Jekyll
2026-04-28T15:30:08+00:00
https://berkgoksel.com//
Berk Cem Göksel
Software Security Engineer
Berk Cem Göksel
Building the Pixel 8 kernel with MTE, KASAN and KCOV
2026-04-28T00:00:00+00:00
2026-04-28T00:00:00+00:00
https://berkgoksel.com/pixel8-kasan-mte-custom-kernel
<p>For my fuzzing environment I use a stack of Pixel8 devices which run under KASAN + KCOV. Recently I had to update my devices to the latest kernel version which broke my build. Google’s documentation is great to have, but not very specific when it comes to the details and you mostly end up with a bootloop. This post covers compiling the Pixel 8 kernel and booting it on the current latest Pixel 8 version.</p>
<!-- more -->
<p>The Pixel 8 supports <code class="language-plaintext highlighter-rouge">MTE</code>. That means we can enable <code class="language-plaintext highlighter-rouge">KASAN_HW_TAGS</code>, drastically reducing the overhead brought by <code class="language-plaintext highlighter-rouge">KASAN_GENERIC</code> or <code class="language-plaintext highlighter-rouge">KASAN_SW_TAGS</code>. However mind that <code class="language-plaintext highlighter-rouge">KASAN_VMALLOC</code> will be disabled, and the last time I checked was only supported on <code class="language-plaintext highlighter-rouge">KASAN_GENERIC</code>. For my fuzzing work, I need <code class="language-plaintext highlighter-rouge">MTE</code> and <code class="language-plaintext highlighter-rouge">KCOV</code> to be enabled, and <code class="language-plaintext highlighter-rouge">KASLR</code> disabled simply because it makes comparing crash reports easier and removes some overhead. I also disable SELinux for my own convenience, which may not make sense depending on which context you’re fuzzing from.</p>
<p><code class="language-plaintext highlighter-rouge">KASAN_HW_TAGS</code> itself is upstream work by <a href="https://xairy.io/">Andrey Konovalov (xairy)</a> and Vincenzo Frascino. Here is the: <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a63a63ff1ac2959706dba218d5e17f9ec721c0c">introducing commit</a> on git.kernel.org.</p>
<p>If you’re interested in debugging the Pixel kernel via GDB with GEF enabled, you can refer to xairy’s <a href="https://xairy.io/articles/pixel-kgdb">article</a>.</p>
<p>For more background on enabling MTE on the Pixel 8, see also Kees Cook’s <a href="https://outflux.net/blog/archives/2023/10/26/enable-mte-on-pixel-8/">post</a>.</p>
<h2>Downloading the relevant factory image</h2>
<p>Version mismatch between the factory image and your custom kernel will boot-loop with no useful diagnostics, so flash a good baseline first.</p>
<p>Go to <a href="https://developers.google.com/android/images">https://developers.google.com/android/images</a>, grab the Pixel 8 (shiba) factory image for <code class="language-plaintext highlighter-rouge">Android 16 (CP1A.260405.005)</code>, extract, run the bundled <code class="language-plaintext highlighter-rouge">flash-all.sh</code>. Enable developer options and OEM unlocking through the phone afterwards.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://dl.google.com/dl/android/aosp/shiba-cp1a.260405.005-factory-XXXXXXXX.zip
</code></pre></div></div>
<h2>Downloading and compiling the kernel</h2>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>repo init <span class="nt">-u</span> https://android.googlesource.com/kernel/manifest <span class="nt">-b</span> android-gs-shusky-6.1-android16
repo <span class="nb">sync</span> <span class="nt">-c</span> <span class="nt">--no-tags</span>
</code></pre></div></div>
<p>(<code class="language-plaintext highlighter-rouge">uname -r</code> will report <code class="language-plaintext highlighter-rouge">6.1.124-android14-11...</code> once you boot. That’s the GKI ABI version, not the platform branch.)</p>
<p>Create <code class="language-plaintext highlighter-rouge">private/google-modules/soc/gs/build.config.slider.khwasan</code> with the configs we want; this fragment runs after <code class="language-plaintext highlighter-rouge">defconfig</code> and overrides via <code class="language-plaintext highlighter-rouge">scripts/config</code>.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>append_cmd POST_DEFCONFIG_CMDS update_slider_khwasan_config
<span class="k">function </span>update_slider_khwasan_config<span class="o">()</span> <span class="o">{</span>
<span class="k">${</span><span class="nv">KERNEL_DIR</span><span class="k">}</span>/scripts/config <span class="nt">--file</span> <span class="k">${</span><span class="nv">OUT_DIR</span><span class="k">}</span>/.config <span class="se">\</span>
<span class="nt">-e</span> CONFIG_KASAN <span class="se">\</span>
<span class="nt">-e</span> CONFIG_KASAN_HW_TAGS <span class="se">\</span>
<span class="nt">-d</span> CONFIG_KASAN_SW_TAGS <span class="se">\</span>
<span class="nt">-e</span> CONFIG_KASAN_INLINE <span class="se">\</span>
<span class="nt">-e</span> CONFIG_KASAN_PANIC_ON_WARN <span class="se">\</span>
<span class="nt">-e</span> CONFIG_KCOV <span class="se">\</span>
<span class="nt">-e</span> CONFIG_PANIC_ON_WARN_DEFAULT_ENABLE <span class="se">\</span>
<span class="nt">-d</span> CONFIG_RANDOMIZE_BASE <span class="se">\</span>
<span class="nt">--set-val</span> CONFIG_FRAME_WARN 0 <span class="se">\</span>
<span class="nt">-d</span> CONFIG_SHADOW_CALL_STACK <span class="se">\</span>
<span class="nt">-e</span> CONFIG_SECURITY_SELINUX_BOOTPARAM
<span class="o">(</span><span class="nb">cd</span> <span class="k">${</span><span class="nv">OUT_DIR</span><span class="k">}</span> <span class="o">&&</span> <span class="se">\</span>
make <span class="nv">O</span><span class="o">=</span><span class="k">${</span><span class="nv">OUT_DIR</span><span class="k">}</span> <span class="s2">"</span><span class="k">${</span><span class="nv">TOOL_ARGS</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="k">${</span><span class="nv">MAKE_ARGS</span><span class="k">}</span> olddefconfig<span class="o">)</span>
<span class="o">}</span>
</code></pre></div></div>
<p>Export it in <code class="language-plaintext highlighter-rouge">private/google-modules/soc/gs/BUILD.bazel</code>:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">exports_files</span><span class="p">([</span><span class="s">"build.config.slider.khwasan"</span><span class="p">])</span>
</code></pre></div></div>
<p>Append <code class="language-plaintext highlighter-rouge">nokaslr</code> to <code class="language-plaintext highlighter-rouge">chosen.bootargs</code> in <code class="language-plaintext highlighter-rouge">private/devices/google/zuma/dts/zuma.dtsi</code>.</p>
