDC ACM)” (CONFIG_USB_CONFIGFS_ACM=y)
- select “Object Exchange Model (CDC OBEX)” (CONFIG_USB_CONFIGFS_OBEX=y)
- select “Network Control Model (CDC NCM)” (CONFIG_USB_CONFIGFS_NCM=y)
- select “Ethernet Control Model (CDC ECM)” (CONFIG_USB_CONFIGFS_ECM=y)
- select “Ethernet Control Model (CDC ECM) subset” (CONFIG_USB_CONFIGFS_ECM_SUBSET=y)
- select “RNDIS” (CONFIG_USB_CONFIGFS_RNDIS=y)
- select “Ethernet Emulation Model (EEM)” (CONFIG_USB_CONFIGFS_EEM=y)
- select “Mass Storage” (CONFIG_USB_CONFIGFS_MASS_STORAGE=y)
Wireless LAN
In Device Drivers -> Network Device Support -> Wireless LAN
Atheros
- select “Atheros/Qualcomm devices” (CONFIG_WLAN_VENDOR_ATH=y)
- select “Atheros HTC based wireless cards support” (CONFIG_ATH9K_HTC=m)
- select “Linux Community AR9170 802.11n USB support” (CONFIG_CARL9170=m)
- select “Atheros mobile chipsets support” (CONFIG_ATH6KL=m)
- select “Atheros ath6kl USB support” (CONFIG_ATH6KL_USB=m)
MediaTek
- select “MediaTek devices” (CONFIG_WLAN_VENDOR_MEDIATEK=y)
- select “MediaTek MT7601U (USB) support” (CONFIG_MT7601U=y)
Ralink
- select “Ralink devices” (CONFIG_WLAN_VENDOR_RALINK=y)
- select “Ralink driver support” (CONFIG_RT2X00=m)
In Ralink driver support enable
- select “Ralink rt2500 (USB) support” (CONFIG_RT2500USB=m)
- select “Ralink rt2501/rt73 (USB)”*** (CONFIG_RT73USB=m)
- select “Ralink rt27xx/rt28xx/rt30xx (USB)” (CONFIG_RT2800USB=y)
- select “rt2800usb – Include support for rt33xx devices” (CONFIG_RT2800USB_RT33XX=y)
- select “rt2800usb – Include support for rt35xx devices” (CONFIG_RT2800USB_RT35XX=y)
- select “rt2800usb – Include support for rt3573 devices” (CONFIG_RT2800USB_RT3573=y)
- select “rt2800usb – Include support for rt53xx devices” (CONFIG_RT2800USB_RT53XX=y)
- select “rt2800usb – Include support for rt55xx devices” (CONFIG_RT2800USB_RT55XX=y)
- select “rt2800usb – Include support for unknown (USB)” (CONFIG_RT2800USB_UNKNOWN=y)
Realtek
- select “Realtek devices” (CONFIG_WLAN_VENDOR_REALTEK=y)
- select “Realtek 8187 and 8187B USB support” (CONFIG_RTL8187=m)
- select “Realtek rtlwifi family of devices” (CONFIG_RTL_CARDS=m)
- select “RTL8723AU/RTL8188[CR]U/RTL819[12]CU (mac80211) support” (CONFIG_RTL8192CU=m)
- select “Include support for untested Realtek 8xxx USB devices” (CONFIG_RTL8XXXU_UNTESTED=y)
Others
- select “ZyDAS devices” (CONFIG_WLAN_VENDOR_ZYDAS=y)
- select “USB ZD1201 based Wireless device support” (CONFIG_USB_ZD1201=m)
- select “ZyDAS ZD1211/ZD1211B USB-wireless support” (CONFIG_ZD1211RW=y)
- select “Wireless RNDIS USB support” (CONFIG_USB_NET_RNDIS_WLAN=m)
Save and exit out of menuconfig and copy the new configuration to the kernel config
cp .config arch/arm64/sweet_user_defconfig
For good practice do a make mrproper in the root of the kernel directory
make mrproper
To let the build finish succesfully we need to disable OTA Compatibility Check. In the Pixel Experience root
nano build/make/tools/releasetools/ota_from_target_files.py
Around line 264 set skip_compatibility_check to True
OPTIONS.skip_compatibility_check = True
Edit another file to suppress the message “there is an internal problem with your device”
nano frameworks/base/core/java/android/os/Build.java
Comment out or remove the code within the isBuildConsistent function and let it just return true
public static boolean isBuildConsistent() {
return true;
}
Build the ROM
Turn cache on
export USE_CCACHE=1
export CCACHE_EXEC=/usr/bin/ccache
ccache -M 50G
Start the build process
mka bacon -j$(nproc --all)
Install the ROM
Before flashing anything onto the phone, we first need to unlock the bootloader. Xiaomi applies a ‘delay’ period between applying for the unlock procedure and actually being able to unlock the bootloader of 168 hours. (7 days) So you will have to wait one week before unlocking.
- Place a SIM card in the phone and disable WiFi
- Go to Settings → About Phone → Tap MIUI version 5 times to enable Developer Options.
- Next go Settings → Additional settings → Developer Option.
- In Developer Option → Turn on the toggle button OEM Unlocking and USB debugging options.
- Turn on your mobile data. You have to turn on mobile data from the same SIM from which you have created your Mi account.
- Tap on Mi Unlock status. And then hit the Agree button.
- After that, you have to tap on “Add Account and Device“.
- Make sure that you have a balance on your SIM. and avoid warning message on your screen.
- Then, Power off your phone.
- Once done, boot your phone into the Fastboot mode. Press Volume Down and Power Button simultaneously for a couple of seconds.
OrangeFox Recovery
Download OrangeFox recovery from here. Boot the phone into fastboot mode by holding down the volume button and simultaneously holding down the power button. Connect the phone to the computer using an usb cable and launch
fastboot flash recovery recovery.img
Boot into recovery mode by powering off the phone and hold down the volume up key together with the power button. Or use the fastboot method
fastboot reboot recovery
Pixel Experience
In OrangeFox first wipe the phone clean by going to the Wipe tab and tapping on Advanced Wipe. Type “yes” to start the wiping process. After that go to Files and search for the Pixel Experience zip file we’ve previously created or downloaded and select “Swipe to install”

