Is it possible to fuzz android phone without Suzy-Q (or similar) device?

[HarryZ]

Hi Dmitry/All, 

I set up my syzkaller test environment followed by wiki "Setup: Linux host, Android device, arm64 kernel", it told that 

"Suzy-Q device" is a prerequisites.

So my question: Is it possible to fuzz android phone without Suzy-Q device? Just connect android phone and host with a USB cable.

When I run syz-manager, the android phone always reboots.

[Dmitry Vyukov]

Hi HarryZ,

The doc is somewhat outdated, I've updated it now:
https://github.com/google/syzkaller/blob/master/docs/setup_linux-host_android-device_arm64-kernel.md

Suzy-Q is not strictly necessary. syzkaller will automatically use the
normal usb cable. You should see this output on start:
https://github.com/google/syzkaller/blob/master/vm/adb/adb.go#L131
Do you see it?

Rebooting on start is intentional. syzkaller assumes that the device
can be in a bad state initially (e.g. from the previous fuzzing
session). Fuzzing should start after the reboot.

[miles....@gmail.com]

Hi Dmitry,

Do you know where to buy the Suzy-Q?

(Is Amazon selling this?)

Thanks,

Miles

[Dmitry Vyukov]

On Fri, Aug 18, 2017 at 4:43 AM, <miles....@gmail.com> wrote:
> Hi Dmitry,
>
> Do you know where to buy the Suzy-Q?
> (Is Amazon selling this?)

I have no idea. Sorry. People gave cables that worked. There is also
something called Android Serial Cable that also worked.
+Billy, do you know anything about how to get such cable?

> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Dmitry Vyukov]

On Fri, Aug 18, 2017 at 7:19 AM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Fri, Aug 18, 2017 at 4:43 AM, <miles....@gmail.com> wrote:
>> Hi Dmitry,
>>
>> Do you know where to buy the Suzy-Q?
>> (Is Amazon selling this?)
>
>
> I have no idea. Sorry. People gave cables that worked. There is also
> something called Android Serial Cable that also worked.
> +Billy, do you know anything about how to get such cable?

+Vishwath for the cables question, Billy seems to be OOO

[Vishwath Mohan]

I think I'm in somewhat the same state too - I was given the cables and don't know if/where they're available externally. Let me ask a few people and if I get a good answer I'll update this thread.

>> email to syzkaller+unsubscribe@googlegroups.com.

[seye...@uci.edu]

Hi All

I am in the same state.I compiled the kernel with kcov flag for nexus 5x but phone keeps rebooting. I would love to know how to fix this issue as well. Thanks

>> email to syzkaller+...@googlegroups.com.

[miles....@gmail.com]

Hi,

Lots of the crash went to "lost connection" while I was fuzzing with Syzkaller.

That's why I started to check this special cables.

I was fuzzing with Ubuntu 16 host and I noticed that I did not have the device: /dev/ttyUSB*

Instead, it added the device "/dev/libmtp-*" when the Android device is connected to the host.

Is Suzy-Q something like a debug board that can display the UART kernel log on Linux host (by minicom or teraterm) when connected to the guest device?

Thanks,

Miles

[Dmitry Vyukov]

On Mon, Aug 21, 2017 at 9:07 PM, <seye...@uci.edu> wrote:
> Hi All
> I am in the same state.I compiled the kernel with kcov flag for nexus 5x but
> phone keeps rebooting. I would love to know how to fix this issue as well.
> Thanks

If it reboots all the time, it's probably a different issues. Run
syz-manager with -debug flag.

[Dmitry Vyukov]

On Tue, Aug 22, 2017 at 9:29 AM, <miles....@gmail.com> wrote:
> Hi,
>
> Lots of the crash went to "lost connection" while I was fuzzing with
> Syzkaller.
> That's why I started to check this special cables.
> I was fuzzing with Ubuntu 16 host and I noticed that I did not have the
> device: /dev/ttyUSB*
>
> Instead, it added the device "/dev/libmtp-*" when the Android device is
> connected to the host.

Does the /dev/libmtp-* provide phone console output? If yes, syzkaller
can be extended to use it.

