Introduction: Mastering Android Kernel Exploitation

Delving into Android kernel exploitation requires a robust and controlled environment. Setting up a dedicated lab allows security researchers to safely analyze kernel vulnerabilities, develop exploits, and understand the underlying ARM64 architecture without risking physical devices. This expert-level guide details the process of establishing an Android kernel exploit lab using QEMU, focusing on ARM64, providing a flexible and powerful platform for advanced security research.

Our goal is to compile a custom Android kernel for ARM64, create a minimal root filesystem, and boot it within QEMU, complete with GDB debugging capabilities. This setup is indispensable for anyone serious about kernel-level security on Android.

Prerequisites

• A Linux-based host system (Ubuntu 20.04+ recommended)
• Ample disk space (at least 50GB) and RAM (16GB+)
• Familiarity with Linux command line and basic kernel concepts

Essential tools to install:

sudo apt update
sudo apt install git qemu-system-arm flex bison build-essential libncurses-dev libssl-dev dwarves bc kmod cpio

Step 1: Acquiring the Android Kernel Source

Google maintains the Android Common Kernels, which are excellent starting points. We will fetch a recent kernel version, for instance, `android-4.14` or `android-5.4`, which are widely used.

mkdir -p ~/android-kernel-lab
cd ~/android-kernel-lab

git clone https://android.googlesource.com/kernel/common.git kernel_common
cd kernel_common
git checkout android-4.14-q

Note: The specific branch (`android-4.14-q` in this example) might need adjustment based on your target Android version or exploit focus.

Step 2: Setting Up the ARM64 Cross-Compilation Toolchain

Cross-compiling for ARM64 requires a specific GNU toolchain. The official Android NDK provides a reliable source.

cd ~/android-kernel-lab

wget https://dl.google.com/android/repository/android-ndk-r21e-linux-x86_64.zip
unzip android-ndk-r21e-linux-x86_64.zip

export PATH="$(pwd)/android-ndk-r21e/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH"
export CROSS_COMPILE="aarch64-linux-android-"
export ARCH=arm64

It’s advisable to add these `export` commands to your `~/.bashrc` or `~/.zshrc` for persistence.

Step 3: Configuring the Kernel for QEMU

The kernel needs to be configured specifically for QEMU and debugging. We’ll start with a default QEMU ARM64 configuration and then customize it.

cd ~/android-kernel-lab/kernel_common

make ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- qemu_virt_defconfig

Now, we’ll enable crucial debugging options. Run `menuconfig`:

make ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- menuconfig

Navigate and enable the following (press `y` to enable, then `Enter` to confirm, save and exit):

• Kernel hacking –> Compile-time checks and compiler options –> `[*] KASAN: runtime memory debugger`
• Kernel hacking –> Generic Kernel Debugging Options –> `[*] Kernel debugging`
• Kernel hacking –> Tracers –> `[*] Ftrace`
• General setup –> `[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support`

Save the configuration (File -> Save) and exit.

Step 4: Compiling the Android Kernel

With the configuration set, compile the kernel. This process can take a significant amount of time depending on your system’s resources.

make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-android-

Upon successful compilation, the kernel image, typically named `Image` or `Image.gz`, will be located in `arch/arm64/boot/`. For QEMU, we often use `Image.gz` directly or need to decompress it.

Step 5: Creating a Minimal Root Filesystem with BusyBox

A minimal root filesystem is essential for the kernel to boot into a usable shell. BusyBox is an excellent choice for this, as it combines many common UNIX utilities into a single executable.

cd ~/android-kernel-lab

# Download BusyBox source
wget https://busybox.net/downloads/busybox-1.35.0.tar.bz2
tar -xvf busybox-1.35.0.tar.bz2
cd busybox-1.35.0

# Configure BusyBox
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- defconfig
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- menuconfig

In `menuconfig`, navigate to `BusyBox Settings –> Build Options` and ensure:

• `[*] Build BusyBox as a static executable (no shared libs)` is checked.
• `[*] Build with Large File Support` (optional but recommended).

Save and exit. Then compile:

make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-android-
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- install

Now, create the root filesystem structure:

cd ~/android-kernel-lab
mkdir -p rootfs
cd rootfs
mkdir -p bin dev etc lib proc sys tmp

cp ../busybox-1.35.0/_install/* .

# Create necessary device nodes
sudo mknod dev/console c 5 1
sudo mknod dev/null c 1 3

# Create a simple init script
echo -e "#!/bin/sh

mount -t proc none /proc
mount -t sysfs none /sys

echo 'Boot successful! Welcome to the QEMU shell.'

/bin/sh
" > init
chmod +x init

# Package the root filesystem into a CPIO archive
find . -print0 | cpio --null -ov --format=newc > ../rootfs.cpio

Step 6: Launching QEMU with Your Custom Kernel and Rootfs

Finally, we can boot our custom Android kernel with the minimal root filesystem in QEMU.

cd ~/android-kernel-lab

qemu-system-aarch64 
    -M virt 
    -cpu cortex-a57 
    -kernel kernel_common/arch/arm64/boot/Image 
    -initrd rootfs.cpio 
    -append "console=ttyAMA0,115200 root=/dev/ram rdinit=/init earlycon=pl011,0x9000000"
    -nographic 
    -s -S

• `-M virt`: Specifies the `virt` board, a generic ARM virtualization platform.
• `-cpu cortex-a57`: Emulates a Cortex-A57 CPU, common in ARM64 Android devices.
• `-kernel`: Path to your compiled kernel image (`Image` or `Image.gz`).
• `-initrd`: Path to your CPIO root filesystem.
• `-append`: Kernel command-line arguments. Key ones here are `console` for output, `root` for the root device, and `rdinit` to execute our `init` script.
• `-nographic`: Runs QEMU without a graphical window.
• `-s -S`: Essential for GDB debugging. `-s` opens a GDB server on TCP port 1234. `-S` freezes the CPU at startup, waiting for GDB to connect.

If successful, you should see kernel boot messages and then land in your BusyBox shell after connecting GDB.

Step 7: Connecting GDB for Kernel Debugging

With QEMU running (and waiting due to `-S`), open a new terminal and connect GDB.

cd ~/android-kernel-lab/kernel_common

aarch64-linux-android-gdb vmlinux -ex "target remote :1234"

The `vmlinux` file (in your kernel source root) contains the symbol information needed by GDB. Once connected, you can use standard GDB commands like `c` (continue), `b` (breakpoint), `x` (examine memory), etc.

For example, to set a breakpoint at the `start_kernel` function and continue:

(gdb) b start_kernel
(gdb) c

The QEMU terminal will then show the kernel booting up until it hits your breakpoint.

Conclusion

You have now successfully set up an Android kernel exploit lab using ARM64 QEMU. This environment provides a powerful platform for in-depth security research, allowing you to trace kernel execution, analyze vulnerabilities, and test exploit primitives in a controlled setting. From here, you can explore various kernel internals, practice memory corruption techniques, and even integrate more complex Android user-space components to simulate real-world exploitation scenarios. The journey into advanced Android security has just begun!