<p>Edit <code class="language-plaintext highlighter-rouge">build_shusky.sh</code> and change the last line to:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">exec </span>tools/bazel run <span class="se">\</span>
<span class="k">${</span><span class="nv">parameters</span><span class="k">}</span> <span class="se">\</span>
<span class="nt">--config</span><span class="o">=</span>stamp <span class="se">\</span>
<span class="nt">--lto</span><span class="o">=</span>none <span class="se">\</span>
<span class="nt">--config</span><span class="o">=</span>shusky <span class="se">\</span>
<span class="nt">--gki_build_config_fragment</span><span class="o">=</span>//private/google-modules/soc/gs:build.config.slider.khwasan <span class="se">\</span>
<span class="nt">--sandbox_debug</span> <span class="se">\</span>
<span class="nt">--kasan</span> <span class="se">\</span>
<span class="nt">--</span>//build/kernel/kleaf:use_prebuilt_gki<span class="o">=</span><span class="nb">false</span> <span class="se">\</span>
//private/devices/google/shusky:zuma_shusky_dist <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span>
</code></pre></div></div>
<p>We set <code class="language-plaintext highlighter-rouge">--//build/kernel/kleaf:use_prebuilt_gki=false</code> here because the <code class="language-plaintext highlighter-rouge">--use_prebuilt_gki=false</code> alias set on the command line fails to override the same value set in <code class="language-plaintext highlighter-rouge">device.bazelrc</code>. In that case the GKI keeps coming from the prebuilt, throwing an error.</p>
<p>Compile:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./build_shusky.sh
</code></pre></div></div>
<h2>Patching SELinux to stay permissive</h2>
<p><code class="language-plaintext highlighter-rouge">androidboot.selinux=permissive</code> and <code class="language-plaintext highlighter-rouge">enforcing=0</code> on the cmdline are not enough on a <code class="language-plaintext highlighter-rouge">user</code> build. Android <code class="language-plaintext highlighter-rouge">init</code> writes <code class="language-plaintext highlighter-rouge">1</code> to <code class="language-plaintext highlighter-rouge">/sys/fs/selinux/enforce</code> after policy load, effectively setting it back to <code class="language-plaintext highlighter-rouge">enforcing</code>.</p>
<p>If you’re lazy like me, you can just patch <code class="language-plaintext highlighter-rouge">aosp/security/selinux/selinuxfs.c:sel_write_enforce</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">new_value</span> <span class="o">=</span> <span class="o">!!</span><span class="n">new_value</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">new_value</span><span class="p">)</span>
<span class="n">new_value</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">old_value</span> <span class="o">=</span> <span class="n">enforcing_enabled</span><span class="p">(</span><span class="n">state</span><span class="p">);</span>
</code></pre></div></div>
<p>Note: A better way would be to add this functionality to the <code class="language-plaintext highlighter-rouge">UAF test driver</code> I’ll talk about below, so we can set/unset enforcing whenever we need. That being said, I’m pretty sure there are more legitimate ways to achieve this.</p>
<h2>UAF test driver</h2>
<p>To test if <code class="language-plaintext highlighter-rouge">KASAN</code> works and actually produces a crash report, I’ve added a driver which we can use to trigger a UAF.</p>
<p>Drop <code class="language-plaintext highlighter-rouge">private/google-modules/misc/uaftest/{uaftest.c,Makefile,Kconfig,BUILD.bazel}</code> and add <code class="language-plaintext highlighter-rouge">"//private/google-modules/misc/uaftest"</code> to <code class="language-plaintext highlighter-rouge">private/devices/google/zuma/BUILD.bazel:kernel_ext_modules.srcs</code>.</p>
<p>The driver registers both <code class="language-plaintext highlighter-rouge">/dev/uaftest</code> and <code class="language-plaintext highlighter-rouge">/proc/uaftest</code>.</p>
<p><code class="language-plaintext highlighter-rouge">/dev/uaftest</code> is on mode 0666 in source, but Android ueventd downgrades it to 0600. For <code class="language-plaintext highlighter-rouge">/proc/uaftest</code> procfs respects the mode bits and ueventd doesn’t mess with them. While we’re at it let’s add a “give root” function so that we don’t have to deal with magisk.</p>
<p><code class="language-plaintext highlighter-rouge">private/google-modules/misc/uaftest/uaftest.c</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// SPDX-License-Identifier: GPL-2.0-only</span>
<span class="cp">#include</span> <span class="cpf"><linux/cred.h></span><span class="cp">
#include</span> <span class="cpf"><linux/fs.h></span><span class="cp">
#include</span> <span class="cpf"><linux/init.h></span><span class="cp">
#include</span> <span class="cpf"><linux/ioctl.h></span><span class="cp">
#include</span> <span class="cpf"><linux/kernel.h></span><span class="cp">
#include</span> <span class="cpf"><linux/miscdevice.h></span><span class="cp">
#include</span> <span class="cpf"><linux/module.h></span><span class="cp">
#include</span> <span class="cpf"><linux/proc_fs.h></span><span class="cp">
#include</span> <span class="cpf"><linux/slab.h></span><span class="cp">
#include</span> <span class="cpf"><linux/uaccess.h></span><span class="cp">
</span>
<span class="cp">#define UAFTEST_MAGIC 'U'
#define UAFTEST_IOC_UAF_READ _IO(UAFTEST_MAGIC, 1)
#define UAFTEST_IOC_UAF_WRITE _IO(UAFTEST_MAGIC, 2)
#define UAFTEST_IOC_DOUBLE_FREE _IO(UAFTEST_MAGIC, 3)
#define UAFTEST_IOC_OOB_READ _IO(UAFTEST_MAGIC, 4)
#define UAFTEST_IOC_GIVE_ROOT _IO(UAFTEST_MAGIC, 100)
</span>
<span class="cp">#define UAFTEST_BUF_SZ 128
</span>
<span class="k">static</span> <span class="n">noinline</span> <span class="n">u8</span> <span class="nf">uaftest_uaf_read</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">u8</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="n">kmalloc</span><span class="p">(</span><span class="n">UAFTEST_BUF_SZ</span><span class="p">,</span> <span class="n">GFP_KERNEL</span><span class="p">);</span>
