Installing Kali Nethunter on the OnePlus (and probably other phones too)

In a fit of boredom (and a desire to up my l33t cred), I decided to install Kali Nethunter on a OnePlus 7 Pro that I stopped using about a year ago. Naturally, the first stop was the official installation instructions. Big mistake. They’re darn near incomprehensible, rely on deprecated software, and cost me about 3 days of struggle.

But, with enough time, cussing, and reflashes, anything is possible, and Nethunter is now working beautifully on the OnePlus 7 Pro. So what follows are the steps I used to pull it off. Hopefully they’ll save you some time and heartache.

Obligatory Warnings

Flashing Nethunter requires the following actions, in increasing order of risk:

  • Rooting your phone. If you don’t know what that means, you are wildly out of your depth. Stop, reconsider your choices, and go have some ice cream instead.
  • Wiping your phone, completely, about a fghjillion times. You will lose all your data.
  • Unlocking your bootloader, which, in addition to wiping your phone, makes it display an annoying security message every time you boot from here on out.
  • Disabling your phone’s encryption. That is, even without knowing your passcode, someone who possesses your phone can view all those nudes you’re probably storing on it.

Further: doing any of the above can brick your phone. Bricking your phone will result in:

  • Turning your expensive-ass phone into a shiny paperweight
  • Voiding any and all warranties
  • Earning you mockery and derision on Reddit when you explain what you did in a desperate plea for help
  • Hours spent in the XDA-Developers forums — where you will encounter less mockery and derision, but the same bleak despair when they explain what you’ve done

Still here? Let’s go.

Step 0: Learn what region your phone is

Most manufacturers have different editions of the phones – with different hardware – for various regions like the USA, Europe, China, and India. Installing the wrong edition won’t fully brick your phone, but it’ll give you a good scare and cost a few hours to fix.

Typically, the regional variant of your OS is appended to the version number. For example, my OxygenOS version (available by going to Settings | About Phone | Build Number) is 11.0.9.1.GM21AA, where GM21AA is the variant.

If you’re on a OnePlus like me, it gets slightly more complicated, as there is a T-Mobile variant within the USA/Global variant, and you may have to reflash your entire phone’s image before you can proceed at all. I’ll write a follow-up post on how to do that, provided I remember.

Step 1: Update your phone to the latest stock OS

Installing any updates to your operating system will result in re-enabling the encryption that we are working so hard to remove. Ergo, you will not be able to update Android after installing Nethunter unless you want to repeat the entire Nethunter installation rigmarole.

Therefore, do future you a favor and get your phone on the latest version of Android (in my case, Oxygen OS 11.0.9.1GM21AA for the USA/Global edition).

Furthermore, you must use the stock version of Android that ships with your device. No custom OSes here.

Step 2: Install ADB and Fastboot

If you don’t know what these are, you should probably bail right now. At any rate, here’s how to get them:

  • Windows/Mac: Download from Google and unzip somewhere. Unless you want to get all fancy with the PATH variable, though, you’ll have to drop any files you intend to upload into this folder. This is the only time I will mention this caveat, so don’t forget it.
  • Ubuntu: sudo apt install adb fastboot
  • Arch: sudo pacman -S android-tools

Step 3: Enable USB Debugging and other fancy developer tools

Remember that build number from Step 0 (Settings | About Phone | Build Number if you already forgot somehow)? Tap on it 7-8 times to enable Developer Mode. Now, you can go to Settings | System | Developer Options and do the following:

  • Enable USB Debugging
  • (Optionally) enable Advanced Reboot

Step 4: Install Magisk

Magisk is a lovely app that serves multiple functions in our adventure, namely:

  • Rooting your phone
  • Disabling encryption
  • Installing Nethunter

To install:

  1. Go to Magisk’s GitHub page and download the .apk of the latest release. Don’t download Magisk from anywhere other than GitHub! It is known that amateurs are always looking for easier ways to root their phones, and bad actors capitalize on their naivete with malware-laden fakes.
  2. In a terminal (command prompt for your Windows folk), push the file to your phone with
    adb push Magisk-v25.2.apk /sdcard/Download
  3. On your phone, open the File Manager app and install the .apk that now resides in your phone’s Downloads folder. You’ll probably have to enable a bunch of permissions to accomplish this, but at least the menus involved are intuitive.

Step 5: Patch your Boot Image

In order for Magisk to work its rooty magic, it first needs some help by way of a patched boot image. Fortunately, Magisk will do the patching for you; all you have to do is secure that juicy .img file. To do so:

  1. Get a factory image of your OS. Two ways to do this:
    • Go to the vendor’s support site and poke around
    • Google “factory image [OS build] site:xda-developers.com” where [OS build] is the build number from Step 1.
  2. Open the .zip file that you downloaded and extract payload.bin.
  3. Clone the payload_dumper repository (or just download a ZIP of it from GitHub).
  4. Move payload.bin into the payload_dumper folder.
  5. Make sure that you have Python 3 installed with the following (pip) packages:
    • protobuf
    • bsdiff4
  6. Open a terminal in the payload_dumper folder and run
    python3 payload_dumper.py payload.bin
  7. Once it completes, there will be an output folder containing boot.img. Push it to your phone with
    adb push boot.img /sdcard/Download

Now you can patch that boot image in Magisk. To do so:

  1. Open Magisk.
  2. In the Magisk section (i.e. not the App section), click Install.
  3. Choose Select and Patch a File as your method.
  4. Navigate to boot.img from earlier.
  5. Let Magisk do its thing. When it finishes, the last line will give the name of the output file, along the lines of
    magisk_patched_[string of stuff].img.
  6. Retrieve that patched file with
    adb pull /sdcard/Download/magisk_patched_[string of stuff].img .
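
A pre-flash sanity check for the files this step handles, added here as an example (it is not part of the original post, payload_dumper, or Magisk). It reads the first 64 bytes of a file and confirms that payload.bin starts with the OTA payload magic (CrAU) and that boot.img and the Magisk-patched image start with the Android boot image magic (ANDROID!); it also catches the factory .zip being passed in unextracted. The function names and the two sample headers are constructed for illustration.

```python
import struct
import sys

PAYLOAD_MAGIC = b"CrAU"    # start of an A/B OTA payload.bin
BOOT_MAGIC = b"ANDROID!"   # start of an Android boot image
ZIP_MAGIC = b"PK\x03\x04"  # factory-image .zip that was never extracted


def parse_payload_header(head: bytes) -> dict:
    """payload.bin: magic, u64 format version, u64 manifest size, and for
    version >= 2 a u32 metadata-signature size (all big-endian)."""
    if len(head) < 24:
        raise ValueError("payload.bin header is truncated")
    version, manifest_size = struct.unpack(">QQ", head[4:20])
    sig_size = struct.unpack(">I", head[20:24])[0] if version >= 2 else 0
    return {"kind": "payload", "version": version,
            "manifest_size": manifest_size, "metadata_sig_size": sig_size}


def parse_boot_header(head: bytes) -> dict:
    """Boot image: header_version is a little-endian u32 at offset 40."""
    if len(head) < 44:
        raise ValueError("boot image header is truncated")
    (header_version,) = struct.unpack("<I", head[40:44])
    return {"kind": "boot", "header_version": header_version}


def identify(head: bytes) -> dict:
    """Classify a file from its first 64 bytes; raise on anything unexpected."""
    if head.startswith(PAYLOAD_MAGIC):
        return parse_payload_header(head)
    if head.startswith(BOOT_MAGIC):
        return parse_boot_header(head)
    if head.startswith(ZIP_MAGIC):
        raise ValueError("still a ZIP archive: extract payload.bin first")
    raise ValueError("neither payload.bin nor a boot image; do not flash it")


# Constructed sample headers (not taken from a real OTA), for offline use.
SAMPLE_PAYLOAD = PAYLOAD_MAGIC + struct.pack(">QQI", 2, 4096, 267) + b"\x00" * 40
SAMPLE_BOOT = BOOT_MAGIC + b"\x00" * 32 + struct.pack("<I", 1) + b"\x00" * 20

if __name__ == "__main__":
    # Usage: python3 preflight.py payload.bin boot.img magisk_patched_*.img
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, identify(fh.read(64)))
```

A ValueError on any file means it is not what the step expects, so stop there rather than pushing or flashing it.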

Step 6: Unlock the bootloader

Reboot into the bootloader. Two ways to do this:

  • adb reboot bootloader
  • Long-press the Power button and select bootloader, which should be available if you enabled Advanced Reboot in Step 3.

Once in the bootloader, unlock it with
fastboot oem unlock

Accept that this will wipe your phone and let it proceed.

Step 7: Repeat Steps 3-4

Remember when I said you’re going to wipe your phone a fghjillion times? Yeah, you’re gonna repeat Steps 3-4 a healthy number of times as well.

Step 8: Patch your boot image

Reboot into the bootloader, same as you did in Step 6. Then, flash the boot image that Magisk produced with
fastboot flash boot magisk_patched_[string of stuff].img

Once it’s flashed, boot the phone. Your phone is now rooted!

Step 9: Disable encryption

This is where the stock Nethunter installation instructions make their first mistake. They advocate using Disable_Dm-Verity_ForceEncrypt, which is deprecated and will soft-brick your phone.

Instead, you need Disable Force Encryption NEO (hereafter DFE-Neo). You can learn all about it on the XDA-Developers forum, or you can just download it from SourceForge.

You can download the file directly to your phone, or download it to your computer and adb push it to your phone. Either way, the next steps are:

  1. Open Magisk. It may request a reboot to complete installation; let it.
  2. Tap Modules in the bottom-right.
  3. Select Install from Storage and select the DFE-NEO zip you downloaded.
  4. Use Volume Up to cycle through the languages and use Volume Down to select the language of choice.
  5. Hit Volume Down again to continue.
  6. Hit Volume Up to select the Use arguments.txt option, and Volume Down to select.
  7. Let it run its course. When you get to the end, though, don’t hit the blue Reboot nugget. Instead, reboot into the bootloader using your preferred method from Step 6.

Step 10: Wipe the Data partition

Time to enter Recovery mode. For this, you will want the latest version of TWRP Recovery. Go to twrp.me/Devices/, find your device, and download the most recent .img file.

Don’t install TWRP, as it will overwrite the boot partition that you worked so hard to flash. Instead, we’re just going to boot into TWRP as a one-off. To do so, use
fastboot boot twrp-[version]-[model].img

Once TWRP Recovery has loaded, select Wipe and Wipe Data. Once that’s done, reboot.

Step 11: Repeat Steps 3-4

Another wipe of the phone, another reinstallation of Magisk.

Step 12: Install Nethunter

Friggin finally. Obtain the latest Nethunter image from kali.org, either by downloading directly to the phone or pushing via adb.

Open Magisk, and install the Nethunter image the same way you installed DFE-NEO in Step 9.

Step 13: Celebrate!

You did it! l33t points will be added to your account in due course.

10 comments

Hi, just to let you know that I’ve tried it on a OnePlus 8 Pro and it worked, finally.
Well, protobuf complained about the version, so I had to install the version it wanted (protobuf==3.19.0), and after disabling encryption I thought I’d bricked it because it wouldn’t boot, just staying at the logo screen. After going into recovery mode and wiping data/cache, though, it managed to boot up and continue with the rest.

Hi Bro,
Good day

My phone is a OnePlus 7 Pro. Model is GM1913, Android version is 12 (RAM 8 GB, ROM 256 GB).

I do respect your warning as you mentioned in the beginning of your blog. Now please advise me: should I follow your steps for this model?
If there is any other suggestion for my model (GM1913), requesting your kind help.
BR
Nexus

I have a Oneplus 7 Pro v11 and I followed David Bombal on Youtube. 2 videos:
1. Root Android Kali Linux
2. Kali Linux Nethunter with Wifi Support
Worked for me. I am wondering if Nethunter works better on v10 or v11 of OnePlus?

His guide came out after mine and I couldn’t recommend it more – far easier. Glad it worked for you!

Had a bit of an issue when flashing the DFE package via Magisk. As a test, I decided to flash it via adb in Lineage Recovery and after a reboot, wipe, magisk reinstall, and reboot, I opened magisk and chose my Nethunter file in Magisk and it installed without a hiccup. Maybe it’s because of my specific config, maybe I did something weird/wrong. I’m running Lineage OS 20 on AOSP 13 on a Oneplus 7 Pro. It was a T-Mobile model, flashed the global firmware following the Lineage OS instructions.

Truthfully, I’m not sure why it worked this way. The last few times I tried flashing Nethunter, I either didn’t have the right firmware for wifi cards or bluetooth attacks, or (last time) I soft-bricked it on the fastboot screen. Thankfully, heading over to the Lineage page, I got the dtbo and vbmeta files to allow me to flash to separate partitions and was able to get a functioning recovery to install my ROM.

After 8 months and 5 attempts, it seems I got the right order to make it work. Thanks for sharing that the method on the Nethunter page was outdated/mistaken. Your method as a base template helped me finally flash my 1+7Pro correctly.

-Cy

Can I ask where you found the instructions you used? Been trying every guide for months and haven’t had luck. Happy for you getting it to work.

Can I ask where you found those instructions? I’ve tried every guide for months with no luck. Happy for you getting it to work, though.

This is my first time attempting to start the process of installing Nethunter. Over the past few days I have hardly got anywhere but I have still learned a lot. I have been following this tutorial (https://www.mobile-hacker.com/2023/07/04/about-me/). I spent a lot of time researching the best phone for Nethunter and decided to go with the One Plus 7. I specifically ordered one that was network unlocked but it seems I still received the network unlocked T-Mobile GM1915 variant. Because of this I need to flash the global or international firmware on my device first to essentially change it from the T-Mobile variant to the currently supported version before I even start the whole process. When following this tutorial I only get as far as using the msm tool, which, when I connect to it and click start, gives me the error “device not match image”, which I assume is because the guacamole (OOS10 ROM) isn’t the correct image for my specific variant. I have searched for a supported one to use but I haven’t had too much luck with dead links and outdated forums. I saw on another forum he said “I found out I had a globalized T-Mobile phone so I needed to flash T-Mobile image and then the global patch” but I cannot find these supported zips anywhere. If this doesn’t make sense, my apologies, or if I can clear anything up let me know. Any help would be great or any pointers. Thank you! Or if you can point me to the follow-up post on the T-Mobile variant that would be great!

Here’s my exact build
model GM1915
snapdragon 855 processor
android version 11
build number – Oxygen OS 11.0.1.8 GM31CB

I was able to get my OnePlus 7 Pro global msmtool working by choosing the “conversion to GMA” tool in the list of the stock images for my device. It took me a while to realize that that was an option in the list of all the image builds and that it was the only way to convert mine to global, but it also converts from any build or kernel I currently have. After using the conversion to global (or GMA) tool I was able to update to the build I needed (it always converts to the oldest build). Hopefully that helps you out.
