内容整理自肉丝姐的安卓入门课
nexus 5x 刷机指北,其它手机类似
环境搭建
首先下载肉丝姐提供的kali系统
https://github.com/r0ysue/AndroidSecurityStudy/blob/master/FART/kali-linux-2019-4-vmware-amd64-zip.torrent
账号:root
密码:toor
修改时区
dpkg-reconfigure tzdata
选择Asia→Shanghai
安装软件
apt install xfonts-intl-chinese
apt install ttf-wqy-microhei
apt install tmux jnettop
下载Android Studio
wget https://redirector.gvt1.com/edgedl/android/studio/ide-zips/4.0.1.0/android-studio-ide-193.6626763-linux.tar.gz
解压并运行,一路默认即可,不要设置代理,最后会下载一些依赖sdk等
要是下载的慢,可以用手机流量开热点下载
添加adb
vim ~/.bashrc
PATH=$PATH:/root/Android/Sdk/platform-tools
source ~/.bashrc
安卓镜像
wget https://dl.google.com/dl/android/aosp/bullhead-opm1.171019.011-factory-3be6fd1c.zip
7z x bullhead-opm1.171019.011-factory-3be6fd1c.zip
开始刷机
关机状态同时按住“音量减”和“电源”直到手机开机,进入 bootloader
确保 adb 和 fastboot 存在, 将手机连接到虚拟机内,把那个不在询问勾上,确保手机连接的是虚拟机而不是物理机,否则虚拟机可能会卡死
确保手机已解锁,未解锁输入 fastboot oem unlock
解锁,
root@kali:~/Downloads# cd bullhead-opm1.171019.011/
root@kali:~/Downloads/bullhead-opm1.171019.011# ls
bootloader-bullhead-bhz31a.img flash-all.sh image-bullhead-opm1.171019.011.zip
flash-all.bat flash-base.sh radio-bullhead-m8994f-2.6.40.4.04.img
root@kali:~/Downloads/bullhead-opm1.171019.011# ./flash-all.sh
Sending 'bootloader' (4620 KB) OKAY [ 0.625s]
Writing 'bootloader' OKAY [ 0.182s]
Finished. Total time: 0.849s
Rebooting into bootloader OKAY [ 0.010s]
Finished. Total time: 0.061s
Sending 'radio' (56630 KB) OKAY [ 6.872s]
Writing 'radio' OKAY [ 0.974s]
Finished. Total time: 7.889s
Rebooting into bootloader OKAY [ 0.013s]
Finished. Total time: 0.068s
--------------------------------------------
Bootloader Version...: BHZ31a
Baseband Version.....: M8994F-2.6.40.4.04
Serial Number........: 0215f2aa23abaee8
--------------------------------------------
extracting android-info.txt (0 MB) to RAM...
Checking 'product' OKAY [ 0.018s]
Checking 'version-bootloader' OKAY [ 0.020s]
Checking 'version-baseband' OKAY [ 0.020s]
extracting boot.img (11 MB) to disk... took 0.029s
archive does not contain 'boot.sig'
Sending 'boot' (11785 KB) OKAY [ 1.439s]
Writing 'boot' OKAY [ 0.204s]
archive does not contain 'dtbo.img'
archive does not contain 'dt.img'
extracting recovery.img (17 MB) to disk... took 0.036s
archive does not contain 'recovery.sig'
Sending 'recovery' (17429 KB) OKAY [ 2.083s]
Writing 'recovery' OKAY [ 0.323s]
archive does not contain 'vbmeta.img'
archive does not contain 'vbmeta_system.img'
archive does not contain 'vendor_boot.img'
archive does not contain 'super_empty.img'
archive does not contain 'odm.img'
archive does not contain 'product.img'
extracting system.img (1909 MB) to disk... took 15.022s
archive does not contain 'system.sig'
Sending sparse 'system' 1/4 (512608 KB) OKAY [ 63.256s]
Writing 'system' OKAY [ 9.505s]
Sending sparse 'system' 2/4 (523962 KB) OKAY [ 62.638s]
Writing 'system' OKAY [ 9.653s]
