Installing Kali Nethunter on the OnePlus (and probably other phones too)

In a fit of boredom (and a desire to up my l33t cred), I decided to install Kali Nethunter on a OnePlus 7 Pro that I stopped using about a year ago. Naturally, the first stop was the official installation instructions. Big mistake. They’re darn near incomprehensible, rely on deprecated software, and cost me about 3 days of struggle.

But, with enough time, cussing, and reflashes, anything is possible, and Nethunter is now working beautifully on the OnePlus 7 Pro. So what follow are the steps I used to pull it off. Hopefully they’ll save you some time and heartache.

Obligatory Warnings

Flashing Nethunter requires the following actions, in increasing order of risk:

  • Rooting your phone. If you don’t know what that means, you are wildly out of your depth. Stop, reconsider your choices, and go have some ice cream instead.
  • Wiping your phone, completely, about a fghjillion times. You will lose all your data.
  • Unlocking your bootloader, which, in addition to wiping your phone, makes it display an annoying security message every time you boot from here on out.
  • Disabling your phone’s encryption. That is, even without knowing your passcode, someone who possesses your phone can view all those nudes you’re probably storing on it.

Further: doing any of the above can brick your phone. Bricking your phone will result in:

  • Turning your expensive-ass phone into a shiny paperweight
  • Voiding any and all warranties
  • Earning you mockery and derision on Reddit when you explain what you did in a desperate plea for help
  • Hours spent in the XDA-Developers forums — where you will encounter less mockery and derision, but the same bleak despair when they explain what you’ve done

Still here? Let’s go.

Step 0: Learn what region your phone is

Most manufacturers have different editions of the phones – with different hardware – for various regions like the USA, Europe, China, and India. Installing the wrong edition won’t fully brick your phone, but it’ll give you a good scare and cost a few hours to fix.

Typically, the regional variant of your OS is appended to the version number. For example, my OxygenOS version (available by going to Settings | About Phone | Build Number) is 11.0.9.1.GM21AA, where GM21AA is the variant.

If you’re on a OnePlus like me, it gets slightly more complicated, as there is a T-Mobile variant within the USA/Global variant, and you may have to reflash your entire phone’s image before you can proceed at all. I’ll write a follow-up post on how to do that, provided I remember.

Step 1: Update your phone to the latest stock OS

Installing any updates to your operating system will result in re-enabling the encryption that we are working so hard to remove. Ergo, you will not be able to update Android after installing Nethunter unless you want to repeat the entire Nethunter installation rigmarole.

Therefore, do future you a favor and get your phone on the latest version of Android (in my case, Oxygen OS 11.0.9.1GM21AA for the USA/Global edition).

Furthermore, you must use the stock version of Android that ships with your device. No custom OSes here.

Step 2: Install ADB and Fastboot

If you don’t know what these are, you should probably bail right now. At any rate, here’s how to get them:

  • Windows/Mac: Download from Google and unzip somewhere. Unless you want to get all fancy with the PATH variable, though, you’ll have to drop any files you intend to upload into this folder. This is the only time I will mention this caveat, so don’t forget it.
  • Ubuntu: sudo apt install android-tools
  • Arch: sudo pacman -S android-tools

Step 3: Enable USB Debugging and other fancy developer tools

Remember that build number from Step 0 (Settings | About Phone | Build Number if you already forgot somehow)? Tap on it 7-8 times to enable Developer Mode. Now, you can go to Settings | System | Developer Options and do the following:

  • Enable USB Debugging
  • (Optionally) enable Advanced Reboot

Step 4: Install Magisk

Magisk is a lovely app that serves multiple functions in our adventure, namely:

  • Rooting your phone
  • Disabling encryption
  • Installing Nethunter

To install:

  1. Go to Magisk’s GitHub page and download the .apk of the latest release. Don’t download Magisk from anywhere other than GitHub! It is known that amateurs are always looking for easier ways to root their phones, and bad actors capitalize on their naivete with malware-laden fakes.
  2. In a terminal (command prompt for your Windows folk), push the file to your phone with
    adb push Magisk-v25.2.apk /sdcard/Download
  3. On your phone, open the File Manager app and install the .apk that now resides in your phone’s Downloads folder. You’ll probably have to enable a bunch of permissions to accomplish this, but at least the menus involved are intuitive.

