Missing USB revocation on Android with Nethunter

Fri 05 May 2017

Today, I came across a strange issue when trying to interact with my phone using adb. I'd recently set up Kali nethunter on a phone I use for mobile application pentests, and found that I could no longer connect to it from my machine.

The error message is rather unhelpful. It indicates that the $ADB_VENDOR_KEYS are not present on the adb server and suggests that I run adb kill-server. This doesn't work. Another recommendation I found online was to wipe out the ~/.android directory (which contains the adbkey file -- the RSA key). Didn't work for me either, sadly. The third recommendation was to revoke the USB authorizations from the phone interface, while in Developer mode. This is where I noticed something curious: the option to revoke authorizations is not present -- or should I say, it is no longer present.

The problem is known; here's the thread that actually helped me out: https://github.com/offensive-security/kali-nethunter/issues/341

Re-enable USB debugging - method with additional android device

I'll admit that the prospect of flashing my phone did not appeal. Since I have a few extra phones for my tests, I tried one of the alternative solutions, which worked beautifully. Since I'm always a bit concerned about losing valuable information nuggets such as these, I've re-written it here. The process assumes that you are trying to get device A to talk to your computer, and that you have a second android device, B.

  1. Connect device B to your computer.

  2. Switch to Developer mode and enable USB debugging.

  3. From your computer, run adb shell. This will prompt your device to authorize the computer's RSA key.

  4. Authorize the key. This creates a file on the device's data drive containing the RSA public key of your computer, unsurprisingly much like an .ssh/authorized_keys file on a server with SSH running on it.

  5. Copy this file to the sdcard directory of the phone so that you can transfer it to your computer:

    On device B:

    cp /data/misc/adb/adb_keys /sdcard

    On your computer:

    adb pull /sdcard/adb_keys .

  6. Copy the file to device A. You can do this via MTP with a USB cable, or by using your computer as a web server.

  7. From a terminal on device A, copy the file to the /data partition. You'll need root permissions to do this (if, like me, you encountered this problem because you installed nethunter, this should not be an issue):

    cp /sdcard/adb_keys /data/misc/adb/adb_keys

  8. Kill your adb server and then try running adb shell again. That should do it.

Re-enable USB debugging - alternative, simpler method

After verifying that this work-around was successful, it occurred to me that it might not be necessary to have a second device after all: now that you know where android stores authorized keys, you should be able to take your public key and pop it straight into the file. So here's a simplified process:

  1. Copy ~/.android/adbkey.pub to your device, either via web or MTP.

  2. Using terminal on the device, copy the file to the /data partition as root:

    cp /sdcard/adbkey.pub /data/misc/adb/adb_keys

  3. Kill adb server and try running adb shell again.
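
The cp in step 2 replaces adb_keys wholesale, dropping any host that was already authorized. The shell functions below are an added example, not part of the original post: they append a host key only if it is missing and list which hosts a key file currently authorizes. They assume the one-key-per-line layout of adbkey.pub (base64 blob, then a user@host comment) and a POSIX shell with awk; the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and merge adb authorized keys.
# Assumed layout (as in adbkey.pub): one key per line, "<base64 blob> <user@host>".

# key_blob FILE: print the base64 blob (first field) of the first non-empty line.
key_blob() {
    awk 'NF { print $1; exit }' "$1"
}

# is_authorized PUBKEY KEYS: succeed if PUBKEY's blob is already listed in KEYS.
is_authorized() {
    blob=$(key_blob "$1")
    [ -n "$blob" ] && [ -f "$2" ] || return 1
    awk -v b="$blob" '$1 == b { found = 1 } END { exit !found }' "$2"
}

# list_hosts KEYS: print the comment of every authorized key, for review.
list_hosts() {
    awk 'NF { print (NF > 1 ? $2 : "(no comment)") }' "$1"
}

# authorize_key PUBKEY KEYS: append PUBKEY to KEYS unless it is already there,
# leaving every existing entry intact.
authorize_key() {
    [ -n "$(key_blob "$1")" ] || { echo "no key in $1" >&2; return 2; }
    is_authorized "$1" "$2" && return 0
    # Make sure the existing file ends with a newline before appending.
    if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then
        echo >> "$2"
    fi
    awk 'NF { print; exit }' "$1" >> "$2"
}

# Demo on constructed data (placeholder blobs, not real RSA keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'QUFBQUhvc3RLZXk= alice@laptop' > "$d/adbkey.pub"
    printf '%s' 'QUFBQU90aGVyS2V5 bob@workstation' > "$d/adb_keys"  # no final newline
    authorize_key "$d/adbkey.pub" "$d/adb_keys"
    authorize_key "$d/adbkey.pub" "$d/adb_keys"   # second call changes nothing
    list_hosts "$d/adb_keys"
    rm -rf "$d"
}
demo
```

Reviewing the list_hosts output before and after a merge also shows any host you did not expect to be authorized on the device.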
