PenTest Oriented Web Browser - Sandcat Browser 5.3

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers and when you need to examine live web applications. For more details, visit http://www.syhunt.com/sandcat/ . See also the docs directory and credits section below for a few more details about the Sandcat architecture.

Directories

• /docs - Lua API documentation
• /packs - contents of uncompressed pack files
  • /Common - common CSS, widgets and scripts package (Common.pak)
  • /Resources - resources package (Resources.pak)
• /src - the main executable source and built-in resource files
  • /core - user interface source
  • /html - user interface resources (HTML)
  • /lua - Lua API source

Download
Compiled binaries for Windows can be downloaded from the links below.

• 5.3 64-bit
• 5.3 32-bit
• 5.3 32-bit with Pen-Tester Tools (included as part of Syhunt Community)

Compiling
For compiling Sandcat, you will just need Catarinka and pLua .
The entire Sandcat user interface is created during runtime, so there is no need to install third-party components in the IDE - you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2. If you are trying to compile it with Lazarus, let me know which errors you get - I will try to do the same soon.
Some work is still needed before a Mac or Linux version materializes.

ChangeLog

5.3

This upgrade brings more stability on newer OSes.

• Fixed: constant freeze during navigation under some Windows installations (IPC related).
• Fixed: AV when restoring minimized Sciter dialog.
• Replaced the Selenite library with Catarinka.

5.2

• Added the ability to create offscreen Chromium renderers using the Lua API.
• Improved tab status bar text handling.
• Improved task script error handling.
• Improved live headers.
• Improved startup for Windows 10 compatibility.
• Make window close work as cancel in Preferences dialog.
• The Chromium library was upgraded to the latest release.
• Some extensive code cleanup.
• Minor user experience improvements.
• 64-bit version now available separately (special thanks for @RJ35 for fixing a Chromium

related crash under Win64 environments making this release possible)

• Fixed: a rare crash when switching tabs.

5.1

This release address minor issues like a crash when loading a homepage during startup or calling the context-menu from a loaded web page.

5.1 Beta 3

This release uses the latest Chromium binaries. This fixes some instability issues when browsing with the live headers enabled.

5.1 Beta 2

This release is focused on stability and performance, as well as some other improvements such as being able to ignore certificate errors while navigating and open PDF files.

Here is what changed in version 5.1:

• Switched to the WACEF Chromium framework and the latest Chromium binaries. This significantly improves speed and stability, and fixes some issues during shutdown.
• Most preferences now get applied instantly (just need to open a new tab instead of restarting).
• Added a certificate error dialog.
• Added a PDF viewer plugin.
• Added proxy support.
• Improved Lua integration.
• Minor compiler optimizations.
• The OpenSSL library was upgraded to the latest release.
• The Selenite library was upgraded to the latest release.

5.0

We're excited to announce a brand new version of our Sandcat Browser (codenamed Catarinka browser), now available as a free, open source project - because many people asked for it, the entire source for Sandcat is now available on GitHub. Feel free to fork it, examine it, contribute code, send suggestions, report or fix issues.

Here is what changed in version 5.0 beta 1:

• Faster startup and responsiveness.
• Huge refactoring and cleanup of the current code.
• The Chromium library was upgraded to the latest release (incredibly fast!).
• Improved compatibility with 64-bit Windows editions.
• Improved source code editor.
• Available as free, open source/community edition (under a BSD-3-Clause license).
• Built using components and libraries from the Catarinka toolkit (also made open source at the same time with this release and under the same license).
• Includes the Selenite Lua library - a multi-purpose set of Lua extensions developed to make the development of Lua extensions easier in Sandcat. The code for Selenite is now open source, under the MIT license. The library documentation is available here.
• Fixed: output of the SHA1 and the full URL encoders that come with the pen-tester pack. 
• 
  

Download Sandcat Browser

Read More

IDPS & SandBox & AntiVirus STEALTH KILLER - MorphAES

MorphAES is the world's first polymorphic shellcode/malware engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.

