Installing Kali NetHunter Lite on DivestOS 20.0

2023-03-07T00:00:00Z

Update: DivestOS has been discontinued and downloads are no longer available.

This will turn your device into a purely penetration testing device, and it will be very insecure for any other purpose. Please do not do this on your daily driver.

This procedure should work without modification on many devices using the standard Android bootloader (not Samsung). However, every device has unique quirks that may require special attention.

Originally, I just needed a device to run packet capture on my other devices. I have a OnePlus 7T laying around which I am not using for anything (since it has already reached its end-of-life), so I thought it would be cool to give it a new purpose. I am using DivestOS here since it is my go‑to Android distribution, but you can use LineageOS or any other distribution if you want to.

Officially, Kali Nethunter only supports OxygenOS based on Android 10 or 11 on my device. However, since there is no security to be had anyways, I decided to have some fun and not do things by the book (their official documentation isn’t accurate anyways, as I will explain).

Installing DivestOS

The installation procedure for DivestOS is fairly straightforward. First download the recovery and boot it using fastboot:

fastboot reboot /path/to/the/divestos/recovery.img
fastboot reboot recovery

Select Apply Update and Apply Update from ADB:

adb sideload /path/to/the/divestos.zip

Do not attempt to relock the bootloader — we need to leave it unlocked to enable privileged access (“rooting”) anyways. Do not reboot into the OS at this stage either.

Installing Magisk and disabling forceencrypt

The official documentation recommends TWRP and Disable_Dm‑Verity_ForceEncrypt. However, TWRP doesn’t exist for Android 12 and above for my device, and Disable_Dm‑Verity_ForceEncrypt is deprecated and doesn’t even work on Android 11.

Instead, we will use the LineageOS recovery (which allows flashing files with arbitrary signatures) and Disable Force Encryption NEO.

First, reboot the device into the bootloader.

Then, you need to download the LineageOS Recovery for your device and boot into it:

fastboot reboot /path/to/the/lineageos/recovery.img

Next, you just need to do ADB sideload for Disable Force Encryption NEO. It will give you the option to install Magisk and disable forceencrypt, and choose yes on both. The rest of the options are up to you - they are not very important.

Installing Kali Nethunter Lite

Reboot into your OS and set it up normally. Make sure that encryption is disabled:

Finally, download the appropriate build for Nethunter and flash it as a Magisk module in the Magisk Manager.

Happy NetHunting!

Android VPN Leakage with Secondary User Profiles

2022-10-10T00:00:00Z

Update: This is no longer reproducible on Android 13 QPR1 and Android 14 Developer Preview 1.

Before We Start…

I have been aware of this issue for awhile now (since at least Android 11), though I have not done enough testing to see what actually causes the leak nor do I have any workaround at the moment. My guess is that applications which launch early when you log into a secondary profile can bypass the VPN killswitch.

I have reported it on Google’s issue tracker.

The Leak

You can reproduce the leak by doing the following:

Create a new user profile (you need to create a secondary user profile for this, as it is not reproducible on your owner profile or a work profile). Do not log into your Google account at this stage.
Sideload a VPN app. The leak happens with every VPN provider I have tried (since it is likely a platform issue), though if you do not have a VPN subscription I would recommend getting a free one with ProtonVPN.
Setup the VPN and the Android VPN killswitch.
Log into your Google account through Play Services.
Restart the phone. Open the secondary user profile again.
Go to Google’s My Devices page. Observe that one of the sessions for your phone has your actual location obtained with GeoIP. In some cases, your actual IP address will be shown there as well.

Notes

It is unlikely that this is caused by Play Services being privileged applications. This issue is reproducible on GrapheneOS with the Sandboxed Play Services (which runs as a normal, unprivileged application) as well.
More testing is needed to find the root cause of the problem. I do not think that this is Play Services specific. Unfortunately, I do not have access to a router to do a packet capture right now. I would appreciate it if someone can help me get to the bottom of this. You can find my contact information here.