<span class="n">u8</span> <span class="n">v</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">p</span><span class="p">)</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">memset</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="mh">0xa5</span><span class="p">,</span> <span class="n">UAFTEST_BUF_SZ</span><span class="p">);</span>
<span class="n">kfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
<span class="cm">/* deliberate UAF read; KASAN/MTE should fire here */</span>
<span class="n">v</span> <span class="o">=</span> <span class="n">READ_ONCE</span><span class="p">(</span><span class="n">p</span><span class="p">[</span><span class="mi">16</span><span class="p">]);</span>
<span class="k">return</span> <span class="n">v</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">static</span> <span class="n">noinline</span> <span class="kt">void</span> <span class="nf">uaftest_uaf_write</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">u8</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="n">kmalloc</span><span class="p">(</span><span class="n">UAFTEST_BUF_SZ</span><span class="p">,</span> <span class="n">GFP_KERNEL</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">p</span><span class="p">)</span>
<span class="k">return</span><span class="p">;</span>
<span class="n">kfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
<span class="n">WRITE_ONCE</span><span class="p">(</span><span class="n">p</span><span class="p">[</span><span class="mi">32</span><span class="p">],</span> <span class="mh">0x41</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">static</span> <span class="n">noinline</span> <span class="kt">void</span> <span class="nf">uaftest_double_free</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">u8</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="n">kmalloc</span><span class="p">(</span><span class="n">UAFTEST_BUF_SZ</span><span class="p">,</span> <span class="n">GFP_KERNEL</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">p</span><span class="p">)</span>
<span class="k">return</span><span class="p">;</span>
<span class="n">kfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
<span class="n">kfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">static</span> <span class="n">noinline</span> <span class="n">u8</span> <span class="nf">uaftest_oob_read</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">u8</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="n">kmalloc</span><span class="p">(</span><span class="n">UAFTEST_BUF_SZ</span><span class="p">,</span> <span class="n">GFP_KERNEL</span><span class="p">);</span>
<span class="n">u8</span> <span class="n">v</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">p</span><span class="p">)</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">v</span> <span class="o">=</span> <span class="n">READ_ONCE</span><span class="p">(</span><span class="n">p</span><span class="p">[</span><span class="n">UAFTEST_BUF_SZ</span><span class="p">]);</span> <span class="cm">/* one past end */</span>
<span class="n">kfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
<span class="k">return</span> <span class="n">v</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">static</span> <span class="kt">int</span> <span class="nf">uaftest_give_root</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">struct</span> <span class="n">cred</span> <span class="o">*</span><span class="n">new</span> <span class="o">=</span> <span class="n">prepare_creds</span><span class="p">();</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">new</span><span class="p">)</span>
<span class="k">return</span> <span class="o">-</span><span class="n">ENOMEM</span><span class="p">;</span>
<span class="n">new</span><span class="o">-></span><span class="n">uid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="n">new</span><span class="o">-></span><span class="n">gid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">new</span><span class="o">-></span><span class="n">euid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="n">new</span><span class="o">-></span><span class="n">egid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">new</span><span class="o">-></span><span class="n">suid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="n">new</span><span class="o">-></span><span class="n">sgid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">new</span><span class="o">-></span><span class="n">fsuid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="n">new</span><span class="o">-></span><span class="n">fsgid</span><span class="p">.</span><span class="n">val</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">return</span> <span class="n">commit_creds</span><span class="p">(</span><span class="n">new</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">static</span> <span class="kt">long</span> <span class="nf">uaftest_ioctl</span><span class="p">(</span><span class="k">struct</span> <span class="n">file</span> <span class="o">*</span><span class="n">f</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">cmd</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">arg</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">switch</span> <span class="p">(</span><span class="n">cmd</span><span class="p">)</span> <span class="p">{</span>
<span class="k">case</span> <span class="n">UAFTEST_IOC_UAF_READ</span><span class="p">:</span>
<span class="n">pr_warn</span><span class="p">(</span><span class="s">"uaftest: triggering UAF read</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="n">uaftest_uaf_read</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">case</span> <span class="n">UAFTEST_IOC_UAF_WRITE</span><span class="p">:</span>
<span class="n">pr_warn</span><span class="p">(</span><span class="s">"uaftest: triggering UAF write</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">uaftest_uaf_write</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">case</span> <span class="n">UAFTEST_IOC_DOUBLE_FREE</span><span class="p">:</span>
<span class="n">pr_warn</span><span class="p">(</span><span class="s">"uaftest: triggering double-free</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">uaftest_double_free</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">case</span> <span class="n">UAFTEST_IOC_OOB_READ</span><span class="p">:</span>
<span class="n">pr_warn</span><span class="p">(</span><span class="s">"uaftest: triggering OOB read</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="n">uaftest_oob_read</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">case</span> <span class="n">UAFTEST_IOC_GIVE_ROOT</span><span class="p">:</span>