Properties:

• Polymorphism (AES encryption)
• Metamorphism (logic and constants changing)
• Platform independent (Linux/BSD/Windows)
• IDPS stealthing (the total number of possible signatures is more the number of atoms in the universe for one given code)
• Sandbox evasion (special assembly instructions)
• Realism (no null bytes)
• Can produce executables (malwares)
• Input code can have arbitrary length

Dependencies for the morpher:

• Python 2.7 - main engine
• Python Crypto 2.6 - for encryption

Dependencies for the code execution:

• 64-bit Intel AES-NI - for decryption

Nonetheless, there are some limitations (aka white-hat aspects):

• Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
• Unicode null bytes might still work (but who cares?)
• It will only work on 64-bit Intel processors with AES-NI support, but since all the user's PCs (like Pentium, Celeron, i3, i5, i7) and the industry's servers (like Xeon) have it, it's more a specification, rather than a limitation, thus a 32-bit implementation is unpractical
• Almost any shellcode is guarantee to work however, an arbitrary code (malware) doesn't
• Windows/BSD PoC and executables are in progress...

How it works

1. Shellcode padding with NOPs (since AES is a block cipher)
2. Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) - polymorphism
3. Constants randomization, logic changes, instructions modification and rewriting - metamorphism

HowTo
For Linux:

sudo apt-get install python python-crypto

Execute the Pyhton script and enter your shellcode or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I'm still testing it.
You can also use the Linux PoC in assembly:

as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode
./shellcode

Every file is commented and explained

Tests
At this point, it should be pretty obvious that, the hashes would be different every time, but let's compare SSDEEPes of 2 Linux executables of the same shellcode:

• 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
• 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,

Well, there's something in common, but globally those are 2 different signatures, now what about the shellcode it-self:

• 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
• 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,

Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as a shellcode only by 2 out of 53 antiviruses (AVG and Ikarus) on virustotal , but now, it just fails to analyze.
malwr's with cuckoo2 doesn't see anything suspicious.
On the reverser's perspective, IDA won't see anything either.
Radare2 would show the real instructions only if assembled by the assembler it-self however, it doesn't detects any crypto or suspicious activity for the executable.
Althrough, I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...

To put it in the nutshell
Basically, it can transform a script-kid's code (or a known-one ) into a zero-day.
IDPS will fail because, it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most of the sandboxes doesn't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not.
The only way to defeat this type of shellcode/malware is to use an appropriate sandboxing or/and an AI.
Notice that, the whole execution is done by a pure assembly, no Python (or shitty OpenSSL) is needed for the shellcode's/malware's execution since, I use built-in assembly instructions only, thus it's system-independent (surely, you will have to assemble it for each-one by adapting the instructions/opcodes, but they are still same).

Notes
This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sanboxes suck.

"Tradition becomes our security, and when the mind is secure it is in decay."

Jiddu Krishnamurti

Download MorphAES

Read More

Onion URL Inspector - ONIOFF

A simple tool - written in pure python - for inspecting Deep Web URLs (or onions).
Compatible with Python 2.6 & 2.7.
Author: Nikolaos Kamarinakis ( nikolaskama.me )


Installation
You can download ONIOFF by cloning the Git Repo and simply installing its requirements:

$ git clone https://github.com/k4m4/onioff.git
$ cd onioff
$ pip install -r requirements.txt

Usage
Usage: python onioff.py {onion} [options]
To view all available options run:

$ python onioff.py -h

NOTE : In order for ONIOFF to work, Tor must be correctly configured and running.

Demo
Here's a short demo:

(For more demos click here )

Download ONIOFF

Read More

Essential Books for PenTest - Post Exploitation

Post-Exploitation

Hi soldier of offensive security

The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machines usefulness in further compromising the network.

The methods described in this phase are meant to help the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and setup one or more methods of accessing the machine at a later time. 

In cases where these methods differ from the agreed upon Rules of Engagement, the Rules of Engagement must be followed.

