• Fuzzing the ARM64 kernel natively with syzkaller and QEMU

    In the last post I brought up an Ampere Altra as a headless ARM64 host. Now I put it to work. This is my setup for fuzzing an ARM64 Linux kernel with syzkaller under QEMU, all of it native. The big win over doing this from an x86 box is that nothing gets cross-compiled. The kernel, syzkaller and the guest all build straight on the host.

    Read on →

  • Bringing up an Ampere Altra as a headless ARM64 fuzzing server

    Most of my kernel fuzzing runs on ARM64 targets, and cross-compiling everything from an x86 box gets old fast. I wanted a native ARM64 machine with enough cores to run a large fleet of QEMU VMs under syzkaller. The answer was an Ampere Altra on an ASRock Rack board. This post covers taking it from a bare board to a running Ubuntu host, all of it headless over the BMC.

    Read on →

  • Building the Pixel 8 kernel with MTE, KASAN and KCOV

    For my fuzzing environment I use a stack of Pixel8 devices which run under KASAN + KCOV. Recently I had to update my devices to the latest kernel version which broke my build. Google’s documentation is great to have, but not very specific when it comes to the details and you mostly end up with a bootloop. This post covers compiling the Pixel 8 kernel and booting it on the current latest Pixel 8 version.

    Read on →

  • Setting Up Pixel 8/9 for Android App Reversing and Mobile Security Testing

    This post aims to serve as a guide on how to set a Pixel device up for Android security testing. I’ve tested this on both the Pixel 8 and the Pixel 9. The steps are identical for both.

    This covers flashing stock Pixel OS, rooting with Magisk, and getting Burp Suite working for traffic interception.

    Read on →