<span class="n">pr_warn</span><span class="p">(</span><span class="s">"uaftest: GIVE_ROOT requested by uid=%u pid=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span>
<span class="n">from_kuid</span><span class="p">(</span><span class="o">&</span><span class="n">init_user_ns</span><span class="p">,</span> <span class="n">current_uid</span><span class="p">()),</span>
<span class="n">task_pid_nr</span><span class="p">(</span><span class="n">current</span><span class="p">));</span>
<span class="k">return</span> <span class="n">uaftest_give_root</span><span class="p">();</span>
<span class="nl">default:</span>
<span class="k">return</span> <span class="o">-</span><span class="n">ENOTTY</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">static</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">file_operations</span> <span class="n">uaftest_fops</span> <span class="o">=</span> <span class="p">{</span>
<span class="p">.</span><span class="n">owner</span> <span class="o">=</span> <span class="n">THIS_MODULE</span><span class="p">,</span>
<span class="p">.</span><span class="n">unlocked_ioctl</span> <span class="o">=</span> <span class="n">uaftest_ioctl</span><span class="p">,</span>
<span class="p">.</span><span class="n">compat_ioctl</span> <span class="o">=</span> <span class="n">uaftest_ioctl</span><span class="p">,</span>
<span class="p">.</span><span class="n">llseek</span> <span class="o">=</span> <span class="n">noop_llseek</span><span class="p">,</span>
<span class="p">};</span>
<span class="k">static</span> <span class="k">struct</span> <span class="n">miscdevice</span> <span class="n">uaftest_dev</span> <span class="o">=</span> <span class="p">{</span>
<span class="p">.</span><span class="n">minor</span> <span class="o">=</span> <span class="n">MISC_DYNAMIC_MINOR</span><span class="p">,</span>
<span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="s">"uaftest"</span><span class="p">,</span>
<span class="p">.</span><span class="n">fops</span> <span class="o">=</span> <span class="o">&</span><span class="n">uaftest_fops</span><span class="p">,</span>
<span class="p">.</span><span class="n">mode</span> <span class="o">=</span> <span class="mo">0666</span><span class="p">,</span>
<span class="p">};</span>
<span class="k">static</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">proc_ops</span> <span class="n">uaftest_proc_ops</span> <span class="o">=</span> <span class="p">{</span>
<span class="p">.</span><span class="n">proc_ioctl</span> <span class="o">=</span> <span class="n">uaftest_ioctl</span><span class="p">,</span>
<span class="p">.</span><span class="n">proc_compat_ioctl</span> <span class="o">=</span> <span class="n">uaftest_ioctl</span><span class="p">,</span>
<span class="p">.</span><span class="n">proc_open</span> <span class="o">=</span> <span class="n">simple_open</span><span class="p">,</span>
<span class="p">.</span><span class="n">proc_lseek</span> <span class="o">=</span> <span class="n">noop_llseek</span><span class="p">,</span>
<span class="p">};</span>
<span class="k">static</span> <span class="k">struct</span> <span class="n">proc_dir_entry</span> <span class="o">*</span><span class="n">uaftest_proc</span><span class="p">;</span>
<span class="k">static</span> <span class="kt">int</span> <span class="n">__init</span> <span class="nf">uaftest_init</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">rc</span><span class="p">;</span>
<span class="n">pr_warn</span><span class="p">(</span><span class="s">"uaftest: ENGINEERING TEST MODULE — do not ship</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">rc</span> <span class="o">=</span> <span class="n">misc_register</span><span class="p">(</span><span class="o">&</span><span class="n">uaftest_dev</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">rc</span><span class="p">)</span>
<span class="k">return</span> <span class="n">rc</span><span class="p">;</span>
<span class="cm">/* ueventd downgrades /dev/uaftest to 0600. /proc/uaftest keeps
* the mode we set here, giving the shell user a way in. */</span>
<span class="n">uaftest_proc</span> <span class="o">=</span> <span class="n">proc_create</span><span class="p">(</span><span class="s">"uaftest"</span><span class="p">,</span> <span class="mo">0666</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="o">&</span><span class="n">uaftest_proc_ops</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">uaftest_proc</span><span class="p">)</span> <span class="p">{</span>
<span class="n">misc_deregister</span><span class="p">(</span><span class="o">&</span><span class="n">uaftest_dev</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="n">ENOMEM</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">static</span> <span class="kt">void</span> <span class="n">__exit</span> <span class="nf">uaftest_exit</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">uaftest_proc</span><span class="p">)</span>
<span class="n">proc_remove</span><span class="p">(</span><span class="n">uaftest_proc</span><span class="p">);</span>
<span class="n">misc_deregister</span><span class="p">(</span><span class="o">&</span><span class="n">uaftest_dev</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">module_init</span><span class="p">(</span><span class="n">uaftest_init</span><span class="p">);</span>
<span class="n">module_exit</span><span class="p">(</span><span class="n">uaftest_exit</span><span class="p">);</span>
<span class="n">MODULE_DESCRIPTION</span><span class="p">(</span><span class="s">"Test driver to check if KASAN is working"</span><span class="p">);</span>
<span class="n">MODULE_LICENSE</span><span class="p">(</span><span class="s">"GPL v2"</span><span class="p">);</span>
</code></pre></div></div>
<p>And the userspace trigger, <code class="language-plaintext highlighter-rouge">private/google-modules/misc/uaftest/uaftest_trigger.c</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// SPDX-License-Identifier: GPL-2.0-only</span>
<span class="cp">#include</span> <span class="cpf"><errno.h></span><span class="cp">
#include</span> <span class="cpf"><fcntl.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><string.h></span><span class="cp">
#include</span> <span class="cpf"><sys/ioctl.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="cp">#define UAFTEST_MAGIC 'U'
#define UAFTEST_IOC_UAF_READ _IO(UAFTEST_MAGIC, 1)
#define UAFTEST_IOC_UAF_WRITE _IO(UAFTEST_MAGIC, 2)
