[SEP 18][V0.3] Stable Customized BT5 for HD2 - Links updated


z3nful

Senior Member
Jan 22, 2011
260
304
Phoenix
www.hookupcellular.com
Zen's Backtrack 5 For HD2 (and other) Android Smartphones
V0.3
----------------------------------------------------------

New app for loading this (and other) Linux Systems! - https://play.google.com/store/apps/details?id=com.linux.autoloader

Image and app support can be found here --> http://www.zenfulapps.com/

Packed - 640MB

Unpacked - 2.6GB (fits on a 3.3GB .img now)

--GRAB THE UPDATED SCRIPTS ATTACHED TO THIS POST, THEY ARE NOT PACKAGED INTO THE ZIP--

--Scripts are set to load from the EXT4 partition; when I modify them for the .img's I'll add them to the script pack--
--If you have .img mounting scripts from previous versions, they will work, as long as file names and directories match--

V0.3 Download

http://www.zenfulapps.com/Android/backtrack5-0.3.7z
(MD5 is still the same :)

MD5sum (of .7z file) - 9a4796f0ed96e03579c2b4a684d026f5


--------------------
Script pack contains
--------------------

btgo - mounts BT5 and asks how you would like to start, CLI or VNC
bts - stops BT5 and unmounts everything for it.
btl - used to log in to BT5 after it has been mounted, to avoid all those "resource busy" messages
mkcore - directory installation and swap file creation

-------------
What you need
-------------

Rooted Android Smartphone
Linux on PC
Busybox installed on your device
SDcard adapter or reader, if necessary

----------
Let's begin
----------

There are 3 different ways you can do this:

1. Fresh install on EXT4 SDcard partition (I HIGHLY recommend this method if possible: much better and a bit faster, with no double loops to write to)

2. Create Fresh .img

3. Replace old BT5 system .img


=========================================
1. Fresh install on EXT4 Sdcard Partition
=========================================

This portion of the guide installs BT5 on a FRESH EXT4 partition on your SDcard. Throughout this process, you will:

Back up your current SDcard (EVERY PARTITION; this is why we use PC Linux and not Windows)
Fully erase and repartition your SDcard
Replace Android system and user data
Install BT5 on the third partition
Prepare the system for chroot and VNC connection

----------------------------------------

Boot into your Linux operating system. **I DO NOT recommend using VirtualBox or VMware, as drivers for USB and SDcard connections aren't direct, and things can go wrong.**

Shut down your phone and remove your SDcard. Do not use adb or any other tools to do this.

Insert your SDcard into your computer (adapter or reader, yada yada) and mount every partition.

Make careful note of what is on which partition. The safest way to back everything up is through the command line with the command

Code:
# "/." instead of "/*" so hidden entries (e.g. .android_secure on the FAT32 partition) are copied too
sudo cp -Rfvp /media/your-sdcard-partition/. /where/your/backup/folder/is

Do this for each partition, whether you have 1, 2, 3, or more.

In my case, my backup directory looks like this:
Code:
[hookup-cellular@Hookup sdcard-backup]$ ls -l
total 12
drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 ext2
drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 ext4
drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 fat32

(Ignore the empty directory sizes; my TRUE backup folder is MUCH more vulgar and I won't display it publicly, people may tear their eyes out :p)

After everything is backed up, open your partition manager (in GNOME it is gparted; can't remember the name in others).

Navigate to your SDcard and DELETE every partition. Every one.

Afterwards, recreate them using this strategy:

partition 1 - FAT32, size = total SDcard size minus the ext2 and ext4 partition sizes
partition 2 - EXT2, size = 256MB, 512MB or 1GB, depending on how you like your apps2sd
partition 3 - EXT4, size = whatever you want for Linux; the minimum should be 4GB (mine's at 10GB, I like my Linux and have got 3 different ones on it at the same time.)


When you are done, copy back your FAT32 and ext2 stuff using the SAME COMMAND AS ABOVE (sudo cp -Rfvp from/here to/here).

Now, unzip/untar the .tar.gz package. I recommend extracting it to your PC before trying to put it on your SDcard.

Using the copy command above, put the extracted files onto your SDcard's EXT4 partition.

Double check the partition (navigate to it in Nautilus or whatever file manager you're using) and ensure that it has the system copied over properly. You should see /boot /etc /root /sys and so on and so forth, NOT just one folder with all of those inside of it.

Insert your SDcard, power on your phone, go to terminal emulator, and enter this:
Code:
su
cd /sdcard/scripts
sh mkcore

A swap file is damn near necessary if you're planning on using any GUI tools (Armitage, Zenmap).

Your directory structure is now in place, swap file created, and you start BT5 by typing (from /sdcard/scripts OR /data/linux):
Code:
sh btgo


=================================
2. Fresh Image Creation
=================================

For this, we use the dd command and the mkfs.ext4 command.

Code:
dd if=/dev/zero of=/path/to/where/you/want/the/img bs=1M count=3300
Change this command as needed; running it as is won't do anything good. Change the of= to where you want your img to be located.

next is mkfs.ext4

Code:
mkfs.ext4 /path/to/where/you/want/your/img
Select yes when it cautions about "not a block device".

When this is finished, mount it using these commands:

Code:
su
-your password-
mkdir -p /mnt/bt5img
# -o loop is needed on older mount versions to attach a plain file
mount -t ext4 -o loop /path/to/your/img /mnt/bt5img

Now, extract the BT5 package to a place on your computer. When finished, run this command:

Code:
sudo cp -Rfvp /path/to/bt5/core/* /mnt/bt5img/

changing the parameters accordingly.

After this, copy the .img to /sdcard/bt5 and run the start scripts from your terminal emulator.


================================
3. Replace Existing Image
================================

Mount your bt5 image, erase what is inside of it, and copy in the new system:

Code:
su
-your password-
mkdir -p /mnt/bt5img
mount -t (your ext type) -o loop /path/to/your/bt5/img /mnt/bt5img
rm -Rfv /mnt/bt5img/*
cp -Rfvp /path/to/bt5/core/* /mnt/bt5img/

Unmount your .img, place it on your SDcard, and you're all set.






==============================
Changes in v0.3
==============================

- Trimmed a lot of fat; fits inside a 3.3GB image now, though space is SEVERELY limited (removed CUPS and sound stuff, who needs to print from within their phone anyway?)

- Various small changes for performance improvements.
- A few new tools installed, but not tested
- Restored my personal version that I nuked. It works now. :)

NEW STUFF TO COME, STAY TUNED!!!
 
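The image-creation and image-replacement steps from the post above, plus the "double check the partition" step and a checksum check on the download, as one added shell example. This is not part of the original post or of the script pack. It assumes a Linux box with md5sum, mkfs.ext4 and loop-mount support; the set of top-level directories it checks for (bin, etc, root, usr), the 3300 MiB default size and /mnt/bt5img are assumptions, and build_image only does anything when run as root.

```shell
#!/bin/sh
# Added example, not from the original post or its script pack.
# Helpers for the "Fresh Image Creation" / "Replace Existing Image" steps
# and for checking the download before using it.  Assumes Linux coreutils
# (md5sum), e2fsprogs (mkfs.ext4) and loop mounts; the directory names and
# default sizes below are assumptions.

# Compare a downloaded file's MD5 with the published value.
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_md5() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# The "double check the partition" step: a usable root filesystem has the
# standard top-level directories directly in $1.  The set checked here is an
# assumption; the post lists /boot /etc /root /sys.
check_rootfs_layout() {
    root="$1"
    for d in bin etc root usr; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    done
    return 0
}

# Classify a directory: "ok", "nested" (the whole system sits inside one
# wrapper folder, the mistake the post warns about) or "bad".
rootfs_status() {
    root="$1"
    if check_rootfs_layout "$root" 2>/dev/null; then
        echo ok; return 0
    fi
    n=0; only=""
    for e in "$root"/*/; do
        [ -d "$e" ] || continue
        n=$((n + 1)); only="${e%/}"
    done
    if [ "$n" -eq 1 ] && check_rootfs_layout "$only" 2>/dev/null; then
        echo nested; return 1
    fi
    echo bad; return 1
}

# The dd / mkfs.ext4 / mount / cp sequence from the post as one root-only step.
# -F keeps mkfs from stopping at "not a block device", -o loop attaches the
# file on older mount versions, and "src/." copies dotfiles that "src/*" skips.
build_image() {
    img="$1"; src="$2"; size_mb="${3:-3300}"; mnt="${4:-/mnt/bt5img}"
    [ "$(id -u)" -eq 0 ] || { echo "build_image: run as root" >&2; return 1; }
    [ "$(rootfs_status "$src")" = ok ] || { echo "$src is not an extracted system" >&2; return 1; }
    dd if=/dev/zero of="$img" bs=1M count="$size_mb" || return 1
    mkfs.ext4 -F "$img" || return 1
    mkdir -p "$mnt"
    mount -t ext4 -o loop "$img" "$mnt" || return 1
    cp -Rfp "$src"/. "$mnt"/
    rc=0
    [ "$(rootfs_status "$mnt")" = ok ] || rc=1
    umount "$mnt"
    return $rc
}

# Usage (as root):  build_image /path/to/bt5.img /path/to/extracted/bt5/core 3300
```

Run `verify_md5 backtrack5-0.3.7z <md5 from the post>` before extracting; `rootfs_status` on the extracted folder tells you whether you are about to copy the system itself or one wrapper folder containing it, which is exactly the mistake the "double check" paragraph describes.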

z3nful

First off, my apologies for starting a second thread on this; I've made A LOT of changes and I feel the first thread is dead and useless. (Reprimand me if needed :)

-pics coming once I find my camera :p could be a small while-

---------------------------------------
Backtrack5 for HD2 - v0.2
Customized by z3n
My goal: the perfect stealth
tool in your pocket
just one tap away
---------------------------------------

========================
Codename
Squeaky Wheel
========================



Updated, check second post for changelog


========================
DOWNLOAD
========================


Please use the scripts attached at the bottom of this post instead of the packaged ones, as I haven't had a chance to update the full image zip with them (uploads take a while :p)

V 0.2

Part 1 - http://www.megaupload.com/?d=D0MQVAS4

Part 2 - http://www.megaupload.com/?d=M2MRYLAH


MD5 - 06225e18cdbfee6f88daf7e9ee3a1163
SHA1 - eeba19e53565a1643703cf8938be2f8cfc12db9a

V 0.1

Part 1 - http://www.megaupload.com/?d=83B22Y00

Part 2 - http://www.megaupload.com/?d=SB98AA19

mirror - (NOT interchangeable)

Part 1 - http://www.megaupload.com/?d=HU320Z81

Part 2 - http://www.megaupload.com/?d=QN9C560Z

Checksums of bt5.img
MD5 = 863e6db99e5207a81ad0df7d13998235
SHA1 = c84d8f27df8b9b51059e5a6b09e65853f11de970



7zip required to extract.

Just over 1GB packed, unpacked is 4.9GB.


========================
INFO
========================

This is my first release of a customized, working, mostly stable BT5.

Many things have been added, taken out, and configured to be used within the Android system. For a full list, please see the bottom of this post.

Mounting is different than most other linux .img installations, allowing for a full (and expandable) image.

V 0.2 now has a swap file created when you run the mkdirectory script. This swap file is necessary: in all my tests, when you run VNC with most of the major tools, there's a high chance of the phone running out of memory (I'm running no extra apps, completely stock Hyperdroid).

(If you have a swap file already, you can say no to creating another; just make sure that the file is located at /data/bt and named btswap.)

**This image is in ext4, make sure your kernel supports it!**
**Everything tested on Hyperdroid-CM7 by pongster**

==============
INSTALLATION
==============

You need:
-Full Nandroid Backup in case something goes batty
-16gb HD2
-ext4 support on your ROM/kernel (lost my ext2 image due to my own stupidity, will create another matching one later)
-Linux on PC (to create the ext4 partition)
-Busybox (from market)
-VNC Viewer (from market) (optional)

FAT32/EXT4 Split card
---------------------

1.
Back up your HD2 and SDCard to safe places (off of the phone and sdcard)

2.
Boot your Linux installation and open the partition manager. Erase all the partitions on your SDcard. Then create them in this order.

1. FAT32 - size of this is total SDcard size minus 6.5GB (for the bt image) minus 100MB for apps2sd
2. ext2 - 100MB
3. ext4 - 6.5GB

3.
Copy the bt5.img to the root of your third partition.
Copy the bts folder to the root of your FAT32 partition.

4.
If this is your first time using this script/image, run the mkdirectory script first with

Code:
su
sh /pathtoscripts/mkdirectory

Load up your Android terminal and type
Code:
su
cd /path/to/scripts
sh go

5.
Now it asks you if you want to log in to the console or start VNC automatically. (Check the log for the port, usually 5901 or 5902.)

DEFAULT VNC PASSWORD IS: toortoor



DEDICATED SDCARD
----------------
Same as everything above, minus the FAT32 partition.

"sh ded"
starts for dedicated SDcard instead of
"sh go"


Proper Shutdown Procedure
=====================

The stop script has been modified to shut down BackTrack and all of the (usual) programs that stop things from unmounting properly.

Exit any VNC connection you currently have.

1. Run sh stop (from your scripts location)
2. Reboot phone as a precaution.

One thing I did personally to make this easier was load the scripts onto /data/bt, so switching SDcards or locations doesn't matter.
(I also changed the terminal start directory to my scripts folder :p easy quick access)

=================================
Main Features I've gotten to work
=================================
-Clean mount/umount, as long as VNC and MySQL are killed BEFORE exiting the chroot - the stop script kills these now
-Apps no longer disappear for good with the SDcard removed, only until the SDcard is reinserted :p (apps2SD/loop device problem, any ideas?)
-MySQL for metasploit
-Metasploit working
-Armitage working, missing some "Attack" options (looking into it)
-Zenmap installed
-OpenVPN installed
-Traffic analysis possible with tcpdump (local only)
-Enables possibility for FakeAP attacks
-macchanger works (kinda, phone needs a reboot for original MAC to return)
-Armitage Launcher placed on Desktop (takes a while to load, be patient)
-Terminal launchers in various places (updating may randomly remove your terminal; Synaptic is placed on the desktop as a standby to redownload terminals)
-guake installed (drop down Terminal, makes commands easier to see while working) (not configured to a key yet)

This probably works with other Android phones too, if you change the scripts and as long as the phone has an external SDcard you can partition.

If you're using a different phone, this is untested unless specified otherwise.

-Boot and shutdown scripts run clean as long as VNC and MySQL are shut off (in almost all cases)


@ XDA
http://xdaforums.com/show....php?t=1152994

PASSWORDS
------------
MySQL - user: root pass: toor
VNC - User: root pass:toortoor
sys pass - user:root pass:toor
(I know, standard ones, but this should answer a few questions)


===============================
Thanks
===============================
anantshri - for the original scripts and BT5 img for android
BT dev team - (of course :p)
and all of you :)

===============================
Information, bugs, and oddities
===============================

One important thing: while performing heavy operations, it's normal for your screen to not turn on for a while after it turns off. Don't panic, just give it some time to finish whatever you were running and your phone will be back to normal again. DO NOT PULL THE BATTERY UNLESS ABSOLUTELY NECESSARY.

To avoid this, get Wakelock (known to cause problems) or set your screen timeout to some large number.

The swap file will help with a lot of this.

These are the features I've tested out so far.
No major changes to anything (except new packages), just configuring everything I see.

If you find anything you want added in or that is acting odd, please let me know. Same goes for if you fix something!!

Overall
-------
-Repos activated, most things work (upstart processes fail, for now)
-startvnc and stopvnc no longer give that pesky USER error
-startvnc starts the MySQL database for Metasploit
-stopvnc stops MySQL (mostly; invoke ps -A and look for mysqld. Kill it with fire (-9) if need be)
-Network traffic is capturable with tcpdump, with the wifi hotspot activated
-working on adding in a swap partition on sdcard (if possible)
-openoffice installed
-openVPN installed (the quieter you become...)
-Removed Zoho Web services

MySQL
-----
default user - root
default pass - toor
-Starts automatically with startvnc
-stops automatically with stopvnc
-start manually by invoking "mysqld"
-Only runs as root (for now)
-The console hangs when it is manually loaded or shut down, though the service continues running. killall --signal 9 mysqld if needed.

Metasploit
----------
-Loads up alright (45-90 seconds)
-MySQL already set as default DB
-Must manually connect to MySQL DB each instance of metasploit by invoking (from msf) db_connect root:toor@127.0.0.1
-Working on a possible way to limit CPU consumption to prevent system hangs (cpulimit does some nasty things)
-So far, this is the only connection string I've been able to get to work: root:toor@127.0.0.1

Armitage
--------
-Takes forever to load (30 seconds for the connect screen, 4 minutes or so for the main client)
-Causes system hangs frequently (to minimize this, leave the VNC server on your screen and set the display timeout to 10 minutes; switch it back when done to conserve battery life)
-So far, this is the only connection string I've been able to get to work: root:toor@127.0.0.1
-Can crash the phone if running too big of an operation (max phone memory problem, fixed in v0.2 with the swap file added)

Zenmap
------
-Slows the phone down (incredibly bad with more complex scans, of course)
-Some complex scanning options can crash the phone (nothing damaging has happened)
-Will attempt to throttle CPU usage in the future
-Can crash the phone if running too big of an operation (max phone memory problem, fixed in v0.2 with the swap file added)


Aircrack-ng suite
-----------------
-Aircrack-ng works
-Airodump-ng doesn't work (needs monitor)
-Airdecap-ng untested
-Airdecloak-ng untested
-Airbase-ng doesn't work (needs monitor)
-Airmon-ng doesn't work (needs monitor)
-Aireplay-ng doesn't work (needs monitor)
-Airdriver-ng doesn't work (yet)
-Airolib-ng works (doesn't do anything yet)
-Airserv-ng doesn't work (needs monitor)
-Airtun-ng doesn't work (needs monitor)



Plus lots of stuff for the future, stay tuned!!

http://xdaforums.com/show....php?t=1152994

In the future
=========
-nessus
-Booting via HD2 Toolbox by d4n14l (sp?)
-Custom kernel (WAYYYY down the road, but working on it)
and more ;)
--Copyrighted by z3n, 2011
(just kidding, but it looks good :p)
 
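The "Proper Shutdown Procedure" section above says the stop script has to kill VNC and MySQL before unmounting, or the unmount fails with "resource busy". The following is an added shell example, not the thread's stop script, that finds exactly which processes are holding a mount point (working directory, root, executable or an open file under it) using only /proc and readlink, which busybox provides, and then stops them before unmounting. The two-second grace period and the use of /proc/<pid>/cmdline for names are my choices.

```shell
#!/bin/sh
# Added example, not the thread's stop script: list the processes that make
# umount fail with "resource busy" and stop them before unmounting.  Uses only
# /proc and readlink, so it works with busybox; no fuser or lsof needed.

# Print the PIDs (one per line) of every process holding $1: a process holds
# the mount if its cwd, root (chrooted into it), exe or any open fd lies under it.
procs_holding_mount() {
    mnt=$(cd -P -- "$1" 2>/dev/null && pwd) || return 1
    me=$$
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        [ "$pid" = "$me" ] && continue
        for l in "$p"/cwd "$p"/root "$p"/exe "$p"/fd/*; do
            t=$(readlink "$l" 2>/dev/null) || continue
            case "$t" in
                "$mnt"|"$mnt"/*) echo "$pid"; break ;;
            esac
        done
    done | sort -un
}

# Command line of a PID from /proc/<pid>/cmdline (empty for kernel threads or
# processes that have already exited).
proc_name() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# Report and stop everything holding $1 (TERM, then KILL after a grace period),
# then unmount it.  With "dry" as the second argument, only report.
stop_and_unmount() {
    mnt="$1"; dry="${2:-}"
    for pid in $(procs_holding_mount "$mnt"); do
        echo "$pid $(proc_name "$pid")"
        [ -n "$dry" ] && continue
        kill "$pid" 2>/dev/null || true
    done
    [ -n "$dry" ] && return 0
    sleep 2
    for pid in $(procs_holding_mount "$mnt"); do
        kill -9 "$pid" 2>/dev/null || true   # "kill it with fire", as the post puts it
    done
    umount "$mnt"
}

# Usage:  stop_and_unmount /data/linux dry    # see who is holding the chroot
#         stop_and_unmount /data/linux        # stop them and unmount (root)
```

Running the dry form first shows the mysqld and VNC processes the post talks about, and also anything else (a shell left sitting inside the chroot, for instance) that a fixed list of daemons to kill would miss.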

white-energy

Senior Member
Apr 9, 2010
646
223
Kyiv
I've done some research and found out that many devs have tried making the driver work in monitor mode, but they failed to do that.
It looks to me like BackTrack on HD2 is kind of useless.
 

z3nful

Not useless; just last night I ganked my roommate's computer with my phone ;)

As far as monitor mode and injection go, sadly, they may be right that it's not possible, but I've got some ideas that may make it work; I just need to hammer out some kinks in BT first :)

And who needs monitor when you can fakeAP?
"Make them hand you the keys and you don't have to break their Window(s)™" :D
Sent from my Hyperdroid Pocket Laptop
 

z3nful

Next release is going to be even better :) This 5GB image is almost full, so I'm going to expand it to 6GB, along with instructions on how to expand your own image if that's too large or you want even more space.

BTW, Wine should be good to go in the next one ;)

Stay tuned!!

Sent from my HD2 "Pocket Laptop"
 

z3nful

Not at all, I've been trying to track down your name again so I can add you to the credits part, as the basis of the scripts was yours lol; I just changed the loops and mounting structures around a bit and added some stability checks.

The scripts for this image are slightly out of date, but I've got new ones going up once I have time :) They should fix a few of the small errors people get while mounting :)

My next version is a little ways out (work's gotten crazy busy lately), but it'll be out eventually :)

Sent from my HD2 Pocket Laptop
 

masterchop

Senior Member
May 17, 2011
167
70
Not Booting!

Hi, thank you for sharing this!!! This is like a dream for a lot of people.

I have followed all your steps but I have a problem when I run the scripts: the folders don't get created, because when I run go I get a bunch of "folder not found".

My SD card has some differences; it is a 16GB

with
Fat32
Ext-sd/ EXT2 -->1GB
EXT3 --> 100MB
EXT4 --> 6.5GB

Could this setup be causing the script to look on the wrong partitions? It's been a long time since I played with shell scripting, but I would like to know if that is the place I should start looking for a fix :D
 

z3nful

-edit- Just double checked (forgot the scripts were on my phone... it's been a long week lol) and you should just need to change the mount -t ext4 /dev/block/vold/179:3 to /dev/block/vold/179:4

Also, did you run the new mkdirectory script? If you have the one packaged with the image, it's out of date. The attachment on the first post has the updated ones :)

Ignore all mmcblk's :p

For another "buffer" partition, you need to point the SDcard parts (mmcblk0p* and vold/179:*) to what yours are in /dev/block. In your case I think you just need to change any vold/179:3 to 179:4. If you go to /dev/block/vold it will have folders for each partition (they are numbered 0 and up, but 1 would be your FAT32, 2 is ext2, so on and so forth) :)



When I'm near my computer I'll figure out the full ones for you :p

Sent from my HD2 Pocket Laptop
 
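The exchange above (an extra partition on the card shifts BT5 from vold/179:3 to 179:4, and the hardcoded mount line then mounts the wrong partition and fails with "folder not found") is the kind of thing a script can check for instead of hardcoding. The following is an added shell example, not one of the thread's scripts: it resolves a partition index to its /dev/block/vold/major:minor path from /proc/partitions, refuses an index the card does not have, and confirms that a system is actually on the mounted partition before anything chroots into it. The mmcblk0 disk name, /data/linux as the mount point and the "largest partition after the first" heuristic are assumptions; the sample partition table is constructed.

```shell
#!/bin/sh
# Added example, not one of the thread's scripts: resolve the SD card partition
# holding BT5 from its index via /proc/partitions instead of hardcoding
# vold/179:3.  With the FAT32 / EXT2 / EXT3 / EXT4 layout from the question
# above, BT5 is partition 4.  mmcblk0 and /data/linux are assumptions.

# Print "major:minor size_kb name" for each partition of disk $1 (default
# mmcblk0), read from a /proc/partitions-style table ($2, default the real one).
list_sd_partitions() {
    disk="${1:-mmcblk0}"; table="${2:-/proc/partitions}"
    awk -v d="$disk" '$4 ~ ("^" d "p[0-9]+$") { print $1 ":" $2, $3, $4 }' "$table"
}

# Resolve partition index $1 of disk $2 to its /dev/block/vold path, failing
# (status 1) when the card has no such partition.
sd_partition_dev() {
    idx="$1"; disk="${2:-mmcblk0}"; table="${3:-/proc/partitions}"
    line=$(list_sd_partitions "$disk" "$table" | awk -v n="${disk}p$idx" '$3 == n')
    [ -n "$line" ] || { echo "partition $idx of $disk not found" >&2; return 1; }
    echo "/dev/block/vold/${line%% *}"
}

# Heuristic: the index of the largest partition after the first one.  On the
# layouts in this thread that is the big EXT4 partition carrying BT5.
guess_bt5_partition() {
    list_sd_partitions "${1:-mmcblk0}" "${2:-/proc/partitions}" \
      | awk 'BEGIN { best = 0 }
             { sub(/.*p/, "", $3); if ($3 != 1 && $2 > best) { best = $2; idx = $3 } }
             END { if (idx) print idx; else exit 1 }'
}

# Mount partition $1 at $2 (default /data/linux) and confirm a system is there
# before anything chroots into it.  Root only.
mount_bt5_partition() {
    idx="$1"; mnt="${2:-/data/linux}"
    dev=$(sd_partition_dev "$idx") || return 1
    mkdir -p "$mnt"
    mount -t ext4 "$dev" "$mnt" || return 1
    if [ ! -d "$mnt/etc" ] || [ ! -d "$mnt/root" ]; then
        echo "$dev is mounted but holds no BT5 system" >&2
        umount "$mnt"; return 1
    fi
    return 0
}

# Usage (as root on the phone):
#   list_sd_partitions                 # see what the card really has
#   mount_bt5_partition "$(guess_bt5_partition)"   # or an explicit index
```

On the card from the question, `list_sd_partitions` prints four lines and `guess_bt5_partition` returns 4, so the mount line ends up at /dev/block/vold/179:4, the same change the reply above recommends, without anyone editing the script by hand.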

Top Liked Posts

  • There are no posts matching your filters.
  • 17
    Zen's Backtrack 5 For HD2 (and other) Android Smartphones
    V0.3
    ----------------------------------------------------------

    New app for loading this (and other) Linux Systems! - https://play.google.com/store/apps/details?id=com.linux.autoloader

    Image and app support can be found here --> http://www.zenfulapps.com/

    Packed - 640mb

    Unpacked - 2.6gig (fits on 3.3 img now.)

    --GRAB THE UPDATED SCRIPTS ATTACHED TO THIS POST, THEY ARE NOT PACKAGED INTO THE ZIP--

    --Scripts are set to load from EXT4 partition, when i modify them for the .img's ill add them to the script pack--
    --if you have .img mounting scripts from previous versions, they will work, as long as file names and directories match--

    V0.3 Download

    http://www.zenfulapps.com/Android/backtrack5-0.3.7z
    (MD5 is still the same :)

    MD5sum (of .7z file) - 9a4796f0ed96e03579c2b4a684d026f5


    --------------------
    Script pack contains
    --------------------

    btgo - mounts BT5, and askes how you would like to start, CLI or VNC
    bts - stops BT5, and unmounts everything for it.
    btl - used to login to bt5 after it has been mounted, to avoid all those "resource busy" messages
    mkcore - directory installation and swap file creation

    -------------
    What you need
    -------------

    Rooted Android Smartphone
    Linux on PC
    Busybox installed on your device
    SDcard adapter or reader, if neccesary

    ----------
    Lets begin
    ----------

    There are 3 different ways you can do this:

    1. Fresh install on EXT4 Sdcard partition ( I HIGHLY recommend this method if possible, much better, a bit faster (no double loops to write to)

    2. Create Fresh .img

    3. Replace old BT5 system .img


    =========================================
    1. Fresh install on EXT4 Sdcard Partition
    =========================================

    This portion of the guide is to install BT5 on a FRESH EXT4 partition on your SDcard. Throughout this porcess, you will:

    Backup your current sdcard (EVERY PARTITION, this is why we use PC-linux and not windows)
    Fully erase and repartition your SDcard
    Replace Android system and user data
    Install BT5 on third partition
    prepare system for chroot and VNC connection

    ----------------------------------------

    Boot into your Linux operating system. **I DO NOT recommend using virtualbox or vmware, as drivers for usb and SDcard connections arent direct, things can go wrong.**

    Shutdown your phone, and remove your SDcard. Do not use adb, or any other tools to do this.

    insert your SDcard into your computer (adapter or reader yada yada) and mount every partition.

    Make careful note of what is on which partition. safest way to back everything up is through the command line with the command

    Code:
    sudo cp -Rfvp /media/your-sdcard-partition/* /where/your/backup/folder/is

    Do this for each partition, whether you have 1, 2, 3, or more.

    In my case, my backup directory looks like this:
    Code:
    [hookup-cellular@Hookup sdcard-backup]$ ls -l
    total 12
    drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 ext2
    drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 ext4
    drwxrwxr-x. 2 hookup-cellular hookup-cellular 4096 Sep 13 18:48 fat32

    (ignore the empty directory sizes, my TRUE backup folder is MUCH more vulgar and i wont display it publicly, people may tear thier eyes out :p)

    After everything is backed up, open your partition manager (in Gnome it is gparted, cant remember the name in others)

    Navigate to your SDcard, and DELETE every partition. every one.

    afterwards, recreate them using this strategy:

    partition 1 - FAT32 size = total sdcard size minus ext2 and ext4 partition sizes
    partition 2 - EXT2 size = 256mb, 512mb, 1gb, depending on how you like your apps2sd
    partition 3 - EXT4 size = size you want for linux, minimum should be 4gb (mines at 10gb, i like my linux and got 3 different ones on it at the same time.)


    When you are done, copy back your fat32 and ext2 stuff using the SAME COMMAND AS ABOVE (sudo cp -Rfvp from/here to/here)

    Now, unzip/tar the .tar.gz package. I recommend extracting it to your pc before trying to put it on your sdcard.

    Using the copy command above, put the extracted files onto your sdcard's EXT4 partition.

    Double check the partition (navigate to it in nautilus or whatever filemanager your using) and ensure that it has the system copied over properly. You should see /boot /etc /root /sys so on and so forth, NOT just one folder with all of those inside of it.

    Insert your SDcard, power on your phone, go to terminal emulator, and enter this:
    Code:
    su
    cd /sdcard/scripts
    sh mkcore

    Swap file is damn near neccessary if your planning on using any GUI tools (armitage, zenmap)

    Your directory structure is now in place, swap file created, and you start BT5 by typing (from /sdcard/scripts OR /data/linux):
    Code:
    sh btgo


    =================================
    2. Fresh Image Creation
    =================================

    for this, we use the dd command and mkfs.ext4 command.

    Code:
    dd if=/dev/zero of=/path/to/where/you/want/the/img bs=1M count=3300
    Change this command as needed, running it as is wont do anything good. Change the of= to where you want your img to be located.

    next is mkfs.ext4

    Code:
    mkfs.ext4 /path/to/where/you/want/your/img
    select yes when it cautions about "not a block device"

    When this is finished, mount it using these commands:

    Code:
    su
    -your password-
    mkdir -p /mnt/bt5img
    mount -t ext4 /path/to/your/img /mnt/bt5img

    now, extract the BT5 package to a place on your Computer. When finished, run this command:

    Code:
    sudo cp -Rfvp /path/to/bt5/core/* /mnt/bt5img/

    changing parameters accordingly.

    After this, copy the .img to /sdcard/bt5 and run the start scripts from your terminal emulator.


    ================================
    3. Replace Existing Image
    ================================

    Mount your bt5 image, erase what is inside of it, and copy in the new system:

    Code:
    su
    -your password-
    mkdir -p /mnt/bt5img
    mount -t (your ext type) -o loop /path/to/your/bt5/img /mnt/bt5img
    rm -Rfv /mnt/bt5img/*
    cp -Rfvp path/to/bt5/core/* /mnt/bt5img/

    unmount your .img, place it on your sdcard, and your all set.






    ==============================
    Changes in v0.3
    ==============================

    - Trimmed alot of fat, fits inside of 3.3 image now, though space is SEVERLY limited (removed CUPS and sound stuff, who needs to print from within thier phone anyways?)

    - various small changes for performace improvements.
    - a few new tools installed, but not tested
    - restored my personal version that i nuked. It works now. :)

    NEW STUFF TO COME, STAY TUNED!!!
    7
    First off, My apologies for starting a second thread on this, I've made ALOT of changes and i feel the first thread is dead and useless. (Reprimand me if needed :)

    -pics coming once I find my camera :p could be a small while-

    ---------------------------------------
    Backtrack5 for HD2 - v0.2
    Customized by z3n
    My goal: the perfect stealth
    tool in your pocket
    just one tap away
    ---------------------------------------

    ========================
    Codename
    Squeaky Wheel
    ========================



    Updated, check second post for changelog


    ========================
    DOWNLOAD
    ========================


    Please use the scripts attached at the bottom of this post instead of the packaged ones, and i havent had a change to update the full image zip with it (uploads take a while :p)

    V 0.2

    Part 1 - http://www.megaupload.com/?d=D0MQVAS4

    Part 2 - http://www.megaupload.com/?d=M2MRYLAH


    MD5 - 06225e18cdbfee6f88daf7e9ee3a1163
    SHA1 - eeba19e53565a1643703cf8938be2f8cfc12db9a

    V 0.1

    Part 1 - http://www.megaupload.com/?d=83B22Y00

    Part 2 - http://www.megaupload.com/?d=SB98AA19

    mirror - (NOT interchangeable)

    Part 1 - http://www.megaupload.com/?d=HU320Z81

    Part 2 - http://www.megaupload.com/?d=QN9C560Z

    Checksums of bt5.img
    MD5 = 863e6db99e5207a81ad0df7d13998235
    SHA1 = c84d8f27df8b9b51059e5a6b09e65853f11de970



    7zip required to extract.

    Just over 1gb packed, unpacked is 4.9gb.


    ========================
    INFO
    ========================

    This is my first release of a customized, working, mostly stable BT5.

    Many things have been added, taken out, and configured to be used within the Android system. For a full list, please see the bottom of this post.

    Mounting is different than most other linux .img installations, allowing for a full (and expandable) image.

    V 0.2 Now has a swap file created when you run the mkdirectory script. This swap file is necessary, as with all my tests, When you run VNC with most of the major tools, there's a high chance of the phone running out of memory (im running no extra apps, completely stock Hyperdroid)

    (if you have a swapfile already, you can say no to creating another, just make sure that the file is located at /data/bt and named btswap.)

    **This image is in ext4, make sure your kernel supports it!**
    **Everything tested on Hyperdroid-CM7 by pongster**

    ==============
    INSTALLATION
    ==============

    You need:
    -Full Nandroid Backup in case something goes batty
    -16gb HD2
    -ext4 support on your ROM/kernel (lost my ext2 image due to my own stupidity, will create another matching one later)
    -Linux on PC (to create the ext4 partition)
    -Busybox (from market)
    -VNC Viewer (from market) (optional)

    FAT32/EXT4 Split card
    ---------------------

    1.
    Back up your HD2 and SDCard to safe places (off of the phone and sdcard)

    2.
    Boot your linux installation and open partition manager. erase all the partitions on yor SDcard. Then create them in this order.

    1. FAT32 - size of this is total sdcard size minus 6.5g (for bt image) minus 100mb for aps2sd
    2. ext2 - 100mb
    3. ext4 - 6.5 gb

    3.
    Copy the bt5.img to the root of your third partition.
    copy the bts folder to the root of your FAT32 partition.

    4.
    if this is your first time using this script/image, run the mkdirectory script first with

    Code:
    su
    sh /pathtoscripts/mkdirectory

    Load up your android terminal and type
    Code:
    su
    cd /path/to/scripts
    sh go

    5.
    Now it asks you if you want to log in to the console or start vnc automatically. (check log for port, usually 5901 or 5902)

    DEFAULT VNC PASSWORD IS: toortoor



    DEDICATED SDCARD
    ----------------
    Same as everything above, minus the FAT32 partition.

    "sh ded"
    starts for dedicated SDcard instead of
    "sh go"


    Proper Shutdown Procedure
    =====================

    Stop script has been modified to shutdown backtrack and all of the (usual) programs that stop things from unmounting properly.

    Exit any VNC connection you currently have.

    1. Run sh stop (from your scripts location)
    2. Reboot phone as a precaution.

    One thing i did personally to make this easier was load the scripts onto /data/bt, so switching SDcards or locations doesnt matter.
    (I also changed the terminal start directory to my scripts folder :p easy quick access)

    =======================
    Main Features I've gotten to work
    =========================
    -Clean mount/umount, as long as VNC and MySQL are killed BEFORE exiting the chroot - stop script kills these now
    -Apps no longer disappear for good with sdcard removed, only disappear until SDcard is reinserted :p (apps2SD/loop device problem, any ideas?)
    -MySQL for metasploit
    -Metasploit working
    -Armitage working, missing some "Attack" options (looking into it)
    -Zenmap installed
    -OpenVPN installed
    -Traffic analysis possible with tcpdump (local only)
    -Enables possibility for FakeAP attacks
    -macchanger works (kinda, phone needs a reboot for original MAC to return)
    -Armitage Launcher placed on Desktop (takes a while to load, be patient)
    -Terminal Launchers in various places (updating may randomly remove your terminal; synaptic placed on desktop as standby to redownload terminals)
    -guake installed (drop down Terminal, makes commands easier to see while working) (not configured to a key yet)

    This probably works with other Android phones too, if you change the scripts and as long as the phone has an external SDcard you can partition.

    If you're using a different phone, this is untested unless specified otherwise.

    -boot and shutdown scripts run clean as long as VNC and MySQL are shut off (in almost all cases)


    @ XDA
    http://xdaforums.com/show....php?t=1152994

    PASSWORDS
    ---------
    MySQL - user: root pass: toor
    VNC - user: root pass: toortoor
    sys pass - user: root pass: toor
    (I know, standard ones, but this should answer a few questions)


    ===============================
    Thanks
    ===============================
    anantshri - for the original scripts and BT5 img for android
    BT dev team - (of course :p)
    and all of you :)

    ===============================
    Information, bugs, and oddities
    ===============================

    One important thing: while performing heavy operations, it's normal for your screen to not turn on for a while if it turns off. Don't panic, just give it some time to finish whatever you were running and your phone will be back to normal again. DO NOT PULL THE BATTERY UNLESS ABSOLUTELY NECESSARY.

    To avoid this, get wakelock (known to cause problems) or set your screen timeout to some large number.

    Swap file will help with a lot of this.

    These are the features I've tested out so far.
    No major changes to anything (except new packages), just configuring everything I see.

    If you find anything you want added in or that is acting odd, please let me know. Same goes for if you fix something!!

    Overall
    -------
    -Repos activated, most things work (upstart processes fail, for now)
    -startvnc and stopvnc no longer give that pesky USER error
    -startvnc starts mysql database for metasploit
    -stopvnc stops mysql (mostly, invoke ps -A and look for mysqld. Kill it with fire(-9) if need be)
    -network traffic is capture-able with tcpdump, with wifi hotspot activated
    -working on adding in a swap partition on sdcard (if possible)
    -openoffice installed
    -openVPN installed (the quieter you become...)
    -Removed Zoho Web services

    MySQL
    -----
    default user - root
    default pass - toor
    -Starts automatically with startvnc
    -stops automatically with stopvnc
    -start manually by invoking "mysqld"
    -Only runs as root (for now)
    -Console hangs when it is manually loaded or shutdown, service continues running though. killall --signal 9 mysqld if needed.

    Metasploit
    ----------
    -Loads up alright (45-90 seconds)
    -MySQL already set as default DB
    -Must manually connect to MySQL DB each instance of metasploit by invoking (from msf) db_connect root:toor@127.0.0.1
    -working on a possible way to limit cpu consumption to prevent system hangs(cpulimit does some nasty things)
    -So far, this is the only connection string I've been able to get to work: root:toor@127.0.0.1

    Armitage
    --------
    -Takes forever to load (30 seconds for connect screen, 4 minutes or so for main client)
    -Causes system hangs frequently (to minimize this, leave the vnc server on your screen, and set the display timeout to 10 minutes-switch it back when done to conserve battery life)
    -So far, this is the only connection string I've been able to get to work: root:toor@127.0.0.1
    -Can Crash phone if running too big of an operation (Max Phone memory problem, fixed in v.2 with swapfile added)

    Zenmap
    ------
    -Slows phone down (incredibly bad with more complex scans, of course)
    -Some Complex scanning options can crash phone (Nothing damaging has happened)
    -will attempt to throttle cpu usage in the future
    -Can Crash phone if running too big of an operation (Max Phone memory problem, fixed in v.2 with swapfile added)


    Aircrack-ng suite
    -----------------
    -Aircrack-ng works
    -Airodump-ng doesn't work (needs monitor)
    -Airdecap-ng untested
    -Airdecloak-ng untested
    -Airbase-ng doesn't work (needs monitor)
    -Airmon-ng doesn't work (needs monitor)
    -Aireplay-ng doesn't work (needs monitor)
    -Airdriver-ng doesn't work (yet)
    -Airolib-ng works (doesn't do anything yet)
    -Airserv-ng doesn't work (needs monitor)
    -Airtun-ng doesn't work (needs monitor)



    Plus lots of stuff for the future, stay tuned!!

    http://xdaforums.com/show....php?t=1152994

    In the future
    =============
    -nessus
    -Booting via HD2 Toolbox by d4n14l (sp?)
    -Custom kernel (WAYYYY down the road, but working on it)
    and more ;)
    --Copyrighted by z3n, 2011
    (just kidding, but it looks good :p)
    5
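An added example of the shutdown order the first post describes (stop VNC and MySQL before leaving the chroot, then unmount, so umount stops answering "resource busy"); this is not the thread's own btgo/bts/stop script, and the BT_ROOT mount point and the bt5.img loop-device lookup are assumptions you must match to your own scripts.

```shell
#!/bin/sh
# Added example, not the thread's own btgo/bts/stop scripts: tear down the BT5
# chroot in the order the guide describes (stop VNC and MySQL first, then
# unmount) so umount stops answering "resource busy".
# BT_ROOT is an assumed mount point; set it to where your scripts mount bt5.img.
BT_ROOT="${BT_ROOT:-/data/local/mnt}"

# True when path $1 is the chroot root or lies below it.
under_root() {
    case "$1" in "$BT_ROOT"|"$BT_ROOT"/*) return 0 ;; esac
    return 1
}

# Mounts at or below $BT_ROOT, deepest path first, read from a
# /proc/mounts-format file (default: the live /proc/mounts). Nested mounts
# (dev/pts, proc, sys) must come off before the root mount itself.
bt_unmount_order() {
    awk -v root="$BT_ROOT" \
        '$2 == root || index($2, root "/") == 1 { print length($2), $2 }' \
        "${1:-/proc/mounts}" | sort -rn | cut -d' ' -f2-
}

# PIDs whose root or cwd is inside the chroot: Xvnc, mysqld or a forgotten
# shell left in there are exactly what keeps the filesystem busy.
bt_blockers() {
    for p in /proc/[0-9]*; do
        r=$(readlink "$p/root" 2>/dev/null) || continue
        c=$(readlink "$p/cwd" 2>/dev/null) || c=
        if under_root "$r" || under_root "$c"; then echo "${p#/proc/}"; fi
    done
}

# Stop sequence: polite TERM, then -9 for anything that ignores it (the
# thread's "kill it with fire"), then unmount, then free the loop device.
bt_stop() {
    pids=$(bt_blockers)
    if [ -n "$pids" ]; then
        kill $pids 2>/dev/null; sleep 3
        pids=$(bt_blockers)
        [ -n "$pids" ] && kill -9 $pids 2>/dev/null && sleep 1
    fi
    for m in $(bt_unmount_order); do
        umount "$m" || { echo "still busy: $m"; return 1; }
    done
    # Detach the loop device backing bt5.img, if any ("losetup -a" lists "/dev/loopN: ...").
    for dev in $(losetup -a 2>/dev/null | grep bt5.img | cut -d: -f1); do
        losetup -d "$dev"
    done
}
case "${1:-}" in stop) bt_stop ;; esac   # run as root with: sh bt_stop.sh stop
```

Everything used here (awk, sort, readlink, losetup) is in busybox; if umount still reports busy, bt_blockers shows the PIDs holding the chroot open.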
    Its a work in progress :)

    I'm not working on the driver personally, but I have been keeping up with the bcm module source at bcmon.blogspot.com.

    I've successfully compiled the driver for Android a few times, but my HD2 hasn't been playing nicely with iwconfig, so I haven't tested the monitor mode yet. Once I have something solid, it'll appear on here :)

    The module loads up fine in Android, but it likes to stay connected to wifi points, even if you go miles away, so the module source is still a bit buggy.

    I'm currently not working on this Backtrack image project due to time constraints, but sometime in the future it will be worked on again :)

    Sent from my Xoom using xda premium
    3
    Getting monitor mode working is a long (maybe impossible) process for this chip set.

    What needs to be done for it is patching the firmware with the monitor code, which requires A LOT of trial and error, some of which can burn out the chip.

    Its one of my current projects (along with about 75 others lol) but to be honest, I haven't had much time to invest into it yet...

    When I got some info or something to test, I'll post about it here :) (may be a long time though)

    Sent from my HTC Sensation XE with Beats Audio Z715e using xda premium
    2
    Thanks Robbie for the information about the Desire, which set of aircrack tools are you using? I couldn't get them to work properly last time I tried, as wifi would break when it started scanning.
    TBH I don't use any :), just thought you might be interested. I did load backtrack 5 onto a stick for pc once and used aircrack to try and get alternative wifi access, but my internet plan is pretty good at home so no need really. I can see the point in using it on phone though;)
    I'll look into porting Ubuntu Touch across. It shouldn't be too hard, as Ubuntu runs the same way as this image, it's mainly just the Android ROM base that was changed to load directly into the OS. I was on the verge of installing it last night onto my Nexus 4, but my phone runs my business, so a lot of the non working features I need unfortunately.

    Most of my work I'm keeping track of through my website, so be sure to check there for updates.

    http://www.zenfulapps.com

    Sent from my Nexus 4 using xda premium
    Thanks Sathara for the link. It seems ubuntuphone only works for cm10.1 and we have wifi problems using that, due, I think, to bcmdhd support in kernel. Also, I use NativeSD, and there are problems with some ROMs (not all though) getting 4.2.2 working with magldr and NativeSD (although there are reports of it working with haret booting, which is strange. Also AFAIK .35 kernels don't work with haret booting on sd and native sd builds).