Installing Kali on a Verizon S5

A problem in the hacker community right now is that a lot of people think you can only run Kali, the Penetration Testing Distribution of Linux, on Google Phone and Tablets. This is only partially true. This is how you can install Kali, or any linux distribution, on a Verizon S5. The point of this walkthrough is to make it easier to deploy Kali enabled rooted phones in the field for responsible techs when that driver is available.

SM-G900V spec sheet:

Broadcom Press Sheet:


There is currently no support for monitor mode on the Broadcom 4354 SoC, so if you couldn’t run Reaver because bcmon wouldn’t work, then Kali is not going to find a better driver for your chip until after an update to the bcm driver is released.

Broadcom obviously isn’t going to work on anything it isn’t paid for, and so we must patiently await the reversing of the chip until the linux driver update makes its debut. If you are earning right now and want to donate to XDA and bcmon, we would all appreciate it by the way. If people want to weaponize their smartphones and uphold the 2nd Amendment to protect the 13th in the 21st century, they will, but few equate open drivers as revolutionary so maybe additional development can be fomented. Your support of groups like XDA and bcmon empower the digital world. Now if only they built a kevlar S5 AR mount and waterproof bluetooth throat mic you could be highspeed with some waterproof wireless charging tactical operator S5 action too, but let’s just hope the driver comes out and take it one step at a time.

Root your phone:

Download older and newer firmware releases.

Flash back to previous firmware release that had the exploit towelroot uses.
Sideload towelroot.
Use towelroot to root your phone.
You may want to look at if you get hung up.
Flash newer release back to phone to upgrade with root and superuser preserved.

You can install safestrap as well so you can bounce back and forth between flashings but the built in locked bootloader works fine to do this.

Yes, one day the unlock codes for the S5 will be free but until then you have to send money to Chinese programmers who buy them from Samsung.

Set Permissions:
Now that we are working with a rooted phone, go ahead and open a Terminal on your device. I already had Rom Toolbox Pro installed so once you have the terminal open type:

Acquire Superuser
$ su

Change Directory
# cd /data/data/ru.meefik.linuxdeploy/linux/bin

Remove chroot jail
# rm sh chroot

Symlink shell and busybox
# ln -s /system/bin/mksh sh
# ln -s /system/xbin/busybox chroot

Install Linux Deploy, I set user as root, configured 8192MB for image size (virtual system size) and selected all the packages.

Hit the install button and come back in a half hour.

Verify the VNC server says done not failed.

Start Kali.

Use any VNC client with a display larger than the phone’s to connect to localhost on whatever port you set and you can SSH to the virtual Kali box once you have root as well.

The default Kali VNC user is android and the password is changeme and the default Kali user name and pass is root/toor. You can SSH as root by default in Kali even though you can’t on a lot of systems.

Open LXTerminal in Kali in a new VNC session, verify it is showing root@android and type:

$ passwd

Change the password to something someone won’t guess if they are sniffing your session.

Now the newer releases of Kali for ARM devices are stripped down so have enough space and pick your metapackage.

apt-get install kali-linux-full
for the full 5GB install

apt-get install kali-linux-top10
for the basic set of tools which includes aircrack-ng

or go here and see what else is available in the metapackages

Open terminal on the android system side and type ifconfig. Now you have your local subnet IP to SSH from your laptop to your Kali box on your phone over wifi. This can be done with your phone in your pocket.

Take your phone out of your pocket, open terminal on the android system side and ssh to localhost and you can login as root there to run a quick nmap scan or sniff some packets before class now.

You can use your phone to open your own VPN tunnel from private wifi at school to phone and to deposit your homework in your teacher’s cloud storage directory as a root user behind the firewall, totally working around the moodle/peoplesoft/oracle garbage and the time wasting fake authentication security their measly blogified database the internet frontend “provides.”

This doesn’t take much battery standing by with the screen off, but if you put John the Ripper to task while it’s unplugged I bet it’ll burn through battery before it breaks the hash.

Let’s see!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s