We are going to be covering how to install Kali NetHunter on a OnePlus One. This guide will use Kali Linux (as the host), a USB cable (to connect), TWRP (for recovery), Magisk (for root access) and LineageOS (Android 11, for the ROM).

At a higher level, the stages are:

• Configure host (Install packages)
• Configure device (Set options in developer settings)
• Unlock the bootloader (Allow write in bootloader)
• Flash recovery ROM (Install TWRP)
• Flash system ROM (Install LineageOS)
• Root device (Install Magisk)
• Install Kali NetHunter

System mode -> Enable developer settings -> Enable debugging/advance power menu + disable update recovery -> Unlock bootloader -> Boot to bootloader -> Replace recovery -> Boot to recovery -> Replace ROM -> Install Magisk -> Install Kali NetHunter -> Boot to system mode -> Update & Configure -> Done!

Preparing the host is straight forward as we are using Linux (Kali Linux) on a laptop/desktop - the steps to cover Windows/macOS/another Android device are not in this guide.

We are also opting for the straight forward method of using a USB cable, rather than networking (allowing for remote Wi-Fi access).

Getting the device, OnePlus One, ready is a little more work. Depending on the circumstances, it is possible to install Kali NetHunter without losing any data (or settings) on the device. However, this guide is NOT that. It will be making the assumption that all data will be lost, thus a backup needs to be done before continuing.

We are also going to revert the device back to the default ROM (CyanogenMod 11S) and configurations, losing any alterations previously applied (aka “stock”).

Besides the normal booting of an Android device (this is called “system”), depending on the manufacturer, it may have at least another two maintenance modes - recovery and bootloader/fastboot mode. There are other modes, such as Download/Odin, but they are most commonly found on Samsung or LG devices.

It is possible to access the OnePlus One maintenance modes by pressing keys during start up (Power + Volume Down + = Recovery, Power + Volume Up = bootloader).

These maintenance modes give us the ability to replace recovery and system ROMs with custom options.

By getting into the bootloader, we are able to get more lower level access over the device. When the bootloader is unlocked, it gives us write access to the partitions, so we can now install a different recovery option by completely replacing the recovery partition on the device. ROM/Stock recoveries, like CyanogenMod, LineageOS and OxygenOS, often do not give as much flexibility in their features/options, such as allowing us to disable certain checks or wiping all partitions, which custom recovery’s do (like TeamWin Recovery Project (TWRP) or OrangeFox). This is due to the fact that most stock recoveries are designed with the idea of recovering their ROM and being as simple and stable to use as possible - they do not require the advance power user features. Whilst the bootloader allows for low level access to the device, its functionally is simple (as that’s how its designed to be). For more complicated maintenance tasks, using recovery mode is required.

Using recovery mode allows for a “factory reset”, which wipes everything that is writable by a normal user (/data & /cache partitions, and clears the RAM). Depending on the recovery mode, you may also be able to wipe the /media & /system partitions. It is also possible to install/apply/run updates/packages/scripts using sideloading via adb/USB, or the internal/SDcard storage (such as Kali NetHunter!). This is also how we can upgrade/downgrade our Android version by flashing another ROM. Depending on LineageOS recovery mode version, it may also be able to enable adb and view logs.

However, using a TWRP recovery mode, you can:

• Do everything that LineageOS recovery mode offers
• Installing/applying/running
  • Enable/disable various signature checks when installing/applying
  • Queue up multiple updates to be installed at once
• Partitions
  • Get overview of partition usage
• Format any partition
• Repair/resize partitions
• Change partitions file system
• Backup and restore partitions (aka complete device backup)
• Mount any partition
• Terminal & file manager access

Inside of the bootloader, it is possible to replace partition(s) using a binary image(s), giving a direct 1:1 copy, however, it lacks the the ability to be dynamic by running pre/post tasks scripts.

As Kali NetHunter is not a ROM but an “add-on", it takes full advantage of this. Kali NetHunter is a series/bundle of apps and scripts to alter the device into a certain state. Because of this, we need to match the Kali NetHunter kernel, to the Android system ROM kernel and version that is installed on the device.

Here we can now flash ROMs, either system or recovery. By flashing custom ROMs, we can upgrade our Android version to a newer version or do a revert back to stock default (which is different to a factory wipe).