Magisk
Navigate to Magisk and download the latest flashable zip and copy it onto the phone
Bootup the phone and install the Magisk Manager App

After flashing Magisk. Reboot the phone and head over to Magisk Manager
Install Wireless Firmware for Nethunter
For the wireless modules to be used by Nethunter we need something called wireless firmware. This Magisk module will install the firmware for the following devices:
- Ralink – RT2501, RT2501USB, RT2561, RT2561S, RT2571W, RT2600, RT2661, RT2671, RT2760, RT2790, RT2860, RT2870, RT2890, RT3070, RT3071, RT3090, RT3290, RT5201, RT5600
- Realtek – RTL8188* (EU/FTV), RTL8192* (CU/EU/DE/SE), RTL8821/12* (AE/AU/BU), RTL8822BU
- Atheros – AR9170, AR7010
- Mediatek – MT7601u
- Broadcom – bcm43xx (not tested), BRCM4335, BRCM4339, BRCM4354
Go to Magisk and in the modules tab search for “Wireless Firmware for Nethunter” and hit install.
Update: Seems like Magisk doesn’t have it’s own (searchable) module repository any more. Please use Fox’s Magisk Module Manager instead.
Kali Nethunter
After installing the wireless firmware we can proceed to install Kali Nethunter.
Navigate to Kali and download the latest Generic ARM64 Nethunter zip file. Open Magisk Manager and select the Modules tab. From there click on install from storage and select the Kali Nethunter zip file you’ve previously downloaded.
This install could take a while since the full Kali chroot is going to be installed. After the install finishes hit Reboot.
Use the ROM
By selecting this ROM i’m guessing you know what you’re doing. But here are some pointers anyway.
HID
HID support is enabled in the kernel, but you have so set the USB mode when connected in order to get it working. Launch the Nethunter app and head over to USB Arsenal
Here you can set the USB function. Select the Target (OS) and USB Function and hit SET USB FUNCTION. You’ve got a couple of options to set for USB Function.
- reset – reset usb
- hid – set usb to hid (Keyboard / Rubber Ducky attack etc)
- mass_storage – set usb to mass storage
- rndis – set usb to be used as a (4G/5G) tether
- hid,mass_storage
- rndis,hid
- rndis,mass_storage
- rndis,hid,mass_storage

Wifi
I’m using Custom Commands for loading modules i frequently use. Launch the Nethunter app and head over to Custom Commands. There we’ll create a command that will load all the Wireless modules. Just create a new custom command and edit is like so

Bluetooth
Do the same for loading the Bluetooth module

Any other modules you’d like to add came be loaded the same way if you intent to use them often. Otherwise loading a module from the Android terminal will work just as well. (su -c modprobe -d /vendor/lib/modules <package name>)
SDR
Other SDR modules you could load for example
- SDR
- airspy
- hackrf
- rtl2830
- rtl2832
- zd1301_demod
- si2168
Optional
ANX Camera
The default camera in Pixel Experience is a generic piece of software that is intended to work on just about any Android phone. To fully utilize the 108 megapixel camera with all it’s features (macro, slow motion mode etc) we need to install ANX Camera. This piece of software is a clone of the camera software supplied by Xiaomi and supports all the features the embedded camera does.
Head over to ANX Camera and download the Noid Full Version modded for R (185R) Go to Magisk Manager and from the modules tab select install from storage and select the ANXCamera file you’ve downloaded.
Next download the patch for the Redmi Note 10 Pro and flash it again with Magisk
Keychain
From Aliexpress I’ve bought a USB type C OTG adapter together with a Ralink mt7601u. Bonded them together with a bit of shrink rap. And voila, a key-chain wireless adapter for Nethunter.

