@heywoodlh

heywoodlh thoughts

Remotely connecting to Rooted Android via ADB

This post will just contain some quick snippets on how I connect to my rooted Android phone with ADB. This post assumes that your Android phone is already rooted.

Install Termux, Termux:Boot: #

First, install F-Droid.

Then, using F-Droid, install Termux and Termux:Boot.

Launch Termux and launch Termux:Boot.

Configure Termux: #

In Termux, install the root-repo and tsu:

pkg install root-repo && pkg install tsu

Test that you can elevate to root:

~ $ tsu -
:/data/data/com.termux/files/home # whoami
root

As the normal Termux user – not root – create ~/.termux/boot/:

mkdir -p ~/.termux/boot

Setup SSH: #

With your preferred text editor, add the following to ~/.termux/boot/sshd:

#!/data/data/com.termux/files/usr/bin/env bash

termux-wake-lock
sshd

Make it executable:

chmod +x ~/.termux/boot/sshd

The above ~/.termux/boot/sshd script will run sshd on boot. You will either need to set a password for your user in Termux or set up an SSH key in the ~/.ssh/authorized_keys file.

Find the username of your Termux user with whoami

Also, add the following to $PREFIX/etc/ssh/sshd_config:

Port 1024

This will make sure that the SSH service runs on port 1024 on your Android.

Setup ADB: #

Now add the following to ~/.termux/boot/adb:

#!/data/data/com.termux/files/usr/bin/env bash

INTERFACE='tun0'

su -c "setprop service.adb.tcp.port 5555 && iptables -A INPUT -i ${INTERFACE} -p tcp --dport 5555 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT && stop adbd && start adbd"

Make sure to modify the $INTERFACE variable with whatever desired your desired interface is on your Android. You can list your interfaces with the ip addr command.

Make it executable:

chmod +x ~/.termux/boot/adb

The above script will run adb on TCP port 5555 of your Android. Since it is in the ~/.termux/boot folder and you have Termux:Boot installed it will run on boot.

Accessing ADB remotely from your workstation: #

This next part assumes you’re on a Unix-like machine with adb already installed.

Setup your SSH config on your workstation: #

I’d recommend adding something like the following to ~/.ssh/config on your workstation:

Host kali-phone
    Host 192.168.1.10
    User u0_a107
    Port 1024

Change the username and IP address based on your setup. Use whoami while in Termux to find the username.

Once you setup your config you can use ssh kali-phone to login to the phone.

Connect to ADB via SSH: #

Use the following command to forward ADB to your local machine using an SSH tunnel:

ssh -L 5555:127.0.0.1:5555 kali-phone

Then in a separate Terminal window connect with adb:

adb connect localhost:5555

adb shell

Conclusion: #

I documented this because I wanted to access ADB over my Wireguard setup, which would encrypt the ADB connection between my Mac and my Android – both connected to the same Wireguard instance.

Bonus: #

Here are some BASH aliases I use for ADB:

alias kali-phone-adb-start="screen -dmS kali-phone-adb ssh -L 5555:127.0.0.1:5555 -qCN kali-phone && adb connect localhost:5555"

alias kali-phone-adb-stop="screen -X -S kali-phone-adb quit && adb disconnect"

alias kali-phone-screen-capture='adb shell "while true; do screenrecord --output-format=h264 -; done" | ffplay -framerate 60 -probesize 32 -sync video -'
Written on July 14, 2021

android linux ssh adb