Book 1: Windows Post-Exploitation Command List



Book 2: Linux/Unix/BSD Post-Exploitation Command List



Book 3: OSX Post-Exploitation Command List

Broken links report for me

By OffensiveSec

Read More

USB Kill to Destroy any Computer within Seconds! - USB Kill 2.0

A proof-of-concept USB prototype that was designed by a Russian researcher, Dark Purple, last year, to effectively destroy sensitive components of a computer when plugged in.

Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into.

A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.

How does USB Kill 2.0 work?

As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.

The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed.

"When tested on computers, the device isn't designed or intended to erase data," the company says. "However, depending on the hardware configuration (SSD [solid-state drive] vs. platter HDD [hard disk drive]), the drive controllers may be damaged to the point that data retrieval is impractical."

"Any public facing USB port should be considered an attack vector," the company says in a news release. "In data security, these ports are often locked down to prevent exfiltration of data or infiltration of malware, but are very often unprotected against electrical attack."

When And For Whom USB KILL Would Be Useful?

USB Kill stick could be a boon for whistleblowers, journalists, activists, and, not to forget, cyber criminals, who want to keep their sensitive data away from law enforcement as well as cyber thieves.

It is like, if you're caught, kill yourself. In the same fashion as terrorists do. Here I mean to kill the data from your laptop if the law enforcement has caught your laptop. And USB Kill stick does the same for you.

However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks.

Video Demonstration

You can watch the video demonstration below by the company that shows USB Kill 2.0 stick in action.

The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port.

However, the only devices not vulnerable to USB kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on USB ports.

Juice jacking is a type of cyber attack wherein malware installed on a computer can surreptitiously copy data from a smartphone, tablet or other computers using a USB charging port that doubles as a data connection, typically over USB.

While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."

USB Kill 2.0 also comes with a USB Protection Shield, called Test Shield, sold for additional $15.70, which is designed to allow testing of the USB Killer stick without destroying the host machine.

Source: UsbKill

By OffSec

Read More

Best PDF eBooks For Learning - Hacking

Cyber security takes big part in Technology. There’s a lot of script kiddie hackers who might get lucky and do maythem without understanding what they did. Hopefully, there’s hackers with better skills called White Hat hackers. They are truly professionals in cyber security. They do almost the same thing as black hat hackers do, but once they find vulnerability, they report it instead of exploiting it. I made this list of hacking eBooks and you can check it out.

If you are cyber security enthusiast, you might wanna take a look at following PDF hacking eBooks. They contain a lot of useful information. So feel free to download and share this article with your friends.

1. Black Belt Hacking & Complete Hacking Book
2. Hackers High School 13 Complete Hacking E-books
3. A Beginners Guide To Hacking Computer Systems
4. Black Book of Viruses and Hacking
5. Secrets of Super and Professional Hackers
6. Dangerours Google Hacking Database and Attacks
7. Internet Advanced Denial of Service (DDOS) Attack
8. Computer Hacking & Malware Attacks for Dummies
9. G-mail Advance Hacking Guides and Tutorials
10. Vulnerability Exploit & website Hacking for Dummies
11. Web App Hacking (Hackers Handbook)
12. Security Crypting Networks and Hacking
13. Hacking attacks and Examples Test
14. Network Hacking and Shadows Hacking Attacks
15. Gray Hat Hacking and Complete Guide to Hacking
16. 501 Website Hacking Secrets
17. Internet Security Technology and Hacking
18. CEH Certified Ethical Hacker Study Guide
19. Advanced SQL Injection Hacking and Guide
20. Web Hacking & Penetration testing
21. OWASP Hacking Tutorials and Web App Protection
22. CEH – Hacking Database Secrets and Exploit
23. Ethical Hacking Value and Penetration testing
24. Hack any Website, Complete Web App Hacking
25. Beginners Hackers and tutorials
26. Ethical Hacking Complete E-book for Beginners
27. Backtrack : Advance Hacking tutorials
28. SQL Injection attacks and tutorials by Exploit DB
29. XSS + Vulnerability Exploitation & Website Hacking
30. Ultimate Guide to Social Enginnering attacks
31. White Hat Hacking complete guide to XSS Attacks
32. Cross Site Scripting and Hacking Websites
33. The Hackers Underground Handbook ( hack the system)
34. Blind SQL Injection tutorials and Hacking
35. Hacking Secrets Revealed
36. Hacking Website Database and owning systems
37. Reverse Engineering for Beginners
38. Reverse Enginnering (The Real Hacking)
39. Computer Hacking
40. Hack your Friend using Backtrack
41. Reverse Enginnering Hacking and Cracking
42. Hack the System for beginners
43. Hacking into Computer Systems
44. Blind SQL Injection Discovery & Exploitation

