Pixel 9 — Mobile Security Research Setup

#pixel9 #android #rooting #mobile-security #5G #NAS #modem-logging #red-team #setup-guide

📱 Pixel 9 — Mobile Security Research Setup

Legal Notice

This guide is for authorized red team engagements and security research only. Unlocking bootloaders and rooting voids warranty. NAS/protocol testing must be performed within engagement scope and applicable law. Never test against live networks without explicit written authorization.

Hardware Reality Check — Tensor G4 vs Qualcomm

Critical: Pixel 9 Uses Tensor G4, NOT Qualcomm Snapdragon

This changes your toolchain significantly. Many telecom research tools (SCAT, QXDM) target Qualcomm modems only.

graph LR
    subgraph "Pixel 9 — Tensor G4"
        T1["Google Tensor G4 SoC"]
        T2["Samsung Exynos\nModem 5400"]
        T3["Diagnostic: Samsung\nDiag protocol — partial\nSCAT support (limited)"]
    end

    subgraph "Qualcomm Devices (Better for NAS Research)"
        Q1["Snapdragon 8 Gen 3"]
        Q2["Qualcomm X75 Modem"]
        Q3["SCAT full support\nQXDM · QPST · full\nNAS decode"]
    end

    subgraph "Pixel 9 Capabilities"
        C1["✅ Bootloader unlock\nsupported"]
        C2["✅ Magisk root\nfull support"]
        C3["✅ ADB modem\ndiagnostic access"]
        C4["✅ NAS state\nmanipulation via\ncustom RIL/AT cmds"]
        C5["⚠️ Full NAS decode\nlimited vs Qualcomm"]
        C6["✅ UERANSIM\nclient mode\nvia Termux + USB"]
    end

    style T2 fill:#E36209,color:#fff
    style Q3 fill:#1F3864,color:#fff
    style C1 fill:#2E75B6,color:#fff
    style C5 fill:#E36209,color:#fff

Bottom line: Pixel 9 is excellent for app-layer, API, and subscriber-identity testing. For deep NAS packet capture, pair it with a Qualcomm-based second device or use UERANSIM on a laptop connected via the Pixel 9's hotspot.

Setup Flow

flowchart TD
    A["🛒 Start: Pixel 9\nAndroid 15"] --> B["⚙️ Phase 1\nDeveloper Mode &\nADB Setup"]
    B --> C{"Device Type?"}
    C -->|"Telecom-Joined\n(MDM enrolled — this setup)"| D1["🔒 Phase 3\nNo-Root Path\nNetHunter Rootless"]
    C -->|"Clean Device\n(unlocked from Google Store)"| E["🔓 Phase 2\nBootloader Unlock"]
    E --> F["🪄 Phase 3A/B\nMagisk Root\nor GrapheneOS"]
    D1 --> G["📦 Phase 4\nCore Tool Install\nTermux · Frida Rootless · HTTP Toolkit"]
    F --> G
    G --> H["📡 Phase 5\nModem Diagnostic\nSetup"]
    H --> I["🧪 Phase 6\nTesting Validation\n& Capability Check"]

    style A fill:#1F3864,color:#fff
    style C fill:#E36209,color:#fff
    style D1 fill:#2E75B6,color:#fff
    style F fill:#C00000,color:#fff
    style I fill:#2E75B6,color:#fff

Which Path Applies to This Device?

This guide is written for a telecom-joined Pixel 9 (carrier MDM enrolled). The primary path skips bootloader unlock entirely. The Magisk and GrapheneOS paths are documented for reference — they apply to a second, clean unlocked device. See Device Strategy at the end.

Do you need Phase 3 and 3A?

No. Treat them as alternative paths, not sequential required steps.

Situation	Necessary path
This current telecom-joined Pixel 9	Phase 3
Second clean unlocked Pixel for root-only testing	Phase 3A
You only need app testing, ADB telecom inspection, cell info, and non-destructive workflow	Phase 3 only
You need system cert injection, full Frida, full `tcpdump`, or deeper modem access	Add Phase 3A on a separate device

Phase 1 — Developer Mode & ADB

# On Pixel 9:
# Settings → About Phone → Build Number (tap 7x) → Developer Options enabled

# Enable in Developer Options:
# ✅ USB Debugging
# ✅ OEM Unlocking  ← required before bootloader unlock
# ✅ Wireless Debugging (for wireless ADB)

# On your workstation:
adb devices                          # verify device recognized
adb shell getprop ro.product.model   # should return "Pixel 9"
adb shell getprop ro.build.version.release  # Android version
adb shell getprop gsm.version.baseband      # modem firmware version

Phase 2 — Bootloader Unlock

This WIPES the device. Back up everything first.

