Posts Tagged - tutorial

Extracting Android Factory Images on macOS

There seem to be a plethora of tutorials for how to extract factory images on Linux and Windows without much crossover into macOS.

Thankfully, the method for extracting a factory image on macOS so we can peruse the filesystem is really similar to Linux. The problem is, we need some way to mount the extracted image to an extended filesystem. macOS doesn’t support this out of the box, so we’ll use OSXFuse to make it happen.

FUSE implements a mechanism that makes it possible to implement a fully functional file system in a user-space program on macOS.

Now, in order to access ext4, we’ll also need an ext4 implementation for macOS Fuse (aptly named, ext4fuse).

This is a read-only implementation of ext4 for FUSE. The main reason this exists is to be able to read linux partitions from OSX.

If you’re curious about ext4 vs ext3 vs ext2 Linux file systems, take a look at this handy summary.

Finally, in order to extract the image file (before mounting it with OSX Fuse), we’re going to use imgtool. In many Linux tutorials you’ll see references to simg2img; this replaces that for macOS (although a Linux binary exists as well).

Think of it as the inverse of mkbootimg (from the AOSP), coupled with simg2img (the sparse image extractor). Another bonus feature it provides is unpacking the Linux bzimage kernels.

It was developed by the legendary Jonathan Levin. He is brilliant.


Download whatever image file you want to extract. Google makes theirs readily available here. I’ll be using “taimen” for Pixel2 XL for this tutorial. Unzip the downloaded image file, navigate within that unzipped directory, and unzip the inner directory (in this example, named ) as well. We want to get to the system.img file within that second zipped directory.

Download imgtool and unpack the .tgz:

tar -xvzf <imgtool.tgz path> -C /path/where/to/extract

Then, navigate to the directory where imgtool was unzipped where you’ll see a bunch of fun C files.

We’re going to use imgtool on the image file downloaded from Google (or wherever yours is from). I like using a split-screen in iTerm so I don’t forget where my image lives.

Extract the image file with imgtool:

./imgtool <path-to-factory-image>/system.img extract

You should now see a new directory within imgtool called “extracted”: imgtool/extracted/image.img Within this directory is a new image file. This is the image you’ll mount in order to access the filesystem.

Install OSXFuse:

brew cask install osxfuse

Restart your computer. Painful, I know.

Install ext4fuse:

brew install ext4fuse

Create a directory to hold the mounted image: sudo mkdir /Volumes/Linux

Mount the extracted image to that directory:

sudo ext4fuse ../imgtool/extracted/image.img /Volumes/Linux -o allow_other

Including the allow_other option is really important here: it allows users other than the superuser account to access the filesystem.

Navigate to /Volumes/Linux and you should be able to see the system dump!

When you’re done working with the mounted image, you won’t be able to just delete the directory you’ve created. You’ll have to unmount it:

diskutil unmount /Volumes/Linux

Do you have another way of extracting image files in macOS? Would love to hear what your approach is! Leave a comment below.

Read More

Painless VPN Set-up on Kali Linux

If you follow me on Instagram or Twitter, you know that I love the command line and use a dedicated Thinkpad T420 as my “hacking machine”. While I’m new to Kali, I’ve been a Linux user for a while — dating back to my first-year of university in 2007. I have a pretty strong love-hate relationship with Linux. While I mostly love Linux distros and would gladly use one as my primary work OS, troubleshooting hardware issues between Ubuntu and Apple hardware has caused me some grief in the past.

But I digress.

For a network security course I’m taking, we needed to play around with Nmap and a lab network set-up by our professor at Ryerson. I’ve used many a VPN before, but not with Linux and certainly not with Kali. I kind of expected a GUI like I’ve had in the past with OSX or Windows, and while I’ve realized that you *can *access one:

    sudo apt-get install network-manager-openvpn
    sudo apt-get install network-manager-openvpn-gnome

the CLI is much easier to work with and likely already installed for you.

It’s a pretty painless process, but finding some kind of set-up tutorial online proved surprisingly difficult.

If you don’t have OpenVPN installed already, run

    sudo apt-get install openvpn

Next, grab the config file you’d like to use. If you’re in a class, it’s probably provided by your professor or whoever’s providing you with a network to pen test. Otherwise, you can find other config files online to play around with.

You will likely have 2 files provided to you: a config file with the filetype “.opvn”, and a certificate file.

We’re going to add the certificate file and the config file to the equivalent of a Windows config folder in Kali.

    mv config-file /etc/openvpn/config-file;
    mv cert-file /etc/openvpn/cert-file

That’s basically it! To spin up the VPN, run:

    openvpn — config /etc/openvpn/config-file;

You’ll likely be asked to authenticate with whatever username and password you’ve been given to access the network.

Note that the command above will start the VPN in the foreground and will terminate when the terminal is closed.

If you’d rather run the VPN in the background and not terminate when closing terminal, run:

    sudo nohup openvpn — config /etc/openvpn/cert-file.ovpn &;

I read several SO posts and random tutorials to get to this point, but some didn’t quite work or were too dated. The most useful site was easily, which is actually a VPN client.

Hopefully this saved someone out there some time.

Read More