Setting Up Pixel 8/9 for Android App Reversing and Mobile Security Testing

2026-01-22T00:00:00+00:00

This post aims to serve as a guide on how to set a Pixel device up for Android security testing. I’ve tested this on both the Pixel 8 and the Pixel 9. The steps are identical for both.

This covers flashing stock Pixel OS, rooting with Magisk, and getting Burp Suite working for traffic interception.

Prerequisites

Pixel 8 (codename: shiba) or Pixel 9 (codename: tokay)
Ubuntu 22.04 (or similar Linux distro)
USB cable
adb and fastboot installed: sudo apt install android-tools-adb android-tools-fastboot

Step 1: Download Factory Image

Get the latest factory image from https://developers.google.com/android/images

Pixel 8: look for shiba
Pixel 9: look for tokay

Google factory images are named like shiba-bp4a.251205.006-factory-*.zip. Don’t confuse with GrapheneOS images which use format shiba-install-*.zip.

Step 2: Enable Developer Options and OEM Unlocking

On the phone:

Settings → About phone → tap “Build number” 7 times to enable Developer Options
Settings → System → Developer options → USB debugging → ON
Settings → System → Developer options → OEM unlocking → ON

Note: If OEM unlocking is greyed out, connect to WiFi/mobile data and wait ~24 hours (Google’s anti-theft measure).

Step 3: Extract Factory Image

cd ~/Downloads
unzip shiba-*.zip  # or tokay-*.zip for Pixel 9
cd shiba-*         # or tokay-* for Pixel 9

For Pixel 8, extract the inner image zip:

unzip image-shiba-*.zip

For Pixel 9, the images come extracted already.

Make the flash script executable:

chmod +x flash-all.sh

Step 4: Unlock Bootloader and Flash

Reboot into fastboot mode using the hardware buttons (Power + Volume Down), then:

fastboot flashing unlock

Confirm on device with volume keys + power. This wipes everything.

Once back at fastboot:

fastboot devices
./flash-all.sh

Do not re-lock the bootloader since we need it unlocked for Magisk.

Step 5: Post-Flash Setup

After the phone boots:

Skip through initial setup
Re-enable Developer Options (tap Build number 7 times)
Re-enable USB Debugging

Step 6: Install Magisk

Magisk is a systemless root solution that modifies the boot image to provide root access while passing SafetyNet checks. It allows installing modules that modify the system without actually touching the system partition.

Download the latest Magisk APK from https://github.com/topjohnwu/Magisk/releases

adb install Magisk-*.apk

Allow notifications when prompted. Useful for superuser prompts.

Step 7: Patch init_boot Image

Important: Pixel 8 on Android 13+ uses init_boot.img for the ramdisk, not boot.img.

Push the init_boot image to the phone:

adb push init_boot.img /sdcard/Download/

On the phone:

Open Magisk app
Tap Install
Select Select and Patch a File
Navigate to Downloads and select init_boot.img

Note: You can also extract boot.img from a rooted device using dd, but for fresh installs use the init_boot.img from the factory zip. Just make sure it matches your flashed version.

Step 8: Flash Patched Image

List the patched file:

ls /sdcard/Download/

Pull it:

adb pull /sdcard/Download/magisk_patched-*.img .

You can test by booting the image directly without flashing:

adb reboot bootloader
fastboot boot magisk_patched-*.img

If Magisk shows as installed, flash it permanently:

adb reboot bootloader
fastboot flash init_boot magisk_patched-*.img
fastboot reboot

Step 9: Verify Root

adb shell
su

You should see a superuser prompt on the phone. Grant access and you’ll have a root shell.

Step 10: Configure Magisk

In Magisk app, go to Settings and configure:

Zygisk → ON (enables code injection into apps, needed for DenyList)
Enable Zygisk DenyList (hide root from specific apps)
Enable DNS over HTTPS
Hide the Magisk app → enter a custom name → add shortcut icon when prompted

Reboot the phone. After reboot, verify Zygisk shows Yes in Magisk home screen.

Step 11: Install Burp CA Certificate

Android 14+ has read-only system partitions protected by dm-verity. We’ll use a Magisk module to install the CA cert as a system certificate.

Export Burp Certificate

In Burp Suite: Proxy → Proxy settings → Import/Export CA Certificate → Export → Certificate in DER format → save as cacert.der

Convert and Hash the Certificate

openssl x509 -inform DER -in cacert.der -out cacert.pem
hash=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
mv cacert.pem $hash.0

Install MagiskTrustUserCerts Module

Download from https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases

adb push MagiskTrustUserCerts.zip /sdcard/Download/

In Magisk app: Modules → Install from storage → select the zip → reboot

Install Certificate as User Cert

adb push $hash.0 /sdcard/Download/

On phone: Settings → Security & Privacy → More security settings → Encryption & credentials → Install a certificate → CA certificate → Install anyway → select your .0 file from Downloads

Reboot the phone. The MagiskTrustUserCerts module will promote the user certificate to system trust.

Step 12: Configure Proxy

Option A: WiFi Proxy

On phone: Settings → Network & internet → Internet → tap your WiFi network → Edit → Advanced options → Proxy → Manual

Set proxy hostname to your Burp machine’s IP and port 8080.

Option B: ADB Reverse (for VM setups)

If Burp is running in a VM, redirect USB to the VM first:

QEMU/virt-manager: Virtual Machine → Redirect USB device → select Pixel
VirtualBox/VMware: Configure USB passthrough in VM settings

Stop adb on host first if running:

adb kill-server

In the VM:

adb devices
adb reverse tcp:8080 tcp:8080

On phone, set proxy to 127.0.0.1:8080.

Important: Disable any VPN on the phone. VPN overrides proxy settings.

Step 13: Test

Open browser on phone. Traffic should appear in Burp’s HTTP history.

Troubleshooting

Magisk shows “N/A” after flashing: Make sure you’re flashing init_boot not boot on Pixel 8
Can’t remount system: Android 14+ uses dm-verity, use Magisk modules instead
No traffic in Burp: Check VPN is disabled, proxy settings are correct, and Burp is bound to all interfaces (0.0.0.0)
Certificate not trusted: Ensure MagiskTrustUserCerts module is installed and phone was rebooted

Berk Cem Göksel