# Pixel 7 Pro Discovery Scripts Rooted Pixel 7 Pro (cheetah) device discovery, WiFi capability check, and NetHunter setup. ## Quick Start ### Option 1: Full Discovery (10 sections, saved report) ```bash curl -fsSL https://rig.siren-hake.ts.net/discover.sh | bash -s -- --save ``` ### Option 2: Lean One-Shot (minimal, paste-friendly) ```bash curl -fsSL https://rig.siren-hake.ts.net/lean-discover.sh | bash ``` ### Option 3: Download and review first ```bash curl -fsSL https://rig.siren-hake.ts.net/discover.sh -o ~/discover.sh less ~/discover.sh bash ~/discover.sh --save ``` --- ## lean-discover.sh Minimal discovery — no arguments, no dependencies beyond shell + root. Paste directly into any terminal on the phone. ```bash #!/usr/bin/env bash # ============================================================================ # PIXEL 7 PRO — LEAN ONE-SHOT DISCOVERY # Minimal discovery for quick paste into any terminal on the phone. # ============================================================================ echo "" echo "========================================" echo " PIXEL 7 PRO LEAN DISCOVERY" echo " $(date '+%Y-%m-%d %H:%M:%S')" echo "========================================" echo "" # Detect root R="" if command -v tsu &>/dev/null && tsu -c "id" 2>/dev/null | grep -q root; then R="tsu -c" elif command -v su &>/dev/null && su -c "id" 2>/dev/null | grep -q root; then R="su -c" fi [ -n "$R" ] && echo "[ROOT: $R]" || echo "[NO ROOT]" echo "" echo "=== SYSTEM ===" uname -a getprop ro.build.version.release 2>/dev/null && echo "Android: $(getprop ro.build.version.release)" getprop ro.product.device 2>/dev/null && echo "Device: $(getprop ro.product.device)" getprop ro.product.model 2>/dev/null && echo "Model: $(getprop ro.product.model)" getprop ro.build.display.id 2>/dev/null && echo "Build: $(getprop ro.build.display.id)" getprop ro.boot.slot_suffix 2>/dev/null && echo "Slot: $(getprop ro.boot.slot_suffix)" $R "getenforce" 2>/dev/null && echo "SELinux: $($R "getenforce" 2>/dev/null)" echo "" echo "=== CPU/MEM ===" echo "Cores: $(nproc)" cat /proc/meminfo | grep -E "^(MemTotal|MemAvailable)" echo "" echo "=== NETWORK ===" $R "ip addr show" 2>/dev/null | grep -E "^[0-9]+:|inet " || ip addr show 2>/dev/null | grep -E "^[0-9]+:|inet " $R "ip route show" 2>/dev/null | head -5 echo "" echo "=== WIFI ===" $R "iw dev wlan0 info" 2>/dev/null || echo "[no iw]" $R "iw phy0 info" 2>/dev/null | grep -E "(monitor|managed|AP)" | head -10 || echo "[no phy0 info]" echo "" echo "=== BT ===" $R "hciconfig hci0" 2>/dev/null | head -5 || echo "[no hci0]" echo "" echo "=== USB ===" $R "lsusb" 2>/dev/null | head -10 || echo "[no lsusb]" echo "" echo "=== STORAGE ===" df -h | grep -E "(Filesystem|/dev/)" | head -10 echo "" echo "=== PARTITIONS ===" $R "ls -la /dev/block/by-name/" 2>/dev/null | grep -E "(boot|init_boot|vbmeta|recovery)" | head -10 || echo "[need root]" echo "" echo "=== PROPS ===" for p in ro.build.version.sdk ro.build.type ro.debuggable ro.secure ro.boot.verifiedbootstate ro.boot.vbmeta.device_state ro.hardware.chipname ro.soc.model ro.boot.flash.locked; do v="$(getprop $p 2>/dev/null)" [ -n "$v" ] && echo " $p = $v" done echo "" echo "=== MAGISK ===" $R "magisk --version" 2>/dev/null || echo "[no magisk]" $R "ls /data/adb/modules/" 2>/dev/null | head -10 || echo "[no modules]" echo "" echo "=== DONE ===" echo "Paste this output back to Hermes for analysis." ``` --- ## discover.sh — Full Discovery Script 10-section deep discovery with color output, root detection, and optional `--save` report. ```bash #!