#define UAFTEST_IOC_DOUBLE_FREE _IO(UAFTEST_MAGIC, 3)
#define UAFTEST_IOC_OOB_READ _IO(UAFTEST_MAGIC, 4)
#define UAFTEST_IOC_GIVE_ROOT _IO(UAFTEST_MAGIC, 100)
</span>
<span class="k">static</span> <span class="k">const</span> <span class="k">struct</span> <span class="p">{</span>
<span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">cmd</span><span class="p">;</span>
<span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">desc</span><span class="p">;</span>
<span class="p">}</span> <span class="n">CMDS</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="p">{</span> <span class="s">"uaf-read"</span><span class="p">,</span> <span class="n">UAFTEST_IOC_UAF_READ</span><span class="p">,</span> <span class="s">"kmalloc -> kfree -> read (UAF read)"</span> <span class="p">},</span>
<span class="p">{</span> <span class="s">"uaf-write"</span><span class="p">,</span> <span class="n">UAFTEST_IOC_UAF_WRITE</span><span class="p">,</span> <span class="s">"kmalloc -> kfree -> write (UAF write)"</span> <span class="p">},</span>
<span class="p">{</span> <span class="s">"double-free"</span><span class="p">,</span> <span class="n">UAFTEST_IOC_DOUBLE_FREE</span><span class="p">,</span> <span class="s">"kmalloc -> kfree -> kfree"</span> <span class="p">},</span>
<span class="p">{</span> <span class="s">"oob-read"</span><span class="p">,</span> <span class="n">UAFTEST_IOC_OOB_READ</span><span class="p">,</span> <span class="s">"read one byte past kmalloc end"</span> <span class="p">},</span>
<span class="p">{</span> <span class="s">"give-root"</span><span class="p">,</span> <span class="n">UAFTEST_IOC_GIVE_ROOT</span><span class="p">,</span> <span class="s">"set current task creds to uid 0"</span> <span class="p">},</span>
<span class="p">};</span>
<span class="k">static</span> <span class="kt">void</span> <span class="nf">usage</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">prog</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">size_t</span> <span class="n">i</span><span class="p">;</span>
<span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"usage: %s <command></span><span class="se">\n</span><span class="s"> commands:</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">prog</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">CMDS</span><span class="p">)</span><span class="o">/</span><span class="k">sizeof</span><span class="p">(</span><span class="n">CMDS</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
<span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">" %-12s %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">CMDS</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">name</span><span class="p">,</span> <span class="n">CMDS</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">desc</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="n">rc</span><span class="p">;</span>
<span class="kt">size_t</span> <span class="n">i</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">cmd</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span>
<span class="n">usage</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
<span class="k">return</span> <span class="mi">2</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">CMDS</span><span class="p">)</span><span class="o">/</span><span class="k">sizeof</span><span class="p">(</span><span class="n">CMDS</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">CMDS</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">name</span><span class="p">))</span> <span class="p">{</span>
<span class="n">cmd</span> <span class="o">=</span> <span class="n">CMDS</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">cmd</span><span class="p">;</span>
<span class="k">break</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">cmd</span><span class="p">)</span> <span class="p">{</span>
<span class="n">usage</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
<span class="k">return</span> <span class="mi">2</span><span class="p">;</span>
<span class="p">}</span>
<span class="cm">/* /dev/uaftest gets 0600 root by ueventd; /proc/uaftest is 0666. */</span>
<span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">"/proc/uaftest"</span><span class="p">,</span> <span class="n">O_RDWR</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">fd</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">"/dev/uaftest"</span><span class="p">,</span> <span class="n">O_RDWR</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">fd</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"open /proc/uaftest or /dev/uaftest: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">strerror</span><span class="p">(</span><span class="n">errno</span><span class="p">));</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cmd</span> <span class="o">==</span> <span class="n">UAFTEST_IOC_GIVE_ROOT</span><span class="p">)</span> <span class="p">{</span>
<span class="n">rc</span> <span class="o">=</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">cmd</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">rc</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"ioctl: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">strerror</span><span class="p">(</span><span class="n">errno</span><span class="p">));</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"uid=%u euid=%u — exec a shell to keep it: exec /system/bin/sh</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span>
<span class="n">getuid</span><span class="p">(),</span> <span class="n">geteuid</span><span class="p">());</span>
<span class="n">execl</span><span class="p">(</span><span class="s">"/system/bin/sh"</span><span class="p">,</span> <span class="s">"sh"</span><span class="p">,</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="nb">NULL</span><span class="p">);</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"execl"</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">rc</span> <span class="o">=</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">cmd</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">rc</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"ioctl: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">strerror</span><span class="p">(</span><span class="n">errno</span><span class="p">));</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"ok — check `dmesg` for the KASAN report</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Cross-compile the trigger with the NDK in the kernel tree:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>prebuilts/ndk-r23/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android31-clang <span class="se">\</span>
