Profiling a Redmi before picking a pentest stack
Before scaffolding anything, I wanted the device to tell me what it could actually do. “Set up a pentest lab on the phone” branches into very different repos depending on five or six getprop answers. So I asked.
The device is a Xiaomi Redmi (codename dandelion, model 220233L2G). Here’s what came back over adb:
Android 11 (API 30), MIUI V125
Security patch 2022-07-01
ABI armeabi-v7a (abilist: armeabi-v7a,armeabi)
Kernel 4.19.127, uname -m: armv8l
Hardware mt6762 / mt6765 (MediaTek Helio)
Bootloader ro.boot.flash.locked=0, verifiedbootstate=orange
Root /system/bin/sh: su: inaccessible or not found
SELinux Enforcing
Termux already installed
Five things in that block decide the whole project.
32-bit userspace on a 64-bit kernel. uname -m says armv8l but the ABI list is armeabi-v7a,armeabi — no arm64-v8a. The CPU can run 64-bit, but Android was built 32-bit only. That immediately removes a chunk of modern tooling: a lot of Go-based pentest binaries don’t ship armv7 builds anymore, and the ones that do are often stale. Anything I install via pkg in Termux will be 32-bit, full stop.
MediaTek Wi-Fi chip. mt6762/mt6765. In theory NetHunter is the glamorous answer for a phone-as-pentest-rig — monitor mode, packet injection, the works. In practice MTK chips almost never have working monitor-mode drivers, and chasing a custom kernel for a Helio SoC is a weekend I don’t want to spend. NetHunter is out, not because it can’t be installed but because the part that makes it interesting won’t work.
Bootloader unlocked, no root. flash.locked=0 and verifiedbootstate=orange mean Magisk is on the table whenever I want it — patch a boot.img from matching MIUI firmware and flash via fastboot. But there’s no su today, and I don’t need root for 90% of what a portable lab does. Worth documenting as a path; not worth taking now.
SELinux enforcing, security patch from mid-2022. Enforcing is fine — pentest tooling in userland doesn’t need permissive. The stale patch level is a separate problem (this device shouldn’t hold secrets), not a blocker.
Termux already installed. That settles it.
Given all of the above, the pragmatic stack writes itself: Termux for the native layer, plus proot-distro Kali for anything that wants a real Debian userland. No root required, no kernel work, no fighting MTK drivers. The 32-bit constraint hurts inside proot too, but it hurts equally everywhere on this device, so it’s not a reason to pick something else.
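The getprop-driven decisions above, written down as an added POSIX shell script (not from the post or its repo): it parses a `getprop` dump and reports the same yes/no answers. The dump embedded here is constructed from the values quoted in the post so the script runs offline; on a real device feed it `adb shell getprop` instead. The `mt6*` and `arm64-v8a` tests are my own heuristics, not anything the post defines.

```shell
#!/bin/sh
# Constructed getprop dump mirroring the post's values (not captured from a device).
SAMPLE_DUMP='[ro.build.version.release]: [11]
[ro.build.version.sdk]: [30]
[ro.build.version.security_patch]: [2022-07-01]
[ro.product.cpu.abilist]: [armeabi-v7a,armeabi]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.hardware]: [mt6765]
[ro.product.device]: [dandelion]'

# getp DUMP NAME -> value of property NAME in the "[name]: [value]" format (empty if absent)
getp() { printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"; }

# userspace_bits DUMP -> 64 only if the ABI list offers a 64-bit ABI, else 32
userspace_bits() {
    case "$(getp "$1" ro.product.cpu.abilist)" in
        *arm64-v8a*|*x86_64*) echo 64 ;;
        *) echo 32 ;;
    esac
}

# bootloader_state DUMP -> unlocked if flash.locked=0 or verified boot is orange
bootloader_state() {
    if [ "$(getp "$1" ro.boot.flash.locked)" = 0 ] ||
       [ "$(getp "$1" ro.boot.verifiedbootstate)" = orange ]; then echo unlocked
    else echo locked; fi
}

# soc_vendor DUMP -> mediatek for mt6xxx hardware strings (heuristic), else other
soc_vendor() {
    case "$(getp "$1" ro.hardware)" in mt6*) echo mediatek ;; *) echo other ;; esac
}

# patch_year DUMP -> year of the security patch level, for a staleness check
patch_year() { p=$(getp "$1" ro.build.version.security_patch); echo "${p%%-*}"; }

# recommend DUMP -> stack choice implied by the decisions (MTK rules NetHunter out)
recommend() {
    stack="termux+proot-kali"
    [ "$(soc_vendor "$1")" = mediatek ] || stack="$stack (NetHunter worth evaluating)"
    [ "$(userspace_bits "$1")" = 32 ] && stack="$stack, expect missing armv7 builds"
    [ "$(bootloader_state "$1")" = unlocked ] && stack="$stack, Magisk path available"
    echo "$stack"
}

# profile_device DUMP -> one line per decision
profile_device() {
    echo "userspace=$(userspace_bits "$1")bit bootloader=$(bootloader_state "$1")"
    echo "soc=$(soc_vendor "$1") patch_year=$(patch_year "$1")"
    echo "stack=$(recommend "$1")"
}

profile_device "$SAMPLE_DUMP"
```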
The lesson I keep relearning: don’t pick the stack from the blog post, pick it from getprop. Five minutes of profiling turned “set up a hacking phone” from a vague aspiration into a short list of yes/no decisions, each anchored to a specific line of output. The repo scaffold that came after — Termux bootstrap script, Kali installer, a documented-but-unexecuted Magisk path — is just those decisions written down.
The phone tells you what it is. You just have to ask.