> Is Suzy-Q something like a debug board that can display the UART kernel log
> on Linux host (by minicom or teraterm) when connected to the guest device?

Yes, it just exposes device console output.

[Jianqiang Zhao]

Hi,

I met the same problem. I removed the adb reboot command:

if _, err := inst.adb("shell", "reboot"); err != nil {

Then, it always report lost connection:

./bin/syz-manager -config adb.cfg 

2017/08/31 15:39:22 loading corpus...

2017/08/31 15:39:22 loaded 0 programs (0 total, 0 deleted)

2017/08/31 15:39:22 serving http on http://127.0.0.1:50000

2017/08/31 15:39:22 serving rpc on tcp://[::]:51376

2017/08/31 15:39:22 booting test machines...

2017/08/31 15:39:22 wait for the connection from test machine...

2017/08/31 15:39:35 failed to associate adb device FA6AR0303635 with console: no unassociated console devices left

2017/08/31 15:39:35 falling back to 'adb shell dmesg -w'

2017/08/31 15:39:35 note: some bugs may be detected as 'lost connection to test machine' with no kernel output

2017/08/31 15:39:35 device FA6AR0303635: battery level 100%, OK

2017/08/31 15:39:40 vm-0: crash: lost connection to test machine

2017/08/31 15:39:53 device FA6AR0303635: battery level 100%, OK

2017/08/31 15:39:58 vm-0: crash: lost connection to test machine

2017/08/31 15:40:12 device FA6AR0303635: battery level 100%, OK

Thanks

在 2017年8月23日星期三 UTC+8下午4:05:35，Dmitry Vyukov写道：

[demid...@gmail.com]

Is this https://blog.trendmicro.com/trendlabs-security-intelligence/practical-android-debugging-via-kgdb/ can be used for use with syzkaller without suze-q? And solve problem with lost connection?

[mike...@gmail.com]

Op woensdag 23 augustus 2017 10:05:35 UTC+2 schreef Dmitry Vyukov:

On Tue, Aug 22, 2017 at 9:29 AM,  <miles....@gmail.com> wrote:
> Hi,
>
> Lots of the crash went to "lost connection" while I was fuzzing with
> Syzkaller.
> That's why I started to check this special cables.
> I was fuzzing with Ubuntu 16 host and I noticed that I did not have the
> device: /dev/ttyUSB*
>
> Instead, it added the device "/dev/libmtp-*" when the Android device is
> connected to the host.

Does the /dev/libmtp-* provide phone console output? If yes, syzkaller
can be extended to use it.

libmtp is for the MTP, Media Tranfsfer Protocol. I don't think it will provide console access.

"Console" access can be gained via serial, as with most/all embedded devices, or ADB, Andriod Debug Bridge.

Serial is a hardware access serial port.

https://wiki.postmarketos.org/wiki/Serial_debugging

Also list Suzy-Q

ADB works over USB. The device enumerates a virtual USB device but needs to be manually activated after each reboot. I guess with a rooted device you can force that automatically.

ADB works after firmware and linux kernel boot. ADB will not be able to capture firmware or kernel boot messages. Firmwares (U-boot) have their own solutions.

Andriod recovery is a small Linux/Andriod environment and can contain ADB eg. custom recoveries like TWRP.

The firmware decides which software to boot (Regular/Recovery) based on a non-volatile toggle bit.

Good luck 

[snaider...@gmail.com]

can I use Suzy-Q only for ChroomiumOS? How about android 9?

[mike...@gmail.com]

Op donderdag 10 januari 2019 16:20:14 UTC+1 schreef snaider...@gmail.com:

> can I use Suzy-Q only for ChroomiumOS?

No, more
> How about android 9?
Yes

SuzyQ is a live debug system. It's not tied to a specific OS. It's tied to specific hardware. Google's pixel 2 and 3 are confirmed. There might be others.

[demid...@gmail.com]

Hi, tried Suzy-q on pixel 3; get log in minicom /dev/ttyusb0 from boot loader, but can’t pass kernel log in console, in kernel cmdline write console=ttymsm0,115200n8; so it pass to kernel; but nothing in minicom;
I have /dev/ttymsm0, how I understand it is uart, driver for it loaded(msm_)