I have added instrumentation to my FW (which runs on a separate HW device) and coverage guidance is generated. I used -fplugin=afl-gcc-pass -Wno-maybe-uninitialized for adding the instrumentation.
On the host side I use afl-proxy.c for fuzzing. I send the guidance available from my FW (separate HW) to afl-proxy.c (on the host).
I am surprised that afl-proxy.c can make use of this coverage guidance to mutate the input corpus when it does not have any information about the target binary, its ELF/map file, etc. Could someone please share some pointers on how it makes use of this guidance?
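afl-fuzz treats coverage as an opaque byte map of hit counts and keeps any input whose map shows something it has not seen before, so it needs no ELF or symbol information about the target. The sketch below is an added example, a simplified model of that comparison and not code from the post or from AFL++; the 64 KiB map size and all function and variable names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 65536               /* assumed map size for this sketch */

static uint8_t virgin[MAP_SIZE];     /* 0xff = nothing ever seen at this index */
uint8_t sample_trace[MAP_SIZE];      /* constructed stand-in for the map sent by the device */

/* Collapse a raw hit count into one of eight bucket bits, so that small
   changes in loop counts do not register as new behaviour. */
static uint8_t bucket(uint8_t hits) {
  if (hits <= 2)   return hits;      /* 0 -> 0, 1 -> 1, 2 -> 2 */
  if (hits == 3)   return 4;
  if (hits <= 7)   return 8;
  if (hits <= 15)  return 16;
  if (hits <= 31)  return 32;
  if (hits <= 127) return 64;
  return 128;
}

void reset_virgin(void) { memset(virgin, 0xff, sizeof virgin); }

/* Returns 2 if some map index was hit for the first time, 1 if only a new
   hit-count bucket appeared, 0 if the map shows nothing new. The indices
   are never decoded back to code addresses; only novelty matters. */
int has_new_coverage(const uint8_t *trace) {
  int ret = 0;
  for (size_t i = 0; i < MAP_SIZE; i++) {
    uint8_t b = bucket(trace[i]);
    if (b & virgin[i]) {
      if (virgin[i] == 0xff) ret = 2;
      else if (ret < 2) ret = 1;
      virgin[i] &= (uint8_t)~b;      /* remember this bucket as seen */
    }
  }
  return ret;
}

int main(void) {
  reset_virgin();
  sample_trace[100] = 1;             /* constructed run: index 100 hit once */
  printf("first run:  %d\n", has_new_coverage(sample_trace));
  printf("same again: %d\n", has_new_coverage(sample_trace));
  sample_trace[100] = 5;             /* same index, larger hit-count bucket */
  printf("more hits:  %d\n", has_new_coverage(sample_trace));
  return 0;
}
```

An input whose map returns non-zero is kept in the queue as a seed for further mutation; inputs that return 0 are discarded.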