<span class="nt">-static</span> <span class="nt">-O2</span> <span class="nt">-o</span> uaftest_trigger <span class="se">\</span>
private/google-modules/misc/uaftest/uaftest_trigger.c
</code></pre></div></div>
<h2>Setting boot cmdline parameters on Pixel devices</h2>
<p><code class="language-plaintext highlighter-rouge">/proc/cmdline</code> after first boot has <code class="language-plaintext highlighter-rouge">kasan=off</code> and <code class="language-plaintext highlighter-rouge">arm64.nomte</code> appended after our dts cmdline, which kills runtime KASAN and MTE. <code class="language-plaintext highlighter-rouge">kasan=off</code> is in the <code class="language-plaintext highlighter-rouge">vendor_cmdline</code> field of <code class="language-plaintext highlighter-rouge">vendor_boot.img</code>’s header; <code class="language-plaintext highlighter-rouge">arm64.nomte</code> is appended by the bootloader.</p>
<p>For <code class="language-plaintext highlighter-rouge">arm64.nomte</code> there’s a bootloader knob:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fastboot oem mte on
</code></pre></div></div>
<p>For <code class="language-plaintext highlighter-rouge">kasan=off</code> you have to edit <code class="language-plaintext highlighter-rouge">vendor_boot.img</code>. My kernel build didn’t produce one so I pulled it from the matching factory image:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unzip image-shiba-cp1a.260405.005.zip vendor_boot.img init_boot.img vbmeta.img
python3 tools/mkbootimg/unpack_bootimg.py <span class="nt">--boot_img</span> vendor_boot.img <span class="nt">--out</span> vb
</code></pre></div></div>
<p>The <code class="language-plaintext highlighter-rouge">vendor command line args</code> value is logged to stdout by <code class="language-plaintext highlighter-rouge">unpack_bootimg.py</code>. Strip <code class="language-plaintext highlighter-rouge">kasan=off</code> and <code class="language-plaintext highlighter-rouge">rodata=on</code>, append <code class="language-plaintext highlighter-rouge">enforcing=0 kasan=on</code>, repack.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">NEW_CMDLINE</span><span class="o">=</span><span class="s1">'fips140.load_sequential=1 exynos_drm.load_sequential=1 \
g2d.load_sequential=1 samsung_iommu_v9.load_sequential=1 swiotlb=noforce \
disable_dma32=on earlycon=exynos4210,0x10870000 console=ttySAC0,115200 \
androidboot.console=ttySAC0 printk.devkmsg=on cma_sysfs.experimental=Y \
rcupdate.rcu_expedited=1 rcu_nocbs=all rcutree.enable_rcu_lazy swiotlb=1024 \
cgroup.memory=nokmem sysctl.kernel.sched_pelt_multiplier=4 \
at24.write_timeout=100 log_buf_len=1024K android_arch_task_struct_size=512 \
bootconfig enforcing=0 kasan=on'</span>
python3 tools/mkbootimg/mkbootimg.py <span class="se">\</span>
<span class="nt">--header_version</span> 4 <span class="nt">--pagesize</span> 0x800 <span class="se">\</span>
<span class="nt">--vendor_cmdline</span> <span class="s2">"</span><span class="nv">$NEW_CMDLINE</span><span class="s2">"</span> <span class="se">\</span>
<span class="nt">--base</span> 0x0 <span class="se">\</span>
<span class="nt">--kernel_offset</span> 0x10008000 <span class="nt">--ramdisk_offset</span> 0x11000000 <span class="se">\</span>
<span class="nt">--tags_offset</span> 0x10000100 <span class="nt">--dtb_offset</span> 0x11f00000 <span class="se">\</span>
<span class="nt">--ramdisk_type</span> platform <span class="nt">--ramdisk_name</span> <span class="s1">''</span> <span class="se">\</span>
<span class="nt">--vendor_ramdisk_fragment</span> vb/vendor_ramdisk00 <span class="se">\</span>
<span class="nt">--ramdisk_type</span> none <span class="nt">--ramdisk_name</span> <span class="s1">'16K'</span> <span class="se">\</span>
<span class="nt">--vendor_ramdisk_fragment</span> vb/vendor_ramdisk01 <span class="se">\</span>
<span class="nt">--vendor_bootconfig</span> vb/bootconfig <span class="se">\</span>
<span class="nt">--vendor_boot</span> vendor_boot_new.img
</code></pre></div></div>
<h2>Console/serial</h2>
<p>P.S. If you have a SuzyQ cable or a USB cereal and would like to dump bootloader and kernel logs to tty, do it here — append your serial console params to <code class="language-plaintext highlighter-rouge">NEW_CMDLINE</code> above before repacking, or set them via <code class="language-plaintext highlighter-rouge">fastboot oem uart</code> after flashing:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fastboot oem uart <span class="nb">enable
</span>fastboot oem uart config 3000000
</code></pre></div></div>
<h2>Flashing</h2>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fastboot <span class="nt">-w</span> <span class="nt">--disable-verification</span>
fastboot oem disable-verification
fastboot flash boot out/shusky/dist/boot.img
fastboot flash dtbo out/shusky/dist/dtbo.img
fastboot flash vendor_kernel_boot out/shusky/dist/vendor_kernel_boot.img
fastboot flash vendor_boot vendor_boot_new.img
fastboot flash vbmeta vbmeta.img
fastboot oem uart <span class="nb">enable
</span>fastboot oem uart config 3000000
fastboot oem mte on
fastboot reboot fastboot
<span class="c"># wait until `fastboot getvar is-userspace` says yes</span>
fastboot flash vendor_dlkm out/shusky/dist/vendor_dlkm.img
fastboot flash system_dlkm out/shusky/dist/system_dlkm.img
fastboot reboot
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">vendor_dlkm</code> and <code class="language-plaintext highlighter-rouge">system_dlkm</code> are logical partitions inside <code class="language-plaintext highlighter-rouge">super</code> and can only be resized from <code class="language-plaintext highlighter-rouge">fastbootd</code>, hence the bounce.</p>
<h2>Verifying it works</h2>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell getenforce
adb shell <span class="nb">cat</span> /proc/uaftest
adb push uaftest_trigger /data/local/tmp/
adb shell <span class="nb">chmod</span> +x /data/local/tmp/uaftest_trigger
adb shell /data/local/tmp/uaftest_trigger uaf-read
</code></pre></div></div>
<p>dmesg report (read it after <code class="language-plaintext highlighter-rouge">give-root</code>):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[ 229.126588] uaftest: triggering UAF read
[ 229.127765] BUG: KASAN: invalid-access in uaftest_uaf_read+0x6c [uaftest]
[ 229.128456] Read at addr f9ffff88e6653610 by task uaftest_trigger/13318