# Reboot to bootloader
adb reboot bootloader

# Verify fastboot sees device
fastboot devices

# Unlock bootloader (requires OEM unlock enabled in Developer Options)
fastboot flashing unlock

# Device will show warning → use volume keys to confirm → power to accept
# Device wipes and reboots → re-enable Developer Options + USB debugging

Carrier-Locked Pixels

If purchased from a carrier (Verizon, AT&T, T-Mobile), OEM unlock may be grayed out for 60-180 days or permanently disabled. Always buy unlocked directly from Google Store for research devices.

Phase 3 — No-Root Path (Telecom-Joined Device — This Setup)

Do NOT Unlock the Bootloader on This Device

This Pixel 9 is carrier MDM-enrolled. Bootloader unlock triggers Play Integrity failure → MDM detects it and may wipe/lock the device. You also lose the carrier SIM binding that makes this device valuable. Verify MDM status first.

Necessity

Phase 3 is the necessary path for the current telecom-joined device. If this is the handset you are actually carrying into an engagement, stop here and build your workflow around the no-root path.

# Check if OEM unlock is available:
# Settings → Developer Options → OEM Unlocking
# If GREYED OUT → MDM is active. Stop here. Use the no-root path.

# Verify MDM enrollment:
adb shell dumpsys device_policy | grep -i "admin\|mdm\|enrolled"
adb shell pm list packages | grep -i "mdm\|dpc\|enterprise"

NetHunter Rootless — Kali Tools Without Any OS Change

# NetHunter Rootless runs a full Kali chroot inside Termux — no root needed.
# Official guide: https://www.kali.org/docs/nethunter/nethunter-rootless/

# Step 1: Install Termux from F-Droid (NOT Google Play)
# Step 2: Install NetHunter Store APK from:
#   https://store.nethunter.com/
# Step 3: From NetHunter Store → install:
#   • Kali NetHunter App
#   • KeX (Kali desktop if needed)
# Step 4: Open NetHunter app → install Kali chroot (rootfs download ~1GB)

# You now have a full Kali CLI:
# kali   ← launches Kali shell in NetHunter app
# Inside Kali: apt install <any-kali-tool>

Capability map — no-root Pixel 9:

Capability	Available	Method
Kali toolchain	✅	NetHunter Rootless chroot
ADB modem diagnostics	✅	`dumpsys telephony`, `dumpsys phone`
Cell info harvesting	✅	NetMonster, `dumpsys telephony.registry`
App-layer MITM	✅ (non-pinned apps)	HTTP Toolkit or Packet Capture VPN app
Frida hooks	⚠️ Limited	Rootless attach (user procs) or frida-gadget APK repack
Burp CA injection	⚠️ User cert only	Works for non-pinned apps; not system store
Network scanning	✅	Termux nmap, tshark
AT command access	⚠️ Partial	ADB shell debug paths
Burp CA → system store	❌	Needs root
Frida on system/carrier apps	❌	Needs root
tcpdump all interfaces	❌	Needs root
Full modem diag port	❌	Needs root

If this is your only device, what do you lose?

If you stay on the safe Phase 3-only path, you do not lose the core value of the phone for telecom research. You still keep:

real carrier / MDM context
genuine SIM and subscriber identity testing
ADB-based telephony inspection
cell information harvesting
non-destructive app-layer interception against easier targets

What you do lose is the deeper root-only layer:

full MITM against pinned or system-trust-only apps
Frida against carrier apps, privileged apps, and system processes without repackaging
full-device packet capture with tcpdump -i any
cleaner modem / diag / AT access
system trust-store injection
easier LSPosed/Xposed-style hooking

Note

Since you only have one device, the practical tradeoff is simple: you keep the authentic carrier handset use case, but give up the destructive or root-heavy research use case unless you later add a second clean unlocked device.

Phase 3A — Magisk Root on Stock Android (Clean Device Only)

Clean Unlocked Device Only

Do NOT attempt this on the telecom-joined Pixel 9. This path is for a second device purchased unlocked directly from the Google Store and never enrolled in a carrier/corporate MDM.

