The makers of backtrack Linux have released a version of the distro which is built for ARM processors. This means that backtrack, a full Linux distribution, sort of an Ubuntu pentester’s spin, will run on mobile devices. This does not however mean its a simple manner. Backtrack’s website has a downloadable image built to run on the Motorola Xoom. However its not exactly plug and play.

I used some directions I found online to get backtrack running on my old Droid Incredible, but it was painfully slow, and pretty muck unusable. Now I have two devices at my disposal which could be more up to the task. First is my new Droid 4. Second is my Asus eeePad Transformer.


For me? It’s just cool. I’m not a pentester, but I am a pretty skilled linux guru. I know a few pentesters, and this could come in handy for them. My skills could help them out. Besides, I want to see if I can do it. 😛

What is backtrack

So, Backtrack Linux is essentially ubuntu, with a ton of Penetration Testing and exploit tools added in. This is useful for guys who live and breathe IT Security. Have a look at Backtrack’s web site for more information about backtrack.

How does this work?

Familiar with chroot? It’s essentually a method of locking a user into a container in a linux system. It’s used for many security reasons. Think about it. Locking the user a service runs as into its own little container. This means that if an attacker breaks into that service, he only has access to what that service has access to. It’s also great for building and testing systems because you can create a file system in a directory, and then chroot into that directory, and then move around as if you were booted into that system. You could, for example, copy an ubuntu system into a disk image, or a directory structure inside of your Fedora system. Then chroot into the ubuntu install’s directory, and then, effectively, work in the ubuntu environment. It’s not identical to actually booting the ubuntu system. In fact you’d be running the Fedora kernel, it would just feel like the ubuntu system, if you did it right. Well this is exactly how Backtrack can be run inside of Android. Android runs a LInux kernel, just like Backtrack. So you get things into the right place, and get permissions the right way, and then chroot. Bang, there you are, Backtrack. X is handled via VNC.

Skip the details?

If you’re not interested in HOW I did this, and would just like to get the finished product, skip to the “The Quick And Dirty” heading at the bottom of this post.

Get the Backtrack Image

So, the first step is to go get Backtrack ARM. Go to Backtrack’s Downloads page, and get the Backtrack 5 for ARM image. I used Backtrack 5, the Torrent version. This download went amazingly fast. about 10 minutes for a gig 7z file. I wont go into talking about the days of 10 minutes for one mb, that’s off topic.

File size limitations

The Droid 4 uses vfat to store data on its sdcard. Or, at least thats the format that MY sd card is (and I had the Droid 4 format it..). Now, from what i’ve read, and what i’ve seen in practice, vfat supports a maximum file size of 2gb. However, the Droid 4 seems to happily charge through that boundary, but die at 4gb. The backtrack image is 5.1gb.

There’s a few options to get around this. One could be to build a new, smaller image, another could be to split the current image. I mounted the full image on a linux workstation, and had a look at where the space was going.

First, it’s not using the full 5 gb. So making a new sub 4gb image is possible.

[me@myworkstation mnt]$ df -h
Filesystem                              Size  Used Avail Use% Mounted on
/dev/loop0                              4.9G  2.6G  2.0G  57% /home/me/Projects/btandroid/mnt

Second, /usr is the pig.

[me@myworkstation mnt]$ sudo du -h --max-depth=1
249M	./opt
200K	./srv
4.0K	./sys
16K	./lost+found
4.0K	./media
4.0K	./home
8.6M	./sbin
4.6M	./root
4.0K	./mnt
140M	./var
12K	./dev
1.9M	./boot
4.0K	./proc
14M	./etc
1.7G	./usr
216K	./share
83M	./lib
6.3M	./bin
77M	./pentest
349M	./tmp
4.0K	./selinux
2.6G	.

So, you could make a new image, and duplicate the data from the 5gb image to a less than 4gb image. Or, you could do what I did. Split /usr and / into their own images. I ended up with a 3gb /usr, and a 2gb /. If you dont know how that’s done, here’s a quick rundown.