/usr/bin/env bash # ============================================================================ # PIXEL 7 PRO DISCOVERY — Full 10-section report # Usage: bash discover.sh [--json] [--save] # --save Save report to ~/discovery/reports/ # ============================================================================ set -uo pipefail SAVE=false JSON=false for arg in "$@"; do case "$arg" in --save) SAVE=true ;; --json) JSON=true ;; esac done if $SAVE; then mkdir -p ~/discovery/reports REPORT=~/discovery/reports/discovery_$(date +%Y%m%d_%H%M%S).txt exec > >(tee "$REPORT") 2>&1 fi R() { echo -e "\033[0;31m$1\033[0m"; } G() { echo -e "\033[0;32m$1\033[0m"; } C() { echo -e "\033[0;36m$1\033[0m"; } Y() { echo -e "\033[1;33m$1\033[0m"; } B() { echo -e "\033[1m$1\033[0m"; } # Detect root method HAS_ROOT=false ROOT_CMD="" if command -v tsu &>/dev/null && tsu -c "id" 2>/dev/null | grep -q root; then HAS_ROOT=true; ROOT_CMD="tsu -c" elif command -v su &>/dev/null && su -c "id" 2>/dev/null | grep -q root; then HAS_ROOT=true; ROOT_CMD="su -c" fi rc() { if $HAS_ROOT; then $ROOT_CMD "$1" 2>/dev/null else echo " [NO ROOT] $1" fi } sep() { echo ""; C "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"; } # 1. SYSTEM IDENTITY echo "" C " ╔══════════════════════════════════════════════╗" C " ║ PIXEL 7 PRO DISCOVERY REPORT ║" C " ║ $(date '+%Y-%m-%d %H:%M:%S') ║" C " ╚══════════════════════════════════════════════╝" echo "" sep; B " 1. SYSTEM IDENTITY"; sep echo " Kernel: $(uname -r)" echo " Arch: $(uname -m)" echo " Hostname: $(uname -n)" echo " Android: $(getprop ro.build.version.release 2>/dev/null || echo 'unknown')" echo " SDK: $(getprop ro.build.version.sdk 2>/dev/null || echo 'unknown')" echo " Build: $(getprop ro.build.display.id 2>/dev/null || echo 'unknown')" echo " Device: $(getprop ro.product.device 2>/dev/null || echo 'unknown')" echo " Model: $(getprop ro.product.model 2>/dev/null || echo 'unknown')" echo " Board: $(getprop ro.product.board 2>/dev/null || echo 'unknown')" echo " Slot: $(getprop ro.boot.slot_suffix 2>/dev/null || echo 'unknown')" echo " Root: $(if $HAS_ROOT; then G "YES ($ROOT_CMD)"; else R "NO"; fi)" echo " Magisk: $(rc "magisk --version" 2>/dev/null || getprop ro.magisk.version 2>/dev/null || echo 'not detected')" echo " SELinux: $(rc "getenforce" 2>/dev/null || cat /sys/fs/selinux/enforce 2>/dev/null || echo 'unknown')" echo " Bootloader: $(rc "getprop ro.boot.verifiedbootstate" 2>/dev/null || echo 'unknown')" # 2. CPU & MEMORY sep; B " 2. CPU & MEMORY"; sep echo " CPU Cores: $(nproc 2>/dev/null || echo '?')" echo " CPU Online: $(cat /sys/devices/system/cpu/online 2>/dev/null || echo '?')" for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq; do [ -f "$i" ] && echo " $(dirname "$i" | xargs basename): $(cat "$i") kHz max" && break done 2>/dev/null echo " SoC:" rc "cat /proc/cpuinfo" 2>/dev/null | grep -E "^(CPU part|Hardware|CPU implementer)" | sort -u | head -5 echo "" echo " Memory:" rc "cat /proc/meminfo" 