Finished
Happy hunting !
PayPal
So this is not the ROM you’re looking for because you have another type of Android phone. Not to worry. I will custom build a Kali Nethunter ROM for any type of Android phone you want.
For just € 250,- you will get a custom ROM based on Pixel Experience (Android 11 or 12) which will have all the WiFi/Bluetooth/SDR/HID drivers suggested by Kali Nethunter.
Custom Kali Nethunter ROM |
If you like my work, please consider supporting.
Isn’t there a kernel which I can flash on any aosp ROM ,directly without building acustom ROM every time I decide to update it,
And thank you for your usefull blog.
You should be able to build a flashable zip for any AOSP ROM by extracting the Image-gz.dtb and modules. See these steps: https://wvthoog.nl/mobile-pentesting-android-11-update/#AnyKernel3
Will this unofficial pixel experience built get updates
No OTA updates for the ROM have been built in. So no. While having said that, i have seen some security updates been pushed to the device.
Because ,I’m new to this
I won’t be able to do that
So what about flashing this rom , rooting it
and make a backup of kernels by an app called flashify
Will this work
Think it’s easier to just flash the boot.img (which contains the kernel and the modules) with TWRP or Orange Fox recovery. I can extract the boot.img and make it available for download.
I read about something called arb
(anti-rollback) should I be afraid of ?
Or I can just flash what ever rom I want ?
Thank you very much for your help.
Yeah read about that as well. Didn’t have any problems unlocking my bootloader and flashing this ROM. But i immediately upgraded to PE without updating Xiaomi’s ROM
Can I flash this boot.img in orangefox just as flashing a kernel ?
I have the zip file I think I can extract it.
Yes, you have to select flash image instead of zip. Then select the boot.img and flash it to the boot partition
Thank you
I successfully installed your rom but
I noticed that screen blinks alot
Is there something like that happened with you
You installed (only) the kernel right ? (boot.img) I don’t have that issue with the full installation of the ROM. But maybe you can ‘play’ with the herz settings of the screen. I’m running at 120Hz
I installed the whole rom
Mail me using the form in the About Me page. Let me see what i can do
I mean flickering
Will system encryption affect nethunter
Don’t know actually. But Nethunter is a chroot environment, so i doubt it will be affected.
Hello , sur
Could you please advise me a wireless adapter to buy
I think to buy tp-link tl-lwn772n adapter ,
But I think that rtl8188eus driver didn’t included in this artcle ,?
The original (v1) TP-Link TL-WN722N (Atheros based) is one of the best adapters with an external antenna. If you’d want something to hang of a key-chain, go for a Mediatek MT7601u.
You are correct about the RTL8188EUS. I haven’t included it since it doesn’t offer a native kernel module.
Thank you,sir
Is there any another supported cheap adapter in this rom, because I can’t find v1 in my country ,
Just buy them of AliExpress. Search for one of these supported chipsets
-Atheros AR9170
-MediaTek MT7601U
-Ralink rt2500
-Ralink rt2501/rt73
-Ralink rt27xx/rt28xx/rt30xx
-Realtek 8187 and 8187B
-Realtek RTL8723AU/RTL8188[CR]U/RTL819[12]CU
-Realtek 8xxx
Hello,sir
I have a question
Do these drivers stored on the kernel of this builded rom ?
The ROM has the drivers included as modules. So yes
thank for great job
how i can include tp-link tl 722n v3 driver with monitor mode support
because its only available for me
and can enable monitor mode on built-in antinna ?
Hello,sir
Do you still usong this rom ?
Yes i am
Good tutorial, congrats.
I’ve always used a kali kernerless installation though (after installing the custom kernel I mean), your approach seem to be equally effective but I wonder if there’s any downside with installing the full generic ROM instead of a custom rom with no kernel. I’ve also normally used TWRP for this matter instead of Magisk.
But overall yeah, you nailed it.
The downside would be that installing the generic Nethunter ROM would lack kernel modifications and modules (wifi, bluetooth and sdr) that Kali suggests.