Necessity

Phase 3A is optional. Use it only when you have a separate clean unlocked device and you specifically need root-only capabilities such as system trust-store injection, full Frida coverage, full-interface packet capture, or deeper modem access.

Where `patched_init_boot.img` comes from

You do not download patched_init_boot.img directly.

Use this flow:

Download the official Google Pixel 9 factory image or full OTA for the exact build currently on the phone
Extract the stock init_boot.img from the matching factory image
Copy init_boot.img to the Pixel
Patch it in Magisk
Copy the resulting patched_init_boot.img back to your laptop
Flash that patched image with fastboot

Important

Match the image to your exact current build number from:
adb shell getprop ro.build.fingerprint
or
adb shell getprop ro.build.id

Do not patch a random Pixel 9 image from a different monthly build.

Official sources

Factory images: https://developers.google.com/android/images
Full OTA packages: https://developers.google.com/android/ota

Practical guidance

Easiest path for Magisk boot patching: use the factory image for your exact build, because it gives you a direct route to init_boot.img
OTA path: works too, but often requires extracting from payload.bin, which is more annoying
On modern Pixels such as the Pixel 9 (tokay), Magisk root is obtained by patching init_boot.img, not boot.img

flowchart LR
    A["Download stock\nPixel 9 factory image\nfrom Google"] --> B["Extract init_boot.img\nfrom factory zip"]
    B --> C["Copy init_boot.img\nto Pixel 9 storage"]
    C --> D["Install Magisk APK\non device"]
    D --> E["Magisk → Install\n→ Select init_boot.img\n→ Patch"]
    E --> F["Copy patched_init_boot.img\nback to workstation"]
    F --> G["fastboot flash init_boot_\npatched_init_boot.img"]
    G --> H["✅ Rooted Pixel 9\nStock Android preserved"]

    style H fill:#2E75B6,color:#fff

# On laptop: identify current build first
adb shell getprop ro.build.id
adb shell getprop ro.build.fingerprint
adb shell getprop ro.boot.slot_suffix

# Download the matching official Pixel 9 image from Google
# Then extract init_boot.img from the factory image package

# Copy stock init_boot.img to the phone
adb push init_boot.img /sdcard/Download/

# On the phone:
# Open Magisk → Install → Select and Patch a File → choose /sdcard/Download/init_boot.img
# Magisk writes a patched image, typically under /sdcard/Download/

# List the patched file first; quote the remote wildcard so your local shell does not expand it
adb shell 'ls -lt /sdcard/Download/magisk_patched*.img'

# Pull the exact patched image back to the laptop
adb pull /sdcard/Download/magisk_patched-<id>.img patched_init_boot.img

# Reboot from Android into the bootloader
adb reboot bootloader
fastboot devices

# Flash patched init_boot to the active slot
# Example: if ro.boot.slot_suffix returned _b, flash init_boot_b
fastboot flash init_boot_<slot> patched_init_boot.img
fastboot reboot

# Verify root
adb shell su -c "id"   # should return uid=0(root)

# Recommended Magisk modules for research:
# • MagiskHide / Shamiko       — hide root from banking/telco apps
# • LSPosed                    — Xposed framework for app hooking
# • MoveCA / TrustMeAlready   — inject Burp CA into system store

Unlocks on a rooted clean device:

Full Frida server (persistent, all processes)
Burp CA in system trust store (works against all apps)
tcpdump -i any (capture all interfaces)
Full AT command access to modem (/dev/ttyACM0)
LSPosed hooks on carrier/system apps

Phase 3B — GrapheneOS (Clean Device, OPSEC Focus)

When to Choose GrapheneOS Over Magisk

GrapheneOS is the right call when OPSEC matters more than deep carrier API compatibility — e.g., you're researching what a privacy-hardened device leaks to carrier infrastructure, or you need near-zero telemetry during a physical red team where device seizure is possible. Trade-off: some carrier apps lose deep OS integration (VoLTE auto-config, RCS).

