@IMSoley
Forked from hamgravy/dropbearonandroid.md
Created December 17, 2020 09:17
Run an SSH daemon with root console access in Android without rooting

Sometimes you want an Android device on a network. Sometimes that Android device isn't rooted for whatever reason. It's convenient to be able to log into such an Android device's console with root access over the network. Network access can exist over WiFi or Ethernet. There are ssh daemon Android apps out there, but they usually require root. A convenient use-case is logging into your tablet in your backpack under your desk, or on another desk in a remote laboratory.

A great utility for this is dropbear. It's a self-contained binary that implements a stand-alone ssh server with key generation abilities. Once compiled, the binary can be placed on an Android device, will allow the generation of ssh keys and provide root console access over the network.

Get source code and patch it. The patches apply specifically for Android use. Dropbear is obviously suited for most *nix platforms, but Android requires some special modifications.

This is a repository that mirrors the main dropbear repo with the tag that corresponds with the following patches.

git clone https://github.com/mkj/dropbear.git -b DROPBEAR_0.52

The patches you'll need to make it work on Android are floating around the net. Grab these and check the hashes.

https://code.google.com/p/droidsshd/downloads/detail?name=dropbear0.52-android.patch&can=2&q=

sha1sum 107fa045cfd98282f6e69472241f1597b9d9cd9e

https://code.google.com/p/droidsshd/downloads/detail?name=droidsshd.patch&can=2&q=

sha1sum 914c9b43c30ca9ec2f889a24d082e1cc82b615a6

Go to the dropbear source directory and apply the patches.

patch -p1 < dropbear0.52-android.patch
patch -p1 < droidsshd.patch
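
The hash check and the patch step above can be tied together so a patch is only applied after its digest matches. This is an added example, not part of the original gist; the function names and the dry-run step are assumptions of the example, and the hashes in the usage comment are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the original gist): refuse to apply a patch
# unless its SHA-1 matches the value published next to the download link.

# sha1_of FILE: print the lowercase hex SHA-1 digest of FILE.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'   # fallback (assumed present)
    fi
}

# verify_sha1 FILE EXPECTED: return 0 only when the digest matches.
verify_sha1() {
    vf=$1; want=$2
    [ -f "$vf" ] || { echo "missing file: $vf" >&2; return 1; }
    got=$(sha1_of "$vf")
    [ "$got" = "$want" ] && return 0
    echo "SHA-1 mismatch for $vf: got $got, want $want" >&2
    return 1
}

# apply_verified SRC_DIR PATCH EXPECTED: verify, dry-run, then apply.
# Nothing in SRC_DIR is modified unless both earlier steps succeed.
apply_verified() {
    src=$1; pf=$2; want_sum=$3
    verify_sha1 "$pf" "$want_sum" || return 1
    patch -d "$src" -p1 --dry-run < "$pf" >/dev/null || {
        echo "$pf does not apply cleanly to $src" >&2; return 1; }
    patch -d "$src" -p1 < "$pf"
}

# Usage: sh apply_verified.sh SRC_DIR PATCH EXPECTED_SHA1
# With the hashes listed above:
#   . dropbear0.52-android.patch 107fa045cfd98282f6e69472241f1597b9d9cd9e
#   . droidsshd.patch            914c9b43c30ca9ec2f889a24d082e1cc82b615a6
if [ "$#" -eq 3 ]; then
    apply_verified "$1" "$2" "$3"
fi
```

SHA-1 catches a corrupted or substituted download but is no longer collision-resistant, so the check is only as trustworthy as the place the expected hash came from.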

Now we need to cross-compile dropbear. My favorite cross-compile environment is an OpenEmbedded toolchain armhf file system provided by gnuradio: http://gnuradio.org/data/sdk/ It's not as hard as it may look. There is a good walkthrough for setting up the cross-compile environment in a docker container in just a few lines of code: https://github.com/hamgravy/dockerpile

Once the toolchain is installed, source the environment file that is generated.

source /usr/local/oecore-x86_64/environment-setup-armv7ahf-vfp-neon-oe-linux-gnueabi

Now go to the source dir for dropbear, configure and cross-compile...

./configure --host=arm-none-linux-gnueabi \
--disable-zlib \
--disable-largefile \
--disable-loginfunc \
--disable-shadow \
--disable-utmp \
--disable-utmpx \
--disable-wtmp \
--disable-wtmpx \
--disable-pututline \
--disable-pututxline \
--disable-lastlog

export STATIC=1 MULTI=1 SCPPROGRESS=0 PROGRAMS="dropbear dropbearkey scp dbclient"
make strip

Now check to make sure an ARM binary was generated.

file dropbearmulti

Copy the binary file to the Android device using adb. As far as I know, the binary placement is arbitrary.

adb push dropbearmulti /data/dropbear

This file works similarly to busybox: it is a single binary with multiple functions built in. Now make symlinks to access the internal functions.

ln -s dropbearmulti dbclient
ln -s dropbearmulti dropbearkey
ln -s dropbearmulti scp 

Now it's time to generate the host key so that we can connect remotely. Make sure the permissions are appropriate (600, root:root).

dropbearkey -t rsa -f dropbear_rsa_host_key
chmod 600 dropbear_rsa_host_key
chown root:root dropbear_rsa_host_key

Now it's time to generate key pairs. This can be done on either the remote machine using dropbear, or on the Android device.

dropbearkey -t rsa -f /some/dir/id_rsa
dropbearkey -f /some/dir/id_rsa -y > /some/dir/id_rsa.pub

Finally, put the pubkey in an authorized keys file so we can connect using pubkey authentication. Password authentication is not supported.

mkdir /some/dir/.ssh
cat /some/dir/id_rsa.pub > /some/dir/.ssh/authorized_keys
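
The permission requirement on the host key and the contents of the authorized keys file can both be checked before the daemon is started. This is an added example, not part of the original gist; the function names are hypothetical, it assumes a shell with `stat -c` and awk (for example the build host, or a device whose shell provides them), and it assumes the file redirected into id_rsa.pub may carry lines other than the key itself, which it reports.

```shell
#!/bin/sh
# Added example (not from the original gist): pre-flight checks on the key
# material before dropbear is started. Assumes `stat -c` and awk exist.

# check_private FILE [UID:GID]: mode must be exactly 600; the numeric owner
# is compared only when given (0:0 is root:root).
check_private() {
    kf=$1; want_owner=${2:-}
    [ -f "$kf" ] || { echo "missing: $kf" >&2; return 1; }
    mode=$(stat -c '%a' "$kf")
    [ "$mode" = "600" ] || { echo "$kf: mode $mode, want 600" >&2; return 1; }
    [ -z "$want_owner" ] && return 0
    owner=$(stat -c '%u:%g' "$kf")
    [ "$owner" = "$want_owner" ] || {
        echo "$kf: owner $owner, want $want_owner" >&2; return 1; }
}

# check_authorized_keys FILE: every non-blank, non-comment line must be
# "ssh-rsa <base64 blob> [comment]", and at least one key must be present.
# Any other text that ended up in the file is reported by line number.
check_authorized_keys() {
    ak=$1
    [ -f "$ak" ] || { echo "missing: $ak" >&2; return 1; }
    # The blob of an RSA key always starts with the encoded string "ssh-rsa".
    awk -v blob='^AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*$' '
        /^[ \t]*(#|$)/ { next }
        $1 == "ssh-rsa" && $2 ~ blob { good++; next }
        { printf "line %d is not an ssh-rsa public key\n", NR; bad++ }
        END { exit (bad > 0 || good == 0) }
    ' "$ak" >&2
}

# Usage: sh preflight.sh HOST_KEY AUTHORIZED_KEYS
if [ "$#" -eq 2 ]; then
    check_private "$1" 0:0 && check_authorized_keys "$2"
fi
```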

The references below show a way to change the key format to be useful for OpenSSH. This method didn't work for me, so I just used dropbear on my remote x86 machine. Copy the private key to the remote host somehow: copy-pasting from the ADB shell is a good idea, or use adb pull.

adb pull /some/dir/id_rsa /host/dir/id_rsa
chmod 600 /host/dir/id_rsa

On the Android machine, launch the dropbear ssh daemon. Make sure you're root, and make sure you have a networking device that has an IP address.

adb root
adb shell
netcfg eth0 up
netcfg eth0 dhcp
PATH=/some/dir:$PATH 
dropbear -A -N root -U 0 -G 0 -C nothing -R /some/dir/.ssh/authorized_keys -r /some/dir/dropbear_rsa_host_key -p 22 -s
exit

The process will keep running in the background on the Android device. Install dropbear on the remote host if it isn't present. Make a note of the IP address the Android device obtained using netcfg in the previous step (10.1.1.12 is used as an example).

apt-get install dropbear
dbclient -y -i /host/dir/id_rsa 10.1.1.12

You should now have a shell on the Android device from the remote host.

References:

https://code.google.com/p/droidsshd/wiki/BuildingDropbear
http://jblomer.web.cern.ch/jblomer/android.htm
https://github.com/mkj/dropbear
http://cri.ch/sven/doku.php/blog/running-dropbear-on-android
https://github.com/hamgravy/dockerpile
https://gnuradio.org/data/sdk