Upon doing various testing at this stage, depending on the desired ROM/Android version, may require multiple flashing steps to jump/hop each upgrade. It may not be possible to jump too far ahead in versions. Example:

--------------------    ----------------------    ------------------    ---------------------
  CyanogenMod 11.0   ->    CyanogenMod 12.1    ->   LineageOS 17.1   ->    LineageOS 18.1
(Android 4 "KitKat")    (Android 5 "Lollipop")    (Android 10 "Ten")    (Android 11 "Eleven")
--------------------    ----------------------    ------------------    ---------------------

Breaking this down a bit, our flash path could be:

• Using bootloader, we can flash CyanogenMod 11.0 (CM 11)
• Then using recovery we can either:
  • Flash CM 12.1.x OR 13.1.x
  • Flash CM 13.0 OR 14.1, but would require us to wipe the /data partition before we are able to flash
• Afterwards, able to flash LineageOS 17.1 (LOS 17.1)
• Finally, flash LOS 18.1, but it requires us to wipe the /data partition before we reboot

There is an element of trial and error here. Best of luck!

From here, we can then aim to get superuser access (aka “root”), which would previously be locked away in Android, and just like in Linux, this is the highest level of privilege. We now have complete freedom and control over the device. There has been various different solutions with the aim of getting root, such as SuperSU, APatch, KernelSU or Magisk.

This means we are finally are in a place to start to install Kali NetHunter on the device! We can do this either from recovery mode (via TWRP) or system mode (via Magisk).

Once Kali NetHunter is on the device, we can use the new app store to make sure everything is up-to-date and then run the main NetHunter app to complete the first time setup.

• cm-11.0-XNPH44S-bacon-signed-fastboot.zip
  • SHA256: 249bf098bb2b9ea187691c5b9f6b11084071ab7a0997f38921370bfbb03ad80f
• cm-13.1.2-ZNH2KAS3P0-bacon-signed-8502142fdc.zip
  • SHA256: 53f0e58953e630e167aef100dc120d7c85a2ca779b67dfdb26f02b53547e2638
• lineage-17.1-20210325-nightly-bacon-signed.zip
  • SHA256: 50d9b2a4a60b110c6f9c7b602e13ae23a85d6036352fbc877f72fec512f4682b
• lineage-18.1-20240306-nightly-bacon-signed.zip
  • SHA256: d19c26cee2e2b664dc4a84378eb92c9ced986fcba0a8e926d93e247aaa673723
• Magisk-v27.0.apk
  • SHA256: f511bd33d3242911d05b0939f910a3133ef2ba0e0ff1e098128f9f3cd0c16610
• Magisk-v28.0.apk
  • SHA256: 1b1eebac29f8ab1a41e5f20bbdceefb3341e93bc3d55a0f995c902b0fe877fe2
• twrp-3.6.2_9-0-bacon.img
  • SHA256: 1b165d6feee41e705e5fc3d208762aba6fac400fb61f12fd0ae54ced0642acc8
• nethunter-*-oneplus1-eleven-kalifs-full.zip

The first thing is to install packages on our host (Kali Linux) in order to communicate and interact with the mobile device (OnePlus One) when in various different states. We will be using Android Debug Bridge (ADB) and fastboot. This is because:

• adb lets you connect directly to your Android device and and perform a variety of operations when in recovery or system (aka “default normal operation”)
• fastboot lets you install (flash) Android and interact with the device’s bootloader

kali@kali:~$ sudo apt update
[...]
kali@kali:~$ sudo apt install --yes adb fastboot
[...]
kali@kali:~$

Using developer options is not a hard requirement, but is highly recommended.