# Install via web installer at grapheneos.org/install/web
# Requires Chrome/Edge with WebUSB support — Pixel 9 is fully supported

# Post-install:
# Settings → System → Developer Options → enable ADB
# Install sandboxed Google Play for carrier app compatibility
# Note: some carrier provisioning flows need native Google Services —
# test per-carrier before using this as primary research platform

GrapheneOS vs Magisk for telecom research:

Factor	Magisk (Stock)	GrapheneOS
RIL / AT command access	✅ Native	✅ Works
Carrier app deep integration	✅ Full	⚠️ Sandboxed
VoLTE / RCS provisioning	✅	⚠️ May require workaround
Telemetry to Google	⚠️ Present	✅ Near-zero
Device seizure OPSEC	⚠️	✅ Strong
Network fingerprint	Standard Pixel	Slightly hardened
Root access	✅ Magisk	⚠️ Root via ADB only

Phase 4 — Core Tool Installation

Where Phase 4 actually happens

Phase 4 is split between your laptop and the Pixel, not done in only one place.

Component	Where you do it
Install desktop tooling like `adb`, `frida-tools`, Burp, HTTP Toolkit, jadx, MobSF helpers	Laptop
Install Termux / NetHunter Rootless / target apps	Pixel 9
Push, pull, inspect packages, and launch workflows	From laptop over ADB
Run on-device CLI tools such as `pkg`, `pip`, `termux-setup-storage`	Inside Termux on the Pixel

Practical answer

Yes — you start Phase 4 from your laptop, but some steps finish on the phone itself.

Use this order:

Laptop: connect ADB and verify the phone.
Pixel: install Termux and any Android-side apps.
Pixel / Termux: install the on-device packages.
Laptop: use ADB, Frida, Burp, or HTTP Toolkit to drive the workflow.

# Laptop side
adb devices
adb shell getprop ro.product.model

# Install APKs from the laptop when needed
adb install termux.apk
adb install httptoolkit.apk

# Open a shell from the laptop
adb shell

# Then, inside Termux on the Pixel, run:
# pkg update && pkg upgrade
# pkg install python3 git curl wget nmap tcpdump openssl tshark netcat-openbsd dnsutils
# pip install scapy requests frida-tools impacket
# termux-setup-storage

Important

Think of Phase 4 as laptop-orchestrated, phone-executed. Your laptop is the control station; the Pixel is where the Android and Termux-side tooling actually lives.

In this setup, keep the persistent Frida tooling on the laptop under ~/Documents/mobility/frida/:

Server binary: ~/Documents/mobility/frida/frida-server
Client CLI: ~/Documents/mobility/frida/venv/bin/frida-ps
Interactive CLI: ~/Documents/mobility/frida/venv/bin/frida

4.1 Termux (Linux Environment on Device)

# Install from F-Droid (NOT Google Play — Play version is outdated)
# https://f-droid.org/packages/com.termux/

# In Termux:
pkg update && pkg upgrade
pkg install python3 git curl wget nmap tcpdump openssl \
            tshark netcat-openbsd dnsutils

# Install Python security libs
pip install scapy requests frida-tools impacket

# Enable Termux storage access
termux-setup-storage

4.2 Frida (Dynamic Instrumentation)

Rootless Mode (Telecom-Joined Device — this setup)

# On workstation:
pip install frida-tools

# Option A: Frida via Termux (rootless — attaches to user processes)
# In Termux:
pkg install python
pip install frida-tools
# Run frida directly in Termux — can attach to own Termux processes
# Cannot attach to system/carrier processes without root

# Option B: Frida Gadget (repackage target APK)
# 1. Pull APK from device:
adb shell pm path com.carrier.app
adb pull /data/app/.../base.apk carrier.apk
# 2. Inject frida-gadget with apk-mitm or objection patcher:
pip install objection
objection patchapk --source carrier.apk
# 3. Install patched APK — Frida connects automatically on launch
# Works without root. Best for targeting specific carrier app.

# Verify (rootless attach):
frida-ps -U   # lists user-accessible processes
frida -U -l bypass-ssl-pinning.js -f com.carrier.app --no-pause

Rooted Mode (Clean Device Only)

# Download frida-server for arm64:
# https://github.com/frida/frida/releases — frida-server-<version>-android-arm64.xz

# Persistent laptop-side paths used in this workflow:
# ~/Documents/mobility/frida/frida-server
# ~/Documents/mobility/frida/venv/bin/frida-ps

adb push frida-server /data/local/tmp/
adb shell su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'

~/Documents/mobility/frida/venv/bin/frida-ps -U   # all processes visible
# Full access: carrier apps, system processes, modem RIL