By OffSec

Read More

Computer forensics - #4 Mind Map

Computer forensics

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.


Source: amanhardikar

By OffSec

Read More

Forensic Challenges - Labs

URLs

Host Forensics

Computer Forensic Investigation
http://www.shortinfosec.net/2008/07/competition-computer-forensic.html/
Digital Forensics Tool Testing Images
http://dftt.sourceforge.net/
DigitalCorpora
http://digitalcorpora.org/
DFRWS 2014 Forensics Rodeo
http://www.cs.uno.edu/~golden/dfrws-2014-rodeo.html
ForGe Forensic test image generator
https://github.com/hannuvisti/forge
ISFCE Sample Practical Exercise
http://www.isfce.com/sample-pe.htm
Linux LEO Supplemental Files
http://linuxleo.com/
NIST CFREDS
http://www.cfreds.nist.gov/dfr-test-images.html
http://www.cfreds.nist.gov/Hacking_Case.html
p0wnlabs Sample Challenges
http://www.p0wnlabs.com/free/forensics
Samples from Automating DFIR Series
http://www.hecfblog.com/2015/02/automating-dfir-how-to-series-on.html
volatility memory samples
https://code.google.com/p/volatility/wiki/FAQ

Network Forensics

Chris Sanders Packet Captures
http://chrissanders.org/packet-captures/
DigitalCorpora Packet Dumps
http://digitalcorpora.org/corpora/packet-dumps
Enron Email Dataset
http://www.cs.cmu.edu/~enron/
Ethereal Sample Captures
http://www.stearns.org/toolscd/current/pcapfile/README.ethereal-pcap.html
Evil Fingers PCAP Challenges
https://www.evilfingers.com/repository/pcaps_challenge.php
Kholia's Packet Captures
https://github.com/kholia/my-pcaps
LBNL-FTP-PKT
http://ee.lbl.gov/anonymized-traces.html/
MAWI Working Group Traffic Archive
http://mawi.wide.ad.jp/mawi/
PacketLife Capture Collection
http://packetlife.net/captures/
pcapr
http://www.pcapr.net
PCAPS Repository
https://github.com/markofu/pcaps
SANS DFIR Challenge
https://digital-forensics.sans.org/community/challenges
Spy Hunter Holiday Challenge
http://blog.mywarwithentropy.com/2015/11/spy-hunter-holiday-challenge-2015.html
http://blog.mywarwithentropy.com/2014/11/spy-hunter-holiday-challenge-2014.html
Tcpreplay Sample Captures
http://tcpreplay.appneta.com/wiki/captures.html
Wireshark Network Analysis Book Supplements
http://www.wiresharkbook.com/studyguide.html
Wireshark Sample Captures
http://wiki.wireshark.org/SampleCaptures
Xplico Sample captures
http://wiki.xplico.org/doku.php?id=pcap:pcap

