TL;DR
Table of Contents
- Connect an Android device to a Linux machine and manage Wi-Fi purely from a terminal.
- Enable Wi-Fi, start scans, view hidden SSIDs, and list saved profiles—all without touching the screen.
- Join a hidden or WPA-protected network, even one that the device never saw before.
- Create a temporary hotspot from a USB-connected alpha adapter and let the Android device hop onto it.
- Wrap everything in a bash script and run it in a single shot.
Why this matters
When you’re on a penetration-testing mission, a GUI can be a pain. A single USB cable, a terminal, and a handful of commands give you full control of the device’s network stack. It lets you discover rogue APs, spot hidden Wi-Fi, and test how the device behaves when you force a scan even when the radio is off. For mobile security researchers and Linux enthusiasts alike, ADB Wi-Fi commands are the Swiss-army knife of device networking.
I’ve spent months hunting for a lightweight way to pull Wi-Fi data from a device without rooting it. The native Android framework exposes a CMD Wi-Fi API that, when driven through ADB, can do everything from toggling the radio to enumerating every SSID in the air. The best part? No root, no custom ROM, just a USB cable and a Linux shell.
Core concepts
ADB (Android Debug Bridge) is a versatile bridge that lets a host machine issue shell commands on a device. The command adb shell hands you an interactive shell that runs as the shell user. Inside that shell you can query or set system properties, run native binaries, and even call hidden APIs through the CMD service.
The Wi-Fi service lives behind the CMD Wi-Fi command. Think of it as a command-line wrapper around the Android Wi-Fi framework. It understands verbs like status, set, get, start, list-scan-results, and connect-network. Each verb maps to a specific framework call, and the output is a plain-text JSON-ish blob that you can parse.
“ADB can be installed on Kali Linux with sudo apt install adb” Kali Linux ADB Package. “The device must have USB debugging enabled” Android ADB Official Docs. “The Wi-Fi service is accessed via adb shell CMD Wi-Fi” Android WifiManager Docs.
You don’t need a full Android SDK; the minimal ADB binaries are enough.
How to apply it
1. Prepare the host
# Install ADB
sudo apt install adb
# Verify the binary
which adb
adb --version
adb devices should list your device, e.g., 0123456789abcdef device.
If the device shows unauthorized, pull the USB cable, go to Settings → About phone, tap Build number seven times, then re-enable USB debugging from the Developer options screen. A prompt will ask you to authorize the host’s RSA key; tap Allow.
2. Verify you’re on a shell
adb shell
You should see a prompt ending in $. Type whoami → shell. Type id → uid=2000(shell) gid=2000(shell) groups=2000(shell).
3. Check Wi-Fi status
adb shell CMD Wi-Fi status
Typical output:
wifi-enabled=true
scan-always-available=false
country-code=US
If wifi-enabled=false, the radio is off. Let’s turn it on.
4. Enable Wi-Fi
adb shell CMD Wi-Fi set -wifi-enabled enabled
adb shell CMD Wi-Fi status
You should now see wifi-enabled=true. A short pause (≈1–2 s) gives the device time to spin up the radio.
5. Get the country code
The regulatory domain controls which channels are legal.
adb shell CMD Wi-Fi get -country-code
You’ll see country-code=US. If you’re operating in a different region, change it:
adb shell CMD Wi-Fi set -country-code CN
6. Trigger a scan
adb shell CMD Wi-Fi start -scan
echo $?
0 means the command accepted the request. Scans take a few seconds; the device will send probe requests on all enabled bands.
7. List scan results
adb shell CMD Wi-Fi list-scan-results
Output is a series of JSON objects:
{
\"bssid\":\"02:12:22:44:55:66\",
\"ssid\":\"CoffeeShop\",
\"frequency\":2412,
\"rssi\":-45,
\"flags\":[\"WPA2-PSK\"]
}
You can pipe the output through jq to pretty-print or grep for specific SSIDs.
8. Connect to a hidden network
Hidden SSIDs don’t broadcast; you need to supply the SSID and a pre-shared key.
adb shell CMD Wi-Fi connect-network \
-ssid MyHiddenNet \
-pre-shared-key secret123 \
-network-id 1
If the network ID is unknown, list saved profiles first:
adb shell CMD Wi-Fi list-networks
Then use the ID from the output in the connect command.
9. Manage scan-always-available
When scan-always-available=true, the device continues to probe even if Wi-Fi is off. This can leak location info.
adb shell CMD Wi-Fi set -scan-always-available disabled
You can verify with adb shell CMD Wi-Fi status.
10. Create a hotspot from an alpha adapter
On the host, create a software hotspot that the Android device can join.
sudo nmcli device wifi hotspot ifname wlan1 ssid \"FreshForensics\" password \"password123\"
The nmcli command uses the alpha adapter’s interface wlan1. On the Android side, connect:
adb shell CMD Wi-Fi connect-network -ssid FreshForensics -pre-shared-key password123 -network-id 2
The device will now show IP address: 192.168.50.2. You can ping the host or run adb shell ip addr show to confirm.
11. Forget a network
After testing, clean up:
adb shell CMD Wi-Fi forget-network -network-id 2
12. Automate with a script
#!/usr/bin/env bash
adb shell CMD Wi-Fi set -wifi-enabled enabled
adb shell CMD Wi-Fi start -scan
adb shell CMD Wi-Fi list-scan-results > scan.txt
adb shell CMD Wi-Fi set -scan-always-available disabled
Make it executable (chmod +x wifi.sh) and run whenever you need a fresh scan.
A quick table of the most common ADB Wi-Fi commands
| Command | Use Case | Limitation |
|---|---|---|
| CMD Wi-Fi set -wifi-enabled enabled | Turn the radio on or off from a script | Requires USB debugging; device may prompt for permission |
| CMD Wi-Fi start -scan | Trigger a full 2.4 GHz / 5 GHz scan | Wi-Fi must be enabled; scan duration is device-dependent |
| CMD Wi-Fi connect-network | Join a known or hidden SSID | Needs correct credentials; network ID may be required |
Pitfalls & edge cases
Root vs. non-root: Most CMD Wi-Fi verbs work as the shell user, so you don’t need root. Commands that manipulate BSSID targeting or lower-level radios do, however, and will fail with “Permission denied”.
Scanning while Wi-Fi is off: Enabling scan-always-available lets the device probe for networks even when the radio is off. That can betray your location and is a privacy risk. Keep it disabled unless you’re doing a covert reconnaissance mission.
USB debugging security: Leaving USB debugging enabled opens a direct shell to the device. After you’re done, run adb shell settings put global development_settings_enabled 0 or simply disable the toggle in Settings. You can also revoke the host’s RSA key via Settings → Developer options → Revoke USB debugging authorizations.
Hidden network quirks: Some Android builds reject hidden SSIDs if the SSID is longer than 32 characters or contains non-ASCII bytes. The CMD Wi-Fi API will return -1 and print an error. In that case, try connecting from a rooted shell or use the Android UI.
WPA3 support: The CMD Wi-Fi API only exposes WPA2-PSK fields in its output. If your device supports WPA3, you’ll still need to pass the same pre-shared key; the framework handles the negotiation behind the scenes.
Compatibility: On very old Android versions (pre-6.0), the CMD Wi-Fi command may not exist. The API was introduced in Android 6.0 Lollipop. If you’re on an older device, you’ll need to use the legacy svc wifi commands or a custom script.
Quick FAQ
Q: Can I use ADB Wi-Fi commands without root? A: Yes. The majority of CMD Wi-Fi verbs run as the shell user. Only advanced functions that tweak BSSID targeting require root.
Q: What happens if I enable scan-always-available while Wi-Fi is off? A: The device will still emit probe requests, revealing its presence. Use it sparingly and turn it off afterward.
Q: How do I protect the device after using ADB Wi-Fi commands? A: Disable USB debugging, revoke host keys, and forget any temporary network profiles you added.
Q: Can I connect to WPA3 networks via ADB? A: The CMD Wi-Fi API passes the pre-shared key; WPA3 is handled by the framework, so you can connect just like WPA2.
Q: Is it safe to keep the USB cable connected after operations? A: As long as USB debugging is off, the cable is just a data link. It poses minimal risk.
Q: How can I automate all steps? A: Write a bash script that calls the commands in sequence, checks exit codes (echo $?), and logs output. Run it with ./wifi.sh.
Conclusion
ADB Wi-Fi commands give you a lightweight, cross-platform way to interrogate and control an Android device’s network stack. For penetration testers, it means you can silently gather Wi-Fi information, join hidden networks, and spin up your own hotspot—all from a terminal. For security researchers, it offers a repeatable, scriptable workflow that doesn’t require rooting or a custom ROM.
Who should use this? If you’re a Linux user with a USB cable and an Android device that supports USB debugging, you’re set. If your device is locked down by a vendor that disables ADB, or if you’re on a platform that doesn’t expose CMD Wi-Fi (pre-Lollipop Android), you’ll hit a wall. In those cases, a rooted or custom-ROM solution is the only path.
Take the steps above, experiment, and write your own scripts. The network layer is your playground, and with ADB Wi-Fi commands you can paint any picture you need.
References
- Android ADB Official Docs: https://developer.android.com/studio/command-line/adb
- Android WifiManager Docs: https://developer.android.com/reference/android/hardware/wifi/WifiManager
- Kali Linux ADB Package: https://packages.kali.org/kali/adb
- Linux nmcli Documentation: https://manpages.ubuntu.com/manpages/focal/man1/nmcli.1.html