4.3 SSL Interception — Burp Suite / HTTP Toolkit

Rootless — User Certificate (Telecom-Joined Device — this setup)

# ── Option A: HTTP Toolkit (easiest, no root) ─────────────────────────
# https://httptoolkit.com/android/
# Install HTTP Toolkit app → one-click HTTPS interception
# Auto-injects CA for its own VPN session — works on non-pinned apps
# Best for: REST APIs, non-hardened carrier web views

# ── Option B: Burp as user cert ───────────────────────────────────────
# Export Burp CA cert (.der): Proxy → Options → CA Certificate
openssl x509 -inform DER -in cacert.der -out burp-ca.pem

# Install via Settings → Security → Encryption & Credentials → Install cert
# Installs as USER cert — trusted by apps that respect user cert store
# NOT trusted by apps with network_security_config pinning

# Which apps trust user certs?
# Pull app's network security config:
adb shell run-as com.carrier.app cat /data/data/com.carrier.app/... # varies per app
# Or: jadx decompile and search for network_security_config.xml

Rootless Limitation

User certs do NOT intercept apps that pin certificates or set cleartextTrafficPermitted=false with a custom network security config. For full MITM against hardened carrier apps, you need root (system cert store) or Frida gadget to bypass pinning.

Rooted Path — System Certificate Store (Clean Device Only)

# Export and convert Burp CA:
openssl x509 -inform DER -in cacert.der -out cacert.pem
cert_hash=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
cp cacert.pem ${cert_hash}.0
adb push ${cert_hash}.0 /sdcard/

# Inject into system store (root required):
adb shell su -c "mount -o remount,rw /system"
adb shell su -c "cp /sdcard/${cert_hash}.0 /system/etc/security/cacerts/"
adb shell su -c "chmod 644 /system/etc/security/cacerts/${cert_hash}.0"
adb shell su -c "mount -o remount,ro /system"
adb reboot

# Android 14+: use Magisk module "MoveCA" or "TrustMeAlready" instead
# — avoids remount (bypasses dm-verity issues)

Phase 5 — Modem Diagnostic Setup (Tensor G4)

5.1 Built-in Diagnostic Access

# Engineering menu — field test mode
# Dial on Pixel 9: *#*#4636#*#*
# → Phone Information → Run Ping / Network type override

# ADB modem info dump
adb shell dumpsys telephony.registry
adb shell dumpsys phone
adb shell dumpsys connectivity | grep -i "5G\|NR\|LTE"

# Current cell info
adb shell dumpsys telephony.registry | grep -iE "mcc|mnc|cid|signal|band"

# Force network type (for downgrade testing)
adb shell settings put global preferred_network_mode 0  # GSM only
adb shell settings put global preferred_network_mode 9  # LTE only
adb shell settings put global preferred_network_mode 20 # NR/5G preferred

5.2 Modem Logging — Tensor (Samsung Diag)

# Enable modem logging via hidden menu
# Dial: *#9900# → Sysdump → modem logging

# Or via ADB:
adb shell su -c "setprop persist.vendor.ril.log.diag 1"
adb reboot

# Pull modem logs
adb bugreport /tmp/pixel9_bugreport.zip
unzip /tmp/pixel9_bugreport.zip -d /tmp/bugreport/
# Look in: FS/data/vendor/radio/ for modem logs

# Parse with:
# • Wireshark (with NAS dissector) for protocol analysis
# • Samsung Modem Log Analyzer (limited public availability)

5.3 SCAT on Tensor (Limited Support)

SCAT Compatibility Note

SCAT (Smartphone Communication Analysis Tool from Seoul National University) has partial Tensor/Samsung modem support. Full NAS decode works better on Qualcomm devices.

# SCAT repo: https://github.com/fgsect/scat
pip3 install scat

# Try Samsung diag mode
scat -t samsung -a /dev/ttyUSB0 -D samsung -F output_dir/

# If modem exposes serial diag interface:
adb shell ls /dev/ttyUSB* /dev/smd*   # look for diag port

5.4 Better NAS Capture — Laptop + Pixel 9 Hotspot

flowchart LR
    PIX["📱 Pixel 9\n(Subscriber UE)\nReal SIM"] -->|"Mobile Hotspot"| LAP["💻 Laptop\nUERANSIM client\nor packet capture"]
    LAP -->|"Wireshark capture\non hotspot interface"| CAP["NAS/GTP\nprotocol analysis"]
    PIX -->|"ADB bridge"| LAP

    style PIX fill:#2E75B6,color:#fff
    style CAP fill:#1F3864,color:#fff

# On laptop — capture Pixel 9 hotspot traffic
# Find hotspot interface
ip link show | grep -i usb  # USB tethering interface