[me@myworkstation tmp]$ dd if=/dev/zero of=./bt_root.img bs=1024 count=2000000
2000000+0 records in
2000000+0 records out
2048000000 bytes (2.0 GB) copied, 27.4198 s, 74.7 MB/s
[me@myworkstation tmp]$ dd if=/dev/zero of=./bt_usr.img bs=1024 count=3000000
3000000+0 records in
3000000+0 records out
3072000000 bytes (3.1 GB) copied, 53.8706 s, 57.0 MB/s
[me@myworkstation tmp]$ mkfs.ext3 ./bt_root.img 
mke2fs 1.41.14 (22-Dec-2010)
./bt_root.img is not a block special device.
Proceed anyway? (y,n) y


[me@myworkstation tmp]$ mkfs.ext3 ./bt_usr.img 
mke2fs 1.41.14 (22-Dec-2010)
./bt_usr.img is not a block special device.
Proceed anyway? (y,n) y


[me@myworkstation tmp]$ mkdir bt
[me@myworkstation tmp]$ mkdir bt_s
[me@myworkstation tmp]$ sudo mount -o loop ../bt5.img ./bt
[me@myworkstation tmp]$ sudo mount -o loop bt_root.img ./bt_s
[me@myworkstation tmp]$ mkdir ./bt_s/usr
[me@myworkstation tmp]$ sudo mount -o loop bt_usr.img ./bt_s/usr/
[me@myworkstation tmp]$ sudo rsync -r --links bt/ bt_s

You’ll get a lot of “Skipping non-regular file” warnings from rsync. This is mostly special device files and whatnot, that get replaced with actual working dev files after you mount bt on android.

Now just umount everything.

[me@myworkstation tmp]$ sudo umount bt_s/usr bt_s bt


Now, because you’re on an android device, and the manufacturer doesn’t trust you (even though you paid for the device, and you “own” it….) you don’t have permission to actually do much beyond USE the Droid 4. At this point, you need root. Root exploits are pretty common. The Droid 4 was rooted the day it was released. For this to work, you just need root, and busybox. I gained it by using a nice one-click method that rooted the phone, and installed busybox. Root at your own risk, and in your own way. I won’t presume to tell you what the “best” way to do this is. When i wrote this, there weren’t many options out there.

Get all of this on to the phone

There are three essential files you need to boot backtrack. The “bootbt” script, and the two images I just showed you how to create. Get them on to the phone. I placed them on my sdcard, in a folder called “bt”. This translates to /mnt/sdcard-ext/bt on the phone. Put them wherever you please, just note that you’ll need to change bootbt to the new path if you do with a location other than /mnt/sdcard-ext/bt. If you dont have an sd card, use /mnt/sdcard (which is internal memory, regardless of what the mount point says).

bootbt script

The Backtrack image came with a “bootbt” shell script. This is written for the Motorola Xoom. It needs some modification in order to work on the Droid 4.

Here’s what I ended up with:

[me@myworkstation tmp]$ adb shell cat /mnt/sdcard-ext/bt/bootbt
perm=$(id|cut -b 5)

if [ "$perm" != "0" ];then echo "This Script Needs Root! Type : su";exit;fi

#mount -o remount,rw /dev/block/system /system
export kit=/sdcard-ext/bt
export bin=/system/bin
export mnt=/data/local/mnt
if [ ! -d "$mnt" ];then
  mkdir -p $mnt
export PATH=$bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/local/sbin:/usr/games:$PATH
export TERM=linux
export HOME=/root
export USER=root
if [ -b /dev/block/loop254 ]; then
  echo "Loop254 device exists"
  busybox mknod /dev/block/loop254 b 7 254
if [ -b /dev/block/loop253 ]; then     
  echo "Loop254 device exists"  
  busybox mknod /dev/block/loop253 b 7 253    

/sbin/losetup /dev/block/loop254 $kit/bt_root.img
/sbin/losetup /dev/block/loop253 $kit/bt_usr.img

mount -t ext3 /dev/block/loop254 $mnt
mount -t ext3 /dev/block/loop253 $mnt/usr

mount -o bind /dev/pts $mnt/dev/pts
mount -o bind /proc $mnt/proc
mount -o bind /sys $mnt/sys

sysctl -w net.ipv4.ip_forward=1
echo "Setting /etc/resolv.conf to Google Open DNS and"
echo "nameserver" > $mnt/etc/resolv.conf
echo "nameserver" >> $mnt/etc/resolv.conf
echo " localhost" > $mnt/etc/hosts

busybox chroot $mnt /bin/bash

echo "Shutting down BackTrack ARM For Droid 4"
umount $mnt/dev/pts
umount $mnt/proc 
umount $mnt/sys
umount $mnt/usr 
umount $mnt

