A fuzzing framework for Hexagon baseband firmware using QEMU system emulation. This tool enables security researchers to fuzz baseband processors by emulating firmware in a controlled environment, supporting debugging and vulnerability discovery in cellular modem implementations.
- QEMU-based emulation of baseband firmware
- LibAFL-based
- Support for Hexagon (Qualcomm DSP) architecture
- Integrated LLDB debugging capabilities with the Qualcomm SDK
- Configurable fuzzing targets and parameters
- Docker containerization for easy deployment
sudo apt install python3 python3-pip python3-sphinx python3-sphinx-rtd-theme ninja-build libglib2.0-dev flex bison clang rustup tmux gdb gdbserver socatgit clone https://github.com/srlabs/hexagon_fuzz.git
git submodule update --init- Set the
SDK_HOMEenv variable to the path of Hexagon SDK - Run the
scripts/tmux_bootstrap.shto start the emulation and attach a LLDB for debugging
- Set the
SDK_HOMEenv variable to the path of Hexagon SDK - Set
"fuzz": truein thefirmware_config.json - Set the fuzz target start and return address in
firmware_config.json - Run the fuzzer:
cargo build --release
./target/release/hexagon_fuzzAfter building it once, you can skip re-building/re-configuring the QEMU submodule by setting the environment variables CUSTOM_QEMU_NO_BUILD = "1" and CUSTOM_QEMU_NO_CONFIGURE = "1".
This can also be done in .cargo/config.toml if using cargo.
- Build and run the docker image
docker build -t hexagon_fuzz .
docker run -it hexagon_fuzz- Build and run the fuzzer inside the docker container
cargo build --release
./target/release/hexagon_fuzzWe used qdsp6sw.mbn (iPhone 14) with sha256 b5a0e5027c9dbe094569ebb08afc3d5ad0665b75c36ea827b40380c90ef8276a
Some documentation around reversing, setting up the tooling, emulation and more can be found in the docs directory