Normally I like spending my fuzzing time causing segfaults on real devices, not sure why; maybe it just feels more gratifying. Recently, though, for a small project at work I need to run against multiple devices for longer periods of time and swap out different modules relatively fast. Doing that by hand would be a huge problem, so I wanted to automate it and do the least amount of work possible. One challenge that comes up with the somewhat stock phones I use for testing is that some of my compiled modules/ELF binaries never worked that well: sometimes due to carrier modifications, sometimes due to Cyanogen modifications, and other times just due to me being stupid and compiling things horribly wrong. Since I had just got my desktop machine all set up, it seemed like the perfect time to try to automate this on a box I could just SSH into and let run all the time!
After a quick bit of Googling, I didn't see many instructions on how to modify emulator images fast. Lots of people said: generate an emulator, change the system.img by mounting it, then restart the emulator and make sure it doesn't overwrite your changes. That's a pain though, I don't want to mount anything! It did remind me, however, that building AOSP produces a system.img, which is perfect!
After making all my changes (some to Dalvik and some to WebKit), I kicked off a full build with the normal commands:
```
tstrazzere@spinach:~/repo/android$ . build/envsetup.sh
including device/samsung/maguro/vendorsetup.sh
including device/samsung/tuna/vendorsetup.sh
including device/ti/panda/vendorsetup.sh
including sdk/bash_completion/adb.bash
tstrazzere@spinach:~/repo/android$ lunch full-eng
```
While waiting for the compilation to finish, I prepped a "target platform" to build an emulator image for. The quick way to do this is to copy the android-15 directory under the platforms directory of the SDK. This gives us the proper structure and files required while keeping the normal android-15 platform intact.
Awesome. With the system.img copied over to the necessary directory in the new platform, let's just edit a few files so I don't forget what this is when I build my emulators. Open up the source.properties file and edit the version number to something you can remember; I just changed mine to say 4.0.3-hacked:
```
tstrazzere@spinach:~/android/android-sdk-linux/platforms/custom$ android list targets
Available Android targets:
...
----------
id: 22 or "android-15"
     Name: Android 4.0.3-hacked
     Type: Platform
     API level: 15
     Revision: 1
     Skins: WXGA (default)
     ABIs : armeabi
----------
...
```
Now I can just create an emulator as normal and fire it up:
```
tstrazzere@spinach:~/android/android-sdk-linux/platforms/custom$ android create avd -t 27 -n dalvik_webcore_fuzz
Auto-selecting single ABI armeabi-v7a
Android 4.0.3-hacked is a basic Android platform.
Do you wish to create a custom hardware profile [no]
Created AVD 'dalvik_webcore_fuzz' based on Android 4.0.3-hacked, ARM (armeabi-v7a) processor,
with the following hardware config:
hw.lcd.density=240
vm.heapSize=48
hw.ramSize=512
tstrazzere@spinach:~/android/android-sdk-linux/platforms/custom$ emulator -avd dalvik_webcore_fuzz
```
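The platform-cloning steps above (copy the android-15 platform, drop in the freshly built system.img, relabel source.properties) as a small script, added here as an example and not code from the original post; the SDK layout under platforms/<target>/images/, the Platform.Version key and the AOSP output path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: script the platform-cloning
# steps described above. SDK layout, the images/ directory and the
# Platform.Version key in source.properties are assumptions.
set -eu

# Clone a stock platform directory into a new target, install a custom
# system.img into it and relabel the version string so that
# "android list targets" shows which image the target carries.
# Arguments: sdk_root base_target new_target label path_to_system.img
make_custom_platform() {
    sdk=$1 base=$2 name=$3 label=$4 img=$5
    src="$sdk/platforms/$base"
    dst="$sdk/platforms/$name"
    [ -f "$src/source.properties" ] || { echo "no platform at $src" >&2; return 1; }
    [ -f "$img" ] || { echo "missing system image: $img" >&2; return 1; }
    # Never clobber a target that already exists (it may hold another build).
    [ ! -e "$dst" ] || { echo "$dst already exists, refusing to overwrite" >&2; return 1; }
    cp -R "$src" "$dst"
    mkdir -p "$dst/images"
    cp "$img" "$dst/images/system.img"
    # Rewrite Platform.Version (assumed key) in the copy; the base target is untouched.
    # The label must not contain '/', which is the sed delimiter.
    sed "s/^Platform\.Version=.*/Platform.Version=$label/" \
        "$src/source.properties" > "$dst/source.properties"
    printf '%s\n' "$dst"
}

# Check the result: the label is in place and the installed image is the
# one we supplied, not the stock image copied along with the base target.
verify_custom_platform() {
    dst=$1 label=$2 img=$3
    grep -q "^Platform\.Version=$label\$" "$dst/source.properties" || return 1
    cmp -s "$img" "$dst/images/system.img"
}

# Usage: custom_target.sh <sdk_root> <base_target> <new_target> <label> <system.img>
# e.g.   custom_target.sh ~/android/android-sdk-linux android-15 custom 4.0.3-hacked \
#            ~/repo/android/out/target/product/generic/system.img   (assumed AOSP output path)
if [ "$#" -eq 5 ]; then
    dst=$(make_custom_platform "$@")
    verify_custom_platform "$dst" "$4" "$5"
    echo "installed $dst; list it with 'android list targets', then 'android create avd -t <id> -n <name>'"
fi
```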
Now it's just time to attach your fuzzing and other automated tools to the emulator.