Next on the OnePlus One, we can:

• Allow the host to communicate with the device, which is done by enabling “Android debugging”
• Easier accesses the device’s maintenance modes, which is done by enabling “Advanced restart”
• Stop Android updates from reverting recovery back to stock, which is done by disabling “Update recovery”
  • Failing to-do this may result in TWRP not being able to install

For developer options to be visible:

• Settings -> About phone -> Build number: Press/tap 7 times

Afterwards, go into the Developer options, which depending on the Android version:

• Settings -> Developer options (Android 8 “Oreo”/LineageOS 15 or lower)
• Settings -> System -> Advanced -> Developer options (Android 9 “Pie”/LineageOS 16 or higher)

Then either scroll down or search for:

• Android debugging: Enable
  • Android 11 “Eleven”/LineageOS 18, this has been renamed to “USB Debugging”
• Advanced restart: Enable
  • Android 11 “Eleven”/LineageOS 18, this has been moved to: Settings -> System -> Advanced -> Gestures -> Power menu -> Advance restart
• Update recovery: Disable
  • Android 11 “Eleven”/LineageOS 18, this has been moved to: Settings -> System -> Updater -> Preferences -> Update recovery

If there is already a USB cable attached to the device, you may be prompted to trust the RSA key fingerprint.

If you haven’t already attached the USB cable from the host to the device, go ahead now. Since enabling Android debugging, as soon as the host tries to communicate with the device for the first time, you will then be prompted to allow the connected device to interact with the device. You will need to trust the RSA key fingerprint. You may want to always trust it to stop being repeatedly asked.

Afterwards, we should be able to communicate with the device. Starting with adb, as the device should be normal/system operational state, we will check to see what devices we can see:

kali@kali:~$ adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
dea044c9    device

kali@kali:~$

We can see there is a device attached, which has the serial number of dea044c9.

The first time running in hosts/Kali’s session, the daemon should start up.

Next we want to put the device into bootloader mode, as this allows us to unlock the device, with the end result being more control and freedom (such as write access to be able to flash ROMs). We can now reboot either using the new power options menu (press and hold the power button -> tap restart -> bootloader) or run:

kali@kali:~$ adb reboot bootloader
kali@kali:~$

The device should now restart and say “Fastboot Mode” on the screen.

Making sure we can still interact, we can check with fastboot, as we are now in the bootloader:

kali@kali:~$ fastboot devices
dea044c9     fastboot

kali@kali:~$

Great! A valid response and got the same device serial number.

Let’s now check the status of the device:

kali@kali:~$ fastboot oem device-info
(bootloader)     Device tampered: false
(bootloader)     Device unlocked: false
(bootloader)     Charger screen enabled: false
(bootloader)     Display panel:
OKAY [  0.005s]
Finished. Total time: 0.005s

kali@kali:~$

We can see the device’s bootloader is “locked”. We need to unlock it, which will give us write access to partitions, in order to flash a different ROM.

To unlock the bootloader, we can issue:

kali@kali:~$ fastboot oem unlock
OKAY [  0.022s]
Finished. Total time: 0.022s

kali@kali:~$

Depending on the device state, ROM and version, it may:

• Reboot into recovery mode
• Reboot back into normal/system operational state - if the device was previously locked and without TWRP recovery
• Nothing - such as if the device was already unlocked and you re-ran the same command

During testing, we had more success using fastboot image as a starting point, doing a complete re-image of the device (not to be confused with factory reset). This meant every partition was changed. This may be overkill for some people, however as a result it means the steps are repeatable and consistent, therefore reliable and stable.

Regardless of the current Android version, thanks to fastboot images we are going downgrade to shipped ROM. At the same time, going to flash TWRP recovery (v3.6.0_9-0) rather than using CyanogenMod’s recovery.

Turn off the device, and remove any USB cables. Turn on the device by pressing & holding power and + volume up. When the screen turns on and device vibrates, let go. It should shortly show “fastboot mode” on the screen. Re-attach the USB cable back in and run the following commands:

kali@kali:~$ mkdir -pv cm/ && cd cm/ && unzip ../cm-11.0-XNPH44S-bacon-signed-fastboot.zip
kali@kali:~/cm$ fastboot oem unlock
kali@kali:~/cm$ fastboot flash modem NON-HLOS.bin
kali@kali:~/cm$ fastboot flash sbl1 sbl1.mbn
kali@kali:~/cm$ fastboot flash dbi sdi.mbn
kali@kali:~/cm$ fastboot flash aboot emmc_appsboot.mbn
kali@kali:~/cm$ fastboot flash rpm rpm.mbn
kali@kali:~/cm$ fastboot flash tz tz.mbn
kali@kali:~/cm$ fastboot flash LOGO logo.bin
kali@kali:~/cm$ fastboot flash oppostanvbk static_nvbk.bin
kali@kali:~/cm$ #fastboot flash recovery recovery.img
kali@kali:~/cm$ fastboot flash system system.img
kali@kali:~/cm$ fastboot flash boot boot.img
kali@kali:~/cm$ fastboot flash cache cache.img
kali@kali:~/cm$ #fastboot flash userdata userdata.img      # OnePlus One 16GB
kali@kali:~/cm$ fastboot flash userdata userdata_64G.img   # OnePlus One 64GB
kali@kali:~/cm$ cd ../ && rm -rf cm/
kali@kali:~$
kali@kali:~$ fastboot flash recovery twrp-3.6.2_9-0-bacon.img
kali@kali:~$
kali@kali:~$ fastboot boot twrp-3.6.2_9-0-bacon.img