Sending sparse 'system' 3/4 (494953 KB) OKAY [ 60.435s]
Writing 'system' OKAY [ 9.762s]
Sending sparse 'system' 4/4 (423449 KB) OKAY [ 50.828s]
Writing 'system' OKAY [ 7.702s]
archive does not contain 'system_ext.img'
extracting vendor.img (185 MB) to disk... took 1.232s
archive does not contain 'vendor.sig'
Sending 'vendor' (190300 KB) OKAY [ 22.550s]
Writing 'vendor' OKAY [ 3.885s]
archive does not contain 'vendor_dlkm.img'
Erasing 'userdata' OKAY [ 0.522s]
mke2fs 1.45.4 (23-Sep-2019)
Creating filesystem with 2874363 4k blocks and 719488 inodes
Filesystem UUID: 7ee79fef-b58e-48fb-95d0-2b7e5f13fa9c
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (124 KB) OKAY [ 0.111s]
Writing 'userdata' OKAY [ 0.018s]
Erasing 'cache' OKAY [ 0.082s]
mke2fs 1.45.4 (23-Sep-2019)
Creating filesystem with 24576 4k blocks and 24576 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (44 KB) OKAY [ 0.082s]
Writing 'cache' OKAY [ 0.014s]
Rebooting OKAY [ 0.020s]
Finished. Total time: 323.028s
root@kali:~/Downloads/bullhead-opm1.171019.011#
刷完了之后手机会自动重启, 刷机已经完成
TWRP
在物理机上下载,然后拖到虚拟机里面
https://eu.dl.twrp.me/bullhead/twrp-3.3.1-0-bullhead.img
手机再次进入 bootloader 模式
root@kali:~/Downloads# ls -al
total 1937804
drwxr-xr-x 4 root root 4096 Aug 30 16:11 .
drwxr-xr-x 20 root root 4096 Aug 30 15:31 ..
drwxrwxr-x 7 root root 4096 Jun 29 18:40 android-studio
-rw-r--r-- 1 root root 907569312 Jul 15 01:00 android-studio-ide-193.6626763-linux.tar.gz
drwxr-x--- 2 root root 4096 Nov 28 2017 bullhead-opm1.171019.011
-rw-r--r-- 1 root root 1059996441 Feb 19 2020 bullhead-opm1.171019.011-factory-3be6fd1c.zip
-rwxrw-rw- 1 root root 16713004 Aug 30 16:10 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb reboot bootloader
root@kali:~/Downloads# fastboot flash recovery twrp-3.3.1-0-bullhead.img
Sending 'recovery' (16321 KB) OKAY [ 2.222s]
Writing 'recovery' OKAY [ 0.291s]
Finished. Total time: 2.559s
root@kali:~/Downloads#
按两下音量减进入 recovery 模式
下面的划动条划到最右边显示所有的选项
Magisk
root@kali:~/Downloads# wget https://github.com/topjohnwu/Magisk/releases/download/v20.4/Magisk-v20.4.zip
root@kali:~/Downloads# ls
android-studio bullhead-opm1.171019.011-factory-3be6fd1c.zip
android-studio-ide-193.6626763-linux.tar.gz Magisk-v20.4.zip
bullhead-opm1.171019.011 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb push Magisk-v20.4.zip /sdcard/
adb: error: failed to get feature set: no devices/emulators found
root@kali:~/Downloads# adb push Magisk-v20.4.zip /sdcard/
Magisk-v20.4.zip: 1 file pushed, 0 skipped. 1.2 MB/s (5942417 bytes in 4.825s)
frida-server
root@kali:~/Downloads# wget https://github.com/frida/frida/releases/download/12.11.11/frida-server-12.11.11-android-arm64.xz
root@kali:~/Downloads# 7z x frida-server-12.11.11-android-arm64.xz
root@kali:~/Downloads# ls -al
total 1996216
drwxr-xr-x 4 root root 4096 Aug 30 16:43 .
drwxr-xr-x 20 root root 4096 Aug 30 16:41 ..