2>/dev/null | grep -E "^(MemTotal|MemAvailable|SwapTotal|SwapFree)" | while read line; do echo " $line" done # 3. STORAGE & PARTITIONS sep; B " 3. STORAGE & PARTITIONS"; sep echo " Disk Usage:" rc "df -h" 2>/dev/null | grep -E "(Filesystem|/dev/)" | head -15 || df -h 2>/dev/null | head -15 echo "" echo " Key Mounts:" rc "mount" 2>/dev/null | grep -E "(ext4|f2fs|tmpfs|overlay)" | head -10 echo "" echo " Partitions:" rc "ls -la /dev/block/by-name/" 2>/dev/null | head -20 || echo " [blocked without root]" # 4. NETWORK INTERFACES sep; B " 4. NETWORK INTERFACES"; sep echo " Interfaces:" rc "ip link show" 2>/dev/null || ip link show 2>/dev/null | head -20 echo "" echo " IP Addresses:" rc "ip addr show" 2>/dev/null | grep -E "inet " || ip addr show 2>/dev/null | grep -E "inet " echo "" echo " Default Route:" rc "ip route show" 2>/dev/null | head -5 || route -n 2>/dev/null | head -5 echo "" echo " DNS:" cat /etc/resolv.conf 2>/dev/null || getprop net.dns1 2>/dev/null || getprop dhcp.wlan0.dns1 2>/dev/null echo "" echo " ARP Cache:" rc "ip neigh show" 2>/dev/null | head -20 || cat /proc/net/arp 2>/dev/null | head -20 # 5. WIFI DETAIL sep; B " 5. WIFI — BCM4389"; sep echo " WiFi Interface:" rc "iw dev wlan0 info" 2>/dev/null || echo " [iw not available]" echo "" echo " WiFi PHY Capabilities:" PHY_INFO=$(rc "iw phy0 info" 2>/dev/null) if [ -n "$PHY_INFO" ]; then echo "$PHY_INFO" | head -60 echo "" echo " Supported interface modes:" echo "$PHY_INFO" | grep -A20 "supported interface modes" | head -20 echo "" echo " Monitor mode check:" if echo "$PHY_INFO" | grep -q "monitor"; then G " [YES] Monitor mode listed in PHY capabilities" else R " [NO] Monitor mode NOT listed — need external adapter or kernel patch" fi echo "" echo " Channel info:" echo "$PHY_INFO" | grep -E "Frequencies:|\" | head -5 echo "$PHY_INFO" | grep -E "^\s+\*@" | head -15 else echo " [no iw or no root]" fi echo "" echo " WiFi Connection:" rc "iw dev wlan0 link" 2>/dev/null || echo " [not connected or no iw]" echo "" echo " WiFi Scan (neighbor APs):" rc "iw dev wlan0 scan dump" 2>/dev/null | grep -E "(BSS|SSID|signal|freq)" | head -40 || echo " [scan requires root + iw]" echo "" echo " rfkill:" rc "rfkill list" 2>/dev/null || echo " [rfkill not available]" # 6. BLUETOOTH sep; B " 6. BLUETOOTH"; sep echo " HCI Device:" rc "hciconfig hci0" 2>/dev/null || echo " [hciconfig not available or no BT]" echo "" echo " BT Kernel Modules:" rc "lsmod" 2>/dev/null | grep -i blue | head -10 || echo " [lsmod not available]" echo "" echo " Quick BT Scan (5 sec):" rc "hcitool scan" 2>/dev/null | head -20 || echo " [hcitool not available]" # 7. USB sep; B " 7. USB DEVICES"; sep rc "lsusb" 2>/dev/null | head -20 || echo " [lsusb not available]" echo "" echo " USB Device Details:" rc "cat /sys/kernel/debug/usb/devices" 2>/dev/null | grep -E "^(T:|S:|D:|E:)" | head -40 || echo " [/sys/kernel/debug/usb not accessible]" echo "" echo " USB Net Interfaces:" for iface in /sys/class/net/*; do [ -d "$iface/device" ] && echo " $(basename "$iface"): $(readlink "$iface/device/driver" 2>/dev/null || echo 'no driver')" done 2>/dev/null # 8. PROCESSES & SERVICES sep; B " 8. PROCESSES & SERVICES"; sep echo " Top Processes by CPU:" rc "top -b -n1" 2>/dev/null | head -15 || rc "ps -A -o