Note, we have the 64GB OnePlus One model, toggle comments if doing 16GB device!

If everything went well, you should shortly see TWRP splash screen:

kali@bdesktop:~$ adb devices
List of devices attached
dea044c9  recovery

kali@bdesktop:~$

The plan is to go from CM 11 to CM 13.1.2 to LOS 17.1 to finally LOS 18.1 (Android 4.4.4 “KitKat” -> Android 6 “Marshmallow” -> Android 10 “Ten” -> Android 11 “eleven”).

During testing, it was found that when LOS 18.1 required /data to be wiped, otherwise after the first time installation wizard completed, the phone would become unresponsive (only the power button worked, screen would be on but black, like a crashed app, and phone would vibrate, but no actions taken). The ordering of flashing LOS 18.1 and wiping /data does not matter, as long as its done before the device is restarted.

Using TWRP, by default it will have ABD enabled (unlike CyanogenMod/LineageOS recovery), so we can straight away start to upload (aka push) files to the device! After uploading the files, we can use the screen and tap away, or we can stick to command line:

kali@kali:~$ adb push cm-13.1.2-ZNH2KAS3P0-bacon-signed-8502142fdc.zip /sdcard/Download/cm-13.1.2.zip; adb shell 'twrp install /sdcard/Download/cm-13.1.2.zip'
kali@kali:~$
kali@kali:~$ adb push lineage-17.1-20210325-nightly-bacon-signed.zip /sdcard/Download/los-17.1.zip; adb shell 'twrp install /sdcard/Download/los-17.1.zip'
kali@kali:~$
kali@kali:~$ adb push lineage-18.1-20240306-nightly-bacon-signed.zip /sdcard/Download/los-18.1.zip; adb shell 'twrp install /sdcard/Download/los-18.1.zip'
kali@kali:~$ adb shell 'twrp wipe data'    # Alt: adb shell 'twrp format data'
kali@kali:~$
kali@kali:~$ adb reboot

Note, we did not need to reboot in-between flashing/upgrades.

After the device restarts, apps will start to be optimized again. Once complete, the first time installation wizard will be shown. After answering the wizards questions, we are back in Android and see the launcher (aka home screen).

The last thing before installing Kali NetHunter, we need to be able to get root access on the device. In order to-do this, we will be using Magisk. Magisk can be installed by either using recovery/TWRP or installing via adb (developer settings). Both methods have their advantages and disadvantages; adb will require us to enable developer settings once again as well as generate an image file to be flashed, however recovery/TWRP will require Internet access on the device. Note: At the time of writing, v28 is the latest stable version. Using adb its possible to install any version, but in our testing via recovery/TWRP was failing to install v28 - needed to be v27.

Once developer settings are enabled again, also enable Android debugging for adb to work and accept the RSA key fingerprint. Then after downloading Magisk on the host, its possible to install via:

kali@kali:~$ wget 'https://github.com/topjohnwu/Magisk/releases/download/v28.0/Magisk-v28.0.apk'
[...]
kali@kali:~$ adb install Magisk-v28.0.apk
Performing Streamed Install
Success
kali@kali:~$

This will upload and install Magisk to the device.

After tapping on the Magisk app for the first time, it should prompt you to patch your boot image.

The only option should be “Select and Patch a File”.

Locate the same ROM used (Download -> los-18.1.zip).

Then tap on “Let’s Go”

Magisk will then generate a magisk_patched-*.img in the same directory.

