added rom header fuzzer

source/bootrom_emulator/emulator.py

@@ -3,12 +3,15 @@ from unicorn.arm64_const import *
 from ghidra_assistant.utils.utils import *
 from ghidra_assistant.utils.archs.arm64.arm64_emulator import ARM64UC_Emulator
 from ghidra_assistant.utils.archs.arm64.asm_arm64 import ShellcodeCrafterARM64
-import sys, pathlib
+import sys, pathlib, struct
 from add_memory_maps import *
 from tools import *
 from amlogic_devices import *
 from amlogic_rom_db import *
 
+def p8(v):
+    return struct.pack("<B", v)
+
 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
     
@@ -241,6 +244,10 @@ class Amlogic_Emulator(ARM64UC_Emulator):
         '''
         Hook startup code to continue boot process
         '''
+        # if self.pc == 0xffff3520: # Reboo ttod
+            
+        if self.pc == 0xffff05c4:
+            pass
         if self.enable_trace:
             self.pc_trace.append(hex(self.pc))
         return
@@ -342,8 +349,47 @@ class Amlogic_Emulator(ARM64UC_Emulator):
             self.enable_trace = True
         self.uc.emu_start(self.pc, 0)
         return 0
+    
+    def place_bootloader(self, data=b"\xbb" * 0x40):
+        BL_LOCATION = 0xfffa0000 #0x40 size?
+        OUT_OFFSET = 0xfffa0000 + 0x1000
+        
+        self.uc.mem_write(BL_LOCATION, data)
+        
+    def run_check_bootloader_header(self):
+        BL_LOCATION = 0xfffa0000 #0x40 size?
+        OUT_OFFSET = 0xfffa0000 + 0x1000
+        VERIFY_BL = 0xffff1b2c
+        self.X0 = BL_LOCATION
+        self.X1 = OUT_OFFSET
+        self.pc = VERIFY_BL
+        
+        SOMETHING_WRONG_AND_REBOOT = 0xffff05c4
+        
+        def _hook_something_wrong(uc : Uc, address, size, em : Amlogic_Emulator):
+            if hasattr(em, "debug") and em.debug:
+                em.print_ctx()
+                
+            em.something_wrong = True
+            uc.emu_stop()
+            return True
+        
+        self.uc.hook_add(UC_HOOK_CODE, _hook_something_wrong, self, SOMETHING_WRONG_AND_REBOOT, SOMETHING_WRONG_AND_REBOOT + 1)
+        
+        # self.enable_trace = True
+        self.uc.emu_start(self.pc, 0)
+        return 0
 
 if __name__ == "__main__":
     device = "S905X3"
     
-    emulator = Amlogic_Emulator()
+    # self.uc.mem_write(BL_LOCATION, b"@AML") # Magic
+    # self.uc.mem_write(BL_LOCATION + 0xa, p8(1)) #unk1
+    # self.uc.mem_write(BL_LOCATION + 0xb, p8(1)) #unk2
+    
+    emulator = Amlogic_Emulator(debug=True)
+    # emulator.place_bootloader(open("fuzz_bl.bin", 'rb').read())
+    d = bytes.fromhex("4f41 4d4f 414d 104d 4c5c 414d 4c4c")
+    d += (0x40 - len(d)) * b"\x00"
+    emulator.place_bootloader(d)
+    emulator.run_check_bootloader_header()

source/bootrom_emulator/fuzzer.py

@@ -1,6 +1,6 @@
 from emulator import *
 import unicornafl
-import argparse
+import argparse, os
 
 ENTRY_POINT = 0xffff0000
 STACK_ADDRESS = 0xfffe3800
@@ -23,7 +23,7 @@ def test_fb_cmd(cmd=b'getvar:version', device="S905X3"):
     res = emulator.run_fastboot_cmd()
     pass
 
-def afl_fuzzer(device="S905X3"):
+def afl_fuzzer_fastboot(device="S905X3"):
     emulator = Amlogic_Emulator(device=device)
     # emulator.debug = True
 
@@ -41,7 +41,29 @@ def afl_fuzzer(device="S905X3"):
         emulator.run_fastboot_cmd()
         return 0
         
-    unicornafl.uc_afl_fuzz_custom(emulator.uc, "input/getvar", _place_fb_command, _run, persistent_iters=1)
+    unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_fastboot_input/getvar", _place_fb_command, _run, persistent_iters=1)
+    
+def afl_fuzzer_verifybl(device="S905X3"):
+    emulator = Amlogic_Emulator(device=device)
+    # emulator.debug = True
+
+    def place_bootloader_header(uc, input, persistent_round, data):
+        # hexdump(bytes(input), "input")
+        if len(input) != 0x40:
+            return False
+        # Filter some unsupported commands:
+        if input[:4] == b"@AML":
+            return False
+        emulator = Amlogic_Emulator(device=device)
+        emulator.place_bootloader(input)
+        return True
+
+    def _run(uc, data):
+        emulator.run_check_bootloader_header()
+        return 0
+        
+    unicornafl.uc_afl_fuzz_custom(emulator.uc, "fuzz_verifybl_input/fuzz_bl.bin", place_bootloader_header, _run, persistent_iters=1)
+    
     
 if __name__ == "__main__":
     # print(sys.argv)
@@ -51,7 +73,6 @@ if __name__ == "__main__":
     # args.add_argument("--input", "-i", help="Input file for crash", default=None)
     
     # args = args.parse_args()
-    
     # if args.test:
     #     test_fb_cmd(device=args.device)
     #     print("", flush=True)
@@ -63,4 +84,11 @@ if __name__ == "__main__":
     # else:
     #     pass
     # Run AFL
-    afl_fuzzer()
+    
+    if os.getenv("AFL_FUZZER") == "verifybl":
+        afl_fuzzer_verifybl()
+    elif os.getenv("AFL_FUZZER") == "fastboot":
+        afl_fuzzer_fastboot()
+    else:
+        print("No AFL fuzzer selected")
+        exit(1)

source/bootrom_emulator/run_fuzzer.sh

@@ -4,6 +4,7 @@ app_name="amlogic"
 target_soc="S922"
 inputs_dir="/fuzz/input/"
 outputs_dir="/fuzz/fuzz_output/${target_soc}"
+export AFL_FUZZER="verifybl"
 
 # generate screenrc
 tmp_screen_rc="/tmp/screenrc.${app_name}"