I could step through the whole thing with you, but i’ll keep this brief. The script sets up some environment. Then it checks for two loop devices, creates them if they’re not there already. Then it mounts my images on /data/local/mnt and /data/local/mnt/usr. And the binds the host’s proc, sys, and dev/pts to the Backtrack locations for such.

Then it chroots you into Backtrack! It looks something like this:

[me@myworkstation tmp]$ adb shell
shell@cdma_maserati:/$ su
root@cdma_maserati:/# cd /mnt/sdcard-ext/bt
root@cdma_maserati:/mnt/sdcard-ext/bt# sh ./bootbt
Loop254 device exists
Loop254 device exists
net.ipv4.ip_forward = 1
Setting /etc/resolv.conf to Google Open DNS and
groups: cannot find name for group ID 1003
groups: cannot find name for group ID 1004
groups: cannot find name for group ID 1007
groups: cannot find name for group ID 1009
groups: cannot find name for group ID 1011
groups: cannot find name for group ID 1015
groups: cannot find name for group ID 3001
groups: cannot find name for group ID 3002
groups: cannot find name for group ID 3003
root@localhost:/# exit    --- Here's backtrack!
Shutting down BackTrack ARM For Droid 4
root@cdma_maserati:/mnt/sdcard-ext/bt# exit
shell@cdma_maserati:/$ exit
[me@myworkstation tmp]$ 

The script does its best to clean up after you exit (umounting all of the things we mounted), but it’s best to reboot after you exit, just so you’re sure it’s clean.


You thought that getting Backtrack running was it? Nooooo There’s more! You get X too! X is handled by VNC. You basically start up a vnc server inside of BT, and then connect to it using a VNC client on the phone. So, here goes.

You’ll need a terminal emulator on the phone. I use Better Terminal Emulator. Fire up your terminal, and execute the bootbt script. You’ll do this by opening the terminal, using su to get root, then cd to /path/to/bt, and then sh bootbt. Once you have the BT prompt, run “startvnc”. This will start up the vnc server. Now hit your Home button (without exiting backtrack, or your terminal). Now fire up your vnc app. I use Android-vnc. Connect to on port 5901. The default password is toortoor. You can reset this with vncpasswd. Make sure you select a color depth that’s to your liking. I use 24 bit. Why not, right? That’s it, you’re in! Use bt!

Something you may want to tweak, is the screen resolution of the vnc session. This is done in the startvnc script. The Droid 4’s screen is 960 x 560 pixels.

The script is located in /usr/bin/

root@localhost:/# cat /usr/bin/startvnc
rm -rf /tmp/.X1*
vncserver -geometry 960x560 

Stopping vnc is as easy as dropping back to your terminal, and running “stopvnc”.

Then just exit bt by typing exit. As stated, it’s a good idea to reboot after exiting, unless you’re planning on starting bt right back up again.

The quick and dirty

So, as promised, here’s the overall procedure. We’ll call it a recap.

Get the images here: add link here

Get Root, and Busybox (you’re on your own).

Get a terminal emulator, and a vnc client for your phone. (Check the market, see above for my preferred apps).

Extract the bt archive, and put the “bt” directory on your phone. Somewhere like /mnt/sdcard, or /mnt/sdcard-ext is preferable.

Now edit the bootbt script so that the “kit” variable points to the location of the bt folder.

export $kit=/mnt/sdcard-ext/bt

Run bootbt, as root.

shell@cdma_maserati:/$ su
root@cdma_maserati:/# cd /mnt/sdcard-ext/bt
root@cdma_maserati:/mnt/sdcard-ext/bt# sh ./bootbt

From within bt, use “startvnc” to start up X, in a vnc session.

Use your VNC app to connect to: password toortoor (unless you changed it).

When you’re done, exit bt from your terminal, and then reboot the phone for proper cleanup.

And, Here it is: