github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/linux/setup_linux-host_android-device_arm-kernel.md

# Setup: Linux host, Android device, arm32/64 kernel

**Note: fuzzing the kernel on a real Android device may brick it.**

This document details the steps involved in setting up a syzkaller instance fuzzing an `arm32/64` Linux kernel on an Android device.

Some features of syzkaller may not yet work properly on `arm32`. For example, not all debugging and test coverage features are available in the Linux kernel for `arm32`, limiting the efficacy of syzkaller in finding bugs fast.

These steps were tested on an NXP Pico-Pi-IMX7D following the instructions [here](https://developer.android.com/things/hardware/developer-kits.html).

You may find additional details in syzkaller's `adb` vm implementation [here](/vm/adb/adb.go).

## Device setup

Follow the instructions for your board to install Android and make sure the device boots properly.

Set up the adb bridge so that `adb` and `fastboot` work.

Set up a serial port, following the instructions for your device, so that you can monitor kernel log messages. On Android-based boards the serial port is typically exposed as a USB (or some custom) port, or over GPIO pins. On phones you can use an Android Serial Cable or [Suzy-Q](https://chromium.googlesource.com/chromiumos/platform/ec/+/master/docs/case_closed_debugging.md). syzkaller can work without a dedicated serial port as well (by falling back to `adb shell dmesg -w`), but that is unreliable and turns lots of crashes into "lost connection to test machine" crashes with no additional info.

Get the proper compiler toolchain for your device.

Recompile and reinstall the Linux kernel with the [debugging kernel options](https://github.com/xairy/syzkaller/blob/up-docs/docs/linux/kernel_configs.md) available on your board. You might benefit from backporting KCOV or KASAN patches.

## Building syzkaller

Get syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller).

Then build it for either the `arm` or the `arm64` target architecture, depending on the device you're using.

``` bash
make TARGETOS=linux TARGETARCH=arm
```

``` bash
make TARGETOS=linux TARGETARCH=arm64
```

If your device has the old Android `/dev/ion` driver (kernel <= 3.18), copy the old `/dev/ion` descriptions before building syzkaller:

``` bash
cp sys/android/* sys/linux
```

## Manager config

Create a manager config `android.cfg`:

```
{
	"target": "linux/arm",
	"http": "127.0.0.1:56741",
	"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
	"kernel_obj": "$KERNEL",
	"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
	"cover": true,
	"type": "adb",
	"vm": {
		"devices": [$DEVICES],
		"battery_check": true
	}
}
```

Replace the variables `$GOPATH`, `$KERNEL` (path to the kernel build directory), and `$DEVICES` (the device ID for your board as reported by `adb devices`, e.g. `ABCD000010`) with their actual values.

For `arm64` use `"target": "linux/arm64"`.

If your kernel doesn't support coverage collection (e.g. `arm32` without KCOV patches), set `"cover": false`.

Turn off `battery_check` if your device doesn't have a battery service; see the comment [here](/vm/adb/adb.go) for details.

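The config above has to be filled in by hand for each board. The following script is an added example, not part of the syzkaller docs or the syzkaller tree: it turns the output of `adb devices` into the `"devices"` array (keeping only entries in the `device` state, since `unauthorized` or `offline` devices would only surface later as lost connections) and emits an `android.cfg` with the target, coverage and battery settings chosen per the notes above. The device IDs in `SAMPLE_ADB_DEVICES` are constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not syzkaller's own code): generate android.cfg from
# `adb devices` output plus the values the page asks you to substitute.

# parse_adb_devices: read `adb devices` output on stdin and print the body of
# a JSON array, e.g. "ABCD000010","EFGH000020". The header line is skipped and
# only devices whose state is "device" are kept (unauthorized/offline devices
# are dropped so syz-manager does not try to use them).
parse_adb_devices() {
    awk 'NR > 1 && $2 == "device" { if (out != "") out = out ","; out = out "\"" $1 "\"" }
         END { printf "%s", out }'
}

# gen_android_cfg ARCH GOPATH KERNEL_OBJ DEVICES COVER BATTERY_CHECK
#   ARCH          arm or arm64 (becomes "target": "linux/<arch>")
#   GOPATH        your GOPATH; workdir and syzkaller paths are derived from it
#   KERNEL_OBJ    path to the kernel build directory
#   DEVICES       array body as produced by parse_adb_devices
#   COVER         true, or false for kernels without KCOV
#   BATTERY_CHECK true, or false for devices without a battery service
gen_android_cfg() {
    arch="$1"; gopath="$2"; kernel="$3"; devices="$4"; cover="$5"; battery="$6"
    case "$arch" in
        arm|arm64) ;;
        *) echo "unsupported arch: $arch (expected arm or arm64)" >&2; return 1 ;;
    esac
    case "$cover/$battery" in
        true/true|true/false|false/true|false/false) ;;
        *) echo "cover and battery_check must be true or false" >&2; return 1 ;;
    esac
    [ -n "$devices" ] || { echo "no devices in 'device' state" >&2; return 1; }
    cat <<EOF
{
	"target": "linux/$arch",
	"http": "127.0.0.1:56741",
	"workdir": "$gopath/src/github.com/google/syzkaller/workdir",
	"kernel_obj": "$kernel",
	"syzkaller": "$gopath/src/github.com/google/syzkaller",
	"cover": $cover,
	"type": "adb",
	"vm": {
		"devices": [$devices],
		"battery_check": $battery
	}
}
EOF
}

# Constructed sample of `adb devices` output (not captured from a real board).
# The second device is unauthorized and must not end up in the config.
SAMPLE_ADB_DEVICES='List of devices attached
ABCD000010	device
EFGH000020	unauthorized
'

# Demo on the constructed sample. Against a real board you would run:
#   adb devices | parse_adb_devices
devs=$(printf '%s' "$SAMPLE_ADB_DEVICES" | parse_adb_devices)
gen_android_cfg arm64 "${GOPATH:-/tmp/go}" /tmp/kernel-build "$devs" true true
```

Redirect the output to `android.cfg` and pass `cover=false` for an `arm32` kernel without KCOV, or `battery_check=false` for a board without a battery service, exactly as the notes above describe.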
## Running syzkaller

Run the syzkaller manager:

``` bash
./bin/syz-manager -config=android.cfg
```

Now syzkaller should be running; you can check the manager status with your web browser at `127.0.0.1:56741`.

If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.

Also see [this page](/docs/troubleshooting.md) for troubleshooting tips, and [Building a Pixel kernel with KASAN+KCOV](https://source.android.com/devices/tech/debug/kasan-kcov) or [Building a PH-1 kernel with KASAN+KCOV](https://github.com/EssentialOpenSource/kernel-manifest/blob/master/README.md) for kernel build/boot instructions.
    84  
    85  Also see [this page](/docs/troubleshooting.md) for troubleshooting tips and [Building a Pixel kernel with KASAN+KCOV](https://source.android.com/devices/tech/debug/kasan-kcov) or [Building a PH-1 kernel with KASAN+KCOV](https://github.com/EssentialOpenSource/kernel-manifest/blob/master/README.md) for kernel build/boot instructions.