CorSecure

Security, Hacking, Making, and Tech


Rooting an Android Device

I have made a lot of content on both this website and my YouTube channel about pentesting Android applications. Much of that content was made with an Android emulator in mind. If you are a beginner or don’t have the resources to get physical devices for testing, an emulator is a very useful way to get started in mobile pentesting. If you do have the resources, physical devices are well worth it: they let you test attack vectors that aren’t possible with an emulator. To use most of the tools and techniques we need for testing, though, we first have to root our Android device.

For this example, I will be rooting a Nexus 5X, but this process can be used with any Nexus or Pixel device. It is possible to root a lot of other Android devices from other manufacturers, but I highly recommend using either a Nexus or a Pixel since they are supported by Google and have a lot of resources available that are more difficult to find for other devices.

Enabling USB Debugging

The first thing we need to do when rooting an Android device is enable USB debugging. To do this, we need to go to the “About phone” menu in the settings and scroll down to the build number. Tap on the build number 7 times. After doing this, you should see a message that says “You are now a developer!” There should now be a new menu option under “System” listed as “Developer options.” In this menu, you should be able to find an option to enable USB debugging, which will allow us to interact with our device over a USB cable.

Once the USB debugging option is enabled, we can plug our device into our PC with a USB cable, open a terminal, and run adb devices. The terminal should list our device as unauthorized, and a pop-up on the mobile device should ask us to “Allow USB debugging.” After tapping OK on the device, we can run adb devices again, and it should now be listed as device instead of unauthorized.

Downloading Factory Image

One of the reasons that I recommend using either a Nexus or a Pixel device is that those devices are supported directly by Google, and Google provides a very easily accessible repository of factory images for these devices. We can access this repository at https://developers.google.com/android/images. On this site, we can scroll down to find the proper factory image for our device. There is also an option on the right panel to click a direct link to each device.

For my example, I am using a Nexus 5X device, so I am going to scroll down to “bullhead” for Nexus 5X. Under this section, I am going to scroll down to the most recent build that is available, which in this case is 8.1.0, and click the link to download the image.

Once the download is complete, we should have a zip file that includes the factory image files. We can then open up a terminal and unzip those files. Once that extraction is complete, we should see another zip file in the extracted directory. We can unzip that file as well. Inside that second zip file, there should be a file named boot.img. After we have this file, we can use ADB to push this file onto our device.

adb push boot.img /sdcard/Download/

Installing Magisk

Once we have the files we need, we can download Magisk, a suite of open source software for customizing Android. This is the tool we are going to use to actually root our device. We can download Magisk from https://github.com/topjohnwu/Magisk. On the GitHub page, we can go to Releases, open the assets under the most recent release, and download the Magisk APK file. Once we have the APK file, we can install it onto our device with ADB.

adb install <magisk app>.apk

Patching File

After the Magisk app is installed, we can launch the app on our device, and there should be a button in the top right corner that says “Install.” Clicking on that button should open a new page with some install options, but we can leave all of those as is and click “Next”. Now there should be an option to “Select and Patch a File”. Clicking on this should bring up the file system of the device where we can locate the boot.img file that we pushed onto our device earlier. After selecting this file, we can click “Let’s Go” which will begin a process that should result in a new file being created.

Once that new file is created we can use ADB to pull that file off our device.

adb pull <path to patched file>

Rebooting, Unlocking, and Flashing

Once we have our newly patched file, we can reboot our device into fastboot mode. Then, if our device is locked, we will need to unlock it. And finally, we need to flash our device using the patched file that we got from Magisk.

adb reboot bootloader
fastboot flashing unlock    # may not be necessary
fastboot flash boot <magisk patched file>

Once this process is complete, we can boot up our device.

Checking Root

Once our device boots up, we need to make sure our device is rooted. To do this, run adb shell to access the file system on the device. Immediately we can tell that we are not root since the shell prompt is $, and if we run whoami, it returns shell. However, if we run the command su, there should be a popup on the phone asking us to grant a “Superuser Request.” After granting this request, now we can see that the prompt has changed from $ to #, and if we run whoami again, now it says that we are root.
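The steps above, from checking the adb connection through confirming root, collected into one POSIX shell driver. This is an added example, not the author’s script, and it assumes adb and fastboot are on PATH, exactly one device is attached, and the FACTORY_ZIP, BOOT_IMG, MAGISK_APK and PATCHED_IMG paths are placeholders for your own files. Two further assumptions are labelled in the code: that Google’s factory zips are named `<codename>-<build id>-factory-<hash>.zip`, and that recent Magisk versions save the patched image as `magisk_patched*.img` in Download. Unlike the bare command list, it refuses to flash a boot image that does not belong to the build currently installed on the device, and it only runs the data-wiping `fastboot flashing unlock` when `fastboot getvar unlocked` says the bootloader is still locked.

```shell
#!/bin/sh
# Added example (not the author's script): a driver for the rooting procedure
# that checks each precondition before it touches the boot partition.
# Assumptions: adb and fastboot on PATH, one attached device, and the four
# paths below are placeholders you point at your own files.
set -eu

FACTORY_ZIP="${FACTORY_ZIP:-./bullhead-factory.zip}"  # placeholder: zip from developers.google.com/android/images
BOOT_IMG="${BOOT_IMG:-./boot.img}"                    # boot.img extracted from the inner zip
MAGISK_APK="${MAGISK_APK:-./Magisk.apk}"              # the APK from the Magisk releases page
PATCHED_IMG="${PATCHED_IMG:-./magisk_patched.img}"    # local copy of the file Magisk creates

# State of the first device in `adb devices` output: "device", "unauthorized",
# "offline", ... or "none". Daemon start-up lines and the header are skipped.
adb_state() {
    state=$(printf '%s\n' "$1" | awk '/^[*]/ || /^List of/ { next } NF >= 2 { print $2; exit }')
    printf '%s\n' "${state:-none}"
}

# Assumed naming of Google factory images: <codename>-<build id, lowercased>-factory-<hash>.zip.
# Magisk must patch the boot image of the build that is actually installed, so
# refuse to continue if the zip does not match the device's codename and build id.
image_matches_device() {
    zipname=$(basename "$1")
    codename=$2
    build=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    case "$zipname" in
        "$codename-$build-factory-"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when `fastboot getvar unlocked` (assumed to exist, as on Nexus/Pixel
# bootloaders) reports the bootloader as already unlocked.
bootloader_unlocked() {
    printf '%s\n' "$1" | grep -qi 'unlocked: *yes'
}

# True when the output of `id` shows uid 0, i.e. Magisk granted the su request.
is_root_id() {
    case "$1" in
        uid=0\(*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    state=$(adb_state "$(adb devices)")
    if [ "$state" != "device" ]; then
        echo "adb reports '$state': enable USB debugging and accept the prompt on the phone" >&2
        exit 1
    fi

    codename=$(adb shell getprop ro.product.device | tr -d '\r')
    build=$(adb shell getprop ro.build.id | tr -d '\r')
    if ! image_matches_device "$FACTORY_ZIP" "$codename" "$build"; then
        echo "$FACTORY_ZIP is not the image for $codename build $build; flash the full factory image first" >&2
        exit 1
    fi

    adb push "$BOOT_IMG" /sdcard/Download/
    adb install -r "$MAGISK_APK"
    echo "In the Magisk app: Install -> Next -> Select and Patch a File -> Download/boot.img -> Let's Go."
    printf 'Press Enter once the patched image exists: '
    read -r _
    # Assumption: recent Magisk versions write the result as magisk_patched*.img in Download.
    patched=$(adb shell 'ls /sdcard/Download/magisk_patched*.img' | tr -d '\r' | head -n 1)
    adb pull "$patched" "$PATCHED_IMG"

    adb reboot bootloader
    if ! bootloader_unlocked "$(fastboot getvar unlocked 2>&1)"; then
        echo "Bootloader is locked: unlocking wipes all user data; confirm on the phone." >&2
        fastboot flashing unlock
    fi
    fastboot flash boot "$PATCHED_IMG"
    fastboot reboot
    adb wait-for-device
    if is_root_id "$(adb shell su -c id | tr -d '\r')"; then
        echo "Device is rooted."
    else
        echo "su did not yield uid 0; check the Magisk app for the pending Superuser Request." >&2
        exit 1
    fi
}

# Only run the real procedure when explicitly asked, so the helpers can be sourced and checked.
if [ "${ROOT_DEVICE:-0}" = "1" ]; then
    main
fi
```

Run it with `ROOT_DEVICE=1 sh root.sh` after pointing the path variables at your files. The build-id check is deliberately strict: if you downloaded a newer factory image than the one on the phone, flash the full factory image first so system and boot come from the same build, then patch that build’s boot.img. Unlocking the bootloader factory-resets the device, which is why the script only does it when the bootloader reports itself locked.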

If you’re interested in more content about security, hacking, making, and tech, check out my YouTube channel at https://youtube.com/@CorSecure.
