Preparation
Hardware: LG NEXUS 5X 2+32G
Baseband version: M8994F-2.6.42.5.03
Android 8.1 OPM7.181205.001
Host environment: VMware + Kali-Linux-2021.4a
1. Download the Kali NetHunter package: nethunter-2021.3-bullhead-oreo-kalifs-full
2. Download the official Nexus 5X development package. It has to match the Kali build: the Kali site currently builds on Oreo (Android 8.1), so download the official Android 8.1 package (official updates for the Nexus 5X have stopped, so there will be no newer package). bullhead-opm7.181205.001-factory-5f189d84
3. Download TWRP: look up your phone model on the TWRP site. I chose the Nexus 5X image here: twrp-3.3.1-0-bullhead.img.
4. Download SuperSU; choose SR5-SuperSU-v2.82-SR5-20171001224502.
5. Download the Android platform tools. I used platform-tools_r31.0.3-linux.zip, mainly for its fastboot tool, which is used for partitioning.
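Before flashing, the downloaded factory image can be checked against its own name. This is an added example, not part of the original write-up; it assumes the 8 hex digits after "-factory-" in a Google factory image name (5f189d84 above) are the first 8 hex digits of the file's SHA-256, and the function names are hypothetical.

```shell
# Added example: compare a factory image's SHA-256 with the prefix in its name.

# Print the 8-hex-digit prefix from a name such as
# bullhead-opm7.181205.001-factory-5f189d84.zip; fail if there is none.
expected_prefix() {
    local base prefix
    base=$(basename "$1")
    base=${base%.zip}
    case "$base" in
        *-factory-*) prefix=${base##*-factory-} ;;
        *) return 1 ;;
    esac
    [ "${#prefix}" -eq 8 ] || return 1
    case "$prefix" in
        *[!0-9a-f]*) return 1 ;;   # anything that is not lowercase hex
    esac
    printf '%s\n' "$prefix"
}

# Return 0 on match, 1 on mismatch, 2 if the check cannot be made.
verify_factory_image() {
    local file want got
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    want=$(expected_prefix "$file") || {
        echo "no checksum prefix in name: $file" >&2
        return 2
    }
    got=$(sha256sum "$file" | cut -c1-8)
    if [ "$got" = "$want" ]; then
        echo "OK $file (sha256 starts with $want)"
    else
        echo "MISMATCH $file: name says $want, file hashes to $got" >&2
        return 1
    fi
}

# Usage: sh verify.sh bullhead-opm7.181205.001-factory-5f189d84.zip
if [ "$#" -gt 0 ]; then
    verify_factory_image "$1"
fi
```

A matching prefix catches a truncated or corrupted download; compare the full SHA-256 with the value published on the download page before flashing.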
Troubleshooting: fixing the fastboot -w error "Cannot generate image for userdata".
1. Symptom:
fastboot -w
Erasing 'userdata' OKAY [ 0.112s]
/usr/bin/make_f2fs failed with status 1
fastboot: error: Cannot generate image for userdata
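2. Fix
1. Open a terminal and run which fastboot (e.g. /usr/bin/fastboot)
2. Change to the directory that contains fastboot (cd /usr/bin)
3. Check whether that directory contains the files make_f2fs and mke2fs and the folder lib64 (which contains libc++.so)
4. If any are missing, copy them over from platform-tools. Download URL for platform-tools: https://dl.google.com/android/repository/platform-tools_r31.0.3-linux.zip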
sudo cp make_f2fs /usr/bin
sudo cp mke2fs /usr/bin
sudo cp -r lib64 /usr/bin
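5. Set permissions (mode 755 is sufficient: the helpers only need to be executable, and files in /usr/bin should not be world-writable)
sudo chmod 755 /usr/bin/make_f2fs
sudo chmod 755 /usr/bin/mke2fs
sudo chmod -R 755 /usr/bin/lib64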
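The checks in steps 3 to 5 can be scripted. This is an added example, not part of the original write-up; the function name is hypothetical, and it reports helpers that are missing from the fastboot directory as well as helpers that other users can write to, since root runs them during fastboot -w.

```shell
# Added example: verify the mkfs helpers that fastboot -w looks for next to
# the fastboot binary (names taken from step 3 above).

# Return 0 if every helper exists and is not world-writable, 1 otherwise.
check_fastboot_helpers() {
    local dir item path status
    dir=$1
    status=0
    for item in make_f2fs mke2fs lib64/libc++.so; do
        path="$dir/$item"
        if [ ! -e "$path" ]; then
            echo "MISSING        $path"
            status=1
            continue
        fi
        # -perm -0002 matches when the "other users may write" bit is set
        if [ -n "$(find "$path" -maxdepth 0 ! -type l -perm -0002)" ]; then
            echo "WORLD-WRITABLE $path"
            status=1
        else
            echo "ok             $path"
        fi
    done
    return "$status"
}

# Usage: sh check.sh --check   (inspects the directory that holds fastboot)
if [ "${1:-}" = "--check" ]; then
    check_fastboot_helpers "$(dirname "$(command -v fastboot)")"
fi
```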
┌──(root💀kali)-[/home/kali]
└─# cd bullhead-opm7.181205.001
┌──(root💀kali)-[/home/kali/bullhead-opm7.181205.001]
└─# ls
bootloader-bullhead-bhz32c.img flash-all.sh image-bullhead-opm7.181205.001.zip
flash-all.bat flash-base.sh radio-bullhead-m8994f-2.6.42.5.03.img
┌──(root💀kali)-[/home/kali/bullhead-opm7.181205.001]
└─# ./flash-all.sh (if the device reports LOCKED, open another terminal and unlock it with: fastboot oem unlock)
Sending 'bootloader' (4610 KB) OKAY [ 0.570s]
Writing 'bootloader' OKAY [ 0.150s]
Finished. Total time: 0.763s
Rebooting into bootloader OKAY [ 0.006s]
Finished. Total time: 0.057s
< waiting for any device >
Sending 'radio' (56630 KB) OKAY [ 6.356s]
Writing 'radio' OKAY [ 0.575s]
Finished. Total time: 6.980s
Rebooting into bootloader OKAY [ 0.019s]
Finished. Total time: 0.069s
< waiting for any device >
--------------------------------------------
Bootloader Version...: BHZ32c
Baseband Version.....: M8994F-2.6.42.5.03
Serial Number........: XXXXXXXXXXXXXXXXXX
--------------------------------------------
extracting android-info.txt (0 MB) to RAM...
Checking 'product' OKAY [ 0.020s]
Checking 'version-bootloader' OKAY [ 0.020s]
Checking 'version-baseband' OKAY [ 0.020s]
extracting boot.img (11 MB) to disk... took 0.111s
archive does not contain 'boot.sig'
Sending 'boot' (11781 KB) OKAY [ 1.240s]
Writing 'boot' OKAY [ 0.126s]
archive does not contain 'dtbo.img'
archive does not contain 'dt.img'
archive does not contain 'pvmfw.img'
extracting recovery.img (17 MB) to disk... took 0.129s
archive does not contain 'recovery.sig'
Sending 'recovery' (17425 KB) OKAY [ 1.831s]
Writing 'recovery' OKAY [ 0.190s]
archive does not contain 'vbmeta.img'
archive does not contain 'vbmeta_system.img'
archive does not contain 'vbmeta_vendor.img'
archive does not contain 'vendor_boot.img'
archive does not contain 'super_empty.img'
archive does not contain 'odm.img'
archive does not contain 'odm_dlkm.img'
archive does not contain 'product.img'
extracting system.img (1909 MB) to disk... took 17.332s
archive does not contain 'system.sig'
Sending sparse 'system' 1/4 (508768 KB) OKAY [ 53.441s]
Writing 'system' OKAY [ 6.211s]
Sending sparse 'system' 2/4 (524238 KB) OKAY [ 56.589s]
Writing 'system' OKAY [ 6.182s]
Sending sparse 'system' 3/4 (501061 KB) OKAY [ 55.602s]
Writing 'system' OKAY [ 6.639s]
Sending sparse 'system' 4/4 (421469 KB) OKAY [ 43.053s]
Writing 'system' OKAY [ 4.854s]
archive does not contain 'system_ext.img'
extracting vendor.img (185 MB) to disk... took 1.736s
archive does not contain 'vendor.sig'
Sending 'vendor' (190332 KB) OKAY [ 18.740s]
Writing 'vendor' OKAY [ 2.662s]
archive does not contain 'vendor_dlkm.img'
Erasing 'userdata' OKAY [ 0.258s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6661115 4k blocks and 1667904 inodes
Filesystem UUID: 3728a865-dbc1-4e1e-b5ab-6c502fe46e67
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (4412 KB) OKAY [ 0.522s]
Writing 'userdata' OKAY [ 0.068s]
Erasing 'cache' OKAY [ 0.085s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 24576 4k blocks and 24576 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (92 KB) OKAY [ 0.089s]
Writing 'cache' OKAY [ 0.019s]
Rebooting OKAY [ 0.020s]
Finished. Total time: 278.972s
Reboot into the new system and adjust system settings
┌──(root💀kali)-[/home/kali/bullhead-opm7.181205.001]
└─# adb shell settings put global captive_portal_http_url http://www.google.cn/generate_204
┌──(root💀kali)-[/home/kali/bullhead-opm7.181205.001]
└─# adb shell settings put global captive_portal_https_url https://www.google.cn/generate_204
┌──(root💀kali)-[/home/kali/bullhead-opm7.181205.001]
└─# adb shell settings put global ntp_server 1.hk.pool.ntp.org
┌──(root💀kali)-[/home/kali]
└─# fastboot flash recovery twrp-3.3.1-0-bullhead.img
Sending 'recovery' (16321 KB) OKAY [ 1.687s]
Writing 'recovery' OKAY [ 0.172s]
Finished. Total time: 1.904s
┌──(root💀kali)-[/home/kali]
└─# adb reboot bootloader
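Enter recovery mode
################### Key part #################################################
1. If "mount decrypt data - enter password" appears, the data partition is encrypted and recovery cannot read or write internal storage.
Tap Cancel, then tap Keep Read Only; the Team Win Recovery Project screen appears.
2. Choose Wipe and drag the triple-arrow slider to confirm, then tap the recovery home icon to return to the main screen. The sdcard storage is now accessible.
3. Back on the recovery main screen, choose Mount and tap the MTP option twice: the first tap changes Disable MTP to Enable MTP, the second changes it back to Disable MTP. This exposes the phone's storage as a USB drive.
4. Copy the SuperSU zip file SR5-SuperSU-v2.82-SR5-20171001224502.zip onto it.
Tap the recovery home icon to return to the main screen.
5. Choose Install, select the zip file you just copied, and drag the triple-arrow slider to confirm.
When it finishes, choose Reboot System, then choose Do Not Install to reboot.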
############################################################################
┌──(root💀kali)-[/home/kali]
└─# adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard/
┌──(root💀kali)-[/home/kali]
└─# adb push nethunter-2021.3-bullhead-oreo-kalifs-full.zip /sdcard/
nethunter-2021.3-bullhead-oreo-kalifs-full.zip: 1... pushed. 0.9 MB/s (1612679421 bytes in 1791.139s)
Install Kali from TWRP.