Why
I used my Nexus 5 for two years. The battery got worse and worse—going from charging once a day to three times a day. When I was out, even plugged into a power bank, the battery percentage still kept dropping. It ended up dying and going offline by itself multiple times, which delayed a lot of things.

So I bought a Nubia Z11: a 2.5D glass screen, almost bezel-less look, nice design, good performance, decent battery life, and fast charging—suitable for daily use.



After the Nexus 5 was left idle, its standby time could surprisingly last more than a week. Now I finally found the real reason the battery became terrible: I had installed too much stuff. The old phone was simultaneously running Telegram, GAPPS, QQ, WeChat, Alipay, Meituan, Xianyu (and other battery hogs), plus Xposed Framework and Shadowsocks. No wonder it drained like crazy. So this time I planned to separate usage: Nexus 5 as the “work phone”, and Nubia Z11 as the “life/personal phone”.
I also tried to get a SIM card online using the information of someone who has the same name as me, but then I realized everything requires real-name verification now: not only holding an ID card, but also a photo of the ID card together with the SIM package.
That made it much harder. I took a look at the real-name verification site and found it was built on a customized version of xxshop: the frontend is a store where you can buy SIM cards, and the backend has a review function for verifying users’ identities.

Uploaded photos are renamed with random strings. If you know the upload directory, it’s possible to retrieve users’ photos by brute-forcing, but it’s quite difficult. Another approach would be to look for vulnerabilities, but the platform was heavily customized and not that easy to find issues in. Also it didn’t feel worth spending time on it, so I stopped there.
Tinkering
Starting from scratch
I started working on my backup phone. First I flashed back to the official firmware: Google factory images. Then I entered fastboot to flash TWRP recovery, and then booted into recovery to flash SuperSU.
Install, install, install
After entering the system, I installed my proxy/VPN first, and also the most important one: Coolapk. Must-haves:
Because my power button was broken and often got “stuck” as if it was being held down, the phone would power off or reboot nonstop. You can also see the SIM slot area cracked (many people’s phones crack here). So I had to take it apart.

In GravityBox I remapped the volume keys to act as the power key, double-tap the virtual Home button to turn off the screen, and disabled volume changes while listening to music—so I could also wake the phone while playing music.
I won’t talk about what Nethunter ships with by default. Here are a few apps I recommend:
- zANTI — MITM attacks
- IP Cam Viewer — monitor certain people
- Packet Capture — capture packets without root
- HiPER Calc Pro — a powerful calculator
- Larix Broadcaster — live streaming app
- DroidEdit — Sublime on Android, more usable than Jota+
- VNC Viewer
- Microsoft Remote Desktop — two remote desktop apps
I’m an Arch Linux user and I use KDE, so I installed KDE Connect on desktop and the mobile app as a wireless link between my phone and computer.


Finally, I flashed Kali Nethunter. I wrote a note last year, Trying Kali Nethunter, but it no longer applies today.
postgresql can’t start
After installing Nethunter, I found the postgresql service couldn’t start:
root@kali:~# service postgresql start
[....] Starting PostgreSQL 9.4 database server: main[....] The PostgreSQL server failed to start. Please check the log output:
2016-10-08 12:18:03 UTC [5618-1] FATAL: could not create shared memory segment: Function not implemented
2016-10-08 12:18:03 UTC [561[FAILDETAIL: Failed system call was shmget(key=5432001, size=40, 03600). ... failed!
The error was from shmget, so the shared-memory part was broken. My first guess was that the configured value might be too small.
root@kali:~# cat /proc/sys/kernel/shmmax
cat: /proc/sys/kernel/shmmax: No such file or directory
I checked the kernel and found this sysctl doesn’t exist at all, which was awkward. After Googling a lot, I finally saw the same situation in an Offensive Security GitHub issue. They already patched it, but the official release hadn’t changed yet, so you needed to build the package yourself.
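An added example, not part of the original post or the Nethunter project: "Function not implemented" is ENOSYS, meaning the running kernel does not implement shmget() at all, which is how a kernel built without System V IPC behaves and why shmmax is missing. The function below checks for that from the shell; the option name CONFIG_SYSVIPC, the `sysvipc_status` function and its ROOT argument are assumptions of this example, since the post does not name them.

```shell
#!/bin/sh
# Added example (not from the original post): does this kernel provide
# System V IPC, which PostgreSQL's shmget() call needs?
# Prints "present", "absent" or "unknown"; returns 0 only for "present".
# The optional ROOT argument is a hypothetical convenience so the check can
# be pointed at a copied or constructed /proc tree instead of the live one.
sysvipc_status() {
    root="${1:-/}"
    proc="${root%/}/proc"

    # 1. Authoritative when available: the build config exported by
    #    kernels compiled with CONFIG_IKCONFIG_PROC.
    if [ -r "$proc/config.gz" ] && cfg=$(gzip -dc "$proc/config.gz" 2>/dev/null); then
        if printf '%s\n' "$cfg" | grep -q '^CONFIG_SYSVIPC=y$'; then
            echo present; return 0
        fi
        echo absent; return 1
    fi

    # 2. Runtime evidence: a kernel with SysV IPC exposes /proc/sysvipc/
    #    and the kernel.shm* sysctls.
    if [ -d "$proc/sysvipc" ] || [ -e "$proc/sys/kernel/shmmax" ]; then
        echo present; return 0
    fi

    # 3. The sysctl tree is there but shmmax is not: the situation in the
    #    post ("No such file or directory"), so shmget() fails with ENOSYS.
    if [ -d "$proc/sys/kernel" ]; then
        echo absent; return 1
    fi

    echo unknown; return 2   # /proc not mounted or not readable
}

# Check the live system only when asked:  sh sysvipc_check.sh --live
if [ "${1:-}" = "--live" ]; then sysvipc_status /; fi
```

If the result is "absent", no sysctl setting will help: the kernel itself has to be replaced, which is what the rebuild that follows does.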
So I started building it. In fact, the device doesn’t have to be a Nexus 5 to flash Nethunter. I followed the official wiki step by step. First, download the Nethunter source and enter the installer directory:
git clone https://github.com/offensive-security/kali-nethunter
cd kali-nethunter/nethunter-installer
You can only build with Python 2 here. After reading the instructions, I ran the following command. The parameters are roughly: device codename hammerhead (Nexus 5), target system Marshmallow, and build kernel only.
Since I had already installed it once, this time I only built the kernel, and added a custom release name—let’s call it RBQ!
gorgias@3vil ~/g/k/nethunter-installer> python2 build.py -d hammerhead -m -k -r RBQ
Kernel: Copying common files...
Kernel: Copying armhf arch specific common files...
Kernel: Copying boot-patcher files...
Kernel: Copying armhf arch specific boot-patcher files...
Kernel: Configuring installer script for hammerhead
Kernel: Configuring boot-patcher script for hammerhead
Found kernel image at: devices/marshmallow/hammerhead/zImage-dtb
Creating ZIP file: kernel-nethunter-hammerhead-marshmallow-RBQ.zip
Added: zImage-dtb
Added: boot-patcher.sh
Added: env.sh
Added: patch.d-env
Added: META-INF/com/google/android/update-binary
Added: META-INF/com/google/android/updater-script
Added: ramdisk-patch/init.nethunter.rc
Added: ramdisk-patch/sbin/dvmediarevert
Added: ramdisk-patch/sbin/media_profiles.xml
Added: ramdisk-patch/sbin/dvbootscript.sh
Added: ramdisk-patch/sbin/hostapd
Added: tools/busybox
Added: tools/unpackbootimg
Added: tools/freespace.sh
Added: tools/installbusybox.sh
Added: tools/mkbootimg
Added: tools/lz4
Added: patch.d/01-ramdisk-patch
Added: patch.d/02-no-verity-opt-encrypt
Added: system/xbin/hid-keyboard
Added: system/etc/firmware/htc_9271.fw
Added: system/etc/firmware/ar9170-1.fw
Added: system/etc/firmware/ar9170-2.fw
Added: system/etc/firmware/rt2870.bin
Added: system/etc/firmware/rt3070.bin
Added: system/etc/firmware/rt73.bin
Added: system/etc/firmware/rt2561.bin
Added: system/etc/firmware/rt2860.bin
Added: system/etc/firmware/htc_7010.fw
Added: system/etc/firmware/carl9170-1.fw
Added: system/etc/firmware/zd1211/zd1211_ub
Added: system/etc/firmware/zd1211/zd1211b_uph
Added: system/etc/firmware/zd1211/zd1211_ur
Added: system/etc/firmware/zd1211/zd1211b_uphm
Added: system/etc/firmware/zd1211/zd1211b_ur
Added: system/etc/firmware/zd1211/zd1211_uph
Added: system/etc/firmware/zd1211/zd1211_uphr
Added: system/etc/firmware/zd1211/zd1211_uphm
Added: system/etc/firmware/zd1211/zd1211b_uphr
Added: system/etc/firmware/zd1211/zd1211b_ub
Added: system/etc/firmware/rtlwifi/rtl8192cufw.bin
Added: system/etc/firmware/rtlwifi/rtl8188efw.bin
Created kernel installer: kernel-nethunter-hammerhead-marshmallow-RBQ.zip
After building, a file will be generated in the directory. I transferred it to the phone via KDE Connect, rebooted into recovery, and flashed it. Done!!

The latest Nethunter uses the kali-rolling source. If you fail to update the sources or download packages, change your sources to:
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb-src http://http.kali.org/kali kali-rolling main contrib non-free