Below is a great write-up from Cory Kennedy.

I just finished a Backtrack 5 install on my Samsung Galaxy S phone.  I will detail out the steps to get it running most Android phones.  While this method was ONLY testing on my Galaxy S (Vibrant) but should work with other devices.


I have split this guide into two sections.  The first section titled “Quick Version” is a simple set of steps to get this working on your phone.  All the work in the full version has already been completed by using the quick version.
The “Full Version” goes into process detail if you would like to perform all the steps or it may help if you get stuck at any time during the process.  This guide will continually be updated to include any feedback or changes.

Quick Version:

  1. Download the complete set of files you need from here: Extract to your phones internal SDcard in a directory called “BT5″ (cAsE sEnSiTiVe)
  2. Launch terminal emulator from your phone and type (everything after the $: or #: is user input):
    $: su
    #: cd sdcard
    #: cd BT5
    #: sh bootbt
  3. While Backtrack is loaded (when you see a red “root@localhost“) start the VNC server by typing:root@localhost:~#: startvnc (stopvnc kills it)
  4. Launch VNC (im using this)from your phone and point it at VNC pass: toortoor
  5. Welcome to Backtrack on your Phone!

Full Version

1. Download a copy of Backtrack 5 for ARM from : (Be nice and register)

Name: BT5-GNOME-ARM.torrent
Size: 1060
Flavor: GNOME
Arch: arm
Image: IMG
Download: Torrent
MD5: a66bf35409f4458ee7f35a77891951eb

Complete package files that you need to install on your phone can be found here: Instructions are included.

2. Extract and review the “README” file.

I have posted the readme file here for quick reference, and have just added my notes to during the process.     I urge you to read the official read me included with the release prior to reading the below with comments.  My notes are in bold.
I would HIGHLY recommend following busybox instructions for your specific rom.   Most of the time this means updating to the latest version, but that is not always the case.
The Vibrant comes with 16gig NON removable internal storage.  The phone mounts this as the “sdcard” and the external SD card is removable.  I will be using the internal mass storage device to install BT5.
Without wasting more time, onto the readme.

BackTrack 5 ARM Edition Quick Start
This image has been developed and tested on the Motorola Xoom.
Your mileage may vary on other devices. As this image runs in a chroot, you will need to have your device rooted. There are numerous tutorials on the subject online and are not included here.
***Rooting your device will potentially void its warranty and we are not in any way resposible if  you brick your device while rooting it.***
1. Since the image runs in a chroot, there is no root password set.
2. There are 2 scripts under /usr/bin/ ‘startvnc’ and ‘stopvnc’ that are set to start with the Xoom’s default resolution.

Once Backtrack5 is running off your phones internal storage you will need to edit the scripts to match your phone or devices resolution.  In my case, the Vibrant uses 480×800.   Details on this step later in the instructions.

3. The current vnc password is set to ‘toortoor’ and can be changed by running ‘vncpasswd’
4. This image is a work in progress and suggestions/tips from the community are always welcome.

ADB is a  veristile tool when it comes to Android development and interacting with the device and while the below WILL indeed work, and is independent of any OS (assuming you have the Android SDK installed).  I felt it was overkill for this task and simply mounted my SDcard and moved the files through OSX finder.  I also made changes via another machine using Windows explorer.  Again, choose your comfort level, steps 1-5 are simply a means to an end. That end is getting the files onto your SDcard.

1. Once you have downloaded the ARM BT package, save the files in a convenient location. The steps below assume they are in the platform-tools folder of the Android SDK.
2. Go to your platform-tools directory and proceed to make a directory on the device to store BT5: ./adb shell mkdir /sdcard/BT5 exit
3. Copy over the busybox install files: ./adb push busybox /sdcard/ ./adb push /sdcard
4. Install busybox on the device: ./adb shell cd /sdcard/ sh exit
5. Transfer the required BT5 files to the device: ./adb push fsrw /sdcard/BT5/ ./adb push mountonly /sdcard/BT5/ ./adb push bootbt /sdcard/BT5/ ./adb push bt5.img.gz /sdcard/BT5/ ./adb push unionfs /sdcard/BT5/
6. Uncompress the image and start BT5: ./adb shell su cd /sdcard/BT5 gunzip bt5.img.gz sh bootbt

My internal SDcard is formated as FAT32 and this file system is “required” for the phone to interact with the contents on the sd card.  I have tried formating the internal card with EXT3, EXT4, exFAT and was greeted each time with a “Damaged SD card” message.
Because of this the installation stops when trying to extract the official bt5.img file from the ARM package as it ends up being >5 gigs.  Since there is a 4 gig file limitation on the FAT32  filesystem, we should just give up. Right?

Nope, Lets Try Harder.

I have tried splitting  the bt5.img and resembling on the device which obviously failed.  There is only one thing left to do….
Modify the bt5.img file to fit into 4 gigs.  What can we remove?

  1. Looks like someone over at XDA had the same idea. Therefore,  I am going to revisit this section at a later day on how to manually create the image file.  I started the process, but decided in my end goal for this post was to have a working Backtrack 5 install on my Vibrant.
  2. Since the heavy lifting is done, It’s time to grab the files (or contact me for a mirror) , join them together and place this file into the BT5 directory of our sdcard.
    To join the 3 files from the XDA post together, simply put them all in the same directory and use the cat command to join them: “cat bt.7z.* > bt.7z “
  3. Extract the joined bt.7z file
  4. Rename bt.img to bt5.img and grab on that file and move it to your sd cards’s BT5 directory.

This is what you should end up with in your phones BT5 directory.

Starting BackTrack 5
Once all the files have been transfered, test the installation by trying to start Backtrack from terminal emulator.

If all goes well, you’ll be in the BT5 chroot:# sh bootbtnet.ipv4.ip_forward = 1root@localhost:/
# ls /pentest/backdoors  database   exploits   passwords  scanners stressing  voipcisco  enumeration  forensics  python     sniffers  tunneling  webroot@localhost:/#

3. ???? (or is this one profit?)

4. VNC

Here is the fun part, sure the shell is pretty to look at however I want a gui to interact with.
Note: Prior to starting the VNC server, you MUST perform this step to alter the screen resolution to match your device by modifying the /usr/bin/startvnc file.

If you do not alter the geometry you may encounter the error below.

I modified /usr/bin/startvnc by starting an SSH daemon on my phone and doing the work from a computer.

1. Start the VNC server running on the BT5 phone install.

2. Check the VNC log! BT5 is listening on 5901. Then click connect.

3. Welcome to Backtrack 5!

At the beginning of April  I tweeted: “Wouldn’t this just bring tears to your eyes if it was true? #metasploitonandroid ” , and now its true. <tear>
Huge thanks to the backtrack team for providing an Android version of  Backtrack.  Great work!
Special thanks to : anantshri at XDA for the advice and doing the hard work of creating the image files so quickly.  Be sure to check out his other work.
PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31

About the author