pid,comm,%cpu" 2>/dev/null | head -15 echo "" echo " Network-Related Processes:" rc "ps -A" 2>/dev/null | grep -iE "(wifi|wpa|dhcp|bluetooth|dnsmasq|hostapd|clat|mtp|adb)" | head -20 echo "" echo " Listening Ports:" rc "ss -tlnp" 2>/dev/null | head -20 || rc "netstat -tlnp" 2>/dev/null | head -20 || echo " [ss/netstat not available]" # 9. ANDROID PROPERTIES sep; B " 9. ANDROID PROPERTIES"; sep for prop in \ ro.build.version.release \ ro.build.version.sdk \ ro.build.version.security_patch \ ro.product.cpu.abi \ ro.hardware.chipname \ ro.soc.model \ ro.bootimage.build.fingerprint \ ro.build.type \ ro.debuggable \ ro.secure \ ro.adb.secure \ persist.sys.usb.config \ ro.boot.verifiedbootstate \ ro.boot.vbmeta.device_state \ ro.magisk.version \ init.svc.adbd \ wifi.interface \ ro.bluetooth.hfpclient \ ro.bluetooth.sapclient \ persist.bluetooth.enablenewavrcp \ ; do val=$(getprop "$prop" 2>/dev/null) [ -n "$val" ] && echo " $prop = $val" done # 10. SECURITY & ROOT STATUS sep; B " 10. SECURITY & ROOT STATUS"; sep echo " Bootloader: $(rc "getprop ro.boot.flash.locked" 2>/dev/null || echo 'unknown')" echo " VBMeta: $(rc "getprop ro.boot.vbmeta.device_state" 2>/dev/null || echo 'unknown')" echo " dm-verity: $(rc "getprop ro.boot.verifiedbootstate" 2>/dev/null || echo 'unknown')" echo " SELinux: $(rc "getenforce" 2>/dev/null || echo 'unknown')" echo " Root: $(if $HAS_ROOT; then G "AVAILABLE ($ROOT_CMD)"; else R "NOT AVAILABLE"; fi)" if $HAS_ROOT; then echo "" echo " Magisk Details:" rc "magisk --version" 2>/dev/null && echo "" echo " Magisk Modules:" rc "ls -1 /data/adb/modules/" 2>/dev/null | head -15 || echo " [no modules dir]" echo "" echo " Su Binary:" rc "which su" 2>/dev/null || rc "which /sbin/su" 2>/dev/null || echo " [su not in PATH]" fi # SUMMARY echo "" C "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" B " DISCOVERY COMPLETE" C "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" echo "" echo " Key Findings:" echo " Root: $(if $HAS_ROOT; then G "available"; else R "NOT available"; fi)" echo " WiFi: BCM4389 — check monitor mode result above" echo " BT: check hci0 above" echo " USB: check lsusb above" echo "" if $SAVE; then G " Report saved to: $REPORT" fi echo "" echo " Next Steps:" echo " 1. Review monitor mode status — if NO, plan for external adapter" echo " 2. If root works, run: bash ~/discovery/network-scan.sh" echo " 3. Install NetHunter: see 04-NETHUNTER.md" echo " 4. Set up Termux+Debian: see 07-TERMUX-HERMES-SETUP.md" echo "" ``` --- ## setup-nethunter.sh — Rooting + NetHunter Setup Phases ```bash #!/data/data/com.termux/files/usr/bin/bash # Full setup script — see docs/07-TERMUX-HERMES-SETUP.md for complete walkthrough ``` *(Full content available at `/setup-nethunter.sh`)* --- ## Requirements - **Root**: Magisk v27+ or su access required for full discovery - **Termux**: Install from F-Droid or termux.dev (NOT Play Store) - **Tailscale**: Phone must be on tailnet OR use Funnel URL for public access ## After Discovery Paste the output back to your Hermes instance on rig for analysis. We'll determine: 1. Exact Android 15 build → match factory image for rooting 2. Bootloader state → rooting prerequisites 3. BCM4389 monitor mode → WiFi pentest path 4. Kernel version → NetHunter compatibility