NetHunter Hacker II: How to install Kali NetHunter on rooted OnePlus 7 Pro

In this post we will go through installation of NetHunter with full kernel support on OnePlus 7 Pro device. The main benefit is to have drivers support for internal or external devices such as Wi-fi, Bluetooth, HID, BadUSB and SDR gadgets. Our goal will be to flash stock OOS 10, open bootloader, flash custom TWRP recovery, root, install custom kernel and flash NetHunter. If you rather prefer video tutorials, feel free to check installation of rootless NetHunter on YouTube. This is a technical tutorial with risks involved. Because of that, I am not responsible for any damage that you might cause to your device.

If you don’t want to take the risk of rooting your Android device but still install NetHunter, you can follow my previous blog Installation of rootless Kali NetHunter.

Install stock Oxygen OS 10

NetHunter is a chroot (rootfs called by Kali NetHunter) and not a custom ROM that can be flashed. Simply put, it’s a system within a system. Because of that, it requires some prerequisites such as the exact version of the operating system with a particular Android version to be installed on the device. At the time of writing this post, NetHunter can be installed only on over stock OxygenOS versions 10 and 11. In further steps, we will install OOS 10 using official MSM Download tool in emergency (EDL) mode provided and verified by OnePlus. This will factory reset all your data, make sure to create a backup first.

As a prerequisite, you need to have downloaded Android SDK tools (adb and fastboot) on your computer. You can download them from official android website for your platform.

Instructions

1. Disable drivers signing verification on Windows computer using CMD executed with Admin privileges and reboot PC.
   • bcdedit /set testsigning on
2. Download and install Qualcomm drivers
3. Download OOS 10 ROM: guacamoleb_14_P.32_210127.zip
4. Unzip downloaded ROM, and run MsmDownloadTool V4.0.exe
5. Power off OnePlus 7 Pro. Simultaneously press volume up and volume down buttons for 5 seconds and connect the device to computer. Once the MSM Download Tool recognizes the device (connected instead of N/A) click on Start button. You have to do it within around 15 seconds, since after ~30seconds the device will go into bootloader mode and it will not be recognized. After a few minutes device will reboot
6. Setup device
7. Enable USB debugging and unlock bootloader
   • Go to Settings -> About Phone and tap 7 times on Build Number  
   • Tap back button and to go Developers options and enable Unlock bootloader and ADB debugging
8. Reboot Android into bootloader mode using adb command: adb reboot bootloader
9. From bootloader unlock OEM, using command: fastboot oem unlock
10. Device will be wiped

Device should now be successfully flashed with Stock OOS 10 ROM and have open bootloader.

Install TWRP recovery and root

After we successfully unlocked the bootloader, we can install custom recovery. From recovery we will install Magisk; this will patch the boot image and allows us to use root permissions. Without having custom recovery, we wouldn’t be able to root the device and install NetHunter.

Instructions

1. Enable USB debugging (mentioned above)
2. Download and copy to Android both TWRP and Magisk: twrp-3.4.0-10-guacamole-unified-installer-mauronofrio.zip and Magisk-v23.0.zip
3. Download TWRP: twrp-3.4.0-10-guacamole-unified-Q-mauronofrio.img
4. Reboot Android into bootloader mode using adb command: adb reboot bootloader
5. Boot downloaded TWRP from PC using command: fastboot boot twrp-3.4.0-10-guacamole-unified-Q-mauronofrio.img
6. From booted TWRP install copy TWRP (twrp-3.4.0-10-guacamole-unified-installer-mauronofrio.zip) and Magisk (Magisk-v23.0.zip)
7. Reboot to system
8. Open and setup Magisk app (update & install)
9. For clarification, you can verify if device was successfully rooted via adb commands: adb shell and su

Disable encryption and dm-verity

We need to disable force encryption of data partition, to read user data. Disable dm-verity, which is a kernel feature to check the integrity of boot image. Flashing the zip file mentioned in Instruction section, allows user to also enable or disable disk quota, that grants the system to get storage statistics faster and it should even improve system stability, necessarily it don’t have to be disabled.

Instructions

1. Download and copy to Android Disable_Dm-Verity_ForceEncrypt_11.02.2020.zip
2. Reboot Android into recovery mode using adb command: adb reboot recovery
3. Got to Wipe and tap on Format data, write “yes” as confirmation.
4. Reboot to recovery
5. From TWRP install Magisk (Magisk-v23.0.zip) again
6. From TWRP install Disable_Dm-Verity_ForceEncrypt_11.02.2020.zip
7. Reboot to system
8. Setup device (don’t enable any lock screen security)
9. Open and setup Magisk app (update & install)

Install NetHunter

Everything is now ready for NetHunter to be installed. We will proceed with flashing custom kernel separately, then NetHunter image and once again, we need to flash Magisk and dm-verity.

Instructions

1. Enable USB debugging
2. Download and copy to Android: kernel-nethunter-2021.3-oneplus7-oos-ten.zip, and latest version of NetHunter image for OnePlus 7 / 7 Pro / 7T / 7T Pro (Ten)
3. Reboot Android into recovery mode using adb command: adb reboot recovery
4. Install kernel (kernel-nethunter-2021.3-oneplus7-oos-ten.zip)
5. Install NetHunter image (in my case nethunter-2022.4-oneplus7-oos-ten-kalifs-full.zip)
   • If installation ends with error, “Not enough free space in your /system to continue!“, as you can see in Figure 3, then you have to resize /system partition.
   • Fix it by going to Wipe -> Advanced wipe -> select /system -> Repair or Change File System -> Resize File System
   • Repeat step 5)
6. Install Magisk
7. Install dm-verify
8. Reboot to system
9. Open NetHunter app and update via NetHunter App Store (not necessary)
10. Start chroot in NetHunter
11. Restart device
12. Disable system updates: su -c pm disable com.oneplus.opbackup
13. In NetHunter Terminal app, launch upgrade and update command: sudo apt update && sudo apt full-upgrade -y

Congratulation! If you carefully followed all the steps, you should have Kali NetHunter successfully installed on your OnePlus 7 device.

Conclusion

Installing Kali NetHunter on a OnePlus 7 device opens up a world of possibilities for mobile penetration testing and ethical hacking. By following the step-by-step instructions outlined in this blog post, you can unleash the power of Kali Linux on your OnePlus 7, turning it into a powerful tool for assessing the security of networks and systems.

We discussed the prerequisites, such as unlocking the bootloader and enabling USB debugging, and explained how to flash the NetHunter image onto the device using TWRP recovery. We also highlighted the importance of taking backups and ensuring compatibility with the specific OnePlus 7 model.

Once you have successfully installed Kali NetHunter, you gain access to a wide range of powerful tools and capabilities tailored for mobile penetration testing. You can perform network scans, exploit vulnerabilities, and analyze traffic, all from the convenience of your OnePlus 7 device.