# Wireshark with NAS dissector
tshark -i <hotspot_if> -f "not port 22" -w pixel9_capture.pcapng

# For NAS decode — filter in Wireshark:
# nas-5gs   (5G NAS messages)
# nas-eps   (4G/LTE NAS messages)
# gtpv2     (GTP-C control plane)

Phase 6 — Testing Capabilities Matrix

graph TD
    subgraph "✅ Pixel 9 Can Do Well"
        G1["App-layer MITM\nBurp + cert pinning bypass"]
        G2["Subscriber identity\ntesting (IMSI/IMEI)\nvia AT commands"]
        G3["Network type forcing\n5G SA / NSA / LTE / 3G"]
        G4["Cell info harvesting\nMCC/MNC/CID/Band/RSRP"]
        G5["VoLTE/IMS testing\nSIP stack probing"]
        G6["API testing\nNEF/BSS via apps"]
        G7["Carrier app reversing\nFrida hooks"]
        G8["eSIM RSP probing\nSM-DP+ requests"]
    end

    subgraph "⚠️ Pixel 9 — Limited / Workaround Needed"
        W1["Full NAS decode\nUse Qualcomm device\nor UERANSIM on laptop"]
        W2["Deep modem logging\nSCAT partial only"]
        W3["Rogue gNB simulation\nNeed srsRAN on laptop\n+ RF hardware"]
    end

    subgraph "❌ Pixel 9 Cannot Do"
        B1["QXDM / QPST logging\nQualcomm-only"]
        B2["Run srsRAN gNB\nneeds RF hardware"]
    end

    style G1 fill:#2E75B6,color:#fff
    style G2 fill:#2E75B6,color:#fff
    style G3 fill:#2E75B6,color:#fff
    style W1 fill:#E36209,color:#fff
    style B1 fill:#C00000,color:#fff

AT Command Access — Modem Control

# Find modem AT port
adb shell su -c "ls /dev/ttyACM* /dev/ttyUSB* /dev/smd*"

# Connect to modem AT interface (via Termux with root)
# In Termux:
su
cat /dev/ttyACM0 &
echo "AT" > /dev/ttyACM0       # basic test
echo "AT+CIMI" > /dev/ttyACM0  # read IMSI
echo "AT+CGSN" > /dev/ttyACM0  # read IMEI
echo "AT+COPS?" > /dev/ttyACM0 # current operator
echo "AT+CEREG?" > /dev/ttyACM0 # LTE/NR registration status

# Force RAT (Radio Access Technology)
echo "AT+CNMP=38" > /dev/ttyACM0   # LTE only
echo "AT+CNMP=109" > /dev/ttyACM0  # 5G NR preferred
echo "AT+CNMP=2" > /dev/ttyACM0    # automatic

# Supplementary services (for testing SS registration)
echo "AT+CCFC=0,2" > /dev/ttyACM0  # query call forwarding

Key Apps for Mobile Security Research

App	Source	Purpose
CellMapper	Play Store / cellmapper.net	Live tower map, PCI/eNB/gNB correlation, crowdsourced site lookup
NetMonster	Play Store	Detailed cell info: band, EARFCN, ARFCN, NR-ARFCN, CID
Network Cell Info	Play Store	Signal maps, neighboring cells
Network Survey	F-Droid / GitHub	Detailed LTE/NR logging, exports CSV/GeoPackage, good for field collection
Tower Collector	F-Droid / GitHub	Collect and export GSM/UMTS/LTE/NR cell observations for OpenCellID/BeaconDB
IMSI Tool	Termux/ADB	Read IMSI/ICCID from SIM
Packet Capture	Play Store	No-root traffic capture (VPN-based)
HTTP Toolkit	httptoolkit.com	HTTPS intercept, cert pinning bypass
jadx	GitHub	APK decompile (run on laptop, APKs from device)
Drozer	GitHub	Android app attack framework
MobSF	GitHub	Mobile Security Framework (static+dynamic)
Termux:API	F-Droid	Bridge Termux to Android APIs
RootBeer Sample	GitHub	Test root detection bypass