drwxrwxr-x 7 root root 4096 Jun 29 18:40 android-studio
-rw-r--r-- 1 root root 907569312 Jul 15 01:00 android-studio-ide-193.6626763-linux.tar.gz
drwxr-x--- 2 root root 4096 Nov 28 2017 bullhead-opm1.171019.011
-rw-r--r-- 1 root root 1059996441 Feb 19 2020 bullhead-opm1.171019.011-factory-3be6fd1c.zip
-rw-r--r-- 1 root root 41023080 Aug 26 02:29 frida-server-12.11.11-android-arm64
-rw-r--r-- 1 root root 12843976 Aug 26 02:29 frida-server-12.11.11-android-arm64.xz
-rwxrw-rw- 1 root root 5942417 Aug 30 16:24 Magisk-v20.4.zip
-rwxrw-rw- 1 root root 16713004 Aug 30 16:10 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb root
adbd is already running as root
root@kali:~/Downloads# adb push frida-server-12.11.11-android-arm64 /data/local/tmp/
frida-server-12.11.11-android-arm64: 1 file pu... skipped. 0.7 MB/s (41023080 bytes in 58.544s)
root@kali:~/Downloads#
install
进入 bootloader, 进入 recovery 模式,
手机上点击 install, 找到 Magisk-v20.4.zip,
点击该文件,划到最右边安装,安装完成之后重启手机即可
完成
第二套
刷 Kali NetHunter
下载
wget https://images.kali.org/nethunter/nethunter-2020.3-bullhead-oreo-kalifs-full.zip
wget https://download.chainfire.eu/1220/SuperSU/SR5-SuperSU-v2.82-SR5-20171001224502.zip?retrieve_file=1
root@kali:~/Downloads# adb reboot bootloader
root@kali:~/Downloads# fastboot flash recovery twrp-3.3.1-0-bullhead.img
Sending 'recovery' (16321 KB) OKAY [ 2.139s]
Writing 'recovery' OKAY [ 0.283s]
Finished. Total time: 2.465s
root@kali:~/Downloads# ls -al
total 3290304
drwxr-xr-x 4 root root 4096 Aug 30 17:51 .
drwxr-xr-x 20 root root 4096 Aug 30 16:41 ..
drwxrwxr-x 7 root root 4096 Jun 29 18:40 android-studio
-rw-r--r-- 1 root root 907569312 Jul 15 01:00 android-studio-ide-193.6626763-linux.tar.gz
drwxr-x--- 2 root root 4096 Nov 28 2017 bullhead-opm1.171019.011
-rw-r--r-- 1 root root 1059996441 Feb 19 2020 bullhead-opm1.171019.011-factory-3be6fd1c.zip
-rw-r--r-- 1 root root 41023080 Aug 26 02:29 frida-server-12.11.11-android-arm64
-rw-r--r-- 1 root root 12843976 Aug 26 02:29 frida-server-12.11.11-android-arm64.xz
-rwxrw-rw- 1 root root 5942417 Aug 30 16:24 Magisk-v20.4.zip
-rwxrw-rw- 1 root root 1318256428 Aug 30 17:43 nethunter-2020.3-bullhead-oreo-kalifs-full.zip
-rw-r--r-- 1 root root 6882992 Oct 2 2017 SR5-SuperSU-v2.82-SR5-20171001224502.zip
-rwxrw-rw- 1 root root 16713004 Aug 30 16:10 twrp-3.3.1-0-bullhead.img
root@kali:~/Downloads# adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard/SR5-SuperSU-v2.82-SR5-20171001224502.zip: 1 fil..., 0 skipped. 1.0 MB/s (6882992 bytes in 6.279s)
root@kali:~/Downloads# adb push nethunter-2020.3-bullhead-oreo-kalifs-full.zip /sdcard/
nethunter-2020.3-bullhead-oreo-kalifs-full.zip:...ipped. 0.7 MB/s (1318256428 bytes in 1883.874s)
root@kali:~/Downloads#
install
进入 bootloader, 进入 recovery 模式,
手机上点击 install, 找到 需要安装的模块,
点击该文件,划到最右边安装,安装完成之后重启手机即可
完成
网友评论