How To Make Your Own PWN Phone

Matthew J Carter
4 min readSep 2, 2016

--

So You Took The Red Pill. Glad you made it. We’ll attempt to show you how to build your own Pwn Phone running the Kali operating system and our AOPP (Android Open Pwn Project) image.

Let’s get cracking…

Flashing the Phone

  1. Download and install the command line tools for your OS: https://developer.android.com/studio/index.html#downloads
  2. Download the AOPP ROM for your device:
    https://wiki.pwnieexpress.com/index.php/Official_devices
  3. Download the Recovery image for your device:
    https://twrp.me/Devices
  4. Connect the device to the host machine via USB cable.
  5. Power off the device and boot into the Bootloader:
    Press and hold the Power & Volume-Down buttons
  6. Confirm the device is recognized by the host machine:
    (a device should be listed when the command returns)
  7. $ fastboot devices
  8. Unlock the device:
    $ fastboot oem unlock
  9. Once unlocked, flash the Recovery image:
  10. $ fastboot flash recovery <name-of-recovery-image>.img
  11. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
    Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
  12. If prompted, swipe “Swipe to Allow Modifications”.
  13. Once in Recovery, wipe the device:
    Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
  14. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
  15. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)
  16. $ adb devices
  17. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:
  18. $ adb push <name-of-rom-zip>.zip /sdcard/
  19. On device, tap Install and then select the AOPP ROM zip from /sdcard.
  20. Swipe “Swipe to Confirm Flash”
  21. Download SuperSU from Chainfire here:
    https://download.chainfire.eu/969/SuperSU/UPDATE-SuperSU-v2.76-20160630161323.zip
  22. Push the SuperSU zip to /sdcard/:
  23. $ adb push <SuperSU-zip-name>.zip /sdcard/
  24. Once installed, tap “Reboot System”

OK Now Let’s Build the Phone

Downloading the Source

  1. Refer to “Downloading and Building Requirements” before proceeding:
    https://source.android.com/source/requirements.html
  2. Refer to “Downloading the Source” before proceeding:
    https://source.android.com/source/downloading.html
  3. Create a directory for the build system to live in and cd into that directory:
  4. $ mkdir <WORKING_DIR>
  5. $ cd <WORKING_DIR>
  6. Initialize a local repository using this source tree, use the command:
  7. $ repo init -u git@github.com:aopp/android_platform.git -b px-0.1
  8. Sync the repository, use:
  9. $ repo sync

Building

Devices are referred to by codename (e.g. hammerhead). Make sure to use this when substituting <device-codename> in the following instruction set.

  1. Refer to “Building the System” before proceeding:
    https://source.android.com/source/building.html
  2. To initialize the build environment, use the following command:
  3. $ . build/envsetup.sh
  4. Prepare the build environment (download device-tree and dependencies) for your specific device:
  5. $ breakfast <device-codename>
  6. Connect the device running a working AOPP/AOSP ROM to the host machine via USB.
  7. Make sure it is booted into system and confirm the device is recognized by the host machine:
    (a device should be listed when the command returns)
  8. $ adb devices
  9. Enter the device directory:
  10. $ cd <WORKING_DIR>/device/<vendor>/<device-codename>/
  11. Extract the proprietary binaries from your device:
  12. $ ./extract-files.sh
  13. Return to the root of the build system:
  14. $ croot
  15. Start a build run for your device:
  16. $ brunch <device-name>
  17. Once complete, the ROM zip can be found in the out/ directory:
  18. $ cd /out/target/product/<device-codename>
  19. The flashable ROM zip (product of the build run) will be located in the out/ directory as:
    aopp-0.1-<build-date>-UNOFFICIAL-<device-codename>.zip

Flashing

  1. Download the Recovery image for your device:
    https://twrp.me/Devices
  2. Connect the device to the host machine via USB cable.
  3. Power off the device and boot into the Bootloader:
    Press and hold the Power & Volume-Down buttons
  4. Confirm the device is recognized by the host machine:
    (a device should be listed when the command returns)
  5. $ fastboot devices
  6. Unlock the device:
  7. $ fastboot oem unlock
  8. Once unlocked, flash the Recovery image:
  9. $ fastboot flash recovery <name-of-recovery-image>.img
  10. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
    Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
  11. If prompted, swipe “Swipe to Allow Modifications”.
  12. Once in Recovery, wipe the device:
    Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
  13. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
  14. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)
  15. $ adb devices
  16. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:
    $ adb push <name-of-rom-zip>.zip /sdcard/
  17. On device, tap Install and then select the AOPP ROM zip from /sdcard.
  18. Swipe “Swipe to Confirm Flash”
  19. Once installed, tap “Reboot System”
  20. Hack the Gibson…and remember…hugs are worth more than handshakes

Big Thanks To Team over at PWNIE EXPRESS for making this available to us mere mortals and for all their hard-work. These instructions were originally featured on the website PWNIE EXPRESS

--

--

Matthew J Carter
Matthew J Carter

Written by Matthew J Carter

Entrepreneur and founder with a track record spanning 12 years in various start-ups, and one acquisition.

Responses (1)