Step 5: Patch your Boot Image

In order for Magisk to work its rooty magic, it first needs some help by way of a patched boot image. Fortunately, Magisk will do the patching for you; all you have to do is secure that juicy .img file. To do so:

  1. Get a factory image of your OS. Two ways to do this:
    • Go to the vendor’s support site and poke around
    • Google “factory image [OS build] site:xda-developers.com” where [OS build] is the build number from Step 1.
  2. Open the .zip file that you downloaded and extract payload.bin.
  3. Clone the payload_dumper repository (or just download a ZIP of it from GitHub).
  4. Move payload.bin into the payload_dumper folder.
  5. Make sure that you have Python 3 installed with the following (pip) packages:
    • protobuf
    • bsdiff4
  6. Open a terminal in the payload_dumper folder and run
    python3 payload_dumper payload.bin
  7. Once it completes, there will be an output folder containing boot.img. Push it to your phone with
    adb push boot.img /sdcard/Download

Now you can patch that boot image in Magisk. To do so:

  1. Open Magisk.
  2. In the Magisk section (i.e. not the App section), click Install.
  3. Choose Select and Patch a File as your method.
  4. Navigate to boot.img from earlier.
  5. Let Magisk do its thing. When it finishes, the last line will give the name of the output file, along the lines of
    magisk_patched_[string of stuff].img.
  6. Retrieve that patched file with
    adb pull /sdcard/Download/magisk_patched_[string of stuff].img .

Step 6: Unlock the bootloader

Reboot into the bootloader. Two ways to do this:

  • adb reboot bootloader
  • Long-press the Power button and select bootloader, which should be available if you enabled Advanced Reboot in Step 3.

Once in the bootloader, unlock it with
fastboot oem unlock

Accept that this will wipe your phone and let it proceed.

Step 7: Repeat Steps 3-4

Remember when I said you’re going to wipe your phone a fghjillion times? Yeah, you’re gonna repeat Steps 3-4 a healthy number of times as well.

Step 8: Patch your boot image

Reboot into the bootloader, same as you did in Step 6. Then, flash the boot image that Magisk produced with
fastboot flash boot magisk_patched_[string of stuff].img

Once it’s flashed, boot the phone. Your phone is now rooted!

Step 9: Disable encryption

This is where the stock Nethunter installation instructions make their first mistake. They advocate using Disable_Dm-Verity_ForceEncrypt, which is deprecated and will soft-brick your phone.

Instead, you need Disable Force Encryption NEO (hereafter DFE-Neo). You can learn all about it on the XDA-Developers forum, or you can just download it from SourceForge.

You can download the file directly to your phone, or download it to your computer and adb push it to your phone. Either way, the next steps are:

  1. Open Magisk. It may request a reboot to complete installation; let it.
  2. Tap Modules in the bottom-right.
  3. Select Install from Storage and select the DFE-NEO zip you downloaded.
  4. Use Volume Up to cycle through the languages and use Volume Down to select the language of choice.
  5. Hit Volume Down again to continue.
  6. Hit Volume Up to select the Use arguments.txt option, and Volume Down to select.
  7. Let it run its course. When you get to the end, though, don’t hit the blue Reboot nugget. Instead, reboot into the bootloader using your preferred method from Step 6.

Step 10: Wipe the Data partition

Time to enter Recovery mode. For this, you will want the latest version of TWRP Recovery. Go to twrp.me/Devices/, find your device, and download the most-recent .img file.

Don’t install TWRP as it will overwrite your boot partition that you worked so hard to flash. Instead, we’re just going to boot into TWRP as a one-off. To do so, use
fastboot boot twrp-[version]-[model].img

Once TWRP Recovery has loaded, select Wipe and Wipe Data. Once that’s done, reboot.

Step 11: Repeat Steps 3-4

Another wipe of the phone, another reinstallation of Magisk.

Step 12: Install Nethunter

Friggin finally. Obtain the latest Nethunter image from kali.org, either by downloading directly to the phone or pushing via adb.

Open Magisk, and install the Nethunter image the same way you installed DFE-NEO in Step 9.

Step 13: Celebrate!

You did it! l33t points will be added to your account in due course.

Leave a Reply