[ 229.128485] Pointer tag: [f9], memory tag: [fe]
[ 229.132481] Hardware name: ZUMA SHIBA MP based on ZUMA (DT)
…
</code></pre></div></div>
<p>If you’re seeing something like the above, that means KASAN and MTE are doing their job.</p>
<h2>Root via the driver</h2>
<p><code class="language-plaintext highlighter-rouge">adb root</code> won’t work on a <code class="language-plaintext highlighter-rouge">user</code> build (<code class="language-plaintext highlighter-rouge">ro.debuggable=0</code>), and production Android does not ship <code class="language-plaintext highlighter-rouge">su</code> or <code class="language-plaintext highlighter-rouge">sudo</code> in <code class="language-plaintext highlighter-rouge">$PATH</code> (userdebug builds do). Luckily, our driver’s <code class="language-plaintext highlighter-rouge">GIVE_ROOT</code> ioctl gives us root inside an existing shell:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell /data/local/tmp/uaftest_trigger give-root
<span class="c"># uid=0(root) gid=0(root)</span>
</code></pre></div></div>
<p>I created a <code class="language-plaintext highlighter-rouge">su</code> script for convenience:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/system/bin/sh</span>
<span class="nb">exec</span> /data/local/tmp/uaftest_trigger give-root
</code></pre></div></div>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb push su /data/local/tmp/su
adb shell <span class="nb">chmod</span> +x /data/local/tmp/su
adb shell /data/local/tmp/su <span class="nt">-c</span> <span class="nb">id</span>
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">/data/local/tmp</code> isn’t on <code class="language-plaintext highlighter-rouge">$PATH</code>, so either always type the full path or <code class="language-plaintext highlighter-rouge">export PATH=/data/local/tmp:$PATH</code> per session.</p>
<p>Note: <code class="language-plaintext highlighter-rouge">adbd</code> itself runs as <code class="language-plaintext highlighter-rouge">shell</code> because the system image has <code class="language-plaintext highlighter-rouge">ro.debuggable=0</code>. <code class="language-plaintext highlighter-rouge">adb push</code> to read-only partitions still fails as a non root user. If this bothers you use Magisk to patch <code class="language-plaintext highlighter-rouge">init_boot.img</code> from the factory image and flash it.</p>
Berk Cem Göksel
For my fuzzing environment I use a stack of Pixel8 devices which run under KASAN + KCOV. Recently I had to update my devices to the latest kernel version which broke my build. Google’s documentation is great to have, but not very specific when it comes to the details and you mostly end up with a bootloop. This post covers compiling the Pixel 8 kernel and booting it on the current latest Pixel 8 version.
Setting Up Pixel 8/9 for Android App Reversing and Mobile Security Testing
2026-01-22T00:00:00+00:00
2026-01-22T00:00:00+00:00
https://berkgoksel.com/pixel-security-setup
<p>This post aims to serve as a guide on how to set a Pixel device up for Android security testing. I’ve tested this on both the Pixel 8 and the Pixel 9. The steps are identical for both.</p>
<p>This covers flashing stock Pixel OS, rooting with Magisk, and getting Burp Suite working for traffic interception.</p>
<!-- more -->
<h2>Prerequisites</h2>
<ul>
<li>Pixel 8 (codename: shiba) or Pixel 9 (codename: tokay)</li>
<li>Ubuntu 22.04 (or similar Linux distro)</li>
<li>USB cable</li>
<li>adb and fastboot installed: <code class="language-plaintext highlighter-rouge">sudo apt install android-tools-adb android-tools-fastboot</code></li>
</ul>
<h2>Step 1: Download Factory Image</h2>
<p>Get the latest factory image from https://developers.google.com/android/images</p>
<ul>
<li>Pixel 8: look for <strong>shiba</strong></li>
<li>Pixel 9: look for <strong>tokay</strong></li>
</ul>
<p>Google factory images are named like <code class="language-plaintext highlighter-rouge">shiba-bp4a.251205.006-factory-*.zip</code>. Don’t confuse with GrapheneOS images which use format <code class="language-plaintext highlighter-rouge">shiba-install-*.zip</code>.</p>
<h2>Step 2: Enable Developer Options and OEM Unlocking</h2>
<p>On the phone:</p>
<ol>
<li><strong>Settings → About phone → tap “Build number” 7 times</strong> to enable Developer Options</li>
<li><strong>Settings → System → Developer options → USB debugging → ON</strong></li>
<li><strong>Settings → System → Developer options → OEM unlocking → ON</strong></li>
</ol>
<p>Note: If OEM unlocking is greyed out, connect to WiFi/mobile data and wait ~24 hours (Google’s anti-theft measure).</p>
<h2>Step 3: Extract Factory Image</h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cd</span> ~/Downloads
unzip shiba-<span class="k">*</span>.zip <span class="c"># or tokay-*.zip for Pixel 9</span>
<span class="nb">cd </span>shiba-<span class="k">*</span> <span class="c"># or tokay-* for Pixel 9</span>
</code></pre></div></div>
<p>For Pixel 8, extract the inner image zip:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unzip image-shiba-<span class="k">*</span>.zip
</code></pre></div></div>
<p>For Pixel 9, the images come extracted already.</p>
<p>Make the flash script executable:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">chmod</span> +x flash-all.sh
</code></pre></div></div>
<h2>Step 4: Unlock Bootloader and Flash</h2>
<p>Reboot into fastboot mode using the hardware buttons (Power + Volume Down), then:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fastboot flashing unlock
</code></pre></div></div>
<p>Confirm on device with volume keys + power. This wipes everything.</p>
<p>Once back at fastboot:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fastboot devices
./flash-all.sh
</code></pre></div></div>
<p><strong>Do not re-lock the bootloader</strong> since we need it unlocked for Magisk.</p>
<h2>Step 5: Post-Flash Setup</h2>
<p>After the phone boots:</p>
<ol>
<li>Skip through initial setup</li>
<li>Re-enable Developer Options (tap Build number 7 times)</li>
<li>Re-enable USB Debugging</li>
</ol>
<h2>Step 6: Install Magisk</h2>
<p>Magisk is a systemless root solution that modifies the boot image to provide root access while passing SafetyNet checks. It allows installing modules that modify the system without actually touching the system partition.</p>
<p>Download the latest Magisk APK from https://github.com/topjohnwu/Magisk/releases</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb <span class="nb">install </span>Magisk-<span class="k">*</span>.apk