Malware Analysis

Contagio
http://contagiodump.blogspot.com/
FakeAVs blog
http://www.fakeavs.com/
malc0de
http://malc0de.com/database/
MalShare
http://malshare.com/
Open Malware / Offensive Computing
http://openmalware.org/
theZoo / Malware DB
http://ytisf.github.io/theZoo/
VirusShare.com / VXShare
http://virusshare.com/
Virusign
http://www.virusign.com/
VX Heaven
http://vxheaven.org/
VXVault
http://vxvault.siri-urz.net
Georgia Tech malrec Page
http://panda.gtisc.gatech.edu/malrec/
Malware Traffic
http://malware-traffic-analysis.net/
Kernelmode Forum
http://www.kernelmode.info
Malware Hub Forum
http://malwaretips.com/categories/malware-hub.103/
Public Documents about APTs
https://github.com/kbandla/APTnotes
CLEAN MX realtime database
http://support.clean-mx.de/clean-mx/viruses.php
Joxean Koret's List
http://malwareurls.joxeankoret.com
MalwareBlacklist.com
http://www.malwareblacklist.com
Sucuri Research Labs
http://labs.sucuri.net/?malware
Android Sandbox
http://androidsandbox.net/samples/
Contagio Mobile Malware
http://contagiominidump.blogspot.com/
HoneyDrive
http://bruteforce.gr/honeydrive
maltrieve
http://maltrieve.org/

Online and CTFs

Black T-Shirt Cyber Forensics Challenge
https://cyberforensicschallenge.com/
DEFCON CTF Archive
https://www.defcon.org/html/links/dc-ctf.html
DFRWS
http://www.dfrws.org/2013/challenge/index.shtml
http://www.dfrws.org/2010/challenge/
http://www.dfrws.org/2011/challenge/index.shtml
http://www.dfrws.org/2007/challenge/index.shtml
http://www.dfrws.org/2006/challenge/
http://www.dfrws.org/2005/challenge/
Digital Forensics Security Treasure Hunt
http://digitalforensics.securitytreasurehunt.com/
ENISA CERT Training Material
https://www.enisa.europa.eu/activities/cert/support/exercise
ForensicKB Practicals
http://www.forensickb.com/2008/01/forensic-practical.html
http://www.forensickb.com/2008/01/forensic-practical-2.html
http://www.forensickb.com/2010/01/forensic-practical-exercise-3.html
http://www.forensickb.com/2010/06/forensic-practical-exercise-4.html
http://www.forensickb.com/2011/01/simple-forensic-puzzle-1.html
http://www.forensickb.com/2011/02/forensic-puzzle-6.html
HackEire CTF
https://github.com/markofu/hackeire
Honeynet Challenges
https://www.honeynet.org/challenges
http://old.honeynet.org/scans/index.html
Jack Crook's DFIR Challenges
https://docs.google.com/file/d/0B_xsNYzneAhEN2I5ZXpTdW9VMGM
I Smell Packets
http://ismellpackets.com/
Network Forensics Puzzle Contest
http://forensicscontest.com/puzzles
RingZer0 Team
http://ringzer0team.com/challenges
UMass Trace Repository
http://traces.cs.umass.edu/

Source: amanhardikar

By OffSec

Read More

Vulnerability Scanner - HellRaiser

HellRaiser Vulnerability Scanner

HellRaiser Vulnerability Scanner scans targets with nmap and then correlates cpe’s found with cve-search to enumerate vulnerabilities.
In order to test and run HellRaiser Vulnerability Scanner you need to install ruby, bundler and rails. https://gorails.com/setup/ubuntu/16.04

Install redis-server and nmap.

sudo apt-get update
sudo apt-get install redis-server nmap

Clone HellRaiser repository, change to hellraiser web app directory and run bundle install and bundle exec rake db:migrate.

git clone https://github.com/m0nad/HellRaiser/
cd HellRaiser/hellraiser/
bundle install
bundle exec rake db:migrate

Start

Start redis server.

redis-server

Go to the hellraiser web app directory and start sidekiq.

bundle exec sidekiq

Go to the hellraiser web app directory and start rails server.

rails s

Usage

Access http://127.0.0.1:3000

Download HellRaiser 

Read More

Build Your Own - PwnPhone

Build Your Own PwnPhone

We’ll attempt to show you how to build your own Pwn Phone running the Kali operating system and our AOPP (Android Open Pwn Project) image.

