1# Setup: Ubuntu host, arm32 kernel on an Android device 2 3This document will detail the steps involved in setting up a syzkaller instance fuzzing an ARM32 linux kernel on an Android (or Android Things) device. This is a work-in-progress at this time and being provided to spur further development. Some features of syzkaller may not yet work on ARM32. For example, not all debugging and test coverage features are available in the Linux kernel for ARM32, limiting the efficacy of syskaller in finding bugs fast. These instructions help set up syzkaller to be a basic fuzzer that does not rely on test coverage data from the kernel. 4 5## Install Android and Linux kernel on an ARM32 device 6 7Follow the instructions for the ARM32 board to install Android or 8Android Things and make sure the device boots properly. 9 10Set up the adb bridge so that adb and fastboot work. 11 12Setup a serial port, following the instructions for your board so that you can monitor any messages from the kernel. 13 14These were tested on an NXP Pico-Pi-IMX7D following the instructions [here](https://developer.android.com/things/hardware/developer-kits.html). 15 16If feasible, recompile and reinstall the Linux kernel with any debugging options available on your board. 17 18## Install Go 19 20Install Go as follows: 21``` bash 22wget https://storage.googleapis.com/golang/go1.9.2.linux-amd64.tar.gz 23tar -xf go1.9.2.linux-amd64.tar.gz 24export PATH=`pwd`/go/bin:$PATH 25mkdir gopath 26export GOPATH=`pwd`/gopath 27``` 28 29## Build syzkaller code 30 31### Initialize a working directory and set up environment variables 32 33Create a working directory. Also make sure GOROOT, GOPATH are defined and exported as instructed earlier. 34 35``` bash 36go get -u -d github.com/google/syzkaller/... 37cd gopath/src/github.com/google/syzkaller/ 38mkdir workdir 39``` 40 41### Build syzkaller executables 42 43Run make. 44``` 45make TARGETOS=linux TARGETARCH=arm 46``` 47 48### Create a manager configuration file 49 50Create a manager config myboard.cfg, replacing the environment 51variables `$GOPATH`, `$KERNEL` (path to kernel build dir for the ARM32 board), and `$DEVICES` (the device ID for your board as reported by adb devices) with their actual values. Change any other flags as needed for your ARM board. 52``` 53{ 54 "target": "linux/arm", 55 "http": "127.0.0.1:56741", 56 "workdir": "$GOPATH/src/github.com/google/syzkaller/workdir", 57 "kernel_obj": "$KERNEL", 58 "syzkaller": "$GOPATH/src/github.com/google/syzkaller", 59 "sandbox": none, 60 "procs": 1, 61 "type": "adb", 62 "cover": false, 63 "vm": { 64 "devices": [$DEVICES], 65 "battery_check": false 66 } 67} 68``` 69 70Run syzkaller manager: 71``` bash 72./bin/syz-manager -config=myboard.cfg 73``` 74 75Now syzkaller should be running, you can check manager status with your web browser at `127.0.0.1:56741`. 76 77If you get issues after `syz-manager` starts, consider running it with the `-debug` flag. 78Also see [this page](troubleshooting.md) for troubleshooting tips. 79