</code></pre></div></div>
<p>Allow notifications when prompted. Useful for superuser prompts.</p>
<h2>Step 7: Patch init_boot Image</h2>
<p><strong>Important:</strong> Pixel 8 on Android 13+ uses <code class="language-plaintext highlighter-rouge">init_boot.img</code> for the ramdisk, not <code class="language-plaintext highlighter-rouge">boot.img</code>.</p>
<p>Push the init_boot image to the phone:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb push init_boot.img /sdcard/Download/
</code></pre></div></div>
<p>On the phone:</p>
<ol>
<li>Open Magisk app</li>
<li>Tap <strong>Install</strong></li>
<li>Select <strong>Select and Patch a File</strong></li>
<li>Navigate to Downloads and select <code class="language-plaintext highlighter-rouge">init_boot.img</code></li>
</ol>
<p>Note: You can also extract boot.img from a rooted device using dd, but for fresh installs use the init_boot.img from the factory zip. Just make sure it matches your flashed version.</p>
<h2>Step 8: Flash Patched Image</h2>
<p>List the patched file:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">ls</span> /sdcard/Download/
</code></pre></div></div>
<p>Pull it:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb pull /sdcard/Download/magisk_patched-<span class="k">*</span>.img <span class="nb">.</span>
</code></pre></div></div>
<p>You can test by booting the image directly without flashing:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb reboot bootloader
fastboot boot magisk_patched-<span class="k">*</span>.img
</code></pre></div></div>
<p>If Magisk shows as installed, flash it permanently:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb reboot bootloader
fastboot flash init_boot magisk_patched-<span class="k">*</span>.img
fastboot reboot
</code></pre></div></div>
<h2>Step 9: Verify Root</h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell
su
</code></pre></div></div>
<p>You should see a superuser prompt on the phone. Grant access and you’ll have a root shell.</p>
<h2>Step 10: Configure Magisk</h2>
<p>In Magisk app, go to <strong>Settings</strong> and configure:</p>
<ol>
<li><strong>Zygisk → ON</strong> (enables code injection into apps, needed for DenyList)</li>
<li><strong>Enable Zygisk DenyList</strong> (hide root from specific apps)</li>
<li><strong>Enable DNS over HTTPS</strong></li>
<li><strong>Hide the Magisk app</strong> → enter a custom name → add shortcut icon when prompted</li>
</ol>
<p>Reboot the phone. After reboot, verify Zygisk shows <strong>Yes</strong> in Magisk home screen.</p>
<h2>Step 11: Install Burp CA Certificate</h2>
<p>Android 14+ has read-only system partitions protected by dm-verity. We’ll use a Magisk module to install the CA cert as a system certificate.</p>
<h3>Export Burp Certificate</h3>
<p>In Burp Suite: <strong>Proxy → Proxy settings → Import/Export CA Certificate → Export → Certificate in DER format</strong> → save as <code class="language-plaintext highlighter-rouge">cacert.der</code></p>
<h3>Convert and Hash the Certificate</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl x509 <span class="nt">-inform</span> DER <span class="nt">-in</span> cacert.der <span class="nt">-out</span> cacert.pem
<span class="nb">hash</span><span class="o">=</span><span class="si">$(</span>openssl x509 <span class="nt">-inform</span> PEM <span class="nt">-subject_hash_old</span> <span class="nt">-in</span> cacert.pem | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span>
<span class="nb">mv </span>cacert.pem <span class="nv">$hash</span>.0
</code></pre></div></div>
<h3>Install MagiskTrustUserCerts Module</h3>
<p>Download from https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb push MagiskTrustUserCerts.zip /sdcard/Download/
</code></pre></div></div>
<p>In Magisk app: <strong>Modules → Install from storage → select the zip → reboot</strong></p>
<h3>Install Certificate as User Cert</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb push <span class="nv">$hash</span>.0 /sdcard/Download/
</code></pre></div></div>
<p>On phone: <strong>Settings → Security & Privacy → More security settings → Encryption & credentials → Install a certificate → CA certificate → Install anyway</strong> → select your .0 file from Downloads</p>
<p>Reboot the phone. The MagiskTrustUserCerts module will promote the user certificate to system trust.</p>
<h2>Step 12: Configure Proxy</h2>
<h3>Option A: WiFi Proxy</h3>
<p>On phone: <strong>Settings → Network & internet → Internet → tap your WiFi network → Edit → Advanced options → Proxy → Manual</strong></p>
<p>Set proxy hostname to your Burp machine’s IP and port 8080.</p>
<h3>Option B: ADB Reverse (for VM setups)</h3>
<p>If Burp is running in a VM, redirect USB to the VM first:</p>
<ul>
<li><strong>QEMU/virt-manager:</strong> Virtual Machine → Redirect USB device → select Pixel</li>
<li><strong>VirtualBox/VMware:</strong> Configure USB passthrough in VM settings</li>
</ul>
<p>Stop adb on host first if running:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb kill-server
</code></pre></div></div>
<p>In the VM:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb devices
adb reverse tcp:8080 tcp:8080
</code></pre></div></div>
<p>On phone, set proxy to <code class="language-plaintext highlighter-rouge">127.0.0.1:8080</code>.</p>
<p><strong>Important:</strong> Disable any VPN on the phone. VPN overrides proxy settings.</p>
<h2>Step 13: Test</h2>
<p>Open browser on phone. Traffic should appear in Burp’s HTTP history.</p>
<h2>Troubleshooting</h2>
<ul>
<li><strong>Magisk shows “N/A” after flashing:</strong> Make sure you’re flashing <code class="language-plaintext highlighter-rouge">init_boot</code> not <code class="language-plaintext highlighter-rouge">boot</code> on Pixel 8</li>
<li><strong>Can’t remount system:</strong> Android 14+ uses dm-verity, use Magisk modules instead</li>
<li><strong>No traffic in Burp:</strong> Check VPN is disabled, proxy settings are correct, and Burp is bound to all interfaces (0.0.0.0)</li>
<li><strong>Certificate not trusted:</strong> Ensure MagiskTrustUserCerts module is installed and phone was rebooted</li>
</ul>
Berk Cem Göksel
This post aims to serve as a guide on how to set a Pixel device up for Android security testing. I’ve tested this on both the Pixel 8 and the Pixel 9. The steps are identical for both. This covers flashing stock Pixel OS, rooting with Magisk, and getting Burp Suite working for traffic interception.