Let’s get cracking…

Flashing the Phone

1. Download the Recovery image for your device:
   https://twrp.me/Devices
2. Connect the device to the host machine via USB cable.
3. Power off the device and boot into the Bootloader:
   Press and hold the Power & Volume-Down buttons
4. Confirm the device is recognized by the host machine:
   (a device should be listed when the command returns)
   $ fastboot devices
5. Unlock the device:$ fastboot oem unlock
6. Once unlocked, flash the Recovery image:$ fastboot flash recovery <name-of-recovery-image>.img
7. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
   Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
8. If prompted, swipe “Swipe to Allow Modifications”.
9. Once in Recovery, wipe the device:
   Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
10. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
11. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)$ adb devices
12. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:
    $ adb push <name-of-rom-zip>.zip /sdcard/
13. On device, tap Install and then select the AOPP ROM zip from /sdcard.
14. Swipe “Swipe to Confirm Flash”
15. Once installed, tap “Reboot System”

OK Now Let’s Build the Phone

Downloading the Source

1. Refer to “Downloading and Building Requirements” before proceeding:
   https://source.android.com/source/requirements.html
2. Refer to “Downloading the Source” before proceeding:
   https://source.android.com/source/downloading.html
3. Create a directory for the build system to live in and cd into that directory:$ mkdir <WORKING_DIR>$ cd <WORKING_DIR>
4. Initialize a local repository using this source tree, use the command:
   $ repo init -u git@github.com:aopp/android_platform.git -b px-0.1
5. Sync the repository, use:
   $ repo sync

Building

Devices are referred to by codename (e.g. hammerhead). Make sure to use this when substituting <device-codename> in the following instruction set.

1. Refer to “Building the System” before proceeding:
   https://source.android.com/source/building.html
   
2. To initialize the build environment, use the following command:$ . build/envsetup.sh
3. Prepare the build environment (download device-tree and dependencies) for your specific device:$ breakfast <device-codename>
4. Connect the device running a working AOPP/AOSP ROM to the host machine via USB.
5. Make sure it is booted into system and confirm the device is recognized by the host machine:
   (a device should be listed when the command returns)$ adb devices
6. Enter the device directory:$ cd <WORKING_DIR>/device/<vendor>/<device-codename>/
7. Extract the proprietary binaries from your device:$ ./extract-files.sh
8. Return to the root of the build system:$ croot
9. Start a build run for your device:
   $ brunch <device-name>
10. Once complete, the ROM zip can be found in the out/ directory:$ cd /out/target/product/<device-codename>
11. The flashable ROM zip (product of the build run) will be located in the out/ directory as:
    aopp-0.1-<build-date>-UNOFFICIAL-<device-codename>.zip

Flashing

1. Download and install the command line tools for your OS: https://developer.android.com/studio/index.html#downloads
   
2. Download the AOPP ROM for your device:
   https://wiki.pwnieexpress.com/index.php/Official_devices
   
3. Download the Recovery image for your device:
   https://twrp.me/Devices
   
4. Connect the device to the host machine via USB cable.
5. Power off the device and boot into the Bootloader:
   Press and hold the Power & Volume-Down buttons
6. Confirm the device is recognized by the host machine:
   (a device should be listed when the command returns)
$ fastboot devices
7. Unlock the device:
$ fastboot oem unlock
8. Once unlocked, flash the Recovery image:$ fastboot flash recovery <name-of-recovery-image>.img
9. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
   Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
10. If prompted, swipe “Swipe to Allow Modifications”.
11. Once in Recovery, wipe the device:
    Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
12. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
13. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)$ adb devices
14. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:$ adb push <name-of-rom-zip>.zip /sdcard/
15. On device, tap Install and then select the AOPP ROM zip from /sdcard.
16. Swipe “Swipe to Confirm Flash”
17. Download SuperSU from Chainfire here:
    https://download.chainfire.eu/969/SuperSU/UPDATE-SuperSU-v2.76-20160630161323.zip
18. Push the SuperSU zip to /sdcard/:
    $ adb push <SuperSU-zip-name>.zip /sdcard/
19. Once installed, tap “Reboot System”
20. Hack the Gibson…and remember…hugs are worth more than handshakes

Source: pwnieexpress

Read More