How to implement an Android Emulator target?

[7homasSutter]

I'm interested in using avatar2 to instrument the Android emulator. After reviewing the handbook, I noticed that there isn't currently support for an Android target, and PANDAS also doesn't support the Android emulator. Therefore, I'm curious about the feasibility of implementing an Avatar2 target for the Android emulator.

I assume that implementing an Android emulator target would involve similar steps to those taken for the QEMU target. Consequently, I briefly examined the avatar-qemu fork and observed that it hasn't been merged with the upstream QEMU in the past two years. Are there specific reasons for not incorporating the latest QEMU updates?

Moreover, I'm interested in the changes made in the avatar-qemu fork to enable compatibility with Avatar2. What are the key modifications, and what would be the logical steps in creating a new Avatar2 target for the Android emulator?

[aurelf]

Hi thanks for your interest. That would be nice to have, but I'm not aware or any such plans so far and I'm not sure how much work would be needed.
Maybe check the book "The book Fuzzing Against the Machine"? Although I think it only mentions the baseband side with Avatar (FirmWire), not the Android side.

It would be nice to update the QEMU to the most recent, I think last time @rawsample did it?

[7homasSutter]

@aurelf thanks for the tip with the book. I just got access to the book via my university library and the content answers some of my questions. I will read it in the next weeks. Hopefully, that gives me some idea of about how feasible it is to build an Android emulator target and how much time I would need to spend.

[aurelf]

Great, let us know how ot goes!

[7homasSutter]

@aurelf

I finished implementing the Python code for a new Android emulator target. This was kind of straightforward as it is very similar to the QemuTarget and works nearly out of the box. The Python code more or less allows me to start the Android emulator via avatar2, and I can connect GDB, QMP, and the QEMU monitor protocols. Naturally, it does not allow me to modify the memory, as I need to adjust the emulator QEMU version to be able to talk to avatar2.

I will progress with making the necessary adjustments to the Android emulator QEMU version, which seems to be more challenging because I'm unsure how the communication between avatar2 and QEMU works in detail. According to the avatar2 paper, mainly two modifications have been made to the original QEMU (v.6.2):

1. Adding the new emulation machine ("configurable machine").
2. Adding a set of dedicated avatar peripherals.

I guess no blog post exists that explains how to modify QEMU for avatar2. It would be nice to have some guidance, but lucky me we have a git history. So I will go through all the commits starting from (3034630) and check which files I can copy into the Android version of QEMU.

[aurelf]

Thanks for working on this and sharing your results !
Maybe @mariusmue or @rawsample could give more details there, I didn't look at this since long time.
In the meantime you can maybe also look at the avatar-qemu or the panda repo and the examples in avatar-examples.
It would be nice if you could do a PR with this (even as a draft), I guess this would be an interesting feature to have at some point.

[mariusmue]

Hi!

The avatar-changes related to qemu are mostly self-contained. Most of them are in the hw/avatar subdirectory, where the important bit is the configurable machine.

Besides this, you'll need to adjust at least target/arm/cpu.h to include the avatar configurable machine ([link]).
Generally speaking, I think the avatar2 patchset should be relatively easy to transfer to a new version of qemu.

That being said, I predicting to issues for the android-emulator-target:

• for emulating android, we will likely need an aarch64 avatar2 architecture. There have been some attempts for this around, but nothing was mainlined yet. I think @AndrewFasano may have had a working draft at some point in time - maybe it's time for me to pick this up. :)
• Android supports virtual memory. The configurable machine of avatar2, and its design, pretty much assumes a flat memory space. Support for the MMU may be a major effort.

I hope that helps!

Best,
Marius

[AndrewFasano]

We started building an aarch64 avatar2 configurable machine on this PANDA branch from about 4 years ago. I have no idea if it was working, but we never merged it. The changes we created were pretty simple.