Hexagon Fuzz
June 26, 2025
A fuzzing framework for Hexagon baseband firmware using QEMU system emulation. This tool enables security researchers to fuzz baseband processors by emulating firmware in a controlled environment, supporting debugging and vulnerability discovery in cellular modem implementations.
Features
- QEMU-based emulation of baseband firmware
- LibAFL-based fuzzing engine
- Support for Hexagon (Qualcomm DSP) architecture
- Integrated LLDB debugging capabilities with the Qualcomm SDK
- Configurable fuzzing targets and parameters
- Docker containerization for easy deployment
Setup
Install dependencies on Ubuntu:

```sh
sudo apt install python3 python3-pip python3-sphinx python3-sphinx-rtd-theme ninja-build libglib2.0-dev flex bison clang rustup tmux gdb gdbserver socat
```
Clone the repo and fetch the qemu submodule:

```sh
git clone https://github.com/srlabs/hexagon_fuzz.git
git submodule update --init
```
Tmux script
- Set the `SDK_HOME` env variable to the path of the Hexagon SDK
- Run `scripts/tmux_bootstrap.sh` to start the emulation and attach LLDB for debugging
Steps for fuzzing
- Set the `SDK_HOME` env variable to the path of the Hexagon SDK
- Set `"fuzz": true` in `firmware_config.json`
- Set the fuzz target start and return address in `firmware_config.json`
- Run the fuzzer:

```sh
cargo build --release
./target/release/hexagon_fuzz
```
After building it once, you can skip re-building/re-configuring the QEMU submodule by setting the environment variables `CUSTOM_QEMU_NO_BUILD="1"` and `CUSTOM_QEMU_NO_CONFIGURE="1"`. This can also be done in `.cargo/config.toml` if using cargo.
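As an added illustration (not a file shipped with the project), the cargo-side variant uses the `[env]` table of `.cargo/config.toml`, which cargo exports to build scripts; the assumption here is that the project's build script reads the two variables named above from the environment:

```toml
# .cargo/config.toml (added example, not part of the repository)
# Skip the QEMU submodule configure/build steps on subsequent `cargo build` runs.
# Remove or comment these out again after changing the QEMU sources,
# otherwise a stale QEMU binary keeps being linked.
[env]
CUSTOM_QEMU_NO_BUILD = "1"
CUSTOM_QEMU_NO_CONFIGURE = "1"
```

Setting the variables on the command line (`CUSTOM_QEMU_NO_BUILD=1 CUSTOM_QEMU_NO_CONFIGURE=1 cargo build --release`) has the same effect for a single invocation.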
Docker setup
- Build and run the docker image:

```sh
docker build -t hexagon_fuzz .
docker run -it hexagon_fuzz
```

- Build and run the fuzzer inside the docker container:

```sh
cargo build --release
./target/release/hexagon_fuzz
```
Get a firmware
We used `qdsp6sw.mbn` (iPhone 14) with sha256 `b5a0e5027c9dbe094569ebb08afc3d5ad0665b75c36ea827b40380c90ef8276a`
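Because the emulation, the addresses in `firmware_config.json` and any crash you find are only reproducible against this exact image, it pays to check the digest before pointing the fuzzer at a firmware file. The script below is an added example (not part of the repository); the only value it takes from this page is the sha256 above, and the file path is whatever you pass as the first argument.

```sh
#!/bin/sh
# Expected digest for qdsp6sw.mbn (iPhone 14), copied from the README above.
EXPECTED_QDSP6SW_SHA256="b5a0e5027c9dbe094569ebb08afc3d5ad0665b75c36ea827b40380c90ef8276a"

# Print the lowercase SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_firmware FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX (case-insensitive), 1 otherwise.
verify_firmware() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing firmware: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage: ./verify_firmware.sh path/to/qdsp6sw.mbn
# Only runs a check when a path is given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    verify_firmware "$1" "$EXPECTED_QDSP6SW_SHA256" || exit 1
fi
```

Run it once after copying the firmware into the working tree; a mismatch means the config's start/return addresses cannot be trusted for that file.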
Documentation
Some documentation around reversing, setting up the tooling, emulation and more can be found in the `docs` directory.