Reboot into recovery and we can use TWRP to install.

kali@kali:~$ adb reboot recovery

Install -> Install Image -> /sdcard/Download/: magisk_patched-*.img -> Boot -> Swipe to confirm Flash -> Reboot System

Note, Can’t use CLI to install a image (only zip)

When the device is back up, we are now in a place to finally install Kali NetHunter!

After booting into recovery mode, using adb & twrp we can manually upload then install it:

kali@kali:~$ wget 'https://github.com/topjohnwu/Magisk/releases/download/v27.0/Magisk-v27.0.apk'
[...]
kali@kali:~$ adb push Magisk-v27.0.apk /sdcard/Download/Magisk-27.apk
Magisk-v27.0.apk: 1 file pushed, 0 skipped. 7.1 MB/s (12498796 bytes in 1.680s)
kali@kali:~$
kali@kali:~$ adb shell 'twrp install /sdcard/Download/Magisk-27.apk'
Installing zip file '/sdcard/Download/Magisk-27.apk'
Unmounting System...
***********************
 Magisk 27.0 Installer
***********************
- Mounting /system
- Device is system-as-root
- Legacy SAR, force kernel to load rootfs
- No vbmeta partition, patch vbmeta in boot image
- System-as-root, keep dm-verity
- Target image: /dev/block/mmcblk0p7
- Device platform: armeabi-v7a
- Constructing environment
- Adding addon.d survival script
- Unpacking boot image
- Checking ramdisk status
- Stock boot image detected
- Patching ramdisk
- Repacking boot image
- Flashing new boot image
- Unmounting partitions
- Done
Done processing script file
kali@kali:~$
kali@kali:~$ adb reboot

Upon the device booting back into system, when the app is run for the first time, it will request to download the rest of the required data from the Internet.

Notice how the icon currenly is the stock Android.

When its pulled the external data, it will then prompt before installing/upgrading.

After tapping on the Magisk app for the first time, it should prompt you to patch your boot image - which can now be done all inside of the Magisk app.

Give the app the necessary permissions, select “Direct Install (Recommended)” and wait. After it is complete, the reboot button will show up. Final step is to tab Reboot.

When the device is back up, we are now in a place to finally install Kali NetHunter!

Installing Kali NetHunter can currently be done two in ways:

• Recovery/TWRP
• Magisk via Modules

Again, both methods have their advantages and disadvantages; Recovery/TWRP has been around for longer, is more mature, but requires rebooting the device. Magisk is the newer method, easier, but does not (yet) support installing everything!

Either method, you will need to download a pre-created image, or build one yourself (it is simple to-do!).

Note, the Kali NetHunter Android version needs to match the same ROM and version as what is on the device!

Install via Recovery/TWRP

After booting into recovery mode (either by advance power menu or button combinations):

kali@kali:~$ adb push nethunter-*-oneplus1-los-eleven-kalifs-full.zip /sdcard/Download/nh-11.zip; adb shell 'twrp install /sdcard/Download/nh-11.zip'
[...]
kali@kali:~$ adb reboot

Install via Magisk

Kali NetHunter can be either uploaded by using adb or downloaded on the device itself.

In system mode:

kali@kali:~$ adb push nethunter-*-oneplus1-los-eleven-kalifs-full.zip /sdcard/Download/nh-11.zip

Then, start up Magisk. Tap on Modules -> Install from storage -> hamburger icon (3 lines) -> Downloads -> nh-11.zip -> Ok -> Reboot

Upon rebooting the device, you should see:

• A new boot animation
• The home screen has a new wallpaper
• Various new apps!

Updating via NetHunter Store

Using the NetHunter Store, its possible to check and update the NetHunter app.

Its recommended to check to see if there has been an update and if so, upgrade!

NetHunter App

Upon opening the NetHunter app for the first time, you will have a permissions requests - Root Access (Magisk)

Afterwards, if there is an included filesystem/rootfs/chroot in the Kali NetHunter image that was installed, it will extract it (do not worry if not, it can be installed afterwards!)

That’s it!

Done!

Feel free to delete everything/anything in /sdcard/Downloads/ that we have uploaded.

You may want to look into flashing some Open GApps.

Remember the OnePlus One is a ARM platform (not ARM64):

kali@kali:~$ adb shell
bacon:/ $ getprop ro.product.cpu